Introduction to Memory Analysis

Edgis Sharing Session – Introduction to Memory Analysis at Whitehat Society, Singapore Management University September, 2012

Page 1: Introduction to Memory Analysis

Emil Tan

Team Lead, Co-Founder

http://edgis-security.org

@EdgisSecurity

Introduction to Memory Analysis

Page 2: Introduction to Memory Analysis

Agenda

What can you find in the memory?

Why perform memory analysis?

Tools to perform memory acquisition

Tools to perform memory analysis

Memory analysis demonstration using Mandiant Redline™

Memory analysis for forensics investigation

Page 3: Introduction to Memory Analysis

What can you find in the memory?

The state of the machine

Processes and threads (including hidden processes)

Network connections (sockets, IP addresses, domain names, ports)

Hardware and software configuration

Event logs

Windows registry keys

And many more

Encryption keys, passwords, caches, clipboards, etc.

It’s a rich data source!

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 6

Page 4: Introduction to Memory Analysis

Why perform memory analysis?

It’s a rich data source

Understand the state of the machine

Behavioural analysis of users, attackers, processes

Best place to look for traces of malicious activity

Find malware (including rootkits!)

Difficult to clean up traces left in memory

Malware needs to be unpacked to be executed

Data not found on the hard disk (e.g. memory-only malware, network activity)

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 7

Page 5: Introduction to Memory Analysis

Tools to perform memory acquisition

MoonSols DumpIt (Windows x86 and x64)

MoonSols Windows Memory Toolkit

Mandiant Redline™

Virtual Machines (Snapshots / Save states)

VMware (.vmem)

Microsoft Hyper-V (.bin)

Parallels (.mem)

VirtualBox (.sav)... Not quite.

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 14, 17

Page 6: Introduction to Memory Analysis

Tools to perform malware analysis

String searching (e.g. grep)

But you can’t inspect memory based on memory structure

Mandiant Redline™

Mandiant Memoryze™

Volatility

Internet Evidence Finder (IEF)

F-Response

HBGary Responder

Volafox

Second Look®

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 22 – 25

Page 7: Introduction to Memory Analysis

Processes

Unidentifiable Processes and Threads

File path

Parent process

Parameters / arguments

SID

Start time

Malware Rating Index

Looking into: Process Objects

DLLs

Handles

Threads

Memory Sections

Sockets

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 49, 51
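
The attributes listed on this slide (file path, parent process, arguments, account/SID, instance count) are what an analyst compares against a known-good baseline to pick out a process that does not belong. The following is an added example, not code from the talk, from Mandiant Redline or from SANS. Its baseline values (where lsass.exe, services.exe and svchost.exe normally live, who spawns them, which accounts they run as, and that svchost.exe is always launched with a `-k` group argument) are assumptions for illustration on a Windows 7-era layout; the process records are constructed to resemble a Volatility pslist-style listing, and the PIDs, user name `alice` and temp paths are made up. The flag count it produces is a plain tally, not Redline's Malware Rating Index.

```python
"""Process triage against a small baseline (added example, constructed input)."""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    user: str      # account the process runs as (a SID would serve equally)
    args: str = ""


# Assumed baseline for a few Windows system processes (Windows 7-era layout):
# expected binary location, expected parent, accounts it normally runs under,
# whether only one instance is expected, and an argument that must be present.
BASELINE = {
    "lsass.exe": dict(path=r"c:\windows\system32\lsass.exe", parent="wininit.exe",
                      users={"SYSTEM"}, single=True, arg=None),
    "services.exe": dict(path=r"c:\windows\system32\services.exe", parent="wininit.exe",
                         users={"SYSTEM"}, single=True, arg=None),
    "svchost.exe": dict(path=r"c:\windows\system32\svchost.exe", parent="services.exe",
                        users={"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"},
                        single=False, arg="-k"),
}


def lookalike(name):
    """Return the baseline name that differs from `name` in exactly one character, if any."""
    for known in BASELINE:
        if len(known) == len(name) and sum(a != b for a, b in zip(known, name)) == 1:
            return known
    return None


def triage(procs):
    """Return {pid: [flags]} for every process that deviates from the baseline."""
    by_pid = {p.pid: p for p in procs}
    counts = {}
    for p in procs:
        counts[p.name.lower()] = counts.get(p.name.lower(), 0) + 1

    findings = {}
    for p in procs:
        name = p.name.lower()
        flags = []
        base = BASELINE.get(name)
        if base is None:
            # Not a baselined name: only check for a near-miss of one (e.g. svch0st.exe)
            known = lookalike(name)
            if known:
                flags.append(f"name resembles {known}")
        else:
            if p.path.lower() != base["path"]:
                flags.append("unexpected path")
            parent = by_pid.get(p.ppid)
            parent_name = parent.name.lower() if parent else "<not in list>"
            if parent_name != base["parent"]:
                flags.append(f"unexpected parent {parent_name}")
            if p.user not in base["users"]:
                flags.append(f"unexpected account {p.user}")
            if base["single"] and counts[name] > 1:
                flags.append("multiple instances")
            if base["arg"] and base["arg"] not in p.args.split():
                flags.append(f"missing argument {base['arg']}")
        if flags:
            findings[p.pid] = flags
    return findings


# Constructed listing: PIDs, the user 'alice' and the temp paths are made up.
SAMPLE = [
    Proc(4, 0, "System", "", "SYSTEM"),
    Proc(400, 380, "wininit.exe", r"C:\Windows\System32\wininit.exe", "SYSTEM"),
    Proc(480, 400, "lsass.exe", r"C:\Windows\System32\lsass.exe", "SYSTEM"),
    Proc(500, 400, "services.exe", r"C:\Windows\System32\services.exe", "SYSTEM"),
    Proc(600, 500, "svchost.exe", r"C:\Windows\System32\svchost.exe", "SYSTEM", "-k netsvcs"),
    Proc(2000, 1900, "explorer.exe", r"C:\Windows\explorer.exe", "alice"),
    Proc(1337, 2000, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "alice"),
    Proc(3000, 2000, "svch0st.exe", r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", "alice"),
]

if __name__ == "__main__":
    for pid, flags in triage(SAMPLE).items():
        print(pid, flags)
```

Run against the constructed listing, PID 1337 collects four flags (wrong path, wrong parent, wrong account, no `-k` argument) and PID 3000 is caught only by the lookalike check; every baselined system process passes. In practice the baseline should be built from a clean image of the same Windows build, since parent and path conventions differ between versions.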

Page 8: Introduction to Memory Analysis
Page 9: Introduction to Memory Analysis
Page 10: Introduction to Memory Analysis
Page 11: Introduction to Memory Analysis

Network Connections

Sockets

IP addresses

Ports

Processes

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 72
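
Network artefacts in memory are only useful once each socket is tied back to its owning process, which is why the slide lists processes alongside sockets, addresses and ports. The following is an added example, not code from the talk or from any of the tools it names. It cross-checks a connection listing against the process listing from the same image: a connection owned by a PID that is not in the process list points at a hidden or already-exited process, and connections to addresses outside the organisation's own ranges are grouped per process for review. The connection records and PID-to-name map are constructed to resemble netstat/netscan-style output; the internal ranges are an assumed site configuration, and the remote addresses come from the RFC 5737 documentation ranges.

```python
"""Correlate socket records with the process list (added example, constructed input)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Conn:
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str
    pid: int        # owning process as recorded in the socket object


# Assumed address ranges that belong to the site being investigated.
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(addr):
    """True when the address is neither unspecified (a listener) nor in an internal range."""
    ip = ip_address(addr)
    return not ip.is_unspecified and not any(ip in n for n in INTERNAL)


def correlate(conns, procs):
    """Return (orphans, external).

    orphans  - connections whose owning PID is absent from the process list
    external - {pid: [(process name, "remote:port"), ...]} for routable remotes
    """
    orphans = []
    external = {}
    for c in conns:
        name = procs.get(c.pid)
        if name is None:
            orphans.append(c)
        if is_external(c.remote_addr):
            external.setdefault(c.pid, []).append(
                (name or "<unknown>", f"{c.remote_addr}:{c.remote_port}"))
    return orphans, external


# Constructed process list and connection records (PIDs and addresses made up).
PROCS = {4: "System", 480: "lsass.exe", 600: "svchost.exe", 2000: "explorer.exe", 2100: "iexplore.exe"}
CONNS = [
    Conn("TCPv4", "0.0.0.0", 445, "0.0.0.0", 0, "LISTENING", 4),
    Conn("TCPv4", "192.168.1.10", 49152, "192.168.1.5", 389, "ESTABLISHED", 480),   # LDAP to a DC
    Conn("TCPv4", "192.168.1.10", 49160, "203.0.113.20", 80, "ESTABLISHED", 2100),
    Conn("TCPv4", "192.168.1.10", 49170, "198.51.100.7", 443, "ESTABLISHED", 1337),  # owner not listed
]

if __name__ == "__main__":
    orphans, external = correlate(CONNS, PROCS)
    for c in orphans:
        print("no process for PID", c.pid, c.remote_addr, c.remote_port)
    for pid, targets in external.items():
        print(pid, targets)
```

On the constructed data the socket owned by PID 1337 has no process behind it, which is the case worth investigating first; the lsass.exe connection to an internal directory server is not reported as external, and iexplore.exe's web connection is listed for the analyst to judge rather than flagged as malicious.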

Page 12: Introduction to Memory Analysis
Page 13: Introduction to Memory Analysis

Code injection

Code injection is evil!

DLL Injection

Process hollowing

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 74

Page 14: Introduction to Memory Analysis
Page 15: Introduction to Memory Analysis

Further analysis

Process and Drivers acquisition

Scanning engines

Analysis sandboxes

Static and dynamic malware analysis

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 102

Page 16: Introduction to Memory Analysis

Indicators of Compromise

Experience

OpenIOC

Create signatures

Page 17: Introduction to Memory Analysis

Memory analysis for forensics investigation

Memory acquisition may change the state of evidence, but...

Memory is a rich data source!

Hash acquired memory file during initial acquisition

Acquire all kinds of evidence even if you do not have the capabilities to analyse them now.
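
Hashing the image at acquisition time is what lets you later show that the file analysed is the file acquired, since memory changes constantly and a second acquisition can never reproduce the first. The following is an added example, not code from the talk or from any acquisition tool. It streams the image through MD5 and SHA-256 in one pass (images are large; nothing is read whole), writes a small JSON manifest with the file name, size, acquisition time and digests, and re-checks the file against that manifest. The `demo()` function exercises the round trip on a constructed three-byte stand-in for a memory image and then flips one byte to show the verification fail; the manifest layout is an assumption, not a standard format.

```python
"""Hash an acquired memory image and verify it later (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha256")   # md5 for older tooling, sha256 as the real check
CHUNK = 4 * 1024 * 1024          # read the image in 4 MiB pieces


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} computed in a single streaming pass."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def write_manifest(image_path, manifest_path, note=""):
    """Record name, size, UTC acquisition time and digests beside the image."""
    manifest = {
        "file": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "digests": hash_file(image_path),
        "note": note,
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(image_path, manifest_path):
    """True if the image still has the size and every digest recorded at acquisition."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    if os.path.getsize(image_path) != manifest["size"]:
        return False
    return hash_file(image_path, list(manifest["digests"])) == manifest["digests"]


def demo():
    """Round trip on a constructed stand-in image; returns the digest and both verdicts."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "host.raw")
        manifest = os.path.join(d, "host.raw.manifest.json")
        with open(image, "wb") as f:
            f.write(b"abc")                     # constructed stand-in for a memory image
        m = write_manifest(image, manifest, note="constructed sample")
        ok_before = verify(image, manifest)
        with open(image, "r+b") as f:           # change one byte to simulate a modified image
            f.seek(1)
            f.write(b"X")
        ok_after = verify(image, manifest)
    return {"sha256": m["digests"]["sha256"], "before": ok_before, "after": ok_after}


if __name__ == "__main__":
    print(demo())
```

Compute the manifest on the acquisition host immediately after the dump finishes and copy it with the image; a later mismatch tells you only that the file changed, not when, so the manifest's timestamp and your contemporaneous notes are what anchor the chain of custody.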

Page 18: Introduction to Memory Analysis

References

Don’t Pull the Plug: Windows Memory Analysis & Forensics by Rob Lee

FOR 508 – Advanced Computer Forensics Analysis & Incident Response

508.2 Memory Analysis for Incident Response

by Rob Lee & Chad Tilbury

3 Phases of Malware Analysis by Lenny Zeltser

Page 19: Introduction to Memory Analysis

SANS Digital Forensics & Incident Response Curriculum

Page 20: Introduction to Memory Analysis

More Resources

SANS Computer Forensics http://computer-forensics.sans.org/

SANS Memory Forensics Cheat Sheet v1.0 (Pocket Reference Guide)