RAM Forensics: The Analysis and Extraction of Malicious Processes from a Memory Image Using a GUI Based Memory Forensic Toolkit

Mr. Vivek Ravindra Sali
Dept. of Computer Engineering
Marathwada Mitra Mandal's College of Engineering
Karvenagar, Pune

Mrs. H. K. Khanuja
Dept. of Computer Engineering
Marathwada Mitra Mandal's College of Engineering
Karvenagar, Pune

Abstract— In today's world the use of the Internet and information technology has grown very rapidly. Due to the increasing use of the Internet, the number of cyber crimes has increased. Hence it has become a very challenging task for the cyber crime investigator not only to find out the root cause of the crime but also to prove it correctly in a court of law. Computer Forensics is the science of investigating a computer system to obtain the digital evidence needed to find out the root cause of cyber crimes. Memory forensics is one of the branches of Computer Forensics. The present techniques of memory forensics, Live Response and Memory Imaging, used by investigators during analysis and seizure operations, involve either carrying out live analysis of the volatile memory (RAM) of the victimized computer system or making an image of the RAM of the suspect's machine and performing post-analysis on a different machine. In this paper the Memory Imaging approach of RAM analysis is used to find out the malicious processes using a GUI based tool that can analyze the volatile memory artifacts affected by malware. The architecture for extracting the malicious processes is described.

Index Terms— Digital investigation, digital evidence, GUI Framework, computer forensics, volatile memory dump, Live Response, YARA Scanner.

I. INTRODUCTION
Computing resources and the Internet play a significant role as vital business tools that provide the necessary information to an individual. Due to the massive use of the Internet, cyber crimes have increased. Cyber crime is any illegal activity which involves a computer system, its related systems or their applications. Today, solving any cyber crime puts up new challenges for a digital forensics investigator [5]. Digital forensics is the process of uncovering and interpreting electronic data. The goal of an investigation is to preserve the evidence that is obtained during the investigation process. This evidence is termed digital evidence and must be preserved so that past events can be reconstructed. The analysis of volatile memory plays a very significant role in the digital investigation process. The volatile memory contains many important artifacts which can be used in the forensic investigation process. The information may include passwords, event logs, cryptographic keys, process information and other vital data related to the processes running in a system [2][8]. The collection of volatile data from a victimized computer system under investigation can be done using a conventional approach known as the Live Response approach. In this approach the investigator first establishes a trusted command shell to acquire the data for the investigation process. Volatile memory analysis using the Live Response method helps to collect all relevant evidence from a system. This evidence can be used to prove any incident that might have compromised a system and resulted in a cyber crime [2]. Another method to analyze volatile memory is to perform memory image analysis, in which the volatile memory is analyzed by first capturing an image of the RAM known as a memory dump. Digital forensics comprises the collection, validation, analysis, interpretation, documentation and presentation of digital evidence [15]. Digital forensics investigators make use of forensic tools in the investigation process, which are available in the commercial and open domains. Depending upon the requirements of the analysis, forensic toolkits are categorized as file system and data analysis tools, memory analysis tools, disk analysis tools, registry analysis tools, Internet analysis tools and many more. The commonly used toolkits for analyzing file systems are Encase, FTK, X-Ways, Nuix, Sleuthkit, DFF, Snorkel and LibForensics. Of these tools, Encase, FTK and X-Ways are commercial toolkits while Sleuthkit, DFF and LibForensics are in the open domain. To extract the malicious processes from the processes of a memory image dump, the file signature scanner tool known as YARA can be used. YARA is an open source tool designed to help malware researchers identify and classify malware samples. It uses efficient pattern-matching rules. YARA supports the use of three different types of strings for pattern matching:
(a) Hexadecimal Strings

978-1-5386-5257-2/18/$31.00 © 2018 IEEE


(b) Text Strings based on ASCII text
(c) Regular Expressions
In this paper, out of the above mentioned tools, DumpIt, Volatility and the YARA Scanner tool are used to perform the analysis of the RAM image to retrieve the relevant memory artifacts like processes. The user can write a set of rules for the YARA Signature Scanner to find the malicious processes. A rule includes text strings, hexadecimal strings and regular expressions which contain the file signature pattern of the ".exe" file of the malware.

II. REVIEW OF LITERATURE
Timothy Vidas [1] discussed the benefits and drawbacks of traditional incident response methods.
Methodology Used: RAM analysis using the RAM duplication technique.
Scope of Work: The RAM duplication technique provides at least similar information to that which incident response tools can provide, and even more information can be gained from the RAM duplicate. RAM acquisition permits the user to analyze the contents after first response, and it enables RAM data to be considered a more precious and additional source as a static evidence item in the digital forensics investigation process.
Scope of Improvement: Disk forensics techniques can be used to obtain the relevant information about the memory.
Amer Aljaedi et al. [2] proposed a comparison between two memory analysis approaches, Live Response and memory imaging. Memory imaging can be an alternative approach to retrieve and recover volatile data. The Live Response approach of memory analysis can be troublesome as it can overwrite potential evidence such as terminated and cached processes, which are ignored during this approach.
Methodology Used: Memory image analysis.
Scope of Work: Analysis of the processes and Internet artifacts. There is a chance of the terminated and cached processes being overwritten.
Scope of Improvement: In the memory imaging analysis process, vital evidence like cached processes and some Internet artifacts can be extracted directly from the memory dump. Also, more memory artifacts like hidden processes, system log files, passwords, network logs etc. can be analyzed from the memory image.
Robert J. McDown et al. [3] presented a study in which seven open source RAM acquisition forensic tools compatible with 64-bit Windows operating systems were compared.
Methodology Used: RAM acquisition tools like Memory Reader Belkasoft are used.
Scope of Work: The command line approach of forensic investigation can provide information about parameters like total execution time, platform limitations, reporting capabilities, shared and proprietary DLLs, modified registry keys and invoked files through the analysis.
Scope of Improvement: The use of command line tools may increase the time required for the investigation process. GUI based tools can be used to make the investigation process quicker, avoiding the time spent remembering complex sequences of commands.
Sriram Raghavan et al. [4] presented a study of contemporary forensic and analysis tools based on the different functionalities supported by these tools. The different capabilities of some tools are studied to examine one or more sources of digital evidence.
Methodology Used: Memory artifacts for digital evidence composition using FS metadata.
Scope of Work: The study highlighted the importance of metadata and its use across heterogeneous sources of digital evidence. Most of the memory forensic tools acquire FS metadata one at a time instead of grouping them for analysis.
Scope of Improvement: Grouping of relevant memory artifacts and identification of metadata based associations can be achieved using the FIA and FACE architectures.
R. Raines et al. [5] proposed malware recognition via a static heuristic methodology. The experiment was carried out on 32-bit Portable Executable (PE) files. Samples of file strings were taken using a hex dump tool.
Methodology Used: Obtaining the file strings of PE files using a HexDump tool.
Scope of Work: Pattern recognition techniques can play a substantial role in malware detection, especially in cyber situation awareness and assurance. The MaTR system uses a straightforward process for detecting malware using only a program's high-level structural data.
Scope of Improvement: A hybrid solution using the MaTR approach together with other static heuristic approaches like KM retest and commercial antivirus products can provide 100% detection of unknown malware samples.

A] Different Approaches of Volatile Memory Analysis:
Volatile memory forensics has recently gained more focus, as it can be regarded as an effective resource to obtain more accurate evidence to find out the cyber criminals [12]. The digital evidence obtained from RAM analysis of a victimized computer system can be obtained by mainly two approaches:
1) Live Response Approach
2) Memory Image Approach
The Live Response approach of RAM analysis is the conventional way, where the forensic investigator establishes a trusted shell in the victimized machine to contact the kernel [2]. The Live Response approach is not very reliable, as there is some chance of alteration of the memory artifacts due to loadable modules of the installed software. The Live Response approach cannot perform the analysis of hidden or terminated processes [2][12].
The Memory Imaging approach instead allows the forensic investigator to acquire the RAM image or dump using a memory imager forensic tool. The dump is then analyzed offline using memory forensic tools to find out the required memory artifacts and obtain the digital evidence.
Digital forensics is very useful to identify such offensive attacks by providing various techniques to determine the origin of incidents like cyber crime. Different techniques for detecting malware have been proposed to find this malware in the computer system. Once malware gets entry into the system it becomes active and infects a number of processes as well as other memory artifacts. Malware detection approaches involve two basic methodologies:

2018 Fourth International Conference on Computing Communication Control and Automation(ICCUBEA)


1) Static malware detection
2) Dynamic malware detection
Basic static analysis examines malware without viewing the actual code or instructions. The static analysis method can provide information about malware like file name, MD5 checksums or hashes, file type, file size and recognition by antivirus detection tools. Basic dynamic analysis actually runs the malware to observe its behavior, understand its functionality and identify technical indicators which can be used in detection signatures. The dynamic analysis of malware can provide information like file path locations, registry keys and additional files located.

III. METHODOLOGY
A. System Architecture
The system analyzes the malicious processes from a memory dump using the GUI based forensic toolkit developed in this project. This toolkit includes the memory image analyzer, the Volatility Framework, and the YARA signature scanner tool. The Volatility Framework is a fully open source tool, implemented in Python under the GNU General Public License (GPL v2). It is used for the extraction of digital artifacts from volatile memory (RAM) samples. This framework provides a complete command line interface to the investigator. The command line oriented tool provides a wide range of functionality to extract artifacts from RAM samples like event logs, files, information on loaded DLLs, open network connections, open registry handles etc. The target of this project is to provide an extension to the Volatility Framework, i.e. a GUI based approach to analyze the memory dump and extract the malicious processes.

Fig. 1 System Architecture

B. Work Flow of the System
1) Phase-I Volatile Memory (RAM) Image Acquisition: The volatile memory image of a compromised or victimized computer system can be acquired using a forensic tool like DumpIt, LiME etc.
2) Phase-II RAM Image Analysis: In the memory imaging analysis process, volatile data like system logs, network logs, registry files and running processes of the system are analyzed using the Volatility forensic tool.
3) Phase-III Storing the process information into the database: The analysis of the RAM image provides the process information details; these details are stored in the database for later use in identifying the malicious processes using a scanner tool like YARA Scanner.
4) Phase-IV Pattern matching process: Information on processes and files from the memory image is provided to the YARA Scanner tool, which works on pattern matching rules.
5) Phase-V Report Generation: The user defined rules of the YARA Scanner tool process the files extracted from the RAM image and return the malicious and genuine processes to the user.

Syntax of a YARA rule:
    rule rule_name
    {
        strings:
            $test_string1 = "Testing"
            $test_string2 = { E1 D2 C3 B4 }
        condition:
            $test_string1 or $test_string2
    }
strings: This section contains the strings/patterns/signatures that we need to match against a file. A string can be a hexadecimal string, which may contain wildcard combinations, or a text string in the form of ASCII text; either can be matched against the condition set.
condition: The condition set evaluates a Boolean expression over the strings.

C. Algorithm
Input: Directory {Extracted file1, file2 ... file n}
Output: Malicious files
Define: String pattern = $String in YARA file
        File Signature Header = HDString
Step 1: Set the string match pattern in the YARA file.
Step 2: Compare $String with HDString.
Step 3: if $String is equal to HDString then a match is found; classify the file as malicious
        else the file is non-malicious.
Step 4: Repeat the procedure for the complete directory input.

D. Mathematical Model
Input: {P1, P2, P3}
Functions: {f1, f2, f3}
Output: {Malicious and non-malicious processes list}
where P1, P2 and P3 are processes
Process: P1 (RAM Image creation)
{
    Input: Capturing running processes from volatile memory
    f1: Processing with Image Analyzer
    Output: RAM Image
}
Process: P2 (List of extracted processes)
{
    Input: RAM Image
    f2: Extraction of processes from memory dump to database
    Output: Process list with information
}
Process: P3 (Generation of evidence report)
{
    Input: Extracted process list from memory dump
    f3: Pattern matching from database
    Output: List of malicious and non-malicious processes
}
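As an added example (not the paper's toolkit code), the following Python reimplements the Algorithm of Section III.C and the pattern-matching step f3 of process P3: it reads a rule written in the YARA syntax shown above (text strings and hex strings with "??" wildcards, and/or/not conditions; regular-expression strings are left out), compares every $String with each dump file in a directory, and splits the directory into malicious and non-malicious files. The rule, the $mz_header and $marker strings, and the three sample dump files are constructed for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed rule in the shape of the paper's "Syntax of YARA rule", using YARA's
# real keywords. $mz_header stands in for the PE file signature header the paper
# calls HDString; the "??" bytes in it are YARA-style wildcards.
RULE_TEXT = r'''
rule suspicious_pe_dump
{
    strings:
        $mz_header = { 4D 5A ?? ?? 00 00 }
        $marker    = "Testing"
    condition:
        $mz_header and $marker
}
'''

def hex_to_regex(body):
    """Turn a YARA hex string body such as "4D 5A ?? 00" into a bytes regex."""
    parts = [b'.' if t == '??' else re.escape(bytes([int(t, 16)])) for t in body.split()]
    return re.compile(b''.join(parts), re.DOTALL)

def parse_rule(text):
    """Step 1 of the paper's algorithm: load the $String patterns and the
    condition from the rule file. Returns ({identifier: regex}, condition)."""
    strings_part, condition = text.split('strings:', 1)[1].split('condition:', 1)
    patterns = {}
    for ident, value in re.findall(r'(\$\w+)\s*=\s*(\{[^}]*\}|"[^"]*")', strings_part):
        if value.startswith('{'):
            patterns[ident] = hex_to_regex(value[1:-1])
        else:  # plain ASCII text string, matched literally
            patterns[ident] = re.compile(re.escape(value[1:-1].encode()))
    condition = ' '.join(condition.split('}', 1)[0].split())
    return patterns, condition

def eval_condition(condition, matched):
    """Evaluate a condition like '$a and not $b or $c' over per-string match
    results; 'and' binds tighter than 'or', parentheses are not supported."""
    result = False
    for clause in condition.split(' or '):
        clause_ok = True
        for term in clause.split(' and '):
            negate = term.startswith('not ')
            ident = term[4:] if negate else term
            clause_ok = clause_ok and (matched[ident] != negate)
        result = result or clause_ok
    return result

def scan_dump(data, rule):
    """Steps 2-3: compare every $String with the dump; True means malicious."""
    patterns, condition = rule
    matched = {k: rx.search(data) is not None for k, rx in patterns.items()}
    return eval_condition(condition, matched)

def scan_directory(directory, rule):
    """Step 4: repeat for every dump file; returns (malicious, non_malicious)."""
    malicious, benign = [], []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            (malicious if scan_dump(path.read_bytes(), rule) else benign).append(path.name)
    return malicious, benign

def demo():
    """Constructed process dumps standing in for the toolkit's Phase-V input."""
    samples = {
        'svchost.exe.dmp': b'MZ\x90\x00\x00\x00' + b'\x00' * 8 + b'Testing payload',
        'notepad.exe.dmp': b'MZ\x90\x00\x00\x00' + b'\x00' * 8 + b'clean text',
        'readme.txt.dmp': b'Testing without a PE header',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for fname, content in samples.items():
            Path(tmp, fname).write_bytes(content)
        return scan_directory(tmp, parse_rule(RULE_TEXT))
```

Note that a match on the PE header alone classifies nothing: only a dump that carries both the header and the marker string satisfies the rule, which is why the condition matters as much as the strings.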
E. Event Diagram
Process Objects = {P1, P2, P3}
Events = {E1, E2}
Causes of events = {f1, f2, f3}
Here the processes P1, P2 and P3 act as objects which cause an event. Processes P1 and P2 cause event E1 by using functions f1 and f2 respectively. This event E1 changes the state of process P2 to process P3, which in turn causes a new event E3 to occur. This event determines the malicious processes out of the genuine processes.

Fig. 2 Event Diagram

IV. EXPERIMENTAL SET UP AND RESULT
The memory dumps of the malware affected victimized computer systems are collected to detect and extract the malicious processes. In this experiment, signature based identification of the malware is carried out using the YARA Signature Scanner. The YARA Scanner uses the data set in the form of file strings written into a particular rule. Here the strings of the "ransomware" and "Stuxnet" malware are used to write the YARA rule files, which are compared with the processes from the RAM images of the victimized computer system.

Table 5: Experiment Procedure

Table 6 describes the input data sets, memory artifacts and the extracted malicious processes.

Table 6: Experimental Setup and Result

V. EXPERIMENT PROCEDURE
1) Registration Authentication Process: The registration and authentication process is carried out by the forensic investigator, which is mandatory to avoid misuse of the tool. On successful authentication the forensic investigator gets the privileges to use the functionalities of the tool.
2) RAM Acquisition Process: In this experiment procedure the Memory Imaging approach of volatile memory forensic investigation is used. The RAM images of both guest VMs are captured for analysis.
3) Determine OS Profile Information: The profile information of the operating system was determined. The profile information determines the type of OS used, which is necessary to obtain the important memory artifacts from the memory.
4) RAM Image Analysis Process: The processes from the RAM image of the malware affected or victimized VM were analyzed to get detailed information about each process like process name, process ID, path of the process, parent-child relationship between processes etc. The path and name of the uploaded RAM images were stored in the database.
5) Dumping the processes from RAM Image:
5) Dumping the processes from RAM Image:



The processes from the RAM image were extracted and dumped into local storage and to the database for future reference.
6) Extraction of the Malicious Processes: The memory dump created was used to scan the dump files to obtain the malicious processes. The scanning was performed by a user defined "YARA rule file" containing the signature patterns and file strings. The YARA rule file tries to match the signature and file string patterns of each dump file using the rule defined in it.

The GUI based framework helps to get the result on a click event, which saves time for the forensic investigator, who need not depend on remembering a long sequence of commands.

A few screenshots of the result are displayed here:
1. Determine the Operating System Profile for the analysis of volatile memory artifacts

Fig. 3 Display Image Profile Information

2. Obtaining the detailed information of the processes for the analysis

Fig. 4 Display the details of the processes

3. Creating the dump files of the processes from the RAM dump and storing them on local storage as well as in the database

Fig. 5 List of Dump files of the processes from RAM Dump

4. Scanning the dump files by the user defined YARA rule to extract malicious processes.

Fig. 6 List of malicious processes

VI. CONCLUSION AND FUTURE WORK
In this work, different approaches of memory analysis and malware detection are reviewed and the most trustworthy approach to collect volatile memory artifacts, the Memory Imaging approach, is preferred. Furthermore, due to the increase in cyber crimes, an efficient investigation approach must be followed in order to obtain the evidence as early as possible. To extract the malicious processes from the RAM dump, the signature based and string pattern matching rule-based procedure of the YARA scanner is used. Instead of following the command line method of the Volatility memory forensic tool to analyze the processes, a GUI based automated forensics toolkit is used for the RAM analysis, which can save investigation time. The proposed integrated tool provides a rich GUI for memory analysis, scanning and extracting the malicious processes from the RAM image. In future the extracted processes can be sent for further investigation using malware forensics to find out the root cause of the malware attack on the victimized computer system.

REFERENCES
[1] Timothy Vidas, "The Acquisition and Analysis of Random Access Memory," Journal of Digital Forensic Practice (Taylor & Francis), 2007.
[2] Amer Aljaedi, Dale Lindskog, Pavol Zavarsky, Ron Ruhl, Fares Almari, "Comparative Analysis of Volatile Memory Forensics," 2011 IEEE International Conference on Privacy, Security, Risk and Trust and IEEE Conference on Social Computing, 2011.
[3] Robert J. McDown, Cihan Varol, Leonardo Carvajal and Lei Chen, "In-Depth Analysis of Computer Memory Acquisition Software for Forensic Purposes," Journal of Forensic Sciences, 2016.
[4] Sriram Raghavan, S V Raghavan, "A study of Forensic Analysis Tools," 2013 IEEE, sponsored by Louisville Chapter.
[5] R. Raines et al., Air Force Research Laboratory, Wright-Patterson AFB, OH, USA, Journal of Computer and Security, 2011.
[6] Ala Berzinji, "Forensic Tools For Investigating Cyber Crimes," Asian Journal of Natural & Applied Sciences, Sept. 2016.
[7] Ezer Osei Yeboah-Boateng, Elvis Akwa-Bonsu, "Digital Forensic Investigation: Issues of Intangibility, Complications and Inconsistencies in Cyber-Crimes," Journal of Cyber Security, 2016.
[8] Elick Chan, Winston Wan, Amey Chaugule, Roy Campbell, "A Framework for Volatile Memory Forensics," publication on ResearchGate, 2016.
[9] Arpit Patel, Nilay Mistry, "An Analyzing of different Techniques and Tools to Recover Data from Volatile Memory," International Journal for Scientific Research & Development, 2013.
[10] Shuaibur Rahman, M.N.A. Khan, "Review of Live Forensic Analysis Techniques," International Journal of Hybrid Information Technology, 2015.
[11] Felex Madzikanda, Talent Musiiwa, Washington Mtembo, "Computer Forensic Considerations and Tool Selection Within an Organization," International Journal of Computer Science and Technology, 2013.
[12] Aaron Walters, Nick L. Petroni, "Volatools: Integrating Volatile Memory Forensics into the Digital Investigation Process," White Paper, Komoku Inc., 2007.
[13] Abes Dabir, AbdelRahman Abdou, Ashraf Matrawy, "A Survey on Forensic Event Reconstruction System," International Journal of Information and Computer Security, 2016.
[14] I. Mohanty and R. L. Velusamy, "Information Retrieval From Internet Applications For Digital Forensic," International Journal of Security, Privacy and Trust Management, 2012.
[15] Y. Kim, S. Lee, and D. Hong, "Suspects' data hiding at remaining registry values of uninstalled programs," ICST Proceedings of the 1st International Conference on Forensic Applications and Techniques in Telecommunications, 2008.
[16] G. Palmer, "A road map for digital forensic research," Technical report, Digital Forensic Research Workshop (DFRWS), November 2001.
[17] Sunghyuck Hong and Sungjin Lee, "New Malware Analysis Method on Digital Forensics," Indian Journal of Science and Technology, 2015.
[18] Qian Chen, Robert A. Bridges, "Automated Behavioral Analysis of Malware," arXiv preprint arXiv:1709.08753v1, 2017.
[19] Eric Filiol and Sébastien Josse, "A statistical model for undecidable viral detection," Springer-Verlag France, 2007.
[20] Jinrong Bai, Junfeng Wang and Guozhong Zou, "A Malware Detection Scheme Based on Mining Format Information," The Scientific World Journal, 2014.
[21] Saeed Almarri and Dr Paul Sant, "Optimized Malware Detection in Digital Forensics," International Journal of Network Security & Its Applications, 2014.
