Section 3.4: Introduction to Memory Analysis Flashcards

1
Q

How does memory forensics differ from media forensics?

A

It is a snapshot in time. Memory is set in a format of execution.

2
Q

Describe the Kernel Debugger Data Block (KDBG)

A

It is the memory data structure that has pointers to the process list of the system. Memory tools look for this to find context in memory images.

3
Q

What is another alternative to finding the KDBG? Is it difficult to find?

A

Search for the Kernel Process Control Region (KPCR) offset. It has a pointer leading to KDBG. It’s not difficult, just time consuming for tools to find it.

4
Q

Once KDBG is found, what pointer can be retrieved? What does it contain?

A

PsActiveProcessHead pointer. This contains the EPROCESS (Executive Process Block) and contains the list of all currently running processes in memory.

5
Q

What does each EPROCESS contain?

A

PEB, handles, threads, access tokens, and a VAD tree.

6
Q

Describe the Process Environmental Block (PEB)

A

It holds a host of data structures that define the process, such as the command line, the full path, and a list of linked DLLs.

7
Q

Describe the Virtual Address Descriptor (VAD) tree.

A

The tree is responsible for tracking every memory section (aka memory page) belonging to that process. It double checks what exists in the various memory sections vs. what the list says. It's used to locate signs of code injections placed by modules or drivers.

8
Q

What are outliers in memory?

A

Unlinked processes, DLLs, sockets, threads. Unmapped memory sections with execute privileges. Hooked detections or heuristic signatures.

9
Q

Most commonly used memory analysis tool that works on all 3 operating systems? How can I find help or more information about the tool?

A

Volatility. Use [-h] for help. Type it after a plugin to get info on just that plugin. Use [--info] to get a list of the currently available profiles. Get ready to learn Volatility 3 soon!

10
Q

Methods to discover a memory’s profile

A

Search the build number in About PC. Use imageinfo or kdbgscan. Guessing.

11
Q

How do I identify the correct memory profile with the kdbgscan output?

A

Does the build string match the suggested build? Does the kernel base say MZ true? Is there a KPCR address? Are there any processes in PsActiveProcessHead? Any modules in PsLoadedModuleList?

12
Q

What is the Volatility imagecopy plugin used for?

A

To convert crash dump or hibernation files into raw memory. It can also do VMware and VirtualBox. Use [-O] for the output file and find the profile by guessing or getting it through About PC.

13
Q

The six steps in analyzing memory

A

Identify rogue processes, analyze DLLs/handles, review network artifacts, search for code injections, search for rootkits, and dump bad processes or drivers.

14
Q

Double-linked processes are an indication that the process is…

A

Allocated. Unlinked ones that are still running were done so by rootkit malware doing Direct Kernel Process Manipulation (DKPM).

15
Q

Six items to analyze when reviewing processes.

A

Process name, full path, parent process, commandline, start time, and Security IDs

16
Q

Name a process that is normal in workstations but abnormal in servers.

A

Microsoft Security Essentials (Msseces.exe)

17
Q

Originating paths of Explorer.exe and iexplorer.exe processes.

A

Explorer belongs inside the Windows folder. Iexplore belongs in the Program Files folder. Neither should run from inside the system32 folder.

18
Q

How is it that a svchost.exe process is considered suspicious if the parent is explorer.exe?

A

It implies it was loaded after logon, since explorer is the user shell, vs. if it's loaded from Services.exe, which is at boot.

19
Q

Plugins to identify rogue processes

A

Pslist, psscan, pstree, malprocfind, and processbl

20
Q

If I were to see processes with zero threads and handles in the pslist output, what does it mean?

A

That it hasn't been transferred to psscan.

21
Q

What does psscan retrieve from memory?

A

Terminated processes.

22
Q

What are physical memory offsets and virtual memory offsets?

A

Physical memory offsets are locations where I can use a hex editor to find the object. Virtual memory offsets can find the object but inside the RAM.

23
Q

What does a w3wp.exe process do when used maliciously?

A

It is a webshell command. It would be a good idea to see the child processes.

24
Q

What does wsmprovhost.exe indicate?

A

Remote PowerShell is being run against the current system by an outside system.

25
Q

Difference between seeing cmd.exe, explorer.exe, and svchost.exe as the parent process of PowerShell.

A

Cmd.exe means someone started PowerShell through it, svchost.exe means an admin is, and explorer.exe means through a user login.

26
Q

What is wmiprvse.exe?

A

An executable that runs on the remote system when it is being accessed by an outside system.

27
Q

What is running when I see an scrcons.exe binary inside memory?

A

A WMI Event Consumer is being run.

28
Q

Name the three baseline plugins inside Volatility.

A

Processbl, servicebl, and driverbl

29
Q

Name the process objects.

A

DLLs, Handles (File, Directory, Registry, Mutex, Events), Threads, Sockets, and Memory Sections.

30
Q

If a process needs to communicate via HTTP, what DLL file is run?

A

WININET.dll

31
Q

Process objects plugins list

A

Dlllist, cmdline, getsids, handles, & mutantscan.

32
Q

Why does Cobalt Strike run a lot of sacrificial processes?

A

In order to keep the beacon and not lose access to the enterprise. Look for multiple processes that look noisy. Also check multiple exited ones, as they are killed off once the process completes.

33
Q

When running dlllist on a process, what should the commandline include?

A

At least the dll that will be loaded.

34
Q

Is it normal for the lsass.exe process to have user token permissions?

A

No.

35
Q

What information does the getsids plugin provide?

A

It provides token access information. It gives the identity and privileges of the user who can access the process.

36
Q

How do I understand the privileges a user has when I run getsids?

A

The first SID determines the account ID that ran it. The rest of the SIDs are the groups the first SID belongs to.

37
Q

Explain the Unique domain identifier and Relative Identifier.

A

UID is the long string of numbers that identifies the user account. RID is the four digits at the end of the SID, and it's unique to every domain account.

38
Q

Cobalt Strike keywords that can be found in named pipes when analyzing handles.

A

MSSE-####-Server, postex, status, and \\.\pipe\

39
Q

Why would an adversary compromise a process’s mutant? How does it benefit analysts finding this?

A

So that a system gets marked and doesn't get reinfected. Reverse engineers can make IOCs out of it.

40
Q

What connection does worm malware use?

A

It uses UDP connections to establish C2 over its peer-to-peer connections.

41
Q

If I can't find processes that communicate through the network, what is another way to look for them if they did?

A

Analyze terminated sockets and the time to see if it connects with other suspicious processes.

42
Q

Give examples of normal and abnormal network behavior.

A

A process communicating on ports 80, 443, or 8080 that isn't a browser. Browsers that don't communicate through 80, 443, or 8080. Connections to external IP addresses. Web requests to an IP rather than a domain. RDP (3389) connections. DNS requests for unusual names. Workstation-to-workstation connections.

43
Q

Network Plugins in Volatility

A

Connections, connscan, sockets, socketscan, and netscan