Task 16, Day 11, Memory Forensics Not all gifts are nice
Note: Two days later I realized I forgot to rename this and the next posts in the front-end. Fitting for a memory-centric task.
Memory forensics is analysis of volatile memory. Interesting analogy:
Normally store food in the fridge (hard drive). When cooking, store ingrediants on counter for quick access, but the counter (RAM) is smaller than the fridge. (Also doesn’t store it as well/long)
Memory dump is full capture of what was running at the time: network connections, apps, background processes, etc. MAlicious code tries to hide from user, but can’t hide from memory.
Volatility
Open-source memory forensics toolkit written in python. Analyzes memory dumps from Windows, Linux, and MacOS devices. Allows:
List all processes running on device at time of capture
List active and closed network connections
Use Yara rules to search for indicators of malware
Retrieve hashed passwords, clipboard contents, components of command prompt
Much, much more
Once Volatility and requirements (Python) are installed run with python3 vol.py. Requires options like name and location of dump, and action to perform. Common options and examples:
-f - provide file and location of dump python3 vol.py -f /path/to/my/memdump.vmem
-v - increase verbosity. Sometimes useful for understanding what is going on during debugging python3 vol.py -v
-o - specify extracted process or DLL location python3 vol.py -o /output/extracted/files/here
Types of actions:
List processes
List netowrk connections
List contents of clipboard, notepad, cmd prompt
Usage
First, confirm OS of the device memory capture came from. This determines plugins used.
Start with imageinfo plugin. python3 vol.py -f workstation.vmem windows.info
Windows plugins for this task:
windows.pslist - list processes running at capture
windows.psscan - analyse a specific process further
windows.dumpfiles - export process for futher analysis (static or dynamic analysis)
windows.netstat - list all network connections at time of capture
Looking at connections can show if malware was connected to a malicious server, and its IP address, which allows for defensive measures on other devices. Also can use to determine if another device is infected if it connects to same malicious server.
The Task
Find a binary and info about it.
Found all the details, but might need to watch the walkthrough to see if there are other details I should be learning, or applications I should be making.