Chapter 2 Memory Forensics: Analyzing Physical and Process Memory Dumps for Malware Artifacts
Name: EnCase EnScripts
Page Reference: 113
Author/Distributor: Guidance Software
Available From: http://www.guidancesoftware.com/
Description: Memory analysis capabilities have been developed for EnCase using EnScripts. These are currently maintained at http://cci.cocolog-nifty.com/blog/ and offer some basic functions similar to those of Volatility. The output of the PsScan component of the Memory Forensic EnScript is shown in the following figure.
Name: FTK
Page Reference: 100
Author/Distributor: AccessData
Available From: https://www.accessdata.com
Description: FTK has basic memory parsing capabilities, which can be used by importing a memory dump and reviewing the parsed information under the Volatile tab.
Name: Memoryze/AuditViewer
Page Reference: 101
Author/Distributor: Mandiant
Available From: http://www.mandiant.com/products/free_software/memoryze/
Description: Memoryze and the associated AuditViewer are used to analyze physical memory acquired from many versions of Windows. Several batch scripts are provided with Memoryze to facilitate common analysis tasks:
• Process.bat extracts details about processes, including malicious code injection.
• DriverSearch.bat extracts details about drivers.
• HookDetection.bat looks for common hooking methods.
• DriverWalkList.bat provides a linked list of modules and drivers.
These batch scripts rely on XML configuration files and require each command-line option to be explicitly set to true or false to produce the desired results in XML format. An example command line for Process.bat is:
    C:\>Process.bat -input E:\FuTo-Rootkit.dmp -output E:Analysis -handles true -ports true -sections true -injected true
Customized scripts can be created to perform specific combinations of analysis. Audit Viewer provides a graphical user interface for examining the XML output created by Memoryze, as shown in the following figure.
Name: PTFinder
Page Reference: 102
Author/Distributor: Andreas Schuster
Available From: http://computer.forensikblog.de/files/ptfinder/
Description: PTFinder is a set of Perl scripts developed by Andreas Schuster that methodically search a memory dump for the signatures of EPROCESS and ETHREAD data structures. It performs no conversion between virtual and physical addresses (http://computer.forensikblog.de/en/2006/03/ptfinder_0_2_00.html).
    E:\PTFinder>ptfinder_xpsp2.pl --nothreads FUTo-memory-20070909.dd
    No.  Type  PID   TID  Time created         Offset      PDB         Remarks
    ---- ----  ----  ---- -------------------  ----------  ----------  ------------
    1    Proc  0                               0x00544640  0x00039000  Idle
    2    Proc  664        2007-09-09 18:12:25  0x0104ab50  0x03f49000  csrss.exe
    3    Proc  1852       2007-09-09 18:12:00  0x0104c818  0x0aa13000  logonui.exe
    4    Proc  592        2007-09-09 18:12:23  0x0106f788  0x02f2b000  smss.exe
    5    Proc  1204       2007-09-09 18:17:32  0x01168a18  0x0001b000  helix.exe
    6    Proc  4                               0x01218020  0x00039000  System
    7    Proc  736        2007-09-09 18:12:29  0x020cd7d8  0x05649000  services.exe
    8    Proc  748        2007-09-09 18:12:29  0x02151668  0x05689000  savedump.exe
    9    Proc  1808       2007-09-09 18:19:56  0x026c7420  0x0e906000  dd.exe
    10   Proc  688        2007-09-09 18:12:27  0x03cf0850  0x04e5f000  winlogon.exe
    11   Proc  756        2007-09-09 18:12:29  0x05683da8  0x0566f000  lsass.exe
    12   Proc  928        2007-09-09 18:12:34  0x05cc9da8  0x06208000  ibmpmsvc.exe
    13   Proc  956        2007-09-09 18:12:34  0x0626bd80  0x06299000  svchost.exe
    14   Proc  1080       2007-09-09 18:12:34  0x063d46a0  0x06467000  svchost.exe
    15   Proc  1228       2007-09-09 18:12:36  0x06b00020  0x06aec000  svchost.exe
    16   Proc  1260       2007-09-09 18:12:36  0x06cb0728  0x06ce5000  svchost.exe
    17   Proc  1452       2007-09-09 18:12:38  0x07509da8  0x075a6000  spoolsv.exe
    18   Proc  1604       2007-09-09 18:12:44  0x07daec18  0x07d94000  QCONSVC.EXE
    19   Proc  0          2007-09-09 18:12:45  0x07e26b50  0x07e8f000  skls.exe
    20   Proc  412        2007-09-09 18:13:05  0x08df4da8  0x08ded000  explorer.exe
    21   Proc  632        2007-09-09 18:13:07  0x09783c48  0x09897000  igfxtray.exe
    22   Proc  280        2007-09-09 18:13:08  0x098b2960  0x098fb000  hkcmd.exe
    23   Proc  656        2007-09-09 18:13:08  0x099da6a8  0x09a4a000  LTSMMSG.exe
    24   Proc  828        2007-09-09 18:13:08  0x09afb288  0x09b82000  tp4serv.exe
    25   Proc  404        2007-09-09 18:14:15  0x09afb508  0x0e27a000  wuauclt.exe
    26   Proc  1024       2007-09-09 18:13:08  0x09c3fda8  0x09ba9000  rundll32.exe
    27   Proc  1236       2007-09-09 18:13:09  0x09cec2c0  0x09fed000  Qctray.exe
    28   Proc  1100       2007-09-09 18:13:09  0x09e4da28  0x09e6d000  TPHKMGR.exe
    29   Proc  372        2007-09-09 18:19:56  0x09f05020  0x09774000  cmd.exe
    30   Proc  1284       2007-09-09 18:13:09  0x09f6b6a8  0x0a093000  dirx9.exe
    31   Proc  0          2007-09-09 18:13:10  0x0a10fbe8  0x0a039000  skl.exe
    32   Proc  976        2007-09-09 18:13:16  0x0bc35898  0x0c03b000  msmsgs.exe
Name: Responder
Page Reference: 103
Author/Distributor: HBGary
Available From: http://hbgary.com/
Description: Responder facilitates forensic analysis of physical memory acquired from many versions of Windows by automatically extracting various details. In addition to providing a list of processes and open handles, Responder extracts URLs, usernames, passwords, keys and other information from memory dumps. The graphical user interface enables a digital investigator to navigate memory dumps in various ways, and has a keyword search feature.
The professional version of Responder has some more advanced features for malware analysis, effectively supporting integrated disassembly of executables in memory dumps. The Digital DNA (DDNA) feature attempts to identify malicious code automatically based on various characteristics and provides associated weight values.
Helpful Input Options: Two options available when loading a memory dump into HBGary Responder can provide additional insight from a forensic perspective:
- Word list: words relevant to an investigation to search for while parsing the memory dump
- Binary log:
Name: Volatility
Page Reference: 99-101; 107-108; 110-111; 114-116; 123
Author/Distributor: Volatile Systems
Available From: https://www.volatilesystems.com/default/volatility
Description: Volatility grew out of the FATKit project and is written in Python, with development led by AAron Walters. Volatility can be used to extract information about processes, network connections, open handles and other system-related details. Volatility also supports plugins for customized operations such as detecting malware, extracting Registry information and recovering encryption keys.
    C:\>python volatility -f E:\FuTo-Rootkit -psscan
    Name          Pid   PPid  Thds  Hnds  Time
    System        4     0     53    265   Thu Jan 01 00:00:00 1970
    smss.exe      592   4     3     21    Sun Sep 09 18:12:23 2007
    csrss.exe     664   592   11    385   Sun Sep 09 18:12:25 2007
    winlogon.exe  688   592   20    502   Sun Sep 09 18:12:27 2007
    services.exe  736   688   19    385   Sun Sep 09 18:12:29 2007
    savedump.exe  748   688   0     -1    Sun Sep 09 18:12:29 2007
    lsass.exe     756   688   19    310   Sun Sep 09 18:12:29 2007
    ibmpmsvc.exe  928   736   3     29    Sun Sep 09 18:12:34 2007
    svchost.exe   956   736   8     226   Sun Sep 09 18:12:34 2007
    svchost.exe   1080  736   72    1025  Sun Sep 09 18:12:34 2007
    <edited for length>
A list and description of Volatility plugins is available at http://code.google.com/p/volatility/wiki/Plugins
Helpful Plugins:
Options:
    --info                                Print information about all registered objects
    --tz=TZ                               Sets the timezone for displaying timestamps
    -f FILENAME, --filename=FILENAME      Filename to use when opening an image
    --output-file=OUTPUT_FILE             write output in this file
    -v, --verbose                         Verbose information
Supported Plugin Commands:
    apihooks         [MALWARE] Find API hooks
    bioskbd          Reads the keyboard buffer from Real Mode memory
    connections      Print list of open connections
    connscan2        Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
    crashdump        Dumps the crashdump file to a raw file
    crashinfo        Dump crash-dump information
    csrpslist        [MALWARE] Find hidden processes with csrss handles and CsrRootProcess
    datetime         Get date/time information for image
    dlldump          Dump a DLL from a process address space
    dlllist          Print list of loaded dlls for each process
    driverirp        [MALWARE] Driver IRP hook detection
    driverscan       Scan for driver objects _DRIVER_OBJECT
    files            Print list of open files for each process
    filescan         Scan Physical memory for _FILE_OBJECT pool allocations
    getsids          Print the SIDs owning each process
    hashdump         Dumps passwords hashes (LM/NTLM) from memory
    hibdump          Dumps the hibernation file to a raw file
    hibinfo          Dump hibernation file information
    hivedump         Prints out a hive
    hivelist         Print list of registry hives.
    hivescan         Scan Physical memory for _CMHIVE objects (registry hives)
    idt              [MALWARE] Display Interrupt Descriptor Table
    imageinfo        Identify information for the image
    impscan          [MALWARE] Scan a module for imports (API calls)
    inspectcache     Inspect the contents of a cache
    kpcrscan         Search for and dump potential KPCR values
    ldrmodules       [MALWARE] Detect unlinked DLLs
    lsadump          Dump (decrypted) LSA secrets from the registry
    malfind          [MALWARE] Find hidden and injected code
    memdump          Dump the addressable memory for a process
    memmap           Print the memory map
    moddump          Dump a kernel driver to an executable file sample
    modscan2         Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
    modules          Print list of loaded modules
    mutantscan       Scan for mutant objects _KMUTANT
    mutantscandb     [MALWARE] mutantscan extension for highlighting suspicious mutexes
    notifyroutines   [MALWARE] Print system-wide notification routines
    orphanthreads    [MALWARE] Locate hidden threads
    patcher          Patches memory based on page scans
    printkey         Print a registry key, and its subkeys and values
    procexedump      Dump a process to an executable file sample
    procmemdump      Dump a process to an executable memory sample
    psdiff           Produce a process diff
    pslist           print all running processes by following the EPROCESS lists
    psscan           Scan Physical memory for _EPROCESS objects
    pstree           Print process list as a tree
    regobjkeys       Print list of open regkeys for each process
    sockets          Print list of open sockets
    sockscan         Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
    ssdt             Display SSDT entries
    ssdt_by_threads  [MALWARE] SSDT hooks by thread
    ssdt_ex          [MALWARE] SSDT Hook Explorer for IDA Pro (and SSDT by thread)
    strings          Match physical offsets to virtual addresses (may take a while, VERY verbose)
    svcscan          [MALWARE] Scan for Windows services
    testsuite        Run unit test suit using the Cache
    thrdscan         Scan Physical memory for _ETHREAD objects
    thrdscan2        Scan physical memory for _ETHREAD objects
    vaddump          Dumps out the vad sections to a file
    vadinfo          Dump the VAD info
    vadtree          Walk the VAD tree and display in tree format
    vadwalk          Walk the VAD tree
    verinfo          Prints out the version information from PE images
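The point of running both pslist (an EPROCESS list walk) and psscan (a physical scan for EPROCESS objects) is the cross-view comparison that the psdiff plugin automates: an object the scanner finds that the list walk misses is either an exited process or one unlinked from the list. The routine below is an added example, not code from the book or from the Volatility project; it parses listings in the psscan column layout quoted above, separates the two cases, and also flags non-Idle entries reporting PID 0, as two rows of the PTFinder listing do. The sample listings are constructed for the example and the name suspect.exe is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Column layout of the psscan output quoted on the page: Name Pid PPid Thds Hnds Time
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(-?\d+)\s+(.+)$")

# Constructed sample listings in that layout (not taken from the book's dump).
PSLIST_SAMPLE = """\
Name          Pid  PPid Thds Hnds Time
System        4    0    53   265  Thu Jan 01 00:00:00 1970
smss.exe      592  4    3    21   Sun Sep 09 18:12:23 2007
csrss.exe     664  592  11   385  Sun Sep 09 18:12:25 2007
"""
PSSCAN_SAMPLE = PSLIST_SAMPLE + """\
savedump.exe  748  688  0    -1   Sun Sep 09 18:12:29 2007
suspect.exe   0    688  2    30   Sun Sep 09 18:13:10 2007
"""

def parse_listing(text: str) -> Dict[Tuple[str, int, int], Tuple[int, int]]:
    """Map (name, pid, ppid) -> (threads, handles); the header row never matches ROW."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, pid, ppid, thds, hnds, _time = m.groups()
            rows[(name, int(pid), int(ppid))] = (int(thds), int(hnds))
    return rows

def process_diff(pslist_text: str, psscan_text: str) -> List[Tuple[str, str, int]]:
    """Compare the EPROCESS list walk (pslist) against the physical scan (psscan).

    HIDDEN:     found by scanning, absent from the linked list, still has threads.
    TERMINATED: absent from the list with 0 threads and -1 handles (exited, not hidden).
    ZERO_PID:   a process other than Idle reporting PID 0, as two rows of the PTFinder
                listing above do.
    """
    listed = parse_listing(pslist_text)
    findings = []
    for (name, pid, ppid), (thds, hnds) in parse_listing(psscan_text).items():
        if pid == 0 and name.lower() != "idle":
            findings.append(("ZERO_PID", name, pid))
        if (name, pid, ppid) not in listed:
            kind = "TERMINATED" if (thds == 0 and hnds == -1) else "HIDDEN"
            findings.append((kind, name, pid))
    return findings

if __name__ == "__main__":
    for finding in process_diff(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print("%-10s %s (pid %d)" % finding)
```

Real output from a tool should be fed in unchanged; the exited-process case (savedump.exe in the page's own psscan output, with 0 threads and -1 handles) is what keeps a plain set difference from producing false positives.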