Memory Forensics Notes

Date post: 02-Jun-2018
Upload: shafeeque-olassery-kunnikkal
8/10/2019 Memory Forensics Notes
1/28

Memory Forensics

Simply download DumpIt and put it onto a USB drive.

If you are running it on Windows 7 you will need administrator rights.

If using a USB drive, ensure that enough space is there to store the memory image.

http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/

Once the memory image is created we can analyze it with Volatility.

http://www.volatilityfoundation.org/#!24/c12wa

Identifying the Profile of a Memory Image

volatility imageinfo -f memimage.raw

This gets the image details. The "imageinfo" command gives you several pieces of information. For now we just need to know the profile type of the memory dump; in the commands that follow, <profile> stands for the profile name that imageinfo reports for your image.

Retrieving the Registry Hive List

Now we need the hive list so we can get the starting location of where the registry information resides.

volatility hivelist -f memimage.raw --profile=<profile>

Dumping Individual Registry Hives

We now have a list of where several key items are located in the memory dump. We can use this information to find individual artifacts, or we can just dump the whole hive.

To do so, you simply need to use the "hivedump" command and the virtual memory address of the hive you want to view, taken from the list recovered above. Take a look at the Software hive, using its virtual offset address:

volatility --profile=<profile> -f memimage.raw hivedump -o <virtual offset of the Software hive from hivelist>

Retrieving a Specific Registry Key Value

Using hivedump will return a ton of registry settings, which might be a little more than we need. You can also search the registry keys for specific data.

For example, to find the name of the last logged in user you can check the Winlogon registry key (the key path is given relative to the root of the Software hive, so the hive name itself is not part of it):

volatility -f memimage.raw --profile=<profile> printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"

Password Hashes

If you can obtain a memory image, you can get the password hashes. This is of importance to security penetration testers because if you have the hashes, you can then proceed to crack them or use them in pass-the-hash types of attacks to access other systems on the network.

To do this we need to know the starting memory locations for the System and SAM keys. We look in the hivelist; for this, copy down the numbers in the first column that correspond to the SAM and SYSTEM locations.
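Both the hivedump step above and the hash step just described need the virtual offset that hivelist prints in its first column for a particular hive. The following script is an added example, not part of these notes: it parses hivelist output (the sample below is constructed, with made-up offsets laid out the way Volatility 2.x prints them), looks a hive up by its file name, returns the SYSTEM and SAM offsets for the hash step, and builds the hivedump command from the notes. The image name, profile string and function names are assumptions of the example.

```python
"""Pick hive offsets out of Volatility 2 hivelist output.

hivelist prints, for every hive it finds, the hive's virtual offset, its
physical offset and the path of the file it was loaded from.  hivedump (and
later the hash extraction step) want the *virtual* offset, so this example
maps a hive's file name to that first column.
"""
import re

# Constructed sample output (not a capture) in the Volatility 2.x hivelist layout.
HIVELIST_SAMPLE = r"""Virtual    Physical   Name
---------- ---------- ----
0xe1a2a008 0x0a8e2008 \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
0xe1035b60 0x0260a3e0 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1018390 0x02bda390 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1012398 0x02bc3398 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe101b008 0x02bc9008 [no name]
"""

# One data row: virtual offset, physical offset, then the path (which may contain spaces).
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")

def parse_hivelist(text):
    """Return a list of (virtual_offset, physical_offset, path) tuples, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return rows

def hive_offset(rows, hive_name):
    """Virtual offset of the hive whose file name (last path component) matches, case-insensitively."""
    for virt, _phys, path in rows:
        if path.rsplit("\\", 1)[-1].lower() == hive_name.lower():
            return virt
    raise KeyError(f"hive {hive_name!r} not found in hivelist output")

def hash_step_offsets(rows):
    """The two offsets the password-hash step needs: (SYSTEM hive, SAM hive)."""
    return hive_offset(rows, "system"), hive_offset(rows, "SAM")

def hivedump_command(image, profile, rows, hive_name):
    """Compose the 'volatility hivedump' line from the notes for the selected hive."""
    return f"volatility --profile={profile} -f {image} hivedump -o {hive_offset(rows, hive_name):#x}"

if __name__ == "__main__":
    rows = parse_hivelist(HIVELIST_SAMPLE)
    system, sam = hash_step_offsets(rows)
    print(f"SYSTEM hive at {system:#x}, SAM hive at {sam:#x}")
    # Profile and image name below are placeholders for whatever imageinfo reported.
    print(hivedump_command("memimage.raw", "WinXPSP3x86", rows, "software"))
```

Matching on the last path component is deliberate: the SOFTWARE hive is listed under its file name "software" while user hives end in NTUSER.DAT, so a case-insensitive comparison of the file name is more reliable than searching the whole path.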

List of Running Processes

Now let's take a look at recovering a list of the running processes and active network connections.

volatility pslist -f memimage.raw --profile=<profile>

Listing Running Processes as a Tree

To view the process listing in tree form, use the pstree command. This enumerates processes using the same technique as pslist, so it will also not show hidden or unlinked processes. Child processes are indicated using indentation and periods.

volatility pstree -f memimage.raw --profile=<profile>
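The note above says pstree uses nothing beyond the data pslist walks: the parent/child view comes purely from matching each process's PPID to another process's PID. As an added example (not from the notes), the script below rebuilds that view from pslist-style rows, prints it with pstree's one-dot-per-level convention, and then checks the core Windows XP processes against the parents they normally have, which is how an analyst notices a login process starting something it should not. The sample rows, the expected-parent table and the name unknown.exe are constructed assumptions of the example.

```python
"""Rebuild pstree's parent/child view from PID and PPID, then check lineage.

Each process is nested under the entry whose PID equals its PPID; a process
whose parent is no longer in the list (it exited, or PID 0 for System) is
printed at the top level, exactly as pstree does.
"""
from collections import defaultdict

# Constructed sample rows in pslist column order: offset, name, PID, PPID
# (the remaining pslist columns are omitted because only these four are used).
PSLIST_ROWS = """\
0x810b1660 System                    4      0
0x8191a468 smss.exe                368      4
0x81822a00 csrss.exe               584    368
0x818259f0 winlogon.exe            624    368
0x81877100 services.exe            676    624
0x81a3c8f8 lsass.exe               688    624
0x81a13da0 svchost.exe             856    676
0x81b2c020 unknown.exe            1396    624
0x81c47da0 explorer.exe           1312   1268
"""

# Parent each XP core process normally has.  This table is an assumption of
# the example (a default XP SP2/SP3 install); other Windows versions differ.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}
# The only children winlogon.exe starts on a default XP system (assumption).
WINLOGON_CHILDREN = ("services.exe", "lsass.exe")

def parse_rows(text):
    """Return {pid: (name, ppid)} from whitespace-separated pslist-style rows."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("0x"):
            continue  # header, separator or blank line
        procs[int(fields[2])] = (fields[1], int(fields[3]))
    return procs

def render_tree(procs):
    """Return pstree-style lines: one '.' per depth level, then 'name(pid)'."""
    children = defaultdict(list)
    for pid, (_name, ppid) in procs.items():
        children[ppid].append(pid)
    roots = sorted(pid for pid, (_n, ppid) in procs.items() if ppid not in procs)
    lines = []

    def walk(pid, depth):
        lines.append("." * depth + f"{procs[pid][0]}({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines

def unexpected_parents(procs):
    """[(name, pid, parent_name)] for core processes with a surprising parent and
    for anything winlogon.exe started that is not one of its normal children."""
    findings = []
    for pid, (name, ppid) in procs.items():
        parent = procs.get(ppid, ("<exited>", None))[0]
        expected = EXPECTED_PARENT.get(name)
        if expected is not None and parent != expected:
            findings.append((name, pid, parent))
        elif parent == "winlogon.exe" and name not in WINLOGON_CHILDREN:
            findings.append((name, pid, parent))
    return sorted(findings, key=lambda f: f[1])

if __name__ == "__main__":
    procs = parse_rows(PSLIST_ROWS)
    print("\n".join(render_tree(procs)))
    for name, pid, parent in unexpected_parents(procs):
        print(f"unexpected parent: {name} (pid {pid}) was started by {parent}")
```

The lineage check is deliberately narrow: it only knows the handful of processes whose parent is fixed on XP, so a hit means "look at this", not "this is malicious".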

Enumerating Processes

To enumerate processes using pool tag scanning, use the psscan command. This can find processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit.

volatility psscan -f memimage.raw --profile=<profile>
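The difference between pslist (which walks the kernel's linked list of processes) and psscan (which scans for pool tags) is the cross-view check that the rootkit-detection part of these notes relies on. The script below is an added example, not from the notes: it parses both outputs (constructed samples in the Volatility 2.x layout, including a made-up hidden.exe) and reports the processes only psscan sees, separating those with an exit time (terminated) from those without (likely unlinked).

```python
"""Cross-view check: processes that psscan finds but pslist does not.

pslist follows the kernel's doubly linked list of _EPROCESS structures, so a
process a rootkit has unlinked from that list never appears in its output.
psscan scans physical memory for process pool tags and therefore also returns
unlinked processes and processes that have already exited.  A PID present only
in psscan is thus either terminated (psscan shows an exit time) or hidden (no
exit time); telling the two apart is the point of running both plugins.
"""
import re

# Constructed sample output in the Volatility 2.x column layout (not a capture).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x810b1660 System                    4      0     58      379 ------      0
0x8191a468 smss.exe                368      4      3       19 ------      0 2010-08-11 06:06:21 UTC+0000
0x81822a00 winlogon.exe            624    368     24      524      0      0 2010-08-11 06:06:23 UTC+0000
0x81877100 services.exe            676    624     16      264      0      0 2010-08-11 06:06:23 UTC+0000
0x81a13da0 svchost.exe             856    676     29      336      0      0 2010-08-11 06:06:24 UTC+0000
"""

# hidden.exe is the made-up unlinked process; notepad.exe is a terminated one.
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000010b1660 System                4      0 0x00319000
0x000000000191a468 smss.exe            368      4 0x0a2f0020 2010-08-11 06:06:21 UTC+0000
0x0000000001822a00 winlogon.exe        624    368 0x0a2f0080 2010-08-11 06:06:23 UTC+0000
0x0000000001877100 services.exe        676    624 0x0a2f00a0 2010-08-11 06:06:23 UTC+0000
0x0000000001a13da0 svchost.exe         856    676 0x0a2f0100 2010-08-11 06:06:24 UTC+0000
0x0000000001b2c020 hidden.exe         1240    676 0x0a2f0160 2010-08-11 06:15:02 UTC+0000
0x0000000001c47da0 notepad.exe        1388   1312 0x0a2f01a0 2010-08-11 06:20:11 UTC+0000 2010-08-11 06:22:40 UTC+0000
"""

TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

def _data_rows(text):
    """Yield (line, fields) for rows that start with a hex offset, skipping headers."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("0x"):
            yield line, fields

def parse_pslist(text):
    """Return {pid: name} for the processes pslist could see."""
    return {int(f[2]): f[1] for _line, f in _data_rows(text)}

def parse_psscan(text):
    """Return [(offset, pid, name, exited)]; offsets are kept because exited PIDs can be reused."""
    rows = []
    for line, f in _data_rows(text):
        exited = len(TIMESTAMP.findall(line)) == 2   # both created and exited present
        rows.append((int(f[0], 16), int(f[2]), f[1], exited))
    return rows

def cross_view(pslist_text, psscan_text):
    """Split psscan-only processes into 'terminated' (exit time) and 'hidden' (none)."""
    listed = parse_pslist(pslist_text)
    result = {"hidden": [], "terminated": []}
    for _offset, pid, name, exited in parse_psscan(psscan_text):
        if pid in listed:
            continue
        result["terminated" if exited else "hidden"].append((pid, name))
    for key in result:
        result[key].sort()
    return result

if __name__ == "__main__":
    report = cross_view(PSLIST_SAMPLE, PSSCAN_SAMPLE)
    for pid, name in report["hidden"]:
        print(f"HIDDEN  pid {pid:>5} {name}: in psscan, not in pslist, no exit time -> examine")
    for pid, name in report["terminated"]:
        print(f"exited  pid {pid:>5} {name}: in psscan with an exit time (normal)")
```

A process in the "hidden" list is not proof of a rootkit on its own (a process that exited at the moment the image was taken can land there too), but it is the set that needs a closer look with the other plugins in these notes.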

Listing DLLs Loaded into Memory

To display a process's loaded DLLs, use the dlllist command.

volatility dlllist -f memimage.raw --profile=<profile>

Extract a DLL from a Process's Memory

To extract a DLL from a process's memory space and dump it to disk for analysis, use the dlldump command.

volatility.exe dlldump -f memimage.raw --profile=<profile> -r kernel32 -D out

It is possible to dump all DLLs of a specific process using its process id.
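Before dumping anything, the dlllist output itself tells you which modules are worth extracting. The script below is an added example, not part of the notes: it parses dlllist output (a constructed sample in the Volatility 2.x layout, with a made-up upd.dll and vendor path) and flags modules loaded from outside the directories Windows and installed software normally load from, since dropped or injected DLLs tend to live in temp and profile folders. The list of expected directories is an assumption of the example.

```python
"""Review dlllist output for DLLs loaded from unexpected locations.

dlllist prints, per process, the base address, size, load count and on-disk
path of every module in the loader's list.  A first pass over that list is to
look at where each module was loaded from.
"""
import re

# Constructed sample (not a capture) in the Volatility 2.x dlllist layout.
DLLLIST_SAMPLE = r"""************************************************************************
svchost.exe pid:    856
Command line : C:\WINDOWS\system32\svchost -k netsvcs
Service Pack 2

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000     0x6000     0xffff C:\WINDOWS\system32\svchost.exe
0x7c900000    0xb0000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf4000     0xffff C:\WINDOWS\system32\kernel32.dll
0x00a80000     0x5000        0x1 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upd.dll
************************************************************************
explorer.exe pid:   1312
Command line : C:\WINDOWS\Explorer.EXE
Service Pack 2

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000    0xff000     0xffff C:\WINDOWS\Explorer.EXE
0x7c900000    0xb0000     0xffff C:\WINDOWS\system32\ntdll.dll
0x10000000    0x22000        0x1 C:\Program Files\Example Vendor\shellext.dll
"""

PROCESS_HEADER = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s*$")
MODULE_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")

# Directories treated as expected load locations (an assumption of this example;
# extend it for the system drive letter and install paths of the image you analyse).
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

def parse_dlllist(text):
    """Return {(pid, process_name): [(base, size, load_count, path), ...]}."""
    modules, current = {}, None
    for line in text.splitlines():
        h = PROCESS_HEADER.match(line)
        if h:
            current = (int(h.group(2)), h.group(1))
            modules[current] = []
            continue
        m = MODULE_ROW.match(line)
        if m and current is not None:
            modules[current].append((int(m.group(1), 16), int(m.group(2), 16),
                                     int(m.group(3), 16), m.group(4)))
    return modules

def unexpected_modules(modules):
    """Return [(pid, process_name, path)] for modules outside the expected directories."""
    findings = []
    for (pid, name), rows in modules.items():
        for _base, _size, _count, path in rows:
            if not path.lower().startswith(EXPECTED_PREFIXES):
                findings.append((pid, name, path))
    return findings

if __name__ == "__main__":
    for pid, name, path in unexpected_modules(parse_dlllist(DLLLIST_SAMPLE)):
        print(f"{name} (pid {pid}) loaded {path} -> candidate for dlldump -p {pid}")
```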

Retrieving Commands Typed in the Command Prompt

Another interesting command we can run is "cmdscan". This plugin allows us to see what commands, if any, were run from the command prompt.

volatility cmdscan -f memimage.raw --profile=<profile>

volatility netscan -f memimage.raw --profile=<profile>

Rootkit Detection Using Volatility

Hidden processes are revealed by comparing the output of the pslist and psscan modules.

volatility.exe pslist -f infected-winxp.raw --profile=WinXPSP3x86

volatility.exe psscan -f infected-winxp.raw --profile=WinXPSP3x86

Drivers loaded by the HackerDefender rootkit are revealed by the driverscan module.

volatility.exe driverscan -f infected-winxp.raw --profile=WinXPSP3x86

Modules running on the infected system can be revealed by modules and modscan:

volatility.exe modules -f infected-winxp.raw --profile=WinXPSP3x86

To scan physical memory for kernel modules, use the modscan command. This can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits. Included in the output is the offset of the module, which is a physical address.

volatility.exe modscan -f infected-winxp.raw --profile=WinXPSP3x86

Dump the suspicious process into a directory (malfind only prints its findings unless a dump directory is given with -D).

volatility.exe malfind -f infected-winxp.raw --profile=WinXPSP3x86 -D out

Upload the dumped process to VirusTotal for analysis.

Basic Malware Analysis Using Volatility

http://malwarecookbook.googlecode.com/svn-history/r26/trunk/17/1/zeus.vmem.zip

Download the above memory dump, which is infected with the Zeus malware.

Determine the OS on which the memory snapshot was taken, using the imageinfo command.

volatility imageinfo -f zeus.vmem

List the processes which were running when the snapshot was taken. Use the pslist command.

volatility pslist -f zeus.vmem --profile=WinXPSP2x86

List the open TCP connections using the connscan command.

volatility connscan -f zeus.vmem --profile=WinXPSP2x86

Do a whois on the IP address obtained from the above step.

whois <remote IP address from connscan>
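connscan carves TCP connection objects out of physical memory, so it can return closed connections as well as open ones, and a busy image yields many rows for the same remote host. The script below is an added example, not part of the notes: it parses connscan output (a constructed sample in the Volatility 2.x layout, using documentation addresses rather than real hosts), collapses it to distinct remote addresses with the PIDs and ports that talked to them, drops RFC 1918, loopback and link-local addresses that have no useful whois record, and emits the whois commands for the rest. The address ranges excluded are an assumption of the example.

```python
"""Turn connscan output into a whois work list.

The goal is the set of distinct, routable remote IP addresses, each with the
processes that owned connections to it, so the analyst runs whois once per
host and can tie each host back to a PID from pslist.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample (not a capture) in the Volatility 2.x connscan layout.
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 192.168.1.25:1054         198.51.100.23:80          856
0x023a8008 192.168.1.25:1056         198.51.100.23:80          856
0x02a3d008 192.168.1.25:1058         192.168.1.1:445             4
0x02b5b8c8 192.168.1.25:1061         203.0.113.9:8080         1396
0x02c11a08 192.168.1.25:1062         127.0.0.1:1063           1396
"""

ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")

# Ranges not worth a whois lookup: RFC 1918, loopback, link-local (assumption of the example).
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_connscan(text):
    """Return one dict per row: local/remote address and port plus the owning PID."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            conns.append({"local": m.group(1), "lport": int(m.group(2)),
                          "remote": m.group(3), "rport": int(m.group(4)),
                          "pid": int(m.group(5))})
    return conns

def is_internal(addr):
    """True for addresses in the ranges listed in INTERNAL."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def whois_candidates(conns):
    """Sorted [(remote_ip, [pids], [ports])] for routable remote addresses only."""
    by_ip = {}
    for c in conns:
        if is_internal(c["remote"]):
            continue
        entry = by_ip.setdefault(c["remote"], {"pids": set(), "ports": set()})
        entry["pids"].add(c["pid"])
        entry["ports"].add(c["rport"])
    return [(ip, sorted(e["pids"]), sorted(e["ports"])) for ip, e in sorted(by_ip.items())]

def whois_commands(conns):
    """The whois command lines for the work list."""
    return [f"whois {ip}" for ip, _pids, _ports in whois_candidates(conns)]

if __name__ == "__main__":
    conns = parse_connscan(CONNSCAN_SAMPLE)
    for ip, pids, ports in whois_candidates(conns):
        print(f"{ip:<16} pids {pids} ports {ports}")
    print("\n".join(whois_commands(conns)))
```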

List out the registry hives loaded into memory. Use the hivelist command.

volatility hivelist -f zeus.vmem --profile=WinXPSP2x86

The key "Userinit" specifies what program should be launched right after a user logs into Windows.

The default program for this key is C:\windows\system32\userinit.exe.

Userinit.exe is a program that restores your profile, fonts, colors, etc. for your username.

It is possible to add further programs that will launch from this key by separating the programs with a comma. It is a common place for trojans.

volatility printkey -f zeus.vmem --profile=WinXPSP2x86 -o <virtual offset of the software hive from hivelist> -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
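The Winlogon key serves two of the checks in these notes: the last logged-on user (the DefaultUserName value, from the earlier section) and the comma-separated Userinit list just described. The script below is an added example, not part of the notes: it parses printkey output for that key (a constructed sample in the Volatility 2.x layout, with a made-up domain name and an sdra64.exe entry added to Userinit), splits the Userinit list the way Windows does, and reports every entry that is not the default userinit.exe. The default path compared against is the one the notes give; the value names are those of the real Winlogon key.

```python
"""Check the Winlogon key's Userinit value for extra programs.

Windows runs every comma-separated entry of Userinit after logon, so anything
besides the default userinit.exe is a persistence entry worth explaining.
"""
import re

# Constructed sample (not a capture) in the Volatility 2.x printkey layout.
PRINTKEY_SAMPLE = r"""Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Last updated: 2010-08-11 06:05:04 UTC+0000

Subkeys:
  (S) GPExtensions
  (S) Notify

Values:
REG_SZ        AutoRestartShell : (S) 1
REG_SZ        DefaultDomainName : (S) WORKSTATION01
REG_SZ        DefaultUserName : (S) Administrator
REG_SZ        Userinit      : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
REG_SZ        Shell         : (S) Explorer.exe
"""

# One value line: type, name, ':', (S)/(V) stability flag, data.
VALUE_LINE = re.compile(r"^(REG_\w+)\s+(\S+)\s*:\s*\([SV]\)\s*(.*?)\s*$")

# The default from the notes; compared case-insensitively because the hive may spell it differently.
DEFAULT_USERINIT = "C:\\windows\\system32\\userinit.exe"

def parse_printkey_values(text):
    """Return {value_name: (reg_type, data)} for the Values section of printkey output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(2)] = (m.group(1), m.group(3))
    return values

def userinit_entries(values):
    """Split the Userinit data on commas, dropping the empty entry a trailing comma leaves."""
    _reg_type, data = values["Userinit"]
    return [entry.strip() for entry in data.split(",") if entry.strip()]

def unexpected_userinit(values):
    """Every Userinit entry other than the default userinit.exe."""
    return [e for e in userinit_entries(values) if e.lower() != DEFAULT_USERINIT.lower()]

def last_logged_on_user(values):
    """DOMAIN\\user from DefaultDomainName and DefaultUserName (the 'last logged in user' check)."""
    domain = values.get("DefaultDomainName", ("", ""))[1]
    user = values.get("DefaultUserName", ("", ""))[1]
    return f"{domain}\\{user}" if domain else user

if __name__ == "__main__":
    values = parse_printkey_values(PRINTKEY_SAMPLE)
    print("last logged-on user:", last_logged_on_user(values))
    for entry in unexpected_userinit(values):
        print("extra Userinit entry:", entry)
```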

List the processes in tree form using the pstree command. This plugin prints the process list as a tree so we can visualize the parent/child relationships.

volatility pstree -f zeus.vmem --profile=WinXPSP2x86

We did notice that winlogon.exe launched sdra64.exe and that the system process svchost.exe

Now run the malfind plugin. Create a directory called out and let the malfind module dump the embedded program in process id 856.

volatility malfind -f zeus.vmem --profile=WinXPSP2x86 -p 856 -D out
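malfind reports every private, committed, executable region it finds, and legitimate processes have some of those too, so the output needs a first pass before anything is dumped and uploaded. The script below is an added example, not part of the notes: it parses malfind's text output (a constructed sample in the Volatility 2.x layout, not a capture of zeus.vmem) and separates regions whose first bytes are the "MZ" header of a PE image, the classic sign of an injected executable, from regions that need a look at the disassembly. The process names, PIDs and addresses in the sample are assumptions of the example.

```python
"""First-pass triage of malfind hits: which regions start with a PE header.

For each hit malfind prints a header line (process, PID, address), the VAD
protection, a hex dump of the first bytes and a disassembly of them.  A region
beginning with "MZ" is a whole executable image in memory that no file on
disk backs, which is what an injected PE looks like.
"""
import re

# Constructed sample (not a capture) in the Volatility 2.x malfind layout.
MALFIND_SAMPLE = """\
Process: svchost.exe Pid: 856 Address: 0x3d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003d0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x003d0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x3d0000 4d               DEC EBP
0x3d0001 5a               POP EDX

Process: explorer.exe Pid: 1312 Address: 0x1a60000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01a60000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x01a60010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x1a60000 0000             ADD [EAX], AL
"""

HEADER = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)\s+Address:\s+(0x[0-9a-fA-F]+)")
PROTECTION = re.compile(r"Protection:\s+(PAGE_\w+)")
HEXDUMP = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2}\s+){1,16})")

def parse_malfind(text):
    """One dict per hit: process, pid, address, protection and the first dumped bytes."""
    hits, current = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = {"process": h.group(1), "pid": int(h.group(2)),
                       "address": int(h.group(3), 16), "protection": None, "first_bytes": b""}
            hits.append(current)
            continue
        if current is None:
            continue
        p = PROTECTION.search(line)
        if p and current["protection"] is None:
            current["protection"] = p.group(1)
            continue
        d = HEXDUMP.match(line)
        if d and not current["first_bytes"]:      # keep only the first hex-dump line of the hit
            current["first_bytes"] = bytes.fromhex(d.group(1))
    return hits

def pe_injections(hits):
    """Hits whose region starts with an MZ header, as (pid, process, address) sorted by pid."""
    return sorted((h["pid"], h["process"], h["address"]) for h in hits
                  if h["first_bytes"].startswith(b"MZ"))

def review_needed(hits):
    """Executable private regions without an MZ header: shellcode or benign JIT, decide from the disassembly."""
    return sorted((h["pid"], h["process"], h["address"]) for h in hits
                  if not h["first_bytes"].startswith(b"MZ"))

if __name__ == "__main__":
    hits = parse_malfind(MALFIND_SAMPLE)
    for pid, proc, addr in pe_injections(hits):
        print(f"injected PE: {proc} pid {pid} at {addr:#x} -> dump with malfind -p {pid} -D out")
    for pid, proc, addr in review_needed(hits):
        print(f"review: {proc} pid {pid} at {addr:#x} (executable private memory, no MZ)")
```

Regions in the review list are not automatically benign: injected shellcode has no MZ header, so the disassembly malfind prints is the next thing to read for those.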

Now upload the extracted dump from the out directory to VirusTotal; you can see that it is being detected as a Zbot.

Reference

https://code.google.com/p/volatility/wiki/CommandReference#connections