Practical Memory Forensics by Tal Eliyahu

For digital forensics analysts, memory forensics is an important and crucial task: it can uncover evidence of cybercrime that is hidden from disk-based analysis. In this article, we go through the steps and procedures for analyzing a system's memory using Volatility.

Volatility is an open source framework for memory forensics, used mainly for incident response and malware analysis. Volatility can analyze memory dumps from most 32- and 64-bit Windows versions, whether the dump is a raw dump, a hibernation file, a VM snapshot or a Microsoft crash dump. Volatility can also work on Linux memory dumps in raw or LiME format. It also supports 38 versions of Mac OS memory dumps. Last, but not least, Android phone dumps are also supported.

Commands and their results:

1. Imageinfo:

>volatility-2.4.standalone.exe -f memdump.mem imageinfo

This command shows information about the image, such as details of the system the image was taken from, the suggested profile, the date and time the image was taken, etc.

[screenshot: imageinfo output]

Explanation of command:

This command identifies the type of system from which the memory image was taken. If the system the image was taken from is not known, the imageinfo command is used to find out. It tells you the likely profiles that can be passed as the --profile parameter. There may be several suggestions; the appropriate profile can be chosen among them by checking the image type field. It also gives the KPCR and KDBG values. Plugins scan for these values automatically when they need them, so supplying the profile to other commands makes them run faster.

2. Kdbgscan:

>volatility-2.4.standalone.exe --profile=Win8SP0x86 -f memdump.mem kdbgscan > kdbgscan.txt

[screenshots: kdbgscan output]

Explanation:

This command scans for potential KDBG structures. The KDBG structure is maintained by the Windows kernel for debugging purposes. It provides a list of loaded kernel modules and running processes, and it also contains version information such as the memory model.

3. Pslist:

>volatility-2.4.standalone.exe --profile=Win8SP0x86 -f memdump.mem pslist >pslist.txt

[screenshots: pslist output]

Explanation:

This command lists the processes of the system, but it does not show hidden or unlinked processes. The image shows the list of processes that were running on the system at the time the image was taken. The listing is produced by walking the doubly-linked list pointed to by PsActiveProcessHead. The information shown is the offset of each process (a virtual address), the process name, the process ID (PID), the parent process ID (PPID), the number of threads, the number of handles, the session, and the date/time the process started.
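Because pslist walks the list from PsActiveProcessHead, an entry that a rootkit has spliced out of that list simply disappears from the walk even though its bytes are still in memory; a scanner that looks for the pool tag instead of following pointers still finds it. The following Python model, added here as an illustration and not taken from Volatility or from the article, builds a toy image with a made-up 32-byte record layout (pool tag, PID, LIST_ENTRY, name) and shows both enumeration strategies side by side. Everything in it (the layout, the PIDs, the names) is constructed.

```python
import struct

# Constructed toy "memory image" (not the real Windows layout): each fake _EPROCESS
# record is 32 bytes:
#   +0  4-byte pool tag b"Proc"      +4  4-byte PID
#   +8  LIST_ENTRY (Flink, Blink)    +16 16-byte NUL-padded name
# A fake PsActiveProcessHead LIST_ENTRY lives at offset 0 of the image.
REC_SIZE = 32
TAG = b"Proc"
HEAD = 0

def build_image(procs):
    """Lay out the head plus one record per (pid, name) and link all of them into a
    circular doubly-linked list, the way the kernel chains ActiveProcessLinks."""
    mem = bytearray(8 + len(procs) * REC_SIZE + 64)
    record_offs = [8 + i * REC_SIZE for i in range(len(procs))]
    nodes = [HEAD] + [o + 8 for o in record_offs]  # LIST_ENTRY addresses, head first
    for o, (pid, name) in zip(record_offs, procs):
        mem[o:o + 4] = TAG
        struct.pack_into("<I", mem, o + 4, pid)
        mem[o + 16:o + 32] = name.encode().ljust(16, b"\0")
    for i, node in enumerate(nodes):
        struct.pack_into("<II", mem, node, nodes[(i + 1) % len(nodes)], nodes[i - 1])
    return mem

def read_u32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]

def record_at(mem, entry):
    """Recover (pid, name) from a LIST_ENTRY address; the record starts 8 bytes before it."""
    o = entry - 8
    return read_u32(mem, o + 4), bytes(mem[o + 16:o + 32]).rstrip(b"\0").decode()

def walk_list(mem):
    """pslist-style enumeration: follow Flink from the head until it wraps around."""
    found, entry = [], read_u32(mem, HEAD)
    while entry != HEAD:
        found.append(record_at(mem, entry))
        entry = read_u32(mem, entry)
    return found

def unlink(mem, pid):
    """Reproduce the artifact a DKOM rootkit leaves behind: one entry spliced out of the
    list by rewriting its neighbours' pointers. The record's own bytes stay untouched."""
    entry = read_u32(mem, HEAD)
    while entry != HEAD:
        if record_at(mem, entry)[0] == pid:
            flink, blink = struct.unpack_from("<II", mem, entry)
            struct.pack_into("<I", mem, blink, flink)      # prev.Flink = next
            struct.pack_into("<I", mem, flink + 4, blink)  # next.Blink = prev
            return True
        entry = read_u32(mem, entry)
    return False

def scan_pool_tags(mem):
    """psscan-style enumeration: ignore the list and look for the pool tag at every
    4-byte-aligned offset, so unlinked (and even freed) records are still found."""
    return [record_at(mem, off + 8)
            for off in range(0, len(mem) - REC_SIZE + 1, 4)
            if mem[off:off + 4] == TAG]

def hidden_processes(mem):
    """Cross-view check: anything the scan finds that the list walk does not report."""
    listed = {pid for pid, _ in walk_list(mem)}
    return [(pid, name) for pid, name in scan_pool_tags(mem) if pid not in listed]

if __name__ == "__main__":
    image = build_image([(4, "System"), (584, "svchost.exe"), (2020, "hidden.exe")])
    print("pslist              :", walk_list(image))
    unlink(image, 2020)
    print("pslist after unlink :", walk_list(image))
    print("psscan              :", scan_pool_tags(image))
    print("hidden              :", hidden_processes(image))
```

The point of the cross-view check at the end is the same one an analyst applies to real output: a PID that psscan reports but pslist does not, with no exit time, deserves a closer look.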

4. Pstree:

>volatility-2.4.standalone.exe --profile=Win8SP0x86 -f memdump.mem pstree

[screenshots: pstree output]

Explanation:

This command shows the process listing in the form of a tree. It is a command similar to psscan, but the view is different. It also does not show hidden processes. Child processes are shown using indentation and periods.

5. Psscan:

>volatility-2.4.standalone.exe --profile=Win8SP0x86 -f memdump.mem psscan >psscan.txt

[screenshots: psscan output]

Explanation:

This command finds processes by pool tag scanning. It can therefore also find processes that were hidden or unlinked by a rootkit. The image for our test case is attached for this command. It contains more information than the pslist command. Processes that were terminated or unlinked are shown with the 'Time Exited' column, which gives the date and time the process terminated. To investigate a hidden process, we need its physical offset, which can be seen in the image above.
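In practice the analyst works from the saved text files (pslist.txt, psscan.txt) rather than from screenshots, and the useful step is to cross-reference them: a PID present in psscan but absent from pslist is either a terminated process (it has a 'Time exited' value) or a candidate hidden process (it has none). The script below, added here as an example that is not part of the article or of Volatility, parses the Volatility 2 column layout of both plugins, renders the pstree-style dotted view from the PID/PPID pairs, and reports that difference. The sample rows are constructed for the demonstration and are not from the article's memdump.mem.

```python
import re
from collections import defaultdict

# Leading columns shared by pslist (Offset(V)) and psscan (Offset(P)) rows.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b")
TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

# Constructed sample output in the Volatility 2 column layout (not from the article's dump).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x86bb1020 System                    4      0     87      588 ------      0 2014-03-12 08:14:06 UTC+0000
0x8a1c2d40 smss.exe                280      4      2       29 ------      0 2014-03-12 08:14:07 UTC+0000
0x8a3c5d40 wininit.exe             380    280      3       78      0      0 2014-03-12 08:14:08 UTC+0000
0x8a4f2030 services.exe            500    380      9      215      0      0 2014-03-12 08:14:09 UTC+0000
0x8a5a1a00 svchost.exe             584    500     12      420      0      0 2014-03-12 08:14:10 UTC+0000
"""
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002a1e020 System                4      0 0x00185000 2014-03-12 08:14:06 UTC+0000
0x0000000003c2ad40 smss.exe            280      4 0x1f0c0000 2014-03-12 08:14:07 UTC+0000
0x0000000003c5d040 wininit.exe         380    280 0x1f0c0020 2014-03-12 08:14:08 UTC+0000
0x0000000004f2a030 services.exe        500    380 0x1f0c0040 2014-03-12 08:14:09 UTC+0000
0x00000000055a1a00 svchost.exe         584    500 0x1f0c0060 2014-03-12 08:14:10 UTC+0000
0x0000000005e40d20 notepad.exe        1964    584 0x1f0c0080 2014-03-12 08:20:00 UTC+0000   2014-03-12 08:25:30 UTC+0000
0x00000000063b2c40 hidden.exe         2020    584 0x1f0c00a0 2014-03-12 08:30:12 UTC+0000
"""

def parse_process_table(text):
    """Parse pslist/psscan text into a dict keyed by PID. Only the leading columns and the
    timestamps are used, so the same parser serves both plugins; header and separator
    lines do not match ROW and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        stamps = TS.findall(line)
        procs[int(m.group(3))] = {
            "offset": m.group(1), "name": m.group(2), "ppid": int(m.group(4)),
            "start": stamps[0] if stamps else None,
            "exit": stamps[1] if len(stamps) > 1 else None,
        }
    return procs

def pstree(procs):
    """Render a pstree-style listing: one period per level of depth, as Volatility's
    pstree indents children. Roots are processes whose parent is absent from the table
    (PPID 0, or a parent that has already exited)."""
    children = defaultdict(list)
    for pid, p in procs.items():
        children[p["ppid"]].append(pid)
    lines, seen = [], set()

    def emit(pid, depth):
        if pid in seen:  # guard against a PID/PPID cycle in a corrupted table
            return
        seen.add(pid)
        p = procs[pid]
        lines.append(f"{'.' * depth}{p['name']} (PID {pid}, PPID {p['ppid']})")
        for child in sorted(children[pid]):
            emit(child, depth + 1)

    for root in sorted(pid for pid, p in procs.items() if p["ppid"] not in procs):
        emit(root, 0)
    return lines

def compare_views(pslist_text, psscan_text):
    """Processes psscan finds but pslist does not: terminated if 'Time exited' is set,
    otherwise unlinked/hidden and worth investigating by physical offset."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    hidden, exited = [], []
    for pid, p in scanned.items():
        if pid not in listed:
            (exited if p["exit"] else hidden).append((pid, p["name"]))
    return {"hidden": sorted(hidden), "exited": sorted(exited)}

if __name__ == "__main__":
    print("\n".join(pstree(parse_process_table(PSLIST_SAMPLE))))
    print(compare_views(PSLIST_SAMPLE, PSSCAN_SAMPLE))
```

Keying by PID is enough for a demonstration, but PIDs are reused by Windows, so for a real comparison the physical offset from psscan is the identifier to carry forward into the next plugin.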

6. Getsids:

>volatility-2.4.standalone.exe --profile=Win8SP0x86 -f memdump.mem getsids -p 644,732,904,1964,2660,1700,1068,2924,1032,1468,832,2704,864,964,2236,1876,2020,3208,3296,3600,1516,1144,2080,1276,740,584,1928,1164,3360,3912,3464,4,500,628,672,992,1000,636,2172,2556 > id.txt

[screenshot: getsids output]

Explanation:

This command shows the SIDs (security identifiers) associated with each process. It can also be used to identify processes that hold privileges they should not have. For our test case, we passed all the PIDs to the command to check the SIDs of every process. The image shows the security identifiers for all processes.

7. Malfind:

>volatility-2.4.standalone.exe --profile=Win8SP0x86 -f memdump.mem -p 644,732,904,1964,2660,1700,1068,2924,1032,1468,832,2704,864,964,2236,1876,2020,3208,3296,3600,1516,1144,2080,1276,740,584,1928,1164,3360,3912,3464,4,500,628,672,992,1000,636,2172,2556 malfind > malware.txt

[screenshot: malfind output]

Explanation:

Malfind is used to find hidden code and DLLs in memory. It has several uses, such as finding injected code in user-mode memory, which it does based on VAD tags and page permissions. It can also be used to locate a sequence of bytes, ANSI or Unicode strings, or regular expressions. The basic purpose of malfind is to locate DLLs that are not found by the standard methods. In the example above, the command is run on all the processes that were running, and the results are shown above. The image shows the details of one of the processes, PID 2020.

8. Vadinfo:

>volatility-2.4.win.standalone.exe --profile=Win7SP0x86 -f memdump.mem -p 4,252,396,496,480,876,772,952,1264,700,1120,1232,852,360,1384,820,1384,820,1868,1004,2028,624,1932,1396,1492,1660,908,488,344,408,944,456,284,1728,1584,2284 vadinfo > vad.txt

[screenshot: vadinfo output]

OUTPUT:

************************************************************************
Pid: 4
VAD node @ 0x8566c0e8 Start 0x00d90000 End 0x00db2fff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @85632318 Segment 82600ee8
NumberOfSectionReferences:     1 NumberOfPfnReferences:       0
NumberOfMappedViews:          38 NumberOfUserReferences:     38
Control Flags: Commit: 1
First prototype PTE: 82e00ee8 Last contiguous PTE: 82e00ff8
Flags2: Inherit: 1
VAD node @ 0x98669ba0 Start 0x00060000 End 0x0007ffff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @9a9514b0 Segment 9d10ae30
NumberOfSectionReferences:     0 NumberOfPfnReferences:       0
NumberOfMappedViews:           1 NumberOfUserReferences:      1
Control Flags: Commit: 1
First prototype PTE: 9e27a6f8 Last contiguous PTE: 9e27a7f0
Flags2: Inherit: 1
VAD node @ 0x8f1fb0a0 Start 0x00020000 End 0x0003ffff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @9b3a1e38 Segment 9d012cc0
NumberOfSectionReferences:     0 NumberOfPfnReferences:       0
NumberOfMappedViews:           1 NumberOfUserReferences:      1
Control Flags: Commit: 1
First prototype PTE: 82f9e8b0 Last contiguous PTE: 82f9e9a8
Flags2: Inherit: 1
VAD node @ 0x85741810 Start 0x00010000 End 0x00010fff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @85741990 Segment 8c8e3b48
NumberOfSectionReferences:     1 NumberOfPfnReferences:       0
NumberOfMappedViews:           2 NumberOfUserReferences:      3
Control Flags: Commit: 1
First prototype PTE: 82e23818 Last contiguous PTE: 82e23818
Flags2:
VAD node @ 0x9bf37378 Start 0x00040000 End 0x0005ffff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @9861ca28 Segment 9d1173e0
NumberOfSectionReferences:     0 NumberOfPfnReferences:       0
NumberOfMappedViews:           1 NumberOfUserReferences:      1
Control Flags: Commit: 1
First prototype PTE: 9e27b810 Last contiguous PTE: 9e27b908
Flags2: Inherit: 1
VAD node @ 0x9863db30 Start 0x00080000 End 0x0009ffff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @85c1b530 Segment 8ba34820
NumberOfSectionReferences:     0 NumberOfPfnReferences:       0
NumberOfMappedViews:           1 NumberOfUserReferences:      1
Control Flags: Commit: 1
First prototype PTE: 82f199d0 Last contiguous PTE: 82f19ac8
Flags2: Inherit: 1
VAD node @ 0x85bc5ca0 Start 0x00e00000 End 0x00e1ffff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @85bc58b0 Segment 8aa60f60
NumberOfSectionReferences:     0 NumberOfPfnReferences:       0
NumberOfMappedViews:           1 NumberOfUserReferences:      1
Control Flags: Commit: 1
First prototype PTE: 82e00bd0 Last contiguous PTE: 82e00cc8
Flags2: Inherit: 1
VAD node @ 0x85bc50d8 Start 0x00dc0000 End 0x00ddffff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @85bce320 Segment 8aa60fd0
NumberOfSectionReferences:     0 NumberOfPfnReferences:       0
NumberOfMappedViews:           1 NumberOfUserReferences:      1
Control Flags: Commit: 1
First prototype PTE: 82e00de0 Last contiguous PTE: 82e00ed8
Flags2: Inherit: 1
VAD node @ 0x85bc3fb8 Start 0x00de0000 End 0x00dfffff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @85bc3008 Segment 8aa60f98
NumberOfSectionReferences:     0 NumberOfPfnReferences:       0
NumberOfMappedViews:           1 NumberOfUserReferences:      1
Control Flags: Commit: 1
First prototype PTE: 82e00cd8 Last contiguous PTE: 82e00dd0
Flags2: Inherit: 1
VAD node @ 0x85fe46e0 Start 0x77290000 End 0x773f6fff Tag Vad
Flags: Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @85fe47c0 Segment 8a3fa550
NumberOfSectionReferences:     2 NumberOfPfnReferences:     255
NumberOfMappedViews:          37 NumberOfUserReferences:     39
Control Flags: File: 1, Image: 1
FileObject @85fe49c0, Name: \Windows\System32\ntdll.dll
First prototype PTE: 82e39008 Last contiguous PTE: fffffffc
Flags2: Inherit: 1
VAD node @ 0x85bc5c50 Start 0x00e20000 End 0x00e3ffff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @85bc92f8 Segment 8aa60d48
NumberOfSectionReferences:     0 NumberOfPfnReferences:       0
NumberOfMappedViews:           1 NumberOfUserReferences:      1
Control Flags: Commit: 1
First prototype PTE: 82e00ac8 Last contiguous PTE: 82e00bc0
Flags2: Inherit: 1
************************************************************************

Explanation:

This command shows extended information about each VAD node of a process. The result shown above is for one process only (Pid: 4). It shows the following information:

  • Address of the MMVAD structure in kernel.

  • Starting and ending virtual addresses in process memory.

  • VAD tag.

  • Name of memory mapped file.

  • Memory protection constants, i.e. the page permissions.
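The vadinfo fields above are exactly what malfind's first filter works from: a region whose protection is both executable and writable, and which is not backed by a mapped image file, is a candidate for injected code (ntdll.dll above has PAGE_EXECUTE_WRITECOPY, but it is a VadImageMap with a FileObject, so it is benign). The Python below is an added example, not code from Volatility or from the article: it parses vadinfo text in the layout shown above and applies that simplified heuristic, optionally peeking at the first bytes of a region for an MZ header. The sample text copies the shape of two regions above and adds one invented PAGE_EXECUTE_READWRITE private region; PID 2020 for it, and the fake_reader stand-in for process memory, are assumptions for the demonstration.

```python
import re

VAD_NODE = re.compile(r"^VAD node @ (0x[0-9a-fA-F]+) Start (0x[0-9a-fA-F]+) End (0x[0-9a-fA-F]+) Tag (\w+)")
PID_LINE = re.compile(r"^Pid:\s+(\d+)")

# Constructed vadinfo text in the same layout as the article's output. The third region
# (0x01f00000, PAGE_EXECUTE_READWRITE, no file) is invented to show the detection.
VADINFO_SAMPLE = r"""
************************************************************************
Pid: 2020
VAD node @ 0x85bc5ca0 Start 0x00e00000 End 0x00e1ffff Tag Vad
Flags: Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
ControlArea @85bc58b0 Segment 8aa60f60
Control Flags: Commit: 1
Flags2: Inherit: 1
VAD node @ 0x85fe46e0 Start 0x77290000 End 0x773f6fff Tag Vad
Flags: Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @85fe47c0 Segment 8a3fa550
Control Flags: File: 1, Image: 1
FileObject @85fe49c0, Name: \Windows\System32\ntdll.dll
Flags2: Inherit: 1
VAD node @ 0x85c0a0f0 Start 0x01f00000 End 0x01f0ffff Tag VadS
Flags: CommitCharge: 16, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
************************************************************************
"""

def parse_vadinfo(text):
    """Parse vadinfo text into a list of region dicts. A 'VAD node @' line opens a new
    region; the lines that follow it fill in protection, VAD type and mapped file."""
    regions, current, pid = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PID_LINE.match(line)
        if m:
            pid = int(m.group(1))
            continue
        m = VAD_NODE.match(line)
        if m:
            current = {"pid": pid, "node": int(m.group(1), 16),
                       "start": int(m.group(2), 16), "end": int(m.group(3), 16),
                       "tag": m.group(4), "protection": None, "vad_type": None, "file": None}
            regions.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Protection: "):
            current["protection"] = line.split(": ", 1)[1]
        elif line.startswith("Vad Type: "):
            current["vad_type"] = line.split(": ", 1)[1]
        elif line.startswith("FileObject @") and "Name: " in line:
            current["file"] = line.split("Name: ", 1)[1]
    return regions

def suspicious_regions(regions, memory_reader=None):
    """Simplified version of malfind's VAD filter: executable AND writable, and not an
    image mapping backed by a file. If a reader for process memory is supplied, also
    note whether the region starts with a PE ('MZ') header."""
    flagged = []
    for r in regions:
        prot = r["protection"] or ""
        if "EXECUTE" not in prot or "WRITE" not in prot:
            continue
        if r["vad_type"] == "VadImageMap" and r["file"]:
            continue  # legitimately mapped DLL/EXE, e.g. ntdll.dll
        reason = f"{prot} private region"
        if memory_reader is not None and memory_reader(r["pid"], r["start"], 2) == b"MZ":
            reason += ", starts with MZ header"
        flagged.append((r["pid"], r["start"], r["end"], reason))
    return flagged

def fake_reader(pid, addr, n):
    """Constructed stand-in for reading process memory: only the invented region carries
    a PE header. With a real dump the bytes come from the process address space
    (for example from the region files that vaddump writes)."""
    return (b"MZ\x90\x00" if addr == 0x01f00000 else b"\x00" * 4)[:n]

if __name__ == "__main__":
    regs = parse_vadinfo(VADINFO_SAMPLE)
    for pid, start, end, why in suspicious_regions(regs, fake_reader):
        print(f"PID {pid}: 0x{start:08x}-0x{end:08x}  {why}")
```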

9. Ldrmodules:

>volatility-2.4.standalone.exe --profile=Win8SP0x86 -f memdump.mem ldrmodules -p 644,732,904,1964,2660,1700,1068,2924,1032,1468,832,2704,864,964,2236,1876,2020,3208,3296,3600,1516,1144,2080,1276,740,584,1928,1164,3360,3912,3464,4,500,628,672,992,1000,636,2172,2556 -v >ldr.txt

[screenshot: ldrmodules output]

Explanation:

This command identifies the base addresses of unlinked DLLs. There are many ways to hide a DLL; one of them is to unlink it from one of the three linked lists in the PEB. However, this does not remove the information held in the VAD, which still records the base address of the DLL and its full path. Ldrmodules cross-references the PEB lists against the VAD to expose such modules.
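The cross-reference itself is simple to state: take every base address seen in any of the three PEB lists or among the file-backed VAD mappings, and for each one record whether it appears in InLoadOrder, InInitOrder and InMemoryOrder. A module that the VAD knows about but no list mentions is the unlinked case. The function below is an added illustration of that logic, not the plugin's own code; the PID, base addresses and paths in the sample are constructed.

```python
# Constructed sample for a fictitious PID 2020: base addresses from the three PEB
# module lists, and the file-backed mappings recovered from the VAD.
PEB_LISTS = {
    "InLoadOrder":   [0x00400000, 0x77290000, 0x75a00000],
    "InInitOrder":   [0x77290000, 0x75a00000],
    "InMemoryOrder": [0x00400000, 0x77290000, 0x75a00000],
}
VAD_FILES = {
    0x00400000: r"\Users\analyst\app.exe",
    0x77290000: r"\Windows\System32\ntdll.dll",
    0x75a00000: r"\Windows\System32\kernel32.dll",
    0x10000000: r"\Users\analyst\AppData\Local\Temp\unlinked.dll",
}

def ldrmodules(pid, peb_lists, vad_file_mappings):
    """Build the ldrmodules-style view: one row per base address, with a True/False flag
    per PEB list and the path the VAD recorded for that mapping (empty if none)."""
    bases = set(vad_file_mappings)
    for entries in peb_lists.values():
        bases.update(entries)
    return [{
        "pid": pid, "base": base,
        "InLoad": base in peb_lists["InLoadOrder"],
        "InInit": base in peb_lists["InInitOrder"],
        "InMem": base in peb_lists["InMemoryOrder"],
        "path": vad_file_mappings.get(base, ""),
    } for base in sorted(bases)]

def unlinked_modules(rows):
    """Modules mapped from a file in the VAD but absent from all three PEB lists.
    The process's own executable is normally missing from InInitOrder only, so it is
    not reported here."""
    return [r for r in rows if r["path"] and not (r["InLoad"] or r["InInit"] or r["InMem"])]

def format_rows(rows):
    """Text rendering in the spirit of the plugin's table."""
    header = f"{'Pid':>5} {'Base':>10} {'InLoad':>6} {'InInit':>6} {'InMem':>6}  MappedPath"
    body = [f"{r['pid']:>5} 0x{r['base']:08x} {str(r['InLoad']):>6} {str(r['InInit']):>6} "
            f"{str(r['InMem']):>6}  {r['path']}" for r in rows]
    return "\n".join([header] + body)

if __name__ == "__main__":
    rows = ldrmodules(2020, PEB_LISTS, VAD_FILES)
    print(format_rows(rows))
    print("unlinked:", [hex(r["base"]) for r in unlinked_modules(rows)])
```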


About the Author: Tal Eliyahu

Operational Security Specialist

BugSec

Source: LinkedIn

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013