Windows Memory Forensics using Open Source Tools
Memory Forensics is forensic analysis of computer’s memory dump, according to Wikipedia. In short, first we have to create the dump of the main memory and then for further analyzing the dump, we use several Dump Analysis tools.
Memory Forensics include the both Volatile and Non-Volatile information. For those who are unaware, Volatile information is that is present inside the RAM and vanishes once the system is power down. Non-Volatile information is present inside the storage which is saved in system even when it is power down.
In this blog, I’ll be demonstrating about the Capturing and Analysis of Volatile Information of Windows System, with the practicals of Tools and Techniques and what to capture and how to analyze the captured files.
Guidelines for Collecting Volatile Information
A predefined standard by Internet Engineering Task Force (IETF) released a document titled Guidelines for Evidence Collecting and Archiving also known as RFC 3227, which explains the collection of evidence should start with most volatile item and end with least volatile item.
The link for the official document for reference:
I’ll not discuss about the full guideline here, but the important points that we have to cater while performing Volatile dump.
First is the Order of Volatility which discuss about the most Volatile evidence to the least Volatile evidence. Order of Volatility for a typical system:
- Registers, Cache
- Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory
- Temporary File Systems
- Disk
- Remote Logging and Monitoring Data
- Physical Configuration. Network Topology
- Archival Media
What things to avoid while collection of the Volatile Data:
- Don’t shutdown until completed the evidence collection
- Don’t trust any program on system
- Don’t run programs that modify the access time of all files on system
- When removing external avenues for change note that simply disconnecting or filtering from network may trigger detection when they are off the net and wipe evidence (i.e. removing any network connection or any source of communication within the network may destroy some evidences)
Capability of the Software/Program for performing Volatile Information Gathering:
- Program for examining processes
- Program for examining system state
- Program for doing bit-to-bit copies
- Programs for generating check-sums and signatures
- Programs for generating core images and for examining them
- Scripts to automate evidence collection
What are the free tools available?
The following tools mentioned are the best available, user-friendly and powerful tools that are available for free of-course but not only limited to these tools, cause hell number of scripts are available on Github which you can check and explore.
- FTK Imager (https://accessdata.com/product-download/ftk-imager-version-4-5)
- Belkasoft RAM Capture (https://belkasoft.com/ram-capturer)
- MagnetForensics RAM Capture (https://www.magnetforensics.com/resources/magnet-ram-capture/)
- Microsoft Sysinternals (https://docs.microsoft.com/en-us/sysinternals/)
- Nirsoft Launcher (https://launcher.nirsoft.net/downloads/)
- Volatility Framework (https://www.volatilityfoundation.org/)
- Volatility Workbench (https://www.osforensics.com/tools/volatility-workbench.html)
- FireEye Redline (https://www.fireeye.com/services/freeware/redline.html)
Note: For Volatility Framework, you may have to install Python version 2 or version3 depending upon the version of Volatility Framework for running the software.
Also, there is Lite version of FTK Imager which you can directly run from any USB to perform Volatile acquisition of the system. The only issue is while imaging via FTK Imager Lite, it may perform some writing on RAM while some changes in memory that may tamper the evidence.
Getting Started with FTK Imager
According to the official Exterro website (https://www.exterro.com/ftk-imager), FTK Imager is a data previewing and imaging tool that quickly assess electronic evidence to determine if further analysis with forensic tool such as Forensic Toolkit (FTK) is warranted.
Some features of FTK Imager:
- Data Previewing and Imaging
- Perfect Copies and Forensic Images
- Hash Reports
- Forensic Image Mounting
- Capture and View APFS Images (Apple Forensic Image)
Apart from these features, FTK Imager has some useful features:
- Recovery of Deleted Data at some extent
- Capturing Live RAM
- Decryption of AD1 Image
After completing the setup of FTK Imager in system, the window looks like this:
From the File option in top-left corner, we can select on of three options to get started:
- Add Evidence Item
- Add all Attached Devices (Storage devices present in system)
- Image Mounting (External Forensic Image Mount)
For now, we’ll go with Add Evidence Item -> Logical Drive -> <Select any Drive from system>. And that will show our drive on the Evidence Tree in the left.
