Memory in Computer Forensics chapter 14

Questions and Answers

What is a characteristic of volatile memories?

They are only used in hard drives

They are non-volatile and can be rewritten multiple times

They retain their contents even after power is shut off

They only hold their contents while power is applied (correct)

What is the fundamental building block of RAM?

Clusters

Sectors

Memory cells (correct)

Registers

What does a high voltage denote in a memory cell?

A 1 in binary (correct)

A damaged memory cell

A 0 in binary

An empty memory cell

What determines the number of memory cells per address in a RAM chip?

The number of bits in the RAM chip

What is the most common type of memory used today?

DRAM

Why is volatile memory critical in forensics?

Because it loses data when power is shut off

What is the primary function of the Memory Address Register (MAR)?

To hold the addresses in memory

What is the main difference between the stack and the heap in memory allocation?

The stack is automatically managed, while the heap is manually managed

What is the purpose of the Translation Lookaside Buffer (TLB)?

To cache recently used mappings of virtual addresses to physical addresses

What is the consequence of a program allocating memory from the heap but not deallocating it?

The program will consume more memory, potentially leading to a system crash

What is the function of a page table?

To map virtual addresses to physical addresses

What happens when a virtual address is not found in the Translation Lookaside Buffer (TLB)?

The page table is searched

What is the primary issue with volatile memory in terms of data retention?

It loses its contents when power is turned off

What is the fundamental difference between a RAM chip and a traditional hard drive?

The way they organize data

What determines the number of memory cells per address in a RAM chip?

The number of bits in the RAM chip

What is the purpose of a memory cell in a RAM chip?

To store a bit of binary information

Why is it not necessarily true that a 64-bit computer has 64-bit RAM?

The RAM is a separate component from the computer

What is a common application of SRAM?

CPU caches and registers

What is the primary function of the Memory Data Register (MDR)?

To store data being transferred to and from memory

What is the result of a program allocating memory from the heap without deallocating it?

The system may crash due to memory consumption

What is the purpose of the page table?

To map virtual addresses to physical addresses

What happens when a process uses virtual addresses?

The process gives the impression of working with contiguous sections of memory

What is the first step in translating a virtual address to a physical address?

Search the Translation Lookaside Buffer (TLB)

What is the characteristic of the stack in memory allocation?

It is automatically allocated and managed

What is the primary purpose of the Volatility tool?

To analyze memory dumps for specific data

What does the profile in Volatility indicate?

The operating system of the machine the memory dump was taken from

What is the format of the Volatility commands?

Plug-ins used to scan a memory dump for specific data

What is the purpose of the first Volatility command?

To get information about Volatility and ensure it is working properly

What is the typical extension of a memory dump file?

.mem,.bin,.dump, or.raw

What is required to use Volatility effectively?

A profile that matches the memory dump used

What does the plist command display in a memory dump?

A list of processes with their IDs, threads, and handles

What is the purpose of the psscan command in malware investigations?

To find processes that previously terminated or were hidden

What information does the svcscan command provide about services in a memory dump?

The process ID, offset, order, start method, and service type of each service

What is SERVICE_WIN32_SHARE_PROCESS in the context of svcscan?

A service type flag that indicates a Win32 service that shares a process with other services

What is the primary difference between the plist and pstree commands?

plist lists processes in a flat list, while pstree lists them in a hierarchical tree

What is the purpose of the pstree command?

To display the processes in a hierarchical tree

What is the benefit of using the psscan command in malware investigations?

It can find processes that previously terminated or were hidden

What is the offset in the context of the svcscan command?

The actual location in memory of a service

What is the purpose of the svcscan command?

To list the details of all services that were in memory

What is the benefit of using Volatility commands in digital forensics?

They can provide detailed information about processes and services in a memory dump

What is the primary function of Volatility?

Analyzing memory dumps for specific data

What is the purpose of the first Volatility command?

To get information about Volatility to ensure it is working properly

What is indicated by the profile in Volatility?

The operating system of the machine the memory dump was taken from

What is the format of Volatility commands?

