windows Memory Forensics

windows Memory forensics plays a vital role in incident response and digital forensics. Here are the primary purposes and benefits

Detection of Malicious Activities:

Process Analysis
DLL & Handle Analysis
File & Registry Analysis
Network Analysis
User & Session Information
Memory Dumps
Module & Driver Analysis
Malware & Anomaly Detection
Miscellaneous
Memory Dumping & Extraction
Memory Artifacts
Event Log Extraction
Lateral Movement Detection
Registry-based Persistence Detection
Timeline Creation

IN this section , I am going to talk about Linux Memory Forensics with Volatility 3

Analyze the Memory Dump

python3 vol.py -f <memory_dump> <plugin_name> [options]

-f <memory_dump>: Path to the memory dump file.
<plugin_name>: Volatility 3 plugin to use
--pid <process_id> # optional

1.Process Analysis

    pslist: Lists running processes.
    pstree: Shows running processes in a tree structure.
    psscan: Scans for process structures in memory.
    pidhashtable: Retrieves processes using the PID hash table.
    psenv: Displays the environment variables of a process.
    cmdline: Displays the command line arguments for processes.
    
vol.py -f <memory image> windows.cmdline --pid <process_id>

2.DLL & Handle Analysis


    dlllist: Lists loaded DLLs for each process.
    ldrmodules: Lists the loaded modules (DLLs) in a process's memory.
    handles: Shows the open handles for each process.

vol.py -f <memory image> windows.dlllist --pid <process_id>
ldrmodules: Helps in detecting hidden or unlinked DLLs loaded in a process

3.File & Registry Analysis

    filescan: Scans for file objects in memory.
    dumpfiles: Extracts files from memory to disk.
    printkey: Displays the contents of a registry key.
    regscan: Scans for registry objects in memory.
    dumpregistry: Extracts registry hives to disk.
    mftscan.MFTScan:  to see the file creation
    windows.registry.userassist : Shows user-executed programs and files - Provides timestamps and execution counts- seful for identifying user activity and potential execution of malicious files
    windows.registry.hivelist : Lists all registry hives loaded on the system
    windows.registry.printkeys : Prints all keys and values of a given registry hive
    windows.registry.printkeys --hive NTUSER.DAT --key "Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    windows.mftscan.ADS : Scans for Alternate Data Stream
    windows.dumpfiles --name "C:\\Windows\\System32\\config\\SAM"
     
vol.py -f <memory image>  windows.dumpregistry --dump-dir /path/to/dump

Listing Registry Hives:This will list the memory addresses and paths to the registry hives stored in the memory image
vol.py -f  <memory image>     windows.registry.hivelist
Extracting Specific Registry Key:
vol.py -f  <memory image>     windows.registry.printkey --offset <hive_offset> --key "<registry_key_path>"

4.Network Analysis connections

    connections: shows the connections.
    netscan: Scans for network connections (both active and terminated).
    connscan: Scans for network connections.
    sockets: Lists active socket connections.

5.User & Session Information

    getservicesids: Retrieves the SID (Security Identifier) of services.
    sessions: Lists details about user sessions.
    sockscan: Scans for socket objects.
    prefetch:Check for indicators of recent execution

6.Memory Dumps


    memmap: Displays the memory map of a process.
    vaddump: Dumps the virtual address space of a process.
    dumpfiles: Dumps the memory content

Dump the PowerShell process memory:
Once you've identified the PID of the PowerShell process, use the windows.memmap and windows.dumpfiles plugins to dump the memory of the process:
     vol.py -f memory.mem windows.memmap --pid <PID>
This command will display the memory-mapped regions of the PowerShell process. Afterward, use windows.dumpfiles to dump the memory content:
     vol.py -f <memory image> windows.dumpfiles --pid <PID> --dump-dir .

Run memmap to inspect the memory of the process.
Use dumpfiles to dump the memory content of the PowerShell process

Why Sequential Usage is Important:
    Step 1 (windows.memmap) helps you understand and verify the memory structure of the process, ensuring that you're targeting the correct memory regions.
    Step 2 (windows.dumpfiles) allows you to actually extract the process’s memory for deeper analysis (e.g., extracting Cobalt Strike beacons, malware, etc.)

