Memory Forensics Power: An Introduction

April 17, 2017 by Security Ninja

Since we live in a digital world, it is of utmost importance that the digital environment be secure so that we can operate safely and reliably. We often hear that an organization, a government website, a social media platform, etc. is under cyber-attack, carried out by means of Distributed Denial of Service (DDoS), ransomware variants, viruses, rootkits, etc. Malware authors have changed the way they attack: they have become more sophisticated and have more advanced tools at their disposal. We know that attackers will target us again and again through different methods. Thus, it becomes increasingly important for organizations to fully investigate any possible intrusion or attack in order to collect and build more comprehensive Indicators of Compromise (IoCs). This challenge is further aggravated because attackers are carrying out advanced persistent threat (APT) campaigns against organizations, and traditional tools like antivirus (AV) are not fully capable of detecting these threats. Research shows that these APTs can live inside an organization's environment without being detected for six months to a year, and some of them are advanced forms of attacks which the organization had fixed earlier and considered safe. Since new malware can hide itself and is often encrypted and obfuscated, it becomes even more challenging for the incident response team to investigate the true nature of the malware: what resources it is using, what files it is modifying on the affected system, what processes it is creating, etc. To understand and analyze such malware activity, we can capture it in its native form while it is running in memory.

Why Memory Forensics?

Memory forensics helps in analyzing advanced malware, since in memory the malware's artifacts can be analyzed more thoroughly and more useful IoCs can be built. For example, memory forensics of famous attacks like Stuxnet and BlackEnergy revealed new artifacts about those attacks which had not been noticed earlier. Memory forensics is a process that starts with finding an affected system, capturing its memory and analyzing it, and, if needed, dumping the malicious process for further analysis. With memory forensics we can analyze many types of OS artifacts, such as running processes, live network connections, loaded drivers and API hooks, as well as artifacts like the shim cache that reside only in memory and get flushed to disk only after a system reboot. It is also useful for analyzing memory-resident malware which never writes anything to disk and can thus go unnoticed. With memory forensics we can also analyze advanced kernel-level attacks like Direct Kernel Object Manipulation (DKOM) to detect malware's hiding activity. Various tools, such as Volatility, Redline and Rekall, help with memory forensics.


Memory Forensics Process

Below is a self-explanatory diagram showing the memory forensics process at a high level.

  • The memory forensics process starts with acquiring an image of the target machine's memory. The image can be in any of several formats, such as:
    • Raw format
    • Hibernation file
    • Page file
    • Crash dump, etc.

    There are various tools available, like MoonSols and Belkasoft RAM Capture, which assist in acquiring the image. For page files, remember that a system can have a maximum of 16 page files, so once the image is acquired the analyst must check all available page files. A hibernation file needs to be decompressed before the analyst starts analyzing it. For a VM, taking a snapshot is the best way to start; however, keep in mind that there are files other than the snapshot which might contain relevant data.

  • Once the image is acquired, the next step is to profile it. Tools like Volatility normally look for the KDBG block to determine the image's OS version and service pack. Since this block leads to the active process list and the list of loaded modules, you can also obtain information like the number of active processes and the number of loaded modules directly at this high level. Once the profile is selected, we start finding other artifacts in the acquired image: which processes were running on the system when the image was acquired, which DLLs were loaded, which network connections were active at the time of acquisition, and so on. Many more artifacts can be collected from the system at this point.
  • Once profiling is done, the analyst compares the collected artifacts against what is normal for the system and looks for discrepancies. Since the volume of memory data is huge, this step requires experience and an understanding of OS internals to filter out known-good items. Once the outliers are established, they can be used to build IoCs, or, if some other interesting region of memory is identified, that portion of memory is dumped for further analysis.
Challenges in Memory Forensics

  • The most important part is to make sure that the image is acquired properly and that it maintains its integrity throughout the course of the analysis and investigation. Without a clean capture, the image will contain very few artifacts to analyze, if any at all.
  • With frequent OS releases from vendors, OS internal structures change rapidly, but the tools used for memory forensics are not always compatible with images of the newest versions. For example, many image acquisition tools are not compatible with Windows 10.
  • Since virtualization is adopted by all organizations these days, a gap is opening between the image formats provided by VM vendors and what the analysis software can process.
  • As described above, the volume of memory forensics data is huge, and filtering known goods from anomalies requires a thorough understanding of internal structures and of expected (benign) OS and process behavior.
  • As mentioned above, memory regions of interest that require further analysis need to be dumped. For end-to-end analysis, memory forensics must be combined with reverse engineering.
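
The "compare against normal and find the outliers" step above, and the DKOM hiding mentioned in the introduction, are easiest to see with a concrete cross-view check. The following Python is an added example, not code from the article or from the Volatility project: it parses two constructed, simplified process listings (a linked-list walk in the style of Volatility's pslist and a pool scan in the style of psscan; the row layout, offsets, names and PIDs are all made up for the example), reports processes that only the scan view found, and checks each process's parent against a small known-good Windows baseline.

```python
"""Cross-view process analysis over constructed, Volatility-style listings.

Added example (not from the original article or the Volatility project).
Two views of the same memory image are compared:
  * a walk of the kernel's active-process linked list (what Volatility's
    pslist does), which a DKOM rootkit can defeat by unlinking its own
    EPROCESS from that list, and
  * a pool-tag scan for EPROCESS structures (what Volatility's psscan does),
    which finds them whether or not they are linked.
A process present only in the scan view is a candidate for a hidden process.
A second check compares each process's parent against a small known-good
baseline of Windows parent/child relationships to flag outliers.
The row format below is a simplified, constructed one, not real tool output.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proc:
    offset: int   # offset of the EPROCESS structure (hypothetical values)
    name: str
    pid: int
    ppid: int


# Known-good parents on Windows Vista and later; extend per environment.
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}

# Constructed sample rows: offset name pid ppid. Not taken from a real image.
PSLIST = """
# offset      name          pid   ppid
0x85d8a030    System           4      0
0x86f3c3f8    wininit.exe    384    320
0x87020d40    services.exe   472    384
0x87045a28    lsass.exe      480    384
0x870a1d40    svchost.exe    612    472
0x8712b7e0    explorer.exe  1432   1400
0x8719c030    svchost.exe   2208   1432
"""

# The scan view contains one extra process that is absent from the list walk.
PSSCAN = PSLIST + "0x87233b30    srvhost.exe   2816    612\n"


def parse_listing(text: str) -> Dict[int, Proc]:
    """Parse the constructed whitespace-separated rows into a PID-keyed map."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        offset, name, pid, ppid = line.split()
        procs[int(pid)] = Proc(int(offset, 16), name, int(pid), int(ppid))
    return procs


def hidden_processes(pslist: Dict[int, Proc], psscan: Dict[int, Proc]) -> List[int]:
    """PIDs the scan view found that the linked-list view did not.

    A PID only in the scan view can also be a recently terminated process whose
    EPROCESS has not been reused yet, so treat the result as a lead to confirm
    (for example by checking exit times), not as a verdict.
    """
    return sorted(pid for pid in psscan if pid not in pslist)


def parent_anomalies(procs: Dict[int, Proc]) -> List[Tuple[int, str, str, str]]:
    """(pid, name, actual parent, expected parent) for baseline mismatches."""
    anomalies = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue  # not in the baseline; nothing to compare against
        parent = procs.get(p.ppid)
        actual = parent.name.lower() if parent else "<no such pid>"
        if actual != expected:
            anomalies.append((p.pid, p.name, actual, expected))
    return anomalies


if __name__ == "__main__":
    lst, scan = parse_listing(PSLIST), parse_listing(PSSCAN)
    for pid in hidden_processes(lst, scan):
        print(f"possible hidden process: pid {pid} {scan[pid].name}")
    for pid, name, actual, expected in parent_anomalies(scan):
        print(f"unexpected parent: {name} (pid {pid}) spawned by {actual}, expected {expected}")
```

On the constructed data the cross-view check flags PID 2816, which the list walk never saw, and the baseline check flags the svchost.exe instance whose parent is explorer.exe rather than services.exe. Both findings are the kind of outlier the analysis step produces; confirming them means dumping the process and continuing with reverse engineering, as the challenges above describe.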

Thus, memory forensics has a lot of power to establish hidden context in an investigation, and it should therefore be an integral part of every investigation. Memory forensics has its own challenges, but they can be overcome with experience and practice.
