Memory Analysis using Volatility - getsids
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
getsids – a volatility plugin that is used print the SIDs owning each process.
SID or Security Identifier – is a unique value of variable length used to identify a trustee. Each account has a unique SID issued by an authority, such as a Windows domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
Security Identifier helps the investigator/analyst identify lateral movement on the environment.
Typically an attacker might use an existing account or create and add a new account to administrators group. SID can help us identify what privilege this account have.
Volatility getsids plugin gives us a clear view of these artifact on our volatile memory.
In this sample, Why we investigate explorer.exe?
explorer.exe is responsible for any user interaction on the system which includes opening, reading or deleting a file and many other functionality that involves user interaction. Volatility getsids plugin can extract the account name and their SID from a process which can be a good help for investigator/analyst during Incident Response and Forensics. (It can be other process not explorer.exe this only depends on the situation you have.)
Our syntax will be like: vol.exe -f <mem_dump> –profile=<OS_version> getsids -p <PID>
#note: If there are SID value that has no equivalent account name, the account being used might be in the remote system which volatility has no access of its details that is why it left blank.
#note: This plugin can help you to investigate critical systems, if you have an alert that an account is compromise and is being used for lateral movement you can then check the critical systems if its accessed by the compromised account.