Day 3 (FOR508.3)

Day 3 Memory Forensics in Incident Response and Threat Hunting

 

Step | What happens
1. Acquire | Capture raw memory (or an equivalent source, e.g. the hibernation file)
2. Context | Establish context: find the key memory offsets
3. Analyze | Analyse the data for significant elements and recover evidence

Acquiring a forensic image from a live machine within a large enterprise

https://github.com/google/grr-doc/blob/master/faq.md
https://holdmybeersecurity.com/2016/06/25/google-grr-incident-response-tool/

Attach a forensic image to your forensic workstation

cmd | result/remarks
mkdir /home/sansforensics/fresponsemounts | Create a mount point on which the images are attached later
mount -o ro,show_sys_files,streams_interface=windows /dev/loop1p2 /home/sansforensics/fresponsemounts | Mount the partition read-only; the two ntfs-3g options expose the NTFS system files ($MFT etc.) and alternate data streams

 

Acquiring Memory

powercfg -H <ON|OFF> (enables or disables hibernation, i.e. whether a hibernation file is written at all)

Tool | live/dead | XP/Win2003 | Windows 7/8/10 | Windows 2008/2012 | Windows 2016 | remarks
WinPMEM | live | YES | YES | YES | NO | 2016 requires a WHQL-signed driver to acquire RAM
Dumpit | live | YES | YES | YES | NO |
F-Response | live | YES | YES | YES | NO |
SIFT | live | YES | YES | YES | NO |
Belkasoft Live RAM Capturer | live | YES | YES | YES | NO |
Magnet Forensics RAM Capturer | live | YES | YES | YES | NO |
Hibernation file | dead | YES | YES | YES | YES | Use imagecopy (Volatility), hibr2bin.exe or Hibernation Recon to decompress it
Page and swap files | dead | YES | YES | YES | YES |
Memory/crash dump | dead | YES | YES | YES | YES |

Acquiring Virtual Memory

Product | MEM location | remarks
2008 Hyper-V | <Drive letter>\XXX\<VM Name>\Virtual Machines\GUID\ |
VM Workstation | <Drive letter>\XXX\My Virtual Machines\<VM name>\ |
VM Fusion | /Users/<username>/Documents/VirtualMachines.localized/ |
VM ESX | <DataCenterName>\DatastoreName\<VirtualMachineName>\ |
VirtualBox | .VirtualBox/Machines/<VM Name>/Snapshots/ | VirtualBox only saves the memory that is actively in use, so the snapshot might not be a full memory dump
Parallels | /Users/<username>/Documents/Parallels/<VM Name>/Snapshots |

Windows Memory Analysis

Step / search for ...:

Step 1: Identify Context
  Find the Kernel Processor Control Region (KPCR), the Kernel Debugger Data Block (KDBG) and the Directory Table Base (DTB)

Step 2: Parse Memory Structures
  • Executive Process (EPROCESS) blocks (PsActiveProcessHead links all currently running processes in memory)
  • Process Environment Block (PEB)
    • DLLs loaded
  • Virtual Address Descriptor (VAD) tree
    • List of memory sections (memory pages) belonging to the process
  • Kernel modules/drivers

Step 3: Scan for Outliers
  • Unlinked processes, DLLs, sockets and threads
  • Unmapped memory pages with execute privileges
  • Hook detection
  • Known heuristics and signatures

Step 4: Analysis
  Search for anomalies

Relative Security Identifier (RID)

RID | Reserved for
500 | Administrator
501 | Guest
512 | Domain Admins group
>1000 | "normal" users

Code injection IOC

vol.py malfind: lists memory regions (per process) with PAGE_EXECUTE_READWRITE protection that are NOT mapped to a file on disk.

Windows Portable Executable (PE) signature: 4d 5a 90 00, the "MZ" flag.

Assembly code equivalent to "MZ":
PUSH EBP
MOV EBP, ESP
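As an added illustration of the malfind logic above (example code, not from the course or from Volatility): a hypothetical VAD list is filtered for private PAGE_EXECUTE_READWRITE regions, and each hit is tagged by whether its first bytes carry an MZ/PE header or the push ebp / mov ebp, esp prologue. Region, looks_like_pe, malfind_like and the sample regions are all constructed for this example.

```python
import struct
from dataclasses import dataclass
# Win32 memory-protection constants used below (subset)
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
MZ = b"MZ"                  # 4d 5a: first bytes of a PE image
PE_SIG = b"PE\0\0"          # sits at the offset stored in e_lfanew (0x3c)
PROLOGUE = b"\x55\x8b\xec"  # push ebp / mov ebp, esp

@dataclass
class Region:               # one VAD entry; mapped_file None = private memory
    start: int
    protection: int
    mapped_file: "str | None"
    data: bytes             # first bytes of the region as read from the dump

def looks_like_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIG

def malfind_like(regions):
    """Flag private RWX regions, with the same hint malfind's disassembly gives."""
    findings = []
    for r in regions:
        if r.protection != PAGE_EXECUTE_READWRITE or r.mapped_file is not None:
            continue        # file-backed or non-executable: not a malfind hit
        if looks_like_pe(r.data):
            reason = "MZ/PE header"
        elif r.data.startswith(PROLOGUE):
            reason = "function prologue"
        else:
            reason = "rwx private region"   # could be JIT/heap: inspect manually
        findings.append((hex(r.start), reason))
    return findings

def fake_pe() -> bytes:     # constructed minimal MZ/PE header, not a real executable
    hdr = bytearray(0x100)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = PE_SIG
    return bytes(hdr)

SAMPLE_REGIONS = [          # constructed sample VAD list for one process
    Region(0x400000, PAGE_EXECUTE_READ, r"C:\Windows\explorer.exe", fake_pe()),
    Region(0x1A0000, PAGE_EXECUTE_READWRITE, None, fake_pe()),
    Region(0x2B0000, PAGE_EXECUTE_READWRITE, None, PROLOGUE + b"\x90" * 13),
    Region(0x3C0000, PAGE_EXECUTE_READWRITE, None, b"\x00" * 16),
    Region(0x4D0000, PAGE_READWRITE, None, b"\x00" * 16),
]
```

Running malfind_like(SAMPLE_REGIONS) reports the three private RWX regions and skips the file-backed image and the non-executable one; the zero-filled hit shows why malfind output still needs manual triage.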