# Windows Memory Forensic Analysis

**Windows Memory Forensic Analysis** involves examining a memory dump from a Windows system to uncover evidence of malicious activity, running processes, network connections, and more. Memory analysis is particularly useful for investigating advanced threats, fileless malware, and volatile evidence that is not stored on disk.

## Setting Up Volatility3 in the Ubuntu Environment

```bash
sudo apt-get update
sudo apt install python3-pip
pip3 install volatility3
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F5ioD4W2lI0TKAtbbn4wF%2FScreenshot(4).png?alt=media&#x26;token=5d5836ec-c86f-4bcb-9312-6b493d098a20" alt=""><figcaption></figcaption></figure>

```bash
pip3 install capstone
source .profile
vol -h
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FgSNnBOM87qm1htu3BAvc%2FScreenshot(5).png?alt=media&#x26;token=dc1f856d-3114-42e0-9e44-8a46f8fc8529" alt=""><figcaption></figcaption></figure>

## Important Files for Memory Analysis

**hiberfil.sys:** The `hiberfil.sys` file is a system file used by Windows to store the contents of RAM (Random Access Memory) when a system enters hibernation mode. From a digital forensics perspective, it can be a rich source of volatile data that would otherwise be lost when the system is powered off.

**Pagefile.sys:** The `Pagefile` is a physical extension of Random Access Memory (RAM). In Windows, when RAM reaches capacity, the system moves idle data to pagefile.sys (located on the hard disk) to free up space. The pagefile.sys can be located at `%SYSTEMDRIVE%\pagefile.sys` and may contain information related to user activity.

**Swapfile.sys:** The `Swapfile` is similar to the Pagefile as both use hard drive space as temporary storage when RAM is full. Starting with Windows 10, the Swapfile specifically handles inactive Microsoft Store apps, storing them in `swapfile.sys` to preserve their state for later use. Located alongside `pagefile.sys` at `%SYSTEMDRIVE%\swapfile.sys`, it may also contain data related to user activity. Together, the Swapfile and Pagefile help ensure sufficient free RAM for smooth system performance.

## Gathering Windows System Information with Volatility3

**Plugin:** `windows.info`

**Use:** Identifies the operating system version and architecture

```bash
vol -f win10-memory.raw windows.info
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FDNkwyXKG2vmiJgpJlKoI%2FScreenshot(7).png?alt=media&#x26;token=32930b7d-6a71-4add-90e3-b7e48c4d5b03" alt=""><figcaption></figcaption></figure>

## Detecting Suspicious Windows Processes

**Plugin:** `windows.pstree`

**Use:** Displays processes in a hierarchical tree based on their parent-child relationships.

```bash
vol -f win10-memory.raw windows.pstree
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FqTmfPT0D0jbQlbQh1sQ5%2FScreenshot(9).png?alt=media&#x26;token=fe3fa685-3609-4b79-a3a7-381848e92116" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fa0VaqaPtRmoZFg0vumtj%2FScreenshot(14).png?alt=media&#x26;token=67392ab8-d2ba-4d43-8628-2c9d3664cbaf" alt=""><figcaption></figcaption></figure>

Here are the three processes to note:

* **notepad.exe:** 4668
* **powershell.exe:** 5712
* **AtomicService.exe:** 5064
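To make the parent-child reasoning repeatable rather than a visual scan of the tree, here is an added Python example (not part of the original write-up and not Volatility code) that parses tab-separated `windows.pslist` output, walks a PID's ancestry, and flags lineage that departs from the expected Windows boot chain. The sample rows are constructed for illustration: the three PIDs from the write-up are reused, every other PID, name, offset and timestamp is invented, and the name column is the short `ImageFileName` field as pslist shows it.

```python
"""Parse windows.pslist output, walk ancestry, and flag unexpected parents.
Added example; the rows below are constructed, not taken from the page's image."""

# Constructed sample shaped like `vol -f win10-memory.raw windows.pslist` output
# (tab-separated). PIDs 4668, 5712 and 5064 come from the write-up; every other
# PID, name, offset and time is invented for illustration.
SAMPLE_PSLIST = (
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output\n"
    "4\t0\tSystem\t0xe78200063040\t150\t-\tN/A\tFalse\t2024-01-01 10:00:00.000000\tN/A\tDisabled\n"
    "432\t4\tsmss.exe\t0xe782010a2040\t2\t-\tN/A\tFalse\t2024-01-01 10:00:01.000000\tN/A\tDisabled\n"
    "540\t432\twininit.exe\t0xe78201a44080\t1\t-\t0\tFalse\t2024-01-01 10:00:02.000000\tN/A\tDisabled\n"
    "668\t540\tservices.exe\t0xe78201a8b080\t9\t-\t0\tFalse\t2024-01-01 10:00:03.000000\tN/A\tDisabled\n"
    "720\t540\tlsass.exe\t0xe78201a90080\t8\t-\t0\tFalse\t2024-01-01 10:00:03.000000\tN/A\tDisabled\n"
    "900\t668\tsvchost.exe\t0xe78201b10080\t12\t-\t0\tFalse\t2024-01-01 10:00:04.000000\tN/A\tDisabled\n"
    "3344\t2800\texplorer.exe\t0xe78202c00080\t40\t-\t1\tFalse\t2024-01-01 10:01:00.000000\tN/A\tDisabled\n"
    "5712\t3344\tpowershell.exe\t0xe78203a10080\t10\t-\t1\tFalse\t2024-01-01 10:05:00.000000\tN/A\tDisabled\n"
    "4668\t5712\tnotepad.exe\t0xe78203a50080\t2\t-\t1\tFalse\t2024-01-01 10:05:30.000000\tN/A\tDisabled\n"
    "5064\t668\tAtomicService.e\t0xe78203b60080\t3\t-\t0\tFalse\t2024-01-01 10:06:00.000000\tN/A\tDisabled\n"
    "6100\t3344\tsvchost.exe\t0xe78203c20080\t1\t-\t1\tFalse\t2024-01-01 10:07:00.000000\tN/A\tDisabled\n"
)

# Core Windows processes and the parent each one should have.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Their launcher normally exits, so a parent missing from the list is expected.
PARENT_NORMALLY_GONE = {"System", "wininit.exe", "csrss.exe", "explorer.exe"}


def parse_pslist(text):
    """Return {pid: (ppid, image_name)} from tab-separated pslist output."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    pid_i, ppid_i, name_i = (header.index(c) for c in ("PID", "PPID", "ImageFileName"))
    procs = {}
    for line in lines[1:]:
        cols = line.split("\t")
        procs[int(cols[pid_i])] = (int(cols[ppid_i]), cols[name_i])
    return procs


def ancestry(procs, pid):
    """PID chain from pid up to the first ancestor not present in the list."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against PID reuse creating a cycle
        chain.append(pid)
        pid = procs[pid][0]
    return chain


def find_anomalies(procs):
    """Flag missing parents and core processes running under the wrong parent."""
    findings = []
    for pid, (ppid, name) in procs.items():
        parent = procs.get(ppid)
        if parent is None:
            if name not in PARENT_NORMALLY_GONE:
                findings.append((pid, name, f"parent PID {ppid} is not in the process list"))
            continue
        expected = EXPECTED_PARENT.get(name)
        if expected and parent[1] != expected:
            findings.append((pid, name, f"parent is {parent[1]} (PID {ppid}), expected {expected}"))
    return findings


if __name__ == "__main__":
    table = parse_pslist(SAMPLE_PSLIST)
    for pid in (4668, 5712, 5064):
        names = " -> ".join(f"{p}:{table[p][1]}" for p in ancestry(table, pid))
        print(f"ancestry of {pid}: {names}")
    for pid, name, why in find_anomalies(table):
        print(f"[!] {pid} {name}: {why}")
```

In the constructed data the svchost.exe at PID 6100 is flagged because its parent is explorer.exe rather than services.exe, which is the kind of "looks normal by name, wrong by lineage" case the tree view is meant to surface. On a real image, Volatility3 can emit the same table as CSV or JSON through its `-r` renderer option, which is easier to feed into a script than the screenshot output.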

## Dumping Processes From the Memory

Let's see some details about the process with PID `5064`.

```bash
vol -f win10-memory.raw windows.pslist --pid 5064
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FMFE5D41eQ6zttSIDSD5O%2FScreenshot(15).png?alt=media&#x26;token=961ef8b7-2175-4556-9251-06d31e4649bf" alt=""><figcaption></figcaption></figure>

Let's identify the parent of this process by looking up its parent PID, 668.

```bash
vol -f win10-memory.raw windows.pslist --pid 668
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FAsYxM4cRmHMyfz4UYwck%2FScreenshot(16).png?alt=media&#x26;token=ef7c4cb1-83aa-4628-9d1c-f3e758254026" alt=""><figcaption></figcaption></figure>

Now dump the process image of PID 5064 from memory to disk:

```bash
vol -f win10-memory.raw windows.pslist --pid 5064 --dump
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FuZLn2Pp1aZKiifkQqCw9%2FScreenshot(17).png?alt=media&#x26;token=214690f0-af82-47c7-8358-f7e6e69b4d9a" alt=""><figcaption></figcaption></figure>

Then inspect the printable strings in the dumped file:

```bash
strings 5064.AtomicService..0xb60000.dmp
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Faq9eCpCRigPmOpioYZlh%2FScreenshot(18).png?alt=media&#x26;token=e74c436f-c254-4d54-b17d-0c10bdcb25a4" alt=""><figcaption></figcaption></figure>

We can obtain the file's hash and search for it on VirusTotal.
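The two steps above, string extraction and hashing of the dumped image, as an added Python example (not part of the original write-up). The dump bytes are constructed inline so the script runs offline; a real dump would be the `.dmp` file written by `--dump`.

```python
"""Extract printable strings from a dumped process image and hash it.
Added example; the dump bytes are constructed, not the page's real dump."""
import hashlib
import os
import re
import tempfile

# Constructed stand-in for a process dump: a fake MZ header, a few printable
# runs and some binary filler. Not a real executable.
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x01\x02\x03" + b"AtomicService" + b"\x00\x00"
    + b"kernel32.dll\x00" + b"\xff\xfe" + b"ab\x00"
)


def extract_strings(data, min_len=4):
    """Same idea as the `strings` tool: printable ASCII runs of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def hash_bytes(data):
    """MD5 and SHA-256 of an in-memory buffer (reference for the file variant)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path, chunk_size=1 << 20):
    """MD5 and SHA-256 of a file read in chunks, so a large dump never sits fully in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def write_sample_dump():
    """Write the constructed bytes to a temporary .dmp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dmp")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_DUMP)
    return path


def analyse_dump(path, min_len=4):
    """Summarise a dump: PE magic check, printable strings and file hashes."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "is_pe": data[:2] == b"MZ",  # the dumped header page, if it was resident
        "strings": extract_strings(data, min_len),
        "hashes": hash_file(path),
    }


if __name__ == "__main__":
    dump_path = write_sample_dump()
    summary = analyse_dump(dump_path)
    print("PE header present:", summary["is_pe"])
    for s in summary["strings"]:
        print("  ", s)
    print("md5   :", summary["hashes"]["md5"])
    print("sha256:", summary["hashes"]["sha256"])
    os.remove(dump_path)
```

One caveat worth keeping in mind when searching VirusTotal: an image reconstructed from memory has been relocated, had its imports resolved, and may be missing pages that were swapped out, so its hash almost never matches the hash of the original file on disk. A hash lookup works best on the binary as it was written to disk; for the memory dump, the strings, import names and any embedded paths are the more reliable pivots.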

## Detecting and Analyzing Injected DLLs

Let's retrieve the DLLs for the notepad.exe process.

```bash
vol -f win10-memory.raw windows.dlllist --pid 4668
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F3lm8vqDJ0X78v6LpeoiR%2FScreenshot(19).png?alt=media&#x26;token=ef07b0c5-e983-4821-9b84-969f5fb1a4fa" alt=""><figcaption></figcaption></figure>

Let's dump the DLLs loaded by this process.

```bash
vol -f win10-memory.raw windows.dlllist --pid 4668 --dump
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F743L5VxNUJUcVQ22D5V0%2FScreenshot(20).png?alt=media&#x26;token=35fa8c31-bae9-496a-b9e5-6a66734efbef" alt=""><figcaption></figcaption></figure>

```bash
strings dlls/pid.4668.T1055.001.dll.0x27aaaca06d0.0x7ffb2be40000.dmp | more
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FQZm9X0U0nEttrwXaAPV3%2FScreenshot(21).png?alt=media&#x26;token=5c773a5d-480a-47ea-baa5-dcbccb38e5d8" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FSrRY4haboUMXGRr5cVQW%2FScreenshot(22).png?alt=media&#x26;token=de1b0041-9941-410a-8c35-3084fa7d6816" alt=""><figcaption></figcaption></figure>
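A way to triage a `windows.dlllist` listing without reading every row, as an added Python example (not part of the original write-up and not Volatility code): parse the tab-separated output and flag any module whose path lies outside the standard system and program directories, or whose name does not match the file its path points at. The rows are constructed for illustration; the DLL name `T1055.001.dll` and base `0x7ffb2be40000` are taken from the dump filename in the write-up, while the paths, sizes and other bases are invented.

```python
"""Flag DLLs loaded from outside the standard system directories.
Added example; the rows are constructed, not the page's dlllist output."""

# Constructed sample shaped like `vol ... windows.dlllist --pid 4668` output
# (tab-separated). T1055.001.dll and base 0x7ffb2be40000 come from the write-up;
# every path, size, time and other base here is invented.
SAMPLE_DLLLIST = (
    "PID\tProcess\tBase\tSize\tName\tPath\tLoadTime\tFile output\n"
    "4668\tnotepad.exe\t0x7ff6a0000000\t0x36000\tnotepad.exe\tC:\\Windows\\system32\\notepad.exe\t2024-01-01 10:05:30.000000\tDisabled\n"
    "4668\tnotepad.exe\t0x7ffb3a1d0000\t0x1f0000\tntdll.dll\tC:\\Windows\\SYSTEM32\\ntdll.dll\t2024-01-01 10:05:30.000000\tDisabled\n"
    "4668\tnotepad.exe\t0x7ffb39f40000\t0xbd000\tKERNEL32.DLL\tC:\\Windows\\System32\\KERNEL32.DLL\t2024-01-01 10:05:30.000000\tDisabled\n"
    "4668\tnotepad.exe\t0x7ffb2be40000\t0x1b000\tT1055.001.dll\tC:\\Users\\labuser\\AppData\\Local\\Temp\\T1055.001.dll\t2024-01-01 10:06:10.000000\tDisabled\n"
    "4668\tnotepad.exe\t0x7ffb2c000000\t0x20000\tkernel32.dll\tC:\\Windows\\Temp\\kernel32.dll\t2024-01-01 10:06:11.000000\tDisabled\n"
)

# Directories a DLL is normally loaded from. Deliberately not just "C:\Windows\",
# so that user-writable places such as C:\Windows\Temp are still flagged.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def parse_dlllist(text):
    """Return a list of (pid, base, name, path) from tab-separated dlllist output."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    idx = {c: header.index(c) for c in ("PID", "Base", "Name", "Path")}
    rows = []
    for line in lines[1:]:
        cols = line.split("\t")
        rows.append((int(cols[idx["PID"]]), int(cols[idx["Base"]], 16),
                     cols[idx["Name"]], cols[idx["Path"]]))
    return rows


def suspicious_dlls(rows):
    """Modules outside trusted directories, or whose name disagrees with their path."""
    findings = []
    for pid, base, name, path in rows:
        low = path.lower()
        basename = low.rsplit("\\", 1)[-1]
        if not low.startswith(TRUSTED_PREFIXES):
            findings.append((pid, hex(base), name, f"loaded from untrusted location: {path}"))
        elif basename != name.lower():
            findings.append((pid, hex(base), name, f"module name does not match path: {path}"))
    return findings


if __name__ == "__main__":
    for pid, base, name, why in suspicious_dlls(parse_dlllist(SAMPLE_DLLLIST)):
        print(f"[!] PID {pid} {name} @ {base}: {why}")
```

In the constructed listing both the Temp-directory `T1055.001.dll` and the look-alike `kernel32.dll` under `C:\Windows\Temp` are flagged, while the genuine system modules pass. Keep in mind that `windows.dlllist` reads the loader lists in the process PEB, so a module that was manually mapped or unlinked from those lists will not appear at all; the `windows.ldrmodules` and `windows.malfind` plugins cover that gap by comparing the loader lists against the VAD tree and by looking for executable private memory.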

## Identifying Process Owners and Associated SIDs

Identifying process owners and associated Security Identifiers (SIDs) is a crucial step in forensic investigations to determine which user account is running a specific process.

**SID (Security Identifier)**: A unique identifier used by Windows to represent a user or group. It helps track process ownership and permissions.

```bash
vol -f win10-memory.raw windows.getsids --pid 4668 5712 5064
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FmNSjYiCMUYUMXMp4zGzW%2FScreenshot(23).png?alt=media&#x26;token=98373773-e5bd-4bc4-90c9-8d182e6036e4" alt=""><figcaption></figcaption></figure>
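Reading SIDs by eye is error-prone, so here is an added Python example (not part of the original write-up and not Volatility code) that parses tab-separated `windows.getsids` output, translates well-known SIDs and domain-relative RIDs into names, and reports which processes hold a high-privilege token. The rows are constructed: the three PIDs and process names follow the write-up, but the account SID, the user name and which SIDs each process holds are invented for illustration.

```python
"""Interpret windows.getsids output and report processes with privileged tokens.
Added example; the rows are constructed, not the page's getsids output."""

# Constructed sample shaped like `vol ... windows.getsids --pid 4668 5712 5064`
# output (tab-separated). Account SID, user name and token contents are invented.
SAMPLE_GETSIDS = (
    "PID\tProcess\tSID\tName\n"
    "4668\tnotepad.exe\tS-1-5-21-1234567890-2345678901-3456789012-1001\tlabuser\n"
    "4668\tnotepad.exe\tS-1-5-32-545\tUsers\n"
    "4668\tnotepad.exe\tS-1-16-8192\tMedium Mandatory Level\n"
    "5712\tpowershell.exe\tS-1-5-21-1234567890-2345678901-3456789012-1001\tlabuser\n"
    "5712\tpowershell.exe\tS-1-5-32-544\tAdministrators\n"
    "5712\tpowershell.exe\tS-1-16-12288\tHigh Mandatory Level\n"
    "5064\tAtomicService.e\tS-1-5-18\tLocal System\n"
    "5064\tAtomicService.e\tS-1-16-16384\tSystem Mandatory Level\n"
)

# Well-known SIDs that matter most when attributing a process.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-16-4096": "Low Mandatory Level",
    "S-1-16-8192": "Medium Mandatory Level",
    "S-1-16-12288": "High Mandatory Level",
    "S-1-16-16384": "System Mandatory Level",
}
# Holding any of these means the process runs with elevated or system rights.
HIGH_PRIV = {"S-1-5-18", "S-1-5-32-544", "S-1-16-12288", "S-1-16-16384"}


def parse_getsids(text):
    """Return {pid: (process_name, [sid, ...])} from tab-separated getsids output."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    pid_i, proc_i, sid_i = (header.index(c) for c in ("PID", "Process", "SID"))
    procs = {}
    for line in lines[1:]:
        cols = line.split("\t")
        procs.setdefault(int(cols[pid_i]), (cols[proc_i], []))[1].append(cols[sid_i])
    return procs


def describe_sid(sid):
    """Human-readable meaning of a SID, using the RID for domain/local accounts."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if sid.startswith("S-1-5-21-"):
        rid = int(sid.rsplit("-", 1)[1])
        if rid == 500:
            return "built-in Administrator account"
        if rid == 512:
            return "Domain Admins"
        if rid >= 1000:
            return f"regular local/domain account (RID {rid})"
        return f"domain-relative RID {rid}"
    return "unknown SID"


def privileged_processes(procs):
    """{pid: [high-privilege SIDs]} for every process holding at least one."""
    return {pid: [s for s in sids if s in HIGH_PRIV]
            for pid, (_name, sids) in procs.items() if set(sids) & HIGH_PRIV}


if __name__ == "__main__":
    table = parse_getsids(SAMPLE_GETSIDS)
    for pid, (name, sids) in table.items():
        print(f"{pid} {name}")
        for sid in sids:
            print(f"    {sid:<48} {describe_sid(sid)}")
    for pid, sids in privileged_processes(table).items():
        print(f"[!] {pid} {table[pid][0]} runs privileged: {', '.join(sids)}")
```

The integrity-level SIDs (`S-1-16-*`) are the most dependable signal here: a process started by an administrator but not elevated still lists `S-1-5-32-544` in its filtered token with a deny-only attribute that `getsids` does not show, so group membership alone can overstate what the process could actually do, whereas a High or System mandatory label means the token really was elevated.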

## Registry Keys

```bash
vol -f win10-memory.raw windows.registry.hivelist
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FOQOWI1QcfKcNmD2B5BZD%2FScreenshot(26).png?alt=media&#x26;token=aa91ecbd-2f86-4d06-9a1d-3e0f8b55d7b8" alt=""><figcaption></figcaption></figure>

We have a registry key named `AtomicRedTeam`.

```bash
vol -f win10-memory.raw windows.registry.printkey --offset 0xe78203872000 --key AtomicRedTeam
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FtMC09Y73R5lmtt51juqG%2FScreenshot(27).png?alt=media&#x26;token=6954906f-efe2-4575-906d-951d97cbe8c1" alt=""><figcaption></figcaption></figure>

* **`--offset 0xe78203872000`**:
  * Specifies the memory offset where the registry hive resides. This is typically obtained from prior analysis using a plugin like `windows.registry.hivelist`.
* **`--key AtomicRedTeam`**:
  * Indicates the specific registry key to inspect.

The command queries the registry hive loaded at a specific memory offset to locate and display the contents of the registry key named `AtomicRedTeam`.
