Windows Memory Analysis and Forensics



Windows Memory Acquisition


Acquisition from Live Systems

  • Win32dd.exe
  • Mdd.exe
  • Memoryze

Dead System

  • Hibernation file hiberfil.sys
    • Contains a compressed RAM image

Example win32dd command line for dumping physical memory to an image file:

C:\win32dd winxp_memory.img

Windows Memory Analysis


Windows 2000 memory

  • Memparser
    • Ability to load and examine processes
    • Extract information from memory for a specific process
    • Save the contents of process memory to a file, extract strings
    • Other more specific information can be extracted

Windows XP and Vista

  • Memoryze
    • Windows-based analysis capability
    • Authors: Jamie Butler and Peter Silberman
    • Recommended to use Audit Viewer for GUI analysis
    • Batch scripts that analyze a memory image or a live machine

XP SP2

  • Volatility
    • Framework for analysis of volatile memory images
    • It is a series of Python scripts





Case Study: XP SP2 with Rootkit

General IR Scan

  • Run fport to see all network connections and the ports they use
  • Run pslist to list all running processes

Nothing suspicious.

Scan using Volatility

  # python volatility pslist -f /path/to/xpimage.img

There is a backdoor process nc.exe (netcat).

  • List all open sockets using Volatility.
  • Check the create time to see whether this process is loaded at boot or not.
  • Identify the parent rootkit.
  • Retrieve the process from memory.
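The triage steps above (find the socket owner, check its create time against boot, look at its parent) can be scripted over the plugin output instead of being done by eye. The script below is an added example and not the article's code: the two text blocks are constructed samples laid out like Volatility 1.x pslist and sockets output, the PIDs, ports and timestamps are assumed, and the EXPECTED_CHILDREN table is a small baseline of normal XP parent/child relationships used to flag an odd parent such as winlogon.exe spawning nc.exe.

```python
"""Correlate Volatility 'pslist' and 'sockets' output to triage socket owners.

Added example, not the article's code. The two text blocks are constructed
samples laid out like Volatility 1.x 'pslist' and 'sockets' output; the column
widths, PIDs and timestamps are assumed, not taken from a real image.
"""
from datetime import datetime, timedelta

PSLIST_SAMPLE = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      55     252    Thu Jan 01 00:00:00 1970
smss.exe             368    4      3      21     Mon Mar 09 09:12:01 2009
winlogon.exe         596    368    19     508    Mon Mar 09 09:12:05 2009
services.exe         640    596    16     262    Mon Mar 09 09:12:06 2009
svchost.exe          832    640    17     194    Mon Mar 09 09:12:08 2009
nc.exe               1908   596    1      31     Mon Mar 09 09:12:09 2009
explorer.exe         1520   1492   11     339    Mon Mar 09 09:12:40 2009
"""

SOCKETS_SAMPLE = """\
Pid    Port   Proto  Create Time
832    135    6      Mon Mar 09 09:12:09 2009
4      445    6      Mon Mar 09 09:12:05 2009
1908   4444   6      Mon Mar 09 09:12:10 2009
"""

# Parent/child relationships that are normal on Windows XP (assumed baseline).
# A socket owner spawned by one of these parents but not in its expected child
# set is worth a closer look (e.g. nc.exe launched by winlogon.exe).
EXPECTED_CHILDREN = {
    "smss.exe": {"csrss.exe", "winlogon.exe"},
    "winlogon.exe": {"services.exe", "lsass.exe", "userinit.exe"},
    "services.exe": {"svchost.exe", "spoolsv.exe", "alg.exe"},
}
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_time(text):
    return datetime.strptime(text.strip(), TIME_FORMAT)


def parse_pslist(text):
    """Return {pid: {"name", "ppid", "started"}} from pslist-style text."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        name, pid, ppid, _thds, _hnds, when = line.split(None, 5)
        procs[int(pid)] = {"name": name, "ppid": int(ppid), "started": parse_time(when)}
    return procs


def parse_sockets(text):
    """Return a list of {"pid", "port", "proto", "created"} from sockets-style text."""
    socks = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, port, proto, when = line.split(None, 3)
        socks.append({"pid": int(pid), "port": int(port), "proto": int(proto),
                      "created": parse_time(when)})
    return socks


def boot_reference(procs):
    """Approximate boot time by the start of smss.exe, the first user-mode process."""
    for p in procs.values():
        if p["name"].lower() == "smss.exe":
            return p["started"]
    return min(p["started"] for p in procs.values())


def triage_sockets(procs, socks, boot_window=timedelta(minutes=2)):
    """For each socket: owner, parent, parent anomaly, and whether it appeared at boot."""
    boot = boot_reference(procs)
    findings = []
    for s in socks:
        owner = procs.get(s["pid"])
        if owner is None:
            # No pslist entry: the owner exited, or is hidden from the process list.
            findings.append({"pid": s["pid"], "port": s["port"], "name": None,
                             "parent": None, "parent_anomaly": True,
                             "seconds_after_boot": None, "started_at_boot": None})
            continue
        parent = procs.get(owner["ppid"])
        parent_name = parent["name"] if parent else "<pid %d not in pslist>" % owner["ppid"]
        expected = EXPECTED_CHILDREN.get(parent_name)
        anomaly = expected is not None and owner["name"].lower() not in expected
        since_boot = (s["created"] - boot).total_seconds()
        findings.append({"pid": s["pid"], "port": s["port"], "name": owner["name"],
                         "parent": parent_name, "parent_anomaly": anomaly,
                         "seconds_after_boot": since_boot,
                         "started_at_boot": 0 <= since_boot <= boot_window.total_seconds()})
    return findings


if __name__ == "__main__":
    for f in triage_sockets(parse_pslist(PSLIST_SAMPLE), parse_sockets(SOCKETS_SAMPLE)):
        print(f)
```

On the constructed sample the listener on port 4444 resolves to nc.exe, its parent is winlogon.exe (not a process winlogon normally spawns), and the socket was created nine seconds after smss.exe started, which is the "loads at boot" signal the case study looks for before hunting the parent rootkit. A socket whose PID has no pslist entry is reported as an anomaly too, since a hidden process is exactly what a rootkit would produce.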

Conclusion on Rootkit Analysis


CASE 2: Pass the Hash

Analyse hiberfil.sys

  • hiberfil.sys is compressed, so first decompress it
  • Now you can proceed as stated above using Volatility.

Passwords in Memory: where is the hash?

  • Find registry hives in memory
  • Find the SYSTEM and SAM hives
  • Dump hashes from those hives
  • Crack passwords with the hashes.

More Info:

1. Find registry hives in memory

  • The hivescan plugin scans the memory image and pulls out the memory locations (offsets) of registry hives. You can take any of these locations to start analysing.

2. Find the SYSTEM and SAM hives

  • The hivelist plugin takes that offset and starts scanning from that location for any registry entries.
  • SOFTWARE holds application settings
  • SAM holds security-related information
  • SYSTEM holds hardware-related information

We have to note these down because the SAM is protected by syskey, which is there to defend against cracking passwords taken from the SAM database. Syskey splits its key into four pieces and places them in four different locations in the SYSTEM hive.


3. Dump hashes from the SAM and SYSTEM hives

  • The hashdump plugin retrieves the hashes of all user accounts stored in the SAM.

4. Crack the passwords using the hashes.

  • Use a password cracker such as Ophcrack or John the Ripper, or online rainbow tables.
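Before handing hashdump output to a cracker, a defender usually wants to know which accounts are already exposed without any cracking: blank passwords, legacy LM hashes still stored, and the same NT hash on several accounts (the condition that makes pass-the-hash lateral movement cheap). The script below is an added example, not the article's code: HASHDUMP_SAMPLE is a constructed block in pwdump format (user:rid:lmhash:nthash:::) with placeholder hex values rather than hashes from a real SAM, and EMPTY_LM and EMPTY_NT are the well-known LM and NT hashes of the empty password.

```python
"""Audit Volatility 'hashdump' output for weak-credential conditions.

Added example, not the article's code. HASHDUMP_SAMPLE is a constructed
block in pwdump format (user:rid:lmhash:nthash:::); the account names and
the non-empty hash values are placeholders, not hashes from a real SAM.
"""
import re

# LM and NT hashes of the empty password. An LM field equal to EMPTY_LM means
# no LM hash was stored for the account; an NT field equal to EMPTY_NT means
# the account has a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HASHDUMP_SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ffeeddccbbaa99887766554433221100:8899aabbccddeeff0011223344556677:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_hashdump(text):
    """Parse pwdump-style lines into records; skip malformed lines rather than guess."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        user, rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
        if not (rid.isdigit() and HEX32.match(lm) and HEX32.match(nt)):
            continue
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def audit_hashes(records):
    """Return the accounts that expose the host to easy cracking or hash reuse."""
    by_nt = {}
    for r in records:
        by_nt.setdefault(r["nt"], []).append(r["user"])
    return {
        # Blank password: no cracking needed at all.
        "empty_password": [r["user"] for r in records if r["nt"] == EMPTY_NT],
        # LM hash stored: legacy, case-insensitive, trivially recovered with rainbow tables.
        "lm_hash_stored": [r["user"] for r in records if r["lm"] != EMPTY_LM],
        # Same NT hash on several accounts: one recovered password (or one stolen
        # hash) unlocks all of them.
        "shared_password": [users for users in by_nt.values() if len(users) > 1],
    }


if __name__ == "__main__":
    for key, value in audit_hashes(parse_hashdump(HASHDUMP_SAMPLE)).items():
        print(key, value)
```

Run against the sample it reports Guest as having a blank password, HelpAssistant as still carrying an LM hash, and Administrator and svc_backup as sharing one NT hash. The parser deliberately drops lines that are not well-formed pwdump records instead of guessing at them, because hashdump output taken from a partially paged or corrupted image can contain junk.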



Registry Examination

RegRipper is a Perl script that analyses the registry in the memory dump: you point it at the hive address retrieved previously and specify the hive type.

Now we have the registry settings.

All the tools can be found in the SANS Investigative Forensic Toolkit (SIFT) Workstation.


About Uma Mahesh

A Creator/Equilizer. Creator/Equalizers are catalysts for positive, well-organized change. They never settle for the status quo. Instead, they see the opportunity for innovation in the processes that others have long taken for granted. They respect what's already operating, but they can't help but want to improve upon it. Their special combination provides innovation tempered with profound logic. They have incredible discernment. Should their efforts fail, they are unhesitating in accepting responsibility. They don't wallow in self-pity but rather see these missed attempts as critical steps on the path to success.