Chapter 7: Analyzing System Memory
For the longest time, law enforcement and other organizations performing digital forensic
tasks associated with incident investigations often relied on methodologies that focused on
evidence contained within the hard drive. Procedures dictated that the system be powered
down and the hard drive removed for imaging. While this methodology and associated
procedures were effective at ensuring the integrity of the evidence, this overlooked the
wealth of information that was contained within the Random Access Memory (RAM), or
memory for short, of the targeted system. As a result, incident response analysts began to
focus a great deal of attention on ensuring that appropriate methods were employed that
maintained the integrity of this evidence, as well as giving them a platform from which to
obtain information of evidentiary value.
This chapter will focus on the types of evidence that can be located within the memory of a
system, the tools and techniques available to incident response analysts, and finally, how to
analyze this information to obtain a clear understanding of how the system was
compromised. These techniques can also be integrated into the analysis of other
evidence, such as network log files and files located on the targeted system.
Memory evidence overview
When discussing analyzing the memory of a system, there are two terms that are used
interchangeably. The first is RAM. RAM is the portion of the computer's internal systems
where the operating system places data utilized by applications and the system hardware
while that application or hardware is in use. What makes RAM different from storage is the
volatile nature of the data. Often, if the system is shut off, the data will be lost.
SANS six-part methodology
The SANS Institute makes use of a six-part methodology for the analysis of memory
images. This process is designed to start from an overall view of what is running and
progress to identifying and accessing the malicious software. The SANS methodology
consists of the following steps:
1. Identify rogue processes: Malware often hides its behavior behind processes that
on the surface may seem legitimate. Uncovering these involves identifying what
processes are running, the location in the operating system they are running
from, and verifying that only legitimate processes are in use. Sometimes
processes are hidden in plain sight where adversaries change a single letter in a
process name. Other times, they will attempt to execute a process from an
illegitimate source.
2. Analyze process DLLs and handles: Once a process or multiple processes have
been identified as rogue, the next step is to examine the DLL files associated with
the process as well as other factors such as account information.
3. Review network artifacts: Malware, especially multi-stage malware, requires
connection to the internet. Even systems that are fully compromised often beacon
out to C2 servers. Active and listening network connections are contained within
the memory of these systems. Identifying external host IP addresses may give
some insight into what type of compromise has taken place.
4. Look for evidence of code injection: Techniques such as process hollowing and
unmapped sections of the memory are often used by advanced malware coders.
Memory analysis tools assist analysts with finding the evidence of these
techniques.
5. Check for signs of a rootkit: Achieving persistence is a goal of many external
threat actors. If they are able to achieve the initial compromise of the system, it is
critical to them that they maintain that access.
6. Dump suspicious processes and drivers: After locating any suspicious processes or
executables, analysts need to be able to acquire them for later analysis with
additional tools.
Network connections methodology
In many incidents, the first indication that a system is compromised is attempted or
completed connections to external hosts. Detection mechanisms such as firewalls or web
proxies may indicate that a system or systems are attempting to communicate with suspect
external hosts. From this starting position, it may be possible to identify potential malware
on a system:
1. Suspicious network connections: Conducting a review of network connections
on hosts that have been associated with external connections will often provide
the process that is attempting to communicate.
2. Process name: Examining the process from the network connections allows
analysts to perform similar actions found within the SANS methodology. It is
advisable for the analyst to also determine if the identified process is one that
often requires a network connection.
3. Parent process ID: Further insight into the parent process is useful in
determining if the process is legitimate and has a legitimate need to
communicate via a network connection.
4. Associated entities: Finally, examining the associated DLLs and other artifacts
brings us to the stage where they can be acquired and analyzed.
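As an added example (not from the book, nor code from Volatility, Rekall or Redline), the following Python applies steps 1 to 3 of the SANS methodology and the network connections methodology above to constructed pslist/netscan-style records; the baseline of expected paths, parents and no-network processes is an assumption for illustration, and a finding only marks a process for follow-up, not as confirmed malware.

```python
# Added triage example (not from the book): applies the rogue-process and
# network-connection checks above to Volatility/Rekall-style records.
from collections import namedtuple
Proc = namedtuple("Proc", "pid ppid name path")   # pslist-style record
Conn = namedtuple("Conn", "pid raddr rport")       # netscan-style record
# Constructed baseline: expected directory and parent for a few core processes,
# plus processes that normally need no outbound connection (assumed, not authoritative).
BASELINE = {
    "svchost.exe": (r"c:\windows\system32", "services.exe"),
    "services.exe": (r"c:\windows\system32", "wininit.exe"),
    "explorer.exe": (r"c:\windows", "userinit.exe"),
}
NO_NETWORK = {"lsass.exe", "services.exe"}

def edit_distance_one(a, b):
    """True when names have equal length and differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def triage(procs, conns):
    """Return (pid, finding, detail) tuples for an analyst to follow up on."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:                                # SANS steps 1 and 2
        name, parent = p.name.lower(), by_pid.get(p.ppid)
        if name in BASELINE:
            exp_dir, exp_parent = BASELINE[name]
            if not p.path.lower().startswith(exp_dir):
                findings.append((p.pid, "unexpected path", p.path))
            if parent and parent.name.lower() != exp_parent:
                findings.append((p.pid, "unexpected parent", parent.name))
        else:                                      # "single letter changed" names
            for legit in BASELINE:
                if edit_distance_one(name, legit):
                    findings.append((p.pid, "lookalike name", f"{p.name} ~ {legit}"))
    for c in conns:                                # SANS step 3 / network method
        p = by_pid.get(c.pid)
        pname = p.name.lower() if p else "<unknown>"   # no owner: possibly hidden
        if p is None or pname in NO_NETWORK:
            findings.append((c.pid, "unexpected connection", f"{pname} -> {c.raddr}:{c.rport}"))
    return findings

PROCS = [  # constructed sample records, not real evidence
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(700, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(800, 2400, "svchost.exe", r"C:\Users\Public\svchost.exe"),
    Proc(900, 600, "svch0st.exe", r"C:\Windows\Temp\svch0st.exe"),
    Proc(2400, 1, "explorer.exe", r"C:\Windows\explorer.exe"),
]
CONNS = [Conn(800, "203.0.113.10", 443), Conn(600, "198.51.100.7", 4444),
         Conn(1234, "203.0.113.10", 8080)]
```

Running `triage(PROCS, CONNS)` on the constructed records flags the svchost.exe copy outside System32 with the wrong parent, the look-alike svch0st.exe, a connection from a process that should not need one, and a connection whose owning process is absent from the process list.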
Tools
There are several tools available to analysts for the review of memory images. For the
purposes of this chapter, three tools will be examined. The first of these, Mandiant Redline,
is a GUI-based memory analysis tool that examines memory images for signs of rogue
processes and scores them based upon several factors. The remaining tools, Volatility and
Rekall, are command-line tools that allow analysts to drill into the details of the memory
image and identify potential malicious code.
Redline
One powerful tool that analysts should include in their toolkits is Mandiant Redline. This
Microsoft Windows application provides a feature-rich platform for analyzing memory
images. These features include the ability to create a memory collector, although the tool
will work with memory captures that have been performed via tools previously discussed.
There is also the ability to utilize previously discovered Indicators of Compromise (IOCs)
to aid in the examination. The tool can be downloaded at
fireeye.com/MandiantRedline/FireEyeRedline.