Memory forensics helps in analyzing advanced malware: in memory, malware artifacts can be examined more thoroughly, and more useful IoCs can be built from them. For example, memory forensics of well-known attacks such as Stuxnet and BlackEnergy revealed artifacts that had not been noticed earlier. Memory forensics is a process that starts with finding an affected system, capturing its memory, analyzing the capture and, if needed, dumping the malicious process for further analysis. With memory forensics we can analyze many kinds of OS artifacts, such as running processes, live network connections, loaded drivers and API hooks, as well as artifacts like the shim cache (AppCompatCache), which lives in memory and is written to the registry only at shutdown or reboot. It is also the way to analyze memory-resident malware that never writes anything to disk and so can go unnoticed by disk forensics. Memory forensics can also expose advanced kernel-level techniques such as Direct Kernel Object Manipulation (DKOM), which malware uses to hide its activity, by comparing several views of the same data (for example, the process linked list against a pool-tag scan for process objects). Tools such as Volatility, Redline and Rekall help with memory forensics. Below is a diagram showing the memory forensics process at a high level.
The memory forensics process starts with acquisition from the target machine. The resulting image can come in several formats: a raw dump, a hibernation file (hiberfil.sys), a page file (pagefile.sys), a crash dump, and so on.
There are various tools, such as MoonSols DumpIt and Belkasoft Live RAM Capturer, that assist with acquiring the image. For page files, remember that Windows supports up to 16 page files, so once the image is acquired the analyst must check every configured page file (their locations are listed in the registry value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles). For a hibernation file, the analyst needs to decompress it into a raw image before analyzing it; note that the hibernation file format changed in Windows 8, so confirm that your tooling supports the version at hand. For VMs, taking a snapshot is the best way to start, but keep in mind that files other than the main memory file can hold relevant data: with VMware, the .vmem file holds the guest RAM and can often be treated as a raw image, while the accompanying .vmss (suspended state) or .vmsn (snapshot) file carries the memory layout metadata that analysis tools use to map it correctly.
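The first two things to do with any image that lands on the analyst's desk are to find out which of the formats above it is and to record a hash so the capture can be re-verified later. The following is an added example (not code from the article or from any acquisition tool) that identifies the container from the magic bytes at offset 0 and produces an acquisition record with a SHA-256. The function names are my own; the constants are the publicly documented signatures of the respective formats, and the test inputs are constructed.

```python
"""Triage an acquired memory image: identify its container format from the
magic bytes at offset 0 and record a SHA-256 so the capture can be re-verified
before every analysis session. Added example; not code from the article or
from any acquisition tool."""
import hashlib
import sys

# Container signatures at file offset 0. Raw dumps (including VMware .vmem)
# and pagefile.sys carry no header, so "no signature" is their normal answer.
SIGNATURES = [
    (b"PAGEDUMP", "Windows crash dump, 32-bit"),
    (b"PAGEDU64", "Windows crash dump, 64-bit"),
    (b"EVF\x09\x0d\x0a\xff\x00", "EWF (E01) evidence container"),
    (b"\x7fELF", "ELF core (VirtualBox / QEMU style dump)"),
    (b"EMiL", "LiME Linux memory image"),
    (b"\xd2\xbe\xd2\xbe", "VMware saved state or snapshot (.vmss/.vmsn)"),
    (b"\xd3\xbe\xd3\xbe", "VMware saved state or snapshot (.vmss/.vmsn)"),
    (b"\xd1\xba\xd1\xba", "VMware saved state, legacy magic"),
]
HEADER_LEN = 16


def identify_image(header: bytes) -> str:
    """Name the container format for the first bytes of an image."""
    for magic, name in SIGNATURES:
        if header.startswith(magic):
            return name
    # Hibernation file: PO_MEMORY_IMAGE.Signature. 'hibr' marks a file the
    # system can resume from; 'wake' means it already resumed, so parts of the
    # contents may have been invalidated. Windows 8+ uses a different internal
    # layout under the same signature, so check tool support before converting.
    sig = header[:4].lower()
    if sig == b"hibr":
        return "Windows hibernation file (hibr, resumable)"
    if sig == b"wake":
        return "Windows hibernation file (wake, already resumed; may be partial)"
    return "no container signature (raw image, pagefile.sys or unsupported format)"


def sha256_stream(fobj, chunk_size: int = 1 << 20) -> str:
    """Hash a file object in chunks so multi-gigabyte images never sit in RAM."""
    digest = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()


def triage_image(path: str) -> dict:
    """Acquisition record for an image on disk: format, size and SHA-256."""
    with open(path, "rb") as fobj:
        header = fobj.read(HEADER_LEN)
        fobj.seek(0)
        digest = sha256_stream(fobj)
        size = fobj.tell()
    return {"name": path, "size": size, "format": identify_image(header),
            "sha256": digest}


def triage_bytes(data: bytes, name: str = "<memory>") -> dict:
    """Same record for an in-memory buffer (used for the constructed samples)."""
    return {"name": name, "size": len(data),
            "format": identify_image(data[:HEADER_LEN]),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_image(path: str, expected_sha256: str) -> bool:
    """Re-check an image against the hash recorded at acquisition time."""
    with open(path, "rb") as fobj:
        return sha256_stream(fobj) == expected_sha256.lower()


if __name__ == "__main__":
    for image_path in sys.argv[1:]:
        record = triage_image(image_path)
        print(f"{record['name']}: {record['format']}, {record['size']} bytes, "
              f"sha256={record['sha256']}")
```

Run it as `python triage.py memory.dmp hiberfil.sys` and store the printed record with the evidence; `verify_image` is the check to run before each analysis session. A "no container signature" answer is not an error: raw captures and page files simply have no header, and the next step (profiling) is what tells you whether the bytes are usable.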
Once the image is acquired, the next step is to profile it. Volatility 2, for example, scans for the KDBG block (the kernel's _KDDEBUGGER_DATA64 / _KDDEBUGGER_DATA32 structure) to determine the OS version and service pack: its Size field differs between builds, and the block also holds pointers to the active process list (PsActiveProcessHead) and the loaded module list (PsLoadedModuleList), so the number of active processes and loaded modules can be read starting from this one structure. (Volatility 3 instead locates the kernel image in memory and fetches the matching debug symbols from its PDB, which also sidesteps the encoded KDBG found on Windows 8 and later when kernel debugging is disabled.) Once the profile is selected, we start collecting the other artifacts from the image: the processes that were running when the image was taken, which DLLs they had loaded, which network connections were active, and many more. The analyst then compares these artifacts against what is normal for that system and looks for discrepancies. Since the amount of memory data is huge, this step requires experience and OS-internals knowledge to filter out the known good. Once the outliers are established they can be turned into IOCs, or, if some other interesting region of memory is identified, that region is dumped for further analysis.
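To make the profiling step concrete, here is an added example (written in the spirit of Volatility 2's kdbgscan, but not Volatility's code) that scans a raw x64 image for the 'KDBG' owner tag, rejects stray occurrences of those four bytes with cheap sanity checks, and reads the Size, KernBase, PsLoadedModuleList and PsActiveProcessHead fields. The field offsets are those of _KDDEBUGGER_DATA64 in wdbgexts.h; the sample image and every address in it are constructed. Two caveats the code does not hide: the pointers it prints are kernel virtual addresses, so walking PsActiveProcessHead requires page-table translation (the system process's DTB) that is out of scope here, and on Windows 8 and later with kernel debugging disabled the block is stored encoded, so a plain tag scan finds nothing.

```python
"""Scan a raw x64 memory image for candidate KDBG blocks (_KDDEBUGGER_DATA64)
by their 'KDBG' owner tag and read the fields profiling relies on. Added
example in the spirit of Volatility 2's kdbgscan; it is not Volatility's code,
and SAMPLE_IMAGE below is constructed with made-up addresses."""
import mmap
import struct
import sys

OWNER_TAG = b"KDBG"
# _KDDEBUGGER_DATA64 offsets (wdbgexts.h). The 0x18-byte header is a
# LIST_ENTRY64 (Flink, Blink), the 4-byte OwnerTag and the 4-byte Size.
OFF_OWNER_TAG = 0x10
OFF_SIZE = 0x14
OFF_KERNBASE = 0x18
OFF_PSLOADEDMODULELIST = 0x48
OFF_PSACTIVEPROCESSHEAD = 0x50
OFF_PSPCIDTABLE = 0x58
MIN_BLOCK = 0x60                    # bytes needed to read the fields above
KERNEL_SPACE = 0xFFFF800000000000   # start of the x64 canonical kernel half


def parse_kdbg(image, base: int):
    """Read header and list anchors for a block whose header starts at `base`."""
    if base < 0 or base + MIN_BLOCK > len(image):
        return None
    tag, size = struct.unpack_from("<4sI", image, base + OFF_OWNER_TAG)
    if tag != OWNER_TAG:
        return None
    (kern_base,) = struct.unpack_from("<Q", image, base + OFF_KERNBASE)
    modules, procs, cid = struct.unpack_from("<QQQ", image, base + OFF_PSLOADEDMODULELIST)
    return {"offset": base, "size": size, "kern_base": kern_base,
            "ps_loaded_module_list": modules, "ps_active_process_head": procs,
            "psp_cid_table": cid}


def is_kernel_ptr(value: int, align: int = 8) -> bool:
    return value >= KERNEL_SPACE and value % align == 0


def plausible(cand: dict) -> bool:
    """Cheap checks that weed out stray 'KDBG' strings. Volatility goes further
    and matches Size against the value it knows for each OS build, which is
    how the profile is inferred from this block."""
    return (0x200 <= cand["size"] <= 0x2000 and cand["size"] % 8 == 0
            and is_kernel_ptr(cand["kern_base"], align=0x1000)
            and is_kernel_ptr(cand["ps_loaded_module_list"])
            and is_kernel_ptr(cand["ps_active_process_head"]))


def scan_kdbg(image):
    """All plausible KDBG candidates in a bytes-like image (bytes or mmap)."""
    hits = []
    pos = image.find(OWNER_TAG)
    while pos != -1:
        cand = parse_kdbg(image, pos - OFF_OWNER_TAG)
        if cand and plausible(cand):
            hits.append(cand)
        pos = image.find(OWNER_TAG, pos + 1)
    return hits


def build_fake_kdbg(kern_base: int, modules: int, procs: int, size: int = 0x340) -> bytes:
    """Constructed block for the sample image; the addresses are made up."""
    blk = bytearray(size)
    struct.pack_into("<QQ4sI", blk, 0, 0, 0, OWNER_TAG, size)
    struct.pack_into("<Q", blk, OFF_KERNBASE, kern_base)
    struct.pack_into("<QQ", blk, OFF_PSLOADEDMODULELIST, modules, procs)
    return bytes(blk)


# Constructed sample: a decoy 'KDBG' inside a string, then a real-looking block.
_PREFIX = b"\x00" * 0x100 + b"The KDBG tag also appears in strings\x00" + b"\x00" * 0x100
SAMPLE_KDBG_OFFSET = len(_PREFIX)
SAMPLE_IMAGE = (_PREFIX
                + build_fake_kdbg(0xFFFFF80002C00000, 0xFFFFF80002E4B650, 0xFFFFF80002E26B90)
                + b"\x00" * 0x100)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as img:
            hits = scan_kdbg(img)
    else:
        hits = scan_kdbg(SAMPLE_IMAGE)
    for h in hits:
        print(f"KDBG at file offset {h['offset']:#x}: Size={h['size']:#x} "
              f"KernBase={h['kern_base']:#x} PsActiveProcessHead={h['ps_active_process_head']:#x}")
```

Without an argument the script scans the constructed sample and reports one block; with a path it maps the file and scans it without loading it into memory. More than one plausible hit is common on real images (stale copies in freed pages, a crash dump embedded in a hibernation file), and that is exactly why profiling tools cross-check candidates against the known per-build sizes rather than trusting the first tag they see.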
Challenges in Memory Forensics
The most important part is to make sure that the image is acquired properly and that its integrity is maintained throughout the analysis and investigation: hash the capture at acquisition time and re-verify that hash before each analysis session. Without a clean capture there would be few artifacts in the image to analyze, if any. With frequent OS releases, OS internal structures change rapidly, and memory forensics tools are not always compatible with images from the newest versions; for example, at the time of writing few acquisition tools were compatible with Windows 10. Since virtualization is adopted by most organizations these days, there is a gap between the image formats produced by VM vendors and the formats the analysis software can parse. As described above, the memory forensics data set is huge and requires a thorough understanding of internal structures and of expected (benign) OS and process behavior to separate the known good from the anomalies. As mentioned above, memory regions that require further analysis have to be dumped, and to analyze end to end, memory forensics must be combined with reverse engineering.
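The "filter out the known good" step, and the DKOM hiding mentioned at the top of the article, both come down to comparing views of the same data against each other and against a baseline. The following added example (my own code, not from the article or from Volatility) runs two such checks over process listings: a cross-view check in which a process present in a pool-tag scan (the psscan-style view) but missing from the EPROCESS linked list (the pslist-style view) is flagged as a DKOM-unlink candidate, and a set of baseline rules (expected parent, System32 path, single instance, look-alike names) for core Windows processes. The rows are constructed to show each finding; the baseline is a starting point and should be built from your own known-good images.

```python
"""The 'compare with normal' step over process listings from one image.
Two checks:
  * cross-view: a process seen by a pool-tag scan (psscan-style view) but
    missing from the EPROCESS linked list (pslist-style view) is a candidate
    for a DKOM unlink;
  * baseline rules: expected parent, expected on-disk path, single instance
    and look-alike names for core Windows processes.
Added example; the rows below are constructed, not output from a real image."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Baseline for Windows 7+ session-0 processes. wininit, csrss and winlogon are
# left out of the parent rule because the smss.exe instance that starts them
# exits, so their PPID normally points at a process that no longer exists.
EXPECTED_PARENT = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "lsm.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe"}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}
KNOWN_NAMES = SYSTEM32_ONLY | {"system", "lsm.exe", "explorer.exe", "taskhost.exe"}


def hidden_processes(pslist, psscan):
    """In the scan view but not the list view. Caveat: psscan also returns
    terminated processes whose _EPROCESS still sits in freed pool, so confirm
    a hit with its exit time and thread count before calling it DKOM."""
    listed = {p.pid for p in pslist}
    return [p for p in psscan if p.pid not in listed]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits, with an adjacent swap as one."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def baseline_anomalies(procs):
    """(pid, reason) pairs for rows that break the baseline above."""
    by_pid = {p.pid: p for p in procs}
    counts, findings = {}, []
    for p in procs:
        name = p.name.lower()
        counts[name] = counts.get(name, 0) + 1
        if name in EXPECTED_PARENT:
            parent = by_pid.get(p.ppid)
            if parent is None:
                findings.append((p.pid, f"{p.name}: parent pid {p.ppid} not in listing"))
            elif parent.name.lower() not in EXPECTED_PARENT[name]:
                findings.append((p.pid, f"{p.name}: unexpected parent {parent.name} ({parent.pid})"))
        if name in SYSTEM32_ONLY and "\\system32\\" not in p.path.lower():
            findings.append((p.pid, f"{p.name}: unexpected path {p.path}"))
        if name not in KNOWN_NAMES:
            for known in KNOWN_NAMES:
                if known.endswith(".exe") and osa_distance(name, known) <= 1:
                    findings.append((p.pid, f"{p.name}: look-alike of {known}"))
                    break
    for name in SINGLETONS:
        if counts.get(name, 0) > 1:
            findings.append((0, f"{name}: {counts[name]} instances, expected 1"))
    return findings


def run_checks(pslist, psscan) -> dict:
    return {"hidden": hidden_processes(pslist, psscan),
            "anomalies": baseline_anomalies(pslist)}


# Constructed sample rows (pid, ppid, name, path) in pslist/psscan style.
PSLIST = [
    Proc(4, 0, "System", ""),
    Proc(300, 4, "smss.exe", r"\SystemRoot\System32\smss.exe"),
    Proc(400, 380, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(500, 400, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(520, 400, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(600, 500, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(700, 1234, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    Proc(800, 600, "scvhost.exe", r"C:\Windows\Temp\scvhost.exe"),
]
# The scan view sees one more process that was unlinked from the active list.
PSSCAN = PSLIST + [Proc(900, 500, "svchost.exe", r"C:\Windows\System32\svchost.exe")]

if __name__ == "__main__":
    result = run_checks(PSLIST, PSSCAN)
    for p in result["hidden"]:
        print(f"hidden (scan-only): pid {p.pid} {p.name}")
    for pid, reason in result["anomalies"]:
        print(f"pid {pid}: {reason}")
```

On the sample data this reports pid 900 as list-hidden, pid 700 for its missing parent and Temp-folder path, and pid 800 as a look-alike of svchost.exe. The same checks work on real listings exported from your analysis tool once each row is mapped into a Proc; the look-alike threshold is deliberately one edit so that ordinary short names such as dwm.exe are not mistaken for lsm.exe.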
Thus memory forensics has a lot of power to establish hidden context in an investigation, and it should be an integral part of every investigation. It has its own challenges, but they can be overcome with experience and practice.