Preparing and Building Forensic Tools for Volatile Memory Acquisition: Techniques and Best Practices [ Part 2.5 ]

Background: In my previous article, I covered, at a high level, all the necessary actions required to prepare for volatile memory dumping in the case of a cybersecurity incident. This process is important because it provides an alternative way to deep dive into systems and helps answer the critical question: "HOW?"

Technical Cover Description: Before we dive into the process itself, let's discuss the challenges. The first challenge is choosing the best method to successfully dump RAM. As I noted in my previous article, before performing such actions, we need to image the physical drive [HDD / SSD / NVM]. This step is crucial because it helps minimize any potential integrity impact on the filesystem. Acquiring volatile memory requires running code on a live system, which cannot be done against a physical drive mounted in read-only mode.

To achieve this goal, we have two options: use enterprise tools or leverage open-source solutions to acquire memory. In this article, I will focus solely on our custom solution, which incorporates components from open-source tools. For this reason, we will use PowerShell or Bash scripts in combination with tools like WinPmem [Windows OS] and LiME [Linux / Unix OS]. This approach is necessary because, in a scaled infrastructure, it is more efficient to deliver PowerShell or Bash scripts that automate the process than to log in to each host one by one and run these tools manually.

Technical Step: This implementation needs to be divided into two parts. In the first part, we will prepare our codebase to run on the systems. In the second part, we will cover the process of analyzing the acquired memory using the Volatility framework.

Architecture preparing: Our PowerShell or Bash script needs to follow the file structure noted below.

Root Folder 
-Powershell.ps1
-Bash.sh
--Additional_Files [ Folder ]
---OS TYPE [ FOLDER ]
----Architecture Type [ Folder ]
-----Embedded_Python_Versions [ Files ]
-----Embedded_Virtual_Env_File [ File ]
-----Software_To_Acquire_Memory [ File ]
----Volatility_Framework_WHL and REPO [ FILES ]

Codebase preparing: Our script should first check the OS type and CPU architecture of the system it is running on, so that it can select the appropriate memory acquisition tool from the folder tree above. Depending on the chosen tool, you can execute it through the embedded Python or run it directly from your Bash or PowerShell script. If you're using memory acquisition software written in Python, always have your script create a virtual environment, so that your Python execution is isolated from the main filesystem. After memory acquisition, you can decide whether to leave the .dmp or .raw file on the system or to automate its transfer to central storage.

Example: (image omitted)
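The Linux branch of the procedure above, written out as an added example (this is not the author's Bash.sh). Folder names follow the tree above; the LiME module filename, the venv location, the output path and the presence of a bundled python3 binary are assumptions, and a SHA-256 of the image is recorded so it can be verified after transfer.

```shell
#!/usr/bin/env bash
# Added example, not the author's Bash.sh: Linux branch of the file tree above.
# Folder names follow that tree; LiME module name, venv and output paths are assumed.
set -eu
# Root folder = the folder this script lives in (override with ROOT=...).
ROOT="${ROOT:-$(cd "$(dirname "$0")" && pwd)}"
# Map `uname -m` output to the architecture folder name used in the tree.
map_arch() {
    case "$1" in
        x86_64|amd64)  echo "x64" ;;
        i386|i686)     echo "x86" ;;
        aarch64|arm64) echo "arm64" ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Resolve Additional_Files/<OS>/<Arch> for the host we are running on.
tool_dir() {
    local arch
    arch="$(map_arch "$2")" || return 1
    echo "$ROOT/Additional_Files/$1/$arch"
}

# Isolated venv: bundled interpreter if present, else system python3; install
# only the bundled wheels so nothing is written to system site-packages.
prepare_venv() {
    local dir="$1" venv="$2" whl_dir="$3" py
    py="$dir/Embedded_Python_Versions/python3"
    [ -x "$py" ] || py=python3
    "$py" -m venv "$venv"
    "$venv/bin/pip" install --no-index --find-links "$whl_dir" "$whl_dir"/*.whl
}

# Load LiME to write the image, unload it, then record a SHA-256 so the image
# can be verified after transfer to central storage.
acquire_memory() {
    local dir="$1" out="$2" ko
    ko="$dir/Software_To_Acquire_Memory/lime-$(uname -r).ko"  # assumed naming
    [ -f "$ko" ] || { echo "no LiME module built for kernel $(uname -r)" >&2; return 1; }
    insmod "$ko" "path=$out format=lime"
    rmmod lime
    sha256sum "$out" > "$out.sha256"
}
main() {
    dir="$(tool_dir Linux "$(uname -m)")"
    prepare_venv "$dir" "$dir/venv" "$ROOT/Additional_Files/Linux/Volatility_Framework_WHL"
    acquire_memory "$dir" "/tmp/$(hostname)-$(date +%Y%m%dT%H%M%S).lime"
}
# Acquisition only on request (needs root); sourcing just defines the functions.
if [ "${1:-}" = "acquire" ]; then main; fi
```

Run it as `sudo ./Bash.sh acquire` on the target; without the argument it only defines the functions, which keeps the architecture mapping testable off-box.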

Volatility preparing: In my example, I am deploying the Volatility memory analysis framework within a virtual environment on the machine running my script. As a result, I have successfully isolated the Volatility framework from my main operating system using virtualenv. After acquiring the memory image, I can run the following command:

python3 vol.py -f name.raw --profile=your_profile_name plugin_name

From the syntax, we can identify several key components:

  1. python3: The Python interpreter (or the path to it) that runs the framework.
  2. vol.py: The main entry point of the Volatility framework.
  3. -f name.raw: The acquired memory image to analyze.
  4. --profile: Each operating system version has a specific profile describing its kernel data structures, so that the RAM contents are mapped and interpreted correctly. Specifying the right profile lets the plugin parse the data accurately.
  5. plugin_name: The specific task to be executed by the Volatility framework.

Some plugin examples:

  1. pstree
  2. yarascan
  3. apihooks
  4. psscan

Conclusion: Memory forensics is not an easy task because you need to have knowledge of how RAM works and its key components. Before diving deep into it, it is strongly advised to read "The Art of Memory Forensics."

NOTE:

  1. All of these steps need to be performed as an administrator or with elevated privileges (sudo).
  2. On Windows, you need to adjust the PowerShell execution policy to allow unsigned PowerShell scripts to run.

Happy hunting! J0k3R