Memory dump analysis

Memory dump analysis is the most common type of challenge that creators give to participants. They might provide a .raw or .mem file, and you are required to conduct analysis and solve the challenge's questions.

Here are the tools you need for this type of challenge:

  1. Volatility3 or Volatility Workbench

  2. MemProcFS

  3. EVTXtract

Noted that in the industry, we don't just get a memory dump file; we get both disk images and memory dumps. However, for the sake of challenge puzzles, the challenge creator might give you only a memory dump to make it more challenging.

But before we use all these actual weapons, please give a shot with strings command with grep context_strings on the mem dump. For example:

strings windows.mem | grep -i "flag{"

Strategy

  1. Check running processes

  2. Check commands

  3. Check Network connections

  4. Check injected process

  5. Check files

  6. Check registry

MemProcFS

Imagine you can "Mount" memory images and analyze them with Explorer and Notepad. This tool, MemProcFS will create a virtual file system representing the processes, file handles, registry, $MFT, and more.

To install and use MemProcFS, please install Dokan first at https://github.com/dokan-dev/dokany/releases

Then download the binaries from the release: https://github.com/ufrisk/MemProcFS/releases

Usage

Mount and forensics!

memprocfs.exe -device memdump.mem -forensic 1

Navigate and explore the folders:

DirectoryDescription

conf

Configuration and Status.

forensic

Forensic mode.

misc

Miscellaneous functionality

name

Per-process directories listed by process name.

pid

Per-process directories listed by process pid.

py

Python based plugins.

registry

Registry information.

sys

System information.

vm

Virtual Machine (VM) information.

Running Processes

Navigate to M:\sys\proc where the files:

proc = Show process in tree mode proc-v = Show process with command

Network connection

Navigate to M:\sys\net\

Investigate injected process

Navigate to M:\forensic\findevil and find RWX section in the output result

Dump shellcode

Go to M:\pid\<PID number\vmemd and then find the address that we're take note from the findevil result

Then, we can use shellcode emulator or shellcode launcher to know what the program does including:

  1. Shellcode2exe

  2. Blobrunner

  3. SCDbg

  4. speakeasy

Volatility WorkBench

Volatility Workbench is a graphical user interface (GUI) for the Volatility if you hate Linux command line version.

Basic Usage

Browse Image -> Choose Windows Platform as option -> Refresh Process List > Choose Command options -> Run -> Investigate the output

These is the plugins that I found crucial in analysis:

PluginDescription

windows.cmdline.CmdLine

Lists process command line arguments.

windows.dlllist.DllList

Lists the loaded modules in a particular Windows memory image.

windows.dumpfiles.DumpFiles

Dumps cached file contents from Windows memory samples.

windows.envars.Envars

Displays process environment variables.

windows.filescan.FileScan

Scans for file objects present in a particular Windows memory image.

windows.getservicesids.GetServiceSIDs

Lists process token SIDs.

windows.getsids.GetSIDs

Prints the SIDs owning each process.

windows.handles.Handles

Lists process open handles.

windows.malfind.Malfind

Lists process memory ranges that potentially contain injected code.

windows.mbrscan.MBRScan

Scans for and parses potential Master Boot Records (MBRs).

windows.memmap.Memmap

Prints the memory map.

windows.modscan.ModScan

Scans for modules present in a particular Windows memory image.

windows.mutantscan.MutantScan

Scans for mutexes present in a particular Windows memory image.

windows.netscan.NetScan

Scans for network objects present in a particular Windows memory image.

windows.netstat.NetStat

Traverses network tracking structures present in a particular Windows memory image.

windows.pslist.PsList

Lists the processes present in a particular Windows memory image.

windows.psscan.PsScan

Scans for processes present in a particular Windows memory image.

windows.pstree.PsTree

Lists processes in a tree based on their parent process ID.

windows.registry.hivelist.HiveList

Lists the registry hives present in a particular memory image.

windows.registry.hivescan.HiveScan

Scans for registry hives present in a particular Windows memory image.

windows.registry.printkey.PrintKey

Lists the registry keys under a hive or specific key value.

windows.registry.userassist.UserAssist

Prints UserAssist registry keys and information.

windows.sessions.Sessions

Lists processes with session information extracted from environmental variables.

windows.skeleton_key_check.Skeleton_Key_Check

Looks for signs of Skeleton Key malware.

EVTXtract

This tool recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.

The use case of this tool is when the challenge creator ask us to find something in the event log, but all he/she gives is a mem dump.

Download: https://github.com/williballenthin/EVTXtract

Usage

It's quite hard to read the XML output, you might need CTRL+F with context of the incident.

PreviousRegistry AnalysisNextGeneral

Last updated