Incident Response and Forensics
Memory can be captured from machines in a number of ways. Live machines (powered on) can have their memory captured with one of the following tools:
- FTK Imager
- Redline *Requires registration, but Redline has a nice GUI
- DumpIt.exe
- win32dd.exe / win64dd.exe *Has fantastic psexec support, great for IT departments if your EDR solution doesn't support this
These tools typically output a .raw file containing an image of the system memory.
Offline machines can have their memory pulled easily if their drives aren't encrypted. On Windows systems, `%SystemDrive%/hiberfil.sys`, better known as the Windows hibernation file, contains a compressed memory image from the previous boot; Windows uses it to provide faster boot-up times.
Here's a quick summary of the file that holds the memory image for different virtual machine hypervisors:
- VMware - .vmem file
- Hyper-V - .bin file
- Parallels - .mem file
- VirtualBox - .sav file *This is only a partial memory file; you'll need to dump memory as you would on a bare-metal system for this hypervisor
The captured image is then analysed with Volatility. First identify the profile (the OS and service-pack layout Volatility needs in order to parse the image):

```
./volatility_2.6_lin64_standalone -f 'file' imageinfo
```

Then run plugins against the image with the suggested profile:

```
./volatility_2.6_lin64_standalone -f 'file' --profile=WinXPSP2x86 <plugin>
```

where `<plugin>` is one of:
- pslist - walks the active process list
- psxview - cross-references several process enumeration methods to expose processes hidden from pslist
- netscan - scans for network connection and socket objects (Vista and later; XP/2003 profiles use connscan and sockscan instead)
- ldrmodules - compares the PEB module lists to find unlinked or unlisted DLLs
- malfind - finds memory regions with suspicious protections that may hold injected code
- apihooks - detects inline and import/export table hooks in user and kernel memory
- dlllist - lists the DLLs loaded by each process
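The profile-then-plugins workflow above, scripted as a batch triage run. This is an added example, not code from the original page or from the Volatility project; it assumes the standalone binary sits at `./volatility_2.6_lin64_standalone` (override with `VOL`) and that the `imageinfo` and `psxview` reports keep their Volatility 2.6 layout. The sample reports embedded at the bottom are constructed so the parsers can be exercised without a memory image.

```shell
#!/bin/sh
# Batch triage with the Volatility 2.6 standalone binary: detect the profile from
# imageinfo, run the plugin set, and flag processes psxview sees but pslist does not.
VOL="${VOL:-./volatility_2.6_lin64_standalone}"   # assumed path to the binary
PLUGINS="pslist psxview netscan ldrmodules malfind apihooks dlllist"

# Print the first profile named in an imageinfo report read from stdin.
suggested_profile() {
    sed -n 's/^ *Suggested Profile(s) *: *\([A-Za-z0-9_]*\).*/\1/p' | head -n 1
}

# Read a psxview table from stdin and print "PID NAME" for rows whose pslist column
# is False: processes found by other enumeration methods but unlinked from the
# active process list, which is what DKOM-style hiding looks like.
hidden_from_pslist() {
    awk 'NR > 2 && $4 == "False" { print $3, $2 }'
}

# Run imageinfo and every plugin in PLUGINS against IMAGE; one file per plugin in OUTDIR.
run_triage() {
    image="$1"; outdir="$2"
    mkdir -p "$outdir"
    "$VOL" -f "$image" imageinfo > "$outdir/imageinfo.txt" 2>/dev/null || return 1
    profile=$(suggested_profile < "$outdir/imageinfo.txt")
    [ -n "$profile" ] || { echo "no profile suggested; rerun with --profile" >&2; return 1; }
    for p in $PLUGINS; do
        "$VOL" -f "$image" --profile="$profile" "$p" > "$outdir/$p.txt" 2> "$outdir/$p.err"
    done
    hidden_from_pslist < "$outdir/psxview.txt" > "$outdir/hidden_processes.txt"
    echo "$profile"
}

# Constructed sample reports in the shape of the real plugin output (not captured data).
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)'
SAMPLE_PSXVIEW='Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x02a6b1a8 svchost.exe            1412 False  True   True     True   True  True    True'

# ./triage.sh --demo exercises the parsers on the samples; ./triage.sh run IMAGE OUTDIR triages an image.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_IMAGEINFO" | suggested_profile
            printf '%s\n' "$SAMPLE_PSXVIEW" | hidden_from_pslist ;;
    run)    run_triage "$2" "$3" ;;
esac
```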
Redline is a tool from FireEye that lets us analyze the memory of a Windows, Linux, or macOS endpoint. Some of the things we can do with it are:
- Collect registry data (Windows hosts only)
- Collect running processes
- Collect memory images (before Windows 10)
- Collect browser history
- Look for suspicious strings