Logo
RSS Feed

๐Ÿบ RAM

Created: 01.06.2023

*Memory is the best evidence, although the hardest to preserve. If you recall Frozen II, “Water has memory” - same story. Even if you delete all the evidence, memory silently remembers all that. But it’s so fragile… img

KPCR - (Kernel) Processor Control Region. It points to a KDBG, Kernel Debugging Data Block, a structure maintained by the Windows kernel for debugging purposes. KPCR’s offset is fixed on Windows XP but differs in later versions. There are two ways to find KDBG: scan for its signature or find the KPCR and then follow the offset specified. Why do we even need this KDBG? It has a pointer PsActiveProcessHead which points to the list of processes (called EPROCESS) with all the information about those dudes.

img

Each EPROCESS has two essential structures: PEB (Process Environment Block) and VAD (Virtual Address Descriptors). PEB contains ๐Ÿพ path to the executable, ๐Ÿพ command line that spawned the process, ๐Ÿพ linked list of DLLs used. VAD is a balanced tree structure that keeps track of all pages allocated for this process (virtual addresses).

PEB contains several doubly-linked lists that can be helpful when spotting hiding malware: ๐Ÿพ InLoadOrderModule list (InLoad) - doubly-linked list ๐Ÿพ InInitializationOrderModule list (InInit) - doubly-linked list ๐Ÿพ InMemoryOrderModule list (InMem) - doubly-linked list

Collection

Why even bother collecting RAM?

  • User Activity –> File usage and knowledge. Prove someone did something or used something. Common artefacts: Prefetch, ShimCache, Web browser, $MFT (master file table).
  • Encryption –> Key files and passwords. Standard tools: hashcat, passware.
  • Host compromise –> Processes, network activity, malware, rootkits, persistence.

…force a crash and subsequently produce a memory dump as a mechanism for collecting volatile data. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.

๐Ÿ“˜ dd if=\\.\PhysicalMemory of=memory.img conv=noerror # requires elevated privileges.
# โ€˜\\.\PhysicalMemoryโ€™; a second device, โ€˜\\.\DebugMemoryโ€™

โ—๏ธ All loaded device drivers on modern systems must be digitally signed. โ—๏ธTo be loaded on servers, drivers now must pass the Windows Hardware Quality Labs certification. The forensic workaround is not yet clear.

Live

๐Ÿพ RAM image (bit-by-bit copy of RAM). It can be acquired for all PC, there are certain complications with a Mac. Also, you can collect RAM data for mobile devices for separate processes only. Virtual machines are usually stored in a separate file once the system is suspended. ๐Ÿพ Network connections, ARP cache ๐Ÿพ Process tree

๐Ÿ› ๏ธ WinPMEM, ๐Ÿ› ๏ธ DumpIt, ๐Ÿ› ๏ธ F-Response and SIFT, ๐Ÿ› ๏ธ Belkasoft Live RAM Capturer, ๐Ÿ› ๏ธ MagnetForensics Ram Capture

Dead

๐Ÿพ Hibernation files. Exist on major OS (Windows, Mac, Linux). For Windows - hyberfil.sys. It’s a RAM capture made by OS when the PC falls asleep ๐Ÿ’ค. ๐Ÿ“‚ %SystemDrive%\hyberfil.sys ๐Ÿพ Page files. ๐Ÿ“‚ %SystemDrive%\pagefile.sys. Partial RAM. ๐Ÿพ Swap files. ๐Ÿ“‚ %SystemDrive%\swapfile.sys (Win8+ and 2012+). Partial RAM, suspended modern applications swapped to disk. ๐Ÿพ Crash dumps. ๐Ÿ“‚ %WINDIR%\MEMORY.DMP, it’s a full RAM copy.

๐Ÿ›  Belkasoft RAM Capturer. ~4Mb footprint in RAM, slow. Magnet RAM Capturer - huge footprint, fast. Dumpit - the fastest, the smallest footprint (didn’t work on Win10 on a VM Parallels on macOS). All of the aforementioned tools run in kernel mode! FTK Imager - big footprint, user mode, doesn’t work on VM (in my case). Benchmark the tools yourself from time to time. Redline, Fast Dump (fdpro.exe). Sumuri’s Interception (included with Paladin). Exploits some memory bug on some OS for machines that have either Thunderbolt or a Firewire to overwrite the admin’s password in memory.

