Windows Memory Forensic Analysis

Windows Memory Forensic Analysis involves examining a memory dump from a Windows system to uncover evidence of malicious activity, running processes, network connections, and more. Memory analysis is particularly useful for investigating advanced threats, fileless malware, and volatile evidence that is not stored on disk.

Setting Up Volatility3 in the Ubuntu Environment

sudo apt-get update
sudo apt install python3-pip
pip3 install volatility3
pip3 install capstone
source .profile
vol -h

Important Files for Memory Analysis

hiberfil.sys: The hiberfil.sys file is a system file used by Windows to store the contents of RAM (Random Access Memory) when a system enters hibernation mode. From a digital forensics perspective, it can be a rich source of volatile data that would otherwise be lost when the system is powered off.

Pagefile.sys: The Pagefile is a physical extension of Random Access Memory (RAM). In Windows, when RAM reaches capacity the system moves idle data to pagefile.sys (located on the hard disk) to free up space. The pagefile.sys can be located at %SYSTEMDRIVE%\pagefile.sys and may contain information related to user activity.

Swapfile.sys: The Swapfile is similar to the Pagefile as both use hard drive space as temporary storage when RAM is full. Starting with Windows 10, the Swapfile specifically handles inactive Microsoft Store apps, storing them in swapfile.sys to preserve their state for later use. Located alongside pagefile.sys at %SYSTEMDRIVE%\swapfile.sys, it may also contain data related to user activity. Together, the Swapfile and Pagefile help ensure sufficient free RAM for smooth system performance.

Gathering Windows System Information with Volatility3

Plugin: windows.info

Use: Identifies the operating system version and architecture

vol -f win10-memory.raw windows.info

Detecting Suspicious Windows Processes

Plugin: windows.pstree

Use: Displays processes in a hierarchical tree format based on their parent-child relationships.

vol -f win10-memory.raw windows.pstree

Here are the three processes to note:

  • notepad.exe: 4668

  • powershell.exe: 5712

  • AtomicService.exe: 5064

Dumping Processes From the Memory

Let's see some details about the process with PID 5064.

vol -f win10-memory.raw windows.pslist --pid 5064

Let's identify the parent process of this process.

vol -f win10-memory.raw windows.pslist --pid 668
vol -f win10-memory.raw windows.pslist --pid 5064 --dump 
strings 5064.AtomicService..0xb60000.dmp

We can obtain the file's hash and search for it on VirusTotal.
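As an added example (not part of the original write-up), the following Python helper applies the pstree and hashing steps above to constructed Volatility3-style output: it parses the tree, walks a process's lineage, flags parent-child pairs that break a well-known Windows baseline, and hashes a dumped image for a VirusTotal lookup. The sample tree, the baseline table and the dump bytes are assumptions constructed for this example, not output from the page's image.

```python
import hashlib

# Constructed sample modelled on Volatility3 windows.pstree text output:
# leading asterisks show depth; the first three columns are PID, PPID and
# ImageFileName. PIDs reuse the write-up's values, the tree itself is made up.
SAMPLE_PSTREE = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads
4\t0\tSystem\t0xe782000a0040\t120
* 492\t4\twininit.exe\t0xe78200b01080\t1
** 668\t492\tservices.exe\t0xe78200c02080\t6
*** 5064\t668\tAtomicService.exe\t0xe78203a11080\t3
*** 900\t668\tsvchost.exe\t0xe78200d03080\t12
* 4668\t3404\tnotepad.exe\t0xe782039f2080\t4
** 5712\t4668\tpowershell.exe\t0xe78203b22080\t9
"""

# Expected parents for core Windows processes (well-known baseline, assumed here).
EXPECTED_PARENT = {"services.exe": "wininit.exe", "lsass.exe": "wininit.exe",
                   "svchost.exe": "services.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}            # shells worth a second look
USER_APPS = {"notepad.exe", "winword.exe", "excel.exe", "outlook.exe"}


def parse_pstree(text):
    """Return {pid: (ppid, image_name)} from pstree-style text; header is skipped."""
    procs = {}
    for line in text.splitlines():
        fields = line.replace("*", "").split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        procs[int(fields[0])] = (int(fields[1]), fields[2])
    return procs


def lineage(procs, pid):
    """Walk PPID links from pid towards the root, stopping at unknown PIDs or cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid, name = procs[pid][0], procs[pid][1]
        chain.append(name)
    return chain


def find_suspicious(procs):
    """Flag (pid, name, parent_name) where the parent breaks the baseline above."""
    hits = []
    for pid, (ppid, name) in procs.items():
        parent = procs.get(ppid, (None, "<unknown>"))[1].lower()
        if EXPECTED_PARENT.get(name.lower()) not in (None, parent):
            hits.append((pid, name, parent))
        elif name.lower() in SHELLS and parent in USER_APPS:
            hits.append((pid, name, parent))
    return hits


def sha256_of_dump(data):
    """SHA-256 of a dumped process/DLL image, the value to search on VirusTotal."""
    return hashlib.sha256(data).hexdigest()
```

In practice, feed the output of `vol -f win10-memory.raw windows.pstree` into `parse_pstree` and the bytes of the `.dmp` file produced by `--dump` into `sha256_of_dump`.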

Detecting and Analyzing Injected DLLs

Let's retrieve the DLLs for the notepad.exe process.

vol -f win10-memory.raw windows.dlllist --pid 4668 

Let's dump the DLLs loaded by this process.

vol -f win10-memory.raw windows.dlllist --pid 4668 --dump
strings dlls/pid.4668.T1055.001.dll.0x27aaaca06d0.0x7ffb2be40000.dmp | more

Identifying Process Owners and Associated SIDs

Identifying process owners and associated Security Identifiers (SIDs) is a crucial step in forensic investigations to determine which user account is running a specific process.

SID (Security Identifier): A unique identifier used by Windows to represent a user or group. It helps track process ownership and permissions.

vol -f win10-memory.raw windows.getsids --pid 4668 5712 5064

Registry Keys

vol -f win10-memory.raw windows.registry.hivelist

We have a registry key named AtomicRedTeam.

vol -f win10-memory.raw windows.registry.printkey --offset 0xe78203872000 --key AtomicRedTeam

  • --offset 0xe78203872000: specifies the memory offset where the registry hive resides. This is typically obtained from prior analysis with a plugin such as windows.registry.hivelist.

  • --key AtomicRedTeam: indicates the specific registry key to inspect.

The command queries the registry hive loaded at a specific memory offset to locate and display the contents of the registry key named AtomicRedTeam.
