Note: This post originally appeared on the SANS Forensics blog
As memory forensics has become better understood and more widely practiced, tools have proliferated. More importantly, the capabilities of the tools have greatly improved. Traditionally, memory analysis has been the sole domain of Windows internals experts, but recent tools now make analysis feasible for the rank-and-file forensic examiner. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. We are also seeing novel ways to attack the problem. One of the more interesting developments I have been following lately is the advent of live memory analysis.
I credit the free Mandiant Memoryze tool with popularizing the idea of performing live memory analysis, and I believe it is a revolutionary change. The idea itself could be as controversial as creating a memory image was just a few years ago. Do you remember the naysayers questioning how our forensic analysis could possibly be valid if we were to run our imaging applications on the live system? Shouldn’t we still be pulling the plug? What would they say if we now told them we were going to play “Find the Hacker” on that same live system? Luckily it turns out that the system impact of doing a live analysis versus (or in addition to) taking a memory image is minimal. And the benefits are great:
- Inclusion of the system pagefile, providing a more complete picture of memory
- Digital signature checks of process and driver executables (the files on disk are available on the live system, but not in an offline image)
- More accurate heuristic matching
- Faster triage capability
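The signature-check benefit above is easy to see in practice. The following PowerShell script is an added example, not part of the original post and not Redline's own method: it enumerates the executables behind running processes and loaded kernel drivers on a live Windows host and checks their Authenticode signatures with the built-in cmdlets. The function name `Get-LiveSignatureReport` and the path-normalization rules are my own; run it from an elevated prompt, since the image path of protected processes is otherwise unreadable.

```powershell
# Added example (not from the original post or from Redline): on a live Windows
# host, check the Authenticode signature of every running process image and every
# running kernel driver. A raw memory image carries no files to verify, so this
# check is only possible during live analysis.
# Assumptions: run from an elevated PowerShell prompt; Get-LiveSignatureReport is
# a name chosen for this example.

function Get-LiveSignatureReport {
    $targets = @()

    # Process images: Get-Process exposes the on-disk path of the main module
    # (null for System, Idle and, without elevation, protected processes).
    foreach ($p in Get-Process) {
        $targets += [pscustomobject]@{ Kind = 'process'; Name = $p.ProcessName; Path = $p.Path }
    }

    # Kernel drivers: Win32_SystemDriver lists the driver file for each service
    # entry; only those currently running matter for a live triage.
    foreach ($d in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) {
        $targets += [pscustomobject]@{ Kind = 'driver'; Name = $d.Name; Path = $d.PathName }
    }

    foreach ($t in $targets) {
        # Driver paths are sometimes recorded in NT form; map the common prefixes
        # to a Win32 path so Test-Path and Get-AuthenticodeSignature can open them.
        $path = $t.Path
        if ($path) {
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
        }

        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Kind = $t.Kind; Name = $t.Name; Path = $t.Path; Status = 'no-path'; Signer = $null }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Kind   = $t.Kind
            Name   = $t.Name
            Path   = $path
            Status = $sig.Status                  # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = $sig.SignerCertificate.Subject   # $null when the file is unsigned
        }
    }
}

# Usage: anything whose status is not 'Valid' floats to the top of the triage list.
Get-LiveSignatureReport |
    Sort-Object @{ Expression = { $_.Status -eq 'Valid' } }, Kind, Name |
    Format-Table Kind, Name, Status, Signer -AutoSize
```

A `HashMismatch` on a driver or a process image that should be signed is worth more attention than `NotSigned`, because it means a file that once carried a valid signature has been altered on disk; `no-path` entries are usually protected processes or drivers whose file has been deleted since load, which is itself a triage lead.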
Keep in mind that live analysis works by reading physical memory directly, not by relying on API calls, open handles, or debuggers. It is therefore just as resistant to API-hooking malware and rootkits as analysis of a standard memory image; the one assumption the two approaches share is that the component reading physical memory has not itself been subverted, and that applies equally to the acquisition tool that produces an image. Convinced yet? If so, here is how to perform a live memory analysis with the new free tool, Redline: