# Memory dump analysis

Memory dump analysis is the most common type of challenge that creators give to participants. They might provide a .raw or .mem file, and you are required to conduct analysis and solve the challenge's questions.

Here are the tools you need for this type of challenge:

1. Volatility3 or Volatility Workbench
2. MemProcFS
3. EVTXtract

Note that in real investigations we rarely get only a memory dump; we usually have both a disk image and a memory dump. For the sake of the puzzle, however, the challenge creator may give you only the memory dump to make it more challenging.

But before reaching for these heavier tools, give the `strings` command a shot, piped to `grep` with a pattern taken from the challenge context, on the memory dump. For example:

```sh
strings windows.mem | grep -i "flag{"
```
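Windows keeps most in-memory strings as UTF-16LE, which plain `strings` misses unless you also run GNU `strings -el`. The following Python example is added here (it is not from the original page) and searches a dump buffer for both ASCII and wide strings matching a pattern; the dump bytes are a constructed sample.

```python
import re

# Constructed sample "memory dump": an ASCII flag, a UTF-16LE flag (the
# encoding Windows uses for most in-memory strings) and non-printable filler.
SAMPLE_DUMP = (
    b"\x00\x01MZ\x90\x00notepad.exe\x00"
    + b"flag{ascii_part}\x00\xff\xfe"
    + "flag{wide_part}".encode("utf-16-le")
    + b"\x00\x00junk"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Return (offset, text) for printable runs, like `strings` and `strings -el`.

    ASCII runs: min_len or more bytes in 0x20..0x7e.
    UTF-16LE runs: min_len or more pairs of (printable ASCII byte, NUL).
    """
    ascii_rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_rx.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide_rx.finditer(data)]
    return sorted(found)  # by offset, so hits read in dump order


def grep_dump(data: bytes, pattern: str) -> list[tuple[int, str]]:
    """Case-insensitive search over both encodings, like `strings | grep -i`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(off, s) for off, s in extract_strings(data) if rx.search(s)]


if __name__ == "__main__":
    # On a real dump: grep_dump(open("windows.mem", "rb").read(), r"flag\{")
    for off, s in grep_dump(SAMPLE_DUMP, r"flag\{"):
        print(f"{off:#010x}  {s}")
```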

## Strategy

1. Check running processes
2. Check commands
3. Check Network connections
4. Check injected process
5. Check files
6. Check registry

## MemProcFS

Imagine being able to "mount" a memory image and analyze it with Explorer and Notepad. That is what MemProcFS does: it creates a virtual file system representing the processes, file handles, registry, $MFT, and more.

To install and use MemProcFS, please install Dokan first at <https://github.com/dokan-dev/dokany/releases>

Then download the binaries from the release: <https://github.com/ufrisk/MemProcFS/releases>

### Usage

Mount the image with forensic mode enabled and start digging:

```
memprocfs.exe -device memdump.mem -forensic 1
```


Navigate and explore the folders:

| Directory                                                        | Description                                     |
| ---------------------------------------------------------------- | ----------------------------------------------- |
| [conf](https://github.com/ufrisk/MemProcFS/wiki/FS_Conf)         | Configuration and Status.                       |
| [forensic](https://github.com/ufrisk/MemProcFS/wiki/FS_Forensic) | Forensic mode.                                  |
| [misc](https://github.com/ufrisk/MemProcFS/wiki/FS_Misc)         | Miscellaneous functionality                     |
| name                                                             | Per-process directories listed by process name. |
| pid                                                              | Per-process directories listed by process pid.  |
| py                                                               | Python based plugins.                           |
| [registry](https://github.com/ufrisk/MemProcFS/wiki/FS_Registry) | Registry information.                           |
| [sys](https://github.com/ufrisk/MemProcFS/wiki/FS_SysInfo)       | System information.                             |
| [vm](https://github.com/ufrisk/MemProcFS/wiki/VM)                | Virtual Machine (VM) information.               |


### Running Processes

Navigate to `M:\sys\proc`, which contains these files:

`proc` = shows processes in tree mode\
`proc-v` = shows processes together with their command lines


### Network connection

Navigate to `M:\sys\net\` to list the network connections found in the image.


### Investigate injected process

Navigate to `M:\forensic\findevil` and look for RWX (read/write/execute) memory sections in the output; these are the usual sign of injected code.


### Dump shellcode

Go to `M:\pid\<PID number>\vmemd` and then locate the address we noted from the findevil result.


Then we can use a shellcode emulator or shellcode launcher to find out what the code does, for example:

1. Shellcode2exe
2. Blobrunner
3. SCDbg
4. speakeasy

## Volatility WorkBench

Volatility Workbench is a graphical user interface (GUI) for Volatility, for those who would rather avoid the Linux command-line version.

### Basic Usage

Browse Image -> Choose `Windows` as the Platform option -> Refresh Process List -> Choose the `Command` option -> Run -> Investigate the output


These are the plugins I found crucial during analysis:

| Plugin                                           | Description                                                                          |
| ------------------------------------------------ | ------------------------------------------------------------------------------------ |
| `windows.cmdline.CmdLine`                        | Lists process command line arguments.                                                |
| `windows.dlllist.DllList`                        | Lists the loaded modules in a particular Windows memory image.                       |
| `windows.dumpfiles.DumpFiles`                    | Dumps cached file contents from Windows memory samples.                              |
| `windows.envars.Envars`                          | Displays process environment variables.                                              |
| `windows.filescan.FileScan`                      | Scans for file objects present in a particular Windows memory image.                 |
| `windows.getservicesids.GetServiceSIDs`          | Lists process token SIDs.                                                            |
| `windows.getsids.GetSIDs`                        | Prints the SIDs owning each process.                                                 |
| `windows.handles.Handles`                        | Lists process open handles.                                                          |
| `windows.malfind.Malfind`                        | Lists process memory ranges that potentially contain injected code.                  |
| `windows.mbrscan.MBRScan`                        | Scans for and parses potential Master Boot Records (MBRs).                           |
| `windows.memmap.Memmap`                          | Prints the memory map.                                                               |
| `windows.modscan.ModScan`                        | Scans for modules present in a particular Windows memory image.                      |
| `windows.mutantscan.MutantScan`                  | Scans for mutexes present in a particular Windows memory image.                      |
| `windows.netscan.NetScan`                        | Scans for network objects present in a particular Windows memory image.              |
| `windows.netstat.NetStat`                        | Traverses network tracking structures present in a particular Windows memory image.  |
| `windows.pslist.PsList`                          | Lists the processes present in a particular Windows memory image.                    |
| `windows.psscan.PsScan`                          | Scans for processes present in a particular Windows memory image.                    |
| `windows.pstree.PsTree`                          | Lists processes in a tree based on their parent process ID.                          |
| `windows.registry.hivelist.HiveList`             | Lists the registry hives present in a particular memory image.                       |
| `windows.registry.hivescan.HiveScan`             | Scans for registry hives present in a particular Windows memory image.               |
| `windows.registry.printkey.PrintKey`             | Lists the registry keys under a hive or specific key value.                          |
| `windows.registry.userassist.UserAssist`         | Prints UserAssist registry keys and information.                                     |
| `windows.sessions.Sessions`                      | Lists processes with session information extracted from environmental variables.     |
| `windows.skeleton_key_check.Skeleton_Key_Check`  | Looks for signs of Skeleton Key malware.                                              |
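One check worth doing with `windows.pslist.PsList` and `windows.psscan.PsScan` together: pslist walks the kernel's linked list of active processes, while psscan scans memory for `_EPROCESS` structures, so anything psscan finds that pslist does not is either a terminated process or one unlinked from the list. This Python example is added here (not from the page or the Volatility project) and runs that comparison plus a parent-process sanity check on constructed CSV samples; the column layout imitates Volatility 3's `-r csv` output, but the column names are an assumption and the expected-parent table is a small subset.

```python
import csv
import io

# Constructed samples in the shape of Volatility 3 `-r csv` output
# (column names assumed; unused columns omitted). ExitTime is "N/A" or
# empty for processes that were still running when the dump was taken.
PSLIST_CSV = """PID,PPID,ImageFileName,ExitTime
4,0,System,N/A
448,4,smss.exe,N/A
600,448,wininit.exe,N/A
680,600,services.exe,N/A
900,680,svchost.exe,N/A
1120,1080,explorer.exe,N/A
"""

# psscan sees two more: one that exited and one that is not in the list.
PSSCAN_CSV = PSLIST_CSV + """2900,1120,notepad.exe,2024-01-02 03:05:00
3104,1120,svchost.exe,N/A
"""

# Well-known parent for a few core Windows processes (subset only).
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}


def load(csv_text: str) -> dict[int, dict]:
    """Index plugin rows by PID."""
    return {int(r["PID"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def find_unlisted_processes(pslist_csv: str, psscan_csv: str) -> list[tuple]:
    """(pid, name, status) for every process psscan found but pslist did not.

    A set ExitTime means the process simply terminated; none means the
    _EPROCESS was unlinked from the active list and deserves a closer look.
    """
    listed, scanned = load(pslist_csv), load(psscan_csv)
    out = []
    for pid, row in scanned.items():
        if pid in listed:
            continue
        exited = row.get("ExitTime", "") not in ("", "N/A")
        out.append((pid, row["ImageFileName"], "exited" if exited else "unlinked"))
    return out


def check_parents(psscan_csv: str) -> list[tuple]:
    """(pid, name, actual_parent) where the parent is not the expected one."""
    procs = load(psscan_csv)
    odd = []
    for pid, row in procs.items():
        expected = EXPECTED_PARENT.get(row["ImageFileName"].lower())
        if expected is None:
            continue
        parent = procs.get(int(row["PPID"]))
        actual = parent["ImageFileName"].lower() if parent else "<missing>"
        if actual != expected:
            odd.append((pid, row["ImageFileName"], actual))
    return odd
```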

## EVTXtract

This tool recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.

This tool is useful when the challenge creator asks us to find something in the event log but only provides a memory dump.

Download: <https://github.com/williballenthin/EVTXtract>

### Usage

The XML output is quite hard to read; you may need to Ctrl+F for keywords related to the incident.
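Instead of scrolling the raw XML, you can filter the recovered records by event ID or keyword. This Python example is added here (it is not from the page or from EVTXtract) and assumes the recovered records appear as standard Windows Event XML (`<Event>` elements in the Microsoft events namespace); the sample output, including a truncated fragment, is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: two recovered Windows Event XML records, a truncated
# fragment and a line of carving noise, as reconstructed logs often look.
SAMPLE_OUTPUT = """chunk at offset 0x1000: 2 records recovered
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4672</EventID>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-02T03:04:05Z"/></System>
 <EventData><Data Name="NewProcessName">C:\\Windows\\System32\\notepad.exe</Data>
  <Data Name="CommandLine">notepad.exe C:\\Users\\alice\\notes.txt</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-02T03:00:00Z"/></System>
 <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">10</Data></EventData>
</Event>
"""

# One <Event>...</Event> block that never runs into the next <Event>, so a
# truncated record cannot swallow the complete record that follows it.
EVENT_RX = re.compile(r"<Event\b(?:(?!<Event\b).)*?</Event>", re.DOTALL)


def parse_records(text: str) -> list[dict]:
    """Flatten each well-formed <Event> into a dict; skip damaged fragments."""
    records = []
    for m in EVENT_RX.finditer(text):
        try:
            root = ET.fromstring(m.group())
        except ET.ParseError:
            continue
        tc = root.find(f"{NS}System/{NS}TimeCreated")
        rec = {"EventID": int(root.findtext(f".//{NS}EventID", default="-1")),
               "Time": tc.get("SystemTime", "") if tc is not None else ""}
        for d in root.iter(f"{NS}Data"):  # EventData fields keyed by Name
            rec[d.get("Name", "Data")] = d.text or ""
        records.append(rec)
    return records


def search_records(text: str, event_ids=None, keyword=None) -> list[dict]:
    """Filter by EventID set and/or case-insensitive keyword, oldest first."""
    kw = keyword.lower() if keyword else None
    hits = [r for r in parse_records(text)
            if (not event_ids or r["EventID"] in event_ids)
            and (kw is None or any(kw in str(v).lower() for v in r.values()))]
    return sorted(hits, key=lambda r: r["Time"])
```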

