Volatility getsids

Memory Analysis using Volatility - getsids

Volatility is a tool used to extract digital artifacts from volatile memory (RAM) samples. It uses a set of plugins that extract these artifacts quickly and efficiently.

getsids is a Volatility plugin that prints the SIDs owning each process.

A SID (Security Identifier) is a unique value of variable length used to identify a trustee. Each account has a unique SID issued by an authority, such as a Windows domain controller, and stored in a security database. Each time a user logs on, the system retrieves that user’s SID from the database and places it in the user’s access token. The system then uses the SID in the access token to identify the user in all subsequent interactions with Windows security.

From an incident response perspective, the volatile data residing in the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions and registry hives that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.


A Security Identifier helps the investigator/analyst identify lateral movement in the environment.

Typically an attacker might use an existing account or create a new account and add it to the Administrators group. The SID can help us identify what privileges this account has.

The Volatility getsids plugin gives us a clear view of these artifacts in our volatile memory.

In this sample, why do we investigate explorer.exe?

explorer.exe is responsible for user interaction on the system, which includes opening, reading or deleting a file and many other functions that involve user interaction. The Volatility getsids plugin can extract the account names and their SIDs from a process, which can be a great help for the investigator/analyst during incident response and forensics. (It can be another process rather than explorer.exe; this depends only on the situation you have.)

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> getsids -p <PID>

#note: If there is a SID value that has no equivalent account name, the account being used might be on a remote system whose details Volatility has no access to; that is why it is left blank.

#note: This plugin can help you investigate critical systems: if you have an alert that an account is compromised and is being used for lateral movement, you can check whether the critical systems were accessed by the compromised account.
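The triage described above (which accounts a process runs as, whether any of them is privileged, and which SIDs could not be resolved) can be automated over the plugin's text output. The script below is an added example, not part of the original write-up or of Volatility itself. It assumes the line layout of Volatility 2 getsids ("process (pid): SID (name)", with the name omitted when unresolved); the sample lines, process names and account SIDs are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Volatility 2 getsids output (not taken from the page's screenshot).
# One line per SID in a process token: "<process> (<pid>): <SID> (<name>)".
# The trailing "(<name>)" is missing when Volatility cannot resolve the SID from the
# captured hives, e.g. an account from another machine or domain.
SAMPLE_GETSIDS = """\
System (4): S-1-5-18 (Local System)
System (4): S-1-5-32-544 (Administrators)
explorer.exe (1484): S-1-5-21-1001-1002-1003-1105 (alice)
explorer.exe (1484): S-1-5-21-1001-1002-1003-513 (Domain Users)
explorer.exe (1484): S-1-5-32-545 (Users)
cmd.exe (2140): S-1-5-21-9999-8888-7777-500
cmd.exe (2140): S-1-5-32-544 (Administrators)
cmd.exe (2140): S-1-5-21-9999-8888-7777-512
"""

LINE_RE = re.compile(
    r"^(?P<proc>\S+) \((?P<pid>\d+)\): (?P<sid>S-1-[\d-]+)(?: \((?P<name>.*)\))?$"
)

# Well-known values for privilege triage (Microsoft-documented SIDs/RIDs).
ADMIN_GROUP_SID = "S-1-5-32-544"  # BUILTIN\Administrators
HIGH_PRIV_RIDS = {
    "500": "built-in Administrator",
    "512": "Domain Admins",
    "519": "Enterprise Admins",
}


def parse_getsids(text):
    """Group getsids lines by process: {(name, pid): [(sid, resolved_name_or_None), ...]}."""
    tokens = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything unexpected
        tokens[(m["proc"], int(m["pid"]))].append((m["sid"], m["name"]))
    return dict(tokens)


def triage(tokens):
    """Return {(name, pid): [reason, ...]} for processes whose token deserves a look."""
    findings = {}
    for key, sids in tokens.items():
        reasons = []
        for sid, name in sids:
            if sid == ADMIN_GROUP_SID:
                reasons.append("member of local Administrators")
            rid = sid.rsplit("-", 1)[-1]
            if sid.startswith("S-1-5-21-") and rid in HIGH_PRIV_RIDS:
                reasons.append(f"{HIGH_PRIV_RIDS[rid]} (RID {rid})")
            if name is None:
                # Unresolved SID: the account is not in the local hives, which is what an
                # account from another system (lateral movement) looks like in getsids.
                reasons.append(f"unresolved SID {sid}: not in local hives, possibly remote account")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (proc, pid), reasons in triage(parse_getsids(SAMPLE_GETSIDS)).items():
        print(f"{proc} ({pid}):")
        for r in reasons:
            print(f"    {r}")
```

Feed it the saved output of `vol.exe ... getsids` (without `-p`, so every process is covered) and read the findings next to pslist: an interactive process such as cmd.exe holding an Administrators SID plus an unresolved domain SID is the pattern the note above describes.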

Volatility yarascan

Memory Analysis using Volatility - yarascan


yarascan is a Volatility plugin that scans process or kernel memory with YARA signatures.


Using the Volatility yarascan plugin, we can speed up the search for interesting information by using the -Y option and feeding it the signature we want to find.

In the sample below, we will use the string “notepad.pdb”, which is found inside the notepad.exe process, to see whether yarascan is able to find it inside our volatile memory.

We can see that yarascan is able to find the owning process and its process ID.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> yarascan -Y "<signature>"

In this sample, we will investigate a memory image infected with the Sinowal malware using the Volatility yarascan plugin.

First, we run netscan to list connections and retrieve network-related IOCs.

Next, if valuable information is retrieved by the netscan plugin, we can use it as a signature for yarascan.

In this case we have detected that our local system is connecting to the outbound IP address 108.59.6.39.

Now we can see the processes that contain this signature.

In this case both of these processes contain the signature:

Process name: Sinowal.exe PID: 4016

Process name: regsvr32.exe PID: 3020

We can then use the information to investigate further.
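Turning a netscan IOC into a yarascan run is the step this section describes, and it is easy to get the YARA syntax wrong when several IOCs are involved. The script below is an added example, not part of the original write-up or of Volatility; it generates one YARA rule per literal IOC (the Sinowal address from this page plus the notepad.pdb string used earlier as a constructed test entry) and builds the command line. It assumes Volatility 2's yarascan options: `-Y` takes a single literal that the plugin wraps into a rule, `-y` takes a rules file, and `-p` limits the scan to one PID; the image and profile names are placeholders.

```python
import re
import shlex


def yara_identifier(name):
    """YARA rule names must be identifiers: letters, digits, underscore, not starting with a digit."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name)
    if not ident or ident[0].isdigit():
        ident = "ioc_" + ident
    return ident


def yara_rule_for_string(name, value, nocase=False, wide=False):
    """One YARA rule matching a literal string IOC such as an IP address or a PDB path."""
    # YARA string literals use C-style escaping: double backslashes, escape quotes.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    mods = []
    if nocase:
        mods.append("nocase")
    if wide:
        mods.append("wide ascii")  # also match a UTF-16LE copy of the string
    modifiers = (" " + " ".join(mods)) if mods else ""
    return (
        f"rule {yara_identifier(name)}\n"
        "{\n"
        "    strings:\n"
        f'        $a = "{escaped}"{modifiers}\n'
        "    condition:\n"
        "        $a\n"
        "}\n"
    )


def build_rule_file(iocs, **kw):
    """Text of a .yar file (for yarascan -y) holding one rule per {name: literal} entry."""
    return "\n".join(yara_rule_for_string(n, v, **kw) for n, v in iocs.items())


def yarascan_command(mem_dump, profile, rules_path=None, rule_string=None, pid=None):
    """Assemble the Volatility 2 yarascan invocation; -y for a rules file, -Y for one literal."""
    cmd = ["vol.py", "-f", mem_dump, f"--profile={profile}", "yarascan"]
    if rules_path:
        cmd += ["-y", rules_path]
    elif rule_string:
        cmd += ["-Y", rule_string]
    else:
        raise ValueError("need rules_path or rule_string")
    if pid is not None:
        cmd += ["-p", str(pid)]
    return " ".join(shlex.quote(c) for c in cmd)


# Constructed IOC list: the C2 address from the Sinowal case and the notepad.pdb
# string used earlier as a sanity check that yarascan finds known content.
IOCS = {"sinowal c2 ip": "108.59.6.39", "notepad pdb": "notepad.pdb"}

if __name__ == "__main__":
    print(build_rule_file(IOCS, wide=True))
    # "memory.raw" and the profile are placeholders for your own image.
    print(yarascan_command("memory.raw", "Win7SP1x64", rules_path="iocs.yar"))
    print(yarascan_command("memory.raw", "Win7SP1x64", rule_string="108.59.6.39", pid=4016))
```

The dots in an IP address are literal characters inside a YARA string (not a regex), so no escaping is needed for them; `wide ascii` is worth adding because a C2 address may sit in memory as a UTF-16 string that a plain ASCII rule would miss.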

Volatility callbacks

Memory Analysis using Volatility - callbacks


callbacks is a Volatility plugin that prints system-wide notification routines.

Windows callbacks – the Windows operating system allows a driver to register a callback routine that will be called when a particular event occurs. This functionality also gives a rootkit driver the ability to monitor system activities and take action depending on the activity.



Using the Volatility callbacks plugin, we can see the following information:

Type – the kind of event monitored by the module.

Callback – the callback function address.

Module – the module responsible for the callback routine.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> callbacks

#note: To use callbacks to look for a suspicious driver/module, look for unknown module names and unknown details.
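The note above (look for unknown modules) can be applied mechanically to the plugin's table. The script below is an added example, not part of the original write-up or of Volatility. It assumes the Volatility 2 callbacks column layout (Type, Callback, Module, Details) and that the plugin prints UNKNOWN when a callback address falls outside every loaded module; the sample rows, addresses and module names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Volatility 2 callbacks output (column layout as the plugin prints it).
SAMPLE_CALLBACKS = """\
Type                                 Callback   Module               Details
------------------------------------ ---------- -------------------- -------
IoRegisterShutdownNotification       0x805f5d66 ntoskrnl.exe         \\Driver\\WMIxWDM
IoRegisterFsRegistrationChange       0xf97c0876 sr.sys               -
GenericKernelCallback                0xf8ce2f2c UNKNOWN              -
PsSetCreateProcessNotifyRoutine      0xf8ce2f2c UNKNOWN              -
PsSetCreateThreadNotifyRoutine       0xf8ce2f2c UNKNOWN              -
KeBugCheckCallbackListHead           0xf83e5ef4 NDIS.sys             Ndis miniport
"""

ROW_RE = re.compile(
    r"^(?P<type>\S+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+(?P<module>\S+)\s*(?P<details>.*)$"
)

# Notification routines that let a driver observe every new process, thread, image or
# registry operation; an unattributed owner here deserves priority.
WATCHED_TYPES = {
    "PsSetCreateProcessNotifyRoutine",
    "PsSetCreateThreadNotifyRoutine",
    "PsSetLoadImageNotifyRoutine",
    "CmRegisterCallback",
}


def parse_callbacks(text):
    """Return one dict per data row; header and separator rows do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            rows.append({k: m[k].strip() for k in ("type", "addr", "module", "details")})
    return rows


def suspicious_callbacks(rows):
    """Flag rows whose module is unresolved or whose address is registered several times."""
    by_addr = defaultdict(list)
    for r in rows:
        by_addr[r["addr"]].append(r["type"])
    findings = []
    for r in rows:
        reasons = []
        if r["module"].upper() == "UNKNOWN":
            reasons.append("callback address not inside any loaded module (hidden or unlinked driver)")
        if len(by_addr[r["addr"]]) > 1:
            reasons.append(f"same address registered for {len(by_addr[r['addr']])} callback types")
        if reasons and r["type"] in WATCHED_TYPES:
            reasons.append("process/thread/image notification: can observe every new process")
        if reasons:
            findings.append((r["type"], r["addr"], r["module"], reasons))
    return findings


if __name__ == "__main__":
    for ctype, addr, module, reasons in suspicious_callbacks(parse_callbacks(SAMPLE_CALLBACKS)):
        print(f"{ctype} {addr} {module}: " + "; ".join(reasons))
```

A single address registered under several notification types by an UNKNOWN module is the shape a rootkit's dispatcher takes in this table; the next step is to dump the memory at that address (or the driver that owns it, once identified) rather than trust the module column alone.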


Volatility printkey

Memory Analysis using Volatility - printkey


printkey is a Volatility plugin that prints a registry key with its subkeys and values. This plugin searches all hives and prints the key information (if found) for the requested key. Therefore, if the key is located in more than one hive, the information for the key will be printed for each hive that contains it.



In this sample, we will use the Volatility printkey plugin to print a specific registry location from our captured memory dump. In our case, we list the “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” registry key.

This plugin can help the analyst enumerate a registry key and check its subkeys and values without extracting the registry hives.

Looking at the sample below, we can see the values and subkeys inside this registry key.

If the information of interest is found, we can then dump the registry hives for further analysis.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> printkey -K <registry_key>

In this sample, we will use the printkey plugin to investigate the registry hive of a system infected with the Zeus banking malware.

In the image below, we list the registry key “Software\Microsoft\Windows\CurrentVersion\Run” to see its values and subkeys. This registry key is commonly used by malware to persist on the system and survive a reboot.

By listing the Run registry key with the plugin, we can see a value named GoogleUpdate.exe, and we can see that it resides inside AppData\Local, which is not a normal location for Google Update.
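The reasoning in this section (a Run value pointing into a user-writable folder is worth a second look) can be applied to every hive printkey reports. The script below is an added example, not part of the original write-up or of Volatility. It assumes Volatility 2's printkey text layout ("Registry:" header per hive, then "REG_type  name : (S) data" value lines); the hive paths, value names and data are constructed for the example.

```python
import re

# Constructed sample of Volatility 2 printkey output for the Run key, in two hives
# (printkey reports every hive that contains the requested key).
SAMPLE_PRINTKEY = """\
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \\??\\C:\\Users\\victim\\ntuser.dat
Key name: Run (S)
Last updated: 2021-03-01 10:15:22 UTC+0000

Subkeys:

Values:
REG_SZ        GoogleUpdate.exe : (S) C:\\Users\\victim\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe
REG_SZ        OneDrive         : (S) "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
----------------------------
Registry: \\SystemRoot\\System32\\Config\\SOFTWARE
Key name: Run (S)
Last updated: 2021-02-11 08:01:00 UTC+0000

Subkeys:

Values:
REG_SZ        SecurityHealth   : (S) %windir%\\system32\\SecurityHealthSystray.exe
REG_SZ        VMware User Process : (S) "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr
"""

VALUE_RE = re.compile(
    r"^(?P<type>REG_\w+)\s+(?P<name>.+?)\s*:\s*\((?P<vol>[SV])\)\s*(?P<data>.*)$"
)

# Folders any user can write to; a Run entry launching from one of them needs verification.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
                 "\\downloads\\", "%temp%", "%appdata%")


def parse_printkey(text):
    """Return a list of {hive, type, name, data} for every value printkey listed."""
    entries, hive = [], None
    for line in text.splitlines():
        if line.startswith("Registry:"):
            hive = line.split(":", 1)[1].strip()
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({"hive": hive, "type": m["type"], "name": m["name"], "data": m["data"]})
    return entries


def image_path(data):
    """Strip surrounding quotes and trailing arguments from a Run value to get the executable."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return re.split(r"\s+[-/]", data, maxsplit=1)[0]


def flag_run_values(entries):
    """(name, hive, reason) for values whose executable lives in a user-writable location."""
    flagged = []
    for e in entries:
        path = image_path(e["data"]).lower()
        if any(marker in path for marker in USER_WRITABLE):
            flagged.append((e["name"], e["hive"], "runs from a user-writable location"))
    return flagged


if __name__ == "__main__":
    for name, hive, reason in flag_run_values(parse_printkey(SAMPLE_PRINTKEY)):
        print(f"{name} ({hive}): {reason}")
```

The heuristic is deliberately broad: it flags the constructed OneDrive entry as well, because per-user installers legitimately live under AppData\Local. The flagged list is a review queue, and the analyst confirms each hit the way the text does for GoogleUpdate.exe (compare against where that product normally installs), then dumps the hive or the binary for further analysis.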

Volatility connections

Memory Analysis using Volatility - connections


connections is a Volatility plugin that lists connections on Windows XP and Windows 2003 only.

Connection states:

      • CLOSE_WAIT
      • CLOSED
      • ESTABLISHED
      • FIN_WAIT_1
      • FIN_WAIT_2
      • LAST_ACK
      • LISTEN
      • SYN_RECEIVED
      • SYN_SENT
      • TIME_WAIT



When analyzing a memory dump from Windows XP, you cannot use the netscan plugin. Instead, we use the Volatility connections plugin to extract network-related data from our volatile memory.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> connections


Volatility netscan

Memory Analysis using Volatility - netscan


netscan is a Volatility plugin that scans Vista, 7, 8, 10 and later images for connections and sockets.


We can use the Volatility netscan plugin to enumerate the network communications of our system and find which process is responsible for each connection. We can also see the status of that connection.

Here we can see the following details:

(1) Foreign Address – the remote IP address and port our local system connects to.

(2) PID – process ID of the process responsible for the connection.

(3) Owner – name of the process responsible for the connection.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> netscan

In this sample, we extract network information from the memory dump of a system infected with the Sinowal malware.

Using the Volatility netscan plugin we are able to detect the inbound and outbound IP addresses:

192.168.30.144:52467 > 108.59.6.39:80

#note: Check the system for unknown IP addresses, both inbound and outbound. Also, see if a connection is using a non-standard port.
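The checks in the note above (external peers, non-standard ports, unexpected listeners) are straightforward to run over the whole netscan table rather than by eye. The script below is an added example, not part of the original write-up or of Volatility. It assumes the Volatility 2 netscan column layout (Offset, Proto, Local Address, Foreign Address, State, Pid, Owner, Created, with State blank for UDP). The Sinowal row reuses the address, PID and owner this page reports; the other rows, ports and the second peer (in documentation address space) are constructed, and the "expected port" sets are an assumption you should tune to the host's role.

```python
import ipaddress
import re

# Constructed sample of Volatility 2 netscan output (see lead-in for which values are real).
SAMPLE_NETSCAN = """\
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e1a2b00 TCPv4    192.168.30.144:52467           108.59.6.39:80       ESTABLISHED      4016     Sinowal.exe
0x3e2c0008 TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        700      svchost.exe
0x3e34d5a0 UDPv4    0.0.0.0:0                      *:*                                   4        System         2021-03-01 10:00:00 UTC+0000
0x3e4500a0 TCPv4    192.168.30.144:49211           203.0.113.50:4444    ESTABLISHED      3020     regsvr32.exe
0x3e51c0b0 TCPv4    0.0.0.0:31337                  0.0.0.0:0            LISTENING        3020     regsvr32.exe
"""

ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>\S+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z][A-Z_0-9]*)\s+)?(?P<pid>-?\d+)\s+(?P<owner>\S+)"
)

# Ranges that never identify an external peer (RFC 1918, loopback, link-local, "this host").
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed baseline for an ordinary workstation; anything outside gets reported.
EXPECTED_OUTBOUND_PORTS = {53, 80, 123, 443, 445, 3389}
EXPECTED_LISTEN_PORTS = {135, 139, 445, 3389, 5985}


def split_endpoint(ep):
    """'host:port' -> (host, port_int_or_None); also handles '*:*' and IPv6 text."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_internal(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # "*", "::", or anything that is not an address
    if ip.version == 6:
        return ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_private
    return any(ip in net for net in INTERNAL_NETS)


def parse_netscan(text):
    """One dict per data row; the header row does not start with an offset and is skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW_RE.match(line))]


def triage_netscan(rows):
    """(pid, owner, foreign, [reasons]) for rows that match the note's three checks."""
    findings = []
    for r in rows:
        fhost, fport = split_endpoint(r["foreign"])
        lhost, lport = split_endpoint(r["local"])
        reasons = []
        if r["state"] == "ESTABLISHED" and not is_internal(fhost):
            reasons.append(f"outbound to external host {fhost}")
            if fport not in EXPECTED_OUTBOUND_PORTS:
                reasons.append(f"non-standard destination port {fport}")
        if r["state"] == "LISTENING" and lport not in EXPECTED_LISTEN_PORTS:
            reasons.append(f"listening on unexpected port {lport}")
        if reasons:
            findings.append((int(r["pid"]), r["owner"], r["foreign"], reasons))
    return findings


if __name__ == "__main__":
    for pid, owner, foreign, reasons in triage_netscan(parse_netscan(SAMPLE_NETSCAN)):
        print(f"{owner} ({pid}) {foreign}: " + "; ".join(reasons))
```

The Sinowal row is reported on the external-host check alone (port 80 is a normal destination), which is exactly why the note says to look at the address and not only the port; the external IPs this produces are the strings to feed to yarascan in the earlier section.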

Volatility moddump

Memory Analysis using Volatility - moddump


moddump is a Volatility plugin that dumps a kernel driver to an executable file on disk.



After listing all loaded modules using the modules plugin, we can use the Volatility moddump plugin to dump one to disk for further analysis. We use the -b option and feed it the base address of the kernel driver of choice.

In the sample below, we will dump srv.sys to disk.

First, run the modules plugin and copy the base address.

Next, use the syntax below.

Our syntax will be: vol.exe -f <mem_dump> --profile=<OS_version> moddump -b <base_address> -D <dest>

Then, a kernel driver will be dumped to the specified location.

#note: These steps can help if the system is infected with low-level malware, especially rootkits, which operate below the system level; most rootkits implement and use a service to install themselves as a kernel driver, which gives the malware full access to the system. Dumping the malicious driver lets the analyst analyze it and create IOCs.

Volatility modules

Memory Analysis using Volatility - modules


modules is a Volatility plugin that prints the list of loaded modules/drivers.


Using the Volatility modules plugin, we can extract all the loaded modules/drivers from the volatile memory.

Here are the following details that you will see:

      • Name – name of the loaded module/driver.
      • Base Address – where the loaded module is located in memory.
      • File – where the loaded module is located on disk.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> modules

#note: In digital forensics, a loaded module can be a persistence technique of malware that lets it operate at a low level and take over the whole system. Being able to parse these artifacts during an investigation is a great leap for the investigator when investigating a possible rootkit.
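The two-step procedure in the moddump section (run modules, copy the base address, run moddump with -b) and the rootkit note above can be joined in one script: parse the modules table, flag drivers loaded from outside the system driver directories, and build the moddump command for a chosen driver. This is an added example, not part of the original write-up or of Volatility. It assumes the Volatility 2 modules column layout (Offset(V), Name, Base, Size, File); srv.sys is the driver the page dumps, while the base addresses, offsets and the Temp-resident "xyzdrv.sys" are constructed for the example, and the expected-path prefixes are an assumption.

```python
import re

# Constructed sample of Volatility 2 modules output (see lead-in for which values are real).
SAMPLE_MODULES = """\
Offset(V)  Name                 Base               Size     File
---------- -------------------- ------------------ -------- ----
0x823f8b48 ntoskrnl.exe         0x0000000080400000 0x1f4000 \\WINDOWS\\system32\\ntoskrnl.exe
0x823f8ae0 hal.dll              0x0000000080000000 0x020000 \\WINDOWS\\system32\\hal.dll
0x81f1c2c8 srv.sys              0x00000000f7a40000 0x052000 \\SystemRoot\\system32\\DRIVERS\\srv.sys
0x81d9a458 xyzdrv.sys           0x00000000f7c1a000 0x00d000 \\??\\C:\\Documents and Settings\\user\\Local Settings\\Temp\\xyzdrv.sys
"""

ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<size>0x[0-9a-fA-F]+)\s+(?P<file>.*)$"
)

# Where legitimately installed kernel drivers normally live (compared case-insensitively).
EXPECTED_PREFIXES = ("\\windows\\system32\\", "\\systemroot\\system32\\", "\\??\\c:\\windows\\system32\\")


def parse_modules(text):
    """One dict per driver row with Base/Size as ints; header and separator rows are skipped."""
    mods = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            mods.append({"name": m["name"], "base": int(m["base"], 16),
                         "size": int(m["size"], 16), "file": m["file"].strip()})
    return mods


def find_base(mods, name):
    """Base address of the module called `name` (case-insensitive), or None."""
    for m in mods:
        if m["name"].lower() == name.lower():
            return m["base"]
    return None


def unusual_module_paths(mods):
    """Names of drivers whose on-disk path is outside the usual system driver directories."""
    return [m["name"] for m in mods if not m["file"].lower().startswith(EXPECTED_PREFIXES)]


def moddump_command(mem_dump, profile, base, dest):
    """The moddump invocation from the page, with the base address filled in from modules."""
    return f"vol.py -f {mem_dump} --profile={profile} moddump -b {base:#x} -D {dest}"


if __name__ == "__main__":
    mods = parse_modules(SAMPLE_MODULES)
    print("drivers outside system32:", unusual_module_paths(mods))
    # "memory.raw", the profile and the output directory are placeholders.
    for name in ["srv.sys"] + unusual_module_paths(mods):
        print(moddump_command("memory.raw", "WinXPSP2x86", find_base(mods, name), "drivers/"))
```

The path check is a first filter, not proof: a rootkit can also overwrite or sit alongside a legitimately named driver in system32, so compare the dumped file's hash and signature against a known-good copy, and keep in mind that a driver unlinked from the module list will not appear here at all (modscan, which carves for module structures, is the complementary plugin for that case).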

Volatility malfind

Memory Analysis using Volatility - malfind


malfind is a Volatility plugin that finds hidden and injected code. It looks for suspicious VAD memory regions in a process that have PAGE_EXECUTE_READWRITE memory protection.


We can use the Volatility malfind plugin to find suspicious memory regions that have PAGE_EXECUTE_READWRITE protection.

In this sample, we can see that in process ID 1796 there is an MZ header (4d 5a) residing in the memory region at 0x6550000.

This leads us to the conclusion that a malicious executable has been injected into this memory region, because it matches the PAGE_EXECUTE_READWRITE memory protection.

Now you can dump this memory region using vaddump for quick further analysis.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> malfind -p <PID> -D <dest>

#note: An executable inside a memory region with 0x40 (PAGE_EXECUTE_READWRITE) memory protection means it was injected, not normally loaded.

In this sample, we also use malfind to detect possible code injection inside process memory.

As we can see, it detects (1) the PAGE_EXECUTE_READWRITE permission with (2) its assembly code representation.

At (3) we dump the result from malfind to disk for further analysis.

At (4) we use a strings extraction tool to find out what strings it contains. This shows that this memory region contains API function names and other interesting strings.

Now, at (5), we can submit this dumped memory region to VirusTotal for a quick scan, which tells us that this memory region was injected with malware identified as the XtremeRAT backdoor.
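malfind reports every private RWX region, so the analyst's real work is sorting its hits: a region that starts with an MZ header (as in the 1796 case above) is an injected PE, a zero-filled one is usually reserved-but-unused memory, and bare code with no header needs disassembly. The script below is an added example, not part of the original write-up or of Volatility; it parses malfind's text output into regions, classifies each by its first bytes, and emits the vaddump command for the ones worth dumping. It assumes the Volatility 2 malfind layout ("Process: ... Pid: ... Address: ..." header, a "Vad Tag ... Protection:" line, then hexdump lines). The first region reuses the PID and address this page discusses; the process names and the other two regions are constructed.

```python
import re

# Constructed sample of Volatility 2 malfind output (see lead-in for which values are real).
SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1796 Address: 0x6550000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x06550000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x06550010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

Process: svchost.exe Pid: 1028 Address: 0x1a30000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01a30000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Process: notepad.exe Pid: 2212 Address: 0x2f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x002f0000  55 8b ec 83 ec 10 53 56 57 8b 7d 08 85 ff 74 0a   U.....SVW.}...t.
"""

HEADER_RE = re.compile(r"^Process: (?P<proc>\S+) Pid: (?P<pid>\d+) Address: (?P<addr>0x[0-9a-fA-F]+)$")
PROT_RE = re.compile(r"Protection: (?P<prot>PAGE_\w+)")
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2}\s)+)")


def parse_malfind(text):
    """Split malfind output into regions: {proc, pid, addr, prot, bytes}."""
    regions, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"proc": m["proc"], "pid": int(m["pid"]), "addr": int(m["addr"], 16),
                   "prot": None, "bytes": b""}
            regions.append(cur)
            continue
        if cur is None:
            continue
        p = PROT_RE.search(line)
        if p and cur["prot"] is None:  # the "Vad Tag: ... Protection: PAGE_..." line
            cur["prot"] = p["prot"]
            continue
        h = HEX_RE.match(line)
        if h:  # hexdump line: collect the raw bytes, ignore the ASCII column
            cur["bytes"] += bytes.fromhex("".join(h.group(1).split()))
    return regions


def classify(region):
    """Sort a region by what its first bytes look like."""
    data = region["bytes"]
    if region["prot"] != "PAGE_EXECUTE_READWRITE":
        return "other_protection"
    if data.startswith(b"MZ"):
        return "injected_pe"      # whole PE image mapped into private RWX memory
    if data and not data.strip(b"\x00"):
        return "zero_filled"      # reserved but unused RWX page, a common false positive
    return "code_no_header"       # shellcode or a PE whose header was wiped: disassemble


def vaddump_command(mem_dump, profile, region, dest):
    """Dump just this region, as the text suggests, using vaddump's -b base option."""
    return (f"vol.py -f {mem_dump} --profile={profile} vaddump "
            f"-p {region['pid']} -b {region['addr']:#x} -D {dest}")


if __name__ == "__main__":
    for r in parse_malfind(SAMPLE_MALFIND):
        verdict = classify(r)
        print(f"{r['proc']} pid {r['pid']} @ {r['addr']:#x}: {verdict}")
        if verdict in ("injected_pe", "code_no_header"):
            print("   ", vaddump_command("memory.raw", "Win7SP1x86", r, "dumps/"))
```

The page's 0x40 note is what `classify` encodes: only PAGE_EXECUTE_READWRITE regions are considered at all, and the MZ check separates a fully injected executable from the rest. A dumped region that lacks an MZ header can still be submitted for scanning or string extraction exactly as steps (3) to (5) describe.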

Volatility procdump

Memory Analysis using Volatility - procdump


procdump is a Volatility plugin that dumps a specific process to disk.


In this sample, we use the Volatility procdump plugin to dump a process that we found suspicious.

This can be good for quick analysis, like sending the executable or its hash to an online AV/YARA scanner such as VirusTotal, Hybrid Analysis or Any.run.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> procdump -p <PID> -D <Dest>