what else other than memory dump  
d4n13l4
(@d4n13l4)
New Member

Hello

I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for.

So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to find out how the file got onto the machine.

I have access to navigation logs, firewall logs and the antivirus console, but these don't help me with this part.

What else do I need, besides the memory dump of the machine, to determine this?

Thanks for your help.

Posted : 26/06/2018 11:48 am
jaclaz
(@jaclaz)
Community Legend

Hello

I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for.

So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to find out how the file got onto the machine.

I have access to navigation logs, firewall logs and the antivirus console, but these don't help me with this part.

What else do I need, besides the memory dump of the machine, to determine this?

Thanks for your help.

Besides what is in memory, you need to check what traces remain in the OS (please read: the Registry, assuming it is a Windows of some kind), in the various logs, and on disk.

As usual, a full timeline is what is advised:
https://github.com/log2timeline
https://github.com/log2timeline/plaso

jaclaz

Posted : 26/06/2018 1:40 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

If your budget allows, I recommend purchasing OSForensics from Passmark, which will allow you to forensically image the computer in question, perform a memory dump, and also perform timeline analysis of activities taking place around the time of infection.

Posted : 26/06/2018 5:24 pm
Hwallbanger
(@hwallbanger)
Junior Member

Depending upon your budget, you could also use open source tools in combination with some commercial tools for capturing both RAM and hard drive images, and then analyze these images like you would with the OSForensics tool(s).

You will learn (like I did) how to use FTK Imager within the Lynda training course "Learning Computer Forensics". This product is one of the oldest commercial tools (current version 4.2, or earlier, i.e. 3.2); all versions work within a Windows environment. I use a much earlier version, 2.5.3, loaded as a portable version that executes within Win7 from a thumb/flash drive, and you can save the image in the "dd" image format.

FTK Imager also comes in a command line interface format that will operate in Windows, Mac and Linux, and here is the CLI instruction PDF web page. If you wish to use this tool from a flash drive, here is the instruction web page for your convenience.

You will come across the open source tools in many other tool sets/distributions such as CAINE, the SIFT Workstation distro (SANS Investigative Forensic Toolkit), the Kali Linux distro tools, etc.

These same tool sets will also contain The Volatility Framework, which is a completely open collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples. You will also notice that these tool sets usually contain either or both of The Sleuth Kit and Autopsy forensic analysis tool sets.

Most of these tools have a customization capability through the use of plug-ins. Plug-ins provide the flexibility for the tools that have this built-in feature. Here are some links to the other tools mentioned:

FTK imager 4.2

FTK imager 3.2

Volatility GitHub Site

Open Source Digital Forensics Tools (TSK & Autopsy)

I have tried to present an open source choice alongside a commercial choice, even though I presented FTK Imager. You will find in CAINE and SIFT other tools capable of creating an image of the selected hard drive.

You really need to create this image with a write-blocker for a forensically sound image. But this is a different subject, and you probably will find many discussion threads on this site about this topic, too.

Please review these tools and make your selection. I have presented some of the well-known tools in this field for your edification.

Posted : 26/06/2018 9:36 pm
randomaccess
(@randomaccess)
Active Member

You really need to create this image with a write-blocker for a forensically sound image. But this is a different subject, and you probably will find many discussion threads on this site about this topic, too.

As a side note, as a threat hunter in a malware investigation, he probably doesn't need to follow forensic principles of creating a full image, or even a write-blocked image.

What I would be pushing is documentation. Document what you've done, and what you've found.

Posted : 27/06/2018 7:37 am
MDCR
(@mdcr)
Active Member

You really need to create this image with a write-blocker for a forensically sound image. But this is a different subject, and you probably will find many discussion threads on this site about this topic, too.

As a side note, as a threat hunter in a malware investigation, he probably doesn't need to follow forensic principles of creating a full image, or even a write-blocked image.

What I would be pushing is documentation. Document what you've done, and what you've found.

Yup, write blockers are generally for law enforcement and dealing with court cases. It does not hurt to use one if you have one, unless it fails to detect the drive (not uncommon) and needs to be excluded.

Posted : 27/06/2018 8:00 am
keydet89
(@keydet89)
Community Legend

I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for.

So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to find out how the file got onto the machine.

Which OS and version?

With the AV detection, you should have a full path to the file, so that might give you some kind of indication as to where to start, in order to determine the initial infection vector (IIV).

From there, a mini-timeline created using selected files might be the most valuable and revealing way to approach determining the IIV.

Posted : 27/06/2018 11:37 am
Hwallbanger
(@hwallbanger)
Junior Member

I'm trying to use memory dumps to investigate malware detections on some computers from the company I work for.

So far I am able to match the creation date and time of the file with the time the detection was triggered in the AV, but I'm not able to find out how the file got onto the machine. - d4n13l4

As a side note, as a threat hunter in a malware investigation, he probably doesn't need to follow forensic principles of creating a full image, or even a write-blocked image.

What I would be pushing is documentation. Document what you've done, and what you've found. - randomaccess

What randomaccess suggests is very appropriate, and what you use to document would pretty much depend upon how he wishes to document and which tools. It would make the task somewhat easier or much more time consuming. Since this is a Windows system, does anyone have any tools to suggest?

I would guess that this is more of a Blue Team type situation? But wouldn't you want, at some point, just in case, to have the collected evidence ready for possible court use, besides stopping this attack and making secure corrections and protections?

What have your policies and experiences been? To just stop and correct the attack and move on, or to potentially provide your experience and evidence to a prosecutor? This would be interesting to know, too….

Posted : 27/06/2018 10:55 pm
d4n13l4
(@d4n13l4)
New Member

Thank you all for your replies.

I've considered the registry checks, doing a timeline with the help of the Volatility mftparser and other plugins.

And yes, the AV detection gave me the path, or I was able to get it from the registry in some cases, but I was wondering if it's possible to know from which site specifically the user got the file. We have McAfee, so I can only see it came from the browser, but that is it.

The machines are mainly Win 7 and 10.

My ultimate goal is to find where the user got the malicious file, to find other users who might also have visited that site and might have another similar undetected malware.

Posted : 03/07/2018 3:27 pm
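An added example, not from any poster in this thread, of the mini-timeline approach keydet89 describes, applied to the goal stated just above: pivot from the AV detection time to the host's proxy ("navigation") and firewall entries in the minutes before it, pick out the download URL, and list the other hosts that fetched the same URL. The log formats, host names, users and URLs are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records: an AV console export, proxy (navigation)
# log lines and firewall log lines, all pipe-separated for simplicity.
AV_DETECTIONS = [
    "2018-06-25 09:14:03|WS-0042|C:\\Users\\bob\\Downloads\\invoice.exe|Trojan.Generic",
]
PROXY_LOG = [
    "2018-06-25 09:05:10|WS-0042|bob|http://example.invalid/docs/invoice.exe",
    "2018-06-25 09:02:41|WS-0042|bob|http://intranet.invalid/home",
    "2018-06-25 10:30:00|WS-0017|alice|http://example.invalid/docs/invoice.exe",
    "2018-06-24 17:00:00|WS-0099|carol|http://example.invalid/",
]
FIREWALL_LOG = ["2018-06-25 09:05:11|WS-0042|198.51.100.23:80|ALLOW"]
FMT = "%Y-%m-%d %H:%M:%S"

def parse(lines, source):
    """Turn pipe-separated log lines into (time, source, host, detail) tuples."""
    out = []
    for line in lines:
        ts, host, *rest = line.split("|")
        out.append((datetime.strptime(ts, FMT), source, host, "|".join(rest)))
    return out

def mini_timeline(events, host, detection_time, window=timedelta(minutes=15)):
    """All events for one host in the window before detection, oldest first."""
    lo = detection_time - window
    return sorted(e for e in events if e[2] == host and lo <= e[0] <= detection_time)

def candidate_sources(timeline, detected_path):
    """Proxy URLs in the timeline whose last path element is the detected file name."""
    name = detected_path.rsplit("\\", 1)[-1].lower()
    return [e[3].split("|")[-1] for e in timeline
            if e[1] == "proxy" and e[3].split("|")[-1].lower().endswith("/" + name)]

def other_hosts(proxy_events, url, exclude_host):
    """Other hosts that fetched the same URL: the 'who else visited it?' question."""
    return sorted({e[2] for e in proxy_events if e[3].endswith(url) and e[2] != exclude_host})

def investigate():
    av = parse(AV_DETECTIONS, "av")
    proxy = parse(PROXY_LOG, "proxy")
    fw = parse(FIREWALL_LOG, "firewall")
    det = av[0]                                  # pivot on the first detection
    host, path = det[2], det[3].split("|")[0]
    tl = mini_timeline(av + proxy + fw, host, det[0])
    urls = candidate_sources(tl, path)
    return tl, urls, [other_hosts(proxy, u, host) for u in urls]
```

On real data the same pivot works with plaso or Volatility timeline output as the event source; the window size is the main knob to tune.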
steve862
(@steve862)
Active Member

Hi,

I'd also consider running a virtual machine from the forensic image and monitoring network activity coming from the potentially infected machine. There might be more calls to foreign IP addresses than were captured in the memory dump at the time that was done.

You can also do a packet analysis of what the machine is trying to send out as part of that process. This might give you clues about where to look next on the computer.

Steve

Posted : 03/07/2018 4:09 pm
tateconcepts
(@tateconcepts)
New Member

You really need to create this image with a write-blocker for a forensically sound image. But this is a different subject, and you probably will find many discussion threads on this site about this topic, too.

As a side note, as a threat hunter in a malware investigation, he probably doesn't need to follow forensic principles of creating a full image, or even a write-blocked image.

What I would be pushing is documentation. Document what you've done, and what you've found.

He'd better, if he wishes to prosecute…

Posted : 19/07/2018 2:42 am
tateconcepts
(@tateconcepts)
New Member

Thank you all for your replies.

I've considered the registry checks, doing a timeline with the help of the Volatility mftparser and other plugins.

And yes, the AV detection gave me the path, or I was able to get it from the registry in some cases, but I was wondering if it's possible to know from which site specifically the user got the file. We have McAfee, so I can only see it came from the browser, but that is it.

The machines are mainly Win 7 and 10.

My ultimate goal is to find where the user got the malicious file, to find other users who might also have visited that site and might have another similar undetected malware.

Well, if your detection was an AV, which is pretty amazing in and of itself, I would start with reviewing what happened at the time of detection and prior. It's almost always delivered via browser or internal email. Additionally, look for the parent processes that were involved prior, and it should lead you back to where the breakout occurred.

As it seems you may be a little late to the game, you might as well try installing Redline from FireEye and gathering everything. You can review web and network events to help narrow things down, in their timeline or with Time Crunch. Personally, I find the other methods provided more comprehensive, but it sounds like you need a quick remedy.

Posted : 19/07/2018 2:48 am
d4n13l4
(@d4n13l4)
New Member

Thanks again for all the replies.

Just to clarify, I do not need this for any prosecution or similar; it's just malware investigations inside a company, and if I can find the origin and then look for similar patterns on other machines, even better. But it's more for personal knowledge, so I wanted another opinion from someone who knows more than me.

Posted : 19/07/2018 7:19 am