This is a series of posts in which I am going to quickly explain some basic theory around memory forensics and how to hunt your attacker once he has been identified inside your network. I am also going to alleviate the burden of extracting information from your endpoint memory dump with the Vshot script, an excellent contribution by another professional in the industry whom I will introduce later in the post.
Why memory forensics to hunt down your attacker?
This is an easy answer if you look at the memory architecture of modern computers.
Disk — Virtual Memory (still disk) — RAM — Cache — CPU
Information is pulled by the CPU from disk, and the further right you go in the chain above, the faster and more costly the storage becomes. RAM is the pivot point where all information currently in use is held during execution. If the threat is currently active on the machine you will likely find traces of its activity in memory.
Memory forensics is also an important step in the investigation stage of the incident response process. To fully understand the threat you are dealing with it is necessary to pay attention to memory, as the artifacts and evidence found there are unique to this component of the computer. Much of the evidence that can be collected in memory cannot be found in other computer forensic artifacts; memory enriches the investigation and helps to establish the playground for deeper analysis of the disk.
To sum up and build the case for memory forensics: if you need to understand your threat better, or if you need to create a threat intelligence or hunting capacity, memory is one of the places on the endpoint that you do want to analyze first, since it is volatile, provides abundant evidence and helps you narrow your search when you later analyse the disk, which is a much bigger bucket of information.
Memory analysis general process
All we are going to do is basically study the properties of the processes running in memory, following these steps:
- Identify rogue processes and look at their properties such as name, path, command line, start time and SIDs
- Analyze the DLLs and handles inside each process
- Review network artifacts such as suspicious ports, connections and processes
These are the basic steps; for more targeted attacks we are also going to look into the following:
- Evidence of code injections
- Check for signs of a rootkit
At the very end we can dump the suspicious processes and drivers and send them to other teams such as malware reverse engineering.
Extracting evidence from the memory dump
One of the biggest pains when analyzing a memory dump is extracting all the evidence with Volatility. Running the plugins one by one takes a long time, so you can either script Volatility yourself or use one of the scripts available out there.
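As an added illustration of what "scripting Volatility" for the steps above looks like (this is not Vshot and not code from the post; it assumes Volatility 2's vol.py is on PATH, and the grouping of plugins into stages is my own choice), the following script runs one plugin group per analysis step, one output file per plugin, and keeps going when a plugin is unsupported for the image's profile:

```shell
#!/bin/sh
# Batch-run Volatility 2 plugins against one memory image, one output file per
# plugin, grouped by the analysis steps above. VOL may be overridden
# (e.g. VOL=/opt/volatility/vol.py); the default assumes vol.py is on PATH.
VOL="${VOL:-vol.py}"

# Plugin names are real Volatility 2 plugins; the grouping is this example's own.
plugins_for() {
    case "$1" in
        processes) echo "pslist psscan pstree psxview cmdline getsids" ;;
        modules)   echo "dlllist handles ldrmodules mutantscan" ;;
        network)   echo "netscan connscan sockets" ;;
        injection) echo "malfind apihooks" ;;
        rootkit)   echo "ssdt modules modscan driverscan" ;;
        *)         return 1 ;;
    esac
}

# run_stage <image> <profile> <outdir> <stage>
# A failing plugin (e.g. connscan on a Win7 image) is logged, not fatal, so one
# unsupported plugin does not stop the batch. Prints the number of failures.
run_stage() {
    img=$1; prof=$2; out=$3; stage=$4
    mkdir -p "$out" || return 1
    failed=0
    for p in $(plugins_for "$stage"); do
        if ! "$VOL" -f "$img" --profile="$prof" "$p" >"$out/$p.txt" 2>"$out/$p.err"; then
            failed=$((failed + 1))
            echo "[!] $p failed, see $out/$p.err" >&2
        fi
    done
    echo "$failed"
}

# run_all <image> <profile> <outdir>: all stages; non-zero exit if any plugin failed.
run_all() {
    total=0
    for s in processes modules network injection rootkit; do
        n=$(run_stage "$1" "$2" "$3" "$s") || return 1
        total=$((total + n))
    done
    echo "[*] done, $total plugin(s) failed, results in $3" >&2
    [ "$total" -eq 0 ]
}

# Entry point when run as ./volrun.sh <image> <profile> <outdir> (skipped when sourced).
if [ "${0##*/}" = "volrun.sh" ]; then
    [ $# -eq 3 ] || { echo "usage: $0 <image> <profile> <outdir>" >&2; exit 2; }
    run_all "$1" "$2" "$3"
fi
```

The per-plugin .err files are worth keeping: a plugin that fails on every image of a given profile (connscan and sockets on anything newer than XP/2003) is expected noise, while a plugin that fails on one image only is itself a lead.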
Of all the scripts I have researched, the one that works well and is already included in a Linux distro such as Remnux is Vshot.
The author, Devin Gergen, is continuously working on the script, and according to version 4.01 there are more updates to come, such as:
- Extended Volatility tools
- Profile specific tools
- -oshm option to use /dev/shm for output only (do not copy the memory image file to /dev/shm)
- timeline support
- resume interrupted image processing
Making the script work is extremely simple: once you boot up Remnux, open a CLI and point vshot at a memory dump to start the extraction, then go for a coffee until it finishes its job.
The script determines the image profile based on a KDBG search; if more than one profile is found, you need to indicate which one is the right one. Up to here everything is the same as if you were doing it manually.
In less than 30 minutes it ran 43 Volatility plugins and dumped the results in the directory provided. I did not use multi-threading; with multi-threading enabled the processing should be even faster.
Now with all the evidence parsed and extracted we can start the most important phase, which is the analysis of the evidence. I will quickly go through it in a second post.