Unit-4
Memory Forensics and Volatility Memory Dumping with Moon Sols Windows Memory Toolkit
Memory forensics is a crucial aspect of cybersecurity investigations, allowing analysts to examine the contents
of a computer's RAM to uncover hidden threats and malicious activities. Tools like Moon Sols Windows
Memory Toolkit play a vital role in this process by facilitating memory dumping and analysis.
Memory Dumping
Memory dumping involves capturing the entire contents of a computer's RAM and storing it in a file for
later analysis. This process is essential because RAM is volatile, meaning its contents are lost when the
computer is powered off. By capturing a memory dump, investigators can preserve valuable evidence that
might otherwise be lost.
Moon Sols Windows Memory Toolkit
Moon Sols Windows Memory Toolkit is a powerful tool specifically designed for memory dumping on
Windows systems. It offers several features that make it ideal for forensic investigations:
Multiple Dumping Methods: The toolkit supports various memory dumping methods, including
physical memory dumps, crash dumps, and hibernation file conversion. This flexibility allows
investigators to choose the most appropriate method for the situation.
Hash Verification: The toolkit includes built-in hash functions (MD5, SHA-1, SHA-256) to ensure
the integrity of the memory dump. This feature helps prevent tampering and ensures the evidence's
admissibility in court.
Network Transfer: The toolkit can transfer memory dumps over a network, enabling remote
acquisition of evidence from compromised systems.
Ease of Use: The toolkit is designed with a user-friendly interface, making it accessible to both
novice and experienced investigators.
Volatility Framework
Once a memory dump is acquired, it needs to be analyzed to extract meaningful information. This is where
the Volatility Framework comes in. Volatility is an open-source memory forensics framework that provides
a wide range of plugins for analyzing memory dumps. These plugins can identify running processes,
network connections, malware artifacts, and other critical information.
Memory Forensics Process
The typical memory forensics process involves the following steps:
1. Acquire a memory dump using a tool like Moon Sols Windows Memory Toolkit.
2. Analyze the memory dump using the Volatility Framework.
3. Identify and extract relevant artifacts such as malicious processes, network connections, and
malware signatures.
4. Correlate the findings with other evidence to build a comprehensive understanding of the incident.
Benefits of Memory Forensics
Memory forensics offers several advantages in cybersecurity investigations:
Uncover Hidden Threats: Memory analysis can reveal malicious activities that might not be visible
through traditional disk forensics.
1|Page
� Identify Rootkits and Advanced Malware: Memory forensics is particularly effective in detecting
rootkits and other advanced malware that hide themselves from the operating system.
Understand Attacker Behavior: By analyzing memory, investigators can gain insights into the
attacker's techniques, tools, and objectives.
Faster Incident Response: Memory forensics can help accelerate incident response by quickly
identifying the scope and impact of an attack
Accessing VM Memory Files
Accessing VM memory files depends heavily on the virtualization platform you're using. Here's a
breakdown of common platforms and how to access those files:
VMware
Snapshots: VMware allows you to create snapshots of a VM's state, including memory. These
snapshots are stored as files on the datastore where the VM resides. The key files are:
o .vmsn: Contains the VM's configuration and state.
o .vmem: Holds the actual memory contents.
Accessing the files:
1. Create a snapshot of the VM, ensuring "Snapshot the virtual machine's memory" is checked.
2. Locate the VM's folder on the datastore. You can do this through the vSphere Client or ESXi host
client.
3. Download the .vmsn and .vmem files.
Important Note: The .vmem file alone is not directly usable for memory forensics. You need to use
VMware's vmss2core utility to convert these files into a format that tools like Volatility can
understand.
Microsoft Hyper-V
Memory dumps: Hyper-V can generate memory dumps of a VM, which can be used for analysis.
Accessing the files:
1. You'll need the Windows SDK installed on the Hyper-V host.
2. Use the livekd64.exe utility (found within the SDK) to capture a memory dump. This requires
specifying the VM name, the path to the Windows SDK debuggers, and the desired output
path for the dump file.
Proxmox VE
Memory dumps: Proxmox also offers the ability to dump VM memory.
Accessing the files:
1. Go to the "Monitor" tab of the VM.
2. Use the dump-guest-memory command to create a memory dump. You can choose between
ELF or Windows crashdump format.