7.Module & Driver Analysis

    modules: Lists kernel modules (drivers) loaded in memory.
    modscan: Scans for kernel modules in memory.
    driverscan: Scans for driver objects in memory.

8.Malware & Anomaly Detection

    malfind: Identifies potentially malicious code in process memory.
    apihooks: Detects API hooks used by rootkits or malware.
    mutantscan: Scans for mutexes in memory, often used in malware.
    ssdt: Displays the System Service Descriptor Table (often altered by rootkits).
    callbacks: Lists callback functions, which can be used by rootkits.
    yarascan: Scans memory using YARA rules for malware detection.

9.Miscellaneous

    windows.info: Shows basic information about the Windows memory image.
    timeliner: Creates a timeline of activities from memory.
    hibinfo: Extracts hibernation information.
    verinfo: Shows the version information of the Windows kernel.

10.Memory Dumping & Extraction


    procdump: Dumps the executable of a process from memory.
    moddump: Extracts kernel modules.
    vboxinfo: Extracts information from VirtualBox processes

moddump: Dumps kernel modules (useful for malware analysis):
    vol.py -f <memory image> windows.moddump --dump-dir /path/to/dump
Dumping a Process : 
    vol.py -f <memory image> windows.procdump --pid <process_id> --dump-dir /path/to/dump
      --pid: Specifies the process ID to dump.
      --dump-dir: Defines the directory where the dumped file will be saved.

11.Memory Artifacts

vadinfo: Lists the virtual address descriptors of a process.
vadtree: Displays virtual memory allocations in a tree structure.
vaddump: Dumps the virtual address space of a process

vol.py -f  <memory image>  vaddump --pid 1234 -D output

Extracting Event Logs:

    evtlogs: plugin allows you to extract and analyze Windows Event Logs from memory dumps
    python3 vol.py -f <memory image>  windows.evtlogs

Detecting Lateral Movement:

getsids: The plugin extracts SIDs assigned to each running process, allowing analysts to see the user accounts and groups 
vol.py -f  <memory image>  windows.getsids

Benfit:
1-etecting Privilege Escalation: By examining SIDs, you can determine if a non-privileged process somehow gained privileged access, which may point to exploitation
2-Identifying Suspicious Users or Accounts: If a process is running under an unexpected or malicious account, this may indicate that an attacker has used a compromised account
3- Finding Malicious Processes: Attackers often inject or spawn processes under accounts with elevated privileges to remain hidden. getsids helps in identifying these processes

Registry-based persistence:

handles:dentifying registry keys that a process has opened, specifically looking for signs of persistence mechanisms.
vol.py -f  <memory image>  windows.handles --pid < process PID > 

 Common registry-based persistence keys to look for are:
        HKLM\Software\Microsoft\Windows\CurrentVersion\Run
        HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 For system startup:
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 For user logons:
       HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
       HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
       HKCU\Software\Microsoft\Windows\CurrentVersion\Run
       HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Create a Timeline:

Use the timeliner plugin to extract a chronological sequence of events from the memory dump, helping you build a timeline of the attack or suspicious activities 
vol.py -f <memory image> windows.timeliner --output-file timeline.csv

NextWindows Registry Forensics

Last updated 4 months ago

pslist: Lists running processes. pstree: Shows running processes in a tree structure. psscan: Scans for process structures in memory. pidhashtable: Retrieves processes using the PID hash table. psenv: Displays the environment variables of a process. cmdline: Displays the command line arguments for processes. vol.py -f <memory image> windows.cmdline --pid <process_id>

dlllist: Lists loaded DLLs for each process. ldrmodules: Lists the loaded modules (DLLs) in a process's memory. handles: Shows the open handles for each process. vol.py -f <memory image> windows.dlllist --pid <process_id> ldrmodules: Helps in detecting hidden or unlinked DLLs loaded in a process

