Memory Forensics in Incident Response

Question 1

When did the change from rudimentary string searching to recovering process information in memory forensics?

Answer 1

The DFRWS 2005 challenge.

Question 2

At what event did many professionals agree that “pulling the plug” is no longer acceptable?

Answer 2

The SANS Forensics Summit in 2008. (p8)

Question 3

Why do some guides still recommend pulling the plug instead of performing memory forensics?

Answer 3

A lot of the guides are distributed to people with absolutely no computer training (law enforcement).

Question 4

Why are memory forensics important?

Answer 4

Nearly everything of interest traverses RAM.

Question 5

Why is memory becoming less volatile and more like a secondary file system?

Answer 5

It’s becoming larger.

Question 6

What are volatile registry keys?

Answer 6

Registry keys that can be updated and only survive in memory.

Question 7

p12 needed?

Answer 7

?

Question 8

What is \Device\PhysicalMemory?

Answer 8

A handle in the Windows filesystem that, prior to Windows 2003 SP1, could be used to address and copy physical memory.

Question 9

When did \Device\PhysicalMemory go away?

Answer 9

Windows 2003 SP1

Question 10

What is HIPS?

Answer 10

Host Intrusion Protection Software

Question 11

When do Windows drivers have to be signed?

Answer 11

64 bit systems

Question 12

How do you access physical memory on Windows systems?

Answer 12

Pre 2003 SP1, \Devices\PhysicalMemory. Post 2003 SP1 requires a driver.

Question 13

What is WinPMEM?

Answer 13

A memory dumping tool for Windows. It allows read only or read write access.

Question 14

What is Redline?

Answer 14

A tool that is used for Windows memory analysis. Can also perform live memory analysis.

Question 15

How can you perform memory analysis on a system that’s already been shut down?

Answer 15

Copies of ram that are automatically created, like hibernation files in Windows. Crash dump files as well.

Question 16

What is the filename that Windows uses to create a copy of memory when the system goes into hibernation?

Answer 16

hiberfil.sys

Question 17

What portions of memory are included in hiberfil.sys?

Answer 17

Everything. It’s a complete copy.

Question 18

What is a Windows crash dump file named?

Answer 18

memory.dmp in %WINDIR%. If it’s a full crash dump, it’ll be a complete copy of memory. (See footnotes on p14)

Question 19

Why is analysis of chat applications difficult?

Answer 19

Many don’t log communications to disk, so the only place to find the information may be in memory.

Question 20

What is DumpIt?

Answer 20

A simple memory dumping tool from MoonSols that dumps memory from 32 or 64 bit Windows systems to the curent working directory.

Question 21

Where’s the best place to run DumpIt.exe?

Answer 21

A large capacity thumb drive, because it dumpts to CWD.

Question 22

What does DumpIt cost?

Answer 22

It’s free.

Question 23

How is memory usually stored on disk with virtualization products?

Answer 23

It’s often a raw copy of memory, so can be analyzed with standard memory analysis tools.

Question 24

In which virtualization products is the on-disk memory image a copy of raw memory?

Answer 24

VMWare, Microsoft Server 2008 Hyper-V, and Parallels.

Question 25

How is the on-disk memory image for VirtualBox different from most other virtualization products?

Answer 25

It only holds memory in use, not a complete image of memory. (16)

Question 26

What is the fallback plan to analyze memory on a virtual machine if the on-disk image analysis won’t work?

Answer 26

Run a memory acquisition tool within the virtual guest.

Question 27

What product can be used to analyze virtualization product memory?

Answer 27

Volatility

Question 28

What are the common file suffixed for virtual memory files?

Answer 28

.vmem - VMware raw memory
.vmss - VMware contains memory image
.vmsn - VMware contains memory image
.bin - Microsoft Hyper-v memory image
.vsv - Microsoft Hyper-v save state
.mem - Parallels raw memory image
.sav - VirtualBox partial memory image
(16)

Question 29

Where are memory images found?

Answer 29

p16.

Question 30

Rajid Mitra case

Answer 30

p18

Question 31

What is hiberfil.sys?

Answer 31

A Windows hibernation file a compressed copy of RAM at the time of hibernation.

Question 32

How can you decompress hiberfil.sys?

Answer 32

Volatility’s imagecopy or MoonSols hibr2bin.exe

Question 33

What files can analyze Windows hibernation files natively?

