Memory Forensics Comes into the Light
Recently, fileless malware has shown up in numerous LinkedIn articles, blog posts and research papers. It’s being discussed as the “new” threat to watch out for. I agree that this is an important topic, but I do not agree that it is a new threat. Rather, it has been a threat long ignored and is now being rapidly exploited by attackers.
To give some information about the threat, fileless malware is found only in memory, not in a file on disk. This attack is actually using Meterpreter code inside the physical memory of a domain controller. Along with the presence of Meterpreter, analysts discovered the use of PowerShell scripts within the Windows Registry. For those who are unaware, Meterpreter is a tool from the Metasploit framework, a free hacking tool commonly used by both penetration testers and criminal hackers. Once the attackers have successfully installed Meterpreter, they use various scripts to install a malicious service on the targeted host. After... read more >
Not All Is Lost When You Lose Your Memory
Some time ago I wrote a blog, Memory: It’s What’s for Dinner, about the importance of capturing volatile data and memory analysis. I also provided an intro for memory analysis in Hunting Malware with Memory Analysis and More Memory Fun. What happens if you are not able to grab memory? Obviously, a full memory capture of the suspect system will give you the best chance at recovering volatile information from the system but if you can’t, not all is lost.
Hibernation and page files contain data that can help put the pieces of the puzzle back together. The hibernation... read more >
Top Ten Recommended Steps for an Incident Response
There may be an occasion when a governmental authority, or your own ISP, will contact your organization and state that one of your organization-owned IPs is talking to known bad IPs.
Your first instinct is probably to stop the communication. Your second instinct may be to poke around the system(s) to figure out why there was communication to the bad IPs.
Although these are understandable steps, the poking actions could be altering artifacts that are critical to finding which programs, services and processes are doing the communicating, and why.
If your company does not have an incident response plan with a team or expertise to execute a plan, I highly recommend having at least one manager and one technical employee trained to properly gather, preserve, track and store forensic evidence.
These employees should be the very first contacted in the case of a possible ... read more >
May 09, 2013 - Posted by Jeremy Scott to
Memory is the new vogue and rightfully so. My Solutionary teammate, Susan Carter, recently posted a related blog. Ironically, we were both crafting our posts at about the same time, but I want to drive home the importance of capturing volatile data and performing memory analysis.
In the past, forensic examinations involving computer systems were always performed by immediately disconnecting any compromised or infected hosts from the network. This is done with a “hard shutdown,” or what has become known as “pulling the plug,” followed by immediately acquiring a forensic image of the hard drive. The rationale for doing this as the first step is to preserve the state of the hard disk.
Now, the first step in any incident response scenario should be capturing the volatile data at the onset. This has become critical to identifying the extent of the compromise or infection. In... read more >
Many pieces of malware exist that have been written to live solely in memory and never touch the hard drive, effectively evading any analysis that only looks at the physical disk. The bad guy can hide malware on your computer system very effectively, but it must run in order to do its bad things. Within the depths of the volatile memory (RAM) on your system are traces of activity that can help identify if bad things are lurking on your computer.
Volatile memory holds data that does not exist anywhere else:
- Encryption keys
- Running processes
- Files that each process had/has open
- DLLs loaded by each process as well as command line invocation of a process
- Code associated with a running process
- Open sockets
- Active network connections
There are many tools available to help you create a memory dump. These include tools like... read more >