After selecting the Drive, FTK Imager will first scan for the Master File Table of the drive to map all the files that are available as well as deleted. Opening the drive will present three folders
- Orphan Folder (A file that is no longer a parent. If folder deleted, the files within it are deleted as well or when parent folder is overwritten)
- Root Folder
- Unallocated Space
Some of the deleted data may present in Orphan or Unallocated Space, the main contents of the drive are present in Root Folder.
We can also check the Hexadecimal view of the files by using the Hex Viewer in the Right-Bottom pane.
Selecting the root folder will show us the contents of the drive. When selecting any folder, it will display the files list in File List Pane in Right. The files with Red Cross mark in the beginning are the deleted files which can also recover by clicking the right key and then selecting Export Files option.
We can also create an Image of particular file or particular directory for examination in some other tools like Forensic Toolkit (FTK), Encase Forensic etc.
FTK Imager also has an additional feature of capturing Live Memory and creating a .memdump file for further analysis. By going in the File Menu, we have an option for Capture Memory or else we have a RAM Image on Toolbar list just as a shortcut for Capturing Memory.
It has an option for capturing PageFile.sys but capturing it will take quite a time. So, selecting the destination path will create the Live RAM Dump of the system in the particular folder which will be analyzed by tools like Volatility Workbench, Volatility Framework or Redline which will be covered in further section.
How to Perform Analysis of RAM Dump?
There are a lot of tools present on Web which can perform the analysis of .mem file. But my personal favorites are the following:
- FireEye Redline
- Volatility Workbench
- Volatility Framework
All these tools are available for free and must be used by investigators who are performing Volatile Information analysis.
Getting Started with FireEye Redline
According to FireEye website, Redline is an endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and analysis and development of threat assessment profile.
Some features of Redline software:
- Audit and collect running processes and drivers from memory, file-system metadata, registry data, event logs, network information, services, tasks and web history
- Analyze and view imported audit data, including ability to filter
- Perform Indicators of Compromise analysis
There are three options present for Collection of Data:
- Standard Collector
- Comprehensive Collector
- Indicator of Compromise (IOC) Search Collector
The Standard collection will deploy an agent. By selecting the agent on your system or we can copy that agent to any other system, the script RunRedlineAudit.bat will start collection of artifacts from the system. If performing the audit on any other system, it will save the Session in the same pen-drive in which the script is stored.
Running the script created one AnalysisSession1.mans file which will be read via Redline software by selecting the Open Previous sessions on the Dashboard. After opening the Session file in Redline, it will display the following Investigation options:
- Triage Collection from HX
- Investigating Host Based on External Investigative Lead
- Review Web History Data
- Search Data with set of Indicators of Compromise (IOC)
These options will display set of data accordingly to nature of investigation. Looking at the left pane “Analysis Data”, we can see further options:
- System Information
- Processes (Handles, Memory Sections, Strings, Ports)
- Hierarchical Processes
- Timeline
- Tags and Comments
- Acquisition History
We can analyze the dump file we created in FTK Imager with Redline software. From the dashboard, just select the options “From a Saved Memory File”
Creating a Comprehensive Collector is a bit time consuming. Cause it is more advanced then the standard version and for devices with HDD drive may take a lot amount of time.
What is Nirsoft utility and difference with Microsoft Sysinternals ?
Nirsoft is collection of small and useful freeware utilities which can be very useful when collecting Volatile Information from any system. The utilities included performs many functions be it Process Viewing, Network Information, Internet Related Information, System Information, Passwords Information etc.
Microsoft Sysinternals do cover a lot of information but there are extra features included in Nirsoft Launcher for example USB history, Browser Related information, JumpLists etc.