2|Page
� Note: For Windows crashdump format, the VM needs to have a vmcoreinfo device and the latest
virtio-win drivers installed.
General Considerations
File sizes: Memory dump files can be very large, often matching the VM's RAM size.
Tools: Once you have the memory dump, you'll need specialized tools like the Volatility Framework
to analyze it.
Permissions: Accessing VM memory files might require administrator or root privileges on the host
system.
Investigating Processes in Memory Dumps
Memory dumps are a snapshot of a computer's memory at a specific point in time. They can be used to
troubleshoot problems, analyze malware, and investigate security incidents.
Here are some tools and techniques for investigating processes in memory dumps:
Volatility: This is a powerful open-source memory forensics framework that can be used to analyze
memory dumps from Windows, Linux, and macOS systems. Volatility can extract a wide range of
information from memory dumps, including running processes, network connections, and loaded
drivers.
Rekall: This is another open-source memory forensics framework that is similar to Volatility. Rekall
can also be used to analyze memory dumps from a variety of operating systems.
Rekall memory forensics framework
Windows Debugger (WinDbg): This is a Microsoft tool that can be used to debug Windows
systems. WinDbg can also be used to analyze memory dumps from Windows systems.
3|Page
� Windows Debugger (WinDbg)
Process Explorer: This is a free tool from Microsoft that can be used to view information about
running processes on a Windows system. Process Explorer can also be used to analyze memory
dumps from Windows systems.
Process Explorer
Here are some tips for investigating processes in memory dumps:
Start by identifying the processes that are running in the memory dump. This can be done using
tools like Volatility or Rekall.
Once you have identified the processes, you can start to analyze them. This may involve looking
at the process's memory usage, loaded modules, and network connections.
If you are looking for malware, you can use tools like Volatility's malfind plugin to identify
suspicious code.
If you are investigating a security incident, you can use memory forensics to identify the source
of the attack.
Here are some additional resources that you may find helpful:
Memory Forensics: The Art of Memory Analysis by Michael Hale Ligh, Andrew Case, Jamie
Levy, and Harlan Carvey
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac
by Michael Hale Ligh, Andrew Case, Jamie Levy, and Harlan Carvey
SANS Institute Memory Forensics Training
4|Page
� Code Injection and Extraction
Code injection is a technique used by attackers to introduce (inject) malicious code into a program or
system, thereby changing its behavior or stealing data. This is typically achieved by exploiting
vulnerabilities in the target system, such as insufficient input validation.
Code extraction, on the other hand, refers to the process of retrieving or recovering source code or other
sensitive information from a system or application. This can be done through various means, including
reverse engineering, memory analysis, or exploiting vulnerabilities.
Here are some key points to consider:
Code injection is a type of attack, while code extraction can be used for both malicious and benign
purposes (e.g., security analysis).
Prevention of code injection often involves techniques like input validation, parameterized queries,
and using secure coding practices.
Detection of code injection can be achieved through intrusion detection systems, log analysis, and
code reviews.
Code extraction can be used to identify vulnerabilities, understand software functionality, or recover
lost code. However, it can also be used for malicious purposes, such as stealing intellectual property
or creating exploits.
Some common types of code injection attacks include SQL injection, cross-site scripting (XSS), and
command injection. These attacks exploit vulnerabilities in different parts of a system, such as databases,
web applications, or operating system commands.
Detecting and Capturing Suspicious Loaded DLLs
Detecting and capturing suspicious loaded DLLs is a crucial aspect of security monitoring and incident
response. Here's a breakdown of methods and techniques:
1. Understanding DLLs and Their Role
Dynamic Link Libraries (DLLs) are essential components in Windows operating systems. They
contain code and data that can be shared by multiple programs simultaneously.
Legitimate DLLs are loaded by applications to perform various functions. However, attackers can
exploit this mechanism to load malicious DLLs, gaining control over the application or the system.
2. Detection Techniques
Event Logs: Windows event logs record various system activities, including DLL loading events.
Analyzing these logs can reveal suspicious DLLs.
o Event ID 4688: Process Creation (can show command-line arguments, including DLL
paths)
o Event ID 7: Image Loaded (specific to DLL loading)
Sysmon: Sysmon is a powerful tool from Microsoft that provides detailed information about system
events, including DLL loading. It can be configured to monitor specific DLLs or suspicious
patterns.
