# windows Memory Forensics Detection of Malicious Activities: * Process Analysis * DLL & Handle Analysis * File & Registry Analysis * Network Analysis * User & Session Information * Memory Dumps * Module & Driver Analysis * Malware & Anomaly Detection * Miscellaneous * Memory Dumping & Extraction * Memory Artifacts * Event Log Extraction * Lateral Movement Detection * Registry-based Persistence Detection * Timeline Creation IN this section , I am going to talk about Linux Memory Forensics with Volatility 3 Analyze the Memory Dump `python3 vol.py -f [options]` * `-f `: Path to the memory dump file. * ``: Volatility 3 plugin to use * `--pid ` # optional ### 1.Process Analysis ``` pslist: Lists running processes. pstree: Shows running processes in a tree structure. psscan: Scans for process structures in memory. pidhashtable: Retrieves processes using the PID hash table. psenv: Displays the environment variables of a process. cmdline: Displays the command line arguments for processes. vol.py -f windows.cmdline --pid ``` *** ### 2.DLL & Handle Analysis ``` dlllist: Lists loaded DLLs for each process. ldrmodules: Lists the loaded modules (DLLs) in a process's memory. handles: Shows the open handles for each process. vol.py -f windows.dlllist --pid ldrmodules: Helps in detecting hidden or unlinked DLLs loaded in a process ``` *** ### 3.File & Registry Analysis ``` filescan: Scans for file objects in memory. dumpfiles: Extracts files from memory to disk. printkey: Displays the contents of a registry key. regscan: Scans for registry objects in memory. dumpregistry: Extracts registry hives to disk. mftscan.MFTScan: to see the file creation windows.registry.userassist : Shows user-executed programs and files - Provides timestamps and execution counts- seful for identifying user activity and potential execution of malicious files windows.registry.hivelist : Lists all registry hives loaded on the system windows.registry.printkeys : Prints all keys and values of a given registry hive windows.registry.printkeys --hive NTUSER.DAT --key "Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist" windows.mftscan.ADS : Scans for Alternate Data Stream windows.dumpfiles --name "C:\\Windows\\System32\\config\\SAM" vol.py -f windows.dumpregistry --dump-dir /path/to/dump Listing Registry Hives:This will list the memory addresses and paths to the registry hives stored in the memory image vol.py -f windows.registry.hivelist Extracting Specific Registry Key: vol.py -f windows.registry.printkey --offset --key "" ``` ### 4.Network Analysis connections ``` connections: shows the connections. netscan: Scans for network connections (both active and terminated). connscan: Scans for network connections. sockets: Lists active socket connections. ``` ### 5.User & Session Information ``` getservicesids: Retrieves the SID (Security Identifier) of services. sessions: Lists details about user sessions. sockscan: Scans for socket objects. prefetch:Check for indicators of recent execution ``` ### 6.Memory Dumps ``` memmap: Displays the memory map of a process. vaddump: Dumps the virtual address space of a process. dumpfiles: Dumps the memory content Dump the PowerShell process memory: Once you've identified the PID of the PowerShell process, use the windows.memmap and windows.dumpfiles plugins to dump the memory of the process: vol.py -f memory.mem windows.memmap --pid This command will display the memory-mapped regions of the PowerShell process. Afterward, use windows.dumpfiles to dump the memory content: vol.py -f windows.dumpfiles --pid --dump-dir . Run memmap to inspect the memory of the process. Use dumpfiles to dump the memory content of the PowerShell process Why Sequential Usage is Important: Step 1 (windows.memmap) helps you understand and verify the memory structure of the process, ensuring that you're targeting the correct memory regions. Step 2 (windows.dumpfiles) allows you to actually extract the process’s memory for deeper analysis (e.g., extracting Cobalt Strike beacons, malware, etc.) ``` ### 7.Module & Driver Analysis ``` modules: Lists kernel modules (drivers) loaded in memory. modscan: Scans for kernel modules in memory. driverscan: Scans for driver objects in memory. ``` ### 8.Malware & Anomaly Detection ``` malfind: Identifies potentially malicious code in process memory. apihooks: Detects API hooks used by rootkits or malware. mutantscan: Scans for mutexes in memory, often used in malware. ssdt: Displays the System Service Descriptor Table (often altered by rootkits). callbacks: Lists callback functions, which can be used by rootkits. yarascan: Scans memory using YARA rules for malware detection. ``` ### 9.Miscellaneous ``` windows.info: Shows basic information about the Windows memory image. timeliner: Creates a timeline of activities from memory. hibinfo: Extracts hibernation information. verinfo: Shows the version information of the Windows kernel. ``` ### 10.Memory Dumping & Extraction ``` procdump: Dumps the executable of a process from memory. moddump: Extracts kernel modules. vboxinfo: Extracts information from VirtualBox processes moddump: Dumps kernel modules (useful for malware analysis): vol.py -f windows.moddump --dump-dir /path/to/dump Dumping a Process : vol.py -f windows.procdump --pid --dump-dir /path/to/dump --pid: Specifies the process ID to dump. --dump-dir: Defines the directory where the dumped file will be saved. ``` ### 11.Memory Artifacts ``` vadinfo: Lists the virtual address descriptors of a process. vadtree: Displays virtual memory allocations in a tree structure. vaddump: Dumps the virtual address space of a process vol.py -f vaddump --pid 1234 -D output ``` *** ### Extracting Event Logs: ``` evtlogs: plugin allows you to extract and analyze Windows Event Logs from memory dumps python3 vol.py -f windows.evtlogs ``` ### Detecting Lateral Movement: ``` getsids: The plugin extracts SIDs assigned to each running process, allowing analysts to see the user accounts and groups vol.py -f windows.getsids Benfit: 1-etecting Privilege Escalation: By examining SIDs, you can determine if a non-privileged process somehow gained privileged access, which may point to exploitation 2-Identifying Suspicious Users or Accounts: If a process is running under an unexpected or malicious account, this may indicate that an attacker has used a compromised account 3- Finding Malicious Processes: Attackers often inject or spawn processes under accounts with elevated privileges to remain hidden. getsids helps in identifying these processes ``` ### Registry-based persistence: ``` handles:dentifying registry keys that a process has opened, specifically looking for signs of persistence mechanisms. vol.py -f windows.handles --pid < process PID > Common registry-based persistence keys to look for are: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run For system startup: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run For user logons: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ``` ### Create a Timeline: ``` Use the timeliner plugin to extract a chronological sequence of events from the memory dump, helping you build a timeline of the attack or suspicious activities vol.py -f windows.timeliner --output-file timeline.csv ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://mahmoud-shaker.gitbook.io/dfir-notes/windows-memory-forensics.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.