Answer 33

BulkExtractor
Magnet Forensics Internet Evidence Finder
Volatility
Belkasoft Evidence Center

Question 34

What windows command line tool manages hibernation files?

Answer 34

powercfg.exe (review the options p 20)

Question 35

What is memory forensics?

Answer 35

Study of data captured from memory of a target system, including RAM and virtual memory.

Question 36

How is memory analysis different from traditional media forensics?

Answer 36

• Data is a snapshot in time, with dramatic changes possible moment to moment
• Complicated to establish context because there’s more information than just files and directories
• Data is formatted for execution, not to be extracted and understood, so analysis is more complicated.

Question 37

How is memory analysis similar to media forensics?

Answer 37

• Still requires forensically clean procedure
• Still requires putting memory in context, but memory has a more complicated architecture than disk filesystems.
• Still requires analyzing the raw results to understand what the data means

Question 38

Why is forensic capture of memory more complicated than of media?

Answer 38

Executing a program to capture memory modifies memory.

Question 39

What is the KDBG?

Answer 39

Kernel Debugger Datablock (lots more on p.24)

Question 40

What are the three traditional malware detection methods?

Answer 40

Signature, contradiction, heuristic/behavioral (26)

Question 41

What are the processes to find the first hit in memory analysis?

Answer 41

1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review network artifacts
4. Look for evidence of code injection
5. Check for rootkit signature
6. Dump suspicious processes and drivers

Question 42

Redline

Answer 42

p. 27-

Question 43

EPROCESS blocks

Answer 43

p. 35-

Question 44

Analyzing processes

Answer 44

p. 37

Question 45

How does Redline identify rogue processes?

Answer 45

p. 40-

Question 46

What is MRI?

Answer 46

Malware Risk Index. (42)

Question 47

What are the two components in MRI?

Answer 47

1. Behavior rule set

2. Verification of digital signatures

Question 48

What are the three types of rules in the behavior rule set?

Answer 48

1. Process path verification
2. Process user verification
3. Process Handle Inspection (does a process like svchost have a handle to cmd.exe?)
4. DLL load order issues (evidence of DLL hijacking)

Question 49

What is required for Redline digital signature checking?

Answer 49

It can only be done in live memory analysis.

Question 50

What other things does Redline check for?

Answer 50

1) Unmapped processes
2) Processes started by command shell
3) DLL load order/hijacking
4) Expected command line arguments

Question 51

Redline heirarchical process view?

Answer 51

p48

Question 52

HBGary Responder product?

Answer 52

p48

Question 53

What things should you check all processes for?

Answer 53

1) Correct image/executable names
2) Correct file location (path)
3) Correct parent process
4) Correct command line and parameters
5) Start time information
6) Security identifies (SID)

Question 54

What is the Windows per-process limit on kernel handles?

Answer 54

2^24 (52)

Question 55

What is a handle in windows?

Answer 55

A pointer to a resource such a file directory registry key, mutex or semaphore, or event.

Question 56

What are the components of a process in Windows?

Answer 56

DLLs, handles, threads, memory sections sockets.

Question 57

What is a VAD?

Answer 57

In Windows, it’s a Virtual Address Descriptor tree and maintains a list of assigned memory sections.

Question 58

What is a socket?

Answer 58

A network connection endpoint.

Question 59

What process does Conflicker/Kido inject itself into?

Answer 59

svchost.exe

Question 60

How can you detect Conflicker/Kido?

Answer 60

Only by looking at process objects. Because it uses injection into svchost.exe, SID, launch time, path, and parent process are normal.

Question 61

What is Least Frequency of Occurrence?

Answer 61

The principle that anything related to malware should be uncommon on a system or enterprise. Sorting a list based on occurrences and looking at the least frequently occuring items can be useful. (56)

Question 62

If an object appears in one process, what does that mean?

Answer 62

It might be a sign of malice, but not always. There are legitimate objects that only appear in one windows process.

Question 63

How many signatures does Redline ship with?

Answer 63

Less than 50, but you can create your own.

Question 64

Poison Ivy Remote Access tool?

Answer 64

(62)

Question 65

Creating redline signatures?

Answer 65

(62)

Question 66

List network artifacts

Answer 66

• suspicious ports
• suspicious connections
• suspicious processes (should it be communicating over the network at all?)

Question 67

What are some examples of unusual network behavior?

