Windows Memory Forensic Analysis
Windows Memory Forensic Analysis involves examining a memory dump from a Windows system to uncover evidence of malicious activity, running processes, network connections, and more. Memory analysis is particularly useful for investigating advanced threats, fileless malware, and volatile evidence that is not stored on disk.
Setting Up Volatility3 in the Ubuntu Environment
sudo apt-get update
sudo apt install python3-pip
pip3 install volatility3

pip3 install capstone
source .profile
vol -h

Important Files for Memory Analysis
hiberfil.sys: The hiberfil.sys file is a system file used by Windows to store the contents of RAM (Random Access Memory) when a system enters hibernation mode. From a digital forensics perspective, it can be a rich source of volatile data that would otherwise be lost when the system is powered off.
Pagefile.sys: The Pagefile is an on-disk extension of Random Access Memory (RAM). In Windows, when RAM reaches capacity, the system moves idle data to pagefile.sys (located on the hard disk) to free up space. The pagefile.sys is located at %SYSTEMDRIVE%\pagefile.sys and may contain information related to user activity.
Swapfile.sys: The Swapfile is similar to the Pagefile, as both use hard drive space as temporary storage when RAM is full. Starting with Windows 10, the Swapfile specifically handles inactive Microsoft Store apps, storing them in swapfile.sys to preserve their state for later use. Located alongside pagefile.sys at %SYSTEMDRIVE%\swapfile.sys, it may also contain data related to user activity. Together, the Swapfile and Pagefile help ensure sufficient free RAM for smooth system performance.
Gathering Windows System Information with Volatility3
Plugin: windows.info
Use: Identifies the operating system version and architecture
vol -f win10-memory.raw windows.info

Detecting Suspicious Windows Processes
Plugin: windows.pstree
Use: Displays processes in a hierarchical tree based on their parent-child relationships.
vol -f win10-memory.raw windows.pstree


Here are the three processes to note:
notepad.exe: 4668
powershell.exe: 5712
AtomicService.exe: 5064
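As an added example (not code from the original page or from the Volatility project), the script below indexes the nested output of `vol -r json -f win10-memory.raw windows.pstree` by PID, walks a process's lineage, and flags a process whose parent is missing from the dump or differs from a small expected-parent baseline. The JSON column names, the baseline table and the sample tree are assumptions; the sample is constructed and is not the page's dump.

```python
# Constructed sample: what json.load() yields from `vol -r json ... windows.pstree`
# (assumed columns PID/PPID/ImageFileName, nested "__children"). Not the page's
# dump; PIDs/names are illustrative. Parentless processes sit at the top level.
SAMPLE_PSTREE = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "__children": []},
    {"PID": 600, "PPID": 500, "ImageFileName": "wininit.exe", "__children": [
        {"PID": 668, "PPID": 600, "ImageFileName": "services.exe", "__children": [
            {"PID": 5064, "PPID": 668, "ImageFileName": "AtomicService.exe", "__children": []},
            {"PID": 900, "PPID": 668, "ImageFileName": "svchost.exe", "__children": []}]}]},
    {"PID": 4200, "PPID": 4100, "ImageFileName": "explorer.exe", "__children": [
        {"PID": 4668, "PPID": 4200, "ImageFileName": "notepad.exe", "__children": []},
        {"PID": 5712, "PPID": 4200, "ImageFileName": "powershell.exe", "__children": []},
        {"PID": 7000, "PPID": 4200, "ImageFileName": "svchost.exe", "__children": []}]},
]

# Expected parent for a few core Windows processes (assumption: illustrative, not exhaustive).
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe",
                   "services.exe": "wininit.exe", "winlogon.exe": "smss.exe"}

def flatten(nodes, out=None):
    """Index every process in the nested pstree output by PID."""
    out = {} if out is None else out
    for node in nodes:
        out[node["PID"]] = node
        flatten(node.get("__children", []), out)
    return out

def lineage(procs, pid):
    """Follow PPID links upward until the root or a parent missing from the dump."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(pid)
        chain.append((pid, procs[pid]["ImageFileName"]))
        pid = procs[pid]["PPID"]
    return chain

def check_parent(procs, pid):
    """'ok', 'orphan' (parent not in dump; normal for explorer.exe) or 'unexpected:<parent>'."""
    parent = procs.get(procs[pid]["PPID"])
    if parent is None:
        return "orphan"
    expected = EXPECTED_PARENT.get(procs[pid]["ImageFileName"].lower())
    if expected and parent["ImageFileName"].lower() != expected:
        return f"unexpected:{parent['ImageFileName']}"
    return "ok"

if __name__ == "__main__":
    procs = flatten(SAMPLE_PSTREE)
    for pid in (4668, 5712, 5064, 7000):  # the page's three PIDs plus a planted oddity
        print(pid, check_parent(procs, pid), " <- ".join(f"{p}:{n}" for p, n in lineage(procs, pid)))
```

On a real dump, replace SAMPLE_PSTREE with json.load() of the file written by `vol -r json`.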
Dumping Processes From the Memory
Let's see some details about the process with PID 5064.
vol -f win10-memory.raw windows.pslist --pid 5064

Let's identify the parent process of this process.
vol -f win10-memory.raw windows.pslist --pid 668

vol -f win10-memory.raw windows.pslist --pid 5064 --dump

strings 5064.AtomicService..0xb60000.dmp

We can obtain the dumped file's hash and search for it on VirusTotal.
Detecting and Analyzing Injected DLLs
Let's retrieve the DLLs for the notepad.exe process.
vol -f win10-memory.raw windows.dlllist --pid 4668

Let's dump the DLLs loaded by this process.
vol -f win10-memory.raw windows.dlllist --pid 4668 --dump

strings dlls/pid.4668.T1055.001.dll.0x27aaaca06d0.0x7ffb2be40000.dmp | more


Identifying Process Owners and Associated SIDs
Identifying process owners and associated Security Identifiers (SIDs) is a crucial step in forensic investigations to determine which user account is running a specific process.
SID (Security Identifier): A unique identifier used by Windows to represent a user or group. It helps track process ownership and permissions.
vol -f win10-memory.raw windows.getsids --pid 4668 5712 5064

Registry Keys
vol -f win10-memory.raw windows.registry.hivelist

We have a registry key named AtomicRedTeam.
vol -f win10-memory.raw windows.registry.printkey --offset 0xe78203872000 --key AtomicRedTeam

--offset 0xe78203872000: Specifies the memory offset where the registry hive resides. This is typically obtained from prior analysis using a plugin like windows.registry.hivelist.
--key AtomicRedTeam: Indicates the specific registry key to inspect.
The command queries the registry hive loaded at a specific memory offset to locate and display the contents of the registry key named AtomicRedTeam.