Malfind. https://www.linkedin.com/pulse/process-injection-detection-malfind-britton-manahan/

Determine the correct profile (Vol2)

Volatility 3 deduces the profile itself. With vol2, you need to do that manually. Two plugins are available for that: kdbgscan and imageinfo.

โœ๏ธ A useful note, use ๐Ÿ“˜ export VOLATILITY_LOCATION and ๐Ÿ“˜ export VOLATILITY_PROFILE so that you won’t have to specify --profile and -f options every time.

kdbgscan is very slow since it has to scan the image to find the KDBG. The latest OS versions encrypt KDBG; thus, volatility needs to find KdCopyDataBlock to decrypt it, making it work even slower. So, once you get the offset (virtual offset of KDBG on Vista- and KdCopyDataBlock on Win8+), use -g or --kdbg option with other plugins to speed up the analysis since some modules will try to find this structure on their own (pslist, for instance).

kdbgscan will spill out several possible guesses, and you must choose the right one. Of course, it helps if you know the OS and the patch version and can explicitly provide it. But when it’s not an option, try several options to see which one yields any good-looking results (Kernal Base Matches MZ set to True, PsActiveProcessHead and PsLoadedModuleList showing the reasonable number for a live system, KPCR address is provided).

imagescan can give you additional info that’s useful for the investigation: ๐Ÿพ capture time (system time) and DTB (directory table base).

How to determine if the profile is correct?

Convert To Raw

Several other formats can contain RAM residues: crash dumps, hibernation and swap files, virtual machine RAM, and live firewire sessions. To normalise the data so that volatility can feast on it, use imagecopy plugin.

hyperfil.sys

๐Ÿ“‚ %SystemDrive%\hiberfil.sys

Compressed RAM dump at the moment of hibernation. On Win8+ - new format and greater frequency.

โ—๏ธDoesn’t work on VMs.

On Win8+ the file is zeroed out (leaving only 4K at the beginning), hence the new artefact is smaller. Also, Fast Startup is now taking over, which means it logs the user out before creating a hibernation file. Hence, the file is even smaller.

๐Ÿ“˜ powercfg.exe # to see the hibernation settings
๐Ÿ“˜ powercfg.exe /hibernate on # turn hibernation on

Decompression tools ๐Ÿ› ๏ธ: Volatility, imagecopy, hibr2bin.exe, Hibernation Recon. Analysis tools ๐Ÿ› ๏ธ: BulkExtractor, Magnet AXIOM, Volatility, Passware.

Structure:

Field Content
Header PO_MEMORY_IMAGE structure
Page list An array of physical page
Processor State CONTEXT + KSPECIAL_REGISTERS
Memory Range Array n Header: NextTable page, Number of entries. Entries: Destination page + Checksum.
Xpress compressed block p Magic \x81\x81xpress (>Win2K). Compressed data
Xpress compressed block p+1
Memory Range Array n+1

Win8+ - new file format.

Not as common, but just as good. imagecopy plugin converts different formats into raw format to speed up. Hiberfile - compressed. Determine the OS profile and run the plugin.

vol.py -f crash.dmp --profile=Win7SP2x64 imagecopy -O crash2mem.raw
vol.py -f hyberfil.sys --profile=Win7SP2x64 imagecopy -O hibir2mem.raw

C:\hiberfil.sys

C:\Memory.dmp

What is hyberfil.sys. Two types of compression.

imageinfo - to identify the profile for memory image. Running vol.py imageinfo -f hiberfil.sys is slow and inefficient. No profiles were sugested. But when we have a live capture of a system, we can use this dump to determine the profile to perfom actions with the right profile on hyberfil.sys.

pagefile.sys

๐Ÿ“‚ %SystemDrive%\pagefile.sys

When Windows system runs out of RAM, it uses HDD space to temporarily store the data from RAM. To acquire it from a live system: use https://ericzimmerman.github.io/#!index.md or FTK Imager. Get separate files using PhotoRec or using a Hex redactor (for example, 101 Editor). This file is deleted on reboot.

Properties:

Hidden True Owner SID S-1-5-32-544
System True Owner Name ะะดะผะธะฝะธัั‚ั€ะฐั‚ะพั€ั‹
Read Only False Group SID S-1-5-18
Archive True Group Name SYSTEM

To copy this file use RawCopy64.exe /FileNamePath:c:\pagefile.sys.

