Windows Memory Forensic Analysis
Windows Memory Forensic Analysis involves examining a memory dump from a Windows system to uncover evidence of malicious activity, running processes, network connections, and more. Memory analysis is particularly useful for investigating advanced threats, fileless malware, and volatile evidence that is not stored on disk.
Setting Up Volatility3 in the Ubuntu Environment
sudo apt-get update
sudo apt install python3-pip
pip3 install volatility3

Important Files for Memory Analysis
hiberfil.sys: The hiberfil.sys file is a system file used by Windows to store the contents of RAM (Random Access Memory) when a system enters hibernation mode. From a digital forensics perspective, it can be a rich source of volatile data that would otherwise be lost when the system is powered off.
Pagefile.sys: The Pagefile is a physical extension of Random Access Memory (RAM). In Windows, when RAM reaches capacity, the system moves idle data to pagefile.sys (located on the hard disk) to free up space. The pagefile.sys can be located at %SYSTEMDRIVE%\pagefile.sys and may contain information related to user activity.
Swapfile.sys: The Swapfile is similar to the Pagefile as both use hard drive space as temporary storage when RAM is full. Starting with Windows 10, the Swapfile specifically handles inactive Microsoft Store apps, storing them in swapfile.sys to preserve their state for later use. Located alongside pagefile.sys at %SYSTEMDRIVE%\swapfile.sys, it may also contain data related to user activity. Together, the Swapfile and Pagefile help ensure sufficient free RAM for smooth system performance.
Gathering Windows System Information with Volatility3
Plugin: windows.info
Use: Identifies the operating system version and architecture

Detecting Suspicious Windows Processes
Plugin: windows.pstree
Use: Displays processes in a hierarchical tree based on their parent-child relationships.

Here are the three processes to note:
notepad.exe: 4668
powershell.exe: 5712
AtomicService.exe: 5064
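As an added example (not from the original page), the parent-child review that windows.pstree supports can be scripted: the Python below parses pstree text output into a tree, walks a process's ancestry (the parent lookup done for PID 5064 in the next section), and flags core processes with an unexpected parent as well as shells launched from user applications. The sample output is constructed; the PIDs for notepad.exe, powershell.exe and AtomicService.exe are the page's, while their parents, offsets and timestamps are assumed.

```python
from collections import namedtuple
# Constructed sample shaped like `vol -f mem.raw windows.pstree` text output (tab-separated,
# leading '*' = tree depth). PIDs 4668/5712/5064 are the page's; parents, offsets, times are assumed.
SAMPLE = "\n".join([
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime",
    "4\t0\tSystem\t0xe78200062080\t130\t-\tN/A\tFalse\t2024-03-01 09:00:00.000000 UTC\tN/A",
    "540\t428\twininit.exe\t0xe78200c5a080\t1\t-\t0\tFalse\t2024-03-01 09:00:02.000000 UTC\tN/A",
    "* 640\t540\tservices.exe\t0xe78200d01080\t6\t-\t0\tFalse\t2024-03-01 09:00:03.000000 UTC\tN/A",
    "** 892\t640\tsvchost.exe\t0xe78200e33080\t12\t-\t0\tFalse\t2024-03-01 09:00:04.000000 UTC\tN/A",
    "3120\t3004\texplorer.exe\t0xe78201a40080\t40\t-\t1\tFalse\t2024-03-01 09:01:00.000000 UTC\tN/A",
    "* 4668\t3120\tnotepad.exe\t0xe78203111080\t3\t-\t1\tFalse\t2024-03-01 09:30:00.000000 UTC\tN/A",
    "** 5712\t4668\tpowershell.exe\t0xe78203222080\t9\t-\t1\tFalse\t2024-03-01 09:30:05.000000 UTC\tN/A",
    "*** 5064\t5712\tAtomicService.exe\t0xe78203333080\t2\t-\t1\tFalse\t2024-03-01 09:30:09.000000 UTC\tN/A",
    "* 7112\t3120\tsvchost.exe\t0xe78203444080\t1\t-\t1\tFalse\t2024-03-01 09:31:00.000000 UTC\tN/A",
])
Proc = namedtuple("Proc", "pid ppid name")
# Core processes whose parent is fixed on a healthy host; extend with your own baseline.
EXPECTED_PARENT = {"services.exe": "wininit.exe", "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}
USER_APPS = {"notepad.exe", "winword.exe", "excel.exe", "outlook.exe"}   # rarely have a reason to launch shells
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def parse_pstree(text):
    """Keep PID, PPID and image name per row; the header and any non-process lines are skipped."""
    procs = {}
    for line in text.splitlines():
        cols = line.split("\t")
        pid = cols[0].lstrip("*").strip()               # drop the tree-depth markers
        if len(cols) >= 3 and pid.isdigit():
            procs[int(pid)] = Proc(int(pid), int(cols[1]), cols[2])
    return procs

def ancestry(procs, pid):
    """Image names from the process up to the root; stops at exited (missing) parents or loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain

def find_suspicious(procs):
    """Core processes with an unexpected parent, and shells launched from user applications."""
    findings = []
    for p in procs.values():
        pname = procs[p.ppid].name.lower() if p.ppid in procs else "<exited>"
        if (want := EXPECTED_PARENT.get(p.name.lower())) and pname != want:
            findings.append(f"{p.name} ({p.pid}) parent is {pname}, expected {want}")
        if p.name.lower() in SHELLS and pname in USER_APPS:
            findings.append(f"{pname} ({p.ppid}) spawned {p.name} ({p.pid})")
    return findings
```

On the constructed sample, `ancestry(parse_pstree(SAMPLE), 5064)` walks AtomicService.exe back through powershell.exe and notepad.exe to explorer.exe, and `find_suspicious` reports the notepad-launched shell and the svchost.exe instance whose parent is not services.exe.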
Dumping Processes From the Memory
Let's see some details about the process with PID 5064.

Let's identify its parent process.

We can obtain the file's hash and search for it on VirusTotal.
Detecting and Analyzing Injected DLLs
Let's retrieve the DLLs for the notepad.exe process.

Let's dump the DLLs loaded by this process.

Identifying Process Owners and Associated SIDs
Identifying process owners and associated Security Identifiers (SIDs) is a crucial step in forensic investigations to determine which user account is running a specific process.
SID (Security Identifier): A unique identifier used by Windows to represent a user or group. It helps track process ownership and permissions.

Registry Keys

We have a registry key named AtomicRedTeam.

--offset 0xe78203872000: Specifies the memory offset where the registry hive resides. This is typically obtained from prior analysis using a plugin like windows.registry.hivelist.
--key AtomicRedTeam: Indicates the specific registry key to inspect.
The command queries the registry hive loaded at a specific memory offset to locate and display the contents of the registry key named AtomicRedTeam.