Command-line interface with a specific format

What is the purpose of the plug-ins in Volatility?

To scan the memory dump for specific data

What is the typical extension of a memory dump file?

.mem,.bin,.dump,.raw

What is the primary function of the psscan command in Volatility?

To find processes that previously terminated or were hidden by a rootkit

What information does the plist command display in a memory dump?

The processes that were in the memory dump, including their PID, PPID, threads, and handles

What is the purpose of the svcscan command?

To display the services that were in memory when the memory dump was taken

What is the benefit of using the hollowfind command in Volatility?

To detect hollowing techniques in a memory dump

What is the purpose of the pstree command in Volatility?

To display the processes in a hierarchical tree, showing their relationships

What is the offset in the context of the svcscan command?

The actual location in memory of a service

What is the purpose of the psxview command in Volatility?

To display information about a specific process ID

What is the benefit of using the psscan command in malware investigations?

It can find hidden processes in a memory dump

What is the purpose of the modscan command in Volatility?

To search for drives, including unlinked drivers

What is the purpose of the dlldump command in Volatility?

To provide dynamic link libraries (DLLs) associated with specific processes

What is the primary characteristic of viruses?

They are software that self-replicates

What is the importance of patch management in cybersecurity?

It ensures that vulnerabilities are addressed before they can be exploited

What is ransomware?

A type of malware that encrypts files and demands payment

Why is Wannacry a noteworthy virus?

It exploited a known vulnerability that had a patch available

What is the purpose of categorizing malware?

To understand the characteristics of malware

What is the relationship between malware categories?

They are not strict and often overlap

What type of malware is Crypto Locker an example of?

Ransomware

What is the primary function of a logic bomb?

To execute malicious activity when a certain condition is met

What is the purpose of a Trojan Horse?

To deliver a virus

What is the purpose of DLL injection?

To force a targeted program to load a malicious DLL

What is the main characteristic of a worm?

It self-propagates

What is the primary purpose of spyware?

To monitor the computer’s activities

What is FinFisher?

Software made for the use of law enforcement

What is Zwangi?

A type of malware that redirects URLs and takes periodic screenshots

What is Crypto Wall?

A type of ransomware

What is the primary issue with spyware?

It exfiltrates data

What is the result of listing a DLL in the registry entry HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs?

The DLL will be loaded into every process that loads User32.dll

What is the purpose of the Volatility command printkey?

To view any particular registry key

What is the technique of creating a process in a suspended state, and then resuming it with malicious code?

Process hollowing

What is indicated by the presence of calls such as VirtualAllocEx() and CreateRemoteThread() in a memory dump?

The presence of a process hollowing

What is the characteristic of memory sections marked as Page_Execute_ReadWrite and having no memory-mapped file present?

It is a sign of process hollowing or DLL injection

What is the purpose of the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerAppCertDLLs?

To load a DLL into every process that calls the Win32 API functions

What is the primary characteristic of viruses?

They are any software that self-replicates

What is the significance of the Wannacry virus in the context of malware investigations?

It highlights the importance of patch management in cybersecurity

What is the relationship between malware categories?

They are flexible and often overlapping

What is the purpose of dividing malware into categories?

To help in analysis and understanding of malware

What is ransomware?

A type of malware that demands payment in exchange for restoring access to data

What is the primary difference between macro viruses and polymorphic viruses?

Macro viruses are created via macros in documents, while polymorphic viruses are created via executable files

What is the effect of listing a DLL in the registry entry HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs?

It will be loaded into every process that loads User32.dll.

What is process hollowing also known as?

Process replacement

What is the purpose of the Volatility command printkey?

To view any particular registry key

What can be a sign of process hollowing or injection in memory dumps?

Calls to VirtualAllocEx() and CreateRemoteThread().

What is the significance of memory sections marked as Page_Execute_ReadWrite and having no memory-mapped file present?

It is a sign of process hollowing.

What is the purpose of creating a process in a suspended state in process hollowing?

To allow the malware to execute without being detected.

What is the primary function of a worm?

To self-propagate and spread to other systems

What is the purpose of DLL injection?

