By Chirath De Alwis
What is volatile memory forensics?
Identification, preservation, extraction, analysis and presentation of volatile memory artifacts
Process Management - Processes
• A new process is created with its own ID (process ID) and address space
• Each process has a table of handles (or file descriptors) to kernel objects such as files and network sockets
• The process address space contains:
• the process executable
• its list of loaded modules (DLLs or shared libraries)
• stacks
• heaps
• allocated memory regions containing everything from user input to application-specific data structures
Process Management - Threads
• A thread is the basic unit of CPU utilization and execution
• Often characterized by a thread ID, CPU register set, and execution stack(s), which
help define a thread’s execution context
• Before a process can access an object, it first opens a handle to the object
• When a process is finished using an object, it should close the handle by calling the
appropriate function
Process Management – VAD Tree
• Each process's virtual address space is described in Windows by a Virtual Address Descriptor (VAD) tree: a balanced binary tree of allocated memory regions rooted in the process's EPROCESS structure
• Most information about a process's memory layout (mapped files, loaded DLLs, heaps, stacks, page protections) can be retrieved by walking its VAD tree
• Walking the VAD tree makes it possible to recover all of the memory-mapped files associated with a specific process
Acquisition
• Converting volatile memory into a non-volatile state for future analysis
• Two approaches: hardware-based and software-based
• Hardware-based acquisition
• More reliable: does not depend on the target OS, so it is harder for malware on the host to subvert
• Expensive
• Software-based acquisition
• Needs a running OS: the tool runs as a process or driver on the target, so malware on the host can interfere with it
• Widely used
Memory Dump Formats
• Raw memory dump
• Does not contain any headers, metadata, or magic values for file type identification
• Typically includes padding for any memory ranges that were intentionally skipped (i.e., device memory) or that could not be read by the acquisition tool
• Windows crash dump
• When the Windows OS crashes (Blue Screen of Death or BSOD) it can write the contents of memory to a dump file on disk; how much is written depends on the configured dump type
• Complete memory dump – records all the contents of system memory when your
computer stops unexpectedly
• Small memory dump - records the smallest set of useful information that may help
identify why your computer stopped unexpectedly
Memory Dump Formats
• Windows hibernation file
• Contains a compressed copy of memory that the system writes to disk (hiberfil.sys) during the hibernation process
• EnCase Expert Witness Format (EWF)
• Proprietary format used by EnCase
• HPAK
• Developed by HBGary
• Allows a target system's physical memory and page file(s) to be embedded in the same output file
• Proprietary format
Memory Dump Formats
• Virtual machine memory
• The saved-state or snapshot file a hypervisor writes for a suspended VM
• Process dump
• Small in size: contains only one process's address space rather than all of physical memory
Current Analysis Techniques
• File carving
• Searches memory for specific patterns of values (magic values) that are unique to the particular type of file in question, e.g. the JPEG footer FF D9
• Recovering memory-mapped files
• Can be recovered from walking VAD tree and pulling the objects of interest
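The two pattern-based ideas above (a raw dump has no magic value, while crash dumps and hibernation files do, and a carver finds files in memory by their header and footer bytes) as one added example. This is not code from the original slides or from any of the tools named on them. The crash dump signatures (PAGEDUMP / PAGEDU64) and hibernation signatures (hibr / HIBR / wake / WAKE) are the real values at offset 0 of those files; the "dump" it scans is a constructed byte string, not a real image.

```python
from dataclasses import dataclass
from typing import Dict, List

# Magic values found at offset 0 of the non-raw Windows dump formats discussed above.
# A raw dump carries no such signature, so "raw" is a fallback, never a positive match.
DUMP_SIGNATURES: Dict[bytes, str] = {
    b"PAGEDUMP": "Windows crash dump (32-bit)",
    b"PAGEDU64": "Windows crash dump (64-bit)",
    b"hibr": "Windows hibernation file (active)",
    b"HIBR": "Windows hibernation file (active)",
    b"wake": "Windows hibernation file (resumed)",
    b"WAKE": "Windows hibernation file (resumed)",
}

JPEG_HEADER = b"\xff\xd8\xff"  # SOI marker followed by the first segment marker
JPEG_FOOTER = b"\xff\xd9"      # EOI marker


def identify_dump(data: bytes) -> str:
    """Classify a dump by its leading magic value; anything unrecognised is treated as raw."""
    for magic, name in DUMP_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "raw (no header or magic; identify by size and layout instead)"


@dataclass
class CarvedFile:
    offset: int   # where the header was found in the dump
    size: int     # bytes from header through footer inclusive
    data: bytes


def carve_jpegs(data: bytes, max_size: int = 10 * 1024 * 1024) -> List[CarvedFile]:
    """Header/footer carving: every FF D8 FF followed by the next FF D9 within max_size.

    Deliberately simple. Real carvers validate the segment structure, because an
    embedded thumbnail or unrelated FF D9 bytes can produce an early footer, and a
    header with no footer (a truncated or partially paged-out image) is skipped here.
    """
    found: List[CarvedFile] = []
    pos = 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end == -1 or end - start > max_size:
            pos = start + 1          # no usable footer: move past this header
            continue
        end += len(JPEG_FOOTER)
        found.append(CarvedFile(start, end - start, data[start:end]))
        pos = end
    return found


def build_sample_dump() -> bytes:
    """Constructed stand-in for a raw dump: zero padding, two JPEG-like blobs, one truncated header."""
    jpeg1 = JPEG_HEADER + b"\xe0\x00\x10JFIF" + b"A" * 20 + JPEG_FOOTER   # 32 bytes
    jpeg2 = JPEG_HEADER + b"\xe1" + b"B" * 50 + JPEG_FOOTER                 # 56 bytes
    truncated = JPEG_HEADER + b"\xe0" + b"C" * 10                            # no footer
    return b"\x00" * 4096 + jpeg1 + b"\x00" * 512 + jpeg2 + b"\xff" * 100 + truncated


if __name__ == "__main__":
    for sample in (b"PAGEDU64" + b"\x00" * 24, b"hibr" + b"\x00" * 28, build_sample_dump()):
        print(identify_dump(sample))
    for f in carve_jpegs(build_sample_dump()):
        print(f"JPEG at offset 0x{f.offset:x}, {f.size} bytes")
```

Against a real raw image, replace build_sample_dump() with the file's bytes (memory-map it rather than reading several gigabytes into a string). The truncated header in the sample is the usual failure mode in memory: the rest of the image was paged out or never read, so the carver finds a start and no end.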
Memory Forensics Tools
• Volatility
• Redline
• Rekall
• WindowsSCOPE
Sample Analysis
# vol.py -f APT.img --profile=WinXPSP3x86 pstree
• iexplore.exe (PID 796) was spawned from svchost.exe (PID 884), which is anomalous: Internet Explorer is normally launched by the user's shell (explorer.exe), not by a service host process
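The parent/child check behind that finding, as an added example that is not part of the original slides and does not use Volatility itself. The process list is a constructed XP-style listing that reproduces only the relationship the slide reports (iexplore.exe 796 under svchost.exe 884); the expected-parent table is an assumed baseline for XP (winlogon.exe starts services.exe and lsass.exe, services.exe starts svchost.exe, userinit.exe starts explorer.exe and then exits).

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int


# Constructed sample in the shape of pslist/pstree output (name, PID, PPID) for a
# Windows XP box. It is not the APT.img listing from the slide; it only reproduces
# the one relationship the slide calls out: iexplore.exe 796 under svchost.exe 884.
SAMPLE_PROCS: List[Proc] = [
    Proc("System", 4, 0),
    Proc("smss.exe", 368, 4),
    Proc("csrss.exe", 584, 368),
    Proc("winlogon.exe", 608, 368),
    Proc("services.exe", 652, 608),
    Proc("lsass.exe", 664, 608),
    Proc("svchost.exe", 884, 652),
    Proc("explorer.exe", 1432, 1400),   # PPID 1400 is userinit.exe, which has exited
    Proc("iexplore.exe", 796, 884),     # the slide's finding
    Proc("iexplore.exe", 1640, 1432),   # normal: launched from the user's shell
]

# Assumed baseline for XP: which parent each well-known process should have.
# A browser should descend from the shell (or another browser instance), never
# from a service host.
EXPECTED_PARENTS: Dict[str, Set[str]] = {
    "services.exe": {"winlogon.exe"},
    "lsass.exe": {"winlogon.exe"},
    "svchost.exe": {"services.exe"},
    "iexplore.exe": {"explorer.exe", "iexplore.exe"},
}


def children_of(procs: List[Proc]) -> Dict[int, List[Proc]]:
    kids: Dict[int, List[Proc]] = {}
    for p in procs:
        kids.setdefault(p.ppid, []).append(p)
    return kids


def render_pstree(procs: List[Proc]) -> List[str]:
    """One line per process, children indented with dots as pstree does.

    Roots are processes whose PPID is not in the listing: PID 0 for System, or a
    parent that has already exited (userinit.exe for explorer.exe here).
    """
    by_pid = {p.pid: p for p in procs}
    kids = children_of(procs)
    lines: List[str] = []

    def walk(p: Proc, depth: int) -> None:
        lines.append(f"{'.' * depth}{p.name} (PID {p.pid}, PPID {p.ppid})")
        for child in sorted(kids.get(p.pid, []), key=lambda c: c.pid):
            walk(child, depth + 1)

    for root in sorted((p for p in procs if p.ppid not in by_pid), key=lambda r: r.pid):
        walk(root, 0)
    return lines


def find_parent_anomalies(procs: List[Proc]) -> List[str]:
    """Flag every process whose actual parent is not in its expected-parent set."""
    by_pid = {p.pid: p for p in procs}
    findings: List[str] = []
    for p in procs:
        expected = EXPECTED_PARENTS.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name if parent else "<exited>"
        if parent_name.lower() not in expected:
            findings.append(
                f"{p.name} (PID {p.pid}) spawned from {parent_name} (PID {p.ppid}); "
                f"expected one of {sorted(expected)}"
            )
    return findings


if __name__ == "__main__":
    print("\n".join(render_pstree(SAMPLE_PROCS)))
    for finding in find_parent_anomalies(SAMPLE_PROCS):
        print("SUSPICIOUS:", finding)
```

The second iexplore.exe (PID 1640, under explorer.exe) passes the check, so the rule flags the relationship, not the program name. A missing parent is reported as exited rather than as an anomaly, which matters on XP where explorer.exe routinely has a dead PPID; on a real image, feed the function the tuples from pslist and extend EXPECTED_PARENTS for the Windows version in hand.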
• Forensic Focus
URL: http://www.forensicfocus.com/
• eForensics Magazine
URL: https://eforensicsmag.com/