To parse this file:

strings pagefile.sys | egrep "^https?://" # show URLs found in memory
strings pagefile.sys | grep -i "^[a-z]:\\\\" # file paths used are shown
strings pagefile.sys | grep -i "^[a-zA-Z09_]*=.*" # env vars

Apply yarn rules against pagefile.

swapfile.sys

๐Ÿ“‚ %SystemDrive%\swapfile.sys

VMEM

๐Ÿ“˜ python3 vol.py -f 1.vmem windows.vadinfo.VadInfo # to view Virtual Address Descriptors ([VAD](https://resources.infosecinstitute.com/topic/finding-enumerating-processes-within-memory-part-2/)).

VirtualBox

When the VM is suspended, NOT full memory dump is saved. So, it’s tricky to parse and analyse it. Either collect RAM from within the VM itself or use volatility for some formats.

๐Ÿพ .sav - partial memory image

๐Ÿ“‚ .VirtualBox/Machines/vmname/Snapshots

VMware

โ—๏ธ Uses a more complex format that needs prior parsing, ESX.

Each snapshot has a separate .vmem file. These are not raw memory dumps but contain everything that was in RAM then.

๐Ÿพ .vmem - ram memory ๐Ÿพ .vmss - VMware saved state ๐Ÿพ .vmsn - VMware snapshot

๐Ÿ“‚ C:\XXX\My Virtual Machines\vmname (VMware workstation) ๐Ÿ“‚ dcname\dsname\dirname\vmname\ (ESX)

Hyper-V

โ—๏ธ Uses a more complex format that needs prior parsing, Hyper-V.

๐Ÿพ .bin - memory image, .vsv - save state.

๐Ÿ“‚ C:\XXX\vmname\Virtual Machines\GUID

Analysis

First, you need to understand that data in RAM is not scattered willy-nilly. Weren’t that the case, we would eventually find ourselves up a creek without a paddle.

Get the Profile Info (vol2)

imagecopy plugin is used to convert some file types into raw format. It decreases the time, needed to analyse the file. How to get the correct profile since imageinfo gives you several options and kdbscan gives even more? Below is the output from imageinfo. The purple square shows the service pack version and the green one - the correct profile with the correct service pack. The other two suggested profiles have some service pack versions appended to the end.

vol_py_imageinfo_mem_udemy

Then validate the file by listing processes that were run:

๐Ÿ“˜ vol.py -f hiberfil.raw pslist --profile=Win7SP0x86

If the output makes sense (like the one one in the picture below), the profile is correct.

vol_py_pslist_udemy

Convert to raw

hiberfil files are not as common, but just as good. imagecopy plugin converts different formats into raw format to speed up. Also saves up to 75% of memory size, therefore decreasing the time for analysis. First, determine the OS profile (for vol2) and run the plugin.

๐Ÿ“˜ vol.py -f hiberfil.sys --profile=Win7SP0x86 imagecopy -O hyber.raw
๐Ÿ“˜ vol.py -f crash.dmp --profile=Win7SP2x64 imagecopy -O crash2mem.raw
๐Ÿ“˜ vol.py -f hyberfil.sys --profile=Win7SP2x64 imagecopy -O hibir2mem.raw

Running vol.py imageinfo -f hiberfil.sys, for example, is slow and inefficient. No profiles were suggested. But when we have a live system capture, we can use this dump to determine the profile to perform actions with the right profile on hyberfil.sys.

Compression

Win8.1+ is now compressing some memory regions.

๐Ÿ› ๏ธ winmem_decompress.py. The output can’t be analysed with volatility, it’s slow. ๐Ÿ› ๏ธ win10memcompression.py

References

Expand…

[1] Magnet

[2] SDF Memory Forensics

[1] ะขะฐะนะฝั‹ ั„ะฐะนะปะฐ ะฟะพะดะบะฐั‡ะบะธ pagefile.sys: ะฟะพะปะตะทะฝั‹ะต ะฐั€ั‚ะตั„ะฐะบั‚ั‹ ะดะปั ะบะพะผะฟัŒัŽั‚ะตั€ะฝะพะณะพ ะบั€ะธะผะธะฝะฐะปะธัั‚ะฐ

[2] About hybernation files

[3] About new hybernation file format

https://resources.infosecinstitute.com/topic/finding-enumerating-processes-within-memory-part-2/

https://imphash.medium.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-part-5-a-2368187685e

https://eforensicsmag.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-by-kirtar-oza/

https://eforensicsmag.com/85384-2/