Understand how essential it is to do memory analysis in order to find evidence that is rarely found anywhere else. This is not copyrighted material; the information included is collected from various sources for educational purposes.
3. Why Memory Forensics
Everything in the OS traverses RAM
Best place to identify malicious software activity
Analyze and track recent activity on the system
Collect evidence that cannot be found anywhere else
4. Artifacts that can be found in Memory
Processes
Drivers
Kernel Modules
Socket Information
Passwords
Crypto Passphrases
Decrypted Files
Execution State
Clipboard Material
Network Drive buffers
Logged Users
Open files
Unsaved documents
Live registries
Video Buffers (Screenshots)
BIOS Memory
VOIP Calls
Malicious Code
IM chats
Rootkit Footprints
5. Advantages of Memory Forensics
Passwords in clear text in memory
Programs running
Open Documents / Files
Open content of compressed programs (packers)
Network Connections – current and recent
Crypto Keys (BitLocker, PGP Whole Disk Encryption, TrueCrypt etc.)
Command Line parameters (DOSKEY/cmd.exe)
6. The Malware Paradox
Malware may be successful at either hiding or executing, but it is nearly impossible to do both!
Malware can hide, but it has to execute to be effective.
7. Memory Forensics
Acquisition
• Executing Memory
• Pagefile
• Hibernation file
Context
• Find offset from the needed structures
• Extract structures from memory
• Isolate Processes
8. Memory Analysis Process
1. Identify Rogue processes
2. Analyze process DLLs and handles
3. Review Network Artifacts
4. Look for evidence of code injection
5. Check for signs of rootkit
6. Dump suspicious processes and drivers
9. Finding the First Hit
Analyzing Processes
Image Name
Full Path
Parent Process
Command Line
Start Time
SIDs
10. Redline
Free but not open source
Identify Rogue processes
Was the process started at boot?
What user was logged on?
Any other suspicious processes?
Any further clues / string searches?
Explore more
What did you collect so far? Binaries, network connections, compromised user accounts. Compare with a live audit on the system.
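The rogue-process step of slide 8 and the questions on slides 9 and 10 can be turned into a simple triage check over a process listing. The script below is an added example, not part of the original deck or of Redline; its BASELINE table of expected parent processes and paths is an assumed, illustrative subset, and the listing it runs over is constructed sample data.

```python
# Added example, not from the slides: triage a pslist-style process listing for
# rogue processes using the attributes the deck names (image name, full path,
# parent process, command line, start time). BASELINE is an assumed,
# illustrative table for a few core Windows processes, not a full reference.
from collections import namedtuple
from datetime import datetime, timedelta

Proc = namedtuple("Proc", "pid ppid name path cmdline start")

BASELINE = {  # image name -> (expected parent image, expected full path)
    "services.exe": ("wininit.exe",  r"c:\windows\system32\services.exe"),
    "lsass.exe":    ("wininit.exe",  r"c:\windows\system32\lsass.exe"),
    "svchost.exe":  ("services.exe", r"c:\windows\system32\svchost.exe"),
}

def find_rogue(procs, boot_window=timedelta(minutes=5)):
    """Return {pid: [reasons]} for baseline processes that look wrong."""
    by_pid = {p.pid: p for p in procs}
    boot = min(p.start for p in procs)  # earliest start approximates boot time
    findings = {}
    for p in procs:
        name = p.name.lower()
        if name not in BASELINE:
            continue
        exp_parent, exp_path = BASELINE[name]
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<unknown>"
        reasons = []
        if parent_name != exp_parent:
            reasons.append(f"parent {parent_name}, expected {exp_parent}")
        if p.path.lower() != exp_path:
            reasons.append(f"path {p.path}, expected {exp_path}")
        if name == "svchost.exe" and "-k " not in p.cmdline.lower():
            reasons.append("svchost.exe started without a -k service group")
        if p.start - boot > boot_window:
            reasons.append(f"started {p.start - boot} after boot")
        if reasons:
            findings[p.pid] = reasons
    return findings

# Constructed sample listing, not real evidence; only the last row is rogue.
SAMPLE = [
    Proc(4, 0, "System", "", "", datetime(2024, 1, 1, 8, 0, 0)),
    Proc(520, 400, "wininit.exe", r"C:\Windows\System32\wininit.exe", "wininit.exe", datetime(2024, 1, 1, 8, 0, 2)),
    Proc(600, 520, "services.exe", r"C:\Windows\System32\services.exe", "services.exe", datetime(2024, 1, 1, 8, 0, 3)),
    Proc(620, 520, "lsass.exe", r"C:\Windows\System32\lsass.exe", "lsass.exe", datetime(2024, 1, 1, 8, 0, 3)),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", datetime(2024, 1, 1, 8, 0, 5)),
    Proc(3120, 2100, "svchost.exe", r"C:\Users\Public\svchost.exe", "svchost.exe", datetime(2024, 1, 1, 14, 22, 10)),
]
```

Running `find_rogue(SAMPLE)` flags only PID 3120, with four reasons: unknown parent, wrong path, no `-k` service group, and a start time hours after boot.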