
Chapter 3: Memory Forensics

1. Introduction
2. Memory Acquisition
3. Memory Structure
4. Memory Concepts
5. Memory Analysis
6. Windows Registry

Reading: Textbook Chapter 2
Introduction
• Memory forensics relies on capturing live memory from a running computer system.
• RAM analysis consists of performing forensic analysis on the data gathered from the live computer.
• After conducting a memory dump on any live machine to capture RAM, the memory image can be used to determine information about running programs, the operating system, and the overall state of a computer, as well as to locate deleted or temporary information that might otherwise not be found on a normal image.
Introduction (ctd.)
• Until recently, RAM analysis and capture was not a mandatory
step in investigations, or even in triage situations where
analysts were attempting to gather forensic data on site.
• However, with new tools that allow entry into locked systems
and with the growing importance of temporary files, RAM
analysis is quickly becoming a pivotal and mandatory part of
the digital forensics process.

Introduction (ctd.)
Why Memory Forensics?
• Everything in the OS traverses RAM:
  • Processes and threads
  • Malware (including rootkit technologies)
  • Network sockets, URLs, IP addresses
  • Open files
  • User-generated content
  • Passwords, caches, clipboards
  • Encryption keys
  • Hardware and software configuration
  • Windows registry keys and event logs
Introduction (cont.)
Memory Forensics – Basic Approach
• Ideal analysis includes physical memory data (from RAM) as well as page file (or swap space) data
Memory Acquisition
Memory can be acquired "live" or "dead".

Swap space (on live or dead systems):
■ PAGEFILE.SYS
■ /private/var/vm/swapfile
■ Swap partitions

Live memory:
■ \\.\PhysicalMemory
■ \\.\DebugMemory
■ Device drivers
■ Hardware memory imagers
■ FireWire (provides DMA)
Memory Acquisition (ctd.)
Options for RAM acquisition
- There are two different approaches to acquiring physical memory images: software-oriented and hardware-oriented.

Hardware acquisition (very hard to do)
■ Main idea: bypass the operating system by means of a physical device. The dedicated hardware opens a dedicated communication port to copy the contents of physical memory.
■ Main technologies:
  ■ Tribble: uses a dedicated PCI (Peripheral Component Interconnect) card for memory acquisition.
  ■ FireWire bus: supports, among other functionalities such as high-speed communication and data transfer, physical access to the system memory.
■ Advantage: the absence of interaction with the operating system avoids the risk of writing data to the target memory => DMA (Direct Memory Access)
■ Disadvantage: systems using DMA can be attacked by exploiting the same feature
Memory Acquisition (cont.)
Options for RAM acquisition (cont.)

Software acquisition
■ Data Dumper (dd): a common tool used for acquiring an image of physical memory.
■ Windows crash dump utility: a copy of the RAM plus extra debugging information is written internally when a crash dump occurs.

Hibernation files and virtual machines
■ Hibernation file: contains a compressed RAM image
  %SystemDrive%\hiberfil.sys
■ VMware stores the guest's RAM in FILENAME.vmem
Memory Acquisition (ctd.)
Potential problems with acquiring live memory:

Speed:
■ Memory changes fast; it won’t be consistent.

Availability:
■ Software methods can be blocked by attacker.

Integrity:
■ Software changes the memory map
■ You can't get all the memory

Memory Acquisition (ctd.)
• Some initial factors to consider before acquiring memory:
  - Is the machine currently booted?
  - If the machine was a virtual instance, was it suspended or shut down?
  - If the machine is booted, can it be snapshotted or suspended?
  - What OS and version is it running?
  - Does the acquisition tool you are about to use output in a format that is compatible with your analysis tool?
  - If not, do you have the proper tools to convert the resultant image?
Memory Acquisition (ctd.)
Memory File Formats
The most commonly used memory dump formats are:

• RAW memory dump
  • Supported by most acquisition tools
  • Common extensions: .raw, .bin, .dd, .mem
• Windows crash dump
  • Common extension: .dmp
• Windows hibernation file
  • File name: hiberfil.sys (in the root of the system volume by default)
  • Common extension: .sys
• Pagefile
  • Swap space on Windows
  • File name: pagefile.sys (in the root of the system volume by default)
  • Common extension: .sys
• VMEM (VMware virtual machines and other virtualization technologies)
  • Common extensions: .vmem, .vmss
• AFF4 (generic container format based on .zip)
  • Common extension: .aff4
Memory Structure
Two memory views: "physical" and "logical"

Logical memory: the address space, assigned to a logical partition, that the operating system perceives as its main storage.

Physical memory: the total amount of memory installed in the computer. E.g., if the computer has two 64MB memory modules installed, it has a total of 128MB of physical memory.
Memory Structure (ctd.)
Paging
• Provides the ability to virtualize the linear address space.
• Simulates a large linear address space with a modest amount of physical
memory and disk storage.
• Each 32-bit linear address space is broken up into fixed-length sections, called
pages, which can be mapped into physical memory in an arbitrary order.
• When a program attempts to access a linear address, this mapping uses
memory-resident page directories and page tables to translate the linear
address into a physical address.

Memory Structure (ctd.)
• Address translation

Memory Structure (ctd.)
• How to do a page lookup?
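As an added illustration (not from the slides), the following Python walks a 32-bit, non-PAE page directory and page table exactly as the paging bullets above describe, over a constructed physical-memory image; the DTB value 0x39000 and every directory/table entry are made up for the example.

```python
import struct

PAGE_SIZE = 0x1000  # 4 KB pages

def split_linear_address(va):
    """Split a 32-bit linear address into page-directory index (10 bits),
    page-table index (10 bits) and page offset (12 bits)."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF

class PhysicalMemory:
    """Constructed stand-in for a raw memory image: a dict of 4 KB physical pages."""
    def __init__(self):
        self.pages = {}

    def write_u32(self, paddr, value):
        page = self.pages.setdefault(paddr & ~0xFFF, bytearray(PAGE_SIZE))
        struct.pack_into("<I", page, paddr & 0xFFF, value)

    def read_u32(self, paddr):
        page = self.pages.get(paddr & ~0xFFF)
        if page is None:
            raise LookupError(f"physical page {paddr & ~0xFFF:#x} is not in the image")
        return struct.unpack_from("<I", page, paddr & 0xFFF)[0]

def translate(mem, dtb, va):
    """Walk the page directory (at physical address dtb, i.e. the CR3 value) and the
    page table. Returns the physical address, or None when the page is not present
    (paged out or unmapped), which an analysis tool must handle rather than fault on."""
    pdi, pti, offset = split_linear_address(va)
    pde = mem.read_u32(dtb + pdi * 4)
    if not pde & 0x1:                 # bit 0: present
        return None
    if pde & 0x80:                    # bit 7 (PS): 4 MB page, no page-table level
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = mem.read_u32((pde & 0xFFFFF000) + pti * 4)
    if not pte & 0x1:
        return None
    return (pte & 0xFFFFF000) | offset

def build_sample_image():
    """Constructed image with a DTB at 0x39000 (hypothetical value) mapping two regions."""
    mem = PhysicalMemory()
    dtb = 0x39000
    # 0x7FFE1234 -> page table at 0x3A000 -> physical page 0x12345000 (present, writable)
    mem.write_u32(dtb + 0x1FF * 4, 0x0003A003)
    mem.write_u32(0x3A000 + 0x3E1 * 4, 0x12345003)
    # 0x00C00010 -> 4 MB large page starting at physical 0x00800000 (present, PS set)
    mem.write_u32(dtb + 0x3 * 4, 0x00800083)
    return mem, dtb

if __name__ == "__main__":
    mem, dtb = build_sample_image()
    for va in (0x7FFE1234, 0x00C00010, 0x10000000):
        pa = translate(mem, dtb, va)
        print(f"{va:#010x} -> {'not present' if pa is None else f'{pa:#010x}'}")
```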
Memory Concepts
Process Management
• A process is an instance of a program executing in memory.
• The operating system is responsible for managing process creation, suspension, and
termination.
• When a program executes, a new process is created and associated with its own set of
attributes, including a unique process ID and address space.
• A process provides the execution environment, resources, and context for
threads to run.
• A thread is the basic unit of CPU utilization and execution. A thread is often
characterized by a thread ID, CPU register set, and execution stack(s), which help
define a thread’s execution context.

Memory Concepts (ctd.)
Executive Objects
• A great deal of memory forensics involves finding and analyzing executive objects.
• The OS, in particular Windows, uses (C-like) structures to organize related data and attributes; these include all kernel objects, e.g., processes, threads, etc.
• Executive objects: structures with various headers for managing services such as naming, access control, and reference counts.
Memory Concepts (ctd.)
Executive Objects
• Data – content of objects (data block | page frame)

• Metadata – provides details about any given object (i.e. internal data
structures)

Memory Concepts (cont.)
Basic Process Resources
Acronym: SID – security identifier

- When a process is created and a region of virtual address space is allocated (through the VirtualAlloc API), the memory manager creates a VAD (Virtual Address Descriptor) for it.
- VAD: a data structure that contains the various attributes of a region of the process's virtual address space, e.g. the base address, access protection, the size of the region, the names of mapped files, etc.
Memory Concepts (cont.)
Process Organization
• Processes are chained/linked together in a doubly linked list structure
• The structure can be rendered as a tree, i.e. a process tree
Memory Analysis
Memory Analysis for Malware
Steps for memory analysis to identify indicators of compromise:
1. Identify rogue processes: check running processes, executable names, parent processes, executable paths, when they started, command line parameters, security identifiers, DLLs, etc.
2. Analyze process objects
3. Review network artifacts: check established network connections and their associated processes
4. Look for evidence of code injection
5. Check for signs of rootkits
6. Dump suspicious processes and drivers
Memory Analysis (ctd.)
Baseline Processes
Identify what is expected and use it as a reference for what to expect.
Initial baseline: requires a basic understanding of the core processes loaded by the OS upon boot and when a user logs on.
Initial process baseline (for Windows systems – only samples)

Memory Analysis (ctd.)
Baseline Processes (cont.)
Initial process baseline for logon (Windows systems – only samples)
Baseline Processes (cont.)
Sample boot/logon process tree:
System
  smss.exe
    csrss.exe
    wininit.exe
      lsass.exe
      lsm.exe
      services.exe
        svchost.exe
          rdpclip.exe
    winlogon.exe
      logonUI.exe
      userinit.exe
        explorer.exe

smss.exe: session manager subsystem
csrss.exe: client/server runtime subsystem
wininit.exe: Windows initialization
lsass.exe: local security authority
lsm.exe: load session manager
winlogon.exe: Windows logon process
services.exe: service control manager
Memory Analysis (ctd.)
Volatility – Memory Analysis Tool

An open-source tool for analyzing Windows memory dumps, created by Aaron Walters and Nick L. Petroni.
■ Open source (unlike prior systems)
■ Written in Python
■ Command-line memory forensic tool
■ Primarily Windows-focused; Linux (Android) & Mac support now available
■ Modular, portable

Extracts:
■ Image date & time
■ Memory map for each running process
■ Network sockets
■ DLLs loaded for each process
■ Lots more.

https://www.volatilesystems.com/VolatileWeb/volatility.gsp
http://volatility.tumblr.com/
Memory Analysis (ctd.)
Volatility – Memory Analysis Tool (cont.)
Volatility commands:
$ python volatility
Supported Commands:
  connections   Print list of open connections
  connscan      Scan for connection objects
  datetime      Get date/time information for image
  dlllist       Print list of loaded dlls for each process
  files         Print list of open files for each process
  ident         Identify image properties such as DTB and VM type
  modules       Print list of loaded modules
  pslist        Print list of running processes
  psscan        Scan for EPROCESS objects
  sockets       Print list of open sockets
  sockscan      Scan for socket objects
  strings       Match physical offsets to virtual addresses
  thrdscan      Scan for ETHREAD objects
  vaddump       Dump the Vad sections to files
  vadinfo       Dump the VAD info
  vadwalk       Walk the vad tree
Memory Analysis (ctd.)
Volatility – Memory Analysis Tool (cont.)
• Analyzing process activity

Process structures:
• Offset: the location in RAM of the process, in hexadecimal
• Name: the process name, as it would be shown in Task Manager
• PID: the process ID
• PPID: the parent process, i.e., the process that launched this process

A good summary of Volatility commands compiled by the SANS Institute is available at:
https://blogs.sans.org/computer-forensics/files/2012/04/Memory-Forensics-Cheat-Sheet-v1_2.pdf
Memory Analysis (ctd.)
Process Injection
- Technique used for running code within the address space of another process by forcing it to load malicious code, e.g., in the form of a dynamic-link library (DLL).
- DLL injection is very common with modern malware.
- Process hollowing is another injection technique.
Memory Analysis (ctd.)
Process Hollowing
• Process hollowing: a code injection technique in which the executable section of a legitimate process in memory is replaced with malicious code (mostly a malicious executable).
• Allows malware to blend in as a legitimate process and then causes that legitimate process to execute malicious code.
• The path of the process being hollowed out will still point to the legitimate path → by executing within the context of a legitimate process the malware can bypass firewalls and host intrusion prevention systems.
• E.g. an svchost.exe process hollowed out with the path still pointing to the legitimate executable (C:\Windows\system32\svchost.exe), but in memory only the executable section of svchost.exe is replaced with malicious code.
Process Hollowing (cont.)
How process hollowing works (A: malicious process, B: legitimate process)
1. Malicious process A starts legitimate process B in suspended mode.
2. A identifies the full path to B and points to the address where B's executable is loaded.
3. A gets the malicious code (mostly an executable) to inject.
4. A determines the base address of B and then deallocates the executable section of B.
5. A allocates memory in B with read, write and execute permission.
6. A writes the PE header and PE sections of the executable to inject into the allocated memory.
7. A changes the start address of the suspended thread to the address of the entry point of the injected executable.
8. A resumes the suspended thread of B; as a result, B now starts executing malicious code.
Memory Analysis (cont.)
Detecting Process Hollowing using Memory Forensics
Detecting from the parent-child process relationship
Example: two suspicious lsass.exe processes (pid 868 and pid 1928) which were not started by wininit.exe but by services.exe.
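An added example, not from the course material, of automating the parent-child check above in Python: the baseline dictionary follows the sample process tree given earlier in this chapter, and the pslist-style listing is constructed, with two lsass.exe processes (pids 868 and 1928) whose parent is services.exe.

```python
import re

# Baseline of expected parent names for core Windows processes, taken from the sample
# boot/logon tree earlier in this chapter. A real baseline depends on the Windows version.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "lsass.exe": {"wininit.exe"},
    "lsm.exe": {"wininit.exe"},
    "services.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "userinit.exe": {"winlogon.exe"},
    "explorer.exe": {"userinit.exe"},
}

# Constructed pslist-style output (Offset, Name, PID, PPID columns); not a real capture.
SAMPLE_PSLIST = """\
Offset(V)   Name          PID  PPID
0x8a1b2c30  System          4     0
0x8a2c4d60  smss.exe      252     4
0x8a3d5e90  csrss.exe     332   324
0x8a4e6fc0  wininit.exe   376   324
0x8a5f70f0  services.exe  464   376
0x8a607120  lsass.exe     480   376
0x8a718250  svchost.exe   612   464
0x8a829380  lsass.exe     868   464
0x8a93a4b0  lsass.exe    1928   464
"""

ROW = re.compile(r"^\s*0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")

def parse_pslist(text):
    """Return {pid: (name, ppid)} from pslist-style text, skipping the header line."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1).lower(), int(m.group(3)))
    return procs

def find_unexpected_parents(text):
    """Return [(name, pid, actual_parent_name)] for baseline processes whose parent is
    present in the listing but is not the expected one. A parent PID that is absent from
    the listing (e.g. an smss.exe instance that already exited) is not reported here."""
    procs = parse_pslist(text)
    findings = []
    for pid, (name, ppid) in procs.items():
        expected = EXPECTED_PARENT.get(name)
        if expected is None or ppid not in procs:
            continue
        parent_name = procs[ppid][0]
        if parent_name not in expected:
            findings.append((name, pid, parent_name))
    return findings

if __name__ == "__main__":
    for name, pid, parent in find_unexpected_parents(SAMPLE_PSLIST):
        print(f"{name} (pid {pid}) was started by {parent}, which is not in the baseline")
```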
Memory Analysis (cont.)
Detecting Process Hollowing using Memory Forensics (cont.)
Detecting by comparing the PEB and the VAD structure

- PEB (Process Environment Block): resides in the process memory and keeps track of the full path to the executable and its base address.
- VAD (Virtual Address Descriptor): resides in kernel memory and contains information about the contiguous process virtual address space allocation, including the start address, end address and the full path to the executable.
- Comparing the PEB and the VAD for discrepancies can tell if a process has been hollowed out.
Memory Analysis (cont.)
Detecting Process Hollowing using Memory Forensics (cont.)
Detecting by comparing the PEB and the VAD structure – Example
Full path to lsass.exe (pid 868) and the base address (0x01000000) where it is loaded, as obtained from the PEB.

From the VAD: the full path name to lsass.exe is not shown, because the malware unmapped the lsass.exe image; as a result the full path name is no longer associated with the address 0x01000000.
Memory Analysis (cont.)
Detecting Process Hollowing using Memory Forensics (cont.)
Detecting using suspicious memory protection

- A process with a memory region protected PAGE_EXECUTE_READWRITE suggests that the particular memory range might be concealing executable code, and this makes the process suspicious.

- Any executable that is normally loaded will have a memory protection of PAGE_EXECUTE_WRITECOPY.
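The PEB-versus-VAD comparison and the protection check above, as an added Python example (not from the slides); the PEB and VAD records are simplified constructed views of the lsass.exe case, not real Volatility structures.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Vad:
    """Simplified VAD node: address range, protection and the mapped file (if file-backed)."""
    start: int
    end: int
    protection: str
    mapped_file: Optional[str] = None

@dataclass
class ProcessView:
    """What the analyst extracts for one process: PEB fields plus its VAD list."""
    name: str
    pid: int
    peb_image_path: str
    peb_image_base: int
    vads: List[Vad] = field(default_factory=list)

def vad_for(proc, address):
    """Return the VAD whose range covers address, or None."""
    return next((v for v in proc.vads if v.start <= address <= v.end), None)

def check_hollowing(proc):
    """Compare the PEB against the VAD tree; return a list of human-readable findings."""
    findings = []
    vad = vad_for(proc, proc.peb_image_base)
    if vad is None:
        findings.append(f"no VAD covers PEB image base {proc.peb_image_base:#x}")
    elif vad.mapped_file is None:
        findings.append(f"VAD at {proc.peb_image_base:#x} has no mapped file (image unmapped)")
    elif vad.mapped_file.lower() != proc.peb_image_path.lower():
        findings.append(f"PEB path {proc.peb_image_path} differs from VAD path {vad.mapped_file}")
    for v in proc.vads:                      # normally loaded images are PAGE_EXECUTE_WRITECOPY
        if v.protection == "PAGE_EXECUTE_READWRITE":
            findings.append(f"VAD {v.start:#x}-{v.end:#x} is PAGE_EXECUTE_READWRITE")
    return findings

def scan(processes):
    """Run the check over every process; returns {pid: findings}."""
    return {p.pid: check_hollowing(p) for p in processes}

# Constructed views modelled on the lsass.exe example above: pid 480 is the legitimate
# instance, pid 868 has had its image unmapped and replaced with an RWX region.
LSASS_PATH = r"C:\Windows\system32\lsass.exe"
SAMPLE = [
    ProcessView("lsass.exe", 480, LSASS_PATH, 0x01000000,
                [Vad(0x01000000, 0x01006FFF, "PAGE_EXECUTE_WRITECOPY", LSASS_PATH)]),
    ProcessView("lsass.exe", 868, LSASS_PATH, 0x01000000,
                [Vad(0x01000000, 0x01006FFF, "PAGE_EXECUTE_READWRITE", None)]),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE).items():
        print(pid, findings or "no discrepancy")
```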
Memory Analysis (ctd.)
Process Hiding
• Main technique used by rootkits to escape detection
• Various hiding techniques exist, e.g.:
  • renaming the process to something that looks like a Windows process
  • hiding or masquerading as a service run through svchost.exe
  • hiding in a crowded directory (e.g. dev or Windows system directories)
• Direct Kernel Object Modification (DKOM) is a common hiding technique used in many rootkits
Memory Analysis (cont.)
Process Hiding with DKOM
• The Windows kernel uses EPROCESS structures to handle processes.
• Each structure has the process ID (PID) and two links: Flink (forward link) and Blink (backward link).
• All processes in a Windows system refer to each other via these pointers.
Memory Analysis (cont.)
Process Hiding with DKOM (cont.)
• Processes make up a doubly linked list used by tools such as taskmgr.exe (Task Manager)
Memory Analysis (cont.)
Process Hiding with DKOM (cont.)
• The DKOM technique hides a process by unlinking its own process links and linking the previous and next processes directly to each other.
• When modifying the malicious process' ActiveProcessLinks entry, its Blink and Flink are modified to refer to its own structure.
Memory Analysis (ctd.)
Hidden Process Detection
• E.g. Rootkit Detection using Volatility (psxview)

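An added Python simulation (not from the slides) of why cross-view detection works: the ActiveProcessLinks list is modelled as a circular doubly linked list, one entry is unlinked the way the DKOM description above says, and a psxview-style comparison of the list walk against a scan of all allocated objects recovers the hidden PID. The names and PIDs are constructed.

```python
class EProcess:
    """Simplified stand-in for _EPROCESS: only the fields needed for the list walk."""
    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.flink = self.blink = self   # ActiveProcessLinks, self-referential until linked

def link_processes(head, procs):
    """Build the circular doubly linked list: head <-> p1 <-> p2 ... <-> pN <-> head."""
    prev = head
    for p in procs:
        prev.flink, p.blink = p, prev
        prev = p
    prev.flink, head.blink = head, prev

def dkom_unlink(p):
    """What a DKOM rootkit leaves behind: neighbours point past p, p's links point to itself."""
    p.blink.flink, p.flink.blink = p.flink, p.blink
    p.flink = p.blink = p

def walk_active_process_list(head):
    """What pslist/Task Manager see: follow Flink from the list head until it wraps around."""
    seen, node = [], head.flink
    while node is not head:
        seen.append(node.pid)
        node = node.flink
    return seen

def scan_pool(pool):
    """What psscan sees: every EPROCESS object still allocated, regardless of its links."""
    return [p.pid for p in pool]

def cross_view(head, pool):
    """psxview-style comparison: PIDs found by scanning but absent from the list walk."""
    return sorted(set(scan_pool(pool)) - set(walk_active_process_list(head)))

def build_sample():
    """Constructed process set (hypothetical PIDs); PID 1337 is unlinked the DKOM way."""
    head = EProcess(None, "PsActiveProcessHead")
    pool = [EProcess(4, "System"), EProcess(252, "smss.exe"), EProcess(464, "services.exe"),
            EProcess(1337, "hidden.exe"), EProcess(612, "svchost.exe")]
    link_processes(head, pool)
    dkom_unlink(pool[3])
    return head, pool

if __name__ == "__main__":
    head, pool = build_sample()
    print("list walk:", walk_active_process_list(head))
    print("pool scan:", scan_pool(pool))
    print("hidden:   ", cross_view(head, pool))
```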
Windows Registry
• A critical part of any Windows OS: a hierarchical database containing configuration information about:
  • system hardware;
  • installed software (programs);
  • property settings;
  • a profile for each user, etc.
• The OS uses instructions stored in the registry to determine how installed hardware and software should function
  • e.g. typical software comes with a Windows installer that writes to the registry during deployment
Windows Registry (cont.)
• Opening the Windows Registry
  • Type 'regedit' in a cmd window
• The Registry comprises 5 to 7 hierarchical folders – hives.
• Folder names start with HKEY – Handle to a Key.
Windows Registry (cont.)
Registry Structure
• Similar structure to the Windows directory/subdirectory structure
• Structured into root keys, subkeys, and sub-subkeys, which have values
Windows Registry (cont.)
• Information (i.e. potential evidence) that resides in the Registry makes it a significant forensics resource
• Information that can be found in the registry includes:
  • startup (boot-time) applications
  • logs of computers that have communicated with the host
  • downloaded files/programs, e.g. wiping programs to destroy evidence
  • auto-complete Internet Explorer passwords
  • users and the time they last used the system
  • most recently used software
  • any devices mounted to the system, including unique identifiers of flash drives, hard drives, phones, tablets, etc.
  • when the system connected to a specific wireless access point
  • what files were accessed and when
  • a list of any searches done on the system (web sites visited and typed URLs)
Windows Registry – Sample Keys (cont.)
• A handful of Registry entries control the applications and services that run at startup, e.g.:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

• The following Registry keys can control automatic startup of services during boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Registry – Sample Keys (cont.)
• The following Registry keys can be used to set startup folder items for persistence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

• Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Windows Registry – Sample Keys (cont.)
• The Winlogon key controls actions that occur when a user logs on to a
computer running Windows. The following keys can automatically
launch programs:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

• Programs listed in the load value of the following registry keys run
when any user logs on:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
