Digging up memories – a deep-dive into memory forensics in the Cyber Security Essentials meetup

June 11, 2020 at 10:06

Digital forensics and incident response (DFIR) was the topic of the sixth and final meetup of the Cyber Security Essentials course, a free training program aiming to drive diversity in cybersecurity. Two Nixuans, Juho Jauhiainen and Timo Miettinen, were introducing the participants into the fascinating world of memory forensics, malware analysis, and the incident response process. But why is memory forensics important? Because it can be the only way to find what happened.

Some things only exist in memory

Memory forensics is crucial because some things only exist in memory. For example, so-called fileless malware does not have a binary file associated with it as normal processes do. However, you could be able to find the payload that downloaded it from the disk if you look closely. In addition to analyzing malware and all other running processes, examining the memory allows you to investigate, for example, open files, network communications, and find secrets, such as encryption keys.

Memory forensics is crucial because some things only exist in memory.

 

Memory forensics is all about being fast: you can even find the encryption key used by ransomware if you take the memory dump quickly. But when time goes by, the contents of the memory change, and you might lose precious evidence.

Well-written reports are the sign of a good forensicator

In the big picture, memory forensics is just one part of a five-staged digital forensic process that starts in evidence acquisition and ends in reporting. Juho highlighted that being able to write a comprehensive report about what happened is an essential skill for a forensicator.

The digital forensic process consists of five steps: evidence acquisition, memory forensics, analysis of selected files, disk forensics, and reporting.
The digital forensic process consists of five steps: evidence acquisition, memory forensics, analysis of selected files, disk forensics, and reporting.

 

Scenes from a memory

After a brief introduction to the Windows process internals and tooling, Juho and Timo led the course to do five online lab exercises. A trip down the memory lane (pun intended!) to the first meetup now came in handy, as its focus was to master the Linux command line and Kali Linux. 

The labs covered nearly all of the memory analysis steps that the SANS Institute, well-known computer security, and certification organization, lists in their Memory Forensics Cheat Sheet:

  1. Identify rogue processes
  2. Analyze process DLLs and handles
  3. Review network artifacts
  4. Look for evidence of code injection
  5. Check for signs of a rootkit
  6. Extract processes, drivers, and objects.

During three hours, the participants practiced hands-on and used Volatility's various plugins to detect when and from which operating system a memory dump was taken, identified different suspicious processes, and the user who had started the processes. Led by Timo and Juho, who gave tips and showed demos in between the exercises, the course partakers also dug into the network connections of the dubious processes and looked for evidence of code injection. 

Juho Jauhiainen demonstrating Volatility lab exercises.
Juho Jauhiainen demonstrating Volatility lab exercises.

 

This crash-course to digital forensics probably left many people hungry for more, so luckily, Juho announced the Future Female x HelSec Cyber Security Essentials Capture the Flag competition with prizes for the best players. That's a fun way to test what you've learned during the six-month course.

Want to learn more about digital forensics?

If you want to learn more about digital forensics, take a look at the SANS 3MinMax series for 3-minute explanation videos about how the steps that an attacker takes to compromise your system, and what kind of there are for different forensic purposes. Juho and Timo also recommend reading the book The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, published by Wiley.

 

Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.

Related blogs