Archives For Memory Forensics

SANS recently posted a webcast I recorded on memory forensics.  While the presentation is from early 2012, the concepts are solid and this deck was eventually expanded to the full day of memory forensics training present in the updated Forensics 508 course.

Despite being written in 2006, Chris Ries’ paper Inside Windows Rootkits is still surprisingly relevant.  About the only thing missing is a discussion of new(er) x64 mitigation techniques like Kernel Mode Code Signing and Kernel Patch Protection (aka PatchGuard).  Few resources have explained rootkit internals so simply.  As an example, Figure 2 from the paper neatly ties together the rootkit hooking universe:

Figure 2, Inside Windows Rootkits by Chris Ries

Figure 2: Potential places to intercept a call to the FindNextFile function, Inside Windows Rootkits by Chris Ries

The original PDF is a little hard to find these days, but here are a couple of links:



With Memoryze 3.0, the folks at Mandiant hit their mid-summer goal to roll out memory analysis support for Windows 8 (x86 and x64) and Server 2012 (x64). While support has not yet been rolled into Redline collector scripts, data collected by Memoryze can be loaded and analyzed in the Redline interface.  This is no real surprise since Memoryze is the back-end collection and analysis tool that Redline relies upon.

You can dump Windows memory and process your memory image with the following commands (run MemoryDD.bat from a removable device and Process.bat on your forensic box): Continue Reading…

Like many of you, I have been watching the development of memory forensics over the last two years with a sense of awe.  It is amazing how far the field has come since the day Chris Betz, George Garner and Robert-Jan Moral won the 2005 DFRWS forensics challenge.   Of course, similar to other forensic niches, the majority of progress has been made on Windows memory forensics.  There is good reason for this.  Memory can be extremely fickle, with layouts and structures changing on a whim.   As an example, the symbols file for Windows 7 SP1x86 is 330MB, largely due to it needing to support major changes that can occur in every service pack and patch.  The fact that we have free tools such as Volatile Systems Volatility and Mandiant Redline supporting memory images of arbitrary size from (nearly) every modern version of Windows is nothing short of miraculous.

Nowhere is it more obvious how far the memory analysis field has come than looking at the recent innovations in Mac and Linux memory forensics.  Examiners of these less popular platforms have had to sit patiently for years as Windows memory forensics moved from being feasible for OS internals experts to being approachable for the masses.  Against all odds, Linux memory analysis has recently seen rapid innovations.  If support for the various Windows versions came slowly, imagine the complexity posed by the myriad flavors of Linux and the long list of possible kernel versions.  It turns out that the Volatility framework is particularly well suited to tackle this Hydra with its abstraction layers facilitating everything from different image formats to swappable OS profiles to rapid plugin development.

Continue Reading…

In case you missed it over on the SANS Computer Forensics blog, we recently updated our memory forensics cheat sheet. Not a lot has changed other than updating a few parameter options, adding Michael Cohen’s WinPmem (live memory analysis with Volatility!), and reflecting a few of the changes in the upcoming 2.3 Volatility release (including body file format in Jamie Levy’s timeliner plugin)


(click for PDF)

PlugX Malware Progression

Amanda Stewart at the FireEye blog dissected the PlugX malware remote access tool (RAT).  Of particular interest is this beautiful graphic showing the attack progression.  With decoys, DLL sideloading, encrypted payloads, process injection, and new payload retrieval, this attack pretty much has it all!

Excellent intro to Windows Internals: Windows Exploratory Surgery with Process Hacker | #DFIR
Chad Tilbury

One of the fun things I have been working on is the huge revision of the SANS Forensics 508: Advanced Forensics and Incident Response material.  Rob Lee has spent the last ten years building and updating what has become one of the most well-known and respected digital forensics training courses.  The golden age of hacking is in full swing and a whole host of new threats have emerged, including state-sponsored espionage (aka APT), hactivism, client-side attacks, and crimeware.  Digital forensic investigations have never been more in demand.  However, computer intrusion and malware investigations require a very different skill set than the cases seen by the average forensic examiner.  Rob saw a great opportunity to update the FOR508 course to train this next generation of forensic professionals.  I estimate that at least 60-70% of the course and nearly every exercise  is new within the last year.  My specific part in the course is writing the new memory forensics day.  My forensic experience dates to the late 1990s, and I can’t remember any other advance in the field that has so fundamentally shifted the balance from the bad guys to the good guys.  Memory forensics is now a mature discipline and we have a wonderful array of  tools available, allowing us to analyze everything from raw memory files to hibernation files to crash dumps to live memory audits.   Memory analysis is a game changing skill and we spend a significant part of the new 508 course learning and incorporating the results of that analysis into the broader forensic process.

Continue Reading…

A year after release, the Malware Analyst’s Cookbook continues to elicit uniformly high praise from the security community.  It is one of those rare books that only come around once every few years.  The breadth of information covered is staggering, and it makes an excellent reference to return to as your skills develop.  If I could make one recommendation, I would encourage readers to not wait to read the last four chapters of the book.

The last quarter of the book covers memory forensic analysis, and it is the definitive resource currently available on the subject (either online or in print).   Continue Reading…

I have been using F-Response Tactical lately and wanted to share some of my thoughts.  When I first encountered the Tactical product, I had to brainstorm with Matt Shannon at F-Response to understand its use cases.  I spend a lot of my time doing incident response, and in that role I have used many of the enterprise forensic platforms.  These tools are largely agent based, meaning a small application is run on the target system allowing raw device access to system components and communication back to a central hub for analysis.  F-Response has this capability in their Consultant and Enterprise editions, and the capability has even started to filter down to some of our standard forensic suites, such as FTK 3 covered in this previous post.   F-Response Tactical takes a different approach.  It uses a paired set of dongles instead of  agents.  While limiting for some applications (such as geographically remote acquisition), it makes up for it by being dead simple to use.  To start, you plug the “Subject” dongle into your target system and execute an application to begin beaconing on the network.  The matched “Examiner” dongle plugs into your forensic workstation and is used to connect to the Subject.  Once connected, you have full access to all physical disks, volumes, and memory on the Subject system.  Since access is at the raw device level, even files traditionally locked by the filesystem can be accessed, like Exchange .edb database files, Registry hives, and System Restore Points.  These items are mounted on your forensic workstation, allowing analysis using your favorite forensic software.

Live Response Applications

Continue Reading…