Digital forensics

Memory Forensics Power: An Introduction

April 17, 2017 by Security Ninja

Since we live in a digital world, it becomes utmost important for digital environment to be secure so that we can operate safely and reliably. So often we have heard that an organization, a government website, a social media platform, etc. is under cyber-attack which is carried out by Distributed denial of service(DDoS), Ransomware variants, Virus, Rootkit, etc. Nowadays we have seen malicious authors have changed their way of attacking as they have become more sophisticated and have more advanced tools at their disposal. We know that attackers will target us again and again through different methods. Thus, it becomes increasingly important for organizations to fully investigate any possible intrusion or attack to collect and build up more comprehensive Indicators of Compromise(IoCs). This challenge is further aggravated since attackers are carrying out advanced persistence attacks(APTs) against an organization and traditional tools like Antivirus (AV) are not fully capable of detecting these threats. Research shows that these APT’s can live inside an organization environment without getting detected for nearly six months up to 1 year and some of them are an advanced form of attacks which the organization has fixed earlier and considered safe. Since new malware can hide itself and is often encrypted and obfuscated, it becomes even more challenging for the incident response team to investigate true nature of malware like what resources it is using, what files it is modifying on the affected system, what processes it is creating, etc. To understand and analyze such malware activities, we can capture them in their native form when they are running in memory.

Why Memory Forensics?

Memory forensics helps in analyzing advanced malware since in memory, malware artifacts can be analyzed more thoroughly, and more useful IoCs can be built. For example, memory forensics of famous attacks like Stuxnet, black energy revealed some new artifacts about the attack which were not noticed earlier. Memory Forensics is a process starting from finding an affected system, capturing its memory, analyzing it and if needed dumping the malicious process for further analysis. With memory forensics, we can analyze many types of OS artifacts like running processes, live network connections, loaded drivers, API hooks and artifacts like shim cache that will reside only in memory and gets flushed to disk only after a system reboot. It is also useful for analyzing memory resident malware which never writes any information to disk and thus can go unnoticed. With memory forensics, we can also analyze advanced kernel level attacks like Direct Kernel Object Manipulation(DKOM) to detect malware hiding activity. There are various tools like such as Volatility, Redline, Rekall, etc. which helps in memory forensics.

Memory Forensics Process

Below is a self-explaining diagram showing Memory forensics process at higher level

  • Memory Forensics process starts with the acquisition of target machines. Now these images can be any formats such as:
    • Raw Format
    • Hibernation File
    • Page File
    • Crash Dump etc.

    There are various tools available like MoonSols, Belkasoft RAM capture which will assist in the acquisition of the image. For page files remember that there can be a maximum of 16-page files in a system, so once the image is acquired analyst must check for all available page files. For a Hibernation file, before the analyst starts analyzing the image, it needs to be decompressed. Also for the VM’s image taking a snapshot is the best way to start however keep in mind that there are other files as other than snapshot which might contain some relevant data.

  • Once the Image is acquired, then the next step is to ensure that the image profiling is done. Normally tools like Volatility look for KDBG block to find out the image OS and Service Pack. Since this block leads to Active process list and loaded modules, you can also find information like a number of active processes, the number of loaded modules directly from such high level. Once the profile is selected, then we start finding other artifacts from the acquired image like running process on the system when the image is acquired, what dlls are loaded, what network connections were active at the time of acquiring. There are lot more artifacts that can be collected from the system at this point.
  • Once the profiling is done, then the analyst compare the outcome of different artifacts with the normal and find out discrepancies. Since memory data is huge, this step requires experience and OS level understanding to filter out known goods. Once the outliers are established, it can be used to make IOC’s, or if some other interesting section of memory is acquired, then that portion of memory is dumped for further analysis.

Challenges in Memory Forensics

  • Most important part is to make sure that the image is acquired properly and it maintains its integrity throughout the course of analysis and investigation. Without a clean capture of the image it would leave very fewer artifacts in the image to analyze if not none.
  • With frequent OS releases from OS vendors, OS internal structures are changing rapidly, but the tools which are used by memory forensics are not compatible with such images. For example, there are very image acquiring software’s which are not compatible with Windows 10.
  • Since Virtualization is adopted by all organizations these days, it is creating a gap between the image formats provided by VM vendors and what can be analyzed by the analysis software.
  • As described above, memory forensics data land is huge and requires a thorough understanding of internal structures and expected(benign) OS/process’s behavior to filter out known goods from the anomalies.
  • Like mentioned above, for the interested memory regions which require further analysis, those sections need to be dumped. To analyze end to end, memory forensics must be combined with Reverse Engineering.

Thus, memory forensics has a lot of power to establish hidden context in an investigation, and thus it should be included as an integral part of every investigation. Memory forensics has its own challenges, but they can be overcome with experience and practice.

Posted: April 17, 2017
Security Ninja
View Profile