Malware Can Hide, But It Must Run

by Alissa Torres, SANS Certified Instructor

It’s October, haunting season. However, in the forensics world, the hunting of evil never ends. And with Windows 10 expected to be the new normal, digital forensics and incident response (DFIR) professionals who lack the necessary (memory) hunting skills will pay the price.

Investigators who do not look at volatile memory are leaving evidence at the crime scene. RAM content holds evidence of user actions, as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.

Although Microsoft is not expected to reach its Windows 10 rollout goal of one billion devices in the next two years, their glossiest OS to date currently makes up 22% of desktop systems according to netmarketshare.com[1]. By this time, as a forensic examiner, you have either encountered a Windows 10 system as the subject of an investigation or will in the near future. Significant changes introduced with Windows 10 (and actually with each new subsequent update) have required some “re-education” to learn what the “new normal” is.

Let’s jump in and check out the differences that Windows 10 has brought to the world of forensics by examining some key changes in the process list. In performing memory analysis, an investigator must understand the normal parent-child hierarchical relationships of native Windows processes. This is the essence of “know normal, find evil” and allows for effective and efficient analysis. Most of you have used the Edge browser, which was released with Windows 10 in Summer 2015. Whereas Internet Explorer is typically launched by explorer.exe (run by default as the user’s initial process), Edge is spawned by the Runtime Broker process, which has a parent process of svchost (a system process). Edge runs as a Universal Windows Platform (UWP) application, one of the many Windows apps built to run on multiple types of devices. Runtime Broker manages permissions for Windows apps. This hierarchical process relationship deviates from one of the traditional analysis techniques we have relied on in past versions of Windows: system processes will have a parent/grandparent of the SYSTEM process, and normal user processes, like browsers, will have parent lineage to explorer.exe. The screenshots below show the hierarchical structures of a Win10 RTM system, Build 10240, using the Process Hacker tool.



Figure 1. Typical Hierarchy of Internet Explorer Process
Figure 2. Hierarchical Structure of Microsoft Edge and SearchUI Processes

Other new additions to the Windows process list are SearchUI.exe, the Search and Cortana application, and ShellExperienceHost.exe, the Start menu and Desktop UI handler. As Windows apps, they are both spawned from the same Runtime Broker process as Edge. In the screenshot above, the SearchUI and ShellExperienceHost processes are in gray, indicative of suspended processes. Only one Windows app is in the foreground at a time; those that are out of focus are suspended and swapped out, with process data being compressed and written to the swapfile.sys in the file system[2].

Prepare for Internet connections to automatically be spawned by some of these new Win10 processes. OneDrive (formerly known as SkyDrive) has a connection to port 80 outbound and SearchUI (Cortana) creates outbound network connections as well when the user accesses the Start Menu. An example of network activity from the SearchUI process is shown below.

Figure 3. SearchUI.exe Network Connections

The memory data compression behavior first seen in Windows apps on Windows 8 has been implemented on a wider scale in Windows 10. Now when the memory manager detects “memory pressure”, meaning there is limited availability for data to be written to physical memory, data is compressed and written to the page file.[3] Why is this relevant to the forensic examiner? Analysis of page file data can yield fruit, uncovering trace artifacts that indicate the malware at one point resided on the system. Remember that the contents of the page file were once in physical memory. This data, though highly fragmented, is great for string searches and YARA signature scans. With the implementation of Windows 10 memory compression, a new obstacle exists for such analysis.

If you have done investigations involving nefarious command line activity, it is useful to know that the cmd.exe process now spawns its own conhost.exe process as of Windows 8. This is notable because in previous Windows versions, conhost was spawned by the csrss.exe process. I am always leery of a command shell running on an endpoint, particularly one to which a web browser has a handle.
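The parent-child baseline from the process-list discussion and the conhost note above can be turned into a lineage check over a process listing. This is an added example, not code from the article or from any tool it names; the `Proc` record, its field names and the sample process list are constructed for illustration, and the expected parents are only the relationships the article states.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name start")  # start: creation time (epoch seconds)

# Expected parent image per child image, as described in the article (lower-case).
EXPECTED_PARENT = {
    "iexplore.exe": {"explorer.exe"},
    "microsoftedge.exe": {"runtimebroker.exe"},
    "searchui.exe": {"runtimebroker.exe"},
    "shellexperiencehost.exe": {"runtimebroker.exe"},
    "runtimebroker.exe": {"svchost.exe"},
}

def expected_parents(name, win8_or_later):
    """Allowed parent names for an image, or None if it is not baselined."""
    if name == "conhost.exe":  # cmd.exe from Windows 8 on, csrss.exe before
        return {"cmd.exe"} if win8_or_later else {"csrss.exe"}
    return EXPECTED_PARENT.get(name)

def find_anomalies(procs, win8_or_later=True):
    """Return (pid, name, observed_parent, reason) for each lineage deviation."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        allowed = expected_parents(p.name.lower(), win8_or_later)
        if allowed is None:
            continue
        parent = by_pid.get(p.ppid)
        # A listed "parent" created after its child means the PID was reused.
        if parent is None or parent.start > p.start:
            findings.append((p.pid, p.name, None, "parent exited or PID reused"))
        elif parent.name.lower() not in allowed:
            findings.append((p.pid, p.name, parent.name, "unexpected parent"))
    return findings

# Constructed sample process list (not taken from the article's screenshots).
SAMPLE = [
    Proc(620, 500, "svchost.exe", 110),
    Proc(2100, 620, "RuntimeBroker.exe", 200),
    Proc(3000, 2100, "MicrosoftEdge.exe", 300),
    Proc(1800, 1700, "explorer.exe", 190),
    Proc(3300, 1800, "iexplore.exe", 320),
    Proc(3400, 3300, "cmd.exe", 400),
    Proc(3410, 3400, "conhost.exe", 401),
    Proc(3500, 1800, "SearchUI.exe", 410),       # Windows app under explorer.exe
    Proc(3600, 3700, "RuntimeBroker.exe", 420),  # listed parent is newer than child
    Proc(3700, 620, "notepad.exe", 500),
]
```

Calling `find_anomalies(SAMPLE)` flags PIDs 3500 and 3600; passing `win8_or_later=False` additionally flags the conhost.exe under cmd.exe, which is why the OS version has to be known before the baseline is applied.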

It is often difficult to discern what version of Windows 10 your target system was running at the time memory was acquired. Two significant updates have been pushed since Windows 10’s initial release: Threshold 2 in November 2016 and the Anniversary edition in July 2015. Shown below is imageinfo plugin output from the Rekall Memory Forensic Framework (1.5.3 Furka)[3] detailing the Build Version. With so many different features added between Windows versions, as well as significant changes rolled out in updates, having a tool that uses the publicly available Windows symbols, like Rekall, is key. When profiles have to be created in order to support new versions of Windows, as seen in analysis tools, there is lag time. Rekall automatically detects the Windows version and uses the hosted profile from its repository by default.

[Figure: Rekall imageinfo plugin output detailing the Build Version]

Xbox runs on Windows 10 now and you may be among those celebrating that you can now stream console games to your computer. But how does this affect our forensic findings? Expect to see Xbox gaming services present even if they are not being used. Since malware commonly instantiates new services or hijacks existing ones as a method of persistence, again, it is good to know what normal looks like.


Hopefully a recap on how things have changed in recent versions of Windows will speed your analysis as you work to unravel the story of what evil happened on a system. Happy hunting!


About the author:

Alissa Torres is a certified instructor with SANS and the co-author/instructor of FOR526: Memory Forensics In-Depth. Her industry experience includes serving in the trenches as part of the Mandiant Computer Incident Response Team (MCIRT) as an incident handler and working on an internal security team as a digital forensic investigator. She has extensive experience in information security, spanning government, academic, and corporate environments and holds a Bachelor’s degree from University of Virginia and a Master’s degree from University of Maryland in Information Technology. Alissa has taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She has presented at various industry conferences and numerous B-Sides events. In addition to being a GIAC Certified Forensic Analyst (GCFA), she holds the GCFE, GPEN, CISSP, EnCE, CFCE, MCT and CTT+.
