Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/8/2010
02:24 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

New Analysis Tools For Windows Memory

Last week I looked at some creative uses of log analysis for detecting malware, and ways to acquire Windows physical memory for analysis. What I've seen time and time again is where those in charge of security don't even bother to log information from their systems and applications, leading them to a much larger incident response scenario than if they could detect it sooner.

Last week I looked at some creative uses of log analysis for detecting malware, and ways to acquire Windows physical memory for analysis. What I've seen time and time again is where those in charge of security don't even bother to log information from their systems and applications, leading them to a much larger incident response scenario than if they could detect it sooner.It's situations like those where the incident process could have been much quicker and less time-consuming had they been regularly performing simple searches on logs to know what's going on within their network. Log analysis is tedious work; I won't deny that, but it can save a lot of headaches later on. Yeah, I know. Enough preaching about logs...let's dig into some of the tools for analyzing those dumps of Windows memory we talked about acquiring on Friday.

So, now that you have an image or direct access to Windows memory, what are you going to do with it? There's a large number of tools that have been released in the last few years to aid with this. Two of my recently updated favorites are HBGary Responder Pro and the tag-team duo of Memoryze and Audit Viewer. There are certainly others, but I find myself going back to them more often lately because they work well, and they support more versions of Windows.

AccessData's Forensic Toolkit (FTK) newest version 3 does deserve an honorable mention because the latest version adds some great memory analysis features not available in previous versions. It also combines analysis of the Windows pagefile and a memory dump for a more complete picture of what's going on. This is something that most other tools do not do with the exception of Responder Pro. Memoryze will use the pagefile, but only during live analysis. There may be some others but I'm not aware of them at this time.

I like Responder Pro because it has really well-laid out interface and will acquire memory, analyze memory, disassemble binaries (executables), record an executable's behavior, and more. It comes with FastDump Pro that will acquire memory and the pagefile in addition to "probing" processes so that parts of memory that have been paged out to the page file will be pushed up into physical memory prior to imaging.

Last week, I was testing a few Zeus executables I pulled from the Zeus Tracker. With Responder's Recon utility, I was able to load the malware and it traced all of the behavior so I could see what modifications were made to the file system, the Windows Registry, and associated network connections. There is a timeline feature that lets you walk through the changes and showed a graph of program execution similar to what you see when you disassemble an executable in IDA Pro. Very cool stuff.

The combination of Mandiant's Memoryze and Audit Viewer is a powerful, free solution for both memory acquisition and analysis. On the analysis front, Audit Viewer provides a GUI to the XML reports generated by Memoryze. It's tabbed interface makes it easy to dig through the results for all processes, files, directories, registry keys, DLLs, strings, ports, and more. There's other features, too, besides the standard memory analysis such as marking processes red that have injected DLLs and the new Malware Rating Index.

Now, you've got the tools to do acquisition and analysis of Windows memory. Go out and start testing the tools to see what fits best for you organization's incident response procedures. Having memory on hand will greatly enhance your ability to determine the who, what, and how of security incident.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20327
PUBLISHED: 2021-02-25
A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node....
CVE-2021-20328
PUBLISHED: 2021-02-25
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in inte...
CVE-2020-27543
PUBLISHED: 2021-02-25
The restify-paginate package 0.0.5 for Node.js allows remote attackers to cause a Denial-of-Service by omitting the HTTP Host header. A Restify-based web service would crash with an uncaught exception.
CVE-2020-23534
PUBLISHED: 2021-02-25
A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the 'source' parameter.
CVE-2021-27330
PUBLISHED: 2021-02-25
Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents.