Practical Memory Forensics E-Book

Practical Memory Forensics

Jumpstart effective forensic analysis of volatile memory

Svetlana Ostrovskaya

Oleg Skulkin

BIRMINGHAM—MUMBAI

Practical Memory Forensics

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Wilson D'suoza

Publishing Product Manager: Shrilekha Malpani

Senior Editor: Shazeen Iqbal

Content Development Editor: Rafiaa Khan

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Subalakshmi Govindhan

Production Designer: Joshua Misquitta

Marketing Coordinator: Sanjana Gupta

First published: February 2022

Production reference: 2310322

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80107-033-1

www.packt.com

Writing the book has been a very exciting and challenging journey, and I am truly grateful to my family, friends, and colleagues – all of whom have believed in me and supported me in every way possible. Special thanks to my friend and colleague Oleg, who invited me to write the book one wonderful winter day, thus starting this journey.

– Svetlana Ostrovskaya

I would like to thank the Packt team for this opportunity and, of course, Svetlana for accepting this challenge – words can't describe how happy I am to have such talented people on my team.

– Oleg Skulkin

Contributors

About the authors

Svetlana Ostrovskaya is a principal DFIR consultant at Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. Besides active involvement in incident response engagements, Svetlana has extensive training experience in various regions, including Russia, CIS, MEA, Europe, and APAC. She has coauthored articles on information security and computer forensics, as well as a number of training programs, including Windows Memory Forensics, Linux Forensics, Advanced Windows Forensic Investigations, and Windows Incident Response and Threat Hunting.

Oleg Skulkin is the head of the digital forensics and malware analysis laboratory at Group-IB. Oleg has worked in the fields of digital forensics, incident response, and cyber threat intelligence and research for over a decade, fueling his passion for uncovering new techniques used by hidden adversaries. Oleg has authored and coauthored multiple blog posts, papers, and books on related topics and holds GCFA and GCTI certifications.

About the reviewers

Rohit Tamma is a senior program manager currently working with Microsoft. With over 10 years of experience in the field of security, his background spans management and technical consulting roles in the areas of application and cloud security, mobile security, penetration testing, and secure coding. Rohit also coauthored Learning Android Forensics, from Packt, which explains various ways to perform forensics on mobile platforms. You can contact him on Twitter at @RohitTamma.

Igor Mikhaylov has been working as a forensics expert for 21 years. During this time, he has attended a lot of seminars and training classes in top forensic companies (such as Guidance Software, AccessData, and Cellebrite) and forensic departments of government organizations in the Russian Federation. He has experience and skills in computer forensics, incident response, cellphone forensics, chip-off forensics, malware forensics, data recovery, digital image analysis, video forensics, big data, and other fields. He has worked on several thousand forensic cases. When he works on a forensic case, he examines evidence using in-depth, industry-leading tools and techniques. He uses forensic software and hardware from leaders in the forensics industry. He has written three tutorials on cellphone forensics and incident response for Russian-speaking forensics experts. He was also the reviewer of Windows Forensics Cookbook by Oleg Skulkin and Scar de Courcier, from Packt.

Table of Contents

Preface

Section 1: Basics of Memory Forensics

Chapter 1: Why Memory Forensics?

Understanding the main benefits of memory forensics

No trace is left behind

Privacy keeper

Learning about the investigation goals and methodology

The victim's device

The suspect's device

Discovering the challenges of memory forensics

Tools

Critical systems

Instability

Summary

Chapter 2: Acquisition Process

Introducing memory management concepts

Address space

Virtual memory

Paging

Shared memory

Stack and heap

What's live memory analysis?

Windows

Linux and macOS

Understanding partial versus full memory acquisition

Exploring popular acquisition tools and techniques

Virtual or physical

Local or remote

How to choose

It's time

Summary

Section 2: Windows Forensic Analysis

Chapter 3: Windows Memory Acquisition

Understanding Windows memory-acquisition issues

Preparing for Windows memory acquisition

Acquiring memory with FTK imager

Acquiring memory with WinPmem

Acquiring memory with Belkasoft RAM Capturer

Acquiring memory with Magnet RAM Capture

Summary

Chapter 4: Reconstructing User Activity with Windows Memory Forensics

Technical requirements

Analyzing launched applications

Introducing Volatility

Profile identification

Searching for active processes

Searching for finished processes

Searching for opened documents

Documents in process memory

Investigating browser history

Chrome analysis with yarascan

Firefox analysis with bulk extractor

Tor analysis with Strings

Examining communication applications

Email, email, email

Instant messengers

Recovering user passwords

Hashdump

Cachedump

Lsadump

Plaintext passwords

Detecting crypto containers

Investigating Windows Registry

Virtual registry

Installing MemProcFS

Working with Windows Registry

Summary

Chapter 5: Malware Detection and Analysis with Windows Memory Forensics

Searching for malicious processes

Process names

Detecting abnormal behavior

Analyzing command-line arguments

Command line arguments of the processes

Command history

Examining network connections

Process – initiator

IP addresses and ports

Detecting injections in process memory

Dynamic-link library injections

Portable executable injections

Process Hollowing

Process Doppelgänging

Looking for evidence of persistence

Boot or Logon Autostart Execution

Create Account

Create or Modify System Process

Scheduled task

Creating timelines

Filesystem-based timelines

Memory-based timelines

Summary

Chapter 6: Alternative Sources of Volatile Memory

Investigating hibernation files

Acquiring a hibernation file

Analyzing hiberfil.sys

Examining pagefiles and swapfiles

Acquiring pagefiles

Analyzing pagefile.sys

Analyzing crash dumps

Crash dump creation

Analyzing crash dumps

Summary

Section 3: Linux Forensic Analysis

Chapter 7: Linux Memory Acquisition

Understanding Linux memory acquisition issues

Preparing for Linux memory acquisition

Acquiring memory with LiME

Acquiring memory with AVML

Creating a Volatility profile

Summary

Chapter 8: User Activity Reconstruction

Technical requirements

Investigating launched programs

Analyzing Bash history

Searching for opened documents

Recovering the filesystem

Checking browsing history

Investigating communication applications

Looking for mounted devices

Detecting crypto containers

Summary

Chapter 9: Malicious Activity Detection

Investigating network activity

Analyzing malicious activity

Examining kernel objects

Summary

Section 4: macOS Forensic Analysis

Chapter 10: MacOS Memory Acquisition

Understanding macOS memory acquisition issues

Preparing for macOS memory acquisition

Acquiring memory with osxpmem

Creating a Volatility profile

Summary

Chapter 11: Malware Detection and Analysis with macOS Memory Forensics

Learning the peculiarities of macOS analysis with Volatility

Technical requirements

Investigating network connections

Analyzing processes and process memory

Recovering the filesystem

Obtaining user application data

Searching for malicious activity

Summary

Other Books You May Enjoy

Preface

Memory forensics is a powerful analysis technique that could be used in different areas from incident response to malware analysis. For an experienced investigator, memory is an essential source of valuable data. Memory forensics not only provides key insights into the user's context and allows you to look for unique traces of malware, but also, in some cases, helps to piece together the puzzle of a sophisticated targeted attack.

This book will introduce you to the concept of memory forensics and then gradually progress deep into more advanced concepts of hunting and investigating advanced malware using free tools and memory analysis frameworks. This book takes a practical approach and uses memory images from real incidents to help you get a better understanding of the subject so that you will be equipped with the skills required to investigate and respond to malware-related incidents and complex targeted attacks. This book touches on the topic of Windows, Linux, and macOS internals and covers concepts, techniques, and tools to detect, investigate, and hunt threats using memory forensics.

By the end of this book, you will be well versed in memory forensics and will have gained hands-on experience of using various tools associated with it. You will be able to create and analyze memory dumps on your own, examine user activity, detect traces of fileless malware, and reconstruct the actions taken by threat actors.

Who this book is for

This book is intended to be read by incident responders, digital forensic specialists, cybersecurity analysts, system administrators, malware analysts, students, and curious security professionals new to this field and interested in learning memory forensics. You are assumed to have a basic understanding of malware and its workings. Knowledge of operating system internals would be helpful but is not mandatory. Sufficient information will be provided to those new to this field.

What this book covers

Chapter 1, Why Memory Forensics?, explains why memory forensics is a vital part of many digital forensic examinations nowadays based on real-world examples, describing the main goals and investigation techniques used by DFIR specialists as well as discussing daily challenges they face.

Chapter 2, Acquisition Process, familiarizes you with the basic techniques and tools used for memory acquisition, and the possible issues associated with this process. In addition, you will have the opportunity to compare live memory analysis with that of memory dumps by examining the pros and cons.

Chapter 3, Windows Memory Acquisition, discusses Windows memory acquisition tools along with their approach to memory work. Some suggestions for choosing the right tool will be discussed as well as comprehensive examples.

Chapter 4, Reconstructing User Activity with Windows Memory Forensics, looks at reconstructing user activity, which is essential for many cases since it gives a better understanding of what is going on. This chapter provides some insights into user action recovery techniques based not only on running processes and network connections but also on the analysis of the Windows registry and file system in memory.

Chapter 5, Malware Detection and Analysis with Windows Memory Forensics, tackles how modern malware tends to leave as few traces as possible on the disk, which is why memory analysis is becoming a critical element of forensic investigation. In this chapter, we will explain how to search for traces of malicious software in process memory as well as in the Windows Registry, event logs, and file system artifacts in memory.

Chapter 6, Alternative Sources of Volatile Memory, addresses the fact that, sometimes, it is impossible to create a memory dump for analysis, however, there is always a chance of finding some volatile memory on disk. This chapter introduces alternative sources of volatile data in Windows along with the tools and techniques for their analysis.

Chapter 7, Linux Memory Acquisition, shows the core differences between Windows and Linux memory acquisition. Tools for Linux memory acquisition will be proposed along with their configuration and use cases.

Chapter 8, User Activity Reconstruction, looks at how reconstructing user activity in Linux-based systems is a bit different from that in Windows. This chapter will give you several tricks for how to track user activity with Linux memory dumps.

Chapter 9, Malicious Activity Detection, focuses on the techniques needed to search for malicious activity in Linux-based systems and analyze it.

Chapter 10, MacOS Memory Acquisition, relates to the acquisition process, focusing on macOS memory acquisition tools and their use, so you will be able to create memory dumps from all popular operating systems.

Chapter 11, Malware Detection and Analysis with macOS Memory Forensics, looks at techniques that allow us to get the data we need to track user actions and detect and analyze malicious activity in macOS memory.

To get the most out of this book

In this book, we have attempted to describe everything in great detail and take you through the whole process step by step. So, all you need is a computer or virtual machine with Windows and Linux installed.

Since the book is practice-oriented, we recommend that you try out all the methods and tools described in it to get the most out of the book.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801070331_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "To find such processes, you can use the psscan plugin."

Any command-line input or output is written as follows:

C:\WINDOWS\system32> wmic process list full

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Living off the land is a very popular approach in which attackers use built-in tools and installed legitimate software for their own purposes."

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share your thoughts

Once you've read Practical Memory Forensics, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Section 1: Basics of Memory Forensics

This section will not only inform you of the benefits of memory forensics but will also introduce you to the basic concepts of volatile memory and the process of its acquisition and analysis so that you have a general understanding of the topic.

This section of the book comprises the following chapters:

Chapter 1: Why Memory Forensics?

We are living in a world where nothing is more certain than change and cybercrimes are no exception. New attack techniques are constantly being developed, and hundreds of malicious programs and scripts are being written and tested to bypass security controls, while scanners scrutinize the World Wide Web for vulnerable hosts and publicly available services. That is why it is extremely important to stay on trend and have all kinds of tools and techniques in your arsenal to be on the same page as the threat actors.

So, why is memory forensics a vital part of many digital forensic examinations and incident response engagements today? What are the main investigative goals and techniques used by digital forensics and incident response professionals? What challenges do they face every day? You'll find answers to these questions in this chapter.

This chapter will cover the following topics:

Understanding the main benefits of memory forensics

Naturally, for the reader who picks up this book, the benefits are obvious. Since you have decided to deepen your knowledge of memory forensics, you probably have your own reasons for doing so. However, let's take another look at the most common situations in which Random Access Memory (RAM) investigation can play a crucial role (not only in digital forensics but also incident response and malware analysis), and perhaps you will discover new use cases for the knowledge and skills you have acquired.

No trace is left behind

The number of threat actors using living off the land and fileless attack techniques has increased dramatically over the past few years. Attackers no longer care as much about removing their footprints, instead, they try to leave as few of them as possible to avoid detection. This makes the job of information security professionals much more difficult because the use of built-in tools and the lack of malicious files on the disk that can be scanned means that some traditional security solutions may be useless. A lack of logging may make it very hard to reconstruct how threat actors abused built-in dual-use tools, for example, various command and scripting interpreters, in the course of a post-mortem examination, so acquiring and analyzing memory may play a key role in such cases.

Let's discuss each case separately.

