Section 3.4: Introduction to Memory Analysis

Question 1

How does memory forensics differ from media forensics?

Answer 1

It is a snapshot in time. Memory is set in a format of execution.

Question 2

Describe the Kernel Debugger Data Block (KDBG)

Answer 2

It is the memory data structure that has pointers to the process list of the system. Memory tools look for this to find context in memory images.

Question 3

What is another alternative to finding the KDBG? Is it difficult to find?

Answer 3

Search for the Kernel Process Control Region (KPCR) offset. It has a pointer leading to KDBG. It’s not difficult, just time consuming for tools to find it.

Question 4

Once KDBG is found, what pointer can be retrieved? What does it contain?

Answer 4

PsActiveProcessHead pointer. This contains the EPROCESS (Executive Process Block) and contains the list of all currently running processes in memory.

Question 5

What does each EPROCESS contain?

Answer 5

PEB, handles, threads, access tokens, and a VAD tree.

Question 6

Describe the Process Environmental Block (PEB)

Answer 6

It holds a host of data structures that define the process such as: the commandline, the full path, and a list of linked DLLs.

Question 7

Describe the Virtual Address Descriptor (VAD) tree.

Answer 7

The tree is responsible for tracking every memory section (aka memory page) to that process. It double checks what exists on various memory sections vs what the list says. Its used to locate signs of code injections placed by modules or drivers.

Question 8

What are outliers in memory?

Answer 8

Unlinked processes, DLLs, sockets, threads. Unmapped memory sections with execute priviledges. Hooked detections or heuristic signatures.

Question 9

Most commonly used memory analysis tool that works on all 3 operating systems? How can I find help or more information about the tool?

Answer 9

Volatility. Use [-h] for help. Type it after plugin to get info on just the plugin. Use [–info] to get list of a current profiles available. Get ready to learn Volatility 3 soon!

Question 10

Methods to discover a memory’s profile

Answer 10

Search the build number in About PC. Use imageinfo or kdbgscan. Guessing.

Question 11

How do I identify the correct memory profile with the kdbgscan output?

Answer 11

Does the build string match the suggested build? Does the kernel base say MZ true? Is there a KPCR address? Are there any processes in PsActiveProcessHead? Any modules in PsLoadedModuleList?

Question 12

What is the Volatility imagecopy plugin used for?

Answer 12

To make crash dump or hiberation files into raw memory. It can also do VMware and VirtualBox. Use the [-O] for output file and find the profile by guessing or getting it through About PC.

Question 13

The six steps in analyzing memory

Answer 13

Identify rogue processes, analyze DLLs/handles, review network artifacts, search for code injectionz search for rootkits, and dump bad processes or drivers.

Question 14

Double-linked processes are an indication that the process is…

Answer 14

Allocated. Unlinked ones and running are done so by rootkit malware doing Direct Kernel Process Manipulation (DKPM).

Question 15

Six items to analyze when reviewing processes.

Answer 15

Process name, full path, parent process, commandline, start time, and Security IDs

Question 16

Name a process that is normal in workstations but abnormal in servers.

Answer 16

Microsoft Security Essentials (Msseces.exe)

Question 17

Originating paths of Explorer.exe and iexplorer.exe processes.

Answer 17

Explorer belongs inside Windows folder. Iexplore belongs in Program Files folder. Both should NOT run inside system32 folder.

Question 18

How is it that a svchost.exe process is considered suspicious if the parent is explorer.exe?

Answer 18

It implies it was loaded after logon since explorer is the user shell vs if its loaded from Services.exe which is boot.

Question 19

Plugins to identify rogue processes

Answer 19

Pslist, psscan, pstree, malprocfind, and processbl

Question 20

If I were to see processes with zero threads and handles in the pslist output, what does it mean?

Answer 20

That it hasnt been transferred to psscan

Question 21

What does psscan in retrieve from memory?

Answer 21

Terminated process

Question 22

What is physical memory offsets and virtual memory offsets

Answer 22

Physical memory offsets are locations where I can use a hex editor to find the object. Virtual memory offsets can find the object but inside the RAM.

Question 23

What does a w3wp.exe process do maliciously?

Answer 23

It is a webshell command. It would be a good idea to see the child processes.

Question 24

What does wsmprovhost.exe indicate?

Answer 24

Remote powershell is being done to the current system by an outside system.

Question 25

Difference from seeing cmd.exe, explorer.exe, and svchost.exe as a parent process to powershell.

Answer 25

Cmd.exe means someone started powershell through it svchost.exe means and admin is, and explorer.exe through a user login.

Question 26

What is wmiprvse.exe?

Answer 26

An executable that runs on the remote system when it is being accessed by an outside system.

Question 27

What is running when I see an scrcons.exe binary inside memory?

Answer 27

A WMI Event Consumer is being run.

Question 28

Name the three baseline plugins inside Volatility.

Answer 28

Processbl, servicebl, and driverbl

Question 29

Name the process objects.

Answer 29

DLLs, Handles (File, Directory, Registry, Mutex, Events), Threads, Sockets, and Memory Sections.

Question 30

If a process needs to communicate via HTTP, what DLL file is run?

Answer 30

WININET.dll

Question 31

Process objects plugins list

Answer 31

Dlllist, cmdline, getsids, handles, & mutantscan.

Question 32

Why does Cobalt Strike run alot of sacrificial processes?

Answer 32

In order to keep the beacon and not lose access to the enterprise. Look for multiple process that look noisy. Also check multiple exited ones as they kill off once process completes.

Question 33

When running dlllist on a process, what should the commandline include?

Answer 33

At least the dll that will be loaded.

Question 34

Is it normal for the lsass.exe process to have user token permissions?

Answer 34

No.

Question 35

What information does the getsids plugin provide?

Answer 35

It provides token access information. It gives the identity and priviledges of the user who can access the process.

Question 36

How do I understand the priviledges a user has when I run getsids?

Answer 36

The first SID determines the account ID that ran it. The rest of the SIDs is group information the first SID is in.

Question 37

Explain the Unique domain identifier and Relative Identifier.

Answer 37

UID is the long string of numbers that identify the user account. RID is the four digits at the end of SID and its unique to every domain account.

Question 38

Cobalt Strike keywords that can be found in named pipes when analyzing handles.

Answer 38

MSSE-####-Server, postex, status, and \.\pipe\

Question 39

Why would an adversary compromise a process’s mutant? How does it benefit analysts finding this?

Answer 39

So that a system gets marked and doesnt get reinfected. Reverse engineers can make IOC’s out of it.

Question 40

What connection does worm malware use?

Answer 40

It uses UDP connection to establish C2 on their peer-to-peer connections.

Question 41

If I cant find processes that communicate through the network, what is another way to look for them if they were?

Answer 41

Analyze terminated sockets and the time to see if it connects with other suspicious processes.

Question 42

Give examples of normal and abnormal network behavior.

Answer 42

Process communicating to 80, 443, or 8080 ports that isnt a browser. Browsers that dont communicate through 80, 443, or 8080. Connections to external IP addresses. Web requests to an IP rather than domain. RDP (3389) connections. DNS request for unusual names. Workstation-to-workstation connections.

Question 43

Network Plugins in Volatility

Answer 43

Connections, connscan, sockets, socketscan, and netscan