You are on page 1of 28

Memory Forensics

Simply download DumpIt put it onto a USB drive


If you are running it on Windows 7 you will need administrators rights
if using a USB drive, ensure that enough space is there to store the memory
image.
http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/
Once memory image is created we can analyze with Volatility
http://www.volatilityfoundation.org/#!24/c12wa
Identifying the Profile of a Memory image
volatility imageinfo -f memimage.raw to get the image details
The Imageinfo command gives you several pieces of information,For now, we
just need to know the profile type of the memory dump

Retrieving Registry Hives Lists


Now, we need the hive list so we can get the starting location of where the
registry information resides
volatility hivelist -f memimage.raw --profile=Win7SP1x86

Dumping Individual Registry Hives


We now have a list of where several key items are located in the memory dump.
We can use this information to find individual artifacts or we can just dump the
whole hive list.
To do so, you simply need to use the hivedump command and the virtual
memory address to the hive you want to view from the list recovered above.
take a look at the Software hive, vitual offset address.
volatility --profile=Win7SP1x86 -f memimage.raw hivedump -o
0x8c3c0008

Retrieving Specific Registry Key Value


Using hivedump will return a ton of registry settings, which might be a little more
than we need. You can also search the registry keys for specific data
For example to find the name of the last logged in user you can check the
WinLogon registry key
volatility -f memimage.raw --profile=Win7SP1x86 printkey -K
"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

Password Hashes
If you can obtain a memory image, you can get the password hashes. This is of
importance to security penetration testers because if you have the hashes, you
can then proceed to crack them or use them in pass the hash types of attacks to
access other systems on the network.
To do this we need to know the starting memory locations for the System and
SAM keys. We look in the hivelist, for this copy down the numbers in the first
column that correspond to the SAM and SYSTEM locations.
Place the virtual address for System in the y switch and the address for the SAM
into -s.
The following command pulls the password hashes out of memory and stores
them in a text file called hashs.txt:

volatility hashdump -f memimage.raw --profile=Win7SP1x86 -y


0x8881a3c8 -s 0x8c3c7008 > hashes.txt

Simply check the hash.txt file and you will see the admin hash and the password
hashes for any users these hashes could then be taken and cracked in an online
hash cracking site or any one of the password cracking programs like John the
Ripper or Hashcat.

List of Running Process


Now lets take a look at recovering a list of the running processes and active
network connections
volatility pslist -f memimage.raw --profile=Win7SP1x86

Listing Running Process as a Tree


To view the process listing in tree form, use the pstree command. This
enumerates processes using the same technique as pslist, so it will also not show
hidden or unlinked processes. Child process are indicated using indention and
periods.
volatility pstree -f memimage.raw --profile=Win7SP1x86

Enumerating Processes
To enumerate processes using pool tag scanning, use the psscan command. This
can find processes that previously terminated (inactive) and processes that have
been hidden or unlinked by a rootkit
volatility psscan -f memimage.raw --profile=Win7SP1x86

Listing DLLs Loaded into Memory


To display a process's loaded DLLs, use the dlllist command.
volatility dlllist -f memimage.raw profile=Win7SP1x86

Extract DLL from a Process's memory


To extract a DLL from a process's memory space and dump it to disk for analysis,
use the dlldump command.
volatility.exe dlldump -f memimage.raw --profile=Win7SP1x86 -r
kernel32 -D out
It is possible dump all dll's of a specific process using its process id.

Retrieving Commands typed in Command Prompt


Another interesting command we can run is cmdscan. This plug-in allows us to
see what commands, if any, were run from the command prompt
volatility cmdscan -f memimage.raw --profile=Win7SP1x86

Retrieving Network Connection


We can view network connections that were active from the memory dump by
using the netscan command

volatility netscan -f memimage.raw --profile=Win7SP1x86


The data returned shows all network connections, including the process name,
source and destination IP addresses including ports.
This information helps the analyst see what network connections were active

From pslist output of the command discussed above, we see the physical memory
location, process name and the PID number of all process that were running. You
can also use volatility to view the exact programs that may be running under the
process. This helps malware analysts track down malicious processes and their
associated programs.