Find me in memory

Let's start with malware that works exclusively in memory. The concept itself is not new. When talking about the beginning of the era of memory-resident malware, some researchers refer to Maltese Amoeba, a virus first discovered back in 1991 in Ireland. Others prefer to start with the Code Red worm that appeared in 2001. In any case, since the beginning of the twenty-first century, fileless attacks have only gained momentum and are becoming more and more popular. For example, a payload may be injected directly into memory via PowerShell, and it is becoming extremely common. The process injection technique itself was included in the top 10 MITRE ATT&CK® techniques of 2020 by many cybersecurity vendors. For example, here are the top 10 techniques from the Red Canary 2021 Threat Detection Report via https://redcanary.com/threat-detection-report/techniques/:

Figure 1.1 – Top 10 MITRE ATT&CK techniques of 2020

Process hollowing, dynamic-link library injection, process doppelgänging, and other process injection sub-techniques are used not only by sophisticated state-sponsored threat groups but even by commodity malware operators.

Frame of work

The other side of the issue is the use of numerous post-exploitation frameworks, such as Metasploit, Cobalt Strike, or PowerShell Empire. Such instrumentation provides attackers with a wide range of options to generate a variety of malicious payloads and inject them into memory.

Created with offensive security in mind, these frameworks allowed first penetration testers and red teamers, and then various threat actors to use a wide range of techniques with very limited footprints on disk, even if they didn't have outstanding malware development experience. For example, Cobalt Strike's Beacon payload's unmanaged PowerShell features allowed threat actors to run it without actually running powershell.exe, abusing the Windows API instead.

Such frameworks as Cobalt Strike have become so common that some threat actors even use them instead of custom malware. For example, the notorious Evil Corp group, whose members are believed to be behind high-profile ransomware attacks, including Garmin, switched the Dridex bot to Cobalt Strike's Beacon in their WastedLocker campaigns.

Living off the land

Living off the land is a very popular approach in which attackers use built-in tools and installed legitimate software for their own purposes. Most tools for example, PowerShell or WMI, are used by system administrators to perform their daily tasks, making it difficult not only to detect attackers but also to block the tools they use.

Attackers can utilize living-off-the-land techniques with a variety of tactics. PowerShell can be used for downloading the initial payload from the attacker-controlled server, binaries such as rundll32.exe and regsvr32.exe can be used for execution and defense evasion, Ntdsutil can be leveraged for credentials access, and PsExec and WMIC can be abused for remote execution. There are lots of similar examples, and if the IT infrastructure doesn't have advanced logging capabilities, an analyst's chances of extracting such information may be very low. If acquired in time, memory analysis may be of great help!

Another important note is that in many cases, you can find only the first stage of the malicious binary on the disk – the next stage (and potentially even the next!) is loaded from the server directly into memory, so you won't see it during post-mortem analysis if you don't have a memory image.

What's more, most malicious binaries are packed, encoded, and encrypted nowadays in order to avoid detection, but not in memory! So you can use tools such as PE-sieve to collect potentially malicious code for further analysis. Of course, we'll show you how to do it in the following chapters.

Privacy keeper

In recent years, the issue of privacy has become more acute. Tons of personal data, photos, and messages appear online every day. Service providers collect information about our personalities, interests, and routines to make their work more efficient and more useful. Instant messengers, browsers with privacy modes, in-memory file systems, password managers, and crypto containers are emerging as a result.

Of course, privacy is everyone's concern, but it is most relevant to cybercriminals, as they really have something to hide. We have seen more than once situations where files of interest found on a suspect's computer have been encrypted or saved in a crypto container. In such situations, memory collection and analysis is the key to all doors, as it allows investigators to retrieve the passwords and keys needed for decryption.

As you can see, there are different cases but they all have one thing in common, which is that in each of them, memory forensics can play an extremely important role.

Learning about the investigation goals and methodology

The basis of any forensic investigation is goal setting. Goals determine evidence to look for, methods to use, and tools we need. The right approach to goal setting helps to achieve the desired result quickly and efficiently. Remember the famous "divide et impera" principle? Despite its origins and primary purpose, this principle is great for achieving any goals, the main thing is to understand what to divide and how to use it. As part of the investigation goal setting, this principle can be used to break down the primary goal into smaller and simpler ones. Thus, by dividing our goals into components, we get a set of specific actions, the result of which will be the pieces of the puzzle and all we will have to do is to put them together.

Let's start with the more general goals. If we receive for examination the device involved in the incident, there is a high probability that it is either one of the following:

Let's look at what both are in the next sections.

