Week 6 Memory Forensics Part 1 Final

The document provides a comprehensive guide on memory forensics using the Volatility 2 framework to investigate data leakage. It covers the process of memory dumping, the structure of memory dumps, and the installation and usage of Volatility for analyzing volatile memory. Additionally, it outlines steps for conducting investigations, including examining registry keys, identifying users, and performing network forensics.


Memory Forensics

A Practical Approach to Investigate Data Leakage with Volatility 2


Memory and Memory Dump
Memory Dump
• A memory dump is the act of copying the contents of RAM to a file on a storage drive, and also the name of the resulting binary file
• Operating systems write one automatically when an application or the system crashes: a core dump on Unix-like systems, a crash dump on Windows (the blue screen of death, BSOD, is the screen shown while the kernel writes it)
• Crash dumps help software developers and system administrators diagnose, identify and resolve the problem that led to the application or system failure
• For forensics the dump is taken deliberately, with an acquisition tool, so that the full contents of physical memory can be analysed offline
[Figure: virtual memory, physical memory and disk. A page is the smallest unit of data for memory management; on 32-bit Windows each process can use 4 GB of virtual memory, managed by the operating system. Source: https://www.cs.uic.edu/~jbell/CourseNotes/OperatingSystems/9_VirtualMemory.html]
Memory dump for a process
• Kernel Processor Control Region (KPCR)
• a data structure used by the Windows kernel to store information about each processor
• From the KPCR structure one traverses intermediate structures (the processor control block, the current thread and its process object) to reach interesting structures such as the active process list
• Volatility walks the same kernel structures offline, which is how its plugins rebuild the process list from a raw dump without relying on the (possibly compromised) running system

[Figure: memory dump acquisition process. Source: https://www.researchgate.net/profile/Igor-Korkin-2/publication/263365115/figure/fig1/AS:296534018150400@1447710627176/Memory-dump-acquisition-process.png]
Dump memory

• Pagefile.sys is a system file on the Windows system drive that acts as overflow storage for your computer’s Random Access Memory (RAM).
• When RAM runs low, Windows writes pages that have not been used recently (parts of loaded files and applications) to the pagefile and reads them back on demand.
• A RAM-only image therefore does not contain paged-out data: where possible, collect pagefile.sys alongside the memory dump, and expect some process memory to be unavailable to Volatility.
Volatility Framework - volatile memory extraction utility framework
• Extracts digital artifacts from volatile memory (RAM) samples (dumps)
• Offers visibility into the runtime state of the system
• Supports Windows, Linux and Mac OS X memory images (not iOS)
• Analyses raw dumps and other formats
• memory dumps, crash dumps, virtual machine snapshots, VMware dumps (.vmem), Microsoft crash dumps, hibernation files, VirtualBox dumps
• An open collection of tools (plugins)
• Version 2 is implemented in Python 2 (2.6 or 2.7; it does not run under Python 3, hence python2 vol.py)
• Released under the GNU General Public License (run, study, share, and modify)
• Provides a platform for further work in forensic research
Pre-investigation
Volatility 2.X installation
How to install Volatility 2?
If you have downloaded Kali from our GitHub, Volatility has been pre-installed.

You MUST use vol.py

Manual install of Volatility 2 (not recommended)

For all commands starting with volatility, you MUST replace volatility with python2 vol.py.
For example, volatility -f memdumpWin7.mem imageinfo MUST be changed to python2 vol.py -f memdumpWin7.mem imageinfo
Where to download the memory image for investigations?
Download memory dump

Verify the downloaded file: compare its hash against the published value before analysis, so that a corrupt or tampered download is not mistaken for evidence.

How to identify the image profile?
Use vol.py (NOT volatility) if you use the customized Kali from GitHub. vol.py -f memdumpWin7.mem imageinfo reports the suggested profile(s); pass the first one with --profile= to every later command.
Show all registry keys
Investigation
• Understand the Suspect and Accounts
• Understand the Suspect’s PC
• Network Forensics
• Investigate Command History
• Investigate Suspect’s USB
• Investigate Internet Explorer History
• Investigate File Explorer History
• Timeline Analysis
Understand the Suspect and Accounts
Who was using the device?
The active user’s settings live in that user’s profile hive, loaded under HKEY_USERS\<SID>; HKEY_CURRENT_USER is a link to that subkey, so the SID under HKU identifies who was logged on.

• SID: Security Identifier: a unique, immutable identifier of a user, user group, or other security principal
• Users can be renamed, but their SID never changes, so investigators correlate on the SID rather than the name
Which accounts and hives are associated with the device?

The hive files in %SystemRoot%\System32\config are loaded as these keys:
• SAM – HKEY_LOCAL_MACHINE\SAM (local account database)
• SECURITY – HKEY_LOCAL_MACHINE\SECURITY
• SOFTWARE – HKEY_LOCAL_MACHINE\SOFTWARE
• SYSTEM – HKEY_LOCAL_MACHINE\SYSTEM
• DEFAULT – HKEY_USERS\.DEFAULT
SID format details

S-1-5
S: the string is a SID
1: revision 1
5: identifier authority 5, NT Authority (managed by the NT security subsystem)
Sub-authorities follow. Local and domain accounts have the form S-1-5-21-<three machine or domain values>-<RID>; the final relative identifier (RID) tells the accounts apart.

SID	Name	Description
S-1-5-18	Local System	A service account used by the operating system
S-1-5-19	NT Authority\Local Service	Service account with local privileges only
S-1-5-20	NT Authority\Network Service	Service account that authenticates on the network as the computer
S-1-5-21-...-500	Administrator	The built-in administrator account
S-1-5-21-...-501	Guest	The built-in guest account
S-1-5-21-...-1000 and up	Local users	Accounts created on this machine, numbered in creation order
Who has SID S-1-5-21-1716914095-909560446-1177810406-1002?

The ProfileList entry for this SID gives its profile path: SSHD_Server, an account created by an SSH server. It allows remote logon to the computer.

Who has SID S-1-5-21-1716914095-909560446-1177810406-1000?
(RID 1000 is the first account created on this machine; read its ProfileList entry the same way.)
Who is the default logon user?

Winlogon’s DefaultUserName value (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) names the account that is logged on automatically at boot when AutoAdminLogon is set to 1.

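The SID rules and the ProfileList lookup above, as an added example (not code from the slides): it splits an SID into its parts, classifies the well-known values and RIDs from the table, and maps every SID listed under ProfileList to its ProfileImagePath by parsing printkey output. The printkey text is constructed to match the layout Volatility 2 prints; the profile paths and the sshd_server username are assumptions, only the SID values come from the slides.

```python
"""Classify Windows SIDs and map them to profile paths from printkey output.

Added example, not from the slides.  The printkey text below is constructed
to match the layout of `vol.py ... printkey -K "...ProfileList"`; the profile
paths are assumptions, only the SIDs come from the slides.
"""
import re

WELL_KNOWN = {                     # fixed SIDs from the slide's table
    "S-1-5-18": "Local System",
    "S-1-5-19": "NT AUTHORITY\\Local Service",
    "S-1-5-20": "NT AUTHORITY\\Network Service",
}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}  # fixed RIDs under S-1-5-21

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
SUBKEY_RE = re.compile(r"^\s*\((S|V)\)\s+(.+?)\s*$")                 # "  (S) S-1-5-18"
VALUE_RE = re.compile(r"^(REG_\w+)\s+(.+?)\s*:\s*\((S|V)\)\s*(.*)$")  # "REG_SZ Name : (S) data"


def parse_sid(sid):
    """Return (revision, identifier_authority, [sub-authorities...])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % (sid,))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return int(m.group(1)), int(m.group(2)), subs


def classify_sid(sid):
    """Name well-known SIDs; for S-1-5-21 machine SIDs, interpret the RID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    _, authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        if rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[rid]
        if rid >= 1000:
            return "local user (RID %d)" % rid
    return "unknown"


def parse_printkey(text):
    """Parse one key block of printkey output into (subkey names, {value: data})."""
    subkeys, values, section = [], {}, None
    for line in text.splitlines():
        if line.startswith("Subkeys:"):
            section = "subkeys"
        elif line.startswith("Values:"):
            section = "values"
        elif section == "subkeys":
            m = SUBKEY_RE.match(line)
            if m:
                subkeys.append(m.group(2))
        elif section == "values":
            m = VALUE_RE.match(line)
            if m:
                values[m.group(2)] = m.group(4)
    return subkeys, values


def profile_map(profilelist_text, sid_key_texts):
    """Map each SID under ProfileList to (ProfileImagePath, classification)."""
    sids, _ = parse_printkey(profilelist_text)
    result = {}
    for sid in sids:
        if not SID_RE.match(sid):
            continue
        _, values = parse_printkey(sid_key_texts.get(sid, ""))
        result[sid] = (values.get("ProfileImagePath", "?"), classify_sid(sid))
    return result


# Constructed sample: output of printkey -K "Microsoft\Windows NT\CurrentVersion\ProfileList"
PROFILELIST = r"""Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \SystemRoot\System32\Config\SOFTWARE
Key name: ProfileList (S)
Last updated: 2016-09-20 10:33:35 UTC+0000

Subkeys:
  (S) S-1-5-18
  (S) S-1-5-19
  (S) S-1-5-20
  (S) S-1-5-21-1716914095-909560446-1177810406-1000
  (S) S-1-5-21-1716914095-909560446-1177810406-1002

Values:
REG_EXPAND_SZ ProfilesDirectory : (S) %SystemDrive%\Users
"""

# Constructed sample: one printkey run per SID subkey (paths are assumptions)
SID_KEYS = {
    "S-1-5-21-1716914095-909560446-1177810406-1000": r"""Key name: S-1-5-21-1716914095-909560446-1177810406-1000 (S)

Subkeys:

Values:
REG_EXPAND_SZ ProfileImagePath : (S) C:\Users\IEUser
REG_DWORD     Flags            : (S) 0
""",
    "S-1-5-21-1716914095-909560446-1177810406-1002": r"""Key name: S-1-5-21-1716914095-909560446-1177810406-1002 (S)

Subkeys:

Values:
REG_EXPAND_SZ ProfileImagePath : (S) C:\Users\sshd_server
""",
}

if __name__ == "__main__":
    for sid, (path, who) in sorted(profile_map(PROFILELIST, SID_KEYS).items()):
        print("%-48s %-24s %s" % (sid, who, path))
```

Feed it real output by saving each printkey run to a file and reading it into PROFILELIST and SID_KEYS; the service SIDs (18, 19, 20) have no ProfileImagePath of interest and are reported as "?".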
Hive overview

HKLM\SYSTEM\CurrentControlSet\Control\hivelist lists every loaded hive and the file that backs it; it is a normal key whose values act as pointers to the other hives.
• \REGISTRY\MACHINE\SYSTEM points to HKEY_LOCAL_MACHINE\SYSTEM
• \REGISTRY\MACHINE\HARDWARE points to HKEY_LOCAL_MACHINE\HARDWARE (no backing file; built at boot)
• Each user has a profile hive (ntuser.dat) that appears here while the user is logged on
Volatility’s hivelist plugin prints the same list from the memory image, together with the virtual offset of each hive.
Registry review

The five main root keys of the registry are:

• HKEY_CLASSES_ROOT (HKCR)
• HKEY_CURRENT_USER (HKCU)
• HKEY_LOCAL_MACHINE (HKLM)
• HKEY_USERS (HKU)
• HKEY_CURRENT_CONFIG (HKCC)
HKEY_USERS (HKU)
• Contains a subkey for every user profile currently loaded on the computer; ProfileList records all users who logged in at some point
• HKU\.DEFAULT is the profile used by the logon screen, not the template for new users; the Default profile supplies the base settings for a new user at first logon
• When a user logs on, that user’s profile subkey is linked as HKCU
• Saved in each user’s profile folder:
• C:\Users\IEUser\Ntuser.dat
• C:\Users\ssh_Server\Ntuser.dat
• C:\Users\Default User\Ntuser.dat
HKEY_CURRENT_USER (HKCU)
• Does not contain any data of its own: a link to the logged-on user’s subkey under HKEY_USERS
• Stores settings for the currently logged-in user
• Unloaded when the user logs out
• If no profile is available, built from the Default profile
• Controls everything about the currently logged-on user:
• Environment variables
• Desktop settings
• Network connections, printers
• Application preferences
• Keyboard layout
• Information about the logged-on user
• A treasure for investigators
HKEY_LOCAL_MACHINE (HKLM)
• Contains computer hardware and software information
• SAM, SECURITY, SOFTWARE and SYSTEM are loaded at boot time from the hive files of the same names in %SystemRoot%\System32\config
• HARDWARE stores Plug-and-Play device information; it is created dynamically at boot and not stored in a file, so it exists only in memory (and therefore in a memory image)

HKEY_CURRENT_CONFIG (HKCC)
• Doesn’t store any information itself; it is a pointer, or shortcut, to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
• Nothing is shown under it in the dump; follow the link to the other registry key instead
Understand the Suspect’s PC
[Figure: motherboard layout, highlighting the Peripheral Component Interconnect (PCI) bus]
Where to find the CPU of the suspect’s PC?
Find the hardware keys: the HARDWARE hive (HKLM\HARDWARE) holds the key DESCRIPTION\System\CentralProcessor\0

If your system has multiple processors, they are all listed as subkeys under CentralProcessor. If your system has only one processor, it is listed as processor 0.
How to find the CPU of the suspect’s PC?
printkey -o 0x87c459c8 restricts printkey to the hive at that virtual offset (the HARDWARE hive, as listed by hivelist). The offset can be skipped, in which case printkey searches every hive for the key.
How to find other PC system information?
printkey -K "DESCRIPTION\System" shows the system board, system BIOS and video BIOS values, plus subkeys for the processors and bus controllers
How does the PC enumerate devices on its bus (data highway)?
• A bus driver services a bridge, bus controller, or adapter
• A bus driver enumerates the devices on its bus and controls them; it is each child device’s enumerator
• It responds to Plug and Play I/O request packets (IRPs)
Where is the enumerated device information saved?
HKLM\SYSTEM\ControlSet001\Enum, with one subkey per enumerator (PCI, USB, ACPI, ...), then per device ID and per device instance
How to enumerate devices?
printkey -K "ControlSet001\Enum"
How does Windows install device drivers?
• Almost all electronic devices contain firmware
• When a device is plugged in, its enumerator (e.g. a PnP bus driver) reports Device Identification Strings read from the device firmware:
• Hardware IDs - vendor-defined, most specific first
• Compatible IDs - vendor-defined, more generic
• Windows uses the Hardware IDs to locate the information (INF) file that best matches the device
• If none matches, it falls back to the Compatible IDs
• Windows uses the INF file to install the device drivers
• In the registry these strings are the HardwareID and CompatibleIDs values under each device instance in ControlSet001\Enum
How to find devices connected to PCI?

PCI device IDs have the form PCI\VEN_XXXX&DEV_XXXX&SUBSYS_XXXXXXXX&REV_XX
VEN_XXXX: vendor (PCI vendor ID, hexadecimal)
DEV_XXXX: model of device

Common VEN_XXXX codes:

Intel – 8086
ATI/AMD – 1002/1022
NVIDIA – 10DE
Broadcom – 14E4
Atheros – 168C
Realtek – 10EC
Creative – 1102
Logitech – 046D
Search device: https://devicehunt.com/

Search driver based on hardware ID
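The ID strings and the matching order described on the last two slides, as an added example (not code from the slides): it splits a PCI hardware ID into VEN/DEV/SUBSYS/REV fields using the slide’s vendor table, summarises the subkey names printkey lists under ControlSet001\Enum\PCI, and picks the INF a device would match by trying its Hardware IDs before its Compatible IDs. The device strings and INF model lists are constructed for illustration; the vendor table is the slide’s.

```python
"""Parse PnP hardware IDs and pick the INF a device would match.

Added example, not from the slides.  The vendor table is the slide's; the
device ID strings and INF model lists are constructed for illustration.
"""
import re

VENDORS = {
    "8086": "Intel", "1002": "ATI/AMD", "1022": "AMD", "10DE": "NVIDIA",
    "14E4": "Broadcom", "168C": "Atheros", "10EC": "Realtek",
    "1102": "Creative", "046D": "Logitech",
}
PCI_FIELD_RE = re.compile(r"(VEN|DEV|SUBSYS|REV|CC)_([0-9A-Fa-f]+)")


def parse_pci_id(hwid):
    """Split 'PCI\\VEN_8086&DEV_100E&SUBSYS_001E8086&REV_02' into named fields."""
    bus, _, rest = hwid.partition("\\")
    fields = {key: val.upper() for key, val in PCI_FIELD_RE.findall(rest)}
    fields["BUS"] = bus.upper()
    fields["VENDOR_NAME"] = VENDORS.get(fields.get("VEN", ""), "unknown")
    return fields


def list_pci_devices(enum_subkeys):
    """Summarise the subkey names under ControlSet001\\Enum\\PCI as (vendor, DEV)."""
    out = []
    for name in enum_subkeys:
        f = parse_pci_id("PCI\\" + name)
        out.append((f["VENDOR_NAME"], f.get("DEV", "?")))
    return out


def best_inf_match(hardware_ids, compatible_ids, inf_models):
    """Return (matched id, inf name, rank) for the most specific ID any INF claims.

    hardware_ids and compatible_ids are in the order the bus driver reports
    them (most specific first).  Windows tries every Hardware ID before any
    Compatible ID, so a lower rank is a better match.  Signing and date
    tie-breaks between INFs that claim the same ID are ignored here.
    """
    claimed = {}
    for inf, ids in inf_models.items():
        for model_id in ids:
            claimed.setdefault(model_id.upper(), inf)
    for rank, candidate in enumerate(list(hardware_ids) + list(compatible_ids)):
        inf = claimed.get(candidate.upper())
        if inf is not None:
            return candidate, inf, rank
    return None


# Constructed: the HardwareID / CompatibleIDs values of one device instance,
# in the order a PCI bus driver reports them.
DEVICE = {
    "HardwareID": [
        r"PCI\VEN_8086&DEV_100E&SUBSYS_001E8086&REV_02",
        r"PCI\VEN_8086&DEV_100E&SUBSYS_001E8086",
        r"PCI\VEN_8086&DEV_100E&CC_020000",
        r"PCI\VEN_8086&DEV_100E&CC_0200",
    ],
    "CompatibleIDs": [
        r"PCI\VEN_8086&DEV_100E&REV_02",
        r"PCI\VEN_8086&DEV_100E",
        r"PCI\VEN_8086&CC_020000",
        r"PCI\VEN_8086&CC_0200",
        r"PCI\VEN_8086",
        r"PCI\CC_020000",
        r"PCI\CC_0200",
    ],
}
# Constructed: INF file name -> IDs from its [Models] section.
INF_MODELS = {
    "generic_nic.inf": [r"PCI\VEN_8086&DEV_100E"],
    "vendor_nic.inf": [r"PCI\VEN_8086&DEV_100E&SUBSYS_001E8086"],
    "class_nic.inf": [r"PCI\CC_0200"],
}
# Constructed: subkey names as printed by printkey -K "ControlSet001\Enum\PCI"
ENUM_PCI = [
    "VEN_8086&DEV_100E&SUBSYS_001E8086&REV_02",
    "VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00",   # vendor not in the slide's table
    "VEN_8086&DEV_7111&SUBSYS_00000000&REV_01",
]

if __name__ == "__main__":
    for vendor, dev in list_pci_devices(ENUM_PCI):
        print("%-10s DEV_%s" % (vendor, dev))
    print(best_inf_match(DEVICE["HardwareID"], DEVICE["CompatibleIDs"], INF_MODELS))
```

Vendors the table does not know come back as "unknown"; look those up on devicehunt.com by VEN/DEV rather than guessing.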


What is the name of the suspect’s device?
The ComputerName value under ControlSet001\Control\ComputerName\ComputerName
Note: on a live registry you will see CurrentControlSet instead of ControlSet001. CurrentControlSet is a symbolic link that only exists on a running system, so in a memory image we read ControlSet001 directly (HKLM\SYSTEM\Select\Current records which control set was active).
Network Forensics
Are there suspicious IPs (processes) connected to the PC?
netscan scans the dump for network objects (sockets and connections); piping through grep TCPv4 keeps only the IPv4 TCP rows
Which program was connected to this suspicious IP address?
Find the process name for PID 4 (pslist -p 4). PID 4 is the System process, so a connection owned by it does not belong to a user application.

Help command

Note: module output options are dot, greptext, html, json, sqlite, text, xlsx (--output=<format>, --output-file=<file>)
Which program was connected to this suspicious IP address?
Find the process that netscan reports as PID -1 (an unidentified process, one whose owner Volatility could not resolve) by searching every process’s memory for the IP string

-Y "192.168.56.5": the YARA rule or plain string to search for (here, the suspicious IP)
--output-file=<any file name>: write the hits to a file

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples; yarascan applies a rule to each process’s memory and reports the owning process and offset of every hit.
Find the application chrome.exe with PID 2388 (pslist -p 2388)

The suspect used Chrome to download the file

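The netscan step above, as an added example (not code from the slides): it parses netscan rows, applies the same TCPv4 filter as the grep, and for every connection to a chosen IP returns the owning process, flagging PID -1 entries as unidentified so that yarascan is run for them. SAMPLE_NETSCAN is constructed to match Volatility 2’s column layout; the addresses, PIDs and process names are illustrative, only 192.168.56.5 is the IP used on the slides.

```python
"""Parse Volatility 2 netscan output and attribute connections to a suspicious IP.

Added example, not from the slides.  SAMPLE_NETSCAN is constructed to match
the column layout of `vol.py ... netscan`; its rows are illustrative
(192.168.56.5 is the IP used on the slides).
"""
import re

PID_RE = re.compile(r"^-?\d+$")               # Pid column: an integer, -1 when unresolved
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # first token of the Created column

SAMPLE_NETSCAN = """\
Offset(P)  Proto    Local Address             Foreign Address           State            Pid    Owner          Created
0x1e7a4008 TCPv4    192.168.56.101:49160      192.168.56.5:8080         ESTABLISHED      2388   chrome.exe
0x1e9b2c38 TCPv4    192.168.56.101:49161      192.168.56.5:8080         CLOSED           -1
0x1f003a20 TCPv4    0.0.0.0:445               0.0.0.0:0                 LISTENING        4      System
0x1f10c008 UDPv4    0.0.0.0:5355              *:*                                        1064   svchost.exe    2016-09-20 10:34:10 UTC+0000
0x1f2a8b48 TCPv6    :::135                    :::0                      LISTENING        688    svchost.exe
"""


def parse_netscan(text):
    """Turn netscan rows into dicts; State, Owner and Created may each be absent."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].startswith("0x"):
            continue                                   # header, legend or blank line
        offset, proto, local, foreign = tok[:4]
        rest = tok[4:]
        pid_idx = next((i for i, t in enumerate(rest) if PID_RE.match(t)), None)
        if pid_idx is None:
            continue
        after = rest[pid_idx + 1:]
        owner = after[0] if after and not DATE_RE.match(after[0]) else ""
        rows.append({
            "offset": offset, "proto": proto, "local": local, "foreign": foreign,
            "state": rest[0] if pid_idx == 1 else "",   # UDP rows have no State column
            "pid": int(rest[pid_idx]),
            "owner": owner,
            "created": " ".join(after[1:] if owner else after),
        })
    return rows


def host(addr):
    """Strip the port: '192.168.56.5:8080' -> '192.168.56.5', ':::135' -> '::'."""
    return addr.rsplit(":", 1)[0]


def by_protocol(rows, proto):
    """Equivalent of piping netscan through grep TCPv4."""
    return [r for r in rows if r["proto"] == proto]


def attribute(rows, ip):
    """Map each PID talking to ip to its process name.

    'unidentified' means netscan could not resolve the owner (PID -1 or no
    Owner column); the next step for those is yarascan -Y "<ip>".
    """
    result = {}
    for r in rows:
        if host(r["foreign"]) != ip:
            continue
        resolved = r["pid"] != -1 and r["owner"] != ""
        result[r["pid"]] = r["owner"] if resolved else "unidentified"
    return result


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    for r in by_protocol(rows, "TCPv4"):
        print(r["local"], "->", r["foreign"], r["state"], r["pid"], r["owner"])
    print(attribute(rows, "192.168.56.5"))
```

Save a real run with vol.py ... netscan > netscan.txt and pass its contents to parse_netscan; note that netscan carves freed objects as well as live ones, so CLOSED rows and stale PIDs are expected and worth keeping in the timeline.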

Assignment
Week 6 Lab

1. Ensure vol.py is installed on your system
   A. which vol.py (/home/kali/.local/bin/vol.py)
2. Identify the image profile (vol.py -f memdumpWin7.mem imageinfo)
3. Show all registry keys (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 printkey)
4. Determine who was using the PC
   A. Identify the username (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 printkey -K "Volatile Environment")
   B. Print the profile list to find the SIDs (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 printkey -K "Microsoft\Windows NT\CurrentVersion\ProfileList")
   C. Print the information for each individual SID (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 printkey -K "Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1716914095-909560446-1177810406-1002")
   D. Identify the default logon user (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon")
5. Understand the suspect's PC
   A. Find the CPU (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 printkey -o 0x87c459c8 -K "DESCRIPTION\System\CentralProcessor\0"; the -o hive offset comes from hivelist and can be omitted)
   B. Find the system and video BIOS, plus subkeys for the processors and bus controllers (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 printkey -K "DESCRIPTION\System")
   C. List the registry hives in the image, to find the SYSTEM hive that holds the device keys (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 hivelist)
   D. Enumerate devices (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 printkey -K "ControlSet001\Enum")
   E. Enumerate PCI devices (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 printkey -K "ControlSet001\Enum\PCI")
   F. Use https://devicehunt.com to identify the driver based on the hardware ID
   G. Find the name of the suspect's computer (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 printkey -K "ControlSet001\Control\ComputerName")
6. Network forensics
   A. Identify suspicious IPs and processes (vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 netscan | grep TCPv4)
   B. Which program was connected to the suspicious IPs?
      a. vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 pslist -p 4
      b. vol.py -f memdumpWin7.mem --profile=Win7SP1x86_23418 yarascan -Y "suspicious ip" --output-file=process_1.txt
      c. open process_1.txt in a text editor
Assignment
• Week 6 Lab

Answer the following questions:

1. What is the image profile?
2. Provide a list of registry keys.
3. What username has been using the computer?
4. What is the default logon user?
5. What CPU is present on the suspect's computer?
6. What are the video and BIOS subkeys?
7. List 3 PCI devices and their drivers present on this computer.
8. What is the name of the suspect's computer?
9. Provide a list of suspicious IPs.
10. Identify all applications associated with the suspect IPs.