Some of the advantages of Nirsoft Utilities:
- Most utilities are portable and developed in C++
- Utilities doesn’t write anything to Registry or profile folder
- Utilities can also be accessed via CMD
While running the Nirsoft Launcher, you may get notifications about Threat in the tools because some of the tools reveal the password information so need not to worry, every tool is safe to use.
Nirsoft launcher has combination of all the utilities combined on one platform which includes several sections:
- Password Recovery utilities
- Network Monitoring Tools
- Web Browser Tools
- Video/Audio Related Utilities
- Internet Related Utilities
- Command-Line Utilities
- Desktop Utilities
- Outlook/Office Utilities
- Programmer Utilities
- Disk Utilities
- System Utilities
- Other Utilities
Every utility section has different programs which we can explore. But for Volatile Information gathering, there are some tools that will help us in our collection method.
In System Utilities, list of useful programs:
- AppCrashView
- BlueScreenView
- CurrProcess
- EventLogChannelsView
- ExecutedProgramsList
- FullEventLogView
- HandleCountersView
- InstalledAppView
- InstalledDriversList
- JumpListsView
- LastActivityView
- LoadedDLLView
- ProcesActivityView
- ProcessThreadsView
- RecentFilesView
- ShadowCopyView
- ShellBagsView
- TaskSchedulerView
- USBDeview
- Windows Updates history Viewer
- WinPrefetchView
In Network Monitoring Tools, list of useful programs:
- CurrPorts
- LiveTcpUdpWatch
- NetBScanner
- NetResView
- NetworkConnectLog
- NetworkOpenedFiles
- NetworkTrafficView
- ProcessTCPSummary
- TcpLogView
- WifiHistoryView
- WirelessConnectionInfo
In Disk Utilities, list of useful programs:
- AlternateStreamView
- DiskCountersView
And in Web Browser tools, list of useful programs:
- BrowserDownloadsView
- BrowserHistoryView
- Password & Cookies Viewer for different browsers
It is advised to run all these programs with admin privileges. You may explore other tools that may seek your interest and comment if that helps in analysis.
Moving on, running the USBDeview will show the list of past connected USB devices on the system with date and time. Further we can export the list in HTML format by selecting the “HTML Report” option in “Options” tab.
Getting Started with Volatility Workbench
Volatility Workbench is a GUI version of Volatility Framework developed by Passmark. Volatility Workbench is used for extracting artifacts from memory dumps.
Advantages over the command line version:
- No need of remembering command line parameters
- Simpler copy and paste
- Time stamping of the commands executed
- Support for analyzing MAC and Linux Memory dumps
On the dashboard we have option for adding the memory dump image file that we have created from FTK Imager. We have to choose the OS platform of the acquired RAM dump which in our case is Windows and the press the Get Process List button. This will extract all processes that were running at the time creating the RAM dump.
Now, we have different Volatility commands available for analysis.
Selecting the command windows.info.Info, will how the OS details and Kernel details of the system.
Further, we can check for any malware or injected code using the windows.malfind.Malfind command.
The disadvantages with Volatility Workbench are:
- Limited commands as supported in Volatility Framework
- Writing custom scripts for the Volatility analysis
For Volatility Framework, here are some links which you can go through to get hands on of the commands and information about the tool. Not all the commands are of importance but still knowing the commands and their functionalities are of great use.
Conclusion
Volatile Information is as important as Non-Volatile Information cause it may contain some critical information that would be lost if not collected first and in a proper manner. After collection of Volatile information, how to process the collected information and further what tools to use for the analysis is important for any investigator.
In this blog, I’ve tried to explain each and every point that any investigator must care about and perform the Volatile collection and analysis in a streamlined manner with the mentioned tools. I hope you enjoyed the reading and would love to hear your comments on this for further advancement and suggestions. If any step is missing or any tool that you may think of will help in collecting and analyzing the Volatile Information, kindly comment the same as well.
