07 - Memory Forensics Flashcards

(31 cards)

1
Q

What is a memory image?

A

Memory image: sample of the state of the physical memory at a given point in time.

2
Q

To translate a virtual address to a physical address, perform how many steps?

A

3 steps:
Compute the Page Directory Entry (PDE)
Compute the Page Table Entry (PTE)
Compute the Physical Address (PA)

3
Q

In the IA-32 architecture, CR3 contains the physical address of …?

A

the initial structure used for address translation.
The CR3 register is updated during context switches when a new task is scheduled.

4
Q

On Linux, shared kernel space is at the top or bottom of the available address space?

A

top.

5
Q

In the Linux user-space layout, is the stack at the top or the bottom?

A

Top.

6
Q

The kernel maintains a list of active processes. Is this list exported to userland?

A

No.

7
Q

The init_task variable is statically allocated within the kernel, initialized at boot, has a PID of 0, and has a name of swapper. Does it appear in process lists generated through the ps command or /proc?

A

No.

8
Q

What is Volatility?

A

Volatility: A memory analysis framework.

9
Q

Forensic interpretation of memory dumps:

A

Method #1: Tree / list traversal
Method #2: Fingerprint / pattern search

10
Q

Memory reconstruction approaches’ pros/cons.

A

Method #1: Tree / list traversal:
- Can stitch together more related records from kernel perspective
- Can miss unlinked, dead structures (Con)

Method #2: Fingerprint / pattern search:
- Find unlinked, dead structures (warm reboot)
- Can work with imperfect dumps
- Less context without following related structures/objects (Con)
- Susceptible to rubbish (Con)

11
Q

What is fileless malware?

A

Fileless malware is malware that does not write a persistent binary to disk (or writes very little). Instead, it executes and keeps its functionality in memory (RAM) using legitimate system mechanisms, for example script interpreters, dynamic loading of code into trusted processes, and abuse of administrative tools (PowerShell, WMI, Python, etc.). The goal is to evade detection by scanners that look through files on disk.
Traditional digital forensics methods that search persistent storage would find it difficult to assess this type of malware, making tools like Volatility all the more important.

12
Q

Identifying malicious processes.

A

Usually, look at what processes were running when the RAM dump was captured.
- Malware can hide but it must run :) -> Looking at the running processes of a device is always a great way to try and identify any malware that may be running on it

13
Q

What does pslist do?

A

pslist: lists running processes.
pslist: shows the network connections associated with the RAM dump

14
Q

What does pstree do?

A

pstree: helps to get an idea of what process spawned another process.
Can also help detect malicious processes masquerading as legitimate Windows processes:
- Masquerading occurs, e.g., by naming the running malware process after legitimate Windows processes

15
Q

When a RAM dump is captured, are the network connections open at the time of capture also stored within the captured memory?

A

Yes.

16
Q

What is Symantec?

A

Symantec runs a monitoring service that keeps a searchable database of malicious URLs
- Let’s visit Symantec Site Review and see if we find information about these IPs.

17
Q

What are Indicators of compromise (IOCs)?

A

Serve as forensic evidence of potential intrusions on a host system
or network. These artifacts enable us to detect intrusion attempts or
other malicious activities.

18
Q

Examples of IOCs?

A
  • Unusual traffic going in and out of the network
  • Unknown files, applications, and processes in the system
  • Suspicious activity in administrator or privileged accounts
19
Q

What is procdump?

A

procdump: This will extract the executable and all of the associated DLLs.

20
Q

What are 5 tradeoffs when choosing the acquisition technique?

A
  • Time of installation: prior to incident or post incident
  • Access to system: local or remote
  • Access to main memory: pure hardware vs. software
  • Required privileges: user vs. administrator
  • Impact on system: live vs. post mortem
21
Q

Two main factors can be used to help make a decision when choosing the acquisition technique.

A
  • Atomicity: how close to the present memory state can the forensic
    memory snapshot be retrieved;
  • Availability: whether the tools necessary to perform memory
    acquisition are available or not;
22
Q

Software-based: User level tools for acquisition.

A

Based on user-level tools for memory dumping
- Acquire copy of physical memory (e.g., Data-Dumper)
- Dump the memory contents of a process to a file (e.g., PMDump)
Strengths of this technique:
- Good for incident scenarios
- Capturing forensic image even in situations with little time
Weaknesses of this approach:
- Work on specific operating systems only; e.g., several tools resort to OS-provided device interfaces like /dev/mem that are disabled in many cases for security reasons
- Applications must be loaded into memory before execution
- Depend on functions of the OS; e.g., a rootkit may deny access to physical memory or modify the RAM
- May require administrator/root privileges

23
Q

What is ptrace?

A

Userland debugging interface that Linux provides:
- The interface is limited for robust memory acquisition, because it can acquire pages only from running processes, which misses all kernel memory, freed pages, and other data;
- The only time you should use ptrace as an acquisition method
is when you are interested in the code and data of only one
process, such as related to a piece of malware.

24
Q

Software-based: Kernel level drivers for acquisition.

A

Leverage a kernel driver / module to access physical memory without restrictions, reading RAM in a controlled way.
e.g. -> fmem, Linux Memory Extractor (LiME).

25
Q

Software-based: Several methods for acquisition.

A

- Crash dumps
- Operating system injection
- Hibernation file
- Virtual machine imaging

26
Q

Software/hardware-based: Warm and cold boots for acquisition.

A

Warm boots refer to reboot methods in which power is never removed from the memory module (e.g., press the reset button).
Cold boots refer to reboot methods in which power is removed from the memory module (e.g., pull the plug and reboot).

27
Q

Does RAM retain its contents during reboots as long as power is provided?

A

Yes.

28
Q

Hardware-based: Dedicated hardware card for acquisition.

A

Use of a special hardware card to obtain a forensic image of a computer's RAM. It uses Direct Memory Access (DMA), so it doesn't involve the CPU.
- No need to know credentials for the target system(s), as physical access suffices (the card does not authenticate to the operating system; it reads RAM "underneath" the OS)
- Beneficial when installed on critical servers
Limitations:
- Prior installation of the PCI card before its use
- Very expensive

29
Q

What is DMA?

A

DMA is a mechanism that lets a device (for example a network card, a disk, or a dedicated PCI card) transfer data directly between itself and RAM without going through the CPU for every byte. Instead of the CPU reading/writing each block of data, the device sets up a DMA operation (address, size) and the memory controller performs the transfer autonomously. Advantage: reduces CPU load and speeds up large transfers (efficient I/O).

30
Q

Hardware-based: Special hardware bus for acquisition.

A

Alternative to PCI cards: one can read volatile memory via the IEEE 1394 bus (FireWire).
- FireWire devices have direct access to the computer's memory
Limitations:
- FireWire only permits acquisition of the first 4GB of RAM, which can severely limit your success on large-memory systems

31
Q

Decision matrix: Availability vs. Atomicity

A

The decision matrix helps investigators choose a specific memory acquisition technique. An ideal acquisition method is characterized by both high atomicity and high availability.