SANS Digital Forensics and Incident Response Blog

Malware Can Hide, But It Must Run


Article originally posted in
Author: Alissa Torres

It's October, haunting season. However, in the forensics world, the hunting of evil never ends. And with Windows 10 expected to be the new normal, digital forensics and incident response (DFIR) professionals who lack the necessary (memory) hunting skills will pay the price.
Investigators who do not look at volatile memory are leaving evidence at the crime scene. RAM content holds evidence of user actions, as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.
Although Microsoft is not expected to reach its Windows 10 rollout goal of one billion devices in the next two years, their glossiest OS to date currently makes up 22% of desktop systems according to netmarketshare.com1. By this time, as a forensic examiner, you have either encountered a Windows 10 system as the subject of an investigation or will in the near future. Significant changes introduced with Windows 10 (and actually with each new subsequent update) have required some "re-education" to learn what the "new normal" is.

Let's jump in and check out the differences that Windows 10 has brought to the world of forensics by examining some key changes in the process list. In performing memory analysis, an investigator must understand the normal parent-child hierarchical relationships of native Windows processes. This is the essence of "know normal, find evil" and allows for effective and efficient analysis. Most of you have used the Edge browser which was released with Windows 10 in Summer 2015. Whereas Internet Explorer is typically launched by explorer.exe (run by default as the user's initial process), Edge is spawned by the Runtime Broker process, which has a parent process of svchost (a system process). Edge runs as a Universal Windows Platform (UWP) application, one of the many Windows apps built to run on multiple types of devices. Runtime Broker manages permissions for Windows apps. This hierarchical process relationship deviates from one of the traditional analysis techniques we have relied on in past versions of Windows: System processes will have a parent/grandparent of the SYSTEM process and normal user processes, like browsers, will have parent lineage to explorer.exe. The screenshot below shows the hierarchical structures of a Win10 RTM system Build 10240 using Process Hacker tool.

Figure 1. Typical Hierarchy of Internet Explorer Process

Figure 2. Hierarchical Structure of Microsoft Edge and SearchUI Processes

Other new additions to the Windows process list are SearchUI.exe, the Search and Cortana application and ShellExperienceHost.exe, the Start menu and Desktop UI handler, . As Windows apps, they are both spawned from the same Runtime Broker process as Edge. In this screenshot above, the SearchUI and ShellExperienceHost processes are in gray, indicative of suspended processes. Only one Windows app is in the foreground at a time, those that are out of focus are suspended and swapped out, with process data being compressed and written to the swapfile.sys in the file system2.

Prepare for Internet connections to automatically be spawned by some of these new Win10 processes. OneDrive (formerly known as SkyDrive) has a connection to port 80 outbound and SearchUI (Cortana) creates outbound network connections as well when the user accesses the Start Menu. An example of network activity from the SearchUI process is shown below.

Figure 3. SearchUI.exe Network Connections

The memory data compression behavior first seen in Windows apps on Windows 8 has been implemented on a wider scale in Windows 10. Now when the memory manager detects "memory pressure", meaning there is limited availability for data to be written to physical memory, data is compressed and written to the page file.3 Why is this relevant to the forensic examiner? Analysis of page file data can yield fruit, uncovering trace artifacts that indicate the malware at one point resided on the system. Remember that the contents of the page file was once in physical memory. This data, though highly fragmented, is great for string searches and yara signature scans. With the implementation of Windows 10 memory compression, a new obstacle exists for such analysis.

If you have done investigations involving nefarious command line activity, it is useful to know that the cmd.exe process now spawns its own conhost.exe process as of Windows 8. This is notable because in previous Windows versions, conhost is spawned by the csrss.exe process. I am always leery of a command shell running on an endpoint, particularly one to which a web browser has a handle.

It is often difficult to discern what version of Windows 10 your target system was running at the time memory was acquired. Two significant updates have been pushed since Windows 10 initial release, Threshold 2 in November 2015 and the Anniversary edition in July 2015. Shown below is imageinfo plugin output from Rekall Memory Forensic Framework (1.5.3 Furka)3 detailing the Build Version. With so many different features added between Windows versions as well as significant changes rolled out in updates, having a tool that uses the publicly available Windows symbols, like Rekall, is key. When profiles have to be created in order to support new versions of Windows as seen in analysis tools, there is lag time. Rekall automatically detects the Windows version and uses the hosted profile from its repository by default.

Pic 4

Xbox runs on Windows 10 now and you may be among those celebrating that you can now stream console games to your computer. But how does this effect our forensic findings? Expect to see Xbox gaming services present even if they are not being used. Since malware commonly instantiates new services or hijacks existing ones as a method of persistence, again, it is good to know what normal looks like.


Hopefully a recap on how things have changed in recent versions of Windows will speed your analysis as you work to unravel the story of what evil happened on a system. Happy hunting!

SANS FOR526: Memory Forensics In-Depth course provides you with the advanced skills you need to understand the newest Windows OS changes and find the evidence that might be left in the crime scene otherwise. Learn these critical skills and master the advanced investigative methods to find evidence in volatile memory with course author Alissa Torres at SANS Security East 2017



Posted November 5, 2016 at 4:36 PM | Permalink | Reply

Nathan D

Been wondering what these services were legit.