Memory Forensics

Posted by: adham saad

What is Memory forensics?

Memory forensics is the process of capturing the running memory of a device and then analyzing the captured output for evidence of malicious software. Unlike hard-disk forensics where the file system of a device is cloned and every file on the disk can be recovered and analyzed, memory forensics focuses on the actual programs that were running on a device when the memory dump was captured.

Memory forensics is a vital form of cyber investigation that allows an investigator to identify unauthorized and anomalous activity on a target computer or server. This is usually achieved by running special software that captures the current state of the system’s memory as a snapshot file, also known as a memory dump. This file can then be taken offsite and searched by the investigator. This is useful because of the way in which processes, files and programs are run in memory: once a snapshot has been captured, many important facts can be ascertained by the investigator, such as:

  • Processes running
  • Executable files that are running
  • Open ports, IP addresses and other networking information
  • Users that are logged into the system, and from where
  • Files that are open and by whom

Already we can see how much this information can help an investigator as they seek out system anomalies, and by being able to capture the volatile information inside the system’s memory, they are able to create a permanent record of the system’s state as it was. This means that suspicious programs such as computer viruses and malware can be tracked down in a lab environment and traced back to the source if possible. This is vital in instances where malware leaves no trace of its activity on a target system’s hard drive, making memory forensics especially important as a means to identify such activity.

Why memory forensics?

Volatile memory is very crucial, as it can help us understand the state of a compromised system and give us great insights into how an adversary might have attacked the system.

When it comes to malware attacks, volatile memory is sometimes the only source for investigating such attacks. The recent trend in malware has been such that most of them are only memory-resident malware. That means analysis of non-volatile evidence won’t give us convincing clues about the presence of malware at all.

The best example of such a scenario would be Stuxnet. Stuxnet was the first of many such malware families that were only memory resident and remained dormant in the victim’s system until a target was found.

Ever since Stuxnet, there has been an alarming trend of such attacks and on a positive note, more research into memory forensics!

What is Volatile Data?

Volatile data is something that any incident responder needs to be aware of, because when dealing with a compromised device one of the first reactions may be to turn the device off to contain the threat.

The problem with this approach is that any malware that is running on the device will be running in memory. Any network connections and running processes will be lost, because the malware has been running in memory and that data goes with it. This volatile data is not written to disk and is changing constantly in memory, so powering down the device means valuable evidence has been destroyed.

Network containment (isolating the device from the rest of the network) is the preferred option when isolating a compromised device. This method will securely contain the incident and also preserve valuable evidence and not destroy the volatile data in memory.

What is a Memory Dump?

A memory dump or RAM dump is a snapshot of memory that has been captured for memory analysis. When a RAM dump is captured it will contain data relating to any running processes at the time the capture was taken. 

What are Acquisition Methods?

The angle of investigation that you take during this acquisition phase will depend mostly on the scenario that you are presented with and the requirements of the case. This depends largely on the operating system that your host is running, or what the perceived issue is that needs to be investigated at the time of the incident. How you go about capturing the image also depends on what you are trying to establish through your investigative process, and what it is that you are trying to prove or disprove.

Generally your investigation will focus on the activities of the user on the system, or evidence that proves that the system in question has been compromised. Sometimes even encryption keys and passwords can be uncovered if they are part of the evidentiary requirements of your case. There must be a clear understanding of what needs to be established on the target system, and how it can help to advance your investigation.

Forensic investigators are highly skilled and can identify activity on a system that should not be present, allowing them to prove that a system has been compromised. It allows them to identify rootkits and malware, to find unusual processes, and reveal covert communication, which can shed light on what is happening currently in a target system.

Here are some examples of acquisition formats that are used in memory forensics. There are many different memory acquisition types, but these are five of the most common methods and formats that are used today:

  • RAW Format – Extracted from a live environment
  • Crash Dump – Information gathered by the operating system
  • Hibernation File – A saved snapshot that your operating system can return to after hibernating
  • Page File – This is a file that stores similar information that is stored in your system RAM
  • VMWare Snapshot – This is a snapshot of a virtual machine, which saves its state as it was at the exact moment that the snapshot was generated

Once you have acquired your data, you can begin the process of examining the system, and any suspicious activities will then be uncovered as you proceed. Data carving is a commonly used approach, and depending on the desired outcomes of your particular case, there are many other approaches that can be looked at as well. Below is a list of some commonly used tools in the field that allow for these different approaches to be utilized.

Examining Your Captured Data

There are many avenues for an investigator to take when it comes to analyzing a target system, so many in fact that there are entire book series dedicated to the subject. We will instead take a look at some common approaches that can be used by an investigator when trying to glean more information via memory forensics.

  • Open Files Associated With Process: This is an extremely useful approach, as it shows which files are open by a suspicious process on the target system. Malware can often be identified just by the location of the associated files that are open, and knowing where these files are located is also beneficial to the overall investigation, especially if these files are storing logs of user inputs via the keyboard. This would mean that the user’s passwords could have been inadvertently divulged to the malware authors that created the software. This will help to strengthen the case that the investigator is building.
  • Decoded Applications in Memory: Sometimes the malware that is present on the target system will be encrypted, making it impossible for anyone but the perpetrator to successfully make use of the data that it has been collecting. However, sometimes a decrypted version of the application can be caught in the memory snapshot, which allows the investigator to more accurately examine the application’s activities. The investigator might even be able to identify the hash or cipher that was used for the encryption, thus allowing them to read previously inaccessible data associated with the malware instance on the target machine.
  • Timestamp Comparison: In some instances, malware can interfere with the target host’s timestamps on the system files, making them appear to be untouched by the infection. This is known as time stomping, and can seriously inhibit an investigator’s ability to discover when the infection first occurred. By capturing the memory dump, investigators can compare the process time stamps to the system file timestamps to establish when the system was first compromised. Once a date and time has been established, records such as emails and browser history can be looked at to help identify the possible cause of the infection by finding any correlations in time and date between the process timestamps and the application time frames.
  • Network Information: Once the infected processes have been identified, then the specific network communications surrounding the infection can be further dissected. This can reveal a virtual treasure trove of information, such as:
    • Source IP Addresses such as where the malware instance is reporting back to
    • Compromised ports on the host machine
    • The frequency at which the malware was communicating over the network
    • Understanding how the infection spreads itself over the network
  • User Activity: By looking at the information that was acquired during all of the previous steps, the forensic investigator can start to piece together a fairly accurate series of events that led to the main incident. This can be determined via the system log files that were captured earlier, and can help to ascertain to what extent, if any, that a user on site may have been involved. Remote unauthorized access can also be detected, which can help with determining the extent to which the network protocols of the organization have been compromised.
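The approaches above (open files, network information, timestamp comparison and a resulting timeline) can be combined once the records have been extracted from the dump. The following is an added example, not code from the original post: it works over constructed process-list, network-scan and MFT records in the style of what a memory-analysis tool reports, flags processes talking outside an assumed internal range (10.0.0.0/8), spots time-stomped files by comparing $STANDARD_INFORMATION with $FILE_NAME creation times, and derives the earliest compromise time; all names, PIDs, addresses and paths are made up.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample (not real tool output): running processes at capture
# time, as (pid, ppid, name, create time in UTC). All values are made up.
PSLIST = [
    (4, 0, "System", "2023-03-01T08:00:01Z"),
    (612, 4, "smss.exe", "2023-03-01T08:00:02Z"),
    (1328, 1100, "explorer.exe", "2023-03-01T08:01:10Z"),
    (2044, 1328, "winword.exe", "2023-03-01T09:14:22Z"),
    (2211, 2044, "svch0st.exe", "2023-03-01T09:14:40Z"),
]
# Constructed sample network scan: (pid, local endpoint, remote endpoint, state).
NETSCAN = [
    (2211, "10.0.0.5:49211", "203.0.113.7:443", "ESTABLISHED"),
    (1328, "10.0.0.5:49180", "10.0.0.20:445", "ESTABLISHED"),
]
# Constructed sample MFT entries tied to the processes above:
# (path, $STANDARD_INFORMATION created, $FILE_NAME created).
MFT = [
    ("C:\\Users\\u\\AppData\\Roaming\\svch0st.exe",
     "2019-06-12T10:00:00Z", "2023-03-01T09:14:35Z"),
    ("C:\\Users\\u\\Documents\\invoice.docx",
     "2023-03-01T09:13:50Z", "2023-03-01T09:13:50Z"),
]
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range for this case

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def external_connections(netscan):
    """PIDs whose remote peer lies outside the internal range (possible C2)."""
    return {pid for pid, _, remote, _ in netscan
            if ip_address(remote.rsplit(":", 1)[0]) not in INTERNAL}

def stomped_files(mft):
    """$SI created earlier than $FN created is a classic time-stomping
    indicator: $SI was backdated, so $FN is the more trustworthy time."""
    return [path for path, si, fn in mft if parse(si) < parse(fn)]

def earliest_compromise(pslist, netscan, mft):
    """Earliest trustworthy time among suspicious processes and stomped files."""
    ext, stomped = external_connections(netscan), stomped_files(mft)
    times = [parse(ct) for pid, _, _, ct in pslist if pid in ext]
    times += [parse(fn) for path, _, fn in mft if path in stomped]
    return min(times) if times else None

def timeline(pslist, netscan, mft):
    """Process creations and $FN file times in order, marking external peers."""
    ext = external_connections(netscan)
    events = [(parse(ct), f"{name} pid={pid} ppid={ppid}" + (" [external]" if pid in ext else ""))
              for pid, ppid, name, ct in pslist]
    events += [(parse(fn), f"file {path}") for path, _, fn in mft]
    return sorted(events)
```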

Once the findings have been made, the investigator can work with his or her team to establish if there are any other sources of information that need to be looked at further, and if any additional techniques need to be applied to the target machine or data set.

The Best Memory Forensic Tools

There are both free and commercial products available on the market, and many forensics investigators will have their own personal preferences. Some investigators may find that they need to use commercial products only, however many professionals will use a wide array of both free and paid tools to get the job done. Here are some examples:

  • Volatility Suite: This is an open source suite of programs for analyzing RAM, and has support for Windows, Linux and Mac operating systems. It can analyze RAW, Crash, VMWare, and VirtualBox dumps with no issues.
  • Rekall: This is an end-to-end solution for incident responders and investigators, and features both acquisition and analysis tools. It can be thought of as more of a forensic framework suite than just a single application.
  • Helix ISO: This is a bootable live CD as well as a standalone application that makes it very easy for you to capture a memory dump or memory image of a system. There are some risks associated with running this directly on a target system, namely an acquisition footprint, so make sure that it fits your requirements.
  • Belkasoft RAM Capturer: This is another forensic tool that allows for the volatile section of system memory to be captured to a file. First responders will find that the functionality and wide range of tools available in this software package will allow for their investigations to start off as quickly as possible.
  • Process Hacker: This is an open source process monitoring application that is very useful to run while the target machine is in use. It will give the investigator a better understanding of what is currently affecting the system before the memory snapshot is taken, and can go a long way to help uncover any malicious processes, or even help to identify what processes have been terminated within a set period of time.

Once you have captured the data that you need, you can start to examine it, while trying to find meaningful information on the target PC that you are interrogating.

How is Memory Forensics Different from Hard Drive Forensics?

Memory forensics can be thought of as a current snapshot of a system that gives investigators a near real time image of the system while in use. Hard drive forensics is normally focused on data recovery and decryption, usually made from an image of the drive in question.

One can think of memory forensics as a live response to a current threat, while hard drive forensics can be seen as more of a post mortem of events that have already transpired. Memory forensics is time sensitive, as the information that is required is stored in volatile system memory, and if the system is restarted or powered off, then that information is flushed from system memory. Hard drives, on the other hand, are a non-volatile form of computer storage. There are some volatile elements to hard drives, such as cache and buffer stores, so this also needs to be taken into account by the forensic investigator.

Depending on the nature of the investigation, either technique can be used to gain further information about the system in question. Likewise, both methods can be used on the same system if necessary, and investigators will have to use their discretion and select the appropriate action where necessary.
