BulkExtractor is a command-line tool that carve data such as URLs, emails, and PDF files.
Windows Memory contains rich and valuable information that can be used as source artifact for gathering evidences and by having enough knowledge how to parse the data can be helpful for the investigator to perform their tasked.
Volatility is a tool used for the extraction of digital artifacts from volatile memory (RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time-efficient and quick manner.
UserAssist– a volatility plugin that is used to print userassist registry keys and information.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
Related Blog Post:
https://www.eyehatemalwares.com/incident-response/blog-ir/phishing-ir-approach/
mactime creates an ASCII timeline of file all activity. This tool can be used to detect anomalous behavior and be able to reconstruct events, its output is a .txt format that contains reconstructed activity.
Why Timeline?
Reconstructing the events can play an important role during the investigation, because it allows the investigator to rebuild the activities happened before and after the event was first detected. It allows the investigator to have a bird’s eye view of the activities done by a certain malware or a threat actors and used this to construct a systematize action.
To be able to use this tool, first we must install Perl.
On Strawberry Perl’s website, download perl that suits your Windows Architecture.
Next, download Sleauthkit. (As of, Sleauthkit’s version is currently 4.11.1)
Next, extract Sleauthkit.zip to C:\ drive.
Then, browse to the C:\Sleauthkit\bin directory and then copy it.
Now, go to Environment Variables and add the copied directory to Path variable.
In this demo, we will use a sample body file to be processed by mactime using the -b parameter.
Then, we save the output in a .txt format named mac_timeline.txt
Command: mactime.pl -b body.txt > mac_timeline.txt
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
timeliner – a volatility plugin that is used to create timeline for various artifacts found in the memory.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
Scenario: You are tasked with investigating an endpoint that is flagged by the IDS/IPS contacting a suspicious external server.
Approach: Detecting Clipboard Function Hooking
This approach answers the question(s):
What is name of malicious process?
What technique does this malware use for stealth operation?
When was the process started?
What type of malware was detected? How so?
In what family and variant does this malware belong?
Below are the detailed step-by-step analysis taken to extract valuable information from the given memory sample.
#note: Use a separate isolated machine to perform this task.
To detect the presence of a spyware info-stealing malware in the memory we need to enumerate Windows station.
Windows Station contains information about clipboard activity and by analyzing this data source the analyst can detect clipboard snooping along with the frequency of clipboard usage which is a normal capability of a spyware.
To perform this task, we need to run Volatility wndscan plugin.
– –
First, open command prompt with administrator privilege and run the following syntax:
In Windows: vol.exe -f <mem.dmp> –profile=<OS> wndscan
In Linux: python vol.py -f <mem.dmp> –profile=<OS> wndscan
– –
We need to pay attention on the details inside spwndClipViewer which give us an overview on what process tries to own the clipboard function.
In this case, we see IEXPLORE.EXE:1560 in WinSta0 which a reg flag for us because why is the internet facing process such as internet explorer tries to access and monitor our clipboard.
– –
Through this data we can now then start our triage to support our investigation.
From performing this approach we are able to answer the question:
“What is name of malicious process?” A: IEXPLORE.EXE:1560
We are now proceeding to Step 2: Enumerating the Target Process.
Now, we have identified our target process from enumerating Windows Station.
We can now list the process using Volatility pslist and cmdline plugin.
To perform this task.
– –
First, run Volatility pslist plugin.
In Windows: vol.exe -f <mem.dmp> –profile=<OS> pslist -p 1560
In Linux: python vol.py -f <mem.dmp> –profile=<OS> pslist -p 1560
– –
Next, run Volatility cmdline plugin to know if this process resides on its original location.
In Windows: vol.exe -f <mem.dmp> –profile=<OS> cmdline -p 1560
In Linux: python vol.py -f <mem.dmp> –profile=<OS> cmdline -p 1560
In this case, we see internet explorer is a legitimate process.
– –
We have identified that the process is legitimate but it does not make sense because this process is monitoring our clipboard function.
From performing this approach, we can now answer the following question:
“When was the process started?” A: 2016-04-30 17:41:34 UTC+0000
Now, we are ready to dig deeper and proceed to Step 3: Identifying Process Injection.
We identified that our target process is a legitimate Internet Explorer process but this doesn’t seem right.
We have to dig deeper.
From a malware analysis perspective, we know that a malware can inject code from another process(legitimate process mostly) to perform its malicious intent and to avoid detection.
To hunt for this injection process,
– –
First, run Volatility malfind plugin.
In Windows: vol.exe -f <mem.dmp> –profile=<OS> malfind -p 1560
In Linux: python vol.py -f <mem.dmp> –profile=<OS> malfind -p 1560
In this case, we see that malfind detects discrepancies on 0x10000000 virtual address.
