How to Perform Memory Analysis
How to Perform Memory Analysis
Malware threats are a very serious problem in information security nowadays. Dangerous hackers are inventing new techniques on a daily basis to bypass security layers and avoid detection. Thus it is time to figure out how to analyse memorydumps as.
In this Article we are going to learn:
- Dissecting Memory
- Memory Management
- Computer Forensic analysis steps
- Digital Evidence acquisition
- Memory Acquisition
- Memory Analysis
- Volatility Framework
- Memory Analysis Best Practices
Malware analysis is the art of determining the functionality, origin and potential impact of a given malware sample, such as a virus, worm, trojan horse, rootkit, or backdoor. As a malware analyst, your main role is to collect all the information about the malicious software and have a good understanding of what happened to the infected machines. Like any process, to perform a malware analysis you typically need to follow a certain methodology and a number of steps.
Memory malware analysis is widely used for digital investigation and malware analysis. It refers to the act of analysing a dumped memory image from a targeted machine after executing the malware to obtain multiple numbers of artefacts including network information, running processes, API hooks, kernel loaded modules, Bash history, etc. ... This phase is very important because it is always a good idea to have a clearer understanding of the malware capabilities.
- Process list and the associated threads
- networking information and interfaces (TCP/UDP) • Kernel modules including the hidden modules
- Opened files in the kernel
- Bash and commands history
- System Calls • Kernel hooks
If we are going to learn how to analyse memory dumps we need first to explore what memory is? and how it works.
Memory is a vital component in the computer architecture. Computers are composed by:
The full architecture is described in the following graph:
In memory analysis, we are dealing with RAM s.
A __RAM (pronounced ramm) is an acronym for random access memory, a type of computer memory that can be accessed randomly; that is, any byte of memory can be accessed without touching the preceding bytes. RAM__ is found in servers, PCs, tablets, smartphones and other devices_, such as printers. __ RAM is volatile _
The memory is divided into 4,096-byte memory chunks named pages, to facilitate internal handling. The 12 least significant bits are the offset; the rest is the page number. On the recent x86 architecture, For example, the Linux kernel divides the virtual space, usually 4 GB into 3 GB dedicated to UserLand, and 1 GB for kernel land. This operation is named segmentation. The kernel uses a page table for the correspondence between physical and virtual addresses. To manage the different regions of memory, it uses a virtual memory area (VMA)
The stack is a special memory space. In programming, it is an abstract data type used to collect elements using two operations: push and pop. This section grows automatically, but when it becomes closer to another memory section, it will cause a problem and a confusion to the system. That is why attackers are using this technique to confuse the system with other memory areas.
The heap is used for dynamic memory allocation. It resides in the RAM like the stack, but it is slower. The kernel heap is using the following three types of allocators:
- SLAB: This is a cache-friendly allocator.
- A simple list of blocks (SLOB): This is an allocator used in small systems. It uses a first-fit algorithm.
- SLUB : It is the default Linux allocator.
You can explore the detailed sections of memory check this great cheat sheet:
Better resolution here Memory Segmentation sheet
Memory management is an important capability of every operating system. It is also integrated into Linux kernel. Linux manages memory in a virtual way. In other words, there is no correspondence between the physical memory addresses, and the addresses used and seen by the program. This technique gives the users and developers flexibility. Linux is dealing with the following five types of addresses:
- User virtual addresses
- Physical addresses
- Bus addresses
- Kernel logical addresses
- Kernel virtual addresses
Computer Forensic analysis steps
NIST is describing Forensics as the following:
The most common goal of performing forensics is to gain a better understanding of an event of interest by finding and analyzing the facts related to that event... Forensics may be needed in many different situations, such as evidence collection for legal_ proceedings and internal disciplinary actions, and handling of malware incidents and unusual operational problems. _
Like any methodological operation, Computer forensic analysis goes through well-defined steps: Collection; Examination, Analysis and reporting. let's explore these steps one by one:
- Collection: identifying data sources and verify the integrity of it
- Examination: assessing and extracting the relevant pieces of information from the collected data
The steps are based on the NIST Guide to Integrating Forensic Techniques into Incident Response. I highly recommend exploring the Process in details (Performing the Forensic Process)
Digital Evidence acquisition
Digital evidence needs to be treated carefully because we are going to analyse them. Also, we need to use them later within the legal process. Eliézer Pereira prioritized them in his Article RAM Memory Forensic Analysis as the following from the most volatile to the least volatile:
- Routing tables, process tables, memory
- Temporary system files
- Hard drive
- Remote logs, monitoring data
- Physical network configuration, network topology
- Media files (CDs, DVDs)
The first step of memory analysis is memory acquisition by dumping the memory of a machine using a number of utilities. One of these tools is fmem, which is a kernel module to create a new device called /dev/fmem to allow direct access to the whole memory. After downloading it from their official repository and compiling it you can acquire the machine memory using this command:
# dd if=/dev/fmem of=... bs=1MB count=...
Another tool is The Linux Memory Extractor. LIME is a Loadable Kernel Module (LKM) to allow volatile memory acquisition from Linux and Linux- based devices, such as Android.
These are some free Memory Acquisition tools:
- Mdd (Memory DD) (is no longer under active development.)
A full list of useful tools can be found here: Tools: Memory Imaging (https://www.forensicswiki.org/wiki/Tools:Memory_Imaging )
After having a memory dump, it is time to analyze the memory image.
Memory Analysis with Volatility Framework
To analyse memory You can simply use volatility framework, which is an open source memory forensics tool written in Python. It is available under GPL. Volatility comes with various plugins and a number of profiles to ease obtaining basic forensic information about memory image files. To download it you can visit this website: The Volatility Foundation - Open Source Memory Forensics or GitHub - volatilityfoundation/volatility
To identify malicious network activities many experts recommend following these steps. First, you can identify Process IDs of network connections.
Later you need to map that IDs to Process Names and later terminate every step and process by collecting the artefacts by taking notes, screenshots and of course time-stamps.
Note: this section is not completed yet. The processes will be described in a detailed way. Stay tuned.
Peerlyst Articles about Memory Analysis you need to explore
- Useful PhD thesis: Advances in Modern Malware and Memory Analysis - contains 4 new proposals
- Some useful forensics tools for your forensics investigation
- How to build a Linux Automated Malware Analysis Lab
- LiME: Loadable Kernel Module Overview
- Malware analysis Frameworks
- Memory Forensics : Tracking Process Injection
In this article, we explored how to perform Malware memory analysis.
Checked the availability of tools (Thanks to Ken Pryor )
- Advanced Infrastructure Penetration Testing Chiheb Chebbi
- What is RAM - Random Access Memory? Webopedia Definition