Memory Forensics Cheat Sheet v3.0
POCKET REFERENCE GUIDE
SANS Institute, by Chad Tilbury
http://dfir.sans.org
http://sans.org/for508

Purpose

This reference supports the SANS Institute FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics Course. It is not intended to be an exhaustive resource for MemProcFS, Volatility, or any other tools.

Volatility is a trademark of the Volatility Foundation. The SANS Institute is not sponsored, approved by, or affiliated with the Volatility Foundation.

How To Use This Document

Memory analysis is one of the most powerful tools available to forensic examiners. This guide aims to document and simplify