Memory dump analysis
Memory dump analysis is the most common type of challenge that creators give to participants. They might provide a .raw or .mem file, and you are required to analyze it and answer the challenge's questions.
Here are the tools you need for this type of challenge:
Volatility3 or Volatility Workbench
MemProcFS
EVTXtract
Note that in the industry we don't just get a memory dump file; we get both disk images and memory dumps. For the sake of the puzzle, however, the challenge creator might give you only a memory dump to make it more challenging.
But before we bring out all these heavier weapons, give the strings command a shot on the memory dump, piping its output through grep with some context lines. For example:
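As an added example (not part of the original page), the following Python script does what the strings-plus-grep-with-context step does, but over both ASCII and UTF-16LE text, because most strings in Windows memory are UTF-16LE and an ASCII-only strings pass misses them. SAMPLE_DUMP is a constructed byte buffer standing in for a slice of a dump; the user name, path and command line in it are made up.

```python
import re
import sys
from typing import List, Tuple

# Constructed stand-in for a slice of a .raw/.mem dump (not from a real image):
# an ASCII command line, some binary noise, then a UTF-16LE path as Windows stores it.
SAMPLE_DUMP = (
    b"\x00\x01\x02powershell.exe -enc SQBFAFgA\x00\xff\xfe"
    + "C:\\Users\\victim\\flag{not_real}.txt".encode("utf-16-le")
    + b"\x00\x00\x90\x90short\x00"
)

def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for printable runs of at least min_len chars.

    Covers what `strings -a` finds (ASCII) and what `strings -el` finds (UTF-16LE).
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return sorted(found)  # by file offset, so neighbours are physically adjacent in the dump

def grep_strings(data: bytes, pattern: str, context: int = 1,
                 min_len: int = 4) -> List[List[Tuple[int, str, str]]]:
    """Like `strings | grep -C context`: each hit comes with its neighbouring strings,
    which is where the surrounding evidence (paths, arguments, URLs) usually sits."""
    found = extract_strings(data, min_len)
    hits = []
    for i, (_, _, text) in enumerate(found):
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(found[max(0, i - context): i + context + 1])
    return hits

if __name__ == "__main__":
    # Usage: python strings_grep.py <dump.raw> <regex>; with no arguments the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_DUMP
    pattern = sys.argv[2] if len(sys.argv) > 2 else r"flag\{"
    for group in grep_strings(data, pattern):
        for offset, enc, text in group:
            print(f"0x{offset:08x} [{enc:8}] {text}")
        print("--")
```

On a full-size dump this reads the whole file into memory; for multi-gigabyte images run the real strings -a and strings -el over the file and grep their output with -C instead.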
Strategy
Check running processes
Check commands
Check network connections
Check for injected processes
Check files
Check registry
MemProcFS
Imagine you can "mount" memory images and analyze them with Explorer and Notepad. That is what MemProcFS does: it creates a virtual file system representing the processes, file handles, registry, $MFT, and more.
To install and use MemProcFS, please install Dokan first at https://github.com/dokan-dev/dokany/releases
Then download the binaries from the release: https://github.com/ufrisk/MemProcFS/releases
Usage
Mount the image and start the forensics!
Navigate and explore the folders:
Configuration and Status.
Forensic mode.
Miscellaneous functionality
name: Per-process directories listed by process name.
pid: Per-process directories listed by process pid.
py: Python based plugins.
Registry information.
System information.
Virtual Machine (VM) information.
Running Processes
Navigate to M:\sys\proc, where the files are:
proc: shows processes in tree mode
proc-v: shows processes with their command lines
Network connections
Navigate to M:\sys\net\
Investigate injected processes
Navigate to M:\forensic\findevil and look for RWX sections in the output.
Dump shellcode
Go to M:\pid\<PID number>\vmemd and find the address you noted from the findevil result.
Then, we can use a shellcode emulator or shellcode launcher to find out what the code does, including:
Shellcode2exe
Blobrunner
SCDbg
speakeasy
Volatility WorkBench
Volatility Workbench is a graphical user interface (GUI) for Volatility, for those who dislike the Linux command-line version.
Basic Usage
Browse Image -> Choose Windows Platform as option -> Refresh Process List -> Choose Command options -> Run -> Investigate the output
These are the plugins that I found crucial in analysis:
windows.cmdline.CmdLine: Lists process command line arguments.
windows.dlllist.DllList: Lists the loaded modules in a particular Windows memory image.
windows.dumpfiles.DumpFiles: Dumps cached file contents from Windows memory samples.
windows.envars.Envars: Displays process environment variables.
windows.filescan.FileScan: Scans for file objects present in a particular Windows memory image.
windows.getservicesids.GetServiceSIDs: Lists process token SIDs.
windows.getsids.GetSIDs: Prints the SIDs owning each process.
windows.handles.Handles: Lists process open handles.
windows.malfind.Malfind: Lists process memory ranges that potentially contain injected code.
windows.mbrscan.MBRScan: Scans for and parses potential Master Boot Records (MBRs).
windows.memmap.Memmap: Prints the memory map.
windows.modscan.ModScan: Scans for modules present in a particular Windows memory image.
windows.mutantscan.MutantScan: Scans for mutexes present in a particular Windows memory image.
windows.netscan.NetScan: Scans for network objects present in a particular Windows memory image.
windows.netstat.NetStat: Traverses network tracking structures present in a particular Windows memory image.
windows.pslist.PsList: Lists the processes present in a particular Windows memory image.
windows.psscan.PsScan: Scans for processes present in a particular Windows memory image.
windows.pstree.PsTree: Lists processes in a tree based on their parent process ID.
windows.registry.hivelist.HiveList: Lists the registry hives present in a particular memory image.
windows.registry.hivescan.HiveScan: Scans for registry hives present in a particular Windows memory image.
windows.registry.printkey.PrintKey: Lists the registry keys under a hive or specific key value.
windows.registry.userassist.UserAssist: Prints UserAssist registry keys and information.
windows.sessions.Sessions: Lists processes with session information extracted from environmental variables.
windows.skeleton_key_check.Skeleton_Key_Check: Looks for signs of Skeleton Key malware.
EVTXtract
This tool recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
The use case for this tool is when the challenge creator asks us to find something in the event log, but all they give us is a memory dump.
Download: https://github.com/williballenthin/EVTXtract
Usage
The XML output is quite hard to read; you will probably need to Ctrl+F for terms related to the incident.