Wednesday, April 11, 2012

Malware Memory Analysis

Acquiring RAM From A Live System

In the not so distant past, it was common practice when encountering a system that needed to be acquired or had been compromised to disconnect the power from the system in order to preserve the "state" of the system for later forensic analysis. We have since learned that valuable data is lost when the system is powered off, and every attempt should be made to capture this volatile data before the system is powered off. This may include, but is not limited to, the following:
  • Current network connections
  • Running processes
  • Currently mapped drives or shares
  • Users currently logged on
  • System memory

Acquiring the memory from a system is a relatively new step in collecting volatile data. It wasn't until recent years that we learned how to analyze this data in order to extract the valuable information contained within the memory.

Some of the valuable data that can be found in memory consists of the following:

  • Current processes and DLLs
  • Network connections
  • Unencrypted passwords
  • Registry entries

There are many tools available that you can use to acquire the live memory from a system. Below is a list of some of the popular free tools:

FTK Imager (Windows)
  • The Lite version does not need to be installed and can be run from a USB drive

HBGary FastDump (Windows)
  • Supports only 32-bit systems
  • Up to 4 GB of RAM
  • Does not support Vista, Windows 2003, or Windows 2008

MoonSols DumpIt (Windows)
  • Works with both x86 (32-bit) and x64 (64-bit) machines

Mandiant Memoryze (Windows), officially supports:
  • Windows 2000 Service Pack 4 (32-bit)
  • Windows XP Service Pack 2 and Service Pack 3 (32-bit)
  • Windows Vista Service Pack 1 and Service Pack 2 (32-bit)
  • Windows 2003 Service Pack 2 (32-bit)
  • Windows 2003 Service Pack 2 (64-bit)
  • Windows 7 Service Pack 0 (32-bit)
  • Windows 7 Service Pack 0 (64-bit)
  • *Windows 2008 Service Pack 1 and Service Pack 2 (32-bit)
  • Windows 2008 R2 Service Pack 0 (64-bit)

dd (*nix)
  • Comes standard on most *nix systems
  • Can be used to capture the contents of physical memory using a device file (e.g. /dev/mem or /dev/kmem)

Mac Memory Reader (Mac)
  • Executes directly on 32- and 64-bit target machines running Mac OS X 10.4 through 10.7 and requires a PowerPC G4 or newer or any Intel processor
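The dd entry above describes capturing physical memory through a device file. As an added example (not part of the original post), the shell functions below wrap that capture in the handling a practitioner wants around it: they refuse to overwrite an existing image, hash the image as soon as it is written, record acquisition metadata, and re-verify the hash before analysis. The source and destination paths are parameters, so the same functions work with any readable device or file; /dev/mem is assumed readable, which modern Linux kernels frequently do not allow.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps a dd memory capture with
# the checks a practitioner wants: no overwriting, immediate hashing, an
# acquisition log, and a verification step to run before analysis.

# acquire_memory SOURCE DEST
#   SOURCE: device file such as /dev/mem (assumed readable; modern Linux
#           kernels usually restrict it, so another capture method may be needed)
#   DEST:   image path on external media, never on the subject's own disk
acquire_memory() {
  src="$1"; dst="$2"
  [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
  [ -e "$dst" ] && { echo "refusing to overwrite $dst" >&2; return 1; }
  # noerror: keep going past unreadable regions; sync: pad them so offsets
  # in the image still line up with the source. dd's own stats are kept too.
  dd if="$src" of="$dst" bs=1048576 conv=noerror,sync 2>"$dst.dd.txt" || return 1
  # Hash at capture time so later analysis can show the image is unchanged.
  sha256sum "$dst" > "$dst.sha256" || return 1
  # Record what was captured, from where, when, and by which host.
  {
    echo "source=$src"
    echo "image=$dst"
    echo "host=$(uname -n)"
    echo "captured_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "size_bytes=$(wc -c < "$dst" | tr -d ' ')"
    echo "sha256=$(cut -d' ' -f1 "$dst.sha256")"
  } > "$dst.log"
}

# verify_image IMAGE: succeed only if IMAGE still matches its recorded hash.
verify_image() {
  sha256sum -c "$1.sha256" >/dev/null 2>&1
}
```

Because the destination is written with a plain dd, the image, its .sha256 file and its log should all go to the same external volume so they travel together with the evidence.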

Once you have acquired the system memory, the next task is extracting the data from the image. Below are three tools that can be used to extract this data. Over the next couple of blog postings, I will use each tool on the same memory samples to evaluate the ease of use of each program along with their differences. I will utilize and evaluate each program as a person who has had no formal training on using the tool or on malware analysis, but who can apply common troubleshooting skills to identify the threats contained within each memory sample. All samples used for this evaluation will be the publicly available samples found on the Google Code - Volatility page.

The three applications used for memory analysis are:

  • Volatility
  • Mandiant Redline
  • HBGary Responder (community edition)


  1. The information about HBGary's FastDump is somewhat misleading. There is a version of FastDump (called FastDump Pro) which supports 64-bit systems running 4+ gigabytes of RAM.