Endpoint Detection and Response (EDR) Solutions: EDR solutions offer advanced capabilities for
monitoring and analyzing endpoint activity, including DLL loading. They often use machine learning
and behavioral analysis to identify suspicious DLLs.
Static Analysis: Examining DLL files without executing them can reveal suspicious characteristics,
such as:
5|Page
� o Unusual file size: A DLL that is significantly larger or smaller than expected might be
suspicious.
o Missing or invalid digital signature: Legitimate DLLs are usually digitally signed to ensure
their authenticity.
o Unusual imports or exports: DLLs that import or export functions that are not relevant to
their purpose might be suspicious.
o Strings or code patterns: Examining the strings or code patterns within a DLL can reveal
suspicious activity, such as network communication or data manipulation.
Dynamic Analysis: Executing the application in a controlled environment (sandbox) and monitoring
its behavior can reveal suspicious DLL loading. This can include:
o Monitoring API calls: Observing the API calls made by the application can reveal
suspicious DLL interactions.
o Memory analysis: Examining the memory of the application can reveal loaded DLLs and
their behavior.
3. Capturing Suspicious DLLs
Memory Forensics: If a suspicious DLL is loaded in memory, memory forensics techniques can be
used to capture the DLL for further analysis.
Disk Imaging: Creating a disk image of the affected system can preserve the suspicious DLLs for
later analysis.
Network Capture: If the suspicious DLL communicates with a remote server, network capture can
be used to capture the network traffic for analysis.
4. Tools and Resources
Windows Event Viewer: Built-in tool for viewing Windows event logs.
Sysmon: System monitoring tool from Microsoft.
Process Monitor: Tool for monitoring file system, registry, and process activity.
Cuckoo Sandbox: Open-source sandbox for malware analysis.
Volatility: Memory forensics framework.
5. Best Practices
Keep software updated: Regularly patching software vulnerabilities can prevent attackers from
exploiting them to load malicious DLLs.
Use strong passwords: Strong passwords can prevent attackers from gaining access to systems and
loading malicious DLLs.
Implement application whitelisting: Allow only trusted applications to run on the system.
Monitor system activity: Regularly monitor system logs and events for suspicious activity.
Use security software: Install and maintain up-to-date security software, such as antivirus and anti-
malware solutions.
Finding Artifacts in Process Memory
Memory forensics is a powerful technique for finding artifacts in process memory. It involves capturing a
snapshot of a computer's RAM and then analyzing it to uncover hidden information. This can be crucial in
incident response, malware analysis, and digital forensics investigations.
Here's a breakdown of the process and what you can find:
1. Memory Acquisition
Tools: Several tools are available for acquiring memory, including:
o Volatility: A popular open-source framework for memory forensics.
6|Page
� o Rekall: Another open-source memory forensics framework.
o FTK Imager: A commercial tool with memory acquisition capabilities.
o Magnet RAM Capturer: A commercial tool specifically designed for memory capture.
Process: The goal is to capture a complete and accurate snapshot of the system's RAM without
altering its contents. This often involves using specialized drivers or techniques to minimize
interference.
2. Memory Analysis
Once you have a memory image, you can use various techniques to analyze it:
Process Listing: Identify running processes, their PIDs, and associated DLLs. This can reveal
suspicious processes or injected code.
DLL Analysis: Examine loaded DLLs to identify malicious code or unusual imports/exports.
Network Connections: Discover active or past network connections, revealing communication with
remote servers or command-and-control infrastructure.
Command-Line History: Recover executed commands, providing insights into user activity or
attacker actions.
Registry Hives: Analyze registry data loaded in memory, potentially revealing malware
configuration or persistence mechanisms.
File Handles: Identify open files, which can expose accessed data or hidden files.
Memory Strings: Search for specific strings in memory, such as passwords, encryption keys, or
fragments of malicious code.
Code Injection: Detect injected code by looking for unexpected code sections or API hooking.
Malware Signatures: Scan for known malware signatures or patterns in memory.
3. Artifacts You Can Find
Malware: Injected code, malicious DLLs, rootkits, or other malware components.
User Credentials: Passwords, usernames, or other authentication information.
Encryption Keys: Keys used for encrypting data, potentially allowing for decryption.
