We’re going to do some memory forensics today!
Learning Objectives #
- Understand what memory forensics is and how to use it in a digital forensics investigation.
- Understand what volatile data and memory dumps are.
- Learn about Volatility and how it can be used to analyse a memory dump.
- Learn about Volatility profiles.
What is Memory Forensics #
Also known as volatile memory analysis or RAM forensics, is a branch of digital forensics.
It’s examiniation and analysis of a computers RAM, to uncover digital evidence and artefacts. This differs from hard disk forensics, where all files on the disk can be recovered. Memory forensics focuses on the programs that were running when the memory dump took place.
This data is volatile since it will be deleted when the computer is turned off.
What is Volatile Data #
It’s information that is temporarily stored in RAM and can be easily lost or altered when the computer is powered off (or restarted).
Volatile data is crucial for investigators because it provides a snapshot of the computers state at the time of an incident.
An initial reaction might be to turn off the device to contain the threat, this leads to valuable information being lost. \
Example of Volatile Data:
- Running processes
- Network connections
- RAM contents
What are Processes #
It’s an independent, self-contained unit of execution within an OS. It consists of its own program code, data, memory space and system resources. \
We can categorise processes into two distinct groups:
| Category | Description | Example |
|---|---|---|
| User Process | Processes a user has started. Typically involves applications and software the users interact with directly | Firefox |
| Background Process | Processes that operate without direct user interaction. Often perform tasks that are essential for the system’s operation or for providing services to user processes | Automated backups |
Volatility #
Volatility is a command-line tool (cli) that lets digital forensics and incident response teams analyse a memory dump.
It’s written in Python and can analyse snapshots taken from Linux, MacOS and Windows. It has a wide range of use cases, including the following:
- Listing any active and closed network connections.
- Listing a device’s running processes at the time of capture.
- Listing possible command line history values.
- Extracting possible malicious processes for further analysis.
- …
Volatility Profiles #
Profiles are crucial for correctly interpreting the memory dump.
It defines the OS architecture, version and various memory specifics to the target system.
To view profiles for Windows, run vol.py --info.
Profiles for Linux have to be manually created from the same device the memory dump is from. Some of the reasons why:
- Linux is not a single, monolithic OS. Each distribution may have different kernel versions, configurations and memory layouts.
- Unlike Windows, Linux kernel internals can vary significantly across different distros and versions.
- Linux is open-source. This leads to greater flexibility and customisation, but also results in more variability in memory structures.
In todays room, THM has allready created a profile for us.
To use the profile, run:
cp profile.zip ~/.local/lib/python2.7/site-packages/volatility/plugins/overlays/linux/.
Then run vol.py --info | grep Ubuntu to confirm our profile is set.
To create your own Linux profiles, check out this article.
Memory Analysis #
We have to specify the -f flag and the --profile flag to begin the analysis. The -h shows the help, and the plugins we can use to help with our analysis.
vol.py -f linux.mem --profile="LinuxUbuntuProfile" -h.
Volatility Plugins #
History File #
A good place to start. It allows us to see whether there are any commands executed by our malicious actor while they were on the system.
vol.py -f linux.mem --profile="LinuxUbuntuProfile" linux_bash
Running Processes #
Examining running processes is fundamental and crucial part of analysing a system’s memory dump.
vol.py -f linux.mem --profile="LinuxUbuntuProfile" linux_pslist
Process Extraction #
A good way to understand what a process is doing is by extracting the binary of the process.
vol.py -f linux.mem --profile="LinuxUbuntuProfile" linux_procdump -D extracted/ -p <pidnumber>.
File Extraction #
We can utilise the linux_enumerate_files plugin to help us enumerate files on the server.
This help us review any files of interest.
vol.py -f linux.mem --profile="LinuxUbuntuProfile" linux_enumerate_files | grep -i cron to grep for cron files.
To extract the file we need the inode value (to the far left of the previous command). Then run:
vol.py -f linux.mem --profile="LinuxUbuntuProfile" linux_find_file -i <inode_value> -O extracted/output_file