The victim's device

Consider a situation in which the victim's device is under investigation. The main goal in this case is to answer the question, What happened? One way is to break this question down into its components:

Now let's do the same thing with the question, How did the attacker gain access to the system?:

Let's ask questions about malicious files too:

Finding answers to these questions requires not only knowledge of the digital artifacts and their sources but also the attacker's tactics, techniques, and procedures, so such assessments must also be cyber threat intelligence-driven.

This is the level to which each upper-level question should be broken down. As a result, we have a final list of questions that will allow us to piece together a picture of the incident and answer the first question of What happened? in detail.

The suspect's device

A similar method can be used to investigate the device from which the attacks are suspected to have originated. In this case, questions would be posed based on what the owner of the device is suspected of. For example, if they are suspected of being a malware developer, our questions would be related to the presence of development tools, traces of source code, sales of malware, and so on.

So, we have discussed how memory forensics can help our investigation and what methodology we can apply to do so. However, we cannot remain silent and overlook the weaknesses and possible risks. Let's discuss the challenges of memory forensics.

Discovering the challenges of memory forensics

We hope you have already realized the importance of memory analysis. Now it is time to look for the pitfalls. RAM is a very useful and extremely fragile thing. Any interaction with the system, even the smallest one, can lead to irreversible consequences. For this reason, one of the most important challenges in memory analysis is data preservation.

A few important points related to memory dump creation are listed in the next sections.

Tools

Since most operating systems do not have built-in solutions for creating complete memory dumps, you will have to use specialized tools. There are all kinds of tools available today for creating full memory dumps as well as for extracting individual processes. Investigators can be guided by various considerations when choosing a tool:

Unfortunately, even using a trusted tool cannot guarantee 100% success. Moreover, it can corrupt the system, and that brings us to the following point.

Critical systems

In some cases, running tools to create memory dumps can cause an overload of the system. That is why an investigator who decides to create a memory dump should be ready to take responsibility for possible risks. The system under investigation could be a critical object, disabling which could lead not only to the loss of important data, but also to the shutdown of critical business processes, and in rare cases, even to a threat to the lives and health of people. The decision to create memory dumps on such systems should be balanced and consider all the pros and cons.

Instability

If the system under investigation is infected with poorly written malware, it is itself unstable. In this situation, an attempt to create a memory dump could lead to unpredictable consequences.

Besides, sometimes malware tries to use anti-forensic techniques and prevent memory preservation in every possible way, which again leads to unpredictable consequences. This happens rarely, but this factor should also be taken into account.

Summary

Memory is a great source of forensic artifacts in the hands of an experienced investigator. Memory analysis provides information on malware activity and its functionality, user context, including recent actions, browsing activity, messaging, and unique evidence such as fileless malware, memory-only application data, encryption keys, and so on.

Memory analysis, like anything else, must be approached in some way. One of the most important things is to set the investigation goal and break it down into simple components to conduct the investigation more quickly and efficiently, and, what's more important, to decide whether it's necessary or data left on the disk is enough to get the answers.

Of course, there is no silver bullet, and memory forensics also has its drawbacks. The main problem is data preservation, but if you can manage that, you will be generously rewarded.

So now that you've learned about the benefits of memory forensics and the challenges associated with it, and you understand the approach to investigation, what's next? We think it's time to dive into the more practical stuff, and our first stop is the memory acquisition process, which we'll talk about in the next chapter.

Chapter 2: Acquisition Process

Memory acquisition is usually referred to as the process of copying the contents of volatile memory to a non-volatile storage device for preservation. To have a good understanding of the process, the investigator needs to know at least some memory management principles, understand how tools for memory extraction work, and be able to choose the most appropriate tool and use it correctly. In addition, it is important to understand that creating full memory dumps is not always the only solution. There is live memory analysis, which also has its advantages and, in some cases, may be preferable to memory acquisition.

In this chapter, you'll learn about the following:

Introducing memory management concepts

There are several concepts related to the organization and management of random-access memory (RAM). Understanding these concepts will allow you to make the memory investigation process more conscious and effective. Let's start with the address space.

Address space

RAM is an array of memory cells, each with its own physical address used to access that cell. However, processes do not have direct access to physical memory. This is because processes can easily harm the operating system and even cause it to crash completely when interacting with physical memory. Moreover, the use of physical addresses by processes makes it difficult to organize the simultaneous execution of programs. To solve these problems, an abstraction known as address space was created.