Memory Dump Analysis or RAM forensics, What is it?
A memory dump is a snapshot of a computer's RAM (random access memory) at a specific point in time, capturing the state of the system, including running processes, loaded drivers, open files, and other data in memory. Memory dumps are often used for debugging, forensic analysis, and diagnosing system crashes or security incidents.
Tools used to take memory dump:
For windows:
- Dumpit
- FTK imager, It is used for drive forensics, but can also allow you to take memory dump.
For linux:
- LiME( linux memory extractor)
- AVML
Tools will be useful in memory analysis:
- Volatility
- MimiKatz tool
- Intezer Analyze
- Git repo for memory dump samples
Taking Memory dump in Kali Linux:
AVML is straightforward and efficient for capturing memory in forensic investigations on Linux systems. First, open your terminal in Kali Linux and enter the command.
To download avml:
> wget https://github.com/microsoft/avml/releases/latest/download/avml
After downloading, the binary file needs to be made executable. You can do this with the chmod command:
> chmod +x avml
To ensure that the file has been downloaded and is executable, you can list the file details:
> ls -lh avml
You should see the avml file with the appropriate permissions (e.g., -rwxr-xr-x).
Take the Memory Dump:
> sudo ./avml /path/to/memory_dump.raw
Replace '/path/to/memory_dump.raw' with the location where you want to save the memory dump.
Verify the Memory Dump : > ls -lh /home/kali/memory_dump.raw
*Guide : *
Root Privileges: Memory dumping requires root access, so make sure to use sudo when running the command.
Storage Consideration: The memory dump file size will be approximately equal to the size of your system's RAM. For example, if your system has 8GB of RAM, the dump file will likely be close to 8GB. Ensure you have enough storage space available at the target location.
Safe Analysis Practices: Always analyze the memory dump on a different device, ideally within a sandboxed environment, to avoid contaminating the original system. Encrypt the dump file when transferring it to maintain its integrity and security.
Familiarity with the OS: When analyzing the memory dump, having a good understanding of common processes for that specific operating system is beneficial. This knowledge helps you quickly identify any suspicious processes that might be running on the system.
How to Encrypt the Memory dump:
Step 1: Generate a GPG Key (if you don’t have one)
> gpg --full-generate-key
Run the command, and follow the prompts to generate your key.
Step 2: To Encrypt the memory dump using GPG Passphrase:
> gpg --encrypt --recipient YourEmail@example.com /path/to/memory_dump.raw
Enter your email ID used in GPG passphrase, and location where the memory dump is stored. This can only encrypt the files, not directories. this will create a encrypted memory dump file, you can delete the original one, if you wants to.
Step 3: Decrypt the Memory Dump (When Needed):
> gpg --decrypt /path/to/memory_dump.raw.gpg > /path/to/decrypted_memory_dump.raw
Replace '/path/to/memory_dump.raw.gpg' with the location where the encrypted memory dump file is. and Replace '/path/to/decrypted_memory_dump.raw' with the file where you want the output of encrypted file to be written. Enter the passphrase or private key as prompted.
Keep the passphrase or private key secure and do not share it with unauthorized users.
Store a copy of the encrypted file in a secure location to ensure data integrity.
Memory Dump Analysis:
Volatility is a command line tool, a popular open-source framework used for analyzing memory dumps. It also has a GUI version, Its called Volatility workbench. The command line tool is more comprehensive, so we gonna learn that. we are using Volatility version 3 here:
Installing Volatility:
Update the system:
> sudo apt update
Install dependencies:
> sudo apt install python3 python3-pip git
Clone the Volatility 3 repository:
> git clone https://github.com/volatilityfoundation/volatility3.git
Navigate to the Volatility 3 directory:
> cd volatility3
Install Python dependencies:
> pip3 install -r requirements.txt
Run Volatility 3:
> python3 vol.py -h
Volatility Tool provides different commands (or "plugins") to analyze memory dumps from various operating systems (OS). The choice of command depends on the OS of the memory dump and the specific analysis you want to perform. You can see that from the output of the last command : > python3 vol.py -h
Syntax :
> python3 vol.py -f <memory_dump_file> <plugin_name>
Volatility Commands:
To get the list of all processes, for that there are two commands or plugins: linux.pslist.PsList and linux.psscan.PsScan
here's the difference:
linux.pslist.PsList : is faster and more accurate for identifying active, linked processes but can miss hidden or terminated processes.
linux.psscan.PsScan : is more thorough and can detect hidden or terminated processes, but it may include false positives and is slower. well, both commands can be used together to ensure comprehensive process enumeration in a memory dump.
Make sure you are in volatility3 dir:> cd /path/to/volatility3
> python3 vol.py -f /home/kalikali/memory_dump.raw linux.pslist
If you're Encountering the same problem like me..
That actually due to the absence of symbol file for your Linux kernel version.
A symbol file in memory forensics is like a map or guide that helps tools like Volatility understand the structure of the operating system's memory. It contains information about functions, variables, and data structures used by the operating system. When analyzing a memory dump, the symbol file helps the tool accurately interpret the raw data, making it possible to identify processes, network connections, and other key details. Without the correct symbol file, the analysis might fail or give incorrect results.
I spent a lot of the time looking for the solution, but I couldn't resolved it. well but I noticed that the windows plugins works perfectly, if you want to analyze windows memory dump. For now, In the article, we will learn how to analyze Windows memory dumps. Then, I will also cover what to do with Linux memory dumps"
Analyzing Windows Memory dump:
If you need memory dump sample, download from here: Memory Dump Sample (Windows)
windows.info
> python3 vol.py -f /path/to/memory_dump.raw windows.info
This plugin (info) extracts basic information about the Windows operating system in the memory dump, such as the version of Windows, the architecture (32-bit or 64-bit), the Service Pack version, and other OS-related details.
Run the command to get the list of all processes:
> python3 vol.py -f /path/to/memory_dump.raw windows.pslist
or
> python3 vol.py -f /path/to/memory_dump.raw windows.psscan
Redirect the output of a plugin to a file for further analysis:
> python3 vol.py -f /path/to/memory_dump.raw windows.pslist > processes.txt
windows.pslist shows active processes in the official list, while windows.psscan is more thorough and can detect both active and hidden/terminated processes.
windows.filescan
To get the list of all open files:
> python3 vol.py -f /path/to/memory_dump.raw windows.filescan
To get the list of files with specific extension or word in it:
> python3 vol.py -f /path/to/memory_dump.raw windows.filescan | grep .kdbs
It will search for files in memory dump with extension .kdbs
A .kdbs file is a database file format associated with the KeePass password manager. It contains passwords, usernames, URLs, and other sensitive information. Users can organize this information into groups and subgroups. To access the contents of a .kdbx file, you need to provide a master password, key file, or both. This adds an extra layer of security. you can open a .kdbx file on different operating systems using compatible KeePass versions or other compatible password managers.
> python3 vol.py -f /path/to/memory_dump.raw windows.filescan | grep -i password
search for any file-related structures in a memory dump that might contain the word "password" in their names or paths.
windows.filescan plugin, scans the specified memory dump for file-related structures, helping to identify open files, file handles, or even files that might have been hidden or unlinked by malware.
windows.dumpfiles
Extracting any file from Memory Image.
> python3 vol.py -f /path/to/memory_dump.raw -o /output/directory windows.dumpfiles --physaddr 0xADDRESS
Replace '/output/directory' with the location where you want to save the file. And replace '0xADDRESS' with the physical memory address of the file.
windows.malfind
To detect hidden or injected processes that could be malicious:
> python3 vol.py -f /path/to/memory_dump.raw windows.malfind
windows.dlllist
lists all the Dynamic Link Libraries (DLLs) loaded into the address space of each process in the Windows memory dump.
> python3 vol.py -f /path/to/memory_dump.raw windows.dlllist
windows.pstree
displays the running processes in a hierarchical tree format, illustrating parent-child relationships between processes.
> python3 vol.py -f /path/to/memory_dump.raw windows.pstree
windows.cmdline
retrieves the command-line arguments used to start each process.
> python3 vol.py -f /path/to/memory_dump.raw windows.cmdline
windows.netstat
lists active network connections and listening ports found in the memory dump.
> python3 vol.py -f /path/to/memory_dump.raw windows.netstat
windows.memmap
Dumps entire processes from memory. This includes everything associated with the process: executable code, loaded dynamic link libraries (DLLs), stack, heap, and other memory-mapped files.
> python3 vol.py -f "/path/to/file" -o "/path/to/dir" windows.memmap --dump --pid <PID>
dumps the memory pages of a process.
Difference:
- windows.memmap: Dumps entire process memory, used for extracting the full memory space of running processes.
- windows.dumpfiles: Extracts specific files from memory (e.g., files loaded in the page cache or mapped into memory).
That were some basic commands, I have a lot more to discuss with you.
I use volatility2 more often then volatility3
I use both volatility 2 and volatility 3 and I think volatility2 is better than volatility 3, it has more plugins, and gives more organized output.
Some useful commands in volatility 2:
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> psscan
to get the list of all processes, even hidden or terminated once.
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> cmdscan
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> consoles
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> cmdline
The cmdscan plugin extracts and displays command-line entries from the Windows registry, the cmdline plugin retrieves command-line arguments from running processes, and the console plugin captures and analyzes console (command prompt) history and output from memory.
clipboard
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> clipboard
The clipboard plugin extracts and displays the contents of the clipboard from memory, including any text or data stored there during the system's runtime. the clipboard is where copy and paste information is temporarily stored. In Windows, clipboard data is managed by the operating system and is typically stored in memory.
screenshot
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> screenshot -D <location_to save_screenshots>
To capture all the screenshots from memory dump. look at the screenshots carefully, look which application is opened, any string shown, any hash value. if you find any string, search it in memory dump, using string command:
> strings <memory dump> | grep -i "string_or_word"
Environment variables
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> envars
To view environmental variables.
Browser History
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> filescan | grep -i history
To view browser History file. download history file using dumpfiles plugin.
filescan with specific extensions
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> filescan | grep -E "\.(rar|png|jpeg|txt)$"
search files of specific extensions at onces.
hashdump
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> hashdump
get the NTLM hash value of all user's password
Practice Labs will help you better understand.
Resources & Labs:
volatility cheatsheet both vol2 & vol3
Linux Memory Dump Sample
Windows Memory Dump Sample
Labs:
Solutions of these labs are available online.
Linux Memory Dump:
I downloaded both volatility 2 and volatility 3 on Kali linux. For analyzing Windows memory dump, it works smoothly, following a simple process. For analyzing windows memory dump, you don't need to install any symbol table( In volatility 3) or no need to create profile (In volatility 2), It already has all necessary files for windows. But for analyzing Linux memory dump, I couldn't found the solution. Looking for different memory analysis tools, shifting to different VM . It didn't work out. I was trying my last attempt to solve this problem , I was using ubuntu VM its Ubuntu 2023.10.1 and I watched a video for how to setup volatility 2, the video link: Memory Forensics
I followed exactly as it mentioned in the video, but when I run the command to look for imageinfo it stucks, I waited for more than 1 hour and still no response.
determining profile based on KDBG searc......
On the Internet, user saying that sometimes it takes time, about 30 mins to 2 hours. I'll say if you want to practice linux memory dump analysis, solve labs related to linux.
Top comments (0)