Memory Forensics
Simply download DumpIt put it onto a USB drive
If you are running it on Windows 7 you will need administrators rights
if using a USB drive, ensure that enough space is there to store the memory
image.
[Link]
Once memory image is created we can analyze with Volatility
[Link]
Identifying the Profile of a Memory image
volatility imageinfo -f [Link] to get the image details
The Imageinfo command gives you several pieces of information,For now, we
just need to know the profile type of the memory dump
�Retrieving Registry Hives Lists
Now, we need the hive list so we can get the starting location of where the
registry information resides
volatility hivelist -f [Link] --profile=Win7SP1x86
Dumping Individual Registry Hives
We now have a list of where several key items are located in the memory dump.
We can use this information to find individual artifacts or we can just dump the
whole hive list.
To do so, you simply need to use the hivedump command and the virtual
memory address to the hive you want to view from the list recovered above.
take a look at the Software hive, vitual offset address.
volatility --profile=Win7SP1x86 -f [Link] hivedump -o
0x8c3c0008
�Retrieving Specific Registry Key Value
Using hivedump will return a ton of registry settings, which might be a little more
than we need. You can also search the registry keys for specific data
For example to find the name of the last logged in user you can check the
WinLogon registry key
volatility -f [Link] --profile=Win7SP1x86 printkey -K
"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
�Password Hashes
If you can obtain a memory image, you can get the password hashes. This is of
importance to security penetration testers because if you have the hashes, you
can then proceed to crack them or use them in pass the hash types of attacks to
access other systems on the network.
To do this we need to know the starting memory locations for the System and
SAM keys. We look in the hivelist, for this copy down the numbers in the first
column that correspond to the SAM and SYSTEM locations.
Place the virtual address for System in the y switch and the address for the SAM
into -s.
The following command pulls the password hashes out of memory and stores
them in a text file called [Link]:
volatility hashdump -f [Link] --profile=Win7SP1x86 -y
0x8881a3c8 -s 0x8c3c7008 > [Link]
Simply check the [Link] file and you will see the admin hash and the password
hashes for any users these hashes could then be taken and cracked in an online
hash cracking site or any one of the password cracking programs like John the
Ripper or Hashcat.
�List of Running Process
Now lets take a look at recovering a list of the running processes and active
network connections
volatility pslist -f [Link] --profile=Win7SP1x86
�Listing Running Process as a Tree
To view the process listing in tree form, use the pstree command. This
enumerates processes using the same technique as pslist, so it will also not show
hidden or unlinked processes. Child process are indicated using indention and
periods.
volatility pstree -f [Link] --profile=Win7SP1x86
�Enumerating Processes
To enumerate processes using pool tag scanning, use the psscan command. This
can find processes that previously terminated (inactive) and processes that have
been hidden or unlinked by a rootkit
volatility psscan -f [Link] --profile=Win7SP1x86
�Listing DLLs Loaded into Memory
To display a process's loaded DLLs, use the dlllist command.
volatility dlllist -f [Link] profile=Win7SP1x86
�Extract DLL from a Process's memory
To extract a DLL from a process's memory space and dump it to disk for analysis,
use the dlldump command.
[Link] dlldump -f [Link] --profile=Win7SP1x86 -r
kernel32 -D out
It is possible dump all dll's of a specific process using its process id.
�Retrieving Commands typed in Command Prompt
Another interesting command we can run is cmdscan. This plug-in allows us to
see what commands, if any, were run from the command prompt
volatility cmdscan -f [Link] --profile=Win7SP1x86
Retrieving Network Connection
We can view network connections that were active from the memory dump by
using the netscan command
�volatility netscan -f [Link] --profile=Win7SP1x86
The data returned shows all network connections, including the process name,
source and destination IP addresses including ports.
This information helps the analyst see what network connections were active
From pslist output of the command discussed above, we see the physical memory
location, process name and the PID number of all process that were running. You
can also use volatility to view the exact programs that may be running under the
process. This helps malware analysts track down malicious processes and their
associated programs.
�Process Handles of [Link]
Get the PID of [Link] from the pslist cmmand output.
volatility handles -f [Link] --profile=Win7SP1x86 -p 2732 -t process
�Rootkit detection using Volatility
Hidden process are revealed through volatility pslist, psscan module
[Link] pslist -f [Link] profile=WinXPSP3x86
�[Link] psscan -f [Link] profile=WinXPSP3x86
Drivers loaded by the Hackerdefender rootkit is revealed by the module
driverscan
[Link] driverscan -f [Link] --profile=WinXPSP3x86
�Modules running on the infected system can be revealed by modules and
modscan2
[Link] modules -f [Link] --profile=WinXPSP3x86
To scan physical memory for kernel modules, use the modscan command. This
can pick up previously unloaded drivers and drivers that have been
hidden/unlinked by rootkits. Included in the output is the offset of the module,
which is a physical address
[Link] modscan -f [Link] --profile=WinXPSP3x86
�Dump the suspicious process into a directory.
[Link] malfind -f [Link] --profile=WinXPSP3x86 -D out
�Upload the dumped process to the virus total for anlysis.
�Basic Malware Analysis using Volatility
[Link]
Download the above memory dump, which is infected with a Zeus Malware.
Determine the OS of the memory snapshot were taken, use imageinfo command.
volatility imageinfo -f [Link]
List out the processes which were running during the snapshot are taken. Use the
pslist command.
volatility pslist -f [Link] --profile=WinXPSP2x86
�List the open TCP connections using the connscan command.
volatility connscan -f [Link] --profile=WinXPSP2x86
Do a whois on the obtained IP address from the above step.
Whois [Link]
��Listout the registry hives loaded into memory. Use hivelist command.
volatility hivelist -f [Link] --profile=WinXPSP2x86
The key UserInit specifies what program should be launched right after a user
logs into Windows.
The default program for this key is C:\windows\system32\[Link].
[Link] is a program that restores your profile, fonts, colors, etc. for your
username.
It is possible to add further programs that will launch from this key by separating
the programs with a comma. Its is a common place for trojans
volatility printkey -f [Link] profile=WinXPSP2x86 -o 0xe153ab60
-K Microsoft\Windows NT\CurrentVersion\Winlogon
�List the process in tree form using the pstree command. This plugin print process
list as a tree so we can visualize the parent/child relationships.
volatility pstree -f [Link] --profile=WinXPSP2x86
�We did notice that [Link] launched [Link] and that the system process
[Link] (Pid 856) is connected to the [Link] (PPid 676) looked
to have some code injected into it. 9.) Lets revisit our printkey command so we
can detect if the windows firewall is enabled or disabled.
volatility printkey -f [Link] --profile=WinXPSP2x86 -K
"ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Stan
dardProfile"
The function apihooks looks at the [Link] process with the PID 856 and
finds two in-line hooks
volatility apihooks -f [Link] profile=WinXPSP2x86 -p 856
���Now run the malfind plugin. Create a directory called out let the malfind module
dumps the embedded program in the process id 856.
volatility malfind -f [Link] profile=WinXPSP2x86 -p 856 -D out
�Now upload the extracted dump from out directory to Virus Total, you can see
that it is being detected as a Zbot.
�Reference:
[Link]