Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:57 PM
John H. Sawyer
John H. Sawyer

Acquiring Windows Memory For Incident Response

It was a busy week. Some of you made the annual trek out to San Francisco, while the rest of you were stuck working diligently in your office. Me...well, I'm in the latter group.

It was a busy week. Some of you made the annual trek out to San Francisco, while the rest of you were stuck working diligently in your office. Me...well, I'm in the latter group.I'm not complaining, though, because I was one of the five finalists for Top Technical Security Blog in the 2010 Social Security Blogger Awards. And, while I didn't win, it was an honor to be included with the likes of the SANS Internet Storm Center, which did win. Plus, I won a 2010 Superior Accomplishment Award from the University of Florida, which was quite exciting. But being a restless geek, what I enjoyed most was working with some sweet memory analysis tools and pulling apart some Zeus binaries.

So, are you ready to talk about detecting malware through Windows memory analysis? Yeah, that's what I thought. First, let's recap and then look at imaging options. In my last post, I talked about how you need to get creative in your approaches to detecting malware -- or any kind of compromise. Paying attention to what is getting blocked in application whitelisting is one good way, but some other approaches include passive monitoring of DNS lookups, tracking traffic attempts to known bad IPs and domains (Malware Domains, Zeus tracker, etc.), host-based log monitoring (OSSEC HIDS), and bleeding-edge Snort rules from the Emerging Threats community.

Most of the methods I mentioned identify malware at the network level. Encryption and tunneling can make detection much more difficult, and that's where Windows memory analysis can help. The first hurdle is getting the memory for analysis. You can approach that a couple of ways. The most common method is to run a utility like Memoryze, FastDump Pro, win32dd/win64dd, or FTK Imager on the local system.

This will create an image of memory similar to imaging a hard drive. The image can then be analyzed in a variety of ways, from simple static analysis of strings to determining what processes, ports, and files were open.

The second method is to acquire the memory remotely, typically with an expensive "enterprise" forensic and incident response solution. Products like Mandiant Intelligent Response, AccessData Enterprise, Encase Enterprise, and F-Response can all be used to image memory over the network from a remote Windows system. Some of the standalone forensic tools are also gaining this ability. HBGary Responder Professional is one example that can perform acquisition remotely in addition to full memory analysis, malware analysis, and disassembly.

The final option does not actually create an image of memory. Instead, live analysis of memory is performed on a running Windows system using tools like Memoryze and F-Response. This approach has its pros and cons, but it's one worth considering based on the type of case. Take a look at Mandiant's recent webinar, "Fresh Prints: Malware Behaving Badly," and its blog entry about Audit Viewer's Malware Rating Index feature. The company discusses live analysis a bit and how the "Verify Digital Signatures" option in Audit Viewer works only during live analysis.

As you can see, there are numerous tools for imaging and accessing memory. Making the best choice will come down to your specific environment. Detecting malware through memory analysis goes beyond acquisition, but it is the biggest hurdle because without it, there's nothing to analyze. In my next post I'll dig into some of the tools for analysis and how they can help with malware detection.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.