Memory Forensics: Uncovering Hidden Evidence

Introduction

Attackers constantly develop new techniques, and hundreds of malicious programs and scripts are written and tested to bypass security controls. Staying current and equipping oneself with a diverse set of tools and techniques that match the strategies of threat actors is essential. Memory forensics is one such discipline: a branch of digital forensics that examines volatile memory (RAM) to recover evidence and reconstruct events. Unlike traditional disk forensics, which focuses on persistent storage, memory forensics captures the state of a running system at the moment of acquisition: the processes, network connections, loaded modules and injected code that were present, including many things that never existed as files on disk. Memory forensics is a vital part of many digital forensic examinations and incident response engagements today.

Fileless attacks have gained momentum throughout the twenty-first century and are now common. As an illustration, a payload may be injected directly into memory with PowerShell without ever being written to disk as a file. Process hollowing, dynamic-link library injection, process doppelgänging and the other sub-techniques of process injection are used not only by advanced state-sponsored threat groups but also by operators of commodity malware. The artifacts these techniques leave behind exist only in RAM, which is exactly what memory forensics is designed to recover.

Post-exploitation frameworks such as Metasploit and Cobalt Strike are used by attackers to generate malicious payloads and inject them directly into memory. Cobalt Strike in particular has become so popular that many intrusion groups have abandoned custom malware in favour of it. Evil Corp, whose members are believed to be behind many ransomware attacks including the one on Garmin, used Cobalt Strike’s Beacon in its WastedLocker campaigns.

Types of Memory

Random Access Memory (RAM): Stores the data and instructions currently being used by the CPU. It is volatile: its contents are lost shortly after power is removed, which is why it must be acquired while the system is running.

Virtual Memory: Extends RAM by backing part of each process’s address space with a region of disk (the page file on Windows, swap on Linux). Pages that have been swapped out are not present in a RAM image, so the page file and the hibernation file (hiberfil.sys on Windows) should be collected alongside the memory dump when they are available.

Read-Only Memory (ROM): Stores permanent instructions and data, such as the BIOS/UEFI firmware. ROM is rarely the subject of memory forensics; firmware analysis is a separate discipline.

Memory Forensics Techniques

Live Memory Acquisition: Captures an image of physical memory while the system is running, typically with a kernel driver loaded for the purpose or, for virtual machines, with a hypervisor-level snapshot that does not touch the guest at all.

Post-mortem Memory Acquisition: Recovers memory contents from a system that is no longer running. Because RAM loses its contents when power is removed, this relies on copies of memory that were written to disk: the hibernation file, the page file, crash dumps, or a virtual machine’s saved-state and snapshot files.

Memory Analysis: Examines the acquired image to identify artifacts such as running and terminated processes, loaded modules, open handles, network connections and injected code, and to extract executables, configuration data and other evidence from it.

Example: Uncovering Malware Activity

Consider a scenario where a system is suspected of being infected with malware. Memory forensics can be used to:

1. Acquire Live Memory: A live memory acquisition tool is used to capture an image of the system’s memory while it is still running, before anything else is done to the host.

2. Analyze Memory: The acquired image is analyzed with a forensic framework to list processes, their parent/child relationships, their on-disk paths, loaded modules and network connections.

3. Identify Malware: The analysis reveals a process that does not match the expected baseline, for example a system process name running from a user-writable directory under an unexpected parent, which is communicating with a remote server known to host malware.

4. Extract Evidence: The memory image is examined further to carve the malware’s executable out of the process’s address space and to recover its configuration, such as command-and-control addresses, which in a fileless attack may exist nowhere else.
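The steps above, and the analysis technique described earlier, can be shown end to end in a small amount of code. The following Python script is an added example and is not code from the original post or from Volatility: it applies baseline rules to process and connection records of the kind that Volatility’s `pslist` and `netscan` plugins produce, then carves a PE image out of a raw byte buffer and pulls URL-shaped configuration strings from it. All process records, the threat-intel IP, and the “dump” bytes are constructed here, and the expected parent/path table assumes a standard Windows 10 boot chain.

```python
"""Triage of Volatility-style pslist/netscan records and carving of an
in-memory PE image from a raw dump.  Added example, not code from the
original post or from Volatility; every record and byte below is constructed."""
import re
import struct
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


@dataclass
class Conn:
    pid: int
    faddr: str  # "ip:port" of the remote end


# Parent/child and path expectations for core Windows processes
# (assumption: a standard Windows 10 boot chain).
EXPECTED_PARENT = {"services.exe": "wininit.exe", "lsass.exe": "wininit.exe",
                   "svchost.exe": "services.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed threat-intel list (a TEST-NET-3 address, not a real C2 server).
KNOWN_BAD_IPS = {"203.0.113.45"}


def triage(procs, conns, bad_ips=KNOWN_BAD_IPS):
    """Return (pid, reason) findings: core processes with the wrong parent or
    path, and connections to known-bad hosts joined to the owning process."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in EXPECTED_PARENT:
            continue
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else "<none>"
        if pname != EXPECTED_PARENT[name]:
            findings.append((p.pid, f"{p.name} parented by {pname}, expected {EXPECTED_PARENT[name]}"))
        if not p.path.lower().startswith(SYSTEM32):
            findings.append((p.pid, f"{p.name} running from {p.path}"))
    for c in conns:
        ip = c.faddr.rsplit(":", 1)[0]
        if ip in bad_ips:
            owner = by_pid.get(c.pid)
            findings.append((c.pid, f"{owner.name if owner else '?'} connected to known-bad {c.faddr}"))
    return findings


def carve_pe_images(dump: bytes):
    """Return (offset, image) for every 'MZ' whose e_lfanew points at a valid
    PE signature.  Image length is taken from OptionalHeader.SizeOfImage
    (assumption: the image is still mapped contiguously in the dump)."""
    found = []
    off = dump.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(dump):
            e_lfanew = struct.unpack_from("<I", dump, off + 0x3C)[0]
            pe = off + e_lfanew
            if 0 < e_lfanew < 0x400 and pe + 84 <= len(dump) and dump[pe:pe + 4] == b"PE\0\0":
                size = struct.unpack_from("<I", dump, pe + 24 + 56)[0]  # SizeOfImage
                found.append((off, dump[off:off + size]))
        off = dump.find(b"MZ", off + 1)
    return found


def extract_urls(image: bytes):
    """Pull printable URL-shaped strings, a common home for C2 configuration."""
    return re.findall(rb"https?://[\x21-\x7e]+", image)


def build_fake_pe(size_of_image=0x200, config=b"http://203.0.113.45/gate.php"):
    """Constructed minimal PE32 image: DOS header, COFF header, optional header, config string."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)               # SizeOfImage
    image = dos + coff + opt + b"\0" * 16 + config + b"\0"
    return bytes(image) + b"\0" * (size_of_image - len(image))


# Constructed sample data standing in for pslist / netscan output and a raw dump.
# The lone "MZ" at offset 100 is a decoy with no PE header behind it.
SAMPLE_PROCS = [
    Proc(4, 0, "System", ""),
    Proc(500, 400, "wininit.exe", "C:\\Windows\\System32\\wininit.exe"),
    Proc(600, 500, "services.exe", "C:\\Windows\\System32\\services.exe"),
    Proc(650, 500, "lsass.exe", "C:\\Windows\\System32\\lsass.exe"),
    Proc(700, 600, "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
    Proc(1200, 1100, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Proc(2800, 1200, "powershell.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    Proc(3000, 2800, "svchost.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"),
]
SAMPLE_CONNS = [Conn(700, "10.0.0.5:445"), Conn(3000, "203.0.113.45:443")]
SAMPLE_DUMP = b"\0" * 100 + b"MZ" + b"\0" * 200 + build_fake_pe() + b"\xff" * 64


if __name__ == "__main__":
    for pid, why in triage(SAMPLE_PROCS, SAMPLE_CONNS):
        print(f"[pid {pid}] {why}")
    for off, img in carve_pe_images(SAMPLE_DUMP):
        print(f"PE at dump offset {off:#x}, {len(img)} bytes, config: {extract_urls(img)}")
```

Run as written, the triage flags only PID 3000: a copy of svchost.exe under a PowerShell parent, running from a temp directory, and connected to the listed address; the carver skips the decoy `MZ` and recovers the single 512-byte image with its embedded URL. The same rules transfer directly to real Volatility output, where the baseline table and threat-intel list would be replaced by the analyst’s own.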

Memory Forensics Tools

Most operating systems do not ship with a tool for creating a comprehensive physical memory dump, so specialized acquisition tools such as WinPmem (Windows) or LiME (Linux) are needed. Analysis is a separate step: Volatility, an open-source framework, extracts digital artifacts from memory images but does not acquire them. It supports the popular operating systems (Windows, Linux and macOS), provided a symbol table or profile matching the target kernel is available.

Benefits of Memory Forensics

Point-in-time Analysis: Provides a view of what was actually executing on the system at the moment of acquisition, rather than what was installed on disk.

Volatile Evidence Recovery: Recovers evidence that never reached persistent storage, or that has already been overwritten there.

Incident Response: Facilitates rapid response to security incidents and data breaches.

Malware Detection: Uncovers hidden malware that may evade traditional detection methods.

Forensic Analysis: Complements traditional forensic investigations by providing additional context and evidence.

Challenges in Memory Forensics

RAM is very fragile as a source of evidence. Even a small interaction with the system alters memory contents, and those changes cannot be undone, so data preservation is one of the most important challenges in memory analysis. The acquisition tool itself must be loaded into memory and overwrites some of what it is meant to capture, and because memory keeps changing while it is being read, a live image is not atomic and can contain inconsistencies. In some cases the dump tool can overload and crash a running production system, and a malware-infected system may already be unstable, so creating a dump can jeopardize its functioning. For these reasons memory is normally captured first, before disk imaging or any other action on the host, and every step is documented.

Conclusion

Memory forensics is a powerful tool for uncovering hidden evidence and reconstructing events in digital investigations. By examining volatile memory, forensic examiners can gain valuable insights into system activity, identify malicious behaviour, and recover critical evidence. As technology continues to evolve, memory forensics will remain an essential technique for combating cybercrime and ensuring digital security.
