|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 08.09.2020

Memory Forensics


Memory dumps are analyzed with the open source tool Volatility. Volatility 2 needs a --profile matching the OS build of the dump for almost every plugin; imageinfo and kdbgscan suggest one.

volatility2/vol.py --info
volatility2/vol.py <PLUGIN> -h

Volatility 3 is currently in development and still misses some of the Volatility 2 plugins, but it is useful especially for newer Windows builds: it needs no profile and fetches the matching symbol table itself (from the Microsoft symbol server for Windows).

volatility3/vol.py --help
volatility3/vol.py <PLUGIN> --help

Acquisition


winpmem

Download winpmem and run it as Administrator on the target machine to image physical memory. Write the image to external media rather than to the target's own disk, so that no evidence on that disk is overwritten.

winpmem.exe --format raw --volume_format raw -o memory.raw

dump memory from virtualbox

dumpvmcore writes an ELF core file containing the guest RAM. Volatility reads it directly (vboxinfo shows the memory layout); imagecopy converts it to a raw image for tools that do not understand the format.

vboxmanage debugvm 'VM Name' dumpvmcore --filename memory.elf
volatility2/vol.py -f memory.elf imageinfo
volatility2/vol.py -f memory.elf vboxinfo
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 imagecopy -O memory.raw

dump memory from vmware

You can either take a snapshot of the virtual machine and copy the .vmem and .vmsn files, or suspend it and copy the .vmem and .vmss files. The .vmem holds the guest RAM, the .vmsn/.vmss the metadata Volatility needs (memory layout, CPU state). If both files are in the same folder you can open the .vmem file with Volatility.

volatility2/vol.py -f memory.vmem imageinfo
volatility2/vol.py -f memory.vmem vmwareinfo
volatility2/vol.py -f memory.vmem --profile=Win10x64_18362 imagecopy -O memory.raw

If you only have the .vmem file you can try to convert it manually. The .vmem stores the guest RAM contiguously, but the guest's physical address space has a hole at 3-4 GB reserved for PCI devices. For a guest with more than 3 GB of RAM, inserting 1 GB of zeros at offset 3 GB restores the physical layout Volatility expects; a guest with at most 3 GB needs no padding.

dd if=memory.vmem of=memory.padded_raw bs=1G count=3 oflag=append conv=notrunc
dd if=/dev/zero of=memory.padded_raw bs=1G count=1 oflag=append conv=notrunc
dd if=memory.vmem of=memory.padded_raw bs=1G skip=3 oflag=append conv=notrunc

Yara scan


windows.vadyarascan matches the rules against the VAD regions of every process, i.e. user-space memory; hits are reported with the owning PID and virtual address.

volatility3/vol.py -f memory.elf windows.vadyarascan --yara-file my_rules.yara

Process analysis


list processes

pslist walks the active process list from PsActiveProcessHead; psscan carves _EPROCESS objects out of pool memory and therefore also shows terminated or unlinked (hidden) processes, so compare the two. cmdline and dlllist read the command line and the loaded modules from each process's PEB.

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 pslist
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 psscan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 cmdline
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 dlllist

extract binaries

procdump rebuilds the executable of a process from the PE header in memory (-m keeps the in-memory section layout instead of the on-disk layout), memdump writes every addressable page of the process, vaddump writes each VAD region to its own file, and dlldump extracts a loaded DLL given its base address from dlllist.

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> -D . procdump
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> -D . procdump -m
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> -D . memdump
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> -D . vaddump
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> -b <BASE> dlldump -D .

extract driver module

modules lists the loaded kernel modules via PsLoadedModuleList, unloadedmodules the recently unloaded ones, and moddump extracts a module by its base address.

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 modules
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 unloadedmodules
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -b <BASE> -D . moddump

get binary filesize

A PE dumped from memory may carry trailing bytes beyond its last section. The size it occupies on disk is the end of the section reaching furthest into the file, PointerToRawData + SizeOfRawData; readpe -S prints both values per section (the size line directly precedes the pointer line):

readpe -S evil.exe | grep Pointer -B 1
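The same computation as an added Python example (not part of this page's tooling): it reads the section headers of a PE and returns the end of the section that reaches furthest into the file, so a dumped file can be cut down to its real size. The PE produced by build_sample_pe() is constructed for the example; a real procdump output takes its place.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
SECTION_HEADER_SIZE = 40


def pe_on_disk_size(data: bytes) -> int:
    """Size the PE occupies on disk: the furthest PointerToRawData + SizeOfRawData
    of any section, never less than SizeOfHeaders. Works for PE32 and PE32+
    because SizeOfHeaders sits at offset 60 of the optional header in both."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + 20
    end = struct.unpack_from("<I", data, opt_off + 60)[0]      # SizeOfHeaders
    sect_off = opt_off + opt_size
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_off + i * SECTION_HEADER_SIZE)
        if raw_size:                       # .bss-style sections have no bytes on disk
            end = max(end, raw_ptr + raw_size)
    return end


def trim_dump(data: bytes) -> bytes:
    """Cut a dumped PE down to its on-disk size. A dump shorter than that is
    returned unchanged: it is truncated, and padding would not repair it."""
    return data[:pe_on_disk_size(data)]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ (not a real binary): two sections followed by
    0x1000 bytes of junk, as a dump that ran past the image would carry."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    opt_size = 240                                              # PE32+ optional header
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 60, 0x200)                      # SizeOfHeaders

    def section(name, vsize, vaddr, raw_size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr,
                           0, 0, 0, 0, 0x60000020)

    sections = (section(b".text", 0x3F0, 0x1000, 0x400, 0x200)
                + section(b".data", 0x100, 0x2000, 0x200, 0x600))
    headers = (bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr
               + bytes(opt) + sections).ljust(0x200, b"\0")
    body = b"\xCC" * 0x400 + b"\x41" * 0x200                   # .text then .data bytes
    return headers + body + b"\xFF" * 0x1000                    # trailing junk


if __name__ == "__main__":
    dump = build_sample_pe()
    print(f"dump {len(dump):#x} bytes, PE ends at {pe_on_disk_size(dump):#x}")
```

Run it over a procdump result to see how much of the file is real image; the memdump and vaddump outputs are memory layouts, not PE files, so the function does not apply to them.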

services

svcscan lists the services from the memory of services.exe (name, display name, state, binary path); the service's registry key shows its ImagePath and start type.

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 svcscan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -K "ControlSet001\services\<EVIL_SERVICE>" printkey

find malware activity

netscan carves network connections and listening sockets (Vista and later), ndispktscan (a community plugin, not part of the core distribution) carves packets from NDIS buffers into a pcap, malfind lists private memory regions that are executable and not file-backed (the usual sign of code injection) and can dump them, getsids shows the SIDs a process runs with, apihooks looks for inline and IAT hooks in loaded modules, and ldrmodules reports DLLs whose VAD entry does not match the three PEB module lists (unlinked or manually mapped DLLs).

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 netscan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 ndispktscan -p out.pcap
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 malfind
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 malfind -p <PID> -D .
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 getsids -p <PID>
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 apihooks
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 ldrmodules -p <PID>

User behavior


logon sessions

sessions lists the logon sessions (_MM_SESSION_SPACE) with the processes and image files belonging to each.

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 sessions

environment variables

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 envars -p <PID>

console history

cmdscan scans csrss.exe (XP/2003) or conhost.exe (Vista and later) for the command history of every console; consoles additionally recovers the screen buffers, i.e. the typed commands together with their output.

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 consoles
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 cmdscan

file system information

mftparser carves MFT entries (including resident file contents) out of the image. filescan carves _FILE_OBJECT structures and prints their physical offset, which dumpfiles -Q takes to extract the cached file contents (-n keeps the original file name).

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 mftparser
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 filescan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 dumpfiles -Q <PHYSICAL_OFFSET> -D . -n

registry keys

hivelist shows the hives in memory with their virtual offsets. hivedump prints every key of one hive recursively with its last-write time. printkey -K searches the key path in every hive, so the machine-wide Run key (SOFTWARE hive, no Software\ prefix) and the per-user Run keys (NTUSER.DAT, with the Software\ prefix) need two queries.

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 hivelist
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -o <VIRTUAL_OFFSET> hivedump > SOFTWARE.dmp
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -K "Microsoft\Windows\CurrentVersion\Run" printkey
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -K "Software\Microsoft\Windows\CurrentVersion\Run" printkey

Volatility 3's printkey can walk a key recursively with --recurse; the hive is selected with --offset from windows.registry.hivelist.

volatility3/vol.py -f memory.elf windows.registry.hivelist
volatility3/vol.py -f memory.elf windows.registry.printkey --offset <VIRTUAL_OFFSET> --key ControlSet001\\Services\\<EvilService> --recurse

data carving

The strings tool prints the file offset of every hit with -t d (decimal); add -e l to also catch UTF-16LE strings, which most strings on Windows are. Volatility's strings plugin maps those physical offsets to the kernel or to the owning process (pid and virtual address).

strings -td memory.elf | grep NEEDLE > string_offsets
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 strings -s string_offsets

bulk_extractor carves artifacts matching known patterns (e-mail addresses, URLs, file headers of known types) out of the image and writes a report which can be opened in BEViewer.

bulk_extractor memory.image -o dump_directory
BEViewer

Other carving tools to mention are photorec and foremost.

Several Volatility plugins carve known kernel objects out of pool memory by their pool tags instead of walking the kernel's lists, so they also find terminated, unlinked or freed objects.

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 psscan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 netscan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 filescan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 hivescan
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 mutantscan -s

dump cleartext credentials from crashdump

A memory image can be converted into a Windows crash dump with Volatility:

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 raw2dmp -O memory.dmp

This crash dump can be opened in WinDbg (with symbols configured via _NT_SYMBOL_PATH). To dump cleartext credentials, load mimilib.dll of the same bitness as the dump, switch to the lsass.exe process context and run the !mimikatz extension:

.load /path/to/mimilib.dll
!process 0 0 lsass.exe
.process /r /p <ADDRESS>
!mimikatz

analysing kernel objects in volshell


_KDDEBUGGER_DATA64

The Kernel Debugging Data Block (KDBG) virtual address can be found with Volatility's imageinfo or kdbgscan plugins.

dt('_KDDEBUGGER_DATA64', <VIRTUAL ADDRESS>)

Interesting content: PsActiveProcessHead (head of the _EPROCESS list), PsLoadedModuleList (head of the kernel module list), KernBase (kernel base address).

Volatility plugins:

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 pslist
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 modules

_EPROCESS

The list head's Flink points at the ActiveProcessLinks entry embedded in the first _EPROCESS, so the object starts at Flink minus the offset of ActiveProcessLinks. That offset depends on the profile (0x188 is the Win7 x64 value); check it with dt('_EPROCESS'), which prints the structure layout.

dt('_LIST_ENTRY', <PsActiveProcessHead>)
dt('_EPROCESS', <Flink>-0x188)
ps()

Interesting content: UniqueProcessId, InheritedFromUniqueProcessId, ImageFileName, CreateTime and ExitTime, ActiveProcessLinks, Peb, Token, ObjectTable, VadRoot.
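Added example (not Volatility code) covering both the _EPROCESS walk above and the kernel-object carving in the data carving section: a constructed, identity-mapped fake memory image with a simplified _EPROCESS layout shows why pslist and psscan disagree for a process unlinked by DKOM. The pool tag, field offsets, object size and list-head address are invented for the example; real offsets come from dt('_EPROCESS'), and the real psscan validates the pool and object headers instead of trusting a bare tag match.

```python
import struct

# Constructed layout for the example only. Real offsets differ per Windows build and
# are read with dt('_EPROCESS') in volshell; the real process pool tag is "Pro\xe3".
POOL_HEADER_SIZE = 0x10
POOL_TAG_OFFSET = 0x4
POOL_TAG = b"Proc"
OFF_PID = 0x20                 # _EPROCESS.UniqueProcessId
OFF_ACTIVE_LINKS = 0x28        # _EPROCESS.ActiveProcessLinks (the 0x188 of the dt() call above)
OFF_IMAGE_NAME = 0x40          # _EPROCESS.ImageFileName (15 bytes)
OBJ_SIZE = 0x100               # pool allocation per process
HEAD = 0x100                   # PsActiveProcessHead (identity-mapped address)


class FakeMemory:
    """Flat buffer where virtual address == physical offset, so no page tables."""
    def __init__(self, size):
        self.buf = bytearray(size)

    def read(self, addr, n):
        return bytes(self.buf[addr:addr + n])

    def write(self, addr, data):
        self.buf[addr:addr + len(data)] = data

    def read_u64(self, addr):
        return struct.unpack_from("<Q", self.buf, addr)[0]

    def write_u64(self, addr, value):
        struct.pack_into("<Q", self.buf, addr, value)


def build_memory():
    """Four fake processes in a circular doubly linked list hanging off HEAD."""
    mem = FakeMemory(0x2000)
    procs = [(4, b"System"), (620, b"lsass.exe"), (1337, b"evil.exe"), (2100, b"notepad.exe")]
    eprocs = []
    for i, (pid, name) in enumerate(procs):
        alloc = 0x400 + i * OBJ_SIZE
        ep = alloc + POOL_HEADER_SIZE
        mem.write(alloc + POOL_TAG_OFFSET, POOL_TAG)
        mem.write_u64(ep + OFF_PID, pid)
        mem.write(ep + OFF_IMAGE_NAME, name.ljust(15, b"\0"))
        eprocs.append(ep)
    nodes = [HEAD] + [ep + OFF_ACTIVE_LINKS for ep in eprocs]
    for i, node in enumerate(nodes):
        mem.write_u64(node, nodes[(i + 1) % len(nodes)])      # Flink
        mem.write_u64(node + 8, nodes[(i - 1) % len(nodes)])  # Blink
    return mem, eprocs


def read_process(mem, ep):
    name = mem.read(ep + OFF_IMAGE_NAME, 15).split(b"\0")[0].decode()
    return mem.read_u64(ep + OFF_PID), name


def pslist(mem):
    """Walk the list like the pslist plugin: each Flink points at the next object's
    ActiveProcessLinks, so the _EPROCESS starts OFF_ACTIVE_LINKS bytes before it."""
    found, link = [], mem.read_u64(HEAD)
    while link != HEAD:
        found.append(read_process(mem, link - OFF_ACTIVE_LINKS))
        link = mem.read_u64(link)
    return found


def psscan(mem):
    """Carve like psscan: find pool tags and treat what follows the pool header as
    an _EPROCESS, linked or not. The real plugin also sanity-checks the object."""
    found, pos = [], mem.buf.find(POOL_TAG)
    while pos >= 0:
        found.append(read_process(mem, pos - POOL_TAG_OFFSET + POOL_HEADER_SIZE))
        pos = mem.buf.find(POOL_TAG, pos + 1)
    return found


def unlink_process(mem, ep):
    """DKOM: take the process out of the list but leave the object in memory."""
    link = ep + OFF_ACTIVE_LINKS
    flink, blink = mem.read_u64(link), mem.read_u64(link + 8)
    mem.write_u64(blink, flink)       # previous.Flink = next
    mem.write_u64(flink + 8, blink)   # next.Blink = previous
    mem.write_u64(link, link)         # orphaned entry points at itself
    mem.write_u64(link + 8, link)


def hidden_processes(mem):
    """What psscan sees that pslist does not: the classic hidden-process check."""
    listed = set(pslist(mem))
    return [p for p in psscan(mem) if p not in listed]


if __name__ == "__main__":
    mem, eprocs = build_memory()
    unlink_process(mem, eprocs[2])
    print("pslist :", pslist(mem))
    print("psscan :", psscan(mem))
    print("hidden :", hidden_processes(mem))
```

The unlinked object keeps its pool tag, PID and name, which is why tag-based carving still finds it; the same reasoning applies to the other scanners listed under data carving (netscan, filescan, hivescan, mutantscan).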

_PEB

To resolve user-space virtual addresses you first have to switch volshell's context to the owning process: sc() shows the current context, cc() changes it. The PEB address is the Peb member of the process's _EPROCESS.

sc()
cc(pid=<PID>)
dt('_PEB', <VIRTUAL ADDRESS>)

Interesting content: ImageBaseAddress, Ldr (pointer to _PEB_LDR_DATA), ProcessParameters (pointer to _RTL_USER_PROCESS_PARAMETERS), SessionId.

Volatility plugins:

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 sessions

_PEB_LDR_DATA

Interesting content: InLoadOrderModuleList, InMemoryOrderModuleList and InInitializationOrderModuleList, three lists of _LDR_DATA_TABLE_ENTRY (DllBase, SizeOfImage, FullDllName); a module unlinked from one of them is what ldrmodules reports.

Volatility plugins:

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> dlllist

_RTL_USER_PROCESS_PARAMETERS

Interesting content: ImagePathName, CommandLine, CurrentDirectory, DllPath, Environment (pointer to the environment block) and EnvironmentSize.

The environment block itself (UTF-16 NAME=VALUE strings one after the other, ended by an empty string) can be displayed with

db(<ENV_ADDRESS>, <ENV_SIZE>)

Volatility plugins:

volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> cmdline
volatility2/vol.py -f memory.elf --profile=Win10x64_18362 -p <PID> envars
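Added example (not the code of Volatility's cmdline or envars plugins) that reads ImagePathName, CommandLine and the environment block from a _RTL_USER_PROCESS_PARAMETERS the way those plugins do, including the _UNICODE_STRING layout and the "=C:=..." per-drive entries in the environment. The 64-bit field offsets 0x60/0x70/0x80 are assumed here and should be confirmed with dt(); the process memory is a constructed buffer at a hypothetical base address, not a real dump.

```python
import struct

# Field offsets inside _RTL_USER_PROCESS_PARAMETERS on 64-bit Windows (assumed here;
# confirm for your profile with dt('_RTL_USER_PROCESS_PARAMETERS') in volshell).
OFF_IMAGE_PATH_NAME = 0x60
OFF_COMMAND_LINE = 0x70
OFF_ENVIRONMENT = 0x80


class ProcessMemory:
    """Stand-in for a process address space: one constructed buffer mapped at a
    fixed virtual base. A read outside it raises, like an unmapped page would."""
    def __init__(self, base, buf):
        self.base, self.buf = base, buf

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.buf):
            raise ValueError(f"unmapped read at {addr:#x} ({n} bytes)")
        return self.buf[off:off + n]


def read_unicode_string(mem, addr):
    """_UNICODE_STRING: USHORT Length, USHORT MaximumLength, 4-byte pad, PWSTR Buffer.
    Length is in bytes and the buffer is not NUL-terminated, so read exactly Length."""
    length, _max, buf_ptr = struct.unpack("<HH4xQ", mem.read(addr, 16))
    if length == 0 or buf_ptr == 0:
        return ""
    return mem.read(buf_ptr, length).decode("utf-16-le", errors="replace")


def parse_environment(block):
    """Environment block: UTF-16LE 'NAME=VALUE' strings, each NUL-terminated, ended by
    an empty string. Entries like '=C:=C:\\dir' (per-drive working directories)
    start with '=', so the name/value split happens at the first '=' after index 0."""
    env = {}
    for entry in block.decode("utf-16-le", errors="replace").split("\0"):
        if entry == "":
            break                      # double NUL ends the block
        eq = entry.find("=", 1)
        if eq < 0:
            env[entry] = ""            # malformed entry: keep the raw text as the name
        else:
            env[entry[:eq]] = entry[eq + 1:]
    return env


def read_process_parameters(mem, params_addr, env_size):
    """What cmdline and envars print for one process, given ENV_SIZE from dt()."""
    env_ptr = struct.unpack("<Q", mem.read(params_addr + OFF_ENVIRONMENT, 8))[0]
    return {
        "image": read_unicode_string(mem, params_addr + OFF_IMAGE_PATH_NAME),
        "cmdline": read_unicode_string(mem, params_addr + OFF_COMMAND_LINE),
        "env": parse_environment(mem.read(env_ptr, env_size)),
    }


def build_sample():
    """Constructed sample process memory (not from a real dump): the parameter block
    at the base, the two strings and the environment block behind it."""
    base = 0x1000
    image = "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe".encode("utf-16-le")
    cmd = '"C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe" /silent'.encode("utf-16-le")
    env_block = "".join(s + "\0" for s in [
        "=C:=C:\\Users\\bob",
        "COMSPEC=C:\\Windows\\system32\\cmd.exe",
        "PATH=C:\\Users\\bob\\AppData\\Local\\Temp;C:\\Windows\\system32",
        "USERNAME=bob",
    ]).encode("utf-16-le") + "\0".encode("utf-16-le")
    image_addr, cmd_addr, env_addr = base + 0x100, base + 0x200, base + 0x400
    buf = bytearray(0x800)
    struct.pack_into("<HH4xQ", buf, OFF_IMAGE_PATH_NAME, len(image), len(image) + 2, image_addr)
    struct.pack_into("<HH4xQ", buf, OFF_COMMAND_LINE, len(cmd), len(cmd) + 2, cmd_addr)
    struct.pack_into("<Q", buf, OFF_ENVIRONMENT, env_addr)
    buf[0x100:0x100 + len(image)] = image
    buf[0x200:0x200 + len(cmd)] = cmd
    buf[0x400:0x400 + len(env_block)] = env_block
    return ProcessMemory(base, bytes(buf)), base, len(env_block)


if __name__ == "__main__":
    mem, params_addr, env_size = build_sample()
    info = read_process_parameters(mem, params_addr, env_size)
    print(info["image"])
    print(info["cmdline"])
    for name, value in info["env"].items():
        print(f"  {name}={value}")
```

Reading Length bytes instead of scanning for a terminator matters on real dumps: a stale or crafted _UNICODE_STRING whose buffer page is paged out simply raises here instead of returning neighbouring memory as if it were the command line.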