ISAC Certified Forensic Investigator (ICFI) @ISAC
Volatile Memory Forensics
Module-7:
Memory Forensics using Volatility
Memory Forensics
Importance of Memory Forensics
Memory Analysis Tool
Analysis of Windows 7 RAM using Volatility 3
Understand the Suspect and Accounts
Understand the Suspect’s PC
Network Forensics
Investigate Command History
Investigate Suspect’s USB
Overview
Volatile Memory Forensics ISAC Certified Forensic Investigator (ICFI) @ISAC
Volatile data resides in a computer’s short-term memory and can include data such as
browsing history, chat messages, crash reports, evidence of security compromise and clipboard contents.
Memory forensics (sometimes referred to as memory analysis) is the analysis of volatile
data in a computer’s memory dump (or core dump), which is a snapshot of the computer’s
memory contents at a specific instant.
Memory dump analysis is a very important step of the Incident Response process.
Information security professionals conduct memory forensics to investigate and identify
attacks or malicious behaviours that do not leave easily detectable traces on the hard drive.
The RAM (memory) dump of a running compromised machine is usually very helpful in
reconstructing the events and activities that the attacker performed on the machine.
Memory Forensics
Memory forensics can provide unique insights into runtime system activity, including open
network connections and recently executed commands or processes.
Any program – malicious or otherwise – must be loaded in memory in order to execute,
making memory forensics critical for identifying otherwise obfuscated attacks.
In many cases, critical data pertaining to attacks will exist solely in memory, for example:
• Network connections
• Account credentials
• Chat messages
• Encryption keys
• Running processes
• Injected code fragments
• Internet history
Importance of Memory Forensics
Memory Acquisition: the process of copying volatile memory to non-volatile storage (a file
on disk).
On a Physical Machine (Tools):
• FTK Imager
• Belkasoft RAM Capturer
• Memoryze by FireEye
• WinPmem
• DumpIt by MoonSols (Windows memory)
On a Virtual Machine (Tools):
• Suspend the VM (.vmem)
Memory Acquisition Tools
The Volatility Framework is open-source and written in Python. Downloads are available as zip
and tar archives, Python module installers, and standalone executables.
It can analyze raw dumps, crash dumps, VMware dumps (.vmem), VirtualBox dumps, and
many others.
It supports analysis of Linux, Windows, Mac, and Android systems.
Volatility 3 installation:
• git clone https://github.com/volatilityfoundation/volatility3.git
• cd volatility3
• python3 setup.py install
Memory Analysis Tool
The installation will fail if you have the newer Kali version 2020.4; in that case,
skip to the next slide.
Volatility Help
Identify the OS Information
Investigation
Understand the Suspect and Accounts
Understand the Suspect’s PC
Network Forensics
Investigate Command History
Investigate Suspect’s USB
Understand the Suspect & Accounts
Who was using the Device?
Physical file location = {subkeys of the active user profile}
= HKEY_USERS\<SID> (linked to by HKEY_CURRENT_USER)
• SID: Security Identifier: a unique, immutable identifier of a user,
user group, or other security principal.
• Users can change names but not SIDs
Who are associated with the suspect device?
• Sam – HKEY_LOCAL_MACHINE\SAM
• Security – HKEY_LOCAL_MACHINE\SECURITY
• Software – HKEY_LOCAL_MACHINE\SOFTWARE
• System – HKEY_LOCAL_MACHINE\SYSTEM
• Default – HKEY_USERS\.DEFAULT
SID        Name                 Description
S-1-5-18   Local System         A service account that is used by the operating system.
S-1-5-19   NT Authority         Local Service
S-1-5-20   NT Authority         Network Service
S-1-5-21   Administrator/Guest  A user account for the system administrator.
SID format details
Who has SID = S-1-5-21-1716914095-909560446-1177810406-1002?
SSHD_Server is an account created by an SSH server. It allows remote logins to the
computer.
Who has SID = S-1-5-21-1716914095-909560446-1177810406-1000?
It can be useful to list the processes running under a privileged SID (and the processes running
under a service SID).
python vol.py -f memdumpWin7.mem windows.getsids
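As an added example (not part of the course material), the Python helper below parses windows.getsids output, names each SID the way the table above does, and lists the processes whose token carries a privileged SID. The sample rows are constructed, and the BUILTIN\Administrators group (S-1-5-32-544) and the built-in RIDs 500/501 are taken from the standard Windows SID layout rather than from the slides.

```python
import re

# Well-known SIDs from the slide table plus the BUILTIN\Administrators group.
WELL_KNOWN = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "NT Authority\\Local Service",
    "S-1-5-20": "NT Authority\\Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
# In S-1-5-21-<machine id>-<RID> the last sub-authority is the RID: 500 and 501
# are the built-in Administrator and Guest, 1000 and up are accounts created later.
BUILTIN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def classify_sid(sid):
    """Name a SID from the well-known table or, for S-1-5-21 SIDs, from its RID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return BUILTIN_RIDS.get(int(parts[-1]), "account RID %s" % parts[-1])
    return "other"

def parse_getsids(text):
    """Parse windows.getsids rows (PID, Process, SID, Name); header lines have no SID."""
    rows = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:
            pid, process = line[:m.start()].split()[:2]
            rows.append((int(pid), process, m.group(0), line[m.end():].strip()))
    return rows

def processes_with_sid(rows, sid):
    """Every (PID, process) whose token carries the given SID."""
    return sorted({(pid, proc) for pid, proc, s, _ in rows if s == sid})

def privileged_processes(rows):
    """Processes running as SYSTEM, as a member of Administrators or as RID 500."""
    privileged = {"S-1-5-18", "S-1-5-32-544"}
    return sorted({(pid, proc) for pid, proc, s, _ in rows
                   if s in privileged or classify_sid(s) == BUILTIN_RIDS[500]})

# Constructed sample rows, not output from the course dump; the two S-1-5-21 SIDs
# are the ones the slides ask about and the Name column is whatever getsids printed.
SAMPLE_GETSIDS = """\
PID      Process    SID                                              Name
4        System     S-1-5-18                                         Local System
4        System     S-1-5-32-544                                     Administrators
1740     cmd.exe    S-1-5-21-1716914095-909560446-1177810406-1000    SuspectUser
1740     cmd.exe    S-1-5-32-544                                     Administrators
2208     sshd.exe   S-1-5-21-1716914095-909560446-1177810406-1002    SSHD_Server
"""
```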
Who is the default logon user?
Default automatic logon
Hive Overview
Each user has a profile (ntuser.dat)
• Keys under HKLM\SYSTEM\CurrentControlSet\Control\hivelist
• Point to HKEY_LOCAL_MACHINE\SYSTEM
• Point to HKEY_LOCAL_MACHINE\HARDWARE
HKEY_USERS (HKU)
Contains information about all the users who have logged in to the computer at some point
At logon, the current user’s profile is linked as HKCU
Saved in each user’s profile folder:
C:\Users\IEUser\Ntuser.dat
C:\Users\ssh_Server\Ntuser.dat
C:\Users\Default User\Ntuser.dat
HKEY_CURRENT_USER (HKCU)
Does not contain any data itself
A link to the subkey of HKEY_USERS for the currently logged-in user
Stores settings for the currently logged-in user
Unloaded when the user logs out
If no profile is available, it is built from the default user profile
Controls everything for the currently logged-in user:
Environment variables
Desktop settings
Network connections, printers
Application preferences
Keyboard layout
Currently logged-in user information: a treasure trove for investigators
HKEY_LOCAL_MACHINE (HKLM)
Contains computer hardware and software information
Loaded at boot time from the hard disk
• Stores Plug-and-Play device information
• Created dynamically, not stored in a file
Understand the Suspect’s PC
Where to find CPU information of the Suspect’s PC?
Find key = “DESCRIPTION\CentralProcessor\0”
If your system has multiple processors, they are all listed as subkeys under this key. If your
system has only one processor, it is listed as processor 0.
Where to find CPU information of the Suspect’s PC?
Printkey starting from offset 0x87c459c8 (the offset can be omitted)
What is the name of the Suspect’s device?
Note: On a live registry you will see “CurrentControlSet” instead of “ControlSet001”.
Because this is not a live registry, we need to check ControlSet001.
What is the Time Zone Information?
What is the Last Shutdown Time?
What is the USB Device?
Program Executions
• Windows systems maintain a set of keys in the registry database
(UserAssist keys) to keep track of programs that have executed.
• The number of executions and the last execution date and time are available
in these keys.
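The UserAssist values that hold the execution count and last-run time are stored in an encoded form; the Python example below, added here and not part of the course material, decodes the Windows 7 layout (ROT13-encoded value name, 72-byte data blob with the run count at offset 4 and the last-execution FILETIME at offset 60). The sample Count key is constructed in the code so the example runs without a dump.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never run."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def decode_userassist_win7(value_name, data):
    """Decode one value under ...\\Explorer\\UserAssist\\{GUID}\\Count (Windows 7 layout).

    The value name is the ROT13-encoded program path; the 72-byte blob holds the run
    count at offset 4, focus count at 8, focus time (ms) at 12 and the FILETIME at 60.
    """
    if len(data) < 68:
        raise ValueError("expected a 72-byte Windows 7 UserAssist value")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(value_name, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run),
    }

def decode_count_key(values):
    """Decode a whole Count key, most-run first, skipping the UEME_CTLSESSION entry."""
    entries = [decode_userassist_win7(n, d) for n, d in values.items()
               if not codecs.decode(n, "rot13").startswith("UEME_CTLSESSION")]
    return sorted(entries, key=lambda e: e["run_count"], reverse=True)

def constructed_value(program, run_count, last_run):
    """Build a constructed (not captured) 72-byte value so the demo runs offline."""
    ft = int((last_run - EPOCH_1601).total_seconds()) * 10_000_000
    blob = struct.pack("<IIII", 0, run_count, 0, 0) + b"\x00" * 44
    blob += struct.pack("<Q", ft) + b"\x00" * 4
    return codecs.encode(program, "rot13"), blob

# Constructed sample Count key: two programs plus the session bookkeeping entry.
SAMPLE_COUNT_KEY = dict([
    constructed_value(r"C:\Tools\putty.exe", 7,
                      datetime(2021, 3, 15, 12, 0, tzinfo=timezone.utc)),
    constructed_value(r"C:\Windows\System32\cmd.exe", 2,
                      datetime(2021, 3, 14, 8, 30, tzinfo=timezone.utc)),
    (codecs.encode("UEME_CTLSESSION", "rot13"), b"\x00" * 72),
])

if __name__ == "__main__":
    for e in decode_count_key(SAMPLE_COUNT_KEY):
        print(e["program"], e["run_count"], e["last_run"])
```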
Network Forensics
Suspicious IPs connected to the PC
NetScan: scans for network objects (open network connections) present in
memory
Process Name of the Suspicious IP
Find out process name with pid 4
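To turn the two NetScan slides above into a repeatable triage step, here is an added Python example (not part of the course material) that parses windows.netscan output, keeps only sockets whose foreign address lies outside the internal ranges, and answers which PID and image name owned the socket to a given IP. The sample table is constructed; 203.0.113.0/24 is a documentation range standing in for an unknown external host.

```python
import ipaddress

# Address ranges treated as internal to the lab or corporate network; anything
# else the machine was talking to deserves a second look. Adjust per engagement.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample (not a captured dump) in the column layout of the
# Volatility 3 windows.netscan plugin.
SAMPLE_NETSCAN = """\
Offset      Proto  LocalAddr       LocalPort  ForeignAddr   ForeignPort  State        PID   Owner     Created
0x3e2a1b40  TCPv4  192.168.56.101  49213      203.0.113.25  4444         ESTABLISHED  1740  cmd.exe   2021-03-15 11:58:02.000000
0x3e2b4c70  TCPv4  0.0.0.0         22         0.0.0.0       0            LISTENING    2208  sshd.exe  2021-03-15 09:12:44.000000
0x3e2c8d10  TCPv4  192.168.56.101  49220      192.168.56.1  445          ESTABLISHED  4     System    2021-03-15 11:40:10.000000
0x3e2d9f00  UDPv4  0.0.0.0         137        *             0            N/A          4     System    2021-03-15 09:12:40.000000
"""

def parse_netscan(text):
    """Parse the plugin table; Created holds a space, so split at most nine times."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split(None, 9)
        if len(f) < 10:
            continue
        rows.append({"proto": f[1], "laddr": f[2], "lport": int(f[3]),
                     "faddr": f[4], "fport": int(f[5]), "state": f[6],
                     "pid": int(f[7]), "owner": f[8], "created": f[9]})
    return rows

def is_external(addr):
    """True for a parsable address outside INTERNAL_NETS; '*' placeholders are not."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def external_connections(rows):
    """Non-listening sockets whose foreign end is outside the internal ranges."""
    return [r for r in rows if r["state"] != "LISTENING" and is_external(r["faddr"])]

def owners_for_ip(rows, ip):
    """(PID, image name) pairs that owned a socket to the given foreign IP."""
    return sorted({(r["pid"], r["owner"]) for r in rows if r["faddr"] == ip})
```

Once the owning PID is known, the same PID is the pivot into windows.pslist or windows.cmdline to see what that process was doing.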
Installing YaraScan Plugin
YaraScan is a tool aimed at (but not limited to) helping malware researchers identify and
classify malware samples. It scans kernel memory using Yara rules.
Dependencies:
• pip install yara-python
• pip install pycrypto
• pip install pefile
• pip install capstone
Investigate Command History