Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/8/2010
02:24 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

New Analysis Tools For Windows Memory

Last week I looked at some creative uses of log analysis for detecting malware, and ways to acquire Windows physical memory for analysis. What I've seen time and time again is where those in charge of security don't even bother to log information from their systems and applications, leading them to a much larger incident response scenario than if they could detect it sooner.

Last week I looked at some creative uses of log analysis for detecting malware, and ways to acquire Windows physical memory for analysis. What I've seen time and time again is where those in charge of security don't even bother to log information from their systems and applications, leading them to a much larger incident response scenario than if they could detect it sooner.It's situations like those where the incident process could have been much quicker and less time-consuming had they been regularly performing simple searches on logs to know what's going on within their network. Log analysis is tedious work; I won't deny that, but it can save a lot of headaches later on. Yeah, I know. Enough preaching about logs...let's dig into some of the tools for analyzing those dumps of Windows memory we talked about acquiring on Friday.

So, now that you have an image or direct access to Windows memory, what are you going to do with it? There's a large number of tools that have been released in the last few years to aid with this. Two of my recently updated favorites are HBGary Responder Pro and the tag-team duo of Memoryze and Audit Viewer. There are certainly others, but I find myself going back to them more often lately because they work well, and they support more versions of Windows.

AccessData's Forensic Toolkit (FTK) newest version 3 does deserve an honorable mention because the latest version adds some great memory analysis features not available in previous versions. It also combines analysis of the Windows pagefile and a memory dump for a more complete picture of what's going on. This is something that most other tools do not do with the exception of Responder Pro. Memoryze will use the pagefile, but only during live analysis. There may be some others but I'm not aware of them at this time.

I like Responder Pro because it has really well-laid out interface and will acquire memory, analyze memory, disassemble binaries (executables), record an executable's behavior, and more. It comes with FastDump Pro that will acquire memory and the pagefile in addition to "probing" processes so that parts of memory that have been paged out to the page file will be pushed up into physical memory prior to imaging.

Last week, I was testing a few Zeus executables I pulled from the Zeus Tracker. With Responder's Recon utility, I was able to load the malware and it traced all of the behavior so I could see what modifications were made to the file system, the Windows Registry, and associated network connections. There is a timeline feature that lets you walk through the changes and showed a graph of program execution similar to what you see when you disassemble an executable in IDA Pro. Very cool stuff.

The combination of Mandiant's Memoryze and Audit Viewer is a powerful, free solution for both memory acquisition and analysis. On the analysis front, Audit Viewer provides a GUI to the XML reports generated by Memoryze. It's tabbed interface makes it easy to dig through the results for all processes, files, directories, registry keys, DLLs, strings, ports, and more. There's other features, too, besides the standard memory analysis such as marking processes red that have injected DLLs and the new Malware Rating Index.

Now, you've got the tools to do acquisition and analysis of Windows memory. Go out and start testing the tools to see what fits best for you organization's incident response procedures. Having memory on hand will greatly enhance your ability to determine the who, what, and how of security incident.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.