– –
What we see from this result are:
Red Flag #1: 0x10000000 has PAGE_EXECUTE_READWRITE Memory Protection
Red Flag #2: 5a4d MZ – Executable running from this memory region.
This can give us an idea that this memory region was injected with malicious code.
– –
Now, we identified the discrepancies and also see why our target process IEXPLORE.EXE:1560 is behaving oddly.
From this approach, we can now answer the question:
“What technique does this malware use for stealth operation?” A: Remote Process Injection
Now, we are ready to proceed on the next step. Step 4: Extraction of Suspicious Memory Region.
Now, we have identified the reason why our target process is monitoring Windows Station clipboard activity.
The next step we need to do is to extract this memory region that we suspectedly identified being injected with a malicious code.
To perform this task,
– –
First, we need to copy the identified injected memory region.
In Windows: vol.exe -f <mem.dmp> –profile=<OS> vaddump -p 1560 -b 0x10000000 -D <dir>
In Linux: python vol.py -f <mem.dmp> –profile=<OS> vaddump -p 1560 -b 0x10000000 -D <dir>
In this case, we successfully dump the suspicious memory region.
– –
Next, we extract strings from our extracted memory region.
The syntax will be like: strings.exe <memoryaddress_dmp> | findstr -i key
We pipe our result to findstr command to match “key” keyword.
– –
By performing the actions above, we were able to extract strings.
We can now see that this memory region has GetKeyboardState(), TServerKeylogger and etc. strings.
Now, we were able to identify that this memory region is injected with malicious keylogger malware.
– –
We can now able to answer the question:
“What type of malware was detected? How so?” A: Spyware or Info-stealing malware, it can monitor keyboard.
Now, we proceed to Step 5: Wrapping our Investigation.
Now, we are able to identify why our target process is behaving oddly.
We can now able to wrap our investigation, by hashing the extracted memory region and then submit to VirusTotal.
To perform this task,
– –
First, drag the dumped memory region to HashMyFiles tool and get the hash value.
Next, submit hash value to VirusTotal[.]com
Now, we are able to detect that our sample was then flagged by VirusTotal as malicious.
We can see that 40/67 AV Vendor detect it as malicious and some labeled it as Trojan.Fugrafa and RAT.XTREME malware.
– –
We can now answer the following question:
“In what family and variant does this malware belong?” A: XTREME RAT Family && Gen.Variant.Fugrafa.
Through this approach, we are able to detect a malware that can able to hook clipboard function and we were able to support our theory and then proved it.
We know how to combine different Volatility plugins to helps us with our investigation.
#note: There are other approach for detecting spyware and this is just an example.
Feel free to explore and identify what suits your need. Happy learning.
Scenario: You are tasked with investigating an endpoint that is flagged by the IDS/IPS contacting a suspicious external server.
Approach: Carving Executable Files Artifacts
This approach answers the question(s):
What is name of malicious process?
What technique does this malware use for stealth operation?
How many entries of malicious .exe found on the disk?
What type of malware was detected? How so?
Is there any additional file created? When was the file created?
Creation: 2014-10-22 17-09-32 UTC+0000
Modified: 2014-10-22 17-09-32 UTC+0000
MFT Altered: 2014-10-22 17-09-32 UTC+0000
Access Date: 2014-10-22 17-09-32 UTC+0000
Below are the detailed step-by-step analysis taken to extract valuable information from the given memory sample.
#note: Use a separate isolated machine to perform this task.
In conducting digital forensic, we have to start with what we know.
Since we are tasked with investigating an endpoint that reports to a known malicious external server, we know that there might be a process responsible for this action.
To perform this task, we need to enumerate all the running processes inside our captured volatile memory.
– –
First, we will use Volatility pstree plugin to enumerate the parent-child relationship of all running processes.
To perform this task, we run the syntax:
In Windows: vol.exe -f <mem.dmp> –profile=<OS> pstree
In Linux: python vol.py -f <mem.dmp> –profile=<OS> pstree
In this case, we see red flag.
Red Flag 1: Process ID 1676,1700 with incorrect name scvhost.exe and wuaumqr.exe
– –
Next, we try to run Volatility pslist plugin with svchost.exe to see if there is PID: 1676.
To perform this task, we run the syntax:
In Windows: vol.exe -f <mem.dmp> –profile=<OS> pslist | findstr -i “svchost”
In Linux: python vol.py -f <mem.dmp> –profile=<OS> pslist | grep -i “svchost”
In this case, we see another red flag.
Red Flag 2: Enumerating svchost.exe no 1676 since it is spelled s”C”vhost.exe instead of s”V”chost.exe
#tip: This technique is called Pyscholinguistic technique. Malware authors used this for stealth technique and to avoid detection where they replace either a letter of a legitimate process or swapping it.
