Acquiring Windows Memory For Incident Response

It was a busy week. Some of you made the annual trek out to San Francisco, while the rest of you were stuck working diligently in your office. Me...well, I'm in the latter group.I'm not complaining, though, because I was one of the five finalists for Top Technical Security Blog in the 2010 Social Security Blogger Awards. And, while I didn't win, it was an honor to be included with the likes of the SANS Internet Storm Center, which did win. Plus, I won a 2010 Superior Accomplishment Award from the University of Florida, which was quite exciting. But being a restless geek, what I enjoyed most was working with some sweet memory analysis tools and pulling apart some Zeus binaries.

So, are you ready to talk about detecting malware through Windows memory analysis? Yeah, that's what I thought. First, let's recap and then look at imaging options. In my last post, I talked about how you need to get creative in your approaches to detecting malware -- or any kind of compromise. Paying attention to what is getting blocked in application whitelisting is one good way, but some other approaches include passive monitoring of DNS lookups, tracking traffic attempts to known bad IPs and domains (Malware Domains, Zeus tracker, etc.), host-based log monitoring (OSSEC HIDS), and bleeding-edge Snort rules from the Emerging Threats community.

Most of the methods I mentioned identify malware at the network level. Encryption and tunneling can make detection much more difficult, and that's where Windows memory analysis can help. The first hurdle is getting the memory for analysis. You can approach that a couple of ways. The most common method is to run a utility like Memoryze, FastDump Pro, win32dd/win64dd, or FTK Imager on the local system.

This will create an image of memory similar to imaging a hard drive. The image can then be analyzed in a variety of ways, from simple static analysis of strings to determining what processes, ports, and files were open.

The second method is to acquire the memory remotely, typically with an expensive "enterprise" forensic and incident response solution. Products like Mandiant Intelligent Response, AccessData Enterprise, Encase Enterprise, and F-Response can all be used to image memory over the network from a remote Windows system. Some of the standalone forensic tools are also gaining this ability. HBGary Responder Professional is one example that can perform acquisition remotely in addition to full memory analysis, malware analysis, and disassembly.

The final option does not actually create an image of memory. Instead, live analysis of memory is performed on a running Windows system using tools like Memoryze and F-Response. This approach has its pros and cons, but it's one worth considering based on the type of case. Take a look at Mandiant's recent webinar, "Fresh Prints: Malware Behaving Badly," and its blog entry about Audit Viewer's Malware Rating Index feature. The company discusses live analysis a bit and how the "Verify Digital Signatures" option in Audit Viewer works only during live analysis.

As you can see, there are numerous tools for imaging and accessing memory. Making the best choice will come down to your specific environment. Detecting malware through memory analysis goes beyond acquisition, but it is the biggest hurdle because without it, there's nothing to analyze. In my next post I'll dig into some of the tools for analysis and how they can help with malware detection.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.