Memory Forensics: Where to Start
Have you ever received an image of RAM as part of a forensic case, but didn't really know where to begin the analysis process? To the analyst, RAM is just a large blob of data with minimal structure, or at least not the structure we expect to see when dealing with an operating system.
So where do you start? This article covers the different artifacts that can be found when conducting RAM analysis, and the process one could follow to conduct RAM analysis of a computer intrusion. For the purposes of this article, a computer intrusion is any unauthorized access to a computer system. The article also includes some helpful tips and tricks that can be used when conducting RAM analysis.
So exactly what is RAM? To quote Wikipedia, “Random Access Memory (RAM) is a form of computer data storage.” This storage is volatile, meaning it is easily flushed and is not used for long-term storage. A computer stores information at a memory address, from which it can later be retrieved by a hardware device or a software application. Any information actively used by a computer program or hardware device passes through the system's RAM while it is in use. This is what makes RAM so important when conducting computer forensics. So why is RAM analysis not a part of every computer forensic investigation? There are two main reasons.
- Procedural: Is it acceptable for law enforcement or first responders to introduce artifacts onto the computer system? For RAM to be acquired, the target system has to be running and a collection program has to be introduced to the system and executed, leaving an acquisition footprint. With the advances in malware technology, acquisition of RAM might provide the only evidence that a crime or intrusion was committed. Over time the court system will come to accept that law enforcement or first responders introduce footprints onto the target system during RAM acquisition. Documentation by those conducting the acquisition is key.
- Physical: If the computer is shut down, the contents of RAM are flushed, wiping away all active information held in RAM.
This article focuses on what can be found when conducting RAM analysis and the process flow that a forensic analyst might take when conducting an investigation. RAM artifacts include any piece of data that is used by a software application or hardware device. Depending on the forensic case being investigated, the list of possible artifacts obtained from a running computer could be quite large. Any input or output of a computer program will travel through memory. How long it stays in RAM depends on the size of the RAM and the computer’s need to place new information in previously occupied, but no longer used, sections of RAM. The section below contains a sample of nine types of artifacts that can be found on a running computer system, and why their existence is important to forensic analysis. This list is by no means exhaustive.
- Past and current network connections. This valuable information will contain the remote IP address and port number used in network connections. This information is critical when investigating a computer intrusion, identifying the remote destination the malware is communicating with, the source of child pornography, or the destination of a company's exfiltrated data. The ports used could also be an identifier of the type of traffic that was used as the communication vector, such as HTTP, SMTP, FTP, or some obscure port identified and associated with malware.
- List of running processes at the time of RAM capture. A list of active programs running when the RAM was acquired could provide analysts with some insight on how the system was being used. Visual inspection of a system's desktop or through Task Manager would provide a superficial knowledge of what is running on a system, such as Firefox, Outlook, or Limewire. What will not be revealed from a visual inspection is a process running such as a rootkit, a hidden Trojan used to exfiltrate data or allow remote access, or the keylogger that is siphoning all important user data.
- User names and passwords. Think about how many times users input their user name and password to access an account, whether it is for the local system, or a remote system. This authentication is used to access e-mail, social networking accounts, or their home's wireless access point.
- Loaded Dynamically Linked Libraries (DLL). Being able to list all the DLLs associated with a running process would allow the identification of a malicious DLL that has injected itself into a process. This was a very effective method for the Zeus botnet.
- Contents of an open window. This would include keystrokes into Webmail or an e-mail client, values entered into form fields, and an IM chat client's sessions, including the participants. This list could be extensive.
- Open registry keys for a process. Imagine how crucial it would be to identify the registry keys associated with a malicious process. By associating open registry keys with a certain process, an analyst could tie functionality to that process, such as networking capabilities or encryption, or associate the security identifier (SID) of the user account that started the process. It is also important to identify the method used by the malware to survive a reboot. This information can be identified from the relationships between a process and its registry keys. Just remember that the registry values listed will be those that were “open” at the time of the RAM acquisition. However, the registry key that was responsible for the malware surviving a reboot could still be present in RAM and could be found by dumping the address space for that process.
- Open files for a process. Being able to list open files associated with a process would reveal any open files that are currently being used by the identified malicious process. This is helpful in identifying a resident file that is logging keystrokes, or user names and passwords. This is also important in identifying a configuration file used by a malicious process, even if it is encrypted on disk. This file could then be found in memory and its contents read.
- Unpacked/decrypted versions of a program. One of the most valuable contributions that memory forensics can provide to an analyst is the ability to carve an identified malicious process out of memory. If a malicious file or binary is encrypted on a hard drive, the analyst would have a very hard time decrypting the file in order to obtain its contents. However, every file that is read or executed has to unpack or decrypt itself to run. By following the process below, the malicious file can be identified, carved out of memory, and analyzed through static analysis or by scanning with an anti-virus tool.
- Memory resident malware. Memory resident malware is becoming more prevalent. There is malware in the wild that will only reside in a system's memory, leaving no footprints on the system's hard drive. Any data collected could also just be stored in memory before being exfiltrated to a remote system.
Like anything else, starting something without experience can be a daunting task. Where do you start? The same holds true for RAM analysis. Below is a good starting process for conducting RAM analysis. There are many different ways to tackle a forensic investigation, and the choice mostly depends on the quality and quantity of information the analyst has before beginning the analysis. The process below could be applied to many different types of computer forensic investigations. (NOTE: The information below would be obtained using memory analysis tools that have the functionality to collect network connections, process information, and registry and file information. Two popular memory forensic tools used to collect such information are Volatility and HBGary. The former is a free tool and will be referenced in this article.)
Figure 1 shows the process starting with the identification of a suspicious network connection. Using one of the connection options from Volatility any active or recently closed network connections can be extracted from RAM. A series of WHOIS queries and some open source research can begin to narrow down the network connections. The process below might have to be repeated a few times to further reduce the entries on the list. It should also be noted that the best analysis will come from correlating data from both the RAM capture and artifacts from the hard drive.
Figure 1: The Memory Analysis Process
Identifying a malicious network connection can be done by interviewing the system owner, analyzing a user's Internet history files to identify how frequently a domain or IP address was visited, or by examining any network logs that capture outbound traffic, if there are any. Malware will usually communicate with an outside entity on a set schedule, at regular intervals, and usually with the same packet size, unless the malware is exfiltrating data. Visual analysis of the network logs would quickly identify these trends. Using Volatility, once the network connections are extracted, they will be listed with an associated process ID (PID). Using Volatility's pslist, an analyst can now determine the name of the program that was associated with the network connection by mapping the PID to the process name. Sometimes the name of the program and its location are a dead giveaway to a seasoned analyst. Finding a program initiating a network connection when that is not part of its functionality is suspicious. Figure 2 shows the previously mentioned progression of finding a suspicious network connection, mapping it to the process ID, and then to the process name. Each step along the way collects more artifacts to build a case. Each of these steps will also include time stamps, which further increase the case artifacts.
Figure 2: The Memory Analysis Progression
The collection of artifacts now consists of an IP address (with port number), process ID, and associated process name, all three having time stamps. Knowing these artifacts is crucial. The time stamps will allow the analyst to conduct timeline analysis and correlate with artifacts from the hard drive. Do not take the time stamps found while conducting analysis on the hard drive at face value. It is known that some malware will alter the Standard Information Attribute time stamps in an attempt to throw off an investigation. This is one of the benefits of conducting memory analysis, as malware is not yet conducting anti-forensics within RAM. Knowing the process ID will also provide the parent process ID (PPID). The parent process was responsible for starting the malicious process that initiated the suspicious network connection. This information brings the analyst one step closer to identifying what was originally executed to start the network connection.
Tip: Volatility has the ability to save certain command output in “.dot” format. This “.dot” format can be read by visualization programs like Graphviz (www.graphviz.org), which will provide a graphical representation of the PID to PPID relationship. Visualization provides an easy-to-follow view of the relationship between malicious processes and those used as a vehicle. See the blog article on Mapping Process ID Structures Graphically at www.edgepointforensics.com.
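The progression described above (connection to PID, PID to process name, PID to PPID) and the .dot tip can be automated once the tool output is in hand. The following is an added example, not code from the original article or from the Volatility project. The two text blocks inside it are constructed to resemble Volatility 2 connections and pslist output; the column layout, the process names, the PIDs and the addresses (documentation ranges) are all assumptions, so the regexes should be adapted to the exact output of the tool version in use. The script joins connections to processes, walks each PPID chain upward, and emits a Graphviz DOT graph of the result.

```python
"""Follow the chain network connection -> PID -> process name -> PPID, then
write the process tree as Graphviz DOT.

Added example, not code from the original article or the Volatility project.
CONNECTIONS_OUTPUT and PSLIST_OUTPUT are CONSTRUCTED samples resembling
Volatility 2 'connections' and 'pslist' output; their layout is an assumption.
"""
import re

CONNECTIONS_OUTPUT = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e3a2f0 192.168.1.20:1054         203.0.113.45:443          1684
0x81e4c008 192.168.1.20:1061         198.51.100.7:80           2316
"""

PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- ---------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                      4      0     53      254 ------      0
0x81e2f020 explorer.exe             1504   1480     15      432      0      0 2010-06-01 13:02:11 UTC+0000
0x81e3e2a8 winsvc16.exe             1684   1504      3       88      0      0 2010-06-01 13:05:47 UTC+0000
0x81d9f5b0 firefox.exe              2316   1504     22      610      0      0 2010-06-01 13:06:02 UTC+0000
"""

# offset, local, remote, pid
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
# offset, name, pid, ppid, thds, hnds, sess, wow64, start (start may be empty)
PS_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+\S+\s+\d+\s*(.*)$")


def parse_connections(text):
    """Return a list of {local, remote, pid} dicts from connections output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({"local": m.group(1), "remote": m.group(2), "pid": int(m.group(3))})
    return conns


def parse_pslist(text):
    """Return {pid: {name, ppid, start}} from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            procs[int(m.group(2))] = {"name": m.group(1), "ppid": int(m.group(3)),
                                      "start": m.group(4).strip()}
    return procs


def ancestry(pid, procs):
    """Walk PID -> PPID upward; stop at PID 0, at a parent that has exited
    (not in pslist), or if the chain loops."""
    chain, seen = [], set()
    while pid not in seen:
        seen.add(pid)
        if pid not in procs:
            chain.append((pid, "<not in pslist>"))
            break
        chain.append((pid, procs[pid]["name"]))
        pid = procs[pid]["ppid"]
        if pid == 0:
            break
    return chain


def suspicious_chains(conns, procs):
    """For each connection: (remote endpoint, ancestry chain of the owning PID)."""
    return [(c["remote"], ancestry(c["pid"], procs)) for c in conns]


def to_dot(procs, conns):
    """Render processes (boxes), PPID->PID edges and remote endpoints (red ellipses)."""
    lines = ["digraph memory {", "  rankdir=LR;", "  node [shape=box];"]
    for pid, p in sorted(procs.items()):
        lines.append(f'  "{pid}" [label="{p["name"]}\\nPID {pid}"];')
        if p["ppid"] in procs:
            lines.append(f'  "{p["ppid"]}" -> "{pid}";')
    for c in conns:
        node = f'conn:{c["remote"]}'
        lines.append(f'  "{node}" [label="{c["remote"]}" shape=ellipse color=red];')
        lines.append(f'  "{c["pid"]}" -> "{node}" [label="{c["local"]}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    conns = parse_connections(CONNECTIONS_OUTPUT)
    procs = parse_pslist(PSLIST_OUTPUT)
    for remote, chain in suspicious_chains(conns, procs):
        print(remote, "<-", " <- ".join(f"{name}[{pid}]" for pid, name in chain))
    print(to_dot(procs, conns))  # save to a .dot file and render with: dot -Tpng tree.dot -o tree.png
```

In the constructed sample the chain for the 203.0.113.45:443 connection ends at PID 1480, which is absent from pslist: the parent had already exited when RAM was captured, which is itself worth noting in the case file.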
At this stage in the process, a file resident on the drive has been identified. If the malware is a separate, confined program, as opposed to a malicious code injecting itself into a running process, the steps below can be taken to research the program.
- If the malware is self-contained, the program can be extracted from the hard drive using forensic software. Make note of its location. The program can be scanned with AV scanners, or analyzed with a tool such as IDA Pro or OllyDbg. If the program is encrypted on the hard drive, the identified process can be extracted from the memory capture using Volatility's procdump; the extracted copy will be in an unencrypted state. If the malicious code has been injected into a legitimate process, the process can still be extracted and analyzed through static analysis.
- Examine the prefetch files for the application/process.
- Using forensic software on the hard drive, analyze the time stamps associated with the network connection(s), the process ID, and the parent process ID. Since the time stamps from the hard drive could have been manipulated, compare them with the time stamps extracted from memory to see if they match. This is a good way to identify time-stomping by the malware. Conducting timeline analysis could point to a received e-mail, a Website visited (e.g. a social networking site), or a thumb drive inserted into the system. This information can be crucial for finding the vector of the malware.
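The time stamp comparison in the last step can be scripted. The following is an added example, not code from the original article; every time stamp in it is constructed. The "memory" values stand in for process start times from pslist, the "disk" values for $STANDARD_INFORMATION created/modified times read from the MFT with a disk forensics tool, and the file names and prefetch entry are invented for the sample. It merges both sources into one timeline and flags two conditions: a file whose on-disk creation time is later than its own process start seen in memory (the file ran before it supposedly existed), and, as a weaker heuristic, $SI time stamps whose sub-second component is exactly zero, which timestamp-setting utilities commonly leave behind.

```python
"""Correlate process start times recovered from memory with $STANDARD_INFORMATION
time stamps from the disk image, and flag time-stomping candidates.

Added example, not code from the original article. All values are CONSTRUCTED;
the 'memory' entries stand in for Volatility pslist start times and the 'disk'
entries for $SI attributes read from the MFT.
"""
from datetime import datetime, timezone, timedelta

MEMORY_PROCESS_START = {           # from pslist (memory); constructed
    "winsvc16.exe": "2010-06-01 13:05:47.1234567",
    "firefox.exe":  "2010-06-01 13:06:02.0087651",
    "dropper.tmp":  "2010-06-01 13:05:40.5000000",
}
DISK_SI = {                        # ($SI created, $SI modified) from the MFT (disk); constructed
    "winsvc16.exe": ("2008-04-14 12:00:00.0000000", "2008-04-14 12:00:00.0000000"),
    "firefox.exe":  ("2010-05-20 13:33:21.5512340", "2010-05-20 13:33:24.1190003"),
    "dropper.tmp":  ("2010-06-01 13:06:00.1000000", "2010-06-01 13:06:00.1000000"),
}
OTHER_DISK_EVENTS = [              # constructed timeline context from the drive
    ("2010-06-01 13:04:58.0000000", "disk:outlook", "e-mail attachment 'Invoice.zip' opened"),
    ("2010-06-01 13:05:46.8000000", "disk:prefetch", "WINSVC16.EXE-1A2B3C4D.pf last run"),
]


def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS[.fffffff]' (FILETIME, 100-ns ticks).
    Returns (aware UTC datetime, sub-second ticks)."""
    base, _, frac = text.partition(".")
    ticks = int((frac + "0000000")[:7]) if frac else 0
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt + timedelta(microseconds=ticks // 10), ticks


def check_file(name, si_created, si_modified, process_start):
    """Compare one file's $SI time stamps against its process start from memory."""
    findings = []
    c_dt, c_ticks = parse_ts(si_created)
    _m_dt, m_ticks = parse_ts(si_modified)
    s_dt, _ = parse_ts(process_start)
    if c_dt > s_dt:
        findings.append(f"{name}: $SI created ({si_created}) is later than the process start "
                        f"seen in memory ({process_start}); the disk time stamp was altered")
    if c_ticks == 0 and m_ticks == 0:
        findings.append(f"{name}: $SI created/modified have a zero sub-second component "
                        "(heuristic: timestamp-setting tools commonly write whole seconds)")
    return findings


def check_all():
    findings = []
    for name, start in MEMORY_PROCESS_START.items():
        created, modified = DISK_SI[name]
        findings.extend(check_file(name, created, modified, start))
    return findings


def build_timeline():
    """Merge memory and disk artifacts into one sorted list of (datetime, source, what)."""
    events = []
    for name, start in MEMORY_PROCESS_START.items():
        events.append((parse_ts(start)[0], "memory:pslist", f"{name} started"))
    for name, (created, modified) in DISK_SI.items():
        events.append((parse_ts(created)[0], "disk:$SI", f"{name} created"))
        events.append((parse_ts(modified)[0], "disk:$SI", f"{name} modified"))
    for when, source, what in OTHER_DISK_EVENTS:
        events.append((parse_ts(when)[0], source, what))
    return sorted(events)


if __name__ == "__main__":
    for when, source, what in build_timeline():
        print(when.isoformat(), source.ljust(14), what)
    for finding in check_all():
        print("FLAG:", finding)
```

In the constructed data, winsvc16.exe is flagged only by the whole-second heuristic (its 2008 creation time is plausible on its own, so the memory start time is what anchors the real timeline), while dropper.tmp is flagged because memory proves it was running before the disk says it was created.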
Tip: If you receive a hard drive to analyze but there was no RAM capture, you are not completely out of luck. Through the use of tools such as Mount Image Pro, Virtual Forensic Computing (VFC), and VMware, a hard drive can be resurrected to acquire the RAM. There are plenty of blogs written about this, but here is the process in a nutshell:
- The imaged hard drive residing on the analyst machine is mounted with Mount Image Pro or Live View.
- Use VFC to create a VMware image.
- Use VMware to open the image. The result is the “live” system. If the system is password protected, VFC has a mechanism to bypass the password authentication process.
- At this point, pause VMware, and in the location where the VMware image is stored copy out the file with the extension .vmem. This is a copy of the VMware image's RAM.
It is important to note that the RAM file acquired through the aforementioned process will not contain the same information as the RAM prior to the system being imaged. That said, most malware should survive a reboot and would then appear in the RAM sample just acquired through the use of VFC. It might be wise to let the system run for a while in case the malware delays its start-up. A network sniffer (Wireshark/tcpdump) should also be running to capture any network traffic.
Tip: Here is another tip for finding all kinds of good artifacts related to a process of interest. It was previously discussed how all the different system data flows through RAM, such as the contents of Webmail, a browser's window, chat conversations, and the content of files accessed. How can this information be extracted? Use Volatility's vaddump tool (virtual address descriptor) to extract the address space for a process ID of interest. When executed, the tool will extract the whole address space for the process and break it into chunks in the location designated. It's best to create a separate directory and direct the output there using the “-d” switch. The number of files will vary, but the naming convention will be the name of the file, the beginning and ending address of that section, and the file extension “.dmp” (e.g. winsvc16.exe.22cf738.76f60000-76f8bfff.dmp). It is important to specify the PID of interest, otherwise you will have hundreds of files that you didn't intend to extract. Once all the files are in the designated directory, simply run strings over all the files and direct the output to one file. This file can then be browsed to see all the components of the process in clear text.
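The "strings over the dump directory" step above can be done in a few lines that also catch the UTF-16LE text Windows uses for registry paths and many API strings, which a plain ASCII strings run misses. The following is an added example, not code from the original article or from Volatility. The two .dmp files it writes are constructed (the contents, the process name in the file names and the documentation-range IP address are all invented); the naming follows the vaddump convention quoted above. It extracts ASCII and UTF-16LE runs with offsets, writes one combined file per dump directory, and pulls out a few indicator types worth looking at first.

```python
"""Extract printable strings from vaddump-style .dmp chunks and pull out indicators.

Added example; not code from the original article or from Volatility. The .dmp
contents and names are CONSTRUCTED; real dumps come from vaddump -p <PID> -d <dir>.
"""
import os
import re
import tempfile

# Constructed chunk contents: ASCII text, UTF-16LE text and binary filler.
CHUNK_A = (b"\x00" * 16
           + b"http://203.0.113.45/gate.php" + b"\x00" * 8
           + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
           + b"\x00" * 4 + b"ab" + b"\x00" * 4            # 'ab' is too short to report
           + b"user=jdoe&pass=Summer2010!" + b"\x00")
CHUNK_B = (b"MZ\x90\x00" + b"\x00" * 12
           + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
           + b"This program cannot be run in DOS mode." + b"\x00" * 8)

INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://\S+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "run-key": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "credential": re.compile(r"(?:pass|pwd|password)=", re.IGNORECASE),
}


def extract_strings(data, min_len=6):
    """Return sorted (offset, encoding, text) tuples for printable ASCII runs and
    UTF-16LE runs of at least min_len characters (like 'strings -a' + 'strings -el')."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_indicators(strings):
    """Label strings that match the indicator patterns; returns (label, text) pairs."""
    hits = []
    for _offset, _enc, text in strings:
        for label, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(text):
                hits.append((label, text))
    return hits


def dump_dir_strings(dump_dir, out_path=None, min_len=6):
    """Run extract_strings over every .dmp in dump_dir and write one combined,
    greppable file (name:offset:encoding:text). Returns the number of lines written."""
    out_path = out_path or os.path.join(dump_dir, "all_strings.txt")
    count = 0
    with open(out_path, "w", encoding="utf-8") as out:
        for name in sorted(os.listdir(dump_dir)):
            if not name.endswith(".dmp"):
                continue
            with open(os.path.join(dump_dir, name), "rb") as fh:
                data = fh.read()
            for offset, enc, text in extract_strings(data, min_len):
                out.write(f"{name}:{offset:#x}:{enc}:{text}\n")
                count += 1
    return count


def build_sample_dir():
    """Write the constructed chunks into a temp directory using vaddump's naming convention."""
    d = tempfile.mkdtemp(prefix="vaddump_")
    samples = {
        "winsvc16.exe.22cf738.00400000-00410fff.dmp": CHUNK_A,
        "winsvc16.exe.22cf738.76f60000-76f8bfff.dmp": CHUNK_B,
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    dump_dir = build_sample_dir()
    written = dump_dir_strings(dump_dir)
    print(f"{written} strings written to {os.path.join(dump_dir, 'all_strings.txt')}")
    for name in sorted(os.listdir(dump_dir)):
        if name.endswith(".dmp"):
            with open(os.path.join(dump_dir, name), "rb") as fh:
                for label, text in find_indicators(extract_strings(fh.read())):
                    print(f"{name}: [{label}] {text}")
```

On a real dump directory the indicator pass is only a first cut; the combined strings file is still what you browse, since what matters in a case (a victim address, an exploit name, a chat participant) rarely fits a pattern written in advance.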
A perfect example of the value of dumping the VAD of a process of interest was seeing the contents of Metasploit in action on an attacker's computer system. Not only was the victim's IP address listed, but also the exploit used to compromise the system. Talk about a smoking gun.
Tip: Using Volatility's procdump, any executable found in memory can be carved out. There is an option to select just a process of interest, or all executables found can be extracted. This can be used in a triage situation where you carve all executables out of RAM into a directory and then run various anti-virus scanners over the directory in hopes of finding malware. Through the process discussed above, once you have a process of interest you can carve out just its executable based on its process ID. It is important to remember that a file carved out of memory is not the exact same file that is resident on the hard drive, so its MD5 hash will not match the on-disk copy.
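The triage step and the MD5 caveat can both be shown in a small script. The following is an added example, not code from the original article or from Volatility. The executables in it are constructed stand-ins (an MZ stub, a PE signature and filler bytes), the relocation fix-up and page padding that make the "carved" copy differ from the "disk" copy are simulated, and the executable.<PID>.exe file names are an assumption about how carved files are named. It validates that each carve still has MZ/PE headers (a truncated carve is a common triage failure), groups identical carves by hash so duplicates are scanned once, and measures byte-level similarity to show that a different MD5 does not mean a different program.

```python
"""Triage a directory of executables carved from RAM: header sanity check,
hash grouping, and a demonstration of why carved MD5s differ from disk MD5s.

Added example, not code from the original article or Volatility. All
executables here are CONSTRUCTED stand-ins; the executable.<PID>.exe naming
is an assumption.
"""
import hashlib
import os
import struct
import tempfile


def build_disk_image():
    """Constructed on-disk executable: 64-byte DOS header, PE signature, 256 bytes of 'code'."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature at 0x40
    return bytes(dos) + b"PE\x00\x00" + bytes(range(256))


def simulate_carve(disk_image):
    """Mimic a memory carve: the loader applied a relocation (4 bytes differ)
    and the image is padded to a 4 KiB page boundary."""
    carved = bytearray(disk_image)
    struct.pack_into("<I", carved, 0x100, 0x00401000)  # simulated relocation fix-up
    carved += b"\x00" * (0x1000 - len(carved))
    return bytes(carved)


def check_pe(data):
    """Minimal sanity check of a carved image; returns (ok, reason)."""
    if len(data) < 2 or data[:2] != b"MZ":
        return False, "no MZ header"
    if len(data) < 0x40:
        return False, "DOS header truncated"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False, "no PE signature (truncated carve or not an image)"
    return True, "MZ/PE headers present"


def hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def similarity(a, b):
    """Fraction of byte positions that agree over the common length."""
    n = min(len(a), len(b))
    return sum(1 for i in range(n) if a[i] == b[i]) / n if n else 0.0


def triage_dir(path):
    """Group valid carves by SHA-256 (MD5 kept for reference); list invalid carves with reasons."""
    groups, invalid = {}, {}
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".exe"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            data = fh.read()
        ok, reason = check_pe(data)
        if not ok:
            invalid[name] = reason
            continue
        h = hashes(data)
        groups.setdefault(h["sha256"], {"md5": h["md5"], "files": []})["files"].append(name)
    return groups, invalid


def build_sample_dir():
    """Constructed carve directory: two identical carves and one truncated carve."""
    d = tempfile.mkdtemp(prefix="procdump_")
    carved = simulate_carve(build_disk_image())
    samples = {
        "executable.1684.exe": carved,           # process of interest
        "executable.2400.exe": carved,           # second instance of the same image
        "executable.2316.exe": carved[:0x30],    # carve cut off inside the DOS header
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    disk = build_disk_image()
    carved = simulate_carve(disk)
    print("disk   MD5", hashes(disk)["md5"])
    print("carved MD5", hashes(carved)["md5"])
    print(f"byte-level similarity over common length: {similarity(disk, carved):.4f}")
    groups, invalid = triage_dir(build_sample_dir())
    for sha, g in groups.items():
        print(sha[:16], g["md5"], g["files"])
    print("invalid carves:", invalid)
```

For real samples a fuzzy hash such as ssdeep does the similarity job far better than the byte comparison here, but the point stands: compare a carved image with the disk file by structure and content, not by MD5.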
As malware continues to advance, and full disk encryption becomes more common, the acquisition and analysis of RAM will become that much more important. Given the advances in memory analysis tools and the demonstrated wealth of forensic artifacts being discovered in RAM captures, imaging a system's RAM alongside every hard drive will become the norm.
Mark Wade is the Vice President of EdgePoint Forensics. In past careers Mark has performed digital forensics for a Federal Law Enforcement agency as a government contractor. The forensic work performed was investigating computer and network intrusion, user profiling, and various other Internet investigations. Other prior work included computer/network security for the past twelve years with specific focus in penetration testing, IDS and firewall management, incident response, and malware analysis. EdgePoint Forensics specializes in computer and network forensics, and Operational Investigative Support for cyber-crime. EdgePoint Forensics also offers computer forensics training. www.edgepointforensics.com; firstname.lastname@example.org