Answer 67

A non-browser communicating over port 80/443/8080
A browser communicating over a port other than 80/443/8080.
Connections to unexplained IP addresses
Web requests directly to an IP
RDP connections (3389) particularly from odd IPs.
DNS requests for unusual names

Question 68

How are RDP connections usually managed?

Answer 68

They’re usually routed through a VPN concentrator.

Question 69

What is TDL3/TDSS?

Answer 69

(69)

Question 70

Redline memory string analysis

Answer 70

(71)

Question 71

What things should you search for in memory?

Answer 71

Known bad IPs, domains, or filenames. http://, https://, ftp:/.

Question 72

Zeus

Answer 72

(71)

Question 73

How common is DLL injection in modern malware?

Answer 73

Very common.

Question 74

How does DLL injection work?

Answer 74

Allocate space in a running process, shove the DLL into it, create a new thread to load the DLL into the process.

or

Hook a process’s filter functions using SetWindowsHookEx().

Question 75

How do you load a DLL into a running process?

Answer 75

VirtualAllocEx()

CreateRemoteThread()

Question 76

What is the symptom of DLL injection?

Answer 76

An unnamed memory section containing executable code attached to a victim process.

Question 77

What is process hollowing?

Answer 77

Start a copy of a legitimate system process, pause the process, de-allocate some of the original code and replace it with malicious code.

Question 78

What is the advantage of process hollowing?

Answer 78

It retains the original executable’s process image name, path, and command line. Camouflage.

Question 79

How is a memory page marked executable?

Answer 79

Page_Execute_ReadWrite (72)

Question 80

What does it mean for a memory page to be unmapped?

Answer 80

It’s not backed by a file on disk.

Question 81

How do you identify process hollowing?

Answer 81

If the image binary is not backed by a file on disk (unmapped), it’s a strong indicator of process hollowing. (77)

Question 82

Zeus

Answer 82

(78-9)

Question 83

Stuxnet

Answer 83

(83-5)

Question 84

Process hollowing example

Answer 84

(83-5)

Question 85

Why have malware authors resorted to techniques like hiding in plain sight?

Answer 85

More advanced techniques like code injection are easy to find with memory analysis, and tools like Redline makes it easy.

Question 86

How do most rootkits work?

Answer 86

By hooking legitimate system functions and redirecting output.

Question 87

What is SSDT?

Answer 87

The System Service Descriptor Table (89)

Question 88

What is IDT?

Answer 88

(89)

Question 89

What is IAT?

Answer 89

(90)

Question 90

What is IRP?

Answer 90

(90)

Question 91

Storm/SSDT hooking

Answer 91

(91)

Question 92

Commonly hooked functions?

Answer 92

NtEnumerateKey
NtEnumerateValueKey
NtQueryDirectoryFile
(91(

Question 93

Why is it hard to identify malicious I/O Request Packet hooks?

Answer 93

There are so many legitimate hooks that have to be eliminated first. Lots of 3rd party drivers.

Question 94

What is a good method to identify malicious I/O Request Packet hooks?

Answer 94

Least Frequency of Occurrence. Most malware hooks sparingly and may hook functions that no or few other applications do.

Question 95

What is the Storm Worm?

Answer 95

A spam bot.

Question 96

How does Storm hide network activity?

Answer 96

It hooks IRP_MJ_DEVICE_CONTROL function within tcpip.sys.

Question 97

openports?

Answer 97

93

Question 98

What does a rootkit do?

Answer 98

It hides the existence of system object like processes, files, registry keys, and network artifacts.

Question 99

How do you dump a process in Redline?

Answer 99

Processes tab in Analysis Data Pane, double click the process of interest within the Table View pane and select MRI Report from the Full Detailed Information tabs at the bottom fo the window. That contains “Acquire Process Address Space”

Question 100

Where does Redline dump a process memory image?

Answer 100

By default %user profile%\AppData\Local\Temp\AgentAcquisition in a password protected zip archive (prevents AV quarantining)

Question 101

Driver aquisition

Answer 101

99

Question 102

What does \??\ indicate?

Answer 102

An “extended length path” in Windows. (99)

Question 103

What options exist for analyzing a process and drivers once they’ve been extracted?

Answer 103

• Scan for malware

* Study the assembly code (ugh…)

Question 104

What does virustotal.com do?

Answer 104

Scans a file with over 40 different AV engines.

Question 105

Is there a drawback to virustotal.com?

