Task 16, Day 11, Memory Forensics: Not all gifts are nice

Note: Two days later I realized I forgot to rename this and the next posts in the front-end. Fitting for a memory-centric task.

Memory forensics is the analysis of volatile memory. An interesting analogy:

  • Normally food is stored in the fridge (the hard drive). When cooking, ingredients are kept on the counter (RAM) for quick access, but the counter is smaller than the fridge and doesn't keep things as well or as long. A memory dump is a full capture of what was running at the time: network connections, apps, background processes, etc. Malicious code tries to hide from the user, but it can't hide from memory.

Volatility

Open-source memory forensics toolkit written in Python. It analyzes memory dumps from Windows, Linux, and macOS devices and allows you to:

  • List all processes running on the device at the time of capture
  • List active and closed network connections
  • Use YARA rules to search for indicators of malware
  • Retrieve hashed passwords, clipboard contents, and contents of the command prompt
  • Much, much more

Once Volatility and its requirements (Python) are installed, run it with python3 vol.py. It requires options such as the name and location of the dump and the action to perform. Common options and examples:

  • -f - provide the file and location of the dump, e.g. python3 vol.py -f /path/to/my/memdump.vmem
  • -v - increase verbosity; sometimes useful for understanding what is going on while debugging, e.g. python3 vol.py -v
  • -p - override the default location of plugins, e.g. python3 vol.py -p /path/to/my/custom/plugins
  • -o - specify where extracted processes or DLLs are written, e.g. python3 vol.py -o /output/extracted/files/here

Types of actions:

  • List processes
  • List network connections
  • List contents of clipboard, notepad, cmd prompt

Usage

First, confirm the OS the memory capture came from, since this determines which plugins are used.

Start with the windows.info plugin (the Volatility 3 counterpart of Volatility 2's imageinfo): python3 vol.py -f workstation.vmem windows.info

Windows plugins for this task:

  • windows.pslist - list the processes running at capture
  • windows.psscan - analyse a specific process further
  • windows.dumpfiles - export a process for further analysis (static or dynamic)
  • windows.netstat - list all network connections at the time of capture. Looking at the connections can show whether the malware was connected to a malicious server and what that server's IP address is, which allows defensive measures on other devices. It can also be used to determine whether another device is infected, if it connects to the same malicious server.
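To make the netstat/pslist point concrete, here is an added example (my own code for these notes, not part of Volatility) that ties each connection in windows.netstat output back to the owning process from windows.pslist and pulls out the remote addresses per process. The two tables are constructed samples in the tab-separated layout Volatility 3's default renderer prints; the banner and progress lines that precede the header are assumed to have been stripped already, and the process name suspicious.exe and the IP addresses are made up.

```python
import csv
import io
from collections import defaultdict

PSLIST = (  # constructed sample of windows.pslist output (columns trimmed)
    "PID\tPPID\tImageFileName\tCreateTime\n"
    "4\t0\tSystem\t2023-12-01 08:00:00\n"
    "620\t4\tsvchost.exe\t2023-12-01 08:00:05\n"
    "1234\t620\tsuspicious.exe\t2023-12-01 08:05:00\n"
)
NETSTAT = (  # constructed sample of windows.netstat output
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\n"
    "0x1000\tTCPv4\t10.10.1.5\t49700\t203.0.113.7\t443\tESTABLISHED\t1234\tsuspicious.exe\n"
    "0x1010\tTCPv4\t10.10.1.5\t49701\t198.51.100.9\t80\tCLOSED\t1234\tsuspicious.exe\n"
    "0x1020\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t620\tsvchost.exe\n"
)

def parse_table(text):
    """Parse tab-separated plugin output (header line first) into dicts keyed by column."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def process_names(pslist_text):
    """Map PID -> ImageFileName using the windows.pslist table."""
    return {row["PID"]: row["ImageFileName"] for row in parse_table(pslist_text)}

def connections_to(netstat_text, pslist_text, bad_addrs):
    """Return (pid, process, remote addr:port, state) for every connection whose
    remote end is in bad_addrs. Closed connections are kept on purpose: a server
    the malware has already disconnected from is still a useful indicator."""
    names = process_names(pslist_text)
    hits = []
    for row in parse_table(netstat_text):
        if row["ForeignAddr"] in bad_addrs:
            hits.append((row["PID"], names.get(row["PID"], "?"),
                         f'{row["ForeignAddr"]}:{row["ForeignPort"]}', row["State"]))
    return hits

def remote_addrs_by_process(netstat_text, pslist_text):
    """Group remote addresses by process name, skipping unbound listeners, to get a
    starting list of addresses to check for on other devices."""
    names = process_names(pslist_text)
    out = defaultdict(set)
    for row in parse_table(netstat_text):
        if row["ForeignAddr"] not in ("0.0.0.0", "::", "*"):
            out[names.get(row["PID"], "?")].add(row["ForeignAddr"])
    return dict(out)

if __name__ == "__main__":
    for hit in connections_to(NETSTAT, PSLIST, {"203.0.113.7"}):
        print(hit)
    print(remote_addrs_by_process(NETSTAT, PSLIST))
```

On a real dump, feed it the saved output of python3 vol.py -f dump.vmem windows.pslist and windows.netstat instead of the constructed strings.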

The Task

Find a binary and information about it.

Found all the details, but might need to watch the walkthrough to see if there are other details I should be learning, or applications I should be making.