# Memory Investigations

### Memory Investigations

* Analyzing an image of RAM has become a staple of investigations
* First, we need to collect memory (WinPmem)
* Then we use the same strategies for examining memory images as on live systems

```bash
E:\> .\winpmem_mini.exe .\win10.0.22000.556.raw
```

Memory forensics, which involves analyzing RAM images, is essential in digital investigations due to the valuable data stored in memory but not on disk. Additionally, analyzing memory snapshots ensures the evidence remains unchanged during the investigation.

## Volatility Overview

* Volatility is a Python framework for analyzing memory
* Runs on Windows, macOS, Linux
* Analyzes Windows, macOS, and Linux memory captures
* Specify a memory capture and a desired plugin for analysis

### Listing Processes

```bash
sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.pslist.PsList
Volatility 3 Framework 2.0.2
PID     PPID     ImageFileName     CreateTime
4       0        System            2022-03-28 11:10:44.000000
344     4        smss.exe          2022-03-28 11:10:44.000000
640     564      lsass.exe         2022-03-28 11:10:52.000000
5248    640      nc.exe            2022-03-28 11:31:56.000000
2612    5248     conhost.exe       2022-03-28 11:31:56.000000
...
```

The `windows.pslist.PsList` plugin lists processes, similar to live analysis tools like `Get-Process`. The output shows details such as the process name, PID, PPID, start time, and occasionally the termination time. Process names are often truncated to 14 characters due to the structure of the Windows EPROCESS block.

### Parent and Child Processes

```bash
sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.pstree.PsTree
Volatility 3 Framework 2.0.2
PID         PPID     ImageFileName     CreateTime
4           0        System            2022-03-28 11:10:44
* 344       4        smss.exe          2022-03-28 11:10:44
564         448      wininit.exe       2022-03-28 11:10:52
* 640       564      lsass.exe         2022-03-28 11:10:52
** 5248     640      nc.exe            2022-03-28 11:31:56
*** 2612    5248     conhost.exe       2022-03-28 11:31:56
```

The `windows.pstree.PsTree` plugin creates a visual representation (in text) of the parent-child relationships for running processes.

### Scanning for Network Connections

```bash
sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.netscan.NetScan
Volatility 3 Framework 2.0.2

Proto     LocalAddr     Port     State         PID        Owner
TCPv4     0.0.0.0       49667    LISTENING     1844       svchost.exe
TCPv4     0.0.0.0       49667    LISTENING     1844       svchost.exe
TCPv4     10.10.0.4     139      LISTENING     4          System
TCPv4     0.0.0.0       135      LISTENING     948        svchost.exe
TCPv4     0.0.0.0       49665    LISTENING     564        wininit.exe
TCPv4     0.0.0.0       49664    LISTENING     640        lsass.exe
UDPv4     10.10.0.4     137      0             4          System
UDPv4     10.10.0.4     138      0             4          System
TCPv4     0.0.0.0       1508     LISTENING     5248       nc.exe
TCPv4     0.0.0.0       49670    LISTENING     3220       svchost.exe
```

The `windows.netscan.NetScan` plugin scans memory for network-related data, including active connections and listening sockets, similar to the `netstat` command or PowerShell's `Get-NetTCPConnection` and `Get-NetUDPEndpoint` cmdlets. The example shows its output.

### Process Command Line

```bash
sec504@slingshot:~$ vol -q -f win10.0.22000.556.raw windows.cmdline.CmdLine
Volatility 3 Framework 2.0.2

PID     Process         Args
4       System          Required memory at 0x20 is not valid (process exited?)
948     svchost.exe     C:\Windows\system32\svchost.exe -k RPCSS -p
1012    svchost.exe     C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1040    svchost.exe     C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s HvHost
3532    MsMpEng.exe     "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2202.4-0\MsMpEng.exe"
5248    nc.exe          C:\Windows\System32\nc.exe -Ldp 1508 -e cmd.exe
3264    cmd.exe         Required memory at 0xc88aa08020 is not valid ...
```

The `windows.cmdline.CmdLine` plugin shows the process ID, process name, and command line for each process that was running when the image was collected.

| Volatility 3 Module                        | Capability                                       |
| ------------------------------------------ | ------------------------------------------------ |
| windows.dlllist.DllList                    | List DLLs for processes                          |
| windows.driverscan.DriverScan              | List kernel modules                              |
| windows.envars.Envars                      | List environment variables                       |
| windows.filescan.FileScan                  | Scan for files                                   |
| windows.dumpfiles.DumpFiles                | Carve out files                                  |
| windows.info.Info                          | Examine Windows version information              |
| windows.hashdump.Hashdump                  | Retrieve password hashes                         |
| windows.privileges.Privs                   | List privileges by process                       |
| windows.registry.hivelist.HiveList         | List registry hive offsets                       |
| windows.registry.printkey.PrintKey         | Access keys with --offset                        |
| windows.registry.userassist.UserAssist     | Enumerate programs run from the Start menu       |
| windows.registry.certificates.Certificates | List trusted certificates in Windows cert. store |
| windows.svcscan.SvcScan                    | List service name, display name, and PID         |

### Applying Memory Investigation

Memory investigation steps are similar to live investigation steps:

* We use Volatility to analyze memory instead of PowerShell cmdlets

The analysis process starts with the EOI:

* Suspicious process? Start with PsList and PsTree
* Suspicious network listener? Start with NetScan, then move to processes
* Suspicious program? Start with CmdLine, then processes

Memory analysis, like live investigations, starts with an event of interest (EOI). For suspicious processes, use Volatility's **PsList** and **PsTree** plugins to examine process details (name, ID, parent ID, start time). For suspicious network listeners, the **NetScan** plugin identifies IPs, ports, process names, connection status, and process IDs, which can then be further analyzed using **PsList** and **PsTree**. For suspicious programs, start with the **CmdLine** plugin and proceed with detailed process analysis using **PsList** and **PsTree**.
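As an added example (not from the course material or from Volatility itself), the following Python script parses the text that `vol` prints for `PsList` and `NetScan` and pivots from an unexpected TCP listener to the owning process and its parent chain, which is the NetScan-to-PsTree workflow described above. The sample output is constructed from the listings earlier on this page, and the set of images expected to own listeners is an analyst's assumption.

```python
# Added example, not course or Volatility code: parse vol's PsList/NetScan text
# and pivot from a listening port to the owning process and its parent chain.
PSLIST = """\
PID     PPID     ImageFileName     CreateTime
4       0        System            2022-03-28 11:10:44.000000
564     448      wininit.exe       2022-03-28 11:10:52.000000
640     564      lsass.exe         2022-03-28 11:10:52.000000
5248    640      nc.exe            2022-03-28 11:31:56.000000
2612    5248     conhost.exe       2022-03-28 11:31:56.000000
"""  # constructed sample, abridged from the PsList output on this page
NETSCAN = """\
Proto     LocalAddr     Port     State         PID        Owner
TCPv4     0.0.0.0       49664    LISTENING     640        lsass.exe
UDPv4     10.10.0.4     137      0             4          System
TCPv4     0.0.0.0       1508     LISTENING     5248       nc.exe
"""  # constructed sample, abridged from the NetScan output on this page

# Images that normally own listeners on a workstation (analyst's assumption).
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "wininit.exe"}

def parse_pslist(text):
    """Map pid -> (ppid, image, create time); skips non-process lines (header, '...')."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].isdigit():
            procs[int(f[0])] = (int(f[1]), f[2], " ".join(f[3:5]))
    return procs

def parse_netscan(text):
    """Rows of (proto, local addr, port, state, pid, owner); skips the header."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[2].isdigit():
            rows.append((f[0], f[1], int(f[2]), f[3], int(f[4]), f[5]))
    return rows

def lineage(procs, pid):
    """Walk PPID links upward; stops at a parent absent from PsList (e.g. exited), guards against PID-reuse cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, name, _ = procs[pid]
        chain.append((pid, name))
        pid = ppid
    return chain

def listener_lineages(netscan_text, pslist_text, expected=EXPECTED_LISTENERS):
    """(port, parent chain) for each TCP listener owned by an unexpected image (here lsass.exe -> nc.exe)."""
    procs = parse_pslist(pslist_text)
    return [(port, lineage(procs, pid))
            for proto, _, port, state, pid, owner in parse_netscan(netscan_text)
            if proto.startswith("TCP") and state == "LISTENING" and owner not in expected]
```

Run `listener_lineages(NETSCAN, PSLIST)` to see port 1508 traced back through nc.exe, lsass.exe and wininit.exe; on a real capture, feed it the saved `vol` output files instead of the embedded samples.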


## Lab 1.3: Memory Investigation

In this lab we will analyze memory evidence from the Falsimentis compromise.

### Preprocessing with Volatility

Let's run Volatility's `vol` command once for each of the following plugins, saving each plugin's output to a file.

* windows.netscan.NetScan
* windows.pstree.PsTree
* windows.pslist.PsList
* windows.cmdline.CmdLine
* windows.filescan.FileScan
* windows.dlllist.DllList

```bash
vol -q -f FM-TETRIS.mem windows.netscan.NetScan > fm-tetris.netscan.txt
vol -q -f FM-TETRIS.mem windows.pstree.PsTree > fm-tetris.pstree.txt
vol -q -f FM-TETRIS.mem windows.pslist.PsList > fm-tetris.pslist.txt
vol -q -f FM-TETRIS.mem windows.cmdline.CmdLine > fm-tetris.cmdline.txt
vol -q -f FM-TETRIS.mem windows.filescan.FileScan > fm-tetris.filescan.txt
vol -q -f FM-TETRIS.mem windows.dlllist.DllList > fm-tetris.dlllist.txt
```


Instead of running all of these commands individually, we could opt to run them all at once using a shell loop with the following command:

```bash
# The plugin list is continued with a backslash so the loop stays a single
# for statement; each plugin's output is written to fm-tetris.<plugin>.txt.
for plugin in windows.netscan.NetScan windows.pstree.PsTree windows.pslist.PsList \
    windows.cmdline.CmdLine windows.filescan.FileScan windows.dlllist.DllList; do
  vol -q -f FM-TETRIS.mem "$plugin" > "fm-tetris.$plugin.txt"
done
```

### Preprocessing with Strings

Let's use the Linux `strings` utility to extract ASCII, 16-bit little endian, and 16-bit big endian strings from the memory image for preprocessing analysis.

```bash
strings FM-TETRIS.mem > fm-tetris.strings-asc.txt           # ASCII
strings -e l FM-TETRIS.mem > fm-tetris.strings-unile.txt    # 16-bit little endian
strings -e b FM-TETRIS.mem > fm-tetris.strings-unibe.txt    # 16-bit big endian
```


By default, the `strings` command extracts ASCII text. The `-e l` option extracts 16-bit little-endian, while `-e b` extracts 16-bit big-endian strings. All three formats (ASCII, little-endian, big-endian) can reveal valuable system information.

### Examining Network Connections

From Lab 1.2, we identified beacon traffic from Falsimentis systems to the site www1-google-analytics.com (IP: 167.172.201.123). Now, let's search for processes communicating with this IP.

```bash
grep 167.172.201.123 fm-tetris.netscan.txt
```


Notice the name of the process that connected to the suspicious IP address: analytics.exe, with process ID 5736.

Next, let's see if analytics.exe is communicating with any other sites using grep again.

```bash
grep analytics.exe fm-tetris.netscan.txt
```


From examining the output, it appears the only remote system analytics.exe connected to was 167.172.201.123, at least at the time of capture.

### Examining Processes

Let's examine the running processes using the `windows.pslist.PsList` and `windows.pstree.PsTree` plugins. These show details like process name, ID, and parent-child relationships, with `PsTree` providing a visual representation for easier analysis.

```bash
grep -C 3 analytics.exe fm-tetris.pstree.txt
```


In this `grep` command, the `-C 3` argument displays three lines of context before and after each matching line.

This is an odd-looking process tree. ONENOTE.EXE (process ID 8016) spawned cmd.exe (process ID 4452). This cmd.exe spawned analytics.exe (process ID 2532). This copy of analytics.exe spawned another copy of analytics.exe (process ID 5736). The second analytics.exe spawned another cmd.exe (process ID 5804). ONENOTE.EXE also spawned a random-looking process named bJKRJiSAnPkf.e (process ID 5568).

### Examining File Objects

Next let's examine file objects to see if there is anything else useful for our analysis.

```bash
grep analytics.exe fm-tetris.filescan.txt
grep bJKRJiSAnPkf.e fm-tetris.filescan.txt
```


The output shows analytics.exe is in the \Windows\System32 directory, which helps in creating indicators for detecting the malware on a system.

### Examining Loaded DLLs

Next, let's take a look at loaded DLLs and command lines for the processes of interest (analytics.exe and bJKRJiSAnPkf.e).

```bash
grep -C 5 analytics.exe fm-tetris.dlllist.txt
```


Volatility can't list DLLs for the analytics.exe process due to potential issues like swapped-out memory pages or changes occurring during capture.

### Examining Command Lines

Next, let's check for any command line details associated with the analytics.exe process.

```bash
grep analytics.exe fm-tetris.cmdline.txt
```


The memory capture does not provide any command line information for either process, and the child process reports inaccessible memory.

## Examining Strings

### Searching for analytics.exe

```bash
grep -i analytics.exe fm-tetris.strings-*.txt
```


Instead of manually sifting through all the data, let's search for something more specific to reduce the output. For example, the filescan output indicated that the `analytics.exe` process had the file `analytics.exe` open in `\Windows\System32`.

```bash
grep -i -h 'windows\\system32\\analytics' fm-tetris.strings-*.txt | sort -u
```


Let's break down the command:

* The command `grep -i -h 'windows\\system32\\analytics' fm-tetris.strings-*.txt` performs a case-insensitive search (`-i`) for lines containing `windows\system32\analytics` in the strings text files, suppressing the filename prefix in the output (`-h`). The search string is enclosed in single quotes and uses double backslashes (`\\`) so that grep treats each backslash as a literal character.
* `sort -u` sorts the lines of output and returns only unique lines (`-u`).

Examining the output, it appears there are two more files that might be of interest:

* C:\Windows\System32\analyticsbackup.bat
* C:\Windows\system32\AnalyticsInstaller.exe

### Searching for bJKRJiSAnPkf.e

```bash
grep -i -h bJKRJiSAnPkf fm-tetris.strings-*.txt | sort -u
```


It appears bJKRJiSAnPkf.exe is located in the \Users\jchadwick\appdata\local\temp directory.

### Summary

Key findings about the Falsimentis incident include:

* The program analytics.exe (process ID 5736) communicates with www1-google-analytics.com.
* A suspicious program named bJKRJiSAnPkf.exe is located in \Users\jchadwick\appdata\local\temp.
* At 17:33:03 UTC, ONENOTE.EXE spawned a copy of bJKRJiSAnPkf.exe (process ID 5568).
* At 17:34:06 UTC, ONENOTE.EXE spawned a copy of cmd.exe (process ID 4452).
* At 17:34:09 UTC, cmd.exe (process ID 4452) spawned analytics.exe (process ID 2532).
* At 17:34:10 UTC, analytics.exe (process ID 2532) spawned analytics.exe (process ID 5736).
* At 18:08:06 UTC, analytics.exe (process ID 5736) spawned cmd.exe (process ID 5804).

## Bonus Lab

### Investigating Other Strings

Let's search for the string "midnitemeerkats" in all text files generated by Volatility and the `strings` utility.

```bash
grep midnitemeerkats fm-tetris.*txt
```


There's a reference to the "midnitemeerkats" string, which suggests a command to open the URL **`http://www.midnitemeerkats.com/note`** in full-screen mode using the default browser and Windows start utility. We should investigate this website for further analysis.

Open **`https://midnitemeerkats.com/note/`** in Firefox using a separate system with a privacy-focused VPN. Avoid connecting from your investigation host or company network to prevent the attacker from tracking your investigation through their website logs.


On this page we see the ransom note, but the attackers also included a link to a YouTube video. Let's click the YouTube video's Share link to get the short URL string.


The share link for this YouTube video is **`https://youtu.be/GSMCRD35ch4`**. Let's compare the shortened identifier GSMCRD35ch4 with the memory investigation files' output.

```bash
grep GSMCRD35ch4 fm-tetris.*txt | sort -u
```


The `origin=http://lolcats.org` parameter at the end of the YouTube embed URL indicates that the video was originally embedded on `http://lolcats.org`.

Identifying the lolcats.org domain in this incident is crucial as it exposes another site used by the Midnite Meerkats attacker, offering key insights into the attacks on Falsimentis.

### Revisit Network Investigation Data

```bash
grep lolcats.org access.log
```


Searching the access.log file confirms that there is activity directed to the lolcats.org domain.

```bash
TZ=America/Los_Angeles awk '/lolcats.org/ {print strftime("%T", $1), $3, $7, $9}' access.log
```


The output shows that 172.16.42.103 (FM-TETRIS) and 172.16.42.105 (FM-ELECTRONICA) contacted lolcats.org.


