Windows memory analysis

Analysis of physical memory from Windows systems can yield significant information about the target operating system. This field is still very new, but holds great promise.

Data types

Data types typical to the WINAPI are documented by Microsoft in MS-DTYP 1.

Sample Memory Images

Getting started with memory analysis can be difficult without some known images to practice with.

• The 2005 DFRWS: Memory Analysis Challenge published two Windows 2000 Service Pack 1 memory images with some malware installed.
• The Digital Forensics Tool Testing project has published a few Windows memory images.
• The CFReDS Project has created some downloadable memory images.
• A number of RAM images can be downloaded from https://belkasoft.com/x. Images include ones with Gmail emails, Skype activity, Paltalk chats, browser URLs etc.

See Also

• Memory analysis
• Tools:Memory Imaging
• Pagefile.sys
• Memory Limits for Windows Releases, Microsoft MSDN.

History

During the 1990s, it became a best practice to capture a memory image during incident response. At the time, the only way to analyze such memory images was using strings. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.

In the summer 2005 the Digital Forensic Research Workshop published a Memory Analysis Challenge. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by Chris Betz, introduced a tool called memparser. The second, by George Garner and Robert-Jan Mora produced KnTList.

At the Blackhat Federal conference in March 2007, AAron Walters and Nick Petroni released a suite called Volatools. Although it only worked on Windows XP Service Pack 2 images, it was able to produce a number of useful data. Volatools was updated and re-released as Volatility in August 2007, and is now maintained and distributed by Volatile Systems.

Bibliography

2012

• Defeating Windows memory forensics, by Luka Milkovic, 29C3: 29th Chaos Communication Congress

2011

• Tracking Stuxnet's Footprint Through Memory, by Michael Ligh, Open Memory Forensics Workshop

2010

• Extracting Windows Command Line Details from Physical Memory, by Richard Stevens and Eoghan Casey, DFRWS

2009

• Robust Signatures for Kernel Data Structures by B. Dolan-Gavitt, et al., ACM Conference on Computer and Communications Security

2008

• Lest We Remember: Cold Boot Attacks on Encryption Keys, Usenix Security 2008 (Best student paper)
• Pushing the Limits of Windows: Physical Memory, by Mark Russinovich, Technet Blogs, July 21, 2008
• The impact of Microsoft Windows pool allocation strategies on memory forensics, by Andreas Schuster, DFRWS 2008
• Finding Digital Evidence In Physical Memory, by Mariusz Burdach, Black Hat Federal, 2008
• Forensic Memory Analysis: Files mapped in memory, by Ruud van Baar, DFRWS 2008
• Forensic Analysis of the Windows Registry in Memory, by Brendan Dolan-Gavitt, DFRWS 2008

2007

• Beyond The CPU: Defeating Hardware Based RAM Acquisition (part I: AMD case), by Joanna Rutkowska COSEINC Advanced Malware Labs
• Forensic Memory Analysis: From Stack and Code to Execution History, by Ali Reza Arasteh and Mourad Debbabi, DFRWS 2007
• BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software, by Bradley Schatz, DFRWS 2007
• The VAD Tree: A Process-Eye View of Physical Memory, by Brendan F Dolan-Gavitt, DFRWS 2007

2006

• Searching for Processes and Threads in Microsoft Windows Memory Dumps, by Andreas Schuster, Deutsche Telekom AG, Germany, DFRWS 2006
• Using every part of the buffalo in Windows memory, by Jesse D. Kornblum, DFRWS 2006

External Links

• NTAPI Undocumented Functions
• MS-DTYP: Windows Data Types
• Catalog of key Windows kernel data structures
• Jesse Kornblum Memory Analysis discussion on Cyberspeak
• Attacking the Windows kernel, by Jonathan Lindsay, BlackHat 2007
• Malware Analysis Tutorial 7: Exploring Kernel Data Structure, by Dr. Fu, December 14, 2011
• Windows Virtual Address Translation and the Pagefile, by Michael Cohen, October 31, 2014

Kernel debugging

• Advanced Windows Debugging: Memory Corruption Part II—Heaps, by Daniel Pravat and Mario Hewardt, November 9, 2007
• Finding Kernel Global Variables in Windows, by Brendan Dolan-Gavitt, April 16, 2008
• Finding the Kernel Debugger Block, by Michael Cohen, November 18, 2012
• Do we need the Kernel Debugging Block?, by Michael Cohen, February 21, 2014

Volatility Labs

• MoVP 1.1 Logon Sessions, Processes, and Images
• MoVP 1.2 Window Stations and Clipboard Malware
• MoVP 1.3 Desktops, Heaps, and Ransomware
• MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection
• MoVP 2.2 Malware In Your Windows
• MoVP 2.3 Event Logs and Service SIDs
• MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem
• HowTo: Scan for Internet Cache/History and URLs
• MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes
• MoVP 3.3 Analyzing USER Handles and the Win32k.sys Gahti
• MoVP 3.4: Recovering tagCLIPDATA: What's In Your Clipboard?
• MoVP 4.1 Detecting Malware with GDI Timers and Callbacks
• MoVP 4.2 Taking Screenshots from Memory Dumps
• MoVP 4.4 Cache Rules Everything Around Me(mory)
• OMFW 2012: Malware In the Windows GUI Subsystem
• OMFW 2012: Reconstructing the MBR and MFT from Memory
• OMFW 2012: The Analysis of Process Token Privileges
• OMFW 2012: Mining the PFN Database for Malware Artifacts

WinDBG

• SwishDbgExt - Incident Response & Digital Forensics Debugging Extension