Section 3.4: Introduction to Memory Analysis Flashcards
How does memory forensics differ from media forensics?
It is a snapshot in time. Memory is laid out in the format it had during execution.
Describe the Kernel Debugger Data Block (KDBG)
It is the memory data structure that has pointers to the process list of the system. Memory tools look for this to find context in memory images.
What is another alternative to finding the KDBG? Is it difficult to find?
Search for the Kernel Process Control Region (KPCR) offset. It has a pointer leading to KDBG. It’s not difficult, just time consuming for tools to find it.
Once KDBG is found, what pointer can be retrieved? What does it contain?
The PsActiveProcessHead pointer. It points to the EPROCESS (Executive Process Block) list, which contains all currently running processes in memory.
What does each EPROCESS contain?
PEB, handles, threads, access tokens, and a VAD tree.
Describe the Process Environment Block (PEB)
It holds a host of data structures that define the process, such as the command line, the full path, and a list of linked DLLs.
Describe the Virtual Address Descriptor (VAD) tree.
The tree is responsible for tracking every memory section (aka memory page) belonging to that process. It double-checks what actually exists in the various memory sections against what the list says. It's used to locate signs of code injection placed by modules or drivers.
What are outliers in memory?
Unlinked processes, DLLs, sockets, and threads. Unmapped memory sections with execute privileges. Hook detections or heuristic signatures.
Most commonly used memory analysis tool that works on all 3 operating systems? How can I find help or more information about the tool?
Volatility. Use [-h] for help. Type it after a plugin name to get info on just that plugin. Use [--info] to get a list of the currently available profiles. Get ready to learn Volatility 3 soon!
Methods to discover a memory image's profile
Search the build number in About PC. Use imageinfo or kdbgscan. Guessing.
How do I identify the correct memory profile with the kdbgscan output?
Does the build string match the suggested build? Does the kernel base say MZ true? Is there a KPCR address? Are there any processes in PsActiveProcessHead? Any modules in PsLoadedModuleList?
What is the Volatility imagecopy plugin used for?
To convert crash dump or hibernation files into raw memory images. It can also convert VMware and VirtualBox files. Use [-O] for the output file and find the profile by guessing or by getting it through About PC.
The six steps in analyzing memory
Identify rogue processes, analyze DLLs/handles, review network artifacts, search for code injection, search for rootkits, and dump bad processes or drivers.
Doubly-linked processes are an indication that the process is…
Allocated. Processes that are unlinked but still running have been hidden by rootkit malware performing Direct Kernel Process Manipulation (DKPM).
Six items to analyze when reviewing processes.
Process name, full path, parent process, command line, start time, and Security IDs
Name a process that is normal in workstations but abnormal in servers.
Microsoft Security Essentials (Msseces.exe)
Originating paths of the Explorer.exe and iexplore.exe processes.
Explorer belongs inside the Windows folder. Iexplore belongs in the Program Files folder. Neither should run from inside the system32 folder.