Windows Memory Forensic Analysis
Last updated
Windows Memory Forensic Analysis involves examining a memory dump (a capture of physical RAM) from a Windows system to uncover evidence of malicious activity: running and hidden processes, loaded modules, network connections, injected code, registry keys resident in memory, and more. Memory analysis is particularly useful for investigating advanced threats, fileless malware, and volatile evidence that never reaches the disk. The plugins referenced below belong to Volatility 3 (the windows.* plugin namespace). Besides the RAM capture itself, three files on disk hold memory contents and are worth collecting with it:
hiberfil.sys: The hiberfil.sys file is a system file Windows uses to store the contents of RAM when the system enters hibernation (and, with Fast Startup enabled on Windows 8 and later, the kernel session on an ordinary shutdown). From a digital forensics perspective it can be a rich source of volatile data that would otherwise be lost when the system is powered off. Note that on modern versions the data is stored compressed, so the file has to be decompressed or converted into a raw memory image before a memory analysis tool can parse it.
Pagefile.sys: The pagefile is an on-disk extension of Random Access Memory (RAM). When physical RAM nears capacity, Windows moves idle pages to pagefile.sys (located on the hard disk) to free up space. The file lives at %SYSTEMDRIVE%\pagefile.sys and may contain data related to user activity. Pages that had been paged out at acquisition time are absent from the RAM capture, so a tool that can layer the pagefile over the dump recovers memory regions that would otherwise show up as unavailable.
Swapfile.sys: The swapfile is similar to the pagefile, as both use hard drive space as temporary storage when RAM is full. Starting with Windows 10, the swapfile specifically handles suspended Microsoft Store (UWP) apps, storing their working set in swapfile.sys to preserve their state for later use. Located alongside pagefile.sys at %SYSTEMDRIVE%\swapfile.sys, it may also contain data related to user activity. Together, the swapfile and pagefile help ensure sufficient free RAM for smooth system performance.
Plugin: windows.info
Use: Identifies the operating system version and architecture
Plugin: windows.pstree
Use: Displays processes in a hierarchical tree format based on their parent-child relationships (PID and PPID), which makes an unexpected parent, such as a user shell spawning a service-like binary, stand out.
Here are the three processes to note (image name: PID):
notepad.exe: 4668
powershell.exe: 5712
AtomicService.exe: 5064
Let's see some details about the process with PID 5064. windows.pslist --pid 5064 shows its offset, thread and handle counts, session and creation time, and windows.cmdline --pid 5064 shows the command line it was started with.
Let's identify the parent process of this process. The PPID column of windows.pslist, or the position of PID 5064 in the windows.pstree output, names the parent; check whether that parent is one that would legitimately launch this binary. A user-mode shell starting an unknown executable is a common red flag.
We can dump the executable (windows.pslist --pid 5064 --dump, written to the directory passed with -o), obtain the file's hash and search for it on VirusTotal. Keep in mind that an image reconstructed from memory is not byte-identical to the file on disk (relocations have been applied, sections are page-aligned, and parts of the header may be missing or tampered with), so an exact hash match is not guaranteed; an import hash or a search on the original file name is a useful fallback.
Let's retrieve the DLLs for the notepad.exe process with windows.dlllist --pid 4668 and compare them with what a stock notepad.exe loads. A module from an unusual path, or one that is not on disk at all, is a typical sign of injection.
Let's dump the DLLs loaded by this process: windows.dlllist --pid 4668 --dump writes each listed module to the output directory.
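The steps above (find the parent of PID 5064, read the tree) amount to walking PPID links. The Python script below, added here as an example and not part of the original page or of the Volatility project, does that over the JSON that windows.pslist emits with -r json, and additionally checks the core Windows processes against their expected parents, which is the generalization analysts apply by hand when reading pstree output. The process list is constructed; the parent relationships among PIDs 4668, 5712 and 5064 are assumed, not taken from the page's image.

```python
"""Build a parent/child process tree from Volatility 3 `windows.pslist -r json` output.

Added example, not the page's or Volatility's own code. Field names follow the
columns pslist emits (PID, PPID, ImageFileName, CreateTime); the rows are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: PIDs 4668/5712/5064 match the three processes the page calls
# out, but the parent links and every other row here are assumptions for the demo.
SAMPLE_PSLIST_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",            "CreateTime": "2024-01-01T10:00:00"},
    {"PID": 420,  "PPID": 4,    "ImageFileName": "smss.exe",          "CreateTime": "2024-01-01T10:00:01"},
    {"PID": 560,  "PPID": 420,  "ImageFileName": "wininit.exe",       "CreateTime": "2024-01-01T10:00:02"},
    {"PID": 640,  "PPID": 560,  "ImageFileName": "services.exe",      "CreateTime": "2024-01-01T10:00:03"},
    {"PID": 800,  "PPID": 640,  "ImageFileName": "svchost.exe",       "CreateTime": "2024-01-01T10:00:04"},
    {"PID": 900,  "PPID": 880,  "ImageFileName": "explorer.exe",      "CreateTime": "2024-01-01T10:01:00"},
    {"PID": 4668, "PPID": 900,  "ImageFileName": "notepad.exe",       "CreateTime": "2024-01-01T10:05:00"},
    {"PID": 5712, "PPID": 900,  "ImageFileName": "powershell.exe",    "CreateTime": "2024-01-01T10:06:00"},
    {"PID": 5064, "PPID": 5712, "ImageFileName": "AtomicService.exe", "CreateTime": "2024-01-01T10:06:30"},
    {"PID": 6120, "PPID": 900,  "ImageFileName": "svchost.exe",       "CreateTime": "2024-01-01T10:07:00"},
])

# Parents the core Windows processes are expected to have; anything else deserves a look.
EXPECTED_PARENTS = {
    "smss.exe": {"System"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def load_pslist(json_text):
    """Return {pid: row} from pslist JSON output."""
    return {int(row["PID"]): row for row in json.loads(json_text)}


def parent_chain(procs, pid):
    """Walk PPID links from `pid` up to the root or to a parent that is not in the dump.

    The `seen` set guards against PID reuse producing a cycle in a stale list."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        row = procs[pid]
        chain.append((pid, row["ImageFileName"]))
        pid = int(row["PPID"])
    return chain


def render_tree(procs):
    """Produce a pstree-style indented listing; orphans (parent exited or absent) become roots."""
    children, roots = defaultdict(list), []
    for pid, row in procs.items():
        ppid = int(row["PPID"])
        (children[ppid] if ppid in procs else roots).append(pid)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'* ' * depth}{pid} {procs[pid]['ImageFileName']}")
        for child in sorted(children[pid], key=lambda p: procs[p]["CreateTime"]):
            walk(child, depth + 1)

    for pid in sorted(roots):
        walk(pid, 0)
    return "\n".join(lines)


def flag_unexpected_parents(procs):
    """Return [(pid, name, parent_name)] for core processes whose parent is not the expected one."""
    findings = []
    for pid, row in procs.items():
        name = row["ImageFileName"]
        if name not in EXPECTED_PARENTS:
            continue
        parent = procs.get(int(row["PPID"]))
        parent_name = parent["ImageFileName"] if parent else "<missing>"
        if parent_name not in EXPECTED_PARENTS[name]:
            findings.append((pid, name, parent_name))
    return findings


if __name__ == "__main__":
    procs = load_pslist(SAMPLE_PSLIST_JSON)
    print(render_tree(procs))
    print("Ancestry of 5064:", " <- ".join(f"{n}({p})" for p, n in parent_chain(procs, 5064)))
    print("Unexpected parents:", flag_unexpected_parents(procs))
```

On a real case, feed it the file produced by vol -f mem.raw -r json windows.pslist > pslist.json; the unexpected-parent rules are a starting list, extend them with the parents you know are normal for the build you are examining.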
Identifying process owners and their associated Security Identifiers (SIDs) is a crucial step in a forensic investigation: it tells you which user account a process runs as and which groups and privileges its token carries. In Volatility 3 this is windows.getsids (optionally restricted with --pid), which reads the SIDs out of the process token and resolves the well-known ones to names.
SID (Security Identifier): A unique identifier Windows uses to represent a user or group, written as S-1-<authority>-<sub-authorities>. A process token holds the user's SID plus the SIDs of the groups it belongs to, so the output reveals not only the owner but also whether the process runs as SYSTEM or with Administrators group membership, and, when the token's integrity-level SID (S-1-16-...) is listed, at which integrity level.
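To make the SID discussion concrete, the following script, added here as an example and not code from the page or from Volatility, decodes the binary SID structure that a token stores (the same layout a plugin such as getsids parses from memory) and classifies the result for triage. The SID values and the per-process SID list are constructed for the demo; the well-known SIDs, RIDs and integrity-level values are Windows constants.

```python
"""Decode the binary Windows SID structure and classify SIDs for triage.

Added example, not the page's or Volatility's own code. SID bytes below are constructed.
SID layout: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
            SubAuthority[count] (4 bytes each, little-endian)
"""
import struct

SID_MAX_SUB_AUTHORITIES = 15  # Windows limit; a larger count means a corrupt or overwritten buffer

WELL_KNOWN = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
INTEGRITY = {4096: "Low", 8192: "Medium", 12288: "High", 16384: "System"}

# Constructed token SID list for one process (user SID first, then groups), as an
# analyst might copy it out of getsids output. The account SIDs are invented.
SAMPLE_TOKEN_SIDS = [
    "S-1-5-21-1234567890-987654321-1122334455-1001",
    "S-1-5-21-1234567890-987654321-1122334455-513",
    "S-1-1-0",
    "S-1-5-32-544",
    "S-1-16-12288",
]


def decode_sid(buf: bytes) -> str:
    """Parse a raw SID into its S-1-... string form, rejecting malformed buffers."""
    if len(buf) < 8:
        raise ValueError("buffer shorter than the 8-byte SID header")
    revision, count = buf[0], buf[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"sub-authority count {count} exceeds {SID_MAX_SUB_AUTHORITIES}")
    if len(buf) < 8 + 4 * count:
        raise ValueError("truncated SID: sub-authorities run past the end of the buffer")
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def is_valid_sid(buf: bytes) -> bool:
    """True when decode_sid accepts the buffer."""
    try:
        decode_sid(buf)
        return True
    except ValueError:
        return False


def encode_sid(text: str) -> bytes:
    """Inverse of decode_sid; used here to build sample token bytes."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def describe_sid(sid: str) -> str:
    """Human-readable classification of a SID string."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-16-") and len(parts) == 4:
        return f"{INTEGRITY.get(int(parts[3]), 'unknown')} integrity level"
    if sid.startswith("S-1-5-21-") and len(parts) == 8:  # domain or local machine account
        rid = int(parts[7])
        if rid == 500:
            return "built-in Administrator (RID 500)"
        if rid == 501:
            return "Guest (RID 501)"
        if rid == 512:
            return "Domain Admins (RID 512)"
        return f"domain/local account or group, RID {rid}"
    return "unrecognised"


def token_summary(sids):
    """Summarise one process's token: owner, admin group membership, integrity level.

    Assumes the list is in token order, i.e. the user SID comes first."""
    user = sids[0]
    integrity = next((describe_sid(s) for s in sids if s.startswith("S-1-16-")), "not listed")
    return {
        "user": user,
        "user_desc": describe_sid(user),
        "admin_group": "S-1-5-32-544" in sids,
        "integrity": integrity,
    }


if __name__ == "__main__":
    raw = encode_sid(SAMPLE_TOKEN_SIDS[0])
    print(raw.hex(), "->", decode_sid(raw), "|", describe_sid(decode_sid(raw)))
    print(token_summary(SAMPLE_TOKEN_SIDS))
```

The length checks matter more in a memory dump than on a live system: a token read from a partially paged or overwritten page can carry a nonsense sub-authority count, and a decoder that trusts it will read garbage instead of flagging the structure.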
We have a registry key named AtomicRedTeam. It is inspected with the windows.registry.printkey plugin and two options:
--offset 0xe78203872000: Specifies the virtual address of the hive (the _CMHIVE structure) in which the key resides. This is obtained from prior analysis with the windows.registry.hivelist plugin, which lists every hive it finds together with its offset and file path. Offsets are specific to the image being analysed, so never reuse one from another case.
--key AtomicRedTeam: Indicates the registry key to inspect, given as a path relative to the root of that hive (subkeys separated by backslashes).
The command queries the registry hive loaded at the given memory offset and displays the contents of the key named AtomicRedTeam: its subkeys and its values, each with the key's last-write timestamp, which helps place when the key was created or modified. Without --offset the plugin walks every hive it can find; supplying the offset keeps the result unambiguous when the same key name exists in several hives, for instance in the NTUSER.DAT of more than one user.
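Choosing the right --offset is the step that trips people up, because a key under a user's profile exists once per NTUSER.DAT hive. The script below, added here as an example and not code from the page or from Volatility, parses windows.registry.hivelist text output, selects hives by path, and builds the printkey invocation for each of them. The hivelist rows and their offsets are constructed; the column layout (Offset, FileFullPath, File output) is the one the plugin prints.

```python
"""Select hive offsets from `windows.registry.hivelist` output and build the matching
`windows.registry.printkey` invocations, one per selected hive.

Added example, not the page's or Volatility's own code. The hivelist text is constructed
and its offsets are invented; only the column layout mirrors the real plugin output.
"""
import re
import shlex

SAMPLE_HIVELIST = """\
Volatility 3 Framework 2.7.0
Offset\tFileFullPath\tFile output

0xe78200028000\t\tDisabled
0xe78200058000\t\\REGISTRY\\MACHINE\\SYSTEM\tDisabled
0xe782000d9000\t\\SystemRoot\\System32\\Config\\SOFTWARE\tDisabled
0xe78201a4e000\t\\??\\C:\\Users\\alice\\ntuser.dat\tDisabled
0xe78202310000\t\\??\\C:\\Users\\bob\\ntuser.dat\tDisabled
"""

# One data row: hex offset, tab, file path (may be empty for an unnamed hive), tab, file-output column.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\t(.*?)\t(\S+)$")


def parse_hivelist(text):
    """Return [(offset, path)] for every hive row; banner, header and nameless hives are skipped."""
    hives = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(2):
            hives.append((int(m.group(1), 16), m.group(2)))
    return hives


def select_hives(hives, path_pattern):
    """Case-insensitive regex over the hive path, e.g. r'ntuser\\.dat$' for every user's hive."""
    rx = re.compile(path_pattern, re.IGNORECASE)
    return [(off, path) for off, path in hives if rx.search(path)]


def printkey_commands(image, hives, key):
    """Build one argv per hive; --key is a path relative to that hive's root."""
    return [
        ["vol", "-f", image, "windows.registry.printkey", "--offset", f"{off:#x}", "--key", key]
        for off, _ in hives
    ]


if __name__ == "__main__":
    hives = parse_hivelist(SAMPLE_HIVELIST)
    user_hives = select_hives(hives, r"ntuser\.dat$")
    for argv in printkey_commands("mem.raw", user_hives, "AtomicRedTeam"):
        print(shlex.join(argv))
```

Pass the key with the path the hive actually uses (for a HKCU key that is typically a Software\... path under the root of NTUSER.DAT); the example keeps the page's key name as given. Run the printed commands with the same -f image you gave hivelist, since the offsets are only valid for that capture.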