We’ll get started at 19:05

memory forensics

comp6445 week07

house keeping

  • investigation
  • report feedback

investigation

device last used: 27/07/2021 (check the timeline feature in autopsy)
file system used: HFS+ (check the partition table)
who owns device: Joan Sally Smith (bunch of stuff in the user account directory)
are you certain: no (you can never be)
fs version: HFS+ 4 (volume header section contains HFSPlusVolumeHeader)

harder questions

user’s password: PaSsWoRd (crack the keychain with johntheripper)
hidden passwords: bobbytables (header of /…/Document/agocbaqa0h341)
                  correcthorsebatterystaple (in the file /…/Document/gpj.10mhk4pc3paw0)
secrets in keychain: SuperSecret:IShouldBeUsingMFAIn2021 (chainbreaker with user’s password)

report feedback

Report AVG: 74.85%
Reflection AVG: 61.88%
Overall: 71.11%

findings

84%

  • Terry editing receipts
  • Terry selling customer equipment
  • Charlie extorting SWExpert
  • Charlie selling secrets to project2400

additional findings

You had to find one of the following

  • CCleaner
  • Terry’s keylogger
  • Cygnus hex editor
  • Prefetch files for the image editor

style

78%

Just a checklist

  • Qualifications of the investigator
  • Declaration
  • Hashes of the files
  • Instructions provided
  • Tools used (with versions)

explaining the evidence

74%

  • If you mention something, explain it
    • e.g. a tool: what is autopsy, what does it do??
    • e.g. a concept: what is a hash, or hex??!?
  • A layperson should be able to understand the report (e.g. the jury, a judge, etc)
  • Don’t make assumptions before you give evidence
  • Explain your findings, don’t make conclusions until the end

screenshots

72%

  • some people didn’t include any, which is brave
  • if there’s something important in the screenshot, highlight it
  • include screenshots in the investigation section, not just the appendix
  • the images should link to what you’re talking about
  • if you’re attaching images, or files, include their hashes, locations, paths, etc

structure

68%

  • separate different “findings” into sections, don’t just have everything in one big blob
  • label things: number each paragraph/attachment so you can reference them later
  • tables are fantastic & make it really easy to follow
  • make my viewing experience pleasurable pls and ty

conclusion

57%

  • reference the specific evidence in your conclusion
  • actually answer the question from the instructions
  • really important, it shouldn’t be 50 words.
  • You should be giving your opinion on what you think happened, don’t necessarily place blame (unless you can be sure a certain party did it)

reflection part a

68%

  • The evidence asked for was generally okay, but the justifications for it were generally a bit weak
  • what would you do with the evidence
  • how would this evidence strengthen your case?
  • be specific!

reflection part b

55%

  • the questions should be questioning the integrity of the report, not you as a person
  • don’t give soft-ball questions (“damn why this report so good”), you should be attacking your report, finding holes in it
  • reference things discussed in the lectures (only using one tool, lack of evidence)

overall

the report should be a story

walkthrough

anyone want to volunteer?

discussion

  • any questions about the second report?
  • if not, anyone want to play gartic phone?

memory forensics

what is it?

  • investigating a dump of the RAM from a computer system

when is this useful

  • there’s a lot you can’t get from a hard disk image
    • if/when a program was executed
    • how it was executed (arguments, lifespan)
  • some malware never touches the disk

fileless malware

  • even if it never touches disk, at some point, it has to be in memory
  • process hollowing: when a legitimate process is started suspended and its executable memory is replaced with malicious code before it resumes
  • this can bypass simple AVs which ignore whitelisted/trusted services

read more here and here

what could you find in memory?

  • recently executed commands
  • running processes, and their code/DLLs
  • drivers & daemons
  • passwords, security keys, security information

collecting memory dumps

  • RAM is volatile, you can’t capture it after the computer is shut down
  • it can be hard to collect when it’s live (you don’t want to change the machine’s state)

when could collecting memory be difficult?

  • if the data is stored in a datacenter/cloud provider
    • how would you collect it?

what processes are sus ඞ

obfuscate names/paths (drop some malware in a system location and give it a legitimate name)

misspelled versions of proper system processes

proper system names in wrong location

duplicate processes that should only spawn once

processes that have a parent they shouldn’t

system processes with start time much later in life

system processes running under a user account
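The heuristics above can be applied mechanically to a process listing before looking at anything by hand. The script below is an added example, not part of the lecture notes or of Volatility: it takes rows in the shape of a windows.pslist listing (with the image path and user that you would pull from other plugins) and reports every process that trips one of the rules. The baseline of parents, paths, users and singleton-ness is an assumption for a generic Windows install and the sample rows are constructed, not taken from a real image.

```python
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str       # full image path, empty for the System pseudo-process
    user: str       # account the process runs as
    created: datetime

SYSTEM = "NT AUTHORITY\\SYSTEM"
SVC_USERS = {SYSTEM, "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
SYS32 = r"C:\Windows\System32"

# Assumed baseline for a few core Windows processes: where the image should live,
# who should have started it, which account it should run as, and whether more than
# one instance is normal. Tune per Windows version (e.g. per-user svchost on Win10).
BASELINE = {
    "smss.exe":     dict(dir=SYS32, parents={"System"},       users={SYSTEM},  singleton=True),
    "csrss.exe":    dict(dir=SYS32, parents={"smss.exe"},     users={SYSTEM},  singleton=False),
    "wininit.exe":  dict(dir=SYS32, parents={"smss.exe"},     users={SYSTEM},  singleton=True),
    "winlogon.exe": dict(dir=SYS32, parents={"smss.exe"},     users={SYSTEM},  singleton=False),
    "services.exe": dict(dir=SYS32, parents={"wininit.exe"},  users={SYSTEM},  singleton=True),
    "lsass.exe":    dict(dir=SYS32, parents={"wininit.exe"},  users={SYSTEM},  singleton=True),
    "svchost.exe":  dict(dir=SYS32, parents={"services.exe"}, users=SVC_USERS, singleton=False),
}

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(procs, late_after=timedelta(minutes=10)):
    """Return {pid: [reasons]} for every process that trips at least one heuristic."""
    by_pid = {p.pid: p for p in procs}
    boot = min(p.created for p in procs)          # System is the earliest process
    counts = {}
    for p in procs:
        counts[p.name.lower()] = counts.get(p.name.lower(), 0) + 1
    findings = {}
    for p in procs:
        name, reasons = p.name.lower(), []
        rule = BASELINE.get(name)
        if rule is None:
            # misspelled versions of proper system processes (scvhost, lsasss, ...)
            reasons = [f"name looks like {real}" for real in BASELINE
                       if edit_distance(name, real) <= 2]
            if reasons:
                findings[p.pid] = reasons
            continue
        if ntpath.dirname(p.path).lower() != rule["dir"].lower():
            reasons.append(f"wrong location: {p.path}")          # proper name, wrong path
        if rule["singleton"] and counts[name] > 1:
            reasons.append("duplicate of a process that should only run once")
        parent = by_pid.get(p.ppid)   # parent may have exited (e.g. smss), so skip if absent
        if parent is not None and parent.name.lower() not in {x.lower() for x in rule["parents"]}:
            reasons.append(f"unexpected parent {parent.name} (pid {parent.pid})")
        if p.created - boot > late_after:
            reasons.append(f"started {p.created - boot} after boot")
        if p.user not in rule["users"]:
            reasons.append(f"running as {p.user}")
        if reasons:
            findings[p.pid] = reasons
    return findings

BOOT = datetime(2021, 7, 27, 9, 0, 0)
SAMPLE = [  # constructed listing, not from a real memory image
    Proc(4,    0,   "System",       "",                        SYSTEM, BOOT),
    Proc(300,  4,   "smss.exe",     SYS32 + r"\smss.exe",      SYSTEM, BOOT + timedelta(seconds=1)),
    Proc(400,  300, "csrss.exe",    SYS32 + r"\csrss.exe",     SYSTEM, BOOT + timedelta(seconds=2)),
    Proc(500,  300, "wininit.exe",  SYS32 + r"\wininit.exe",   SYSTEM, BOOT + timedelta(seconds=2)),
    Proc(600,  500, "services.exe", SYS32 + r"\services.exe",  SYSTEM, BOOT + timedelta(seconds=3)),
    Proc(650,  500, "lsass.exe",    SYS32 + r"\lsass.exe",     SYSTEM, BOOT + timedelta(seconds=3)),
    Proc(700,  600, "svchost.exe",  SYS32 + r"\svchost.exe",   SYSTEM, BOOT + timedelta(seconds=5)),
    # the three rows below are the planted oddities
    Proc(900,  700, "lsass.exe",    r"C:\Users\joan\AppData\Local\Temp\lsass.exe", "CORP\\joan",
         BOOT + timedelta(hours=3)),
    Proc(950,  900, "scvhost.exe",  SYS32 + r"\scvhost.exe",   SYSTEM, BOOT + timedelta(hours=3, seconds=1)),
    Proc(1000, 600, "svchost.exe",  r"C:\Windows\Temp\svchost.exe", SYSTEM, BOOT + timedelta(seconds=6)),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, *reasons, sep="\n    ")
```

Note that the duplicate rule flags both lsass.exe instances, the real one included: the heuristic can only say that two exist, and it is the other reasons (path, parent, user, start time) that tell you which one to dump with windows.memmap and look at.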

volatility

cause RAM is volatile lol

list all the processes

  • windows.pstree
    • get processes tree (not hidden)
  • windows.pslist
    • get process list (EPROCESS)
  • windows.psscan
    • get hidden process list (e.g. malware)

dumping a process

  • windows.dumpfiles --pid <PID>
    • get the executable & DLLs
  • windows.memmap --dump --pid <PID>
    • get all memory resident pages
  • windows.dllist --pid <PID>
    • list the DLLs used by a process

see how a process was started

  • windows.cmdline
    • shows the arguments used for the process
  • windows.envars [--pid <pid>]
    • display process environment variables
  • windows.handles --pid <pid>
    • show files, threads, etc a process has opened

registries

  • windows.registry.hivescan
    • pool-scan the image for registry hive objects
  • windows.registry.hivelist
    • list the hives loaded in memory with their virtual offsets
  • windows.registry.printkey -K "Path\To\Key"
    • print the subkeys and values under a key

viewing files

  • windows.filescan
    • scan the image for file objects (files that were open in memory)
  • windows.dumpfiles
    • dump cached file contents from the image
  • windows.dumpfiles --virtaddr <o>
    • dump the file object at that virtual address (taken from filescan)
  • windows.dumpfiles --physaddr <o>
    • same, but addressing the file object by physical address

networking

  • windows.netscan
    • scan for network objects (connections & listeners, with the owning PID)
  • windows.netstat
    • walk the kernel’s network tracking structures for active connections

pattern match strings

  • windows.strings --strings-file ./strings_file
    • map strings found by the strings tool to the process (or kernel) that owns them
  • windows.vadyarascan --yara-rules "https://" --pid <PIDS>
    • scan a process’s VAD regions with yara rules
  • yarascan.YaraScan --yara-rules <R>
    • scan the whole memory image with yara rules

dumping hashes

  • windows.hashdump
    • grab common windows hashes (SAM+SYSTEM)
  • windows.cachedump
    • grab domain cache hashes inside the registry
  • windows.lsadump
    • grab lsa secrets

reference list

  • command list can be found here
  • some other stuff

Demo

another stolen challenge

can you find Rick’s password?

Tutorial

finally, another investigation