Memory forensics (memory analysis) is an interesting playground in the security and digital forensics investigation area: it consists of acquiring an image of a running computer’s volatile memory and analyzing it. With the right tools and techniques, various interesting forensic artifacts can be extracted and examined, leading to a better understanding of the content of the captured memory image. In this article we are going to scratch the tip of the iceberg in this topic by introducing two simple yet powerful tools (DumpIt and Volatility) that can help you start playing around in this area.
Memory Dump With DumpIt
If you are familiar with MoonSols’ “win32dd” and “win64dd” tools for memory dumps, then “DumpIt” is nothing new to you: it is basically the fusion of these two versions into one powerful tool which enables its users to take a dump of the physical memory of the targeted Windows machine.
The actual process of taking the dump is easy, assuming you have access to the machine’s desktop. First place the DumpIt program on a USB drive from which it will be started, and make sure that the capacity of the drive is large enough to hold the captured dump, which will be a little bit larger than the actual RAM size. Plug the USB drive into the targeted machine and run the program: a command prompt will open asking for confirmation, then the capturing process will start, and upon completion a dump file will be created on the USB drive.
Is it forensically sound?
Well, to be clear, when talking about forensics and digital investigation, it is important to keep the data original, as is, and not to modify anything in it, thereby ensuring its authenticity. Using DumpIt is considered a software-based acquisition, meaning a program has to be run on the target machine, which adds some data to the memory (e.g. command history). Hardware-based acquisition, which relies on specialized tools, can be used in this case; yet each technique and tool has its pros and cons, and a good paper on the subject is provided by the SANS Institute.
One additional step to add here, after getting the captured dump file, is to calculate its hash value using one or more hashing algorithms such as MD5, SHA-1, etc. For the sake of the example, I’ve used MD5SUMS, a tool to generate the MD5 hash value of my memory dump file. This can be easily achieved by running the following command after installing the tool.
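As an added example (not the author’s MD5SUMS command, nor part of the original post), the same integrity step in Python: the dump is hashed in chunks with MD5 and SHA-256, the digests are recorded in a sidecar manifest, and the file can be re-verified later; the manifest name “<dump>.hashes.json” and the small sample file used in demo() are assumptions.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read the (multi-gigabyte) dump in 1 MiB pieces

def hash_file(path, algorithms=("md5", "sha256")):
    """One pass over the file, feeding every chunk to each digest; returns {alg: hex}."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def write_manifest(dump_path):
    """Record name, size and digests in a sidecar file (assumed '<dump>.hashes.json')."""
    manifest = {"file": os.path.basename(dump_path),
                "size": os.path.getsize(dump_path),
                "digests": hash_file(dump_path)}
    with open(dump_path + ".hashes.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_manifest(dump_path):
    """Recompute the recorded digests; a differing size or digest means the copy changed."""
    with open(dump_path + ".hashes.json") as f:
        manifest = json.load(f)
    if os.path.getsize(dump_path) != manifest["size"]:
        return False
    current = hash_file(dump_path, tuple(manifest["digests"]))
    return all(current[alg] == hexdigest for alg, hexdigest in manifest["digests"].items())

def demo():
    """Constructed stand-in for a DumpIt .raw file: verify, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        dump = os.path.join(workdir, "sample.raw")
        with open(dump, "wb") as f:
            f.write(b"\x00" * 4096 + b"MZ\x90\x00" + bytes(range(256)) * 8)
        write_manifest(dump)
        intact = verify_manifest(dump)
        with open(dump, "r+b") as f:      # simulate a single modified byte
            f.seek(4100)
            f.write(b"\xff")
        return intact, verify_manifest(dump)

if __name__ == "__main__":
    print("intact, after modification:", demo())
```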
Analyzing the Captured Memory Dump
OK we got the dump, what’s next?
Now we can start playing with one of the best memory analysis frameworks out there. Volatility is one of several memory analysis tools, yet it is considered by many, including myself, a great and powerful tool which will enable you to analyze and extract useful artifacts from the memory dump. If your investigation will be conducted on MS Windows, then download the standalone executable version, which you can run directly without any installation.
First things first, you need to gather some preliminary information about the dump file under investigation, and that can be achieved by specifying the option “imageinfo” as shown below; this will provide some handy information to use, such as the probable operating system version.
NOTE: In the following section some of the available options will be covered briefly; for more information about the options and their usage, I recommend you check the tool help, for instance by running the following command
Recover Registry Information
What’s better than looking into a goldmine of information? By that I am referring to the registry. Volatility gives you the option to mine through the various hives of the registry to gather various kinds of information and data about the targeted system. For this examination, you have to get the list of available hives and their memory addresses, and that can be easily achieved by using the “hivelist” option in Volatility as follows:
volatility hivelist -f <mem-dump-filename>.raw --profile=Win7SP1x64
If you notice, we specified the option to be used, hivelist in this case, the memory dump file to analyze using the ‘-f’ option, and finally the suggested OS profile using the ‘--profile’ option, which we identified with the “imageinfo” feature used above.
Great, now we can use this information to go deeper, for instance by getting the list of installed programs on the system, which can be extracted from the Software hive (\SystemRoot\System32\Config\SOFTWARE) by using the “hivedump” option and specifying the virtual memory address of that hive.
volatility -f <mem-dump-filename>.raw --profile=Win7SP1x64 hivedump -o <virtual-mem-address>
One interesting option is “hashdump”, which will enable you to extract the password hashes stored in memory; you can then analyze them later on and try to crack them using tools such as “John the Ripper”. In order to extract those hashes, you have to specify the SAM and SYSTEM hives’ virtual memory locations in the options “-s” and “-y” respectively, as follows:
volatility.exe hashdump -f <mem-dump-filename>.raw --profile=Win7SP1x64 -y <SYSTEM_VIRTUAL_MEM_ADDRESS> -s <SAM_VIRTUAL_MEM_ADDRESS> > extracted-passhash.txt
Recover The Process List
Another great feature is the option which will enable you to recover the list of running processes on the system; this gives great insight into possibly suspect processes and into what the user was running at the time of the memory capture. This can be achieved using two options: the first, “pslist”, will get the list of running processes on the Windows system, and the second, “pstree”, will display the running processes in a hierarchical tree format showing the parent processes and their children.
volatility pslist -f <mem-dump-filename>.raw --profile=Win7SP1x64
volatility pstree -f <mem-dump-filename>.raw --profile=Win7SP1x64
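As an added example (not the author’s output, nor Volatility’s own code), a small Python script that parses the text table printed by “pslist”, rebuilds the parent/child tree the way “pstree” presents it, and separately lists processes whose parent PID is absent from the listing, which is where an analyst usually starts asking questions; the pslist rows below are constructed, not taken from a real capture.

```python
from collections import defaultdict
# Constructed sample of Volatility 2 "pslist" text output (not a real capture);
# the column layout follows the plugin's table: offset, name, PID, PPID, ...
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000ca0b30 System                    4      0     86      573 ------      0 2012-02-22 19:58:20 UTC+0000
0xfffffa80011d8500 smss.exe                264      4      2       29 ------      0 2012-02-22 19:58:20 UTC+0000
0xfffffa8001c26b30 csrss.exe               348    340      9      436      0      0 2012-02-22 19:58:21 UTC+0000
0xfffffa8001c6f060 explorer.exe           1256   1184     27      854      1      0 2012-02-22 19:58:30 UTC+0000
0xfffffa8001d2e060 cmd.exe                1860   1256      1       21      1      0 2012-02-22 20:01:02 UTC+0000
"""

def parse_pslist(text):
    """Return {pid: (name, ppid)}; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith("0x"):
            continue
        procs[int(cols[2])] = (cols[1], int(cols[3]))
    return procs

def orphans(procs):
    """PIDs whose parent is absent from the listing (exited, or worth a closer look)."""
    return sorted(pid for pid, (_n, ppid) in procs.items()
                  if ppid != 0 and ppid not in procs)

def _render(procs, children, ppid, depth, out):
    for pid in sorted(children.get(ppid, [])):
        name, parent = procs[pid]
        out.append(f"{'.' * depth}{name} (pid {pid}, ppid {parent})")
        _render(procs, children, pid, depth + 1, out)

def pstree_text(procs):
    """Indented tree like pstree's '.' prefixes; orphans become their own roots."""
    children = defaultdict(list)
    for pid, (_n, ppid) in procs.items():
        children[ppid].append(pid)
    lines = []
    _render(procs, children, 0, 0, lines)   # System and everything under it
    for pid in orphans(procs):
        name, parent = procs[pid]
        lines.append(f"{name} (pid {pid}, ppid {parent}) [parent not in listing]")
        _render(procs, children, pid, 1, lines)
    return lines

if __name__ == "__main__":
    print("\n".join(pstree_text(parse_pslist(PSLIST_OUTPUT))))
```

A parent missing from the listing is often benign (the session smss.exe and userinit.exe exit by design), so the flag is a prompt to check the parent name and start time, not a verdict.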
Recover The List Of Network Connections TO/FROM the System
Last but not least, the “netscan” option will allow us to extract information about the network connections held from and to the system, with details such as the source and destination IPs, ports, process ID, and much more. This might turn up some great and valuable information for the investigator about the active network connections held on this machine.
volatility netscan -f <mem-dump-filename>.raw --profile=Win7SP1x64
As I mentioned previously, this is just an overview of the memory forensics process, covering some of the basics just to get you started. Volatility is a very powerful tool with a great set of features and options which I recommend you check and experiment with. Volatility along with DumpIt can be considered a great memory forensics duo.