To execute code within the address space of another process

What is the primary characteristic of spyware?

It can monitor a computer's activities in some fashion

What is the primary function of a Trojan horse?

To deliver malware to a system while appearing legitimate

What is the primary function of a logic bomb?

To execute malicious code when a specific condition is met

What is Crypto Wall?

A variant of Crypto Locker that encrypts files and communicates with a command-and-control server

What is the primary issue with spyware in terms of data exfiltration?

The data must be sent to some outside party

What is the primary function of FinFisher?

To monitor a computer's activities in some fashion

What is the primary function of Zwangi?

To redirect URLs and take periodic screenshots of the computer

What is the primary characteristic of Crypto Locker?

It uses asymmetric encryption to lock a user's files

What is the purpose of the Density Scout application?

To analyze file density and identify potential malware

What does the -l option do in Density Scout?

Filters files with density lower than the given value

What is the default mode of Density Scout?

ABS

How can you specify the file type to ignore in Density Scout?

Using the -S option

What is the purpose of the -o option in Density Scout?

To specify the output file

What is the benefit of using the -r option in Density Scout?

It walks recursively through directories

What is the purpose of analyzing the density of files in the WindowsSystem32 directory?

To identify files with odd density values

What type of files are mostly listed in the provided results.txt?

DLL files

What is the characteristic of the DLL files listed in the results.txt?

They have a large range of density values

What is the purpose of looking for files with odd density values?

To identify files that are substantially different from known good files

What can be inferred about the DLL files listed in the results.txt?

They are not, for the most part, Windows System DLLs

What is the purpose of analyzing the density of files in a memory dump?

To identify files with substantially different density values

Study Notes

Density Scout Tool

• Density Scout is a tool used to find malware, often used in conjunction with memory forensics
• It has various options to output data, including:
  • -a: Show errors and empties
  • -d: Just output data (Format: density|path)
  • -l: Files with density lower than the given value
  • -g: Files with density greater than the given value
  • -n: Maximum number of lines to print
  • -m: Mode (ABS or CHI)
  • -o: File to write output to
  • -p: Immediately print if lower than the given density
  • -P: Immediately print if greater than the given density
  • -r: Walk recursively
  • -s: File type(s)
  • -S: File type(s) to ignore
  • -pe: Include all portable executables by magic number
  • -PE: Ignore all portable executables by magic number

Understanding Memory

• Volatile memories only hold their contents while power is applied to the memory device
• Examples of volatile memories include:
  • Static RAM (SRAM)
  • Synchronous static RAM (SSRAM)
  • Synchronous dynamic RAM (SDRAM)
  • Field Programmable Gate Array (FPGA) on-chip memory
• The most common type of memory today is dynamic random access memory (DRAM)
• SRAM is often used for CPU caches and registers
• In RAM, the memory cell is the fundamental building block
• A memory cell is an electronic circuit that stores a bit of binary information

Memory Components

• Memory has various components, including:
  • Memory cells
  • Fetch/store controller
  • Memory address register (MAR)
  • Memory data register (MDR)

Stack vs. Heap

• The stack is computer memory that is automatically allocated and managed as needed for temporary variables within functions inside programs
• The heap is memory that programs can allocate as needed
• The heap is the source of what are commonly called "memory leaks"

Paging

• A page table is a data structure that maps virtual addresses to physical addresses
• Processes use virtual addresses; hardware (RAM) uses physical addresses
• The Memory Management Unit of the CPU stores recently used mappings in the translation lookaside buffer (TLB)
• When a virtual address needs to be translated into a physical address, the first step is to search the TLB

Analyzing Memory with Volatility

• Volatility is a command-line tool for memory analysis

• The first Volatility command is to get information about Volatility to ensure it is working properly

• The command format is: volatility [command] [options] [memory dump file]

• Examples of commands include:

  • volatility --info
  • volatility imageinfo -f [memory dump file]
  • volatility pslist -f [memory dump file]

• The profile indicates the operating system of the machine the memory dump was taken from, not the machine you are running Volatility on### Volatility Commands

• plist command: lists the processes that were in the memory dump, showing the process ID, parent process ID, number of threads, number of handles, and start date/time.

