Author: randrada

Volatility pstree

Posted on by randrada

Memory Analysis using Volatility - pstree

Download Volatility Standalone 2.6 for Windows
Install Volatility in Linux

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

pstree – a volatility plugin that print all running processes as a tree(parent-child relationship).

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

 

Plugins

Using the Volatility pstree plugin, we can see the parent child relationship of all the processes.

This plugin can be a good use to detect if the sample have spawned another process.

#note: We can identify the child process because it is indented from the parent process.

Our syntax will be like: Vol.exe -f <memory_dump> –profile=<OS_version> pstree

In this sample, we can see that NjRAT malware spawned another processes when infecting the system.

Volatility pslist

Posted on by randrada

Memory Analysis using Volatility - pslist

Download Volatility Standalone 2.6 for Windows
Install Volatility in Linux

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

pslist – a volatility plugin that print all running processes by following the EPROCESS (a structure that Windows used to represent a process) lists.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

Plugins

Volatility pslist plugin enumerates all the running processes inside the captured memory dump.

This includes the (1) Process ID, (2) Parent Process ID, (3) Session ID and etc.

Our syntax will be like: Vol.exe -f <memory_dump> –profile=<OS_Version> pslist

To filter running processes,

We can use the -p option then feed it with the Process ID of choice.

Our syntax will be like: Vol.exe -f <memory_dump> –profile=<OS> pslist -p <PID>

In this sample we can see that pslist has enumerated all running processes, including a process that has an odd name with the process ID 4040.

OSForensics

Posted on by randrada

Digital Forensics using PassMark - OSForensics

Try OSForensic Free Trial
Click here to view OSForensics use cases

OSForensics is a commercial forensic tool designed to perform automatic triage for a faster and more reliable way to locate files on a Windows computer. You can search by filename, size, creation and modified dates, and other criteria depending on your needs.

Results are returned and made available in several different useful views. This includes the Timeline View, which allows you to sift through the matches on a timeline, making evident the pattern of user activity on the machine.

OSForensics has these capabilities:

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

Related Topic

WinPmem

Posted on by randrada

Memory Acquisition using Velocidex Enterprise - WinPmem

Velocidex WinPmem Github
Download WinPmem
WinPmem Releases
Click here to view Velocidex WinPMem use cases

WinPmem is a physical memory acquisition tool allowing investigator to recover and analyze valuable artifacts that are often only found in memory.

WinPmem has its following features:

      • Open Source
      • Support for WinXP – Win10, x86, x64. The WDK7600 can be used to include WinXP support. As default, the provided WinPmem executables will be compiled with WDK10, supporting Win7 – Win10, and feature more modern code.
      • Three different independent method to create memory dump. One method should always work even when faced with kernel mode rootkits.
      • Raw memory dump image support.
      • A read device interface is used instead of writing the image from the kernel like some other imagers. This allows us to have complex userspace imager (e.g. copy across network, hash etc), as well as analysis on the live system(e.g. can be run directly on the device).

In an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connection, malware intrusions, registry hives and etc that can be a valuable source as an evidence and not typically stored on the local hard disk. This is one of the investigator’s favorite data source to perform digital forensics and knowing the right tool to dump memory is a must.

Related Topic

Veloc WinMemCap

Posted on by randrada

Endpoint Detection and Response using - Velociraptor

Learn more about Velociraptor
More about Artifacts

Velociraptor is a sophisticated digital forensic and incident response tool that improves visibility into endpoints. It was developed by DFIR professionals who needed a powerful and efficient way to hunt for specific artifacts and monitor activities across fleets of endpoints.

Velociraptor Query Language gives Velociraptor power and flexibility. VQL is a framework for creating highly customized artifacts, which allows you to collect, query, and monitor almost any aspect of an endpoint, groups of endpoints, or an entire network. It can also be used to create continuous monitoring rules on the endpoint, as well as automate tasks on the server. (source: https://docs.velociraptor.app/docs/overview/)

From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero without performing an interactive logon. This is also because during an incident, multiple endpoints might be involved and performing an interactive logon on each of these endpoints is not an ideal response for any responder.

Related Topic

Let’s dive into Velociraptor and what’s the one cool thing about it? It’s called Artifacts.

What are Artifacts? Artifacts are mini-programs which are composed of VQL queries. This allows Velociraptor users to search for the query by name or description and simply run the query on the endpoint without necessarily needing to understand or type the query into the UI. (source: https://docs.velociraptor.app/docs/vql/artifacts/)

Velociraptor has an artifact named Windows.Memory.Acquisition which function is to acquire the live memory to its client using the WinPmem tool, which gives a responder the ability to triage the system’s volatile data.

#note: This may take a while depending on the resources on your system you’re working on.

 

Magnet RAM Capture

Posted on by randrada

Memory Acquisition using Magnet Forensics - RAM Capture

Download Magnet RAM Capture
Click here view Magnet Forensics RAM Capture use cases

Magnet RAM Captuer is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.

Magnet RAM Capture has a small memory footprint, meaning investigators can run the tool while minimizing the amount of data that is overwritten in memory. You can export captured memory data in Raw (.DMP/.RAW/.BIN) format and easily upload it into leading analysis tools, including Magnet AXIOM and Magnet IEF.