Network Information: IP addresses, domain names, or other network-related data.
Sensitive Data: Confidential documents, financial information, or personal data.
Evidence of Activity: Command-line history, browser history, or other traces of user or attacker
actions.
4. Tools and Techniques
Volatility: Offers a wide range of plugins for analyzing memory, including process listing, DLL
analysis, network connection discovery, and more.
Rekall: Similar to Volatility, providing a comprehensive framework for memory forensics.
Memory Forensics Frameworks: Tools like The Sleuth Kit (TSK) and Autopsy can be used to
integrate memory analysis with other forensic techniques.
YARA: A pattern-matching tool that can be used to scan memory for known malware signatures or
other patterns.
5. Challenges and Considerations
Anti-Forensics: Attackers may use techniques to evade memory forensics, such as memory hiding
or anti-analysis techniques.
Memory Volatility: RAM is volatile, meaning its contents can be lost when the system is shut
down. Therefore, it's crucial to capture memory as soon as possible after an incident.
Analysis Complexity: Analyzing memory can be complex and time-consuming, requiring expertise
in memory forensics techniques and tools.
7|Page
�Tips for Effective Memory Analysis:
Prioritize: Focus on the most relevant processes or areas of memory based on the incident or
investigation.
Use Multiple Tools: Combine different tools and techniques to get a comprehensive view of
memory contents.
Correlate: Correlate findings from memory analysis with other forensic evidence, such as disk
images or network logs.
Stay Updated: Keep up with the latest memory forensics techniques and tools, as attackers are
constantly evolving their methods.
Identifying Injected Code with Malfind and YARA
Understanding the Tools
Malfind (Volatility Plugin): malfind is a plugin for the Volatility memory forensics framework.
It's designed to identify hidden or injected code within a process's memory. It achieves this by
analyzing the memory regions and looking for characteristics like:
o Unusual memory protection (e.g., PAGE_EXECUTE_READWRITE)
o Code that isn't associated with any loaded DLLs
o Memory regions with executable code but no corresponding file on disk
YARA: YARA is a powerful pattern-matching tool that allows you to define rules to identify
specific strings, byte sequences, or other patterns within files or memory. These rules can be used to
detect known malware signatures, suspicious code snippets, or other artifacts of interest.
How They Work Together
1. Memory Acquisition: First, you need to acquire a memory dump of the system you want to analyze.
This can be done using tools like Volatility, Rekall, or commercial memory acquisition tools.
2. Malfind Analysis: Use the malfind plugin within Volatility to identify potentially injected code.
malfind will analyze the memory regions of the target process and highlight any suspicious areas.
3. YARA Scanning: Once you've identified potential areas of injected code with malfind, you can use
YARA to scan those specific memory regions. This allows you to:
o Confirm the presence of known malware by matching against YARA rules
o Identify specific code patterns or artifacts within the injected code
o Gain further insights into the functionality or purpose of the injected code
Example Workflow
1. Acquire Memory: volatility -f memory.dump imageinfo (to identify the correct memory
profile)
2. Run Malfind: volatility -f memory.dump --profile=<profile> malfind -p <PID> -D
<output_directory> (replace <PID> with the process ID and <output_directory> with a
directory to save the output)
3. Scan with YARA: volatility -f memory.dump --profile=<profile> yarascan -Y
<yara_rules_file> -p <PID> (replace <yara_rules_file> with the path to your YARA rules)
Benefits of Combining Malfind and YARA
Increased Accuracy: malfind helps pinpoint suspicious areas, reducing the scope for YARA
scanning and improving efficiency.
Enhanced Detection: YARA rules provide a powerful way to identify known malware or specific
code patterns that might not be obvious through memory region analysis alone.
Deeper Analysis: Combining the results of both tools provides a more comprehensive understanding
of the injected code and its potential impact.
8|Page
�Important Considerations
YARA Rule Quality: The effectiveness of YARA scanning depends on the quality and
comprehensiveness of your YARA rules.
Anti-Forensics: Attackers may use techniques to evade detection, such as code obfuscation or anti-
analysis techniques.
Memory Volatility: Memory is volatile, so it's essential to acquire memory as soon as possible after
an incident.
By effectively using malfind and YARA together, you can significantly improve your ability to identify and
analyze injected code within process memory, aiding in incident response and malware investigations.
9|Page