Process Handles of Explorer.exe


Get the PID of Explorer.exe from the pslist cmmand output.
volatility handles -f memimage.raw --profile=Win7SP1x86 -p 2732 -t process

Rootkit detection using Volatility


Hidden process are revealed through volatility pslist, psscan module
volatility.exe pslist -f infected-winxp.raw profile=WinXPSP3x86

volatility.exe psscan -f infected-winxp.raw profile=WinXPSP3x86

Drivers loaded by the Hackerdefender rootkit is revealed by the module


driverscan
volatility.exe driverscan -f infected-winxp.raw --profile=WinXPSP3x86

Modules running on the infected system can be revealed by modules and


modscan2
volatility.exe modules -f infected-winxp.raw --profile=WinXPSP3x86

To scan physical memory for kernel modules, use the modscan command. This
can pick up previously unloaded drivers and drivers that have been
hidden/unlinked by rootkits. Included in the output is the offset of the module,
which is a physical address
volatility.exe modscan -f infected-winxp.raw --profile=WinXPSP3x86

Dump the suspicious process into a directory.


volatility.exe malfind -f infected-winxp.raw --profile=WinXPSP3x86 -D out

Upload the dumped process to the virus total for anlysis.

Basic Malware Analysis using Volatility


http://malwarecookbook.googlecode.com/svn-history/r26/trunk/17/1/zeus.vmem.zip

Download the above memory dump, which is infected with a Zeus Malware.
Determine the OS of the memory snapshot were taken, use imageinfo command.
volatility imageinfo -f zeus.vmem

List out the processes which were running during the snapshot are taken. Use the
pslist command.
volatility pslist -f zeus.vmem --profile=WinXPSP2x86

List the open TCP connections using the connscan command.


volatility connscan -f zeus.vmem --profile=WinXPSP2x86

Do a whois on the obtained IP address from the above step.


Whois 193.104.41.75

Listout the registry hives loaded into memory. Use hivelist command.
volatility hivelist -f zeus.vmem --profile=WinXPSP2x86

The key UserInit specifies what program should be launched right after a user
logs into Windows.
The default program for this key is C:\windows\system32\userinit.exe.
Userinit.exe is a program that restores your profile, fonts, colors, etc. for your
username.
It is possible to add further programs that will launch from this key by separating
the programs with a comma. Its is a common place for trojans
volatility printkey -f zeus.vmem profile=WinXPSP2x86 -o 0xe153ab60
-K Microsoft\Windows NT\CurrentVersion\Winlogon

List the process in tree form using the pstree command. This plugin print process
list as a tree so we can visualize the parent/child relationships.
volatility pstree -f zeus.vmem --profile=WinXPSP2x86

We did notice that winlogon.exe launched sdra64.exe and that the system process
svchost.exe (Pid 856) is connected to the internetservices.exe (PPid 676) looked
to have some code injected into it. 9.) Lets revisit our printkey command so we
can detect if the windows firewall is enabled or disabled.
volatility printkey -f zeus.vmem --profile=WinXPSP2x86 -K
"ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Stan
dardProfile"

The function apihooks looks at the svchost.exe process with the PID 856 and
finds two in-line hooks

volatility apihooks -f zeus.vmem profile=WinXPSP2x86 -p 856

Now run the malfind plugin. Create a directory called out let the malfind module
dumps the embedded program in the process id 856.
volatility malfind -f zeus.vmem profile=WinXPSP2x86 -p 856 -D out

Now upload the extracted dump from out directory to Virus Total, you can see
that it is being detected as a Zbot.

Reference:
https://code.google.com/p/volatility/wiki/CommandReference#connections