Answer 105

Anything you upload is public domain. A safer option is to upload a MD5 of the suspect file.

Question 106

List free, automated tools for examining extracted binaries.

Answer 106

Threat Expert and GFI Sandbox.

Question 107

What are the benefits of live memory analysis?

Answer 107

• Faster triage
• Includes the system pagefile
• More accurate heuristic matching
• Digital signature checks of process executables, DLLs, drivers with a known good whitelist
• Indicator of Compromise searches using pre-defined IOC files.

Question 108

Why is live analysis effective at defeating advanced malware?

Answer 108

It accesses physical memory, not relying on API calls, open handles, or debuggers.

Question 109

What is Shadow Walker?

Answer 109

Proof of concept code that pages itself out of memory when a memory acquisition tool is detected. (107)

Question 110

107 last para

Answer 110

x

Question 111

p 108-118

Answer 111

x

Question 112

What is Volatility?

Answer 112

A framework for performing digital investigations on Windows, Linux, and Mac memory images. (121)

Question 113

Where can you get Volatility?

Answer 113

It’s open source, from https://code.google.com/p/volatility/

Question 114

Where is the command reference for Volatility?

Answer 114

The Volatility wiki: https://code/google.com/p/volatility/wiki/CommandReference23 (for version 2.3)

Question 115

What is volatility written in ?

Answer 115

Python

Question 116

How do you execute Volatility?

Answer 116

vol.py -f [image] [plugin] –profile=[PROFILE]

Question 117

What are plugins for in volatility?

Answer 117

They tell the program what to do.

Question 118

What are profiles for in Volatility?

Answer 118

They specify which operating system version you’re analyzing.

Question 119

How can you pre set the memory image information in Volatility?

Answer 119

Use the VOLATILITY_LOCATION environment variable.

For example export VOLATILITY_LOCATION=file://(path)

Question 120

What Volatility plugin will determine what operating system a memory image came from?

Answer 120

imageinfo (p124)

Question 121

What flag in Volatility gives help?

Answer 121

-h

Question 122

Where do you find the Volatility options in the SANS books?

Answer 122

Book 2 p. 125.

Question 123

Where do you find the list of all volatility plugins in the SANS books?

Answer 123

Book 2, p. 126-9.

Question 124

What is Rekall?

Answer 124

A fork of Volatility that focuses on speed and performance.

Question 125

How do you execute Rekall?

Answer 125

rekall -f memory.img psscan (130)

Question 126

What is GRR?

Answer 126

Google Rapid Response (research this) p. 130.

Question 127

Which memory forensics tool requires an OS profile and which doesn’t?

Answer 127

Volatility does, Rekall doesn’t.

Question 128

Which memory forensics tool tends to lead in supporting OS versions out of Volatility and Rekall?

Answer 128

Rekall

Question 129

What is winpmem and osxpem?

Answer 129

p. 130

Question 130

Where can you get rekall?

Answer 130

https://code.google.com/p/rekall

Question 131

What does the imageinfo plugin do?

Answer 131

It’s a Volatility plugin that returns information like system date and time when the image was collected, KPCR, number of processors, operating system and service pack information.

Question 132

How can you speed up most Volatility plugins?

Answer 132

Give them the location of the KDBG using -g 0xADDRESS. Use imageinfo to get it.

Question 133

How do you find the KDBG address in Volatility?

Answer 133

imageinfo. Also the virtual address of the KdCopyDataBlock found via the kdbgscan plugin.

Question 134

What is imagecopy?

Answer 134

A volatility plugin that prepares non-standard memory images for analysis.

Question 135

What tool other than imagecopy can be used to convert hibernation images?

Answer 135

hibr2bin.exe (134)

Question 136

What are the parameters to Volatility’s imagecopy?

Answer 136

-f -O

Question 137

What Volatility plugins can be used to identify rogue processes?

Answer 137

pslist
psscan
pstree
pstotal

Question 138

Review Rogue Process plugins in Volatility

Answer 138

(138)

Question 139

What does Volatility’s pslist doe?

Answer 139

Print all running processes by following the EPROCESS linked list (even in LInux?)

Question 140

What are the important parameters of pslist?

Answer 140

-p (show information for specific process IDs)

Question 141

What does Volatility’s pslist provide for each process?

Answer 141

Virtual offset of EPROCESS block
Process name
Process ID (PID)
Parent Process ID
Number of threads
Number of handles
Process start time

Question 142

What limitation does pslist have?