filescan: Scans for file objects in memory. dumpfiles: Extracts files from memory to disk. printkey: Displays the contents of a registry key. regscan: Scans for registry objects in memory. dumpregistry: Extracts registry hives to disk. mftscan.MFTScan: to see the file creation windows.registry.userassist : Shows user-executed programs and files - Provides timestamps and execution counts- seful for identifying user activity and potential execution of malicious files windows.registry.hivelist : Lists all registry hives loaded on the system windows.registry.printkeys : Prints all keys and values of a given registry hive windows.registry.printkeys --hive NTUSER.DAT --key "Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist" windows.mftscan.ADS : Scans for Alternate Data Stream windows.dumpfiles --name "C:\\Windows\\System32\\config\\SAM" vol.py -f <memory image> windows.dumpregistry --dump-dir /path/to/dump Listing Registry Hives:This will list the memory addresses and paths to the registry hives stored in the memory image vol.py -f <memory image> windows.registry.hivelist Extracting Specific Registry Key: vol.py -f <memory image> windows.registry.printkey --offset <hive_offset> --key "<registry_key_path>"

connections: shows the connections. netscan: Scans for network connections (both active and terminated). connscan: Scans for network connections. sockets: Lists active socket connections.

getservicesids: Retrieves the SID (Security Identifier) of services. sessions: Lists details about user sessions. sockscan: Scans for socket objects. prefetch:Check for indicators of recent execution

memmap: Displays the memory map of a process. vaddump: Dumps the virtual address space of a process. dumpfiles: Dumps the memory content Dump the PowerShell process memory: Once you've identified the PID of the PowerShell process, use the windows.memmap and windows.dumpfiles plugins to dump the memory of the process: vol.py -f memory.mem windows.memmap --pid <PID> This command will display the memory-mapped regions of the PowerShell process. Afterward, use windows.dumpfiles to dump the memory content: vol.py -f <memory image> windows.dumpfiles --pid <PID> --dump-dir . Run memmap to inspect the memory of the process. Use dumpfiles to dump the memory content of the PowerShell process Why Sequential Usage is Important: Step 1 (windows.memmap) helps you understand and verify the memory structure of the process, ensuring that you're targeting the correct memory regions. Step 2 (windows.dumpfiles) allows you to actually extract the process’s memory for deeper analysis (e.g., extracting Cobalt Strike beacons, malware, etc.)

malfind: Identifies potentially malicious code in process memory. apihooks: Detects API hooks used by rootkits or malware. mutantscan: Scans for mutexes in memory, often used in malware. ssdt: Displays the System Service Descriptor Table (often altered by rootkits). callbacks: Lists callback functions, which can be used by rootkits. yarascan: Scans memory using YARA rules for malware detection.

windows.info: Shows basic information about the Windows memory image. timeliner: Creates a timeline of activities from memory. hibinfo: Extracts hibernation information. verinfo: Shows the version information of the Windows kernel.

procdump: Dumps the executable of a process from memory. moddump: Extracts kernel modules. vboxinfo: Extracts information from VirtualBox processes moddump: Dumps kernel modules (useful for malware analysis): vol.py -f <memory image> windows.moddump --dump-dir /path/to/dump Dumping a Process : vol.py -f <memory image> windows.procdump --pid <process_id> --dump-dir /path/to/dump --pid: Specifies the process ID to dump. --dump-dir: Defines the directory where the dumped file will be saved.

vadinfo: Lists the virtual address descriptors of a process. vadtree: Displays virtual memory allocations in a tree structure. vaddump: Dumps the virtual address space of a process vol.py -f <memory image> vaddump --pid 1234 -D output

getsids: The plugin extracts SIDs assigned to each running process, allowing analysts to see the user accounts and groups vol.py -f <memory image> windows.getsids Benfit: 1-etecting Privilege Escalation: By examining SIDs, you can determine if a non-privileged process somehow gained privileged access, which may point to exploitation 2-Identifying Suspicious Users or Accounts: If a process is running under an unexpected or malicious account, this may indicate that an attacker has used a compromised account 3- Finding Malicious Processes: Attackers often inject or spawn processes under accounts with elevated privileges to remain hidden. getsids helps in identifying these processes

handles:dentifying registry keys that a process has opened, specifically looking for signs of persistence mechanisms. vol.py -f <memory image> windows.handles --pid < process PID > Common registry-based persistence keys to look for are: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run For system startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run For user logons: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Use the timeliner plugin to extract a chronological sequence of events from the memory dump, helping you build a timeline of the attack or suspicious activities vol.py -f <memory image> windows.timeliner --output-file timeline.csv