It’s quite a while since I did any real in-depth incident response forensics. I’ve kept my hand in with the odd job and a bit of reading every now and then but I will be involved in a lot of incident response work for my new job (I’ll be working in Africa). As with all of these posts, primarily intend to refresh my memory or document new ‘bits and pieces’ that I have picked up. My memory’s like a sieve so I’d be lost without some form of reference point.
Equivalent to this
Today I’ll be documenting some of the basics commands available in Volatility. This is by no means an exhaustive RAM analysis tutorial. It’s just here as a reminder of some of the commands that are available.
In the words of the project team: ‘The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.’
The first thing you’ll need to do is create an image of the RAM of your target computer. For a while I’ve been looking for a stable 32 and 64 bit software utility to enable this. Moonsol’s DumpIt seems to be the answer. DumpIt can be put onto a removable media device and although I haven’t tested it on Vista and Windows 7 machines (unsure about Windows 8 just now), I believe it’s compatible.
I’ve cribbed from a variety of website and books to produce the examples below. They’re all listed in the reference section. The RAM image is of the Zeus sample taken from Volatility’s website.
If you don’t know the details of the operating system that your RAM image was taken then you can run the Volatility ‘imageinfo’ command as shown below:
Next, it is prudent to discover the processes running on your system when the RAM image was taken. Two useful commands are PSScan and PSList. PSList is, however, susceptible to DKOM (Direct Kernel Object Manipulation). This means that doubly linked lists that point to the EProcess structures in which process details are stored can be overwritten which enables the hiding of processes. PSScan, however, works by looking for these EProcess structures and hence hidden processes can be discovered.
So, first the PSScan command was executed (the screenshots aren’t great – I’d not setup my VM too well):
Nothing super-interesting here – so we try looking at PSScan and comparing the results:
Spend time examining the processes. For instance, if you find two instances of lsass.exe running on a system, you should investigate further. You should find that a legitimate version lsass.exe of is launched by winlogon.exe so you should find that the parent process for it is winlogon.exe. If it isn’t then you’ve found a problem. You will need to become familiar with the system processes and their parents to help you. You should also compare PSList and PSScan results to see if you can find hidden processes. There are plugins for Volatility called PSScan3 and PSDiff that will automate this comparison process for you.
Another method of hidden process discovery is to use the CSRPSLIST plugin. This tool compares an EProcess scan with the data stored by the csrss process. Csrss holds information on all processes other than itself and those that started before it which are usually (system idle, system and sms.exe). I mention this because it is good to know and certainly true for systems with XP SP1 and SP2 installed.
You can examine network connections with connscan, as below:
Process 856 is connecting to 172.16.176.143. Process 856, according to PSList, is svchost.
You can use the malfind plugin to search for PE headers within process listings (abridged screenshot):
So an executable file (note the MZ signature) of interest was found within process 856. It is also worth noting that malfind has a useful ‘-Y’ flag that can be used in conjunction with its Yara rules to find characteristics associated with malware.
A scan of this file, which we have extracted, shows that malwarefind has indeed found malware!
And just to show you DLLList – which is covered more indepth here :
Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code by Michael Ligh (Author), Steven Adair (Author), Blake Hartstein (Author), Matthew Richard (Author)
Malware Forensics Field Guide for Windows Systems: Digital Forensics Field for Windows Systems
By Cameron H. Malin, Eoghan Casey and James M. Aquilina