Memory Forensics
Guides and Theory
Dump full process memory
(procdump requires Sysinternals procdump.exe)
Powershell Memory Capture
Where the Microsoft Storage namespace is available (it is known not to be available on Windows 7), PowerShell can be used to invoke a native live memory dump.
Live Triage of Memory
Shout-out to Matt Graeber, Jared Atkinson and Joe Desimone for the awesome work that has gone into these scripts. Note: not all tested; appears to work with a standard Meterpreter payload and, by default, with Cobalt Strike.
Locate Possible Shellcode within process via Injected Thread
Obtain Possible Shellcode within process as Hex
Basic Memory Analysis via PowerShellArsenal
Locate Possible Shellcode Address Space
Find Meterpreter in Process Memory:
Ref: Meterpreter Wiki
Find Cobalt Strike in Process Memory:
In-memory files locked by the OS
To obtain these files while they are in use, use a low-level file extractor such as RawCopy.
hiberfil.sys (RAM stored during machine hibernation)
%SystemRoot%\hiberfil.sys
pagefile.sys (Virtual memory used by Windows)
%SystemDrive%\pagefile.sys
swapfile.sys (Virtual memory used by Windows Store Apps)
%SystemDrive%\swapfile.sys
Volatility
Other Tools
https://github.com/jschicht/RawCopy - Commandline low level file extractor for NTFS
Belkasoft Live RAM Capture Tool - Belkasoft Live RAM Capturer is a tiny free forensic tool that reliably extracts the entire contents of a computer's volatile memory, even when it is protected by an active anti-debugging or anti-dumping system.
Redline - Redline®, FireEye's premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
Memoryze - Mandiant’s Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and on live systems can include the paging file in its analysis.
MAGNET RAM Capture - MAGNET RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.
Volexity Surge - Volexity’s Surge Collect offers flexible storage options and an intuitive interface that any responder can run to eliminate the issues associated with the corrupt data samples, crashed target computers, and ultimately, unusable data that commonly results from using other tools.
LiveKD - Written by the Legendary Mark Russinovich, LiveKD allows you to run the Kd and Windbg Microsoft kernel debuggers, which are part of the Debugging Tools for Windows package, locally on a live system. Execute all the debugger commands that work on crash dump files to look deep inside the system.
aeskeyfind - Illustrates automatic techniques for locating 128-bit and 256-bit AES keys in a captured memory image.
WinPmem - The memory acquisition utility bundled with the Velociraptor toolset.
rsakeyfind - Locates BER-encoded RSA private keys in a memory image (MEMORY-IMAGE). If a MODULUS-FILE is specified, it locates the private and public keys matching the hex-encoded modulus read from that file.
dumpscan - Dumpscan is a command-line tool designed to extract and dump secrets from kernel and Windows Minidump formats. Kernel-dump parsing is provided by volatility3.
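The key-schedule search that aeskeyfind performs, as an added Python illustration written for this page (not aeskeyfind's own code): a live AES-128 key usually sits in RAM next to its 176-byte expanded schedule, so every 16-byte window is expanded and compared with the bytes that follow it. The sample image, the planted offset and the exact-match requirement are constructed assumptions; aeskeyfind also tolerates bit errors and handles 256-bit keys.

```python
def _make_sbox():
    # Derive the AES S-box (GF(2^8) inverse, then affine map) by walking the
    # generator 3 and its inverse, rather than embedding the 256-entry table.
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    box = [0x63] * 256                       # S-box(0) = 0x63
    p = q = 1
    for _ in range(255):                     # p visits every nonzero byte
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF      # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF           # q /= 3
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4)
        box[p] = x ^ 0x63
    return box

SBOX = _make_sbox()

def expand_key(key, rounds=10):
    """AES-128 key expansion: 16-byte key -> 16 * (rounds + 1) bytes."""
    w = list(key)
    rcon = 1
    for i in range(4, 4 * (rounds + 1)):
        t = w[(i - 1) * 4:i * 4]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        w += [a ^ b for a, b in zip(w[(i - 4) * 4:(i - 3) * 4], t)]
    return bytes(w)

def find_aes128_keys(image):
    """[(offset, key)] for each 16-byte run whose expansion reproduces the
    160 bytes that follow it, i.e. a full AES-128 key schedule left in RAM."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        # Cheap round-key-1 filter first, full 176-byte comparison second.
        if (expand_key(cand, 1)[16:] == image[off + 16:off + 32]
                and expand_key(cand) == image[off:off + 176]):
            hits.append((off, bytes(cand)))
    return hits

# Constructed sample image: patterned filler with one expanded schedule
# (the FIPS-197 Appendix A.1 test key) planted at offset 777.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
FILLER = bytes((i * 131 + 7) & 0xFF for i in range(4096))
SAMPLE_IMAGE = FILLER[:777] + expand_key(SAMPLE_KEY) + FILLER[777 + 176:]

if __name__ == "__main__":
    for off, key in find_aes128_keys(SAMPLE_IMAGE):
        print(f"AES-128 key at offset {off:#x}: {key.hex()}")
```

On a real capture, pass the raw image bytes (or a memoryview over a mapped file) to find_aes128_keys; the same schedule-consistency check is why keys survive in dumps even when the process that used them has exited.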
Resources
MemLabs - Educational, CTF-styled labs for individuals interested in Memory Forensics
SANS Memory Forensics CheatSheet