Memory Forensic

Brief description of topic

What is memory analysis?

An easy way to learn more about the attackers.

A malicious binary may only be present in memory. In memory there is no binary obfuscation to deal with: the code has to run, so it has to be unpacked.

How to acquire memory?

How to analyze it?

Sockets (connections/network artifacts)

Processes

Threads

Handles (files)

Mutexes

Libraries/modules

Filetypes 101/102

Executables

PE

COM

ELF

MACH-O

DOL

Documents

PDF

Archives

ZIP

RAR

GZIP

TAR

BZ2

Multimedia files

SWF/Flash

JPG

BMP

PNG

GIF

TIFF (LE/BE)

PGM

PPM

XBM

WAV
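The file types listed above are the ones worth recognising when carving artifacts out of a memory dump. The following is an added example, not code from the original page or from any forensic framework: a hypothetical Python carver that scans a byte buffer for the magic bytes of those formats, applies an extra header check where the magic alone is too short to trust (PE, BMP, WAV, PGM/PPM), and reports the offset and type of every hit. The sample memory region is constructed inline; COM and DOL are left out because they carry no magic bytes at all.

```python
"""Hypothetical helper: identify embedded files in a memory region by magic bytes."""
import struct
from typing import Callable, Dict, List, Tuple

# (type name, magic bytes, offset of the magic relative to the file start)
SIGNATURES: List[Tuple[str, bytes, int]] = [
    ("PE", b"MZ", 0),                    # validated further via the PE header
    ("ELF", b"\x7fELF", 0),
    ("MACH-O", b"\xfe\xed\xfa\xce", 0),  # 32-bit big-endian
    ("MACH-O", b"\xce\xfa\xed\xfe", 0),  # 32-bit little-endian
    ("MACH-O", b"\xfe\xed\xfa\xcf", 0),  # 64-bit big-endian
    ("MACH-O", b"\xcf\xfa\xed\xfe", 0),  # 64-bit little-endian
    ("PDF", b"%PDF-", 0),
    ("ZIP", b"PK\x03\x04", 0),
    ("RAR", b"Rar!\x1a\x07", 0),         # common prefix of the RAR4 and RAR5 magics
    ("GZIP", b"\x1f\x8b\x08", 0),        # 0x08 = deflate, the only method in use
    ("TAR", b"ustar", 257),              # POSIX tar keeps its magic at offset 257
    ("BZ2", b"BZh", 0),
    ("SWF", b"FWS", 0), ("SWF", b"CWS", 0), ("SWF", b"ZWS", 0),  # plain/zlib/LZMA
    ("JPG", b"\xff\xd8\xff", 0),
    ("BMP", b"BM", 0),                   # validated further via the header fields
    ("PNG", b"\x89PNG\r\n\x1a\n", 0),
    ("GIF", b"GIF87a", 0), ("GIF", b"GIF89a", 0),
    ("TIFF (LE)", b"II*\x00", 0), ("TIFF (BE)", b"MM\x00*", 0),
    ("PGM", b"P5", 0),                   # binary PGM ("P2" is the ASCII form)
    ("PPM", b"P6", 0),                   # binary PPM ("P3" is the ASCII form)
    ("XBM", b"#define ", 0),
    ("WAV", b"RIFF", 0),                 # validated further: "WAVE" at +8
]
# COM and DOL carry no magic bytes, so they cannot be found by signature.


def _valid_pe(buf: bytes, off: int) -> bool:
    # e_lfanew (uint32 at MZ+0x3C) must point at the "PE\0\0" signature
    if off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    return buf[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def _valid_wav(buf: bytes, off: int) -> bool:
    return buf[off + 8:off + 12] == b"WAVE"


def _valid_bmp(buf: bytes, off: int) -> bool:
    # file size (+2) and pixel-data offset (+10) must be plausible
    if off + 14 > len(buf):
        return False
    size, pixel_off = struct.unpack_from("<IxxxxI", buf, off + 2)
    return size >= 26 and 14 <= pixel_off < size


def _valid_pnm(buf: bytes, off: int) -> bool:
    # the magic must be followed by whitespace, e.g. "P5\n640 480\n255\n"
    return buf[off + 2:off + 3] in (b" ", b"\n", b"\t", b"\r")


VALIDATORS: Dict[str, Callable[[bytes, int], bool]] = {
    "PE": _valid_pe, "WAV": _valid_wav, "BMP": _valid_bmp,
    "PGM": _valid_pnm, "PPM": _valid_pnm,
}


def carve(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, type) for every validated signature hit, sorted by offset."""
    hits = set()
    for name, magic, magic_off in SIGNATURES:
        check = VALIDATORS.get(name, lambda b, o: True)
        pos = buf.find(magic)
        while pos != -1:
            start = pos - magic_off          # file start, accounting for the magic offset
            if start >= 0 and check(buf, start):
                hits.add((start, name))
            pos = buf.find(magic, pos + 1)
    return sorted(hits)


def build_sample_region() -> bytes:
    """Constructed sample: a fake memory region with a few embedded files."""
    dos = bytearray(b"MZ" + b"\x00" * 62)     # minimal DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after the header
    pe = bytes(dos) + b"PE\x00\x00" + b"\x00" * 20
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
    wav = b"RIFF" + struct.pack("<I", 36) + b"WAVEfmt "
    tar = b"\x00" * 257 + b"ustar\x00" + b"\x00" * 200
    zip_ = b"PK\x03\x04" + b"\x14\x00"
    filler = b"\xcc" * 16
    return filler + pe + filler + png + filler + wav + filler + tar + filler + zip_ + filler


if __name__ == "__main__":
    for offset, kind in carve(build_sample_region()):
        print(f"0x{offset:08x}  {kind}")
```

Hits are only reported once the extra header check passes, which is what keeps two-byte magics such as `MZ` or `BM` from flooding the output when scanning a real dump: an `MZ` whose e_lfanew does not land on `PE\0\0` is dropped, and a validated hit is a good candidate offset to hand to a process or file dumper.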

Instructions

x86

x64

Tools

There are a lot of useful tools; SANS created a cheat sheet describing their usage.

volatility

# Image info
vol -f memory.dmp imageinfo

# Show me running processes
vol -f memory.dmp pslist

# Find injected code and dump it
vol -f memory.dmp malfind

# Dump process
vol -f memory.dmp procdump -p <PID>

rekall

The Rekall Memory Forensic Framework is a collection of memory acquisition and analysis tools.

Useful rekall cheat sheet by SANS.

# Image info
rekal -f memory.dmp imageinfo

# Show running processes
rekal -f memory.dmp pslist
rekal -f memory.dmp pstree

# Show connections
rekal -f memory.dmp netscan
rekal -f memory.dmp netstat

# Find injected code and dump it
rekal -f memory.dmp malfind

# Dump process (rekal, not vol, in this section)
rekal -f memory.dmp procdump

Resources

Reverse engineering for Beginners, link