• pstree command: shows the processes in a hierarchical tree, making it clear what process started a particular process.

• psscan command: finds processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit, particularly useful in malware investigations.

• svcscan command: lists details of all services that were in memory when the memory dump was taken, including the service name, type, and state.

Understanding svcscan

• Offset: the actual location in memory.
• Order: the order in which the DLL was loaded into the process.
• Start: how the service starts.
• Process ID: the standard PID.
• Display Name and Service Name: the name of the service.
• Service Type: the type of service (e.g. SERVICE_WIN32_SHARE_PROCESS, SERVICE_WIN32_OWN_PROCESS, etc.).
• Service State: whether the service is started or stopped.
• Binary Path: the path to the executable.

Additional Volatility Commands

• hollowfind command: detects hollowing techniques.
• psxview command: searches for hidden processes.
• modscan command: searches for drives, including unlinked drivers.
• moddump command: extracts kernel drivers.
• dlldump command: provides dynamic link libraries (DLLs) associated with specific processes.

Analyzing Memory with Volatility

• Volatility is a command-line tool for memory analysis.
• The first Volatility command is to get information about Volatility to ensure it is working properly.
• The basic format of commands is volatility [command] -f [memory dump file].
• Profiles indicate the operating system of the machine the memory dump was taken from.

Malware Categories

• Viruses: self-replicating software.
• Worms: self-propagating software that can spread without human interaction.
• Spyware: software that monitors a computer's activities.
• Logic Bombs: execute malicious activity when a specific condition is met.
• Trojan Horses: delivery mechanisms for malware.

Malware Techniques

• DLL injection: forcing a program to load a DLL.
• Process hollowing: disguising malware as a legitimate system process.
• Signs of process hollowing or injection: calls to VirtualAllocEx() and CreateRemoteThread(), and memory sections marked as Page_Execute_ReadWrite with no memory-mapped file present.

Famous Malware Examples

• Crypto Locker: a ransomware that utilizes asymmetric encryption to lock user files.
• Crypto Wall: a variant of Crypto Locker that also takes screenshots of the infected machine.
• FinFisher: spyware made for law enforcement, but leaked to the general public.
• Zwangi: spyware that redirects URLs and takes periodic screenshots.
• Logic Bombs: examples include David Tinley's case, where he programmed a logic bomb to cause software to fail after a period of time.### Ransomware
• Crypto Locker, discovered in 2013, utilizes asymmetric encryption to lock user files.
• Crypto Wall, a variant of Crypto Locker, was first found in August 2014, and can take screenshots of infected machines.

Worms

• A worm is a self-propagating computer virus, making it a more virulent virus.
• Worms often overlap with viruses, making categorization difficult.

Spyware

• Spyware is software that monitors computer activities, such as keyloggers and screen capture software.
• Data exfiltration is a key concern, as spyware must send data to an outside party.
• Memory forensics can help detect spyware by searching for processes creating sockets to outside IP addresses.
• Legitimate uses of spyware include parental monitoring and employer monitoring of company-owned machines.

Famous Instances of Spyware

• FinFisher, software made for law enforcement, was leaked to the public and widely used.
• Zwangi, another famous spyware, redirected URLs and took periodic screenshots of infected computers.

Logic Bombs

• Logic bombs execute malicious activity when a logical condition is met, such as a specific time or event.
• Examples include programmers inserting logic bombs into company software to delete files if their employment is terminated.

Trojan Horses

• Trojan horses are delivery mechanisms for malware, disguising themselves as legitimate software.
• Examples include the Gh0st RAT, which provided remote access to infected machines.

Malware Hiding Techniques

• DLL injection is a technique used by malware to covertly execute code on systems.
• This involves forcing a targeted program to load a malicious DLL, often using specific registry keys.

Description

Test your knowledge on volatile memories, their characteristics, and examples such as SRAM, SDRAM, and FPGA. Learn how they work and why they're crucial in computer forensics. Discover the differences between volatile and dynamic random access memory (DRAM).