Memory forensics is the science of analyzing computer memory, both volatile and non-volatile, and it reveals a vast array of analytical points about the state the machine was in at the time the memory image was acquired. Memory forensics is paramount to the analysis of a computer system's volatile memory, which contains numerous artifacts that may prove useful during a digital forensics investigation.
For this demonstration I used FTK Imager to capture a memory image of Windows 10 running as a virtual machine inside the VMware Fusion 8 hypervisor, with Mac OS X El Capitan as the host operating system. I used the Volatility Framework for memory analysis. Figure 1 below is a screenshot of FTK Imager dumping the memory image file to the E:\ drive under the filename memdump.mem.
Figure 2 below is the pslist, or “running processes list”, output screen from the Volatility Framework. Running processes are useful to digital forensics because the list reveals every process that was running at the time of the capture. This allows a digital forensics investigator to distinguish which processes are valid and which ones are potentially malicious. Other useful information revealed by the pslist option includes: process IDs (a lower number indicates higher-priority apps), threads (the basic unit to which the operating system allocates processor time within a specific process), start times, and process names.
Figure 3 below is the second tool used from the Volatility Framework toolset. Netscan reports on all network connections that were open, closed, or sleeping at the time of the memory image dump. The local address includes the local IP address and port that was used for the connection to the foreign address/port, which is simply the address and socket of the remote system. The process ID and owner of the process can also provide clues as to what application initiated the network connection. Other useful information included is the protocol used and the memory address location.
The third and final output in this experiment is psxview, as seen in Figure 4 below. This plugin provides an overview of each process, which can be cross-referenced against various process-listing sources to help determine whether or not a process is rogue or malicious in nature. For example, hidden processes could be revealed if the pslist field is False and all other fields are True. Session indicates all processes that attach to a user session, and Desktop reveals threads attached to a desktop that can be mapped to its owning process.
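As an added example (not code from the original write-up or from the Volatility project), the following Python script parses psxview output in the Volatility 2 column layout and applies the rule above: a process with pslist False and every other column True is flagged as hidden. The sample rows, process names, PIDs and offsets are constructed; the script also sets aside rows that carry an ExitTime, since a terminated process is legitimately absent from pslist and should not be mistaken for a hidden one.

```python
"""Flag processes hidden from pslist using Volatility psxview output."""
from typing import Dict, List

# Constructed sample in the Volatility 2 psxview column layout; offsets,
# names and PIDs are made up and not taken from a real image.
SAMPLE_PSXVIEW = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x0000000007e17560 System                    4 True   True   True     True   False False   False
0x0000000007ce8b30 explorer.exe           1436 True   True   True     True   True  True    True
0x0000000007b1a020 evil.exe               2112 False  True   True     True   True  True    True
0x0000000007a44ab0 notepad.exe            3020 False  True   False    False  False False   False    2017-04-16 14:02:11 UTC+0000
"""

# The seven process-listing sources psxview cross-references, in column order.
BOOL_COLUMNS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]


def parse_psxview(text: str) -> List[Dict]:
    """Parse psxview rows into dicts; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue  # not a data row
        row = {"offset": parts[0], "name": parts[1], "pid": int(parts[2])}
        for col, val in zip(BOOL_COLUMNS, parts[3:10]):
            row[col] = (val == "True")
        # Anything after the seven flags is the ExitTime; live processes have none.
        row["exit_time"] = " ".join(parts[10:]) or None
        rows.append(row)
    return rows


def find_hidden(rows: List[Dict]) -> List[Dict]:
    """The rule from the text: pslist False while every other source reports True."""
    return [r for r in rows
            if not r["pslist"] and all(r[c] for c in BOOL_COLUMNS[1:])]


def find_terminated(rows: List[Dict]) -> List[Dict]:
    """Rows absent from pslist but carrying an ExitTime are exited, not hidden."""
    return [r for r in rows if not r["pslist"] and r["exit_time"]]


if __name__ == "__main__":
    parsed = parse_psxview(SAMPLE_PSXVIEW)
    for r in find_hidden(parsed):
        print(f"HIDDEN  pid={r['pid']:>5} {r['name']} at {r['offset']}")
    for r in find_terminated(parsed):
        print(f"EXITED  pid={r['pid']:>5} {r['name']} exit={r['exit_time']}")
```

Run against real psxview output by piping the plugin's stdout into parse_psxview; the System process row shows why "pslist False" alone is not enough, as legitimate kernel processes lack csrss, session and desktop entries.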