SANS Digital Forensics and Incident Response Blog

Memory forensics: A practical example

We have an incident on a local company computer. It has all the antimalware protections, a host IPS and Windows GPOs that prevent users from running unauthorized programs, but we still notice suspicious traffic on the network from it, and that traffic appears to be used to exfiltrate information. What can we do to find out what is happening?

Memory forensics can help us here. First we need a memory image, which we acquire with the ManTech MDD tool (http://www.mantech.com/msma/mdd.asp).

After we have the image, we need a tool that can extract the artifacts inside it so we get evidence for our case. We will use the Volatility framework (https://www.volatilesystems.com/default/volatility). It is an open source tool written in Python that can dig into Windows XP memory images and gather information such as the sockets created, the process list, the DLLs loaded by each process, the active connections for each process, the memory addresses of a process, the files opened by each process, and the registry keys active for each process. Let's see its usage by typing python volatility.

Let's see the process list and try to find something odd. We need to type python volatility pslist -f memory.dmp:

Now we have something. PID 2316 seems to be netcat. Let's see if it is currently performing any transfer by checking the active connections on the host, typing python volatility connections -f memory.dmp:

No transfer is currently being made. Could netcat be listening? Let's check for any created sockets by typing python volatility sockscan -f memory.dmp:

Now we have something!! Netcat seems to be listening on tcp (Protocol 6) port 1234. You can check protocol numbers here. Where is it writing? Let's check for opened files by typing python volatility files -f memory.dmp:

It seems to be waiting for an Excel file that is ready to be taken out. I'll show more cases in future posts.
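The steps above (pslist, sockscan, files) are correlated by hand; as an added example that is not code from this post or from Volatility, the script below automates that correlation, flagging any process that owns a TCP socket and also holds a document open. The three sample outputs it parses are constructed for this example in a loose Volatility-1.3-style layout, so adjust the parsers to the columns your version prints.

```python
"""Triage helper: correlate Volatility pslist / sockscan / files output by PID.
Added example for this post (not code from the article or from Volatility). PSLIST,
SOCKSCAN and FILES are constructed samples in a loose Volatility-1.3-style layout."""
from collections import defaultdict
PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      55     254    Thu Aug 06 14:01:40 2009
explorer.exe         1512   1476   14     389    Thu Aug 06 14:02:11 2009
nc.exe               2316   1512   1      31     Thu Aug 06 15:44:03 2009
"""
SOCKSCAN = """\
PID    Port   Proto  Create Time                Offset
4      445    6      Thu Aug 06 14:01:50 2009   0x02a4c008
2316   1234   6      Thu Aug 06 15:44:05 2009   0x02b1e7d0
"""
FILES = r"""
Pid: 1512
File   \WINDOWS\system32
Pid: 2316
File   \Documents and Settings\user\Desktop\finance-q2.xls
"""
DOC_EXT = (".xls", ".xlsx", ".doc", ".docx", ".pdf", ".zip")  # data worth exfiltrating

def rows(text):
    """Whitespace-split fields of every data row, skipping the header and blank lines."""
    return [ln.split() for ln in text.splitlines()[1:] if ln.strip()]

def parse_files(text):
    """Map PID -> list of open file paths from the 'Pid:' / 'File' layout."""
    files, pid = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith("Pid:"):
            pid = int(line.split(":", 1)[1])
        elif line.startswith("File") and pid is not None:
            files[pid].append(line.split(None, 1)[1])  # path may contain spaces
    return files

def triage(pslist=PSLIST, sockscan=SOCKSCAN, files=FILES):
    """Flag processes that own a TCP socket (protocol 6) AND hold a document open,
    the same combination the post reaches by hand. Returns a list of findings."""
    procs = {int(r[1]): {"name": r[0], "ppid": int(r[2])} for r in rows(pslist)}
    socks = defaultdict(list)
    for pid, port, proto, *_ in rows(sockscan):
        socks[int(pid)].append((int(port), int(proto)))
    handles, findings = parse_files(files), []
    for pid, p in sorted(procs.items()):
        tcp = [port for port, proto in socks[pid] if proto == 6]
        docs = [f for f in handles[pid] if f.lower().endswith(DOC_EXT)]
        if tcp and docs:  # System's tcp/445 alone does not trigger
            findings.append({"pid": pid, "name": p["name"], "tcp_ports": tcp, "documents": docs,
                             "parent": procs.get(p["ppid"], {}).get("name")})
    return findings
```

On the constructed samples, triage() returns a single finding for PID 2316 (nc.exe, spawned by explorer.exe, tcp/1234, the .xls open); the System process with only tcp/445 is left alone.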

Manuel Humberto Santander Peláez is the Chief Information Security Officer of Empresas Públicas de Medellín E.S.P. He currently holds the GCFA, GCIA, GNET, GCFW, GCIH and GSEC certifications.

4 Comments

Posted August 11, 2009 at 7:18 PM

Drew Freyman

Does anybody know of a similar software tool for Mac OS X?

Posted August 12, 2009 at 2:46 AM

Juan D. Pineda

Excellent article as always.

Posted August 12, 2009 at 6:29 AM

Yaggi

Hello Manuel,
This is wonderful, I'm glad that every test I made (by following the blog) is a success. Please continue sharing your knowledge, especially forensics on virus infection.

Posted August 22, 2009 at 1:39 PM

Kush Wadhwa

Can you share the memory dump?