Why Memory Dump?

Volatile memory can reveal a lot of important information about a system and its users. There are often instances where evidence stored in memory is never written to the hard drive and may only be found in pagefile.sys and hiberfil.sys. Memory analysis is essential to many malware and intrusion incidents and can be imperative in recovering valuable evidence for almost any PC investigation. Running processes and programs, active network connections, registry hives, passwords, keys, and decrypted files are just a few examples of the evidence that can be found in memory. Many web apps, like Gmail, or private/incognito browsing modes, will only store data in memory, meaning the evidence cannot be recovered from the hard disk. (source: https://www.magnetforensics.com/blog/acquiring-memory-with-magnet-ram-capture/).

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

 

Related Topic

AccessData FTK

Posted on by randrada

Memory Acquisition using AccessData - FTK

Download FTK Imager 4.7
Click here to view FTK Imager use cases

FTK Imager is a data preview and imaging tool used to acquire data(evidence) in a forensically sound manner by creating copies of data without making changes to the original evidence. FTK Imager 4.5 includes faster image creation, additional evidence processing improvements including XFS file system support, improvements to the command line, disk imaging , evidence parsing, and memory dump.

Why Memory Dump?

Volatile memory, or RAM, is used to store data currently used by a running process: whether it is a user application or a system service. This type of memory is much quicker than a regular hard drive, but unlike files permanently stored on a drive(unless deleted), data from RAM may disappear instantly. At the time, it may store data crucial for your case, including passwords in raw format without encryption or encoding, decrypted data otherwise kept encrypted on a drive, decryption keys for various services, apps, and WDE, remote session data; chats in social networks; malware code; cryptocurrency transactions; various system info such as loaded registry branches; and so on.(source: https://belkasoft.com/ram-dumping-tool-selection)

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

Related Topic

RegRipper3.0

Posted on by randrada

Endpoint Incident Response using - RegRipper

Download RegRipper 3.0
Click here to view RegRipper use cases

RegRipper is an open source forensic software application developed by Harlan Carvey, and what it does is extract data from the Windows Registry, ranging from user-related registry to system registry and etc.

RegRipper has a set of plugins that can be used by the examiner to suit their needs.

From an incident response perspective, identifying the patient zero during the incident or an infection is just the tip of the iceberg. A responder must gather evidence, artifacts, and data about the compromised systems and having the right tool to execute these actions is a must. Not only does it automate everything, but it also helps the responder to reduce the time to solve the issue.

Automate Artifact Collection

Dumpit

Posted on by randrada

Memory Acquisition using MoonSols - DumpIt.exe

Download DumpIt.exe

DumpIt is a tiny free utility tool that is used to generate a physical memory dump of Windows machines. It works with both x86 and x64 machines. The raw memory dump is generated in the current directory; only a confirmation question is prompted before starting. This is perfect for deploying the executable on USB keys for quick incident response needs.

Why Memory Dump?

Volatile memory, or RAM, is used to store data currently used by a running
process: whether it is a user application or a system service. This type of memory is much quicker than a regular hard drive, but unlike files permanently stored on a drive(unless deleted), data from RAM may disappear instantly. At the time, it may store data crucial for your case, including passwords in raw format without encryption or encoding, decrypted data otherwise kept encrypted on a drive, decryption keys for various services, apps, and WDE, remote session data; chats in social networks; malware code; cryptocurrency transactions; various system info such as loaded registry branches; and so on.(source: https://belkasoft.com/ram-dumping-tool-selection)

From an incident response perspective, the volatile data residing inside the
system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

Related Topic

This is a GUI-based tool, which is easy to use.

After executing the DumpIt.exe tool, it will prompt with a question.

Hit “y” to proceed, then a live RAM capture will be dumped.

#note: This may take a while depending on the resources on your system you’re working on.

 

Belkasoft RamCapture

Posted on by randrada

Memory Acquisition using Belkasoft - Live RAM Capture

Download Belkasoft Live RAM Capturer
Click here to view Belkasoft RamCapture uses cases

Belkasoft Live RAM Capturer is a tiny free forensic tool that allows you to reliably extract the entire contents of a computer’s volatile memory-even if protected by anti-debugging or anti-dumping system. Belkasoft RAM Capturer is compatible with all versions and editions of Windows, including XP, Vista, Windows 7, 8, and 10, 2003, and 2008 Server.

Why Memory Dump?

Volatile memory, or RAM, is used to store data currently used by a
running process: whether it is a user application or a system service.
This type of memory is much quicker than a regular hard drive, but
unlike files permanently stored on a drive(unless deleted), data from
RAM may disappear instantly. At the time, it may store data crucial for
your case, including passwords in raw format without encryption or
encoding, decrypted data otherwise kept encrypted on a drive, decryption
keys for various services, apps, and WDE, remote session data; chats in
social networks; malware code; cryptocurrency transactions; various
system info such as loaded registry branches; and so on.(source: https://belkasoft.com/ram-dumping-tool-selection)

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

Related Topic