Memory Forensics

Guides and Theory

Dump full process memory

(procdump requires systinternals procdump.exe)

procdump -ma [processID]

Powershell Memory Capture

Where the Microsoft Storage namespace is available (known not to be available in Win7), PowerShell can be used to invoke a native live memory dump.

$ss = Get-CimInstance -ClassName MSFT_StorageSubSystem -Namespace Root\Microsoft\Windows\Storage;
Invoke-CimMethod -InputObject $ss -MethodName "GetDiagnosticInfo" -Arguments @{DestinationPath="[LOCATION]\dmp"; IncludeLiveDump=$true};

Live Triage of Memory

Shout-out to Matt Graeber, Jared Atkinson and Joe Desimone for the awesome work that has gone into these scripts. Note: Not all tested, appears to work with a standard Meterpreter payload, and by default with Cobalt Strike.

Locate Possible Shellcode within process via Injected Thread

Import-Module .\Get-InjectedThread.ps1
Get-InjectedThread

Obtain Possible Shellcode within process as Hex

(Get-InjectedThread|Select -exp Bytes|ForEach-Object ToString X2) -join ''
(Get-InjectedThread|? {$_.ThreadId -match '{PID}'}|Select -exp Bytes|ForEach-Object ToString X2) -join ''

Obtain Possible Shellcode within process as Hex

(Get-InjectedThread|Select -exp Bytes|ForEach-Object ToString X2) -join '\x'
(Get-InjectedThread|? {$_.ThreadId -match '{PID}'}|Select -exp Bytes|ForEach-Object ToString X2) -join '\x'

Basic Memory Analysis via PowerShellArsenal

import-module .\PowerShellArsenal.psd1
Find-ProcessPEs
Get-ProcessStrings
Get-ProcessMemoryInfo -ProcessID {PID}
Get-VirtualMemoryInfo

Locate Possible Shellcode Address Space

Get-ProcessMemoryInfo {PID} | ? {$_.AllocationProtect -eq "PAGE_EXECUTE_READWRITE"}

Find Meterpreter in Process Memory:

Ref: Meterpreter Wiki

Find-ProcessPEs {PID} | ?{$_.ModuleName -eq "metsrv.dll" -OR $_.ModuleName -eq "ext_server_stdapi.dll" -OR $_.ModuleName -like "ext_server_*.dll"} | FL ProcessID,ModuleName,Imports;
$A=$(gps | Select -exp Id); foreach ($process in $A){Find-ProcessPEs $process | ?{$_.ModuleName -eq "metsrv.dll"} | FL ProcessID,ModuleName,Imports};
$A=$(gps | Select -exp Id);	foreach ($process in $A){Find-ProcessPEs $process | ?{$_.ModuleName -eq "metsrv.dll" | FL ProcessID,ModuleName,Imports};
$A=$(gps | Select -exp Id);	foreach ($process in $A){Find-ProcessPEs $process | ?{$_.ModuleName -eq "metsrv.dll" -OR $_.ModuleName -eq "ext_server_stdapi.dll" -OR $_.ModuleName -like "ext_server_*.dll"} | FL ProcessID,ModuleName,Imports};

Find Cobalt Strike in Process Memory:

Find-ProcessPEs {PID} | ?{$_.ModuleName -eq "beacon.dll" -OR $_.ModuleName -eq "beacon x64.dll" -OR $_.ModuleName -eq "beacon.x64.dll"} | FL ProcessID,ModuleName,Imports;
$A=$(gps | Select -exp Id); foreach ($process in $A){Find-ProcessPEs $process | ?{$_.ModuleName -eq "beacon.dll"} | FL ProcessID,ModuleName,Imports};

In memory files locked by OS

To obtain these files while they’re in use you can use a low level file extractor such as RawCopy

hiberfil.sys (RAM stored during machine hibernation)

  • %SystemRoot%\hiberfil.sys

pagefile.sys (Virtual memory used by Windows)

  • %SystemDrive%\pagefile.sys

swapfile.sys (Virtual memory used by Windows Store Apps)

  • %SystemDrive%\swapfile.sys

Volatility

pageVolatility

Other Tools

  • https://github.com/jschicht/RawCopy - Commandline low level file extractor for NTFS

  • Belkasoft Live RAM Capture Tool - Belkasoft Live RAM Capturer is a tiny free forensic tool that allows to reliably extract the entire contents of computer’s volatile memory—even if protected by an active anti-debugging or anti-dumping system.

  • Redline - Redline®, FireEye's premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.

  • Memoryze - Mandiant’s Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and on live systems can include the paging file in its analysis.

  • MAGNET RAM Capture - MAGNET RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.

  • Volexity Surge - Volexity’s Surge Collect offers flexible storage options and an intuitive interface that any responder can run to eliminate the issues associated with the corrupt data samples, crashed target computers, and ultimately, unusable data that commonly results from using other tools.

  • LiveKD - Written by the Legendary Mark Russinovich, LiveKD allows you to run the Kd and Windbg Microsoft kernel debuggers, which are part of the Debugging Tools for Windows package, locally on a live system. Execute all the debugger commands that work on crash dump files to look deep inside the system.

  • aeskeyfind - Illustrates automatic techniques for locating 128-bit and 256-bit AES keys in a captured memory image.

  • WinPMem - The Memory forensics utility found within the Velociraptor toolset.

  • rsakeyfind - rsakeyfind is a tool that locates BER-encoded RSA private keys in MEMORY-IMAGE. If a MODULUS-FILE is specified, it will locate private and public keys matching the hex-encoded modulus read from this file.

  • dumpscan - Dumpscan is a command-line tool designed to extract and dump secrets from kernel and Windows Minidump formats. Kernel-dump parsing is provided by volatility3.

winpmem.exe -o test.aff4 -dd
winpmem.exe -o test.raw --format raw -dd

Resources

Last updated