Digital Forensics and Incident Response website

Introduction to Memory Acquisition – extended version

Introduction


IT security is the most complex area of the digital world: we are exposed to a huge number of threats, dozens of new malware samples (viruses, Trojans, spyware and worms) appear every single day, along with hundreds of variants, and it is obvious that, for now, the crackers are winning the war. Malware is becoming more sophisticated by adding rootkit techniques to its code, by using anti-forensic techniques to hinder analysis by experts, by relying on encrypted code and by lots of other tricks.


The well-known static and dynamic analysis methods are still valid, but they are difficult to carry out successfully. For example, if we try to run a dynamic analysis inside a virtual machine, we find malware whose code includes instructions such as “sidt” (Red Pill), “str” (which stores the task register, the selector of the task state segment – TSS) and “sldt” (No Pill) to detect a virtualized environment and stop its own execution there.


Trying to attach a debugger can be hard because malware uses calls such as “QueryPerformanceCounter” and “GetTickCount”, as well as SEH manipulation, as anti-forensic methods to cut its execution short. Even well-known tricks such as calling “FindWindowA” from a TLS callback function (invoked from the TLS section, before the entry point) to keep a specific debugger (WinDbg, for example) from continuing are commonly used. Of course, trying to analyze malware on disk can be as difficult as trying to execute it (in a dynamic analysis), because it is usually encrypted and packed with unusual packers (no longer just the good old UPX).
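As an added example (not part of the original article), the following Python script shows a defender-side static triage check for the anti-analysis indicators named above: it scans a buffer for the opcode encodings of sidt, sldt and str (0F 01 /1, 0F 00 /0 and 0F 00 /1 in the Intel manual) and for the names of the timing and window-lookup APIs among the ASCII strings. The sample buffer is constructed and the function names are my own. Because it scans raw bytes without disassembling, it is a heuristic that can misfire on data that happens to contain those byte patterns, so hits are leads for the analyst rather than verdicts.

```python
"""Static triage for anti-VM / anti-debug indicators (added example, constructed data)."""

# Opcode encodings from the Intel SDM: SLDT = 0F 00 /0, STR = 0F 00 /1, SIDT = 0F 01 /1.
# "/digit" is the reg field (bits 5..3) of the ModR/M byte following the two-byte opcode.
DESCRIPTOR_TABLE_OPS = {
    (0x00, 0): "sldt (No Pill)",
    (0x00, 1): "str",
    (0x01, 1): "sidt (Red Pill)",
}

# API names the article cites as anti-debugging aids; matched as ASCII strings
# (they typically appear in the import table of an unpacked sample).
ANTI_DEBUG_APIS = [b"QueryPerformanceCounter", b"GetTickCount", b"FindWindowA"]


def find_descriptor_table_instructions(code: bytes) -> list:
    """Return (offset, mnemonic) for every byte sequence that encodes sldt/str/sidt.

    Heuristic: no disassembly is done, so a hit may be data or the tail of another
    instruction. sidt only takes a memory operand, so a ModR/M with mod == 3 after
    0F 01 encodes a different instruction (monitor/mwait and friends) and is skipped.
    """
    hits = []
    for i in range(len(code) - 2):
        if code[i] != 0x0F or code[i + 1] not in (0x00, 0x01):
            continue
        modrm = code[i + 2]
        mod = modrm >> 6
        reg = (modrm >> 3) & 0x7
        if code[i + 1] == 0x01 and mod == 3:
            continue
        mnemonic = DESCRIPTOR_TABLE_OPS.get((code[i + 1], reg))
        if mnemonic:
            hits.append((i, mnemonic))
    return hits


def find_anti_debug_apis(data: bytes) -> list:
    """Return the cited API names that appear as ASCII strings in the buffer."""
    return [name.decode() for name in ANTI_DEBUG_APIS if name in data]


def triage(data: bytes) -> dict:
    """Summarise both checks so a hunt can prioritise samples for memory analysis."""
    ops = find_descriptor_table_instructions(data)
    apis = find_anti_debug_apis(data)
    return {
        "descriptor_table_ops": ops,
        "anti_debug_apis": apis,
        # Two timing APIs alone are common in benign code; one descriptor-table
        # instruction in user-mode code is far more unusual, so it counts on its own.
        "suspicious": bool(ops) or len(apis) >= 2,
    }


# Constructed sample: a few real encodings plus two near-misses that must not match.
SAMPLE = (
    b"\x55\x8b\xec"                    # push ebp; mov ebp, esp (filler)
    b"\x0f\x01\x0d\x00\x00\x00\x00"    # sidt [disp32]   (Red Pill), offset 3
    b"\x0f\x00\xc0"                    # sldt eax        (No Pill), offset 10
    b"\x0f\x00\xc8"                    # str eax, offset 13
    b"\x0f\x01\xd0"                    # xgetbv: reg field 2, not in the table
    b"\x0f\x01\xc8"                    # monitor: mod == 3 with reg 1, not sidt
    b"QueryPerformanceCounter\x00GetTickCount\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real sample you would feed the script the unpacked image or a memory-resident copy of the module rather than the packed file on disk, since packing hides both the opcodes and the import names until run time.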


Therefore, there is only one place where we can fight malware with a reasonable chance of overcoming it, and that is in memory, and here the best memory forensics tool in the world comes into play: Volatility. In my sincere opinion, the main fact that justifies the choice to look for threats in memory is that most of the time the information resident in memory is not the same as on disk. Furthermore, the information from memory is more complete.


In this article we will learn how to acquire memory using simple and efficient techniques on Windows and Linux. In the next articles, we will study the Volatility framework.
