Memory Acquisition Tools
Combating today’s advanced malware requires skill and an advanced toolset. The most common incident response procedure that we see in smaller organizations is to identify infected machines and simply run malware scanners (Malwarebytes, Spybot, etc.) until the scan comes back clean. This “scan until clean” mindset often results in repeated infections and gives the organization a false sense of security. Malware scanners suffer from the same weakness as standard antivirus programs: they are signature based and can only discover malware that has already been found and reported. Yes, enabling your AV’s heuristic capabilities will improve detection rates, but most organizations don’t go that route because tuning out the false positives takes time and the scanning eats system resources; unless your organization has dedicated security staff, most network operators simply don’t want to deal with managing an AV infrastructure, or don’t have the time. If your organization’s incident response procedure is to “scan until clean” or “wipe and reload”, you are missing out on opportunities to gain valuable operational intelligence. Without any information about how you are being exploited and what the extent of the intrusion is, the organization is simply responding to isolated incidents and will be stuck in an endless loop of frustration.
Arguably one of the best places to gain valuable attack intelligence is the memory contents of a compromised machine. The very first action taken on a suspect machine should be to acquire the active memory, before modifying the system by running any malware tools. These memory acquisitions, or “dumps”, can be given to trained forensic analysts for quick analysis or stored in a library for future use. Acquiring live memory from a running machine used to be difficult and required specialized training; tools now exist that allow a first responder with limited knowledge to perform this task easily. In this blog posting we will cover three easily used (and free) tools for acquiring memory from a suspect machine, each of which can acquire both 32- and 64-bit memory from Windows operating systems. Note: the responder must run all of these tools with administrative privileges.
DumpIt
DumpIt is arguably the easiest of the three to use and can be placed on and run from a USB stick. Simply double-clicking the tool opens a window and dumps the memory to the same location as the tool. There are no options with this tool, just click and run. Below is a screenshot of the tool in action dumping memory from a Windows 7 Professional (32-bit) workstation.
The resulting file is created and automatically named with the hostname and acquisition date. It is typically the size of the installed RAM, but is often slightly larger due to page swapping.
Winpmem
Winpmem is a command line tool; it has a few options and allows you to specify the filename and location. Winpmem comes as two separate executables (winpmem & winpmem_write) and, like DumpIt, can be run from a portable USB drive. Winpmem gives you feedback and shows progress as it runs. The syntax “winpmem_1.4.exe memory.raw” will dump the memory to a file named “memory.raw”. The graphic below is winpmem dumping the same Windows 7 memory as before.
FTK Imager Lite
FTK Imager Lite is a GUI based tool that can also be run from a USB drive: just unzip the download file and double-click the “FTK Imager.exe” file. FTK Imager Lite has a larger footprint and does much more than acquire memory images; it is a reduced version of AccessData’s full forensic software package and has numerous capabilities. Acquiring a memory image is straightforward: just click the memory acquisition button (which happens to look just like a memory stick) and give it a filename and path. The graphic below is FTK Imager Lite dumping the same Windows 7 memory as before.
The time required to acquire live memory varies and depends on the destination media type. All three memory acquisitions referenced in this article completed in under 15 seconds when the output file was written to the local disk; expect longer times when larger amounts of RAM are present and the output file is being written to a USB device. Although the output filenames used in this article were short, it is good practice to be as descriptive as possible when naming the dump files so they are easily recognizable when needed.
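The winpmem syntax above and the advice on descriptive filenames can be combined into a small first-responder script. The following is an added example, not code from the original post or from the winpmem project; it assumes the winpmem_1.4.exe build named above sits beside the script, that the script is run from an elevated prompt, and that PowerShell 4 or later is available for Get-FileHash.

```powershell
# Added example (not from the original post): wrap winpmem so that the image gets a
# descriptive name, the run is refused without admin rights, the resulting file size is
# sanity-checked against installed RAM, and a SHA-256 hash is recorded beside the image.
# Assumption: winpmem_1.4.exe is in the same folder as this script.
param(
    [string]$Destination = $PSScriptRoot   # where the .raw image is written
)

# The post notes that all three tools need administrative privileges; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Administrator) prompt."
}

# Descriptive filename: hostname plus acquisition timestamp, the same scheme DumpIt uses.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$dump    = Join-Path $Destination ("{0}-{1}.raw" -f $env:COMPUTERNAME, $stamp)
$winpmem = Join-Path $PSScriptRoot 'winpmem_1.4.exe'

# Same invocation as in the post: winpmem_1.4.exe <output file>
& $winpmem $dump
if ($LASTEXITCODE -ne 0) { throw "winpmem exited with code $LASTEXITCODE" }

# The image should be roughly the size of installed RAM (often slightly larger);
# a much smaller file suggests the acquisition was interrupted or incomplete.
$ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$dumpBytes = (Get-Item $dump).Length
if ($dumpBytes -lt ($ramBytes * 0.9)) {
    Write-Warning ("Image is {0:N0} bytes but installed RAM is {1:N0} bytes; check the acquisition." -f $dumpBytes, $ramBytes)
}

# Record a hash next to the image so analysts can later verify it was not altered.
$hash = Get-FileHash -Path $dump -Algorithm SHA256
"{0}  {1}" -f $hash.Hash, (Split-Path -Leaf $dump) | Set-Content -Path "$dump.sha256"
Write-Host ("Acquired {0} ({1:N0} bytes), SHA-256 {2}" -f $dump, $dumpBytes, $hash.Hash)
```

Writing the hash file immediately, on the same media as the image, gives the analyst receiving the dump a simple way to confirm it is the file that was acquired.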
In future articles we will be showing some techniques for working with and extracting data from saved memory dumps.
Authored By: Scott Burkhart, GCFA, GCIA, MCSE