what else other than memory dump

13 Posts
9 Users
0 Likes
794 Views
(@d4n13l4)
Posts: 12
Active Member
Topic starter
 

Hello

I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for.

So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to know how the file got into the machine.

I have access to navigation logs, firewall logs and the antivirus console, but these don't help me with this part.

What else do I need besides the memory dump of the machine to determine this?

Thanks for your help.

 
Posted : 26/06/2018 10:48 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hello

I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for.

So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to know how the file got into the machine.

I have access to navigation logs, firewall logs and the antivirus console, but these don't help me with this part.

What else do I need besides the memory dump of the machine to determine this?

Thanks for your help.

Besides what is in memory, you need to check what traces remain in the OS (read: the Registry, assuming it is a Windows of some kind), in the various logs, and what is on disk.

As usual, a full timeline is what is advised:
https://github.com/log2timeline
https://github.com/log2timeline/plaso

jaclaz

 
Posted : 26/06/2018 12:40 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

If your budget allows, I recommend purchasing OSForensics from Passmark, which will allow you to forensically image the computer in question, perform a memory dump, and also perform timeline analysis of activities taking place around the time of infection.

 
Posted : 26/06/2018 4:24 pm
Hwallbanger
(@hwallbanger)
Posts: 32
Eminent Member
 

Depending upon your budget, you could also use Open Source tools in combination with some commercial tools for capturing both RAM and Hard drive images and then analyze these images like you would with the OSForensic tool(s).

You will learn (like I did) how to use FTK Imager within the Lynda training course "Learning Computer Forensics". This product is one of the oldest commercial tools (current version 4.2, or earlier, i.e. 3.2); all versions work within the Windows environment. I use a much earlier version, 2.5.3, loaded as a portable version that executes within Win7 from a thumb/flash drive, and you can save the image in the "dd" image format.

FTK Imager also comes in a command line interface format that will operate in Windows, Mac & Linux, and here is the CLI instruction PDF web page. If you wish to use this tool from a flash drive, here is the instruction web page for your convenience.

You will come across the open source tools in many other tool sets/distributions such as CAINE, the SIFT Workstation distro (SANS Investigative Forensic Toolkit), Kali Linux distro tools, etc.

These same tool sets will also contain The Volatility Framework which is a completely open collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples. You will also notice that these tool sets usually contain either or both The Sleuth Kit and/or Autopsy forensic analysis tool-set.

Most of these tools have a customization capability with the use of plug-ins. Plug-ins provide the flexibility in those tools that have this built-in feature. Here are some links to the other mentioned tools:

FTK imager 4.2

FTK imager 3.2

Volatility GitHub Site

Open Source Digital Forensics Tools (TSK & Autopsy)

I have tried to present an open source choice alongside a commercial choice, even though I presented FTK Imager. You will find in CAINE and SIFT other tools capable of creating an image of the selected hard drive.

You really need to create this image with a Write-Blocker for a forensically sound image. But this is a different subject and you probably will find many Discussion Threads on this site about this topic, too.

Please review these tools and make your selection. I have presented some of the well known tools in this field for your edification.

 
Posted : 26/06/2018 8:36 pm
(@randomaccess)
Posts: 385
Reputable Member
 

You really need to create this image with a Write-Blocker for a forensically sound image. But this is a different subject and you probably will find many Discussion Threads on this site about this topic, too.

As a side note, as a threat hunter in a malware investigation, he probably doesn't need to follow forensic principles of creating a full image, or even a write-blocked image.

What I would be pushing is documentation. Document what you've done, and what you've found.

 
Posted : 27/06/2018 6:37 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

You really need to create this image with a Write-Blocker for a forensically sound image. But this is a different subject and you probably will find many Discussion Threads on this site about this topic, too.

As a side note, as a threat hunter in a malware investigation, he probably doesn't need to follow forensic principles of creating a full image, or even a write-blocked image.

What I would be pushing is documentation. Document what you've done, and what you've found.

Yupp, write blockers are generally for law enforcement and dealing with court cases. It does not hurt to use one if you've got one, unless it fails to detect the drive (not uncommon) and needs to be excluded.

 
Posted : 27/06/2018 7:00 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for.

So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to know how the file got into the machine.

Which OS and version?

With the AV detection, you should have a full path to the file, so that might give you some kind of indication as to where to start, in order to determine the initial infection vector (IIV).

From there, a mini-timeline created using selected files might be the most valuable and revealing way to approach determining the IIV.

 
Posted : 27/06/2018 10:37 am
Hwallbanger
(@hwallbanger)
Posts: 32
Eminent Member
 

I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for.

So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to know how the file got into the machine. - d4n13l4


As a side note, as a threat hunter in a malware investigation, he probably doesn't need to follow forensic principles of creating a full image, or even a write-blocked image.

What I would be pushing is documentation. Document what you've done, and what you've found. - randomaccess

What randomaccess suggests is very appropriate, and what you use to document would pretty much depend upon how he wishes to document and which tools. It would make the task somewhat easier or much more time consuming. Since this is a Windows system, does anyone have any tools to suggest?

I would guess that this is more of a Blue Team type situation? But wouldn't you want, at some point, just in case, to have the collected evidence ready for possible court use, besides stopping this attack and making secure corrections and protections?

What have been your policies and experiences? To just stop and correct the attack and move on, or to potentially provide your experience and evidence to a prosecutor? This would be interesting to know, too ...

 
Posted : 27/06/2018 9:55 pm
(@d4n13l4)
Posts: 12
Active Member
Topic starter
 

Thank you all for your replies.

I've considered the registry checks, doing a timeline with the help of Volatility mftparser and other plugins.

And yes, AV detection gave me the path, or I was able to get it from the registry in some cases, but I was wondering if it's possible to know from which site specifically the user got the file. We have McAfee, so I can only see it came from the browser, but that is it.

The machines are mainly Win 7 and 10.

My ultimate goal is to find where the user got the malicious file, to find other users who might also have visited that site and might have other similar undetected malware.

 
Posted : 03/07/2018 2:27 pm
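For the follow-up question (which site the file came from, and which other users went there), here is an added example that is not code from this thread or from McAfee. On NTFS a browser-downloaded file carries a Zone.Identifier alternate data stream (the "mark of the web"); on Windows 10 the common browsers usually record ReferrerUrl and HostUrl in it, while on Windows 7 it often holds only the ZoneId, so the code falls back gracefully when the URLs are absent. The stream contents and the proxy ("navigation") log lines are constructed, and the log layout (time, client IP, user, URL, status) is an assumption to replace with your own proxy's format.

```python
"""Zone.Identifier parsing and proxy-log pivot (added example; all data constructed)."""
from urllib.parse import urlparse

# Constructed Zone.Identifier stream as a Windows 10 browser would write it.
ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=http://example.invalid/login
HostUrl=http://example.invalid/files/invoice.exe
"""

# Constructed proxy log: time, client IP, user, URL, HTTP status (assumed layout).
PROXY_LOG = """\
2018-06-25T14:02:30Z 10.0.0.15 alice http://example.invalid/files/invoice.exe 200
2018-06-25T15:10:02Z 10.0.0.22 bob   http://example.invalid/files/report.exe 200
2018-06-25T15:40:11Z 10.0.0.31 carol https://intranet.example/home 200
2018-06-26T08:05:44Z 10.0.0.22 bob   http://example.invalid/login 200
"""

# URL security zone ids used by Windows.
ZONE_NAMES = {"0": "Local machine", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}


def parse_zone_identifier(text):
    """Return the key/value pairs of the [ZoneTransfer] section; missing keys stay absent."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def download_source(zone):
    """Best available origin URL, or None when only the ZoneId was recorded (typical on Win7)."""
    return zone.get("HostUrl") or zone.get("ReferrerUrl")


def other_clients(proxy_text, source_url, exclude_user):
    """Pivot on the hostname of the download URL: who else fetched anything from it?"""
    host = urlparse(source_url).hostname
    hits = {}
    for line in proxy_text.splitlines():
        if not line.strip():
            continue
        _ts, _ip, user, url, _status = line.split()
        if user == exclude_user:
            continue
        if urlparse(url).hostname == host:
            hits.setdefault(user, []).append(url)
    return hits


def likely_payloads(hits, suffixes=(".exe", ".dll", ".js", ".hta", ".scr")):
    """Fetched URLs from the pivot that look like executable content worth checking."""
    return sorted((user, url) for user, urls in hits.items()
                  for url in urls if url.lower().endswith(suffixes))


if __name__ == "__main__":
    zone = parse_zone_identifier(ZONE_IDENTIFIER)
    print("zone:", ZONE_NAMES.get(zone.get("ZoneId"), "unknown"))
    origin = download_source(zone)
    print("download origin:", origin)
    if origin:
        hits = other_clients(PROXY_LOG, origin, exclude_user="alice")
        print("other users on that host:", hits)
        print("look at these next:", likely_payloads(hits))
```

On a live Windows host the stream can be read directly by opening the file name with the `:Zone.Identifier` suffix; from a disk image, extract it with whatever your imaging tool exposes for alternate data streams, or from the MFT record that the timeline already lists. The pivot returns bob, who fetched another executable from the same host a day later, which is exactly the "other users who might have undetected malware" lead the follow-up asks for.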
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

I'd also consider running a virtual machine from the forensic image and monitoring network activity coming from the potentially infected machine. There might be more calls to foreign IP addresses than were captured in the memory dump at the time that was done.

You can also do a packet analysis of what the machine is trying to send out as part of that process. This might give you clues of where to look next on the computer.

Steve

 
Posted : 03/07/2018 3:09 pm
Page 1 / 2