Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:57 PM
John H. Sawyer
John H. Sawyer

Acquiring Windows Memory For Incident Response

It was a busy week. Some of you made the annual trek out to San Francisco, while the rest of you were stuck working diligently in your office. Me...well, I'm in the latter group.

It was a busy week. Some of you made the annual trek out to San Francisco, while the rest of you were stuck working diligently in your office. Me...well, I'm in the latter group.I'm not complaining, though, because I was one of the five finalists for Top Technical Security Blog in the 2010 Social Security Blogger Awards. And, while I didn't win, it was an honor to be included with the likes of the SANS Internet Storm Center, which did win. Plus, I won a 2010 Superior Accomplishment Award from the University of Florida, which was quite exciting. But being a restless geek, what I enjoyed most was working with some sweet memory analysis tools and pulling apart some Zeus binaries.

So, are you ready to talk about detecting malware through Windows memory analysis? Yeah, that's what I thought. First, let's recap and then look at imaging options. In my last post, I talked about how you need to get creative in your approaches to detecting malware -- or any kind of compromise. Paying attention to what is getting blocked in application whitelisting is one good way, but some other approaches include passive monitoring of DNS lookups, tracking traffic attempts to known bad IPs and domains (Malware Domains, Zeus tracker, etc.), host-based log monitoring (OSSEC HIDS), and bleeding-edge Snort rules from the Emerging Threats community.

Most of the methods I mentioned identify malware at the network level. Encryption and tunneling can make detection much more difficult, and that's where Windows memory analysis can help. The first hurdle is getting the memory for analysis. You can approach that a couple of ways. The most common method is to run a utility like Memoryze, FastDump Pro, win32dd/win64dd, or FTK Imager on the local system.

This will create an image of memory similar to imaging a hard drive. The image can then be analyzed in a variety of ways, from simple static analysis of strings to determining what processes, ports, and files were open.

The second method is to acquire the memory remotely, typically with an expensive "enterprise" forensic and incident response solution. Products like Mandiant Intelligent Response, AccessData Enterprise, Encase Enterprise, and F-Response can all be used to image memory over the network from a remote Windows system. Some of the standalone forensic tools are also gaining this ability. HBGary Responder Professional is one example that can perform acquisition remotely in addition to full memory analysis, malware analysis, and disassembly.

The final option does not actually create an image of memory. Instead, live analysis of memory is performed on a running Windows system using tools like Memoryze and F-Response. This approach has its pros and cons, but it's one worth considering based on the type of case. Take a look at Mandiant's recent webinar, "Fresh Prints: Malware Behaving Badly," and its blog entry about Audit Viewer's Malware Rating Index feature. The company discusses live analysis a bit and how the "Verify Digital Signatures" option in Audit Viewer works only during live analysis.

As you can see, there are numerous tools for imaging and accessing memory. Making the best choice will come down to your specific environment. Detecting malware through memory analysis goes beyond acquisition, but it is the biggest hurdle because without it, there's nothing to analyze. In my next post I'll dig into some of the tools for analysis and how they can help with malware detection.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-25
A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node....
PUBLISHED: 2021-02-25
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in inte...
PUBLISHED: 2021-02-25
The restify-paginate package 0.0.5 for Node.js allows remote attackers to cause a Denial-of-Service by omitting the HTTP Host header. A Restify-based web service would crash with an uncaught exception.
PUBLISHED: 2021-02-25
A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the 'source' parameter.
PUBLISHED: 2021-02-25
Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents.