Memory forensics

What is memory forensics? The short answer is: look for artefacts in memory. That is not necessarily easy to achieve, but there are a number of things you can look for in a memory image that help the investigation you have to perform.

The artefacts (with the Volatility plugins that expose them):

  • Password hashes (hashdump, lsadump, cachedump)
  • Cached network connections and sockets (netscan, netstat)
  • Process list of running programs and proof of execution (pslist, psscan, pstree)
  • Command lines of processes (cmdline)
  • DLLs loaded by each process (dlllist)
  • Injected or unbacked executable memory (malfind)

The example here is based on the image from the classroom, on which a malware sample was executed. It uses Volatility 3.1 against a Windows 10 memory image acquired with FTK 4.7.1.

Analysis carried out with Volatility 3.1 (https://www.volatilityfoundation.org/3)

Requirements

You need to clone the repository with "git clone https://github.com/volatilityfoundation/volatility3" on either Windows or Linux and have Python 3 installed as well. (Please note that REMnux does not come with Volatility 3 installed by default.)

Overview

Volatility 3 organises its plugins by operating system (windows., linux., mac.) and resolves kernel structures from symbol tables that match the kernel build in the image, whereas the old 2.x branch relied on profiles that you had to pick for the exact release of the operating system. This makes the new version work on a wider selection of memory dumps than the old one. Volatility 3 is also somewhat faster.

You can get a quick overview of the available plugins and options in Volatility with:

python3 vol.py -h

[Screenshot: output of the command above]

Once you have identified the plugin you want, run it against the image with -f followed by the image path and the plugin name (for example python3 vol.py -f image.raw windows.pslist.PsList). Please have a look at the cheat sheet:

volatility-3-cheatsheet.pdf

TIP

Redirect each plugin's output to a file named after the plugin, e.g. " > pslist.txt". That leaves you with the output on disk for later, and makes searching easier afterwards: cat pslist.txt | grep nameOfWhatYouAreLookingFor
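The workflow above (run a plugin, save its output under the plugin's name, then search the saved files) as a small shell wrapper. This is an added example, not code from the original page or from the Volatility project. It assumes the volatility3 clone is the working directory (or that VOL is set to another vol.py invocation) and that the image path is passed as the first argument; the pslist and netscan sample text at the bottom is constructed for illustration in the Volatility 3 column layout, not taken from a real image.

```shell
#!/usr/bin/env bash
# Added example: wraps Volatility 3 runs so each plugin's output lands in a file
# named after the plugin, then provides a few searches over the saved output.
# Assumption: run from the volatility3 clone, or set VOL="python3 /path/to/vol.py".
set -eu

VOL="${VOL:-python3 vol.py}"

# windows.pslist.PsList -> windows.pslist.txt (file named after the plugin).
outfile_for() {
    printf '%s.txt\n' "${1%.*}"
}

# Run one plugin, save its output, and record the exact command line beside it
# so the evidence trail shows how every file was produced.
run_plugin() {
    image="$1"; plugin="$2"
    out="$(outfile_for "$plugin")"
    printf '%s -f %s %s\n' "$VOL" "$image" "$plugin" > "${out%.txt}.cmd"
    $VOL -f "$image" "$plugin" > "$out"   # $VOL is intentionally word-split
    printf '%s\n' "$out"
}

# First-pass triage set covering the artefacts listed at the top of the page.
triage_windows() {
    for p in windows.info.Info windows.pslist.PsList windows.pstree.PsTree \
             windows.psscan.PsScan windows.cmdline.CmdLine windows.dlllist.DllList \
             windows.netscan.NetScan windows.hashdump.Hashdump windows.malfind.Malfind; do
        run_plugin "$1" "$p"
    done
}

# Case-insensitive search across every saved output; -H prints the file name.
search_outputs() {
    grep -iH -- "$1" ./*.txt || true
}

# PID(s) of a process name from pslist/psscan output on stdin (column 3 = ImageFileName).
pid_of() {
    awk -v name="$1" '$3 == name { print $1 }'
}

# ESTABLISHED TCP connections to non-RFC1918, non-loopback addresses from netscan
# output on stdin. Columns: Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort
# State PID Owner Created (only columns 1-9 are used, so the timestamp's space is harmless).
external_established() {
    awk '$2 ~ /^TCP/ && $7 == "ESTABLISHED" &&
         $5 !~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ {
             print $8, $9, $5 ":" $6
         }'
}

# Constructed sample output in Volatility 3 column layout (whitespace separated here).
SAMPLE_PSLIST='PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

4 0 System 0xe00000a1a040 120 - N/A False 2023-01-10 09:00:01.000000 N/A Disabled
1234 820 notepad.exe 0xe00001c2b080 3 - 1 False 2023-01-10 09:15:42.000000 N/A Disabled'

SAMPLE_NETSCAN='Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created

0xe00001d00010 TCPv4 10.0.2.15 49702 10.0.2.2 445 ESTABLISHED 4 System 2023-01-10 09:01:00.000000
0xe00001d00020 TCPv4 10.0.2.15 49811 203.0.113.7 443 ESTABLISHED 1234 notepad.exe 2023-01-10 09:15:50.000000
0xe00001d00030 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 896 svchost.exe 2023-01-10 09:00:05.000000'

if [ $# -gt 0 ]; then
    # Real run: ./triage.sh /path/to/image.raw
    triage_windows "$1"
    search_outputs "notepad"
else
    # No image given: demonstrate the searches on the constructed sample text.
    printf '%s\n' "$SAMPLE_PSLIST"  | pid_of notepad.exe
    printf '%s\n' "$SAMPLE_NETSCAN" | external_established
fi
```

The .cmd file written next to each output is there so that, weeks later, you can prove which plugin and which image produced a given text file. The netscan filter is deliberately a coarse first pass: a process like notepad.exe holding an established connection to a public address is a lead to follow up with cmdline, dlllist and malfind on that PID, not a verdict by itself.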

Linux plugins

This is the reference list of plugins as printed by the program (Ver. 3.2.5.0):

  • linux.bash.Bash
  • linux.capabilities.Capabilities
  • linux.check_afinfo.Check_afinfo
  • linux.check_creds.Check_creds
  • linux.check_idt.Check_idt
  • linux.check_modules.Check_modules
  • linux.check_syscall.Check_syscall
  • linux.elfs.Elfs
  • linux.envars.Envars
  • linux.iomem.IOMem
  • linux.keyboard_notifiers.Keyboard_notifiers
  • linux.kmsg.Kmsg
  • linux.lsmod.Lsmod
  • linux.lsof.Lsof
  • linux.malfind.Malfind
  • linux.mountinfo.MountInfo
  • linux.proc.Maps
  • linux.psaux.PsAux
  • linux.pslist.PsList
  • linux.psscan.PsScan
  • linux.pstree.PsTree
  • linux.sockstat.Sockstat
  • linux.tty_check.tty_check

Mac plugins

  • mac.bash.Bash
  • mac.check_syscall.Check_syscall
  • mac.check_sysctl.Check_sysctl
  • mac.check_trap_table.Check_trap_table
  • mac.ifconfig.Ifconfig
  • mac.kauth_listeners.Kauth_listeners
  • mac.kauth_scopes.Kauth_scopes
  • mac.kevents.Kevents
  • mac.list_files.List_Files
  • mac.lsmod.Lsmod
  • mac.lsof.Lsof
  • mac.malfind.Malfind
  • mac.mount.Mount
  • mac.netstat.Netstat
  • mac.proc_maps.Maps
  • mac.psaux.Psaux
  • mac.pslist.PsList
  • mac.pstree.PsTree
  • mac.socket_filters.Socket_filters
  • mac.timers.Timers
  • mac.trustedbsd.Trustedbsd
  • mac.vfsevents.VFSevents

Windows plugins

  • windows.bigpools.BigPools
  • windows.cachedump.Cachedump
  • windows.callbacks.Callbacks
  • windows.cmdline.CmdLine
  • windows.crashinfo.Crashinfo
  • windows.devicetree.DeviceTree
  • windows.dlllist.DllList
  • windows.driverirp.DriverIrp
  • windows.drivermodule.DriverModule
  • windows.driverscan.DriverScan
  • windows.dumpfiles.DumpFiles
  • windows.envars.Envars
  • windows.filescan.FileScan
  • windows.getservicesids.GetServiceSIDs
  • windows.getsids.GetSIDs
  • windows.handles.Handles
  • windows.hashdump.Hashdump
  • windows.info.Info
  • windows.joblinks.JobLinks
  • windows.ldrmodules.LdrModules
  • windows.lsadump.Lsadump
  • windows.malfind.Malfind
  • windows.mbrscan.MBRScan
  • windows.memmap.Memmap
  • windows.mftscan.MFTScan
  • windows.modscan.ModScan
  • windows.modules.Modules
  • windows.mutantscan.MutantScan
  • windows.netscan.NetScan
  • windows.netstat.NetStat
  • windows.poolscanner.PoolScanner
  • windows.privileges.Privs
  • windows.pslist.PsList
  • windows.psscan.PsScan
  • windows.pstree.PsTree
  • windows.registry.certificates.Certificates
  • windows.registry.hivelist.HiveList
  • windows.registry.hivescan.HiveScan
  • windows.registry.printkey.PrintKey
  • windows.registry.userassist.UserAssist
  • windows.sessions.Sessions
  • windows.skeleton_key_check.Skeleton_Key_Check
  • windows.ssdt.SSDT
  • windows.statistics.Statistics
  • windows.strings.Strings
  • windows.svcscan.SvcScan
  • windows.symlinkscan.SymlinkScan
  • windows.vadinfo.VadInfo
  • windows.vadwalk.VadWalk
  • windows.vadyarascan.VadYaraScan
  • windows.verinfo.VerInfo
  • windows.virtmap.VirtMap

Generic plugins (operating system independent)

  • banners.Banners
  • configwriter.ConfigWriter
  • frameworkinfo.FrameworkInfo
  • isfinfo.IsfInfo
  • layerwriter.LayerWriter
  • timeliner.Timeliner
  • yarascan.YaraScan