Memory Investigations
Analyzing an image of RAM has become a staple of investigations
First, we need to collect memory (WinPmem)
Then we use the same strategies for examining memory images as on live systems
Memory forensics, which involves analyzing RAM images, is essential in digital investigations due to the valuable data stored in memory but not on disk. Additionally, analyzing memory snapshots ensures the evidence remains unchanged during the investigation.
Volatility Overview
Volatility is a Python framework for analyzing memory
Runs on Windows, macOS, Linux
Analyzes Windows, macOS, and Linux memory captures
Specify a memory capture and a desired plugin for analysis
Listing Processes
The windows.pslist.PsList plugin lists processes, similar to live analysis tools like Get-Process. The output shows details such as the process name, PID, PPID, start time, and occasionally the termination time. Process names are often truncated to 14 characters due to the structure of the Windows EPROCESS block.
Parent and Child Processes
The windows.pstree.PsTree plugin creates a visual representation (in text) of the parent-child relationships for running processes.
Scanning for Network Connections
The windows.netscan.NetScan plugin scans memory for network-related data, including active connections and listening sockets, similar to the netstat command or PowerShell's Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets. The example shows its output.
Process Command Line
The windows.cmdline.CmdLine plugin shows the process ID and command line for each process that was running when the image was collected.
Other useful Windows plugins:
windows.dlllist.DllList: List DLLs for processes
windows.driverscan.DriverScan: List kernel modules
windows.envars.Envars: List environment variables
windows.filescan.FileScan: Scan for files
windows.dumpfiles.DumpFiles: Carve out files
windows.info.Info: Examine Windows version information
windows.hashdump.Hashdump: Retrieve password hashes
windows.privileges.Privs: List privileges by process
windows.registry.hivelist.HiveList: List registry hive offsets
windows.registry.printkey.PrintKey: Access keys with --offset
windows.registry.userassist.UserAssist: Enumerate programs run from the Start menu
windows.registry.certificates.Certificates: List trusted certificates in the Windows certificate store
windows.svcscan.SvcScan: List service name, display name, and PID
Applying Memory Investigation
Memory investigation steps are similar to live investigation steps:
We use Volatility to analyze memory instead of PowerShell cmdlets
The analysis process starts with the EOI:
Suspicious process? Start with PsList and PsTree
Suspicious network listener? Start with NetScan, then move to processes
Suspicious program? Start with CmdLine, then processes
Memory analysis, like live investigations, starts with an event of interest (EOI). For suspicious processes, use Volatility's PsList and PsTree plugins to examine process details (name, ID, parent ID, start time). For suspicious network listeners, the NetScan plugin identifies IPs, ports, process names, connection status, and process IDs, which can then be further analyzed using PsList and PsTree. For suspicious programs, start with the CmdLine plugin and proceed with detailed process analysis using PsList and PsTree.
Lab 1.3: Memory Investigation
In this lab we will analyze memory evidence from the Falsimentis compromise.
Preprocessing with Volatility
Let's run Volatility's vol command once for each of the following plugins, saving the output of each run to a file.
windows.netscan.NetScan
windows.pstree.PsTree
windows.pslist.PsList
windows.cmdline.CmdLine
windows.filescan.FileScan
windows.dlllist.DllList
Instead of running all of these commands individually, we could opt to run them all at once using a shell loop with the following command:
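One way to script the preprocessing step, as an added example that is not part of the course material: the block below runs each plugin from the list above against a single image and writes each plugin's output to its own text file. It assumes the Volatility 3 entry point is named vol and is invoked as vol -f <image> <plugin>; the image name fm-tetris.mem and the <image>.<Plugin>.txt output naming are assumptions, not the course's convention.

```python
"""Batch-run Volatility 3 plugins against one memory image, one output file per
plugin. Added example; the ``vol`` entry point, the image name and the output
naming scheme are assumptions."""
import subprocess
from pathlib import Path

# Plugins from the preprocessing step.
PLUGINS = [
    "windows.netscan.NetScan",
    "windows.pstree.PsTree",
    "windows.pslist.PsList",
    "windows.cmdline.CmdLine",
    "windows.filescan.FileScan",
    "windows.dlllist.DllList",
]


def output_path(image: str, plugin: str, outdir: str = ".") -> Path:
    """Derive e.g. fm-tetris.NetScan.txt from the image stem and plugin short name."""
    stem = Path(image).stem
    short = plugin.rsplit(".", 1)[-1]
    return Path(outdir) / f"{stem}.{short}.txt"


def build_command(image: str, plugin: str, vol: str = "vol") -> list:
    """argv for one plugin run in Volatility 3's ``vol -f <image> <plugin>`` form."""
    return [vol, "-f", image, plugin]


def run_plugins(image, plugins=PLUGINS, outdir=".", vol="vol", dry_run=False):
    """Run every plugin, redirecting stdout and stderr to its file.

    Returns {plugin: output path}. With dry_run=True the commands are only
    printed, which lets the block run on a system without Volatility.
    """
    results = {}
    for plugin in plugins:
        cmd = build_command(image, plugin, vol)
        path = output_path(image, plugin, outdir)
        if dry_run:
            print(" ".join(cmd), ">", path)
        else:
            with open(path, "w") as fh:
                # A failing plugin (e.g. missing symbol table) is recorded in its
                # own file instead of aborting the rest of the batch.
                subprocess.run(cmd, stdout=fh, stderr=subprocess.STDOUT, check=False)
        results[plugin] = path
    return results


if __name__ == "__main__":
    # Constructed image name; set dry_run=False on a host with vol installed.
    run_plugins("fm-tetris.mem", dry_run=True)
```

Running the script prints the six commands it would execute; on an analysis host with Volatility installed, call run_plugins with dry_run=False and the real image path to produce the text files used in the rest of the lab.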
Preprocessing with Strings
Let's use the Linux strings utility to extract ASCII, 16-bit little-endian, and 16-bit big-endian strings from the memory image for preprocessing analysis.
By default, the strings command extracts ASCII text. The -e l option extracts 16-bit little-endian strings, while -e b extracts 16-bit big-endian strings. All three formats (ASCII, little-endian, big-endian) can reveal valuable system information.
Examining Network Connections
From Lab 1.2, we identified beacon traffic from Falsimentis systems to the site www1-google-analytics.com (IP: 167.172.201.123). Now, let's search for processes communicating with this IP.
Notice the name of the process that connected to the suspicious IP address, analytics.exe with process ID 5736.
Next, let's see if analytics.exe is communicating with any other sites using grep again.
From examining the output, it appears the only remote system analytics.exe connected to was 167.172.201.123, at least at the time of capture.
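The two greps above, pivoting from a known-bad IP to the owning process and then from that process to all of its peers, can be expressed as a small parser over the saved NetScan output. The block below is an added example, not course code; the NetScan rows it embeds are constructed (offsets, timestamps, the OUTLOOK.EXE row and the 203.0.113.5 peer are placeholders) and assume Volatility 3's column order of Offset, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner, Created.

```python
"""Pivot through Volatility 3 NetScan output: which process talked to a given
remote IP, and which remote IPs that process talked to. Added example with
constructed sample rows."""
from collections import defaultdict

# Constructed NetScan-style output (offsets and times are placeholders).
SAMPLE_NETSCAN = """\
Offset  Proto  LocalAddr  LocalPort  ForeignAddr  ForeignPort  State  PID  Owner  Created
0xc80a1f5c1010  TCPv4  172.16.42.103  49812  167.172.201.123  443  ESTABLISHED  5736  analytics.exe  2021-01-01 17:40:12.000000
0xc80a1f5c2020  TCPv4  172.16.42.103  49990  167.172.201.123  443  CLOSED  5736  analytics.exe  2021-01-01 17:45:03.000000
0xc80a1f5c3030  TCPv4  0.0.0.0  445  0.0.0.0  0  LISTENING  4  System  2021-01-01 17:01:00.000000
0xc80a1f5c4040  TCPv4  172.16.42.103  49700  203.0.113.5  443  ESTABLISHED  3120  OUTLOOK.EXE  2021-01-01 17:30:44.000000
"""

UNSPECIFIED = {"0.0.0.0", "::", "*"}   # listeners have no real foreign address


def parse_netscan(text):
    """Turn NetScan text into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:          # blank or malformed line
            continue
        rows.append({
            "proto": f[1], "laddr": f[2], "lport": int(f[3]),
            "faddr": f[4], "fport": int(f[5]), "state": f[6],
            "pid": int(f[7]), "owner": f[8], "created": " ".join(f[9:]),
        })
    return rows


def connections_to(rows, ip):
    """Rows whose foreign address is the IP of interest (first grep)."""
    return [r for r in rows if r["faddr"] == ip]


def remote_peers_of(rows, pid):
    """Sorted remote addresses a PID talked to, ignoring listeners (second grep)."""
    return sorted({r["faddr"] for r in rows
                   if r["pid"] == pid and r["faddr"] not in UNSPECIFIED})


def owners_by_peer(rows):
    """Map each remote IP to the (pid, owner) pairs that contacted it."""
    out = defaultdict(set)
    for r in rows:
        if r["faddr"] not in UNSPECIFIED:
            out[r["faddr"]].add((r["pid"], r["owner"]))
    return out


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    for r in connections_to(rows, "167.172.201.123"):
        print(f"{r['owner']} (PID {r['pid']}) -> {r['faddr']}:{r['fport']} {r['state']}")
    print("peers of PID 5736:", remote_peers_of(rows, 5736))
```

Matching on the parsed ForeignAddr column rather than grepping the raw line avoids false hits where the IP string appears in another column or as a substring of a longer address.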
Examining Processes
Let's examine the running processes using the windows.pslist.PsList and windows.pstree.PsTree plugins. These show details like process name, ID, and parent-child relationships, with PsTree providing a visual representation for easier analysis.
In this grep command, the -C 3 argument displays three lines of context before and after each string match.
This is an odd-looking process tree. ONENOTE.EXE (process ID 8016) spawned cmd.exe (process ID 4452). This cmd.exe spawned analytics.exe (process ID 2532). This copy of analytics spawned another copy of analytics.exe (process ID 5736). The second analytics.exe spawned another cmd.exe (process ID 5804). ONENOTE.EXE also spawned a random-looking process named bJKRJiSAnPkf.e (process ID 5568).
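The parent-child chain described above can be rebuilt from PsList's PID and PPID columns and checked automatically for the pattern that makes it odd (an Office application spawning a command shell). The block below is an added example, not course code: it embeds constructed PsList-style rows using the process names and IDs from the lab, with explorer.exe (PID 4000) added as an assumed parent for ONENOTE.EXE, and renders the tree in PsTree's asterisk-per-depth style.

```python
"""Rebuild a process tree from PsList-style (PID, PPID, name) rows and flag
Office applications that spawn shells. Added example with constructed rows."""
from collections import defaultdict

# Constructed rows: PIDs and names follow the lab; explorer.exe is an assumed parent.
SAMPLE_PSLIST = [
    (4000, 1, "explorer.exe"),
    (8016, 4000, "ONENOTE.EXE"),
    (5568, 8016, "bJKRJiSAnPkf.e"),
    (4452, 8016, "cmd.exe"),
    (2532, 4452, "analytics.exe"),
    (5736, 2532, "analytics.exe"),
    (5804, 5736, "cmd.exe"),
]

OFFICE_APPS = {"ONENOTE.EXE", "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def build_tree(rows):
    """Return (names, children, roots); a root is a PID whose parent is not in the list."""
    names = {pid: name for pid, _, name in rows}
    children = defaultdict(list)
    for pid, ppid, _ in rows:
        children[ppid].append(pid)
    roots = [pid for pid, ppid, _ in rows if ppid not in names]
    return names, children, roots


def render(rows):
    """PsTree-style lines: one asterisk per level of depth."""
    names, children, roots = build_tree(rows)
    lines = []

    def walk(pid, depth):
        lines.append("*" * (depth + 1) + f" {names[pid]} ({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return lines


def lineage(rows, pid):
    """Ancestry of a PID from the top of the tree down to the PID itself."""
    parents = {p: pp for p, pp, _ in rows}
    names = {p: n for p, _, n in rows}
    chain = []
    while pid in names:
        chain.append(f"{names[pid]} ({pid})")
        pid = parents[pid]
    return list(reversed(chain))


def suspicious_spawns(rows):
    """(parent PID, child PID) pairs where an Office app spawned a shell."""
    names, children, _ = build_tree(rows)
    hits = []
    for ppid, kids in children.items():
        if names.get(ppid, "").upper() in OFFICE_APPS:
            hits.extend((ppid, kid) for kid in kids if names[kid].lower() in SHELLS)
    return sorted(hits)


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_PSLIST)))
    print("lineage of 5804:", " -> ".join(lineage(SAMPLE_PSLIST, 5804)))
    print("office app -> shell:", suspicious_spawns(SAMPLE_PSLIST))
```

The same suspicious_spawns check can be run over the full PsList output of an image to surface every Office-spawned shell, not just the one found by reading the tree by eye; PIDs are reused after a process exits, so a real parser should also compare start times before trusting a PPID link.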
Examining File Objects
Next let's examine file objects to see if there is anything else useful for our analysis.
The output shows analytics.exe is in the \Windows\System32 directory, which helps in creating indicators for detecting the malware on a system.
Examining Loaded DLLs
Next, let's take a look at loaded DLLs and command lines for the processes of interest (analytics.exe and bJKRJiSAnPkf.e).
Volatility can't list DLLs for the analytics.exe process due to potential issues like swapped-out memory pages or changes occurring during capture.
Examining Command Lines
Next, let's check for any command line details associated with the analytics.exe process.
The memory capture does not indicate any command line information for the other process, though the child process reports inaccessible memory.
Examining Strings
Searching for analytics.exe
Instead of manually sifting through all the data, let's search for something more specific to reduce the output. For example, the filescan output indicated that the analytics.exe process had the file analytics.exe open in \Windows\System32.
Let's break down the command:
The command grep -i -h 'windows\\system32\\analytics' fm-tetris.strings-*.txt performs a case-insensitive search (-i) for lines containing windows\system32\analytics in the text files, excluding filename information (-h). It uses double backslashes (\\) to escape the backslash character in the search string, which is enclosed in single quotes.
sort -u sorts the lines of output, returning unique lines (-u).
Examining the output, it appears there are two more files that might be of interest:
C:\Windows\System32\analyticsbackup.bat
C:\Windows\system32\AnalyticsInstaller.exe
Searching for bJKRJiSAnPkf.e
It appears bJKRJiSAnPkf.exe is located in the \Users\jchadwick\appdata\local\temp directory.
Summary
Key findings about the Falsimentis incident include:
The program analytics.exe (process ID 5736) communicates with www1-google-analytics.com.
A suspicious program named bJKRJiSAnPkf.exe is located in \Users\jchadwick\appdata\local\temp.
At 17:33:03 AM UTC, ONENOTE.EXE spawned a copy of bJKRJiSAnPkf.exe (process ID 5568).
At 17:34:06 AM UTC, ONENOTE.EXE spawned a copy of cmd.exe (process ID 4452).
At 17:34:09 AM UTC, cmd.exe (process ID 4452) spawned analytics.exe (process ID 2532).
At 17:34:10 AM UTC, analytics.exe (process ID 2532) spawned analytics.exe (process ID 5736).
At 18:08:06 AM UTC, analytics.exe (process ID 5736) spawned cmd.exe (process ID 5804).
Bonus Lab
Investigating Other Strings
Let's search for the string "midnitemeerkats" in all text files generated by Volatility and the strings utility.
There's a reference to the "midnitemeerkats" string, which suggests a command to open the URL http://www.midnitemeerkats.com/note in full-screen mode using the default browser and the Windows start utility. We should investigate this website for further analysis.
Open https://midnitemeerkats.com/note/ in Firefox using a separate system with a privacy-focused VPN. Avoid connecting from your investigation host or company network to prevent the attacker from tracking your investigation through their website logs.
In this page we see the ransom note, but the attackers also included a link to a YouTube video. Let's click on the YouTube video Share link to get the short URL string, as shown here.
The share link for this YouTube video is https://youtu.be/GSMCRD35ch4. Let's compare the shortened identifier GSMCRD35ch4 with the memory investigation files' output.
The origin=http://lolcats.org parameter at the end of the YouTube embed URL indicates that the video was originally embedded on http://lolcats.org.
Identifying the lolcats.org domain in this incident is crucial as it exposes another site used by the Midnite Meerkats attacker, offering key insights into the attacks on Falsimentis.
Revisit Network Investigation Data
Searching the access.log file confirms that there is activity directed to the lolcats.org domain.
The output shows that 172.16.42.103 (FM-TETRIS) and 172.16.42.105 (FM-ELECTRONICA) contacted lolcats.org.
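The access.log search can be made more precise than a plain grep for lolcats.org, which would also match unrelated hosts such as notlolcats.org. The block below is an added example, not course code: it pulls the host out of each requested URL, keeps only lolcats.org and its subdomains, and labels the client IPs with the hostnames from the lab (172.16.42.103 is FM-TETRIS, 172.16.42.105 is FM-ELECTRONICA). The log lines are constructed, the timestamp fields are placeholders, and treating the first whitespace-separated field as the client IP is an assumption about the log format.

```python
"""Find which internal clients contacted a domain in a proxy access log,
matching on the URL's host rather than the raw line. Added example with
constructed log lines and an assumed log layout."""
import re
from collections import defaultdict

# Hostnames for the two clients named in the lab.
HOSTNAMES = {"172.16.42.103": "FM-TETRIS", "172.16.42.105": "FM-ELECTRONICA"}

# Constructed access.log lines; "[placeholder]" stands in for the timestamp.
SAMPLE_ACCESS_LOG = """\
172.16.42.103 - - [placeholder] "GET http://lolcats.org/ HTTP/1.1" 200 5120
172.16.42.105 - - [placeholder] "GET http://www.lolcats.org/kitten.gif HTTP/1.1" 200 8842
172.16.42.110 - - [placeholder] "GET http://example.com/ HTTP/1.1" 200 1256
172.16.42.103 - - [placeholder] "GET http://notlolcats.org/ HTTP/1.1" 404 300
"""

URL_HOST = re.compile(r"https?://([^/\s:\"]+)")


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain, never for look-alikes."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def clients_contacting(log: str, domain: str) -> dict:
    """Map client IP -> number of requests to the domain (assumes IP is field 1)."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = URL_HOST.search(line)
        if m and host_matches(m.group(1), domain):
            counts[line.split()[0]] += 1
    return dict(counts)


def label(ip: str) -> str:
    """Attach the known hostname to an IP, e.g. '172.16.42.103 (FM-TETRIS)'."""
    return f"{ip} ({HOSTNAMES.get(ip, 'unknown host')})"


if __name__ == "__main__":
    for ip, n in sorted(clients_contacting(SAMPLE_ACCESS_LOG, "lolcats.org").items()):
        print(f"{label(ip)}: {n} request(s) to lolcats.org")
```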