1. Preface
The Art of Memory Forensics is an excellent book; using Volatility to analyze memory images the way it describes can help with more advanced Trojan analysis and forensics. The book's commands are recorded here.
2. Volatility - Windows commands
Compared with the analysis of Linux images, Windows system profiles are bundled with Volatility, so none needs to be built separately.
- Select metadata: imageinfo
View summary information about the memory sample being analyzed: the operating system version and service pack of the host, the hardware architecture (32-bit or 64-bit), the starting address of the page directory table, and the time at which the memory image was acquired. It also shows the profile metadata currently supported for the image.
- Terminated process analysis: psscan
Use the psscan command to find processes that have previously terminated (inactive) and processes that a rootkit has hidden or unlinked. The output shows the start and exit times of the two processes ping.exe and ipconfig.exe.
The pslist command lists the system's processes, showing the offset, process name, process ID, parent process ID, number of threads, number of handles, and the date/time at which the process started and exited.
The pstree command shows the same processes as pslist in tree form, but like pslist it does not show hidden or unlinked processes. Child processes are indicated by indentation and periods.
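As an added example (not from the book or the original notes), the following Python script parses psscan and pslist output in Volatility 2's column layout and separates processes that have exited from processes that are still alive but missing from the active-process list, which is the cross-check behind the "hidden or unlinked" remark above. The output lines are constructed for the example, not taken from a real image.

```python
import re

# Constructed sample output (not from the book or a real image), in the column
# layout of Volatility 2's psscan and pslist plugins.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e0f3b30 ping.exe            3060   1424 0x0d6c0340 2012-01-16 10:30:42 UTC+0000   2012-01-16 10:30:44 UTC+0000
0x000000003e2a5020 ipconfig.exe        3104   1424 0x0d6c0380 2012-01-16 10:31:01 UTC+0000   2012-01-16 10:31:01 UTC+0000
0x000000003e5cbd40 explorer.exe        1424   1380 0x0d6c0200 2012-01-16 09:05:11 UTC+0000
0x000000003e612a08 svchost.exe         2216    672 0x0d6c02c0 2012-01-16 10:20:07 UTC+0000
"""

PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x81cbd5c8 explorer.exe           1424   1380     15      416      0      0 2012-01-16 09:05:11 UTC+0000
"""

TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

def parse_psscan(text):
    """Return one dict per _EPROCESS found by psscan's pool-tag scan."""
    procs = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # skip header and separator lines
        fields = line.split()
        times = TIMESTAMP.findall(line)  # one timestamp if alive, two if exited
        procs.append({
            "offset": fields[0], "name": fields[1],
            "pid": int(fields[2]), "ppid": int(fields[3]),
            "created": times[0], "exited": times[1] if len(times) > 1 else None,
        })
    return procs

def parse_pslist_pids(text):
    """Return the PIDs reachable by walking the kernel's active-process list."""
    return {int(line.split()[2]) for line in text.splitlines() if line.startswith("0x")}

def triage(psscan_text, pslist_text):
    """Split psscan hits into exited (has an exit time) and hidden (alive but absent from pslist)."""
    listed = parse_pslist_pids(pslist_text)
    exited, hidden = [], []
    for p in parse_psscan(psscan_text):
        if p["exited"]:
            exited.append(p)
        elif p["pid"] not in listed:
            hidden.append(p)  # running, yet unlinked from the list pslist walks
    return {"exited": exited, "hidden": hidden}
```

Calling `triage(PSSCAN_OUTPUT, PSLIST_OUTPUT)` on the sample reports ping.exe and ipconfig.exe as exited and svchost.exe (PID 2216) as hidden; on real plugin output, feed it the saved text of both commands.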
- Detecting lateral movement: getsids
View the SIDs (security identifiers) associated with a process, to identify processes running with maliciously escalated privileges and to see which processes belong to a specific user. Take explorer.exe as an example, where one SID (S-1-5-21-[snip]-1115) does not resolve to an account name.
Explorer.exe is a member of the Administrators group. In this particular scenario, the attacker combined the Poison Ivy (PI) remote access trojan (RAT) with a pass-the-hash (PtH) attack.
- Identifying remote mapped drives
Many attackers rely on commands such as net view and net use to explore their surroundings, then gain read access to servers through mapped remote drives in order to move laterally across the intranet.
- Identifying remote mapped drives: handles
Evidence of a remote mapped drive can be found in memory by locating the corresponding file handle. Use the handles command to view files, registry keys, mutexes, named pipes, events, window stations, desktops, threads, and every other type of executive object that can be stored.
- Identifying remote mapped drives: symlinkscan
Another way of detecting remote mapped shares, which can be used in combination with the above, is to check for symbolic links with the symlinkscan plugin.
- Process memory view: memmap
The memmap command shows which pages are memory-resident, given a particular process's DTB (directory table base). It displays the virtual address of each page, the page's corresponding physical offset, and the page size. The mapping information produced by this command comes from the get_available_addresses method of the underlying address space.
- Process memory extraction: memdump
To extract all memory-resident pages of a process, use the memdump command, which writes the process's addressable memory into a single file.
- Pattern matching: yarascan
Yara, by Victor M. Alvarez (http://plusvic.github.io/yara), is a fast and flexible tool for pattern matching within any data set. The yarascan command scans virtual memory, can be restricted to a specific PID, and can take its rules from a rule file as well as from a literal string.
3. Example analysis: Virut
[Forensic analysis] The Art of Memory Forensics - Windows Forensics (Virut sample forensics)