Answer 142

Rootkits can unlink malicious processes from the linked list rendering them invisible (really? how do they run?)

Question 143

How can you identify a terminated process?

Answer 143

It should have zero handles and zero threads.

Question 144

Note: Finding a system process with a terminated parent is suspicious.

Answer 144

.

Question 145

What is psscan?

Answer 145

A Volatility plugin that scans physical memory for EPROCESS pool allocations.

Question 146

What important parameters does psscan have?

Answer 146

None.

Question 147

How does psscan differ from pslist?

Answer 147

Psscan scans memory rather than following the EPROCESS list, so it can find unlinked/hidden processes, and processes that are no longer running.

Question 148

What information does psscan provide?

Answer 148

Physical offset of EPROCESS block
Process name
Process ID
Parent Process ID
Page directory base offset (PDB)
Process start time
Process exit time

Question 149

What’s the difference between a physical memory offset and a virtual memory offset?

Answer 149

(143)

Question 150

What is -p for Volatility plugins?

Answer 150

Process ID

Question 151

What is -o usually used for in Volatility plugins?

Answer 151

Physical offset in memory

Question 152

What does a process appearing more than once in psscan results likely mean?

Answer 152

Just that it was moved around in physical memory.

Question 153

What is pstree?

Answer 153

A volatility plugin that displays the process list as a tree.

Question 154

What important parameters does pstree have?

Answer 154

-v for verbose information including image path and command line for each process.

Question 155

What limitation does pstree have?

Answer 155

It uses the EPROCESS linked list, so doesn’t show unlinked/hidden processes.

Question 156

What is pstree useful for?

Answer 156

Visually identifying malicious processes spawned by the wrong parent process.

Question 157

What information does pstree provide?

Answer 157

Virtual offset of EPROCESS block
Process name
PID
PPID
Number of threads
number of handles
process start time
(146)

Question 158

What is pstotal?

Answer 158

A Volatility plugin that scans physical memory for EPROCESS pool allocations and identifies hidden processes only found in psscan output.

Question 159

What important parameters does pstotal have?

Answer 159

• -output-file=OUTPUT FILE
• -output=dot for vector capable output
• c or –cmd to display command line including path

Question 160

What do the pstotal color outputs mean?

Answer 160

Red - Process is absent from pslist and has no exit time. Investigate.
Grey - Process is absent from pslist but has an exit timestamp. Probably just an exited process.
Light blue - Exit time is before the most recent boot. Probably leftover in memory image.
Dark blue - Exit time is after the most recent boot
Yellow - Indication of potential PID reuse.

Question 161

What should you check all processes for when trying to identify rogue processes?

Answer 161

Correct image/executable name
Correct file location (path)
Correct parent process
Correct command line and parameters
Correct start time information

Question 162

What Volatility plugins can be used for analyzing process objects?

Answer 162

dlllist
cmdline
getsids
handles
filescan
svcscan
cmdscan
consoles

Question 163

What is dlllist?

Answer 163

A Volatility plugin that displays loaded DLLs and the command line to start each process.

Question 164

What important parameters does dlllist have?

Answer 164

-p

Question 165

How can you get the base offset for a DLL?

Answer 165

Use the Volatility dlldump plugin.

Question 166

What is a PEB?

Answer 166

Process Environment Block (156)

Question 167

What does dlllist provide for each DLL?

Answer 167

Base offset
DLL size
DLL file path

Question 168

What plugin can provide more information about DLLs than dlllist?

Answer 168

ldrmodules (156, more)

Question 169

What is getsids?

Answer 169

A volatility plugin that displays Security IDentifiers for each process?

Question 170

What important parameters does dlllist have?

Answer 170

-p

Question 171

What is S-I-5-18?

Answer 171

The SID for LocalSystem (161)

Question 172

What is S-I-5-32-544?

Answer 172

The SID for Administrators

Question 173

What is S-I-1-0

Answer 173

The SID for Everyone

Question 174

What is S-I-5-11?

Answer 174

The SID for Authenticated Users

Question 175

What is S-I-16-16384

Answer 175

The SID for System Mandatory Level

Question 176

Read “How access tokens Work”

Answer 176

http://technet.microsoft.com/en-us/libraray/cc783557(v=ws.10).aspx

Question 177

What is S-I-5-32-546?