– –
Then, we try to run Volatility cmdline plugin with both PIDs 1676 and 1700 to view where was this executable located inside the disk.
To perform this task, we run the syntax:
In Windows: vol.exe -f <mem.dmp> –profile=<OS> cmdline -p <PID>
In Linux: python vol.py -f <mem.dmp> –profile=<OS> cmdline -p <PID>
In this case, we see wuaumqr.exe:1700 is residing at C:\Windows\System32
– –
After running these series of plugins and commands we can see the red flags of the processes.
Now, we can start on our investigation with this information.
Done by our analysis, we can now answer the questions:
“What is name of malicious processes?” scvhost.exe:1676 && wuaumqr.exe:1700
“What technique does this malware use for stealth operation?” A: Psycholinguistic Technique
We already identified the red flags just by running simple pslist and pstree plugin.
Now, we know that there are 2 processes involve name scvhost.exe:1676 and wuaumqr.exe:1700, we can search this executable from the memory using Volatility filescan plugin.
To perform this task,
– –
First, we need to extract all the file entries found in our memory:
In Windows: vol.exe -f <mem.dmp> –profile=<OS> filescan > filelist.txt
In Linux: python vol.py -f <mem.dmp> –profile=<OS> filescan > filelist.txt
– –
Next, we need to perform filtering to our extracted file entries using sysinternals strings.exe.
In Windows: strings -a <extracted>.txt | findstr -i “.exe” > exefiles.txt
In Linux: strings -a <extracted>.txt | grep -i “.exe” > exefiles.txt
Now, we successfully extracted .exe files.
– –
Having this artifacts, we can now proceed to Stage 3: Looking for .EXE files of Interest.
Now, having the artifacts we can now search for our file of interest.
From the previous analysis, we identified that there are processes involve with .exe file extension.
Now, we will use this information to start and know what we are looking for.
In our case, we are interested with the .exe file that resides inside C:\Windows\System32 which named wuaumqr.exe that we know mimic wuaumgr.exe(Windows Automatic Update Manager).
– –
First, open “exefiles.txt” with a text editor tool.
Next, search for “wuaumqr.exe”.
In this case, we can now see the suspicious .exe file and its equivalent Physical address.
We found 2 entries:
– –
After performing such actions, we can confirm that our .exe file of interest resides on the disk and we identified that there are 2 entries.
Now, we will use the physical offset address of the found entries to extract these executable.
We run the following syntax:
In Windows: vol.exe -f <mem.dmp> –profile=<OS> dumpfiles -Q <physical_offset> -D <dir>
In Linux: python vol.py -f -f <mem.dmp> –profile=<OS> dumpfiles -Q <physical_offset> -D <dir>
In this case, we have extracted 2 artifacts of wuaumqr.exe
– –
Now, we have extracted the artifacts and can answer the question:
“How many entries of malicious .exe found on the disk?”
We are now ready to Step 4: Wrapping our Investigation.
Now, we have extracted artifacts related to our suspicious process. What to do now?
We can run strings and extract the data inside of these dumped executable.
– –
First, we extract all strings from our sample.
In our case, we can see words like “Keylogger” which gives us an indication that this executable is malicious.
We also, see strings like F5, F6 and other .exe which can be use to create our host-based IOC.
– –
Next, we hash our sample and submitted to VirusTotal[.]com.
In this case, VT results 47/54 AV Vendor flagged it malicious SpyBot:Keylogger.
Now, we identified that our sample is malicious and labeled as SpyBot Keylogger.
From a malware analysis perspective, Keylogger malware logs all the data, keystrokes to the disk before beaconing it towards the external server to be analyzed by its owner.
We will try to hunt this if there are any.
To perform this task:
– –
First, perform osint and check for additional information on VirusTotal[.]com
In this case, we see that this malware creates a text file named “keylog.txt” that is logged inside C:\Windows\System32
– –
Next, we extract $mft entries to see if we can find this log file.
In Windows: vol.exe -f <mem_dump> –profile=<OS> mftparser –output-file=mft.txt -D <dir>
In Linux: python vol.py -f <mem_dump> –profile=<OS> mftparser –output-file=mft.txt -D <dir>
After successful execution, we have extracted all $mft entries and dumped it to disk and save it in a text file.
– –
Now, we can perform simple search of this “keylog.txt” from the extracted $mft entries.
In this case, we can confirm that that “keylog.txt” was then found.
We can also see the date/time information:
Creation: 2014-10-22 17-09-32 UTC+0000
Modified: 2014-10-22 17-09-32 UTC+0000
MFT Altered: 2014-10-22 17-09-32 UTC+0000
Access Date: 2014-10-22 17-09-32 UTC+0000
– –
Not only we found the additional file created, we also gather the date-time information which can really help if we timeline the incident.
Now, we can answer the question: “Is there any additional file created? When was the file created?”.
