Note: This post originally appeared on the SANS Forensics blog
As memory forensics has become better understood and more widely accomplished, tools have proliferated. More importantly, the capabilities of the tools have greatly improved. Traditionally, memory analysis has been the sole domain of Windows internals experts, but recent tools now make analysis feasible for the rank and file forensic examiner. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. We are also seeing novel ways to attack the problem. One of the more interesting developments I have been following lately is the advent of live memory analysis.
I credit the free Mandiant Memoryze tool with popularizing the idea of performing live memory analysis, and I believe it is a revolutionary change. The idea itself could be as controversial as creating a memory image was just a few years ago. Do you remember the naysayers questioning how our forensic analysis could possibly be valid if we were to run our imaging applications on the live system? Shouldn’t we still be pulling the plug? What would they say if we now told them we were going to play “Find the Hacker” on that same live system? Luckily it turns out that the system impact of doing a live analysis versus (or in addition to) taking a memory image is minimal. And the benefits are great:
- Inclusion of the system pagefile, providing a more complete picture of memory
- Digital signature checks of process and driver executables
- More accurate heuristics matching
- Faster triage capability
Keep in mind that live analysis occurs by accessing physical memory, and not relying upon API calls, open handles, or debuggers. Thus it is just as effective at defeating advanced malware and rootkits as analyzing a standard memory image. Convinced yet? If so, here is how to perform a live memory analysis with the new free tool, Redline:
For previous users of Memoryze, Redline is essentially a shiny new front end to replace the Audit Viewer GUI. It was designed to make memory forensics approachable to a larger audience and improves upon many of Audit Viewer’s most popular options, like DLL injection detection and the Malware Rating Index (MRI). Redline uses Memoryze in the background to “audit” memory — essentially turning all that seemingly chaotic and unstructured data into the processes, drivers, and memory sections understood by the operating system. Redline can create these audits from an existing memory image or it can kick off a live analysis on the current system (see Figure 1). While the latter feature can be useful, it does require installation of the Redline and .NET binaries, which may not be feasible or desired.
Performing Live Memory Analysis via USB
To accomplish live memory analysis, our tool has to be more sophisticated than one used for standard memory acquisition. A full memory audit must be conducted to identify all of those processes, drivers, and other artifacts we leverage during memory forensics. Redline includes a default configuration script for just this purpose. For the smallest footprint possible on the target system, consider running the audit from a USB device. This can be done without any installation on the target system and the results can be saved to any location. Once the live analysis is complete, the results can be reviewed on your forensic workstation at your leisure. The process is simple:
- Install Redline on your workstation (download here)
- Copy the resulting “Mandiant Redline” folder to your USB device (Default installation path: C:\Program Files\Mandiant\Mandiant Redline)
- Attach USB device to target system and open a command prompt with Administrator permissions
- Navigate to the proper folder:
\Mandiant\Redline\Memoryze\x86\ for 32 bit operating systems
\Mandiant\Redline\Memoryze\x64\ for 64 bit operating systems
- Run the following command (assuming USB device mounted on G:\):
memoryze.exe -o G:\results -f -script “G:\Mandiant Redline\Configuration\DefaultMemoryzeAudit.xml” -encoding none
-o Location to save results
-f Force creation of output folder
-script Identifies which memory audits to run
-encoding Allows alternate output formats such as gzip and AFF
- Move results to forensic workstation and start a new Redline analysis session using the “From a Memoryze Output Directory” option (Figure 2)
- You will notice that the resulting output of the audit will be significantly smaller than a full memory image. This is due to it being the minimal set of information necessary to populate Redline’s analysis features. For this reason, it is often a good idea to follow your live audit with a full memory capture if time permits.
- If USB is not an option in your environment, the same process can be conducted using other media, such as a CD-R. In this situation, output could be redirected to a network share or equivalent.
- Check the Memoryze page for the full list of operating systems supported.
- Questions, comments, or feature requests? The Redline forums can be found here.
- Special thanks to Ted Wilson at Mandiant and the Redline / Memoryze development teams!
Chad Tilbury, GCFA, has spent over twelve years conducting computer crime investigations ranging from hacking to espionage to multi-million dollar fraud cases. He teaches FOR408 Windows Forensics and FOR508 Advanced Computer Forensic Analysis and Incident Response for the SANS Institute. Find him on Twitter @chadtilbury or at http://ForensicMethods.com.