Memory Forensic – All things in moderation

Memory Forensic

What is memory forensic?

Memory forensics is forensic analysis of a computer's memory dump. Its primary application is investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information. (Wikipedia)

Requirement

In this post I use the tools on Windows, so the commands below are typed into a Windows command prompt (on Linux, replace findstr with grep). Now, let's go.

Get the computer name

Tool: Volatility

Command: >vol.py -f <memory_image> --profile=<profile> envars | findstr COMPUTERNAME

Get the profile:

You can list the profiles Volatility knows with the command: >vol.py --info. Pick the one that matches the OS and service pack of the image (for example Win7SP1x86); if you are unsure, the imageinfo plugin suggests candidate profiles for a dump.


Windows sets many environment variables for running processes that carry reference data such as OS, TEMP, windir and Path; the current host name is stored in the variable COMPUTERNAME. On a live system you can view the environment variables from PowerShell.

Command: Get-ChildItem Env:


Get process list

Use Volatility:

Command: >vol.py -f <file_image> --profile=<profile_name> pslist

pslist: finds and walks the doubly linked list of processes and prints a summary of the data. This method typically cannot show you terminated or hidden processes.

pstree: takes the output from pslist and formats it in a tree view, so you can easily see parent and child relationships.

psscan: scans for _EPROCESS objects instead of relying on the linked list. This plugin can also find terminated and unlinked (hidden) processes.

psxview: locates processes using alternate process listings, so you can cross-reference the different sources of information and reveal malicious discrepancies.
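The psxview idea in a few lines: parse the tables that pslist and psscan print, then report every process psscan found that pslist did not. This is an added example, not code from the original post or from Volatility; the two plugin outputs below are constructed samples modelled on Volatility 2's column layout (the process names, PIDs and offsets are invented), and the "terminated versus hidden" distinction relies on the exit-time column being populated, which is an assumption about the output format.

```python
import re

# Constructed sample output modelled on Volatility 2 "pslist" and "psscan" (not from a real dump).
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84147020 System                    4      0     86      528 ------      0 2020-01-01 10:00:00 UTC+0000
0x85b2a5a0 smss.exe                272      4      2       29 ------      0 2020-01-01 10:00:01 UTC+0000
0x86f1f030 csrss.exe               352    344      9      442      0      0 2020-01-01 10:00:02 UTC+0000
0x86e0d2b8 explorer.exe           1580   1544     23      811      1      0 2020-01-01 10:00:10 UTC+0000
0x86d49030 cmd.exe                2204   1580      1       21      1      0 2020-01-01 10:01:00 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002147020 System                4      0 0x00185000 2020-01-01 10:00:00 UTC+0000
0x000000001ab2a5a0 smss.exe            272      4 0x1e8c0020 2020-01-01 10:00:01 UTC+0000
0x000000001cf1f030 csrss.exe           352    344 0x1e8c0040 2020-01-01 10:00:02 UTC+0000
0x000000001ce0d2b8 explorer.exe       1580   1544 0x1e8c00a0 2020-01-01 10:00:10 UTC+0000
0x000000001cd49030 cmd.exe            2204   1580 0x1e8c0120 2020-01-01 10:01:00 UTC+0000
0x000000001d3a1030 notepad.exe        2316   2204 0x1e8c0140 2020-01-01 10:01:30 UTC+0000 2020-01-01 10:02:00 UTC+0000
0x000000001d5c0030 svch0st.exe        2440   2204 0x1e8c0160 2020-01-01 10:02:10 UTC+0000
"""

TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_process_table(text):
    """Parse the whitespace-separated table both plugins print into {pid: info}.
    Columns 1..3 are Name, PID, PPID in both plugins; a second timestamp on a
    line means the Exit / Time exited column is populated (assumption about the format)."""
    procs = {}
    for line in text.splitlines():
        if not line.startswith("0x"):      # skip header and separator lines
            continue
        fields = line.split()
        pid, ppid = int(fields[2]), int(fields[3])
        procs[pid] = {
            "name": fields[1],
            "ppid": ppid,
            "exited": len(TIMESTAMP_RE.findall(line)) >= 2,
        }
    return procs


def cross_reference(pslist, psscan):
    """Report processes psscan found that pslist did not, as psxview does.
    A missing process with an exit time was simply terminated (its _EPROCESS
    is still lying around in memory); one with no exit time is unlinked from
    the active process list and deserves a closer look."""
    findings = []
    for pid, proc in sorted(psscan.items()):
        if pid in pslist:
            continue
        parent = psscan.get(proc["ppid"], {}).get("name", "?")
        status = "terminated" if proc["exited"] else "hidden"
        findings.append((pid, proc["name"], parent, status))
    return findings


if __name__ == "__main__":
    for pid, name, parent, status in cross_reference(
            parse_process_table(PSLIST_OUTPUT), parse_process_table(PSSCAN_OUTPUT)):
        print(f"PID {pid:>5} {name:<16} parent={parent:<14} {status}")
```

Run against real output by saving each plugin's result to a file and feeding the text to parse_process_table; the interesting line is the one reported as hidden, here a misspelled svch0st.exe spawned from cmd.exe.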

Use Redline:

Redline’s strengths are that it has a very easy-to-use interface and shows a lot of process information.

Get user passwords

List the registry hives:

vol.py -f ch2.dmp --profile=Win7SP1x86 hivelist
Volatility Foundation Volatility Framework 2.6.1
Virtual    Physical   Name
---------- ---------- ----
0x8ee66740 0x141c0740 \SystemRoot\System32\Config\SOFTWARE
0x90cab9d0 0x172ab9d0 \SystemRoot\System32\Config\DEFAULT
0x9670e9d0 0x1ae709d0 \??\C:\Users\John Doe\ntuser.dat
0x9670f9d0 0x04a719d0 \??\C:\Users\John Doe\AppData\Local\Microsoft\Windows\UsrClass.dat
0x9aad6148 0x131af148 \SystemRoot\System32\Config\SAM
0x9ab25008 0x14a61008 \SystemRoot\System32\Config\SECURITY
0x9aba79d0 0x11a259d0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x9abb1720 0x0a7d4720 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x8b20c008 0x039e1008 [no name]
0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM
0x8b23c008 0x02ccf008 \REGISTRY\MACHINE\HARDWARE
0x8ee66008 0x141c0008 \Device\HarddiskVolume1\Boot\BCD

Extract the hashes

Now, with the virtual offsets of the SYSTEM and SAM hives, we can extract the hashes (-y takes the SYSTEM hive offset, -s the SAM hive offset):

D:\volatility>vol.py -f ch2.dmp --profile=Win7SP1x86 hashdump -y 0x8b21c008 -s 0x9aad6148 > hashes.txt
Volatility Foundation Volatility Framework 2.6.1

View hashes.txt. Each line is user:RID:LM hash:NT hash:::. The LM value aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string (LM storage is disabled, as is the default since Vista), and the NT value 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, so Administrator and Guest have blank passwords here and only John Doe's NT hash needs cracking:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John Doe:1000:aad3b435b51404eeaad3b435b51404ee:b9f917853e3dbf6e6831ecce60725930:::
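The two steps above, picking the SYSTEM and SAM offsets out of hivelist and then triaging the hashdump output, are easy to get wrong by hand (the -y and -s arguments are often swapped). The script below is an added example, not part of the original post or of Volatility: it reuses the hivelist and hashdump output shown on this page, builds the hashdump command line from the hive offsets, and separates blank-password accounts from NT hashes worth cracking. The image name and profile are the post's own; the function names are mine.

```python
import re

# hivelist output copied from this post (Volatility 2.6.1, profile Win7SP1x86).
HIVELIST_OUTPUT = r"""
Virtual    Physical   Name
---------- ---------- ----
0x8ee66740 0x141c0740 \SystemRoot\System32\Config\SOFTWARE
0x90cab9d0 0x172ab9d0 \SystemRoot\System32\Config\DEFAULT
0x9670e9d0 0x1ae709d0 \??\C:\Users\John Doe\ntuser.dat
0x9670f9d0 0x04a719d0 \??\C:\Users\John Doe\AppData\Local\Microsoft\Windows\UsrClass.dat
0x9aad6148 0x131af148 \SystemRoot\System32\Config\SAM
0x9ab25008 0x14a61008 \SystemRoot\System32\Config\SECURITY
0x9aba79d0 0x11a259d0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x9abb1720 0x0a7d4720 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x8b20c008 0x039e1008 [no name]
0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM
0x8b23c008 0x02ccf008 \REGISTRY\MACHINE\HARDWARE
0x8ee66008 0x141c0008 \Device\HarddiskVolume1\Boot\BCD
"""

# hashdump output copied from this post (pwdump format: user:RID:LM hash:NT hash:::).
HASHDUMP_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John Doe:1000:aad3b435b51404eeaad3b435b51404ee:b9f917853e3dbf6e6831ecce60725930:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string (blank password)

HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*)$")


def find_hive_offsets(hivelist_text):
    r"""Return the virtual offsets of the SYSTEM and SAM hives. The SYSTEM hive may be
    listed as \REGISTRY\MACHINE\SYSTEM or \SystemRoot\System32\Config\SYSTEM depending
    on the dump, so match on the last path component only (first match wins)."""
    offsets = {}
    for line in hivelist_text.splitlines():
        m = HIVE_LINE.match(line.strip())
        if not m:
            continue
        virtual, _physical, name = m.groups()
        leaf = name.rsplit("\\", 1)[-1].upper()
        if leaf in ("SYSTEM", "SAM") and leaf not in offsets:
            offsets[leaf] = virtual
    return offsets


def hashdump_command(image, profile, offsets):
    """Build the Volatility 2 hashdump invocation: -y is the SYSTEM hive, -s the SAM hive."""
    return (f"vol.py -f {image} --profile={profile} hashdump "
            f"-y {offsets['SYSTEM']} -s {offsets['SAM']}")


def parse_hashdump(text):
    """Parse pwdump lines and flag blank passwords. Usernames may contain spaces
    (as "John Doe" does) but not colons, so a plain split on ':' is safe."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        accounts.append({
            "user": user,
            "rid": int(rid),
            "lm": lm.lower(),
            "nt": nt.lower(),
            "blank_password": nt.lower() == EMPTY_NT,
            "lm_stored": lm.lower() != EMPTY_LM,
        })
    return accounts


def hashes_to_crack(accounts):
    """NT hashes worth feeding to hashcat -m 1000 (blank passwords need no cracking)."""
    return [a["nt"] for a in accounts if not a["blank_password"]]


if __name__ == "__main__":
    offsets = find_hive_offsets(HIVELIST_OUTPUT)
    print(hashdump_command("ch2.dmp", "Win7SP1x86", offsets))
    accounts = parse_hashdump(HASHDUMP_OUTPUT)
    for a in accounts:
        print(f"{a['user']:<14} RID {a['rid']:<5} "
              f"{'blank password' if a['blank_password'] else 'NT hash ' + a['nt']}")
    print("to crack:", hashes_to_crack(accounts))
```

If lm_stored is ever True on a dump, crack the LM half first (hashcat mode 3000): LM is case-insensitive and split into two 7-character halves, so it falls far faster than the NT hash and narrows the NT search.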

Crack the hashes

You can crack the NT hash with a local tool such as Hashcat (mode 1000 for NT hashes) or with an online lookup service. In this post I use HashKiller:

Yep, we can see the password of user John Doe.

Network carving

To carve network packets out of a memory file there are a few tools that can be used, for example bulk_extractor and CapLoader. In this post we use CapLoader.

CapLoader can carve packets directly from a memory dump through its Carve Packets feature (File menu), which scans the raw file for packet structures instead of expecting a PCAP.

CapLoader is a Windows tool designed to handle large amounts of captured network traffic. CapLoader performs indexing of PCAP/PcapNG files and visualizes their contents as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.

CapLoader is the ideal tool to use when handling big data PCAP files in sizes up to many gigabytes (GB). The contents of individual flows can be exported to tools like Wireshark and NetworkMiner in just a matter of seconds.

The carved packets can be saved as a PCAP and opened in Wireshark or NetworkMiner for further analysis.
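What carving actually does, in a minimal form: scan raw memory for the byte signature of an Ethernet/IPv4 packet, validate the IPv4 header checksum and length so that random bytes are not mistaken for traffic, and write the survivors to a PCAP. This is an added example, not code from the original post, from CapLoader or from bulk_extractor; it handles only 20-byte IPv4 headers (no options) behind an Ethernet frame, and the "memory dump" it scans is a constructed byte string containing one valid UDP packet and one decoy that fails the checksum.

```python
import socket
import struct

PCAP_MAGIC, PCAP_LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def ip_checksum(header):
    """RFC 791 one's-complement checksum. Over a header whose checksum field is
    already filled in, the result is 0 when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame used to seed the sample memory (MACs are made up)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = none
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack(">H", ip_checksum(ip)) + ip[12:]
    return eth + ip + udp


# Constructed "memory dump": filler, a decoy that looks like a packet start but
# fails the checksum, the real frame, more filler.
SAMPLE_FRAME = build_udp_frame("10.0.0.5", "192.168.1.20", 4660, 53, b"hello")
SAMPLE_MEMORY = (b"\x00" * 32 + b"\x08\x00\x45" + b"\x00" * 17 + b"\xff" * 16
                 + SAMPLE_FRAME + b"\x41" * 32)


def carve_ipv4_frames(mem):
    """Find Ethernet frames carrying IPv4 in raw memory. Signature: EtherType
    0x0800 followed by version/IHL 0x45 (20-byte header; options are ignored here),
    then validate the header checksum, the total length and the protocol before
    accepting the 12 bytes of MAC addresses that precede the EtherType."""
    frames = []
    pos = mem.find(b"\x08\x00\x45")
    while pos != -1:
        ip_start = pos + 2
        hdr = mem[ip_start:ip_start + 20]
        if pos >= 12 and len(hdr) == 20 and ip_checksum(hdr) == 0:
            total_len = struct.unpack(">H", hdr[2:4])[0]
            if 20 <= total_len <= len(mem) - ip_start and hdr[9] in (1, 6, 17):
                frames.append(mem[pos - 12:ip_start + total_len])
        pos = mem.find(b"\x08\x00\x45", pos + 1)
    return frames


def describe(frame):
    """(src, dst, protocol number) of a carved frame."""
    hdr = frame[14:34]
    return socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]), hdr[9]


def to_pcap(frames):
    """Serialise carved frames as a classic pcap. Memory carries no capture
    timestamps, so the packet index stands in for the seconds field."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, PCAP_LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    carved = carve_ipv4_frames(SAMPLE_MEMORY)
    for f in carved:
        print(describe(f), len(f), "bytes")
    with open("carved.pcap", "wb") as fh:
        fh.write(to_pcap(carved))
```

Point carve_ipv4_frames at a real dump read into memory (or, for large images, at a memory-mapped file) and the resulting carved.pcap opens in Wireshark. Expect duplicates and truncated payloads: the same packet often lives in several NIC and socket buffers, and the bytes after the IP header are whatever the page happened to contain, so treat carved traffic as a lead rather than a faithful capture.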

In this article I have introduced some basic commands to get you started with memory forensics. The next lesson will work through the analysis case by case.
