[Day 11] Memory Forensics: Not all gifts are nice
The Course
Memory Forensics
Memory forensics is the analysis of the volatile memory that is in use when a computer is powered on. Computers use dedicated storage devices called Random Access Memory (RAM) to remember what is being performed on the computer at the time. RAM is extremely quick and is the preferred method of storing and accessing data. However, it is limited compared to storage devices such as hard drives. This type of data is volatile because it will be deleted when the computer is powered off. RAM stores data such as your clipboard or unsaved files.
We can analyse a computer’s memory to see what applications (processes) were running, what network connections were being made, and many more useful pieces of information. For example, we can analyse the memory of a computer infected with malware to see what the malware was doing at the time.
Let’s think about cooking. You normally store all of your food in the fridge; a hard drive is this fridge. When you are cooking, you will put ingredients on the kitchen counter so that you can quickly reach them, but the kitchen counter (RAM) is much smaller than the fridge (hard drive).
Why is Memory Forensics Useful?
Memory forensics is an extremely important element when investigating a computer. A memory dump is a full capture of what was happening on the computer at the time, for example, network connections or things running in the background. Most of the time, malicious code attempts to hide from the user. However, it cannot hide from memory.
We can use this capture of the memory for analysis at a later date, especially as the memory on the computer will eventually be lost (if, for example, we power off the computer to prevent malware from spreading). By analysing the memory, we can discover exactly what the malware was doing, who it was contacting, and so forth.
An Introduction to Processes
At the simplest, a process is a running program. For example, a process is created when running an instance of notepad. You can have multiple processes for an application (for example, running three instances of notepad will create three processes). This is important to know because being able to determine what processes were running on the computer will tell us what applications were running at the time of the capture.
On Windows, we can use Task Manager (pictured below) to view and manage the processes running on the computer. On a computer, processes are usually categorised into two groups:

| Category | Description | Example |
|---|---|---|
| User Process | These processes are programs that the user has launched. For example, text editors, web browsers, etc. | notepad.exe - this is a text editor that is launched by the user. |
| Background Process | These processes are automatically launched and managed by the Operating System and are often essential to the Operating System behaving correctly. | dwm.exe - this is an essential process for Windows that is responsible for displaying windows and applications on the computer. |
Introducing Volatility
Volatility is an open-source memory forensics toolkit written in Python. Volatility allows us to analyse memory dumps taken from Windows, Linux and Mac OS devices and is an extremely popular tool in memory forensics. For example, Volatility allows us to:
List all processes that were running on the device at the time of the capture
List active and closed network connections
Use Yara rules to search for indicators of malware
Retrieve hashed passwords, clipboard contents, and contents of the command prompt
And much, much more!
Once Volatility and its requirements (i.e. Python) are installed, Volatility can be run using python3 vol.py. The terminal below displays Volatility’s help menu:
```
cmnatic@aoc2022-day-11:~/volatility3$ python3 vol.py -h
Volatility 3 Framework 2.4.1
usage: volatility
                  plugin ...

An open-source memory forensics framework

optional arguments:
  -h, --help            Show this help message and exit, for specific plugin options use 'volatility <pluginname> --help'
  -c CONFIG, --config CONFIG
--cropped for brevity--
```
Finally, we need to decide what we want to analyse the image for. Volatility uses plugins to perform the analysis, for example:
Listing processes
Listing network connections
Listing contents of the clipboard, notepad, or command prompt
And much more! If you’re curious, you can read the documentation here.
In this task, we are going to use Volatility to:
See what Operating System the memory dump is from
See what processes were running at the time of capture
See what connections were being made at the time of capture
Using Volatility to Analyse an Image
Before proceeding with our analysis, we need to confirm the Operating System of the device that the memory has been captured from. We need to confirm this because it will determine what plugins we can use in our investigation.
First, let’s use the windows.info plugin (the Volatility 3 counterpart of Volatility 2’s imageinfo) to analyse our memory dump file and determine the Operating System. To do this, we need to use the following command (remembering to include our memory dump by using the -f option): python3 vol.py -f workstation.vmem windows.info
Note: This can sometimes take a couple of minutes, depending on the size of the memory dump and the hardware of the system running the scan.
| Plugin | Description | Objective |
|---|---|---|
| windows.pslist | This plugin lists all of the processes that were running at the time of the capture. | To discover what processes were running on the system. |
| windows.psscan | This plugin allows us to analyse a specific process further. | To discover what a specific process was actually doing. |
| windows.dumpfiles | This plugin allows us to export the process, where we can perform further analysis (i.e. static or dynamic analysis). | To export a specific binary so that we can analyse it further through static or dynamic analysis. |
| windows.netstat | This plugin lists all network connections at the time of the capture. | To understand what connections were being made. For example, was a process causing the computer to connect to a malicious server? We can use this IP address to implement defensive measures on other devices. For example, if we know an IP address is malicious, and another device is communicating with it, then we know that device is also infected. |
Please note that these are not all of the available plugins. An extensive list of the Windows sub-set of plugins can be found here.
The Challenge
Well, as you will have gathered, this is about putting into practice some fairly basic principles of memory dump analysis.
Question 1: What is the Windows version number that the memory image captured?
```
elfmcblue@aoc2022-day-11:~/volatility3$ python3 vol.py -f workstation.vmem windows.info
Volatility 3 Framework 2.4.1
Kernel Base                     0xf803218a8000
DTB                             0x1ad000
Symbols                         file:///home/elfmcblue/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/E0093F3AEF15D58168B753C9488A4043-1.json.xz
Is64Bit                         True
IsPAE                           False
layer_name                      0 WindowsIntel32e
memory_layer                    1 FileLayer
KdVersionBlock                  0xf80321cd23c8
Major/Minor                     15.18362
MachineType                     34404
KeNumberProcessors              4
SystemTime                      2022-11-23 10:15:56
NtSystemRoot                    C:\Windows
NtProductType                   NtProductWinNt
NtMajorVersion                  10
NtMinorVersion                  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine                      34404
PE TimeDateStamp                Mon Apr 14 21:36:50 2104
elfmcblue@aoc2022-day-11:~/volatility3$
```
Question 2: What is the name of the binary/gift that secret Santa left?
```
elfmcblue@aoc2022-day-11:~/volatility3$ python3 vol.py -f workstation.vmem windows.pslist
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID    PPID   ImageFileName   Offset(V)       Threads  Handles  SessionId  Wow64  CreateTime                  ExitTime                    File output
4      0      System          0xc0090b286040  141      -        N/A        False  2022-11-23 09:43:13.000000  N/A                         Disabled
104    4      Registry        0xc0090b2dd080  4        -        N/A        False  2022-11-23 09:43:04.000000  N/A                         Disabled
316    4      smss.exe        0xc0090e438400  2        -        N/A        False  2022-11-23 09:43:13.000000  N/A                         Disabled
436    428    csrss.exe       0xc0090ea65140  10       -        0          False  2022-11-23 09:43:18.000000  N/A                         Disabled
512    504    csrss.exe       0xc0090f35e140  12       -        1          False  2022-11-23 09:43:19.000000  N/A                         Disabled
536    428    wininit.exe     0xc0090f2c0080  1        -        0          False  2022-11-23 09:43:19.000000  N/A                         Disabled
584    504    winlogon.exe    0xc0090f383080  3        -        1          False  2022-11-23 09:43:19.000000  N/A                         Disabled
656    536    services.exe    0xc0090e532340  5        -        0          False  2022-11-23 09:43:20.000000  N/A                         Disabled
680    536    lsass.exe       0xc0090f3a5080  6        -        0          False  2022-11-23 09:43:20.000000  N/A                         Disabled
792    656    svchost.exe     0xc0090fa33240  12       -        0          False  2022-11-23 09:43:22.000000  N/A                         Disabled
820    536    fontdrvhost.ex  0xc0090f3a3140  5        -        0          False  2022-11-23 09:43:22.000000  N/A                         Disabled
828    584    fontdrvhost.ex  0xc0090fa39140  5        -        1          False  2022-11-23 09:43:22.000000  N/A                         Disabled
916    656    svchost.exe     0xc0090fad72c0  7        -        0          False  2022-11-23 09:43:23.000000  N/A                         Disabled
1000   584    dwm.exe         0xc0090fb0b080  13       -        1          False  2022-11-23 09:43:24.000000  N/A                         Disabled
380    656    svchost.exe     0xc0090fba9240  41       -        0          False  2022-11-23 09:43:25.000000  N/A                         Disabled
420    656    svchost.exe     0xc0090fbbf280  15       -        0          False  2022-11-23 09:43:25.000000  N/A                         Disabled
1116   656    svchost.exe     0xc0090fc2e2c0  16       -        0          False  2022-11-23 09:43:26.000000  N/A                         Disabled
1124   656    svchost.exe     0xc0090fc302c0  16       -        0          False  2022-11-23 09:43:26.000000  N/A                         Disabled
1204   656    svchost.exe     0xc0090fc2a080  19       -        0          False  2022-11-23 09:43:26.000000  N/A                         Disabled
1256   4      MemCompression  0xc0090fa35040  34       -        N/A        False  2022-11-23 09:43:26.000000  N/A                         Disabled
1292   656    svchost.exe     0xc0090fc752c0  2        -        0          False  2022-11-23 09:43:26.000000  N/A                         Disabled
1436   656    svchost.exe     0xc0090fdb52c0  7        -        0          False  2022-11-23 09:43:28.000000  N/A                         Disabled
1536   656    svchost.exe     0xc0090fdc42c0  17       -        0          False  2022-11-23 09:43:28.000000  N/A                         Disabled
1576   656    svchost.exe     0xc0090fdf32c0  4        -        0          False  2022-11-23 09:43:29.000000  N/A                         Disabled
1584   656    svchost.exe     0xc0090fdf52c0  3        -        0          False  2022-11-23 09:43:29.000000  N/A                         Disabled
1656   656    svchost.exe     0xc0090fe96240  2        -        0          False  2022-11-23 09:43:29.000000  N/A                         Disabled
1708   656    spoolsv.exe     0xc0090fea3200  7        -        0          False  2022-11-23 09:43:29.000000  N/A                         Disabled
1816   656    svchost.exe     0xc0090ff092c0  12       -        0          False  2022-11-23 09:43:30.000000  N/A                         Disabled
2064   656    svchost.exe     0xc009100ee240  10       -        0          False  2022-11-23 09:43:34.000000  N/A                         Disabled
2108   656    vm3dservice.ex  0xc009100f1240  2        -        0          False  2022-11-23 09:43:34.000000  N/A                         Disabled
2216   656    vmtoolsd.exe    0xc0091030c280  13       -        0          False  2022-11-23 09:43:35.000000  N/A                         Disabled
2236   656    VGAuthService.  0xc009100f3080  2        -        0          False  2022-11-23 09:43:35.000000  N/A                         Disabled
2440   656    svchost.exe     0xc0090b336080  11       -        0          False  2022-11-23 09:43:37.000000  N/A                         Disabled
2528   2108   vm3dservice.ex  0xc0090b303080  2        -        1          False  2022-11-23 09:43:38.000000  N/A                         Disabled
2984   656    dllhost.exe     0xc00910456280  10       -        0          False  2022-11-23 09:43:44.000000  N/A                         Disabled
780    656    msdtc.exe       0xc00910595280  9        -        0          False  2022-11-23 09:43:46.000000  N/A                         Disabled
516    792    WmiPrvSE.exe    0xc009105b9280  11       -        0          False  2022-11-23 09:43:53.000000  N/A                         Disabled
3464   380    sihost.exe      0xc00910825280  6        -        1          False  2022-11-23 09:43:59.000000  N/A                         Disabled
3500   656    svchost.exe     0xc00910704300  11       -        1          False  2022-11-23 09:43:59.000000  N/A                         Disabled
3540   380    taskhostw.exe   0xc0091074a300  8        -        1          False  2022-11-23 09:43:59.000000  N/A                         Disabled
3724   420    ctfmon.exe      0xc00910799080  9        -        1          False  2022-11-23 09:44:00.000000  N/A                         Disabled
4040   584    userinit.exe    0xc009109cb340  0        -        1          False  2022-11-23 09:44:05.000000  2022-11-23 09:44:41.000000  Disabled
4064   4040   explorer.exe    0xc009109cd400  86       -        1          False  2022-11-23 09:44:05.000000  N/A                         Disabled
4268   656    svchost.exe     0xc00910cbd300  5        -        1          False  2022-11-23 09:44:13.000000  N/A                         Disabled
4816   792    StartMenuExper  0xc00910e6a4c0  9        -        1          False  2022-11-23 09:44:21.000000  N/A                         Disabled
4948   792    RuntimeBroker.  0xc00911021080  2        -        1          False  2022-11-23 09:44:23.000000  N/A                         Disabled
5052   656    SearchIndexer.  0xc0091109d240  16       -        0          False  2022-11-23 09:44:25.000000  N/A                         Disabled
5096   792    SearchUI.exe    0xc009110a1080  62       -        1          False  2022-11-23 09:44:25.000000  N/A                         Disabled
5156   792    RuntimeBroker.  0xc00911564080  9        -        1          False  2022-11-23 09:44:28.000000  N/A                         Disabled
2760   4064   SecurityHealth  0xc00910fa8380  1        -        1          False  2022-11-23 09:44:45.000000  N/A                         Disabled
1048   656    SecurityHealth  0xc0090b39e080  9        -        0          False  2022-11-23 09:44:46.000000  N/A                         Disabled
2120   4064   vmtoolsd.exe    0xc0091134c3c0  9        -        1          False  2022-11-23 09:44:46.000000  N/A                         Disabled
5868   4064   msedge.exe      0xc00910faa4c0  0        -        1          False  2022-11-23 09:44:46.000000  2022-11-23 09:58:15.000000  Disabled
5892   4064   OneDrive.exe    0xc0091189a400  25       -        1          True   2022-11-23 09:44:47.000000  N/A                         Disabled
6416   792    dllhost.exe     0xc009103904c0  5        -        1          False  2022-11-23 09:45:16.000000  N/A                         Disabled
6772   792    SkypeApp.exe    0xc00910dc40c0  42       -        1          False  2022-11-23 09:45:22.000000  N/A                         Disabled
6924   792    SkypeBackgroun  0xc00911949240  4        -        1          False  2022-11-23 09:45:22.000000  N/A                         Disabled
3580   792    RuntimeBroker.  0xc00910bd8300  1        -        1          False  2022-11-23 09:45:24.000000  N/A                         Disabled
3912   792    RuntimeBroker.  0xc00911c18080  1        -        1          False  2022-11-23 09:45:29.000000  N/A                         Disabled
6828   656    svchost.exe     0xc00910057080  8        -        0          False  2022-11-23 09:45:39.000000  N/A                         Disabled
4244   656    SgrmBroker.exe  0xc00911c29080  3        -        0          False  2022-11-23 09:45:49.000000  N/A                         Disabled
4368   656    svchost.exe     0xc00911e2d080  9        -        0          False  2022-11-23 09:45:50.000000  N/A                         Disabled
1524   656    svchost.exe     0xc00911d69080  3        -        0          False  2022-11-23 09:45:59.000000  N/A                         Disabled
5796   792    smartscreen.ex  0xc009110e9080  11       -        1          False  2022-11-23 09:52:45.000000  N/A                         Disabled
2272   792    WindowsInterna  0xc00910e6f080  15       -        1          False  2022-11-23 09:53:36.000000  N/A                         Disabled
4600   656    svchost.exe     0xc00910dd5480  4        -        0          False  2022-11-23 09:54:27.000000  N/A                         Disabled
7000   656    MsMpEng.exe     0xc0091044c080  34       -        0          False  2022-11-23 09:54:37.000000  N/A                         Disabled
4980   4064   notepad.exe     0xc00911a93080  1        -        1          False  2022-11-23 09:54:38.000000  N/A                         Disabled
6572   656    NisSrv.exe      0xc00911e2c080  4        -        0          False  2022-11-23 09:54:44.000000  N/A                         Disabled
5884   4064   procexp64.exe   0xc00910cb9080  4        -        1          False  2022-11-23 09:56:13.000000  N/A                         Disabled
7128   5868   msedge.exe      0xc009127410c0  0        -        1          False  2022-11-23 09:58:15.000000  2022-11-23 10:01:54.000000  Disabled
6584   792    ApplicationFra  0xc0090b375080  2        -        1          False  2022-11-23 09:58:58.000000  N/A                         Disabled
1920   792    RuntimeBroker.  0xc00911bd7080  1        -        1          False  2022-11-23 09:59:00.000000  N/A                         Disabled
1928   4064   cmd.exe         0xc0090b3a84c0  1        -        1          False  2022-11-23 09:59:09.000000  N/A                         Disabled
6604   1928   conhost.exe     0xc0091418d080  4        -        1          False  2022-11-23 09:59:09.000000  N/A                         Disabled
4640   792    WinStore.App.e  0xc009141a24c0  11       -        1          False  2022-11-23 09:59:24.000000  N/A                         Disabled
5888   4064   cmd.exe         0xc00911867080  1        -        1          False  2022-11-23 09:59:38.000000  N/A                         Disabled
5932   5888   conhost.exe     0xc00911bbf080  4        -        1          False  2022-11-23 09:59:38.000000  N/A                         Disabled
6220   792    ShellExperienc  0xc00911c4a4c0  14       -        1          False  2022-11-23 10:01:52.000000  N/A                         Disabled
3944   792    RuntimeBroker.  0xc009119954c0  1        -        1          False  2022-11-23 10:01:54.000000  N/A                         Disabled
4560   7128   msedge.exe      0xc0091185d4c0  27       -        1          False  2022-11-23 10:01:54.000000  N/A                         Disabled
5208   4560   msedge.exe      0xc0091275a4c0  7        -        1          False  2022-11-23 10:01:54.000000  N/A                         Disabled
192    4560   msedge.exe      0xc00911da74c0  13       -        1          False  2022-11-23 10:01:54.000000  N/A                         Disabled
804    4560   msedge.exe      0xc009142904c0  11       -        1          False  2022-11-23 10:01:54.000000  N/A                         Disabled
5596   4560   msedge.exe      0xc009142934c0  7        -        1          False  2022-11-23 10:01:54.000000  N/A                         Disabled
3108   1928   python.exe      0xc00911c2d4c0  2        -        1          False  2022-11-23 10:02:27.000000  N/A                         Disabled
2960   5052   SearchProtocol  0xc0091275c4c0  6        -        0          False  2022-11-23 10:14:10.000000  N/A                         Disabled
3780   5052   SearchFilterHo  0xc009105b50c0  4        -        0          False  2022-11-23 10:14:10.000000  N/A                         Disabled
2040   5888   mysterygift.ex  0xc0090b52e4c0  3        -        1          False  2022-11-23 10:15:19.000000  N/A                         Disabled
388    5052   SearchProtocol  0xc00912bf24c0  7        -        1          False  2022-11-23 10:15:24.000000  N/A                         Disabled
```
Towards the bottom of the list we find an executable, "mysterygift.exe". It quickly becomes clear that this is the malicious binary.
Question 3: What is the Process ID (PID) of this binary?
For this question, windows.psscan can be used. It returns the same list, but this time with the PID and the PPID clearly separated. Either way, it is the same value as in the listing above once the PPID that was run together with it is dropped: 2040.
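To turn a process list like the one above into something you can reason about, here is an added Python example (not code from the write-up or from Volatility) that parses the tab-separated windows.pslist output, walks a process's ancestry and lists what a given parent spawned; the rows are a constructed subset of the output above. A parent that is absent from the dump ends the chain, and exited processes are kept because Volatility still lists them.

```python
# Constructed sample: a subset of the rows from the write-up's pslist output,
# in the tab-separated layout Volatility 3's default text renderer prints.
PSLIST_OUTPUT = """\
Volatility 3 Framework 2.4.1
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
584\t504\twinlogon.exe\t0xc0090f383080\t3\t-\t1\tFalse\t2022-11-23 09:43:19.000000\tN/A\tDisabled
4040\t584\tuserinit.exe\t0xc009109cb340\t0\t-\t1\tFalse\t2022-11-23 09:44:05.000000\t2022-11-23 09:44:41.000000\tDisabled
4064\t4040\texplorer.exe\t0xc009109cd400\t86\t-\t1\tFalse\t2022-11-23 09:44:05.000000\tN/A\tDisabled
5888\t4064\tcmd.exe\t0xc00911867080\t1\t-\t1\tFalse\t2022-11-23 09:59:38.000000\tN/A\tDisabled
5932\t5888\tconhost.exe\t0xc00911bbf080\t4\t-\t1\tFalse\t2022-11-23 09:59:38.000000\tN/A\tDisabled
2040\t5888\tmysterygift.ex\t0xc0090b52e4c0\t3\t-\t1\tFalse\t2022-11-23 10:15:19.000000\tN/A\tDisabled
"""

def parse_pslist(text):
    """Map PID -> {pid, ppid, name, create, exited}; banner and progress lines are skipped."""
    procs, header = {}, None
    for line in text.splitlines():
        cols = line.split("\t")
        if cols[0] == "PID":
            header = cols
            continue
        if header is None or len(cols) != len(header):
            continue  # not a data row
        row = dict(zip(header, cols))
        pid = int(row["PID"])
        procs[pid] = {"pid": pid, "ppid": int(row["PPID"]), "name": row["ImageFileName"],
                      "create": row["CreateTime"], "exited": row["ExitTime"] != "N/A"}
    return procs

def ancestry(procs, pid):
    """Image names from pid up its parent chain; stops at a PPID absent from the dump."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # PID reuse could otherwise produce a cycle
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain

def spawned_by(procs, parent_name):
    """(pid, name) of every process whose parent image is parent_name, sorted by PID."""
    return sorted((p["pid"], p["name"]) for p in procs.values()
                  if p["ppid"] in procs and procs[p["ppid"]]["name"] == parent_name)

if __name__ == "__main__":
    procs = parse_pslist(PSLIST_OUTPUT)
    print("ancestry of 2040:", " <- ".join(ancestry(procs, 2040)))
    print("children of cmd.exe:", spawned_by(procs, "cmd.exe"))
    # Exited processes are still in the dump and matter when reading the chain
    print("exited:", [p["name"] for p in procs.values() if p["exited"]])
```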
Question 4: Dump the contents of this binary. How many files are dumped?
The aim of this question is simply to show how Volatility's dump works. It is not about seeing which files the malware retrieved.
```
elfmcblue@aoc2022-day-11:~/volatility3$ python3 vol.py -f workstation.vmem windows.dumpfiles --pid 2040
elfmcblue@aoc2022-day-11:~/volatility3$ ls -l *img | wc -l
16
```