A taste of memory forensics

As hacking techniques evolve, more and more attacks are carried out without the malicious program ever touching the hard drive; everything involved resides inside the memory of the victim computer. When this happens, memory forensics becomes necessary. In this post I’m going to show a few of the Volatility modules that can be used to find running processes, unknown network connections, and the DLLs associated with each process found inside of computer memory.

First I’m going to make sure I’m in the directory that has my memory images.

I navigated to the directory where I have my memory images and used the ls command to list them.

Once I know I have the right images to analyze, I use the Volatility framework to analyze the memory files. Volatility is a free, open-source suite of software used for advanced memory forensics. It is supported by the Volatility Foundation, whose website can be found at: http://www.volatilityfoundation.org/

First I’m going to check for open network connections.

This is the command used to see the open network connections at the time the memory image was taken. The timeliner module is going to be used.
I used the grep command to narrow down the results to just network connections that are active or “established”.

This is odd because this computer should not have any active network connections at all, so this is the first indication that something is wrong.

Next I dig a little deeper and use Volatility to display a list of all the running processes. The pslist module is used to do this.

The command for viewing the running processes.
Notice that you see an FTKimager.exe process. This is the imaging software that I used to capture the memory image.

In Windows each executable (.exe) has dynamic link libraries (DLLs) associated with it. These are located inside of the .exe file. Volatility can be used to see each DLL that is inside of an executable; the dlllist module is used for this task.

The command to get the DLLs from the executables.
The dlllist module lists all of the DLLs associated with the EXEs. The module also lists the command line syntax that is used to run each executable. The process ID for each EXE is also listed.
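The connection, pslist and dlllist steps above all key on the same value, the process ID, and the comparison across listings is done by eye. As an added example (not the post's own code), here is a small Python triage helper that does that join automatically: it keeps only ESTABLISHED TCP sockets from a Volatility network listing, looks up the owning PID and its parent in pslist output, and reports None when a socket's PID has no pslist entry at all. The two sample outputs are constructed in the column layout of Volatility 2's netscan (which has a State column) and pslist modules, not copied from the post's screenshots, and the PIDs, addresses and process names in them are made up.

```python
import re

# Constructed sample in Volatility 2 "netscan" column layout (not from the post).
NETSCAN_OUT = """\
Offset(P)  Proto    Local Address      Foreign Address    State        Pid   Owner
0x7d6fa008 TCPv4    10.0.2.15:49170    203.0.113.7:443    ESTABLISHED  1880  svchost.exe
0x7d70b5c8 TCPv4    0.0.0.0:445        0.0.0.0:0          LISTENING    4     System
0x7d7c1a10 TCPv4    10.0.2.15:49201    198.51.100.9:8080  ESTABLISHED  2312  updater.exe
"""

# Constructed sample in Volatility 2 "pslist" column layout (not from the post).
PSLIST_OUT = """\
Offset(V)  Name            PID  PPID Thds Hnds Sess Wow64 Start
0x84a4e020 System            4     0   87  491 ----     0 2017-03-04 10:00:01 UTC+0000
0x85d1b3a0 svchost.exe    1880   620    9  300    0     0 2017-03-04 10:00:30 UTC+0000
0x86b3e030 FTKimager.exe  3020  1540   12  350    1     0 2017-03-04 10:20:12 UTC+0000
"""

# Rows start with a hex offset; header and separator lines do not, so they are skipped.
NETSCAN_ROW = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<proto>TCP\S*)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s+(?P<owner>\S+)")
PSLIST_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")


def parse_pslist(text):
    """Map PID -> (process name, parent PID) from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            procs[int(m["pid"])] = (m["name"], int(m["ppid"]))
    return procs


def established_connections(netscan_text, pslist_text):
    """Return ESTABLISHED TCP sockets joined to pslist by PID.
    'process' is None when the owning PID is missing from pslist."""
    procs = parse_pslist(pslist_text)
    hits = []
    for line in netscan_text.splitlines():
        m = NETSCAN_ROW.match(line)
        if not m or m["state"] != "ESTABLISHED":
            continue
        pid = int(m["pid"])
        name, ppid = procs.get(pid, (None, None))
        hits.append({"pid": pid, "process": name, "ppid": ppid,
                     "local": m["local"], "remote": m["remote"]})
    return hits
```

A socket whose PID is absent from pslist is worth a second look, because pslist only walks the linked process list; comparing the result against a scan-based listing is the usual next step.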

I found an interesting DLL in one of the executables. I decided to Google it to see if it was something odd.

After searching Google for this I found out that this DLL is the Microsoft Visual C Run Time Library. It is a normal process that runs in Windows.

This is a small taste of what memory forensics is. It is a growing field, and the more complex hacking attacks get, the more rogue processes may be located in memory. Thanks for reading!