Answer 177

The SID for Guests

Question 178

What is S-I-5-32-545?

Answer 178

The SID for Users.

Question 179

SIDs are unique within…?

Answer 179

A Windows instance. Domain SIDs are unique throughout the enterprise.

Question 180

What are the three most popular SIDs?

Answer 180

LocalSystem, LocalService, NetworkService.

Question 181

What does the Volatility module handles do?

Answer 181

Prints a list of handles opened by a process

Question 182

What are the important parameters for the handles Volatility module?

Answer 182

• p PID (can comma separate multiple)

- t type (there are about a dozen on p 165.)

Question 183

What other Volatility module besides handles can be used for more rigorous searching of file handles and mutants?

Answer 183

mutantscan

Question 184

What does the Volatility svcscan module do?

Answer 184

Scans memory image for Windows service records, giving information on associated processes and drivers

Question 185

What are the important parameters for the svcscan Volatility module?

Answer 185

-v (show service DLL)

Question 186

What is a common persistence mechanism for malware?

Answer 186

Windows Service

Question 187

What should be considered suspicious if found using Volatility’s svcscan module?

Answer 187

SERVICE_AUTO_START entries should be examined.

Question 188

What is one method for finding malicious drivers?

Answer 188

Drivers can be loaded via a service, so can be found using Volatility’s svcscan module.

Question 189

What method can identify processes stopped by malware?

Answer 189

Volatility’s svcscan module.

Question 190

What capability does Volatility have that Redline doesn’t?

Answer 190

Enumeration of services

Question 191

What is a Windows Service?

Answer 191

A special type of process that is intended to be run in the background without user input.

Question 192

Windows Services canload…

Answer 192

…both process executables and drivers.

Question 193

What is the only memory analysis tool that can identify services?

Answer 193

Volatility.

Question 194

What information does svcscan provide?

Answer 194

Offset
Order
Start method (Disabled, System_Start, Boot_Start, Auto_Start, Demand_Start)
Process ID
Service Name
Display Name
Type (Process or driver)
State (Running or stopped)
Full path

Question 195

What does the -v option to svcscan do?

Answer 195

Identifies what DLL started a service by parsing the SYSTEM\CurrentControlSet\Services\Parameters\ServiceDLL registry key.

Question 196

Other than finding malicious services, what is important to do when reviewing the services that were running when a memory image was captured?

Answer 196

Also identify services which should be running, but which have been stopped.

Question 197

What services might malware stop?

Answer 197

Windows updates and antivirus. (170)

Question 198

What does SERVICE_AUTO_START indicate?

Answer 198

That a service will start on system boot.

Question 199

What is the wuaserv service?

Answer 199

(171)

Question 200

What are cmdscan and consoles?

Answer 200

Volatility modules that carve out full command histories and text console output from a memory image.

Question 201

What is csrss.exe?

Answer 201

173

Question 202

What is conhost.exe?

Answer 202

173

Question 203

How does cmdscan and consoles work?

Answer 203

By scanning the VAC tree of csrss.exe and conhost.exe, in particular the DOSKEY command history buffer kept by cmd.exe.

Question 204

How many entries does cmd.exe keep in its buffer by default?

Answer 204

50

Question 205

What structure does consoles look for?

Answer 205

CONSOLE_INFORMATION

Question 206

What is CONSOLE_INFORMATION?

Answer 206

A memory structurethat includes the console buffer, showing input and output those commands generated. It is parsed by the consoles Volatility plugin.

Question 207

What’s the difference between cmdscan and consoles?

Answer 207

Consoles only parses records from consoles active when memory was dumped. cmdscan can recover current and old remnants of command history buffers.

Question 208

What information does cmdscan provide?

Answer 208

Command process (where was history information found)
PID
CommandHistory (offset where history structure found)
(more on 174)

Question 209

What information does consoles provide?

Answer 209

175

Question 210

What process objects might provide a clue something is amiss?

Answer 210

DLLs, Handles, Services.

Question 211

What Volatility plugins provide network artifacts?

Answer 211

connections
connscan
sockets
sockscan
netscan

Question 212

What is notable about the network artifact plugins in Volatility?

Answer 212

They’re the only ones that are operating system dependent. Radical changes were made starting in Vista. With Vista or later netscan must be used.

Question 213

What do connections and connscan do?

Answer 213

They are Volatility plugins that identify network connections.

Question 214

What does the Volatility connections plugin do?

Answer 214

It wanks the TCP connections singly linked list to find active network connections when the memory image was taken.

Question 215

What does the Volatility connscan module do?

Answer 215

It takes a brute force approach scanning anything in memory that resembles a _TCPT_OBJECT and tries to parse it.

Question 216

What is a drawback of connscan?

Answer 216

It attempts to parse objects which might no longer be in use, and which might have been partially overwritten. The results can be incorrect.

Question 217

What information does the connscan and connections plugin provide?

Answer 217

memory offset
local ip address
remote ip address
PID

Question 218

What network artifact can signal a malicious process?

Answer 218

A PID that shouldn’t be communicating on the network but that is. A legitimate PID that exhibits this behavior may have been compromised.

Question 219

What is the effect of hibernation on Windows connections?

Answer 219

They’re all closed prior to hibernation, so connscan is still effective, but connections wouldn’t return any results.

Question 220

What should the network profile of svchost.exe be?

Answer 220

It generally shouldn’t have any external connections.

Question 221

What do the sockets and sockscan modules do?

Answer 221

They’re Volatility plugins that enumerate network sockets.

Question 222

What does the sockets plugin do?

Answer 222

It walks the singly linked list and reports information on the socket objects.

Question 223

What does the sockscan module do?

Answer 223

It scans memory images looking for _ADDRESS_OBJECT objects and parses them.

Question 224

What information does sockets and sockscan provide?

Answer 224

182

Question 225

What is an important bit of information in the socket structure, and why?

Answer 225

Creation time.

A process with a passive listening socket on a suspicious port.

Question 226

What can you learn by comparing sockets and sockscan output?

Answer 226

Which sockets were alive and which were terminated or unlinked.

Question 227

What should you focus on when reviewing network artifacts?

Answer 227

Suspicious ports
Suspicious connections
Known bad IPs
Suspicious network behavior from processes
Interesting creation times of network sockets

Question 228

What happens if you use the wrong module for network artifact scanning in Volatility?

Answer 228

No errors are generated, so you can use the wrong one without realizing it.

Question 229

What automated analysis plugins exist for Volatility

Answer 229

malsysproc
openioc_scan
baseline
processbl
servicebl
driverbl

Question 230

What does malsysproc do?

Answer 230

Automatically identifies suspicous processes

Question 231

What does openioc_scan?

Answer 231

Scans memory objects using OpenIOC signature files.

Question 232

What does baseline do?

Answer 232

Provides processbl servicebl, driverbl for baseline comparisons.

Question 233

What does processbl do?

Answer 233

Compare processes and loaded DLLs with a baseline image.

Question 234

What does servicebl do?

Answer 234

Comapres services with a baseline image.

Question 235

What does driverbl do?

Answer 235

Compares drivers with a baseline image.

Question 236

What is malsysproc designed to do?

Answer 236

Scan system processes for anomalies to find malware pretending to be legitimate system processes.

Question 237

Limitations of malsysproc?

Answer 237

Only scans common system processes (smss, csrss, winlogon, services, lsass, svchost, spoolsv, wininit), and common misspellings. (188)

Question 238

What does malprocfind do?

Answer 238

It’s a fork of malsysproc that adds useful checks like anomalous process SIDs and process hollowing.

Question 239

What does baseline do?

Answer 239

Compares memory objects found in a suspect image to those present in a known good image.

Question 240

What parameters does baseline take?

Answer 240

• B (baseline image)
• U (only show items not found in the baseline)
• K (only show items present in the baseline) (190)

Question 241

190

Answer 241

190

Question 242

List Volatility code injection plugins

Answer 242

malfind, ldrmodules

Question 243

What does malfind do?

Answer 243

It’s a Volatility plugin that scans process memory sections looking for indications of code injection, then extracts those sections for further analysis.

Question 244

What parameters does malfind take?

Answer 244

195

Question 245

195

Answer 245

195

Question 246

MZ portable executable header?

Answer 246

196

Question 247

PAGE_EXECUTE_READWRITE?

Answer 247

Is this suspicous in itself? (202)

Question 248

What assembly identifies a function?

Answer 248

PUSH EBP

MOV EBP, ESP

Question 249

What does ldrmodules do?

Answer 249

(203)

Question 250

Volatility rootkit identification plugins

Answer 250

(210)

Question 251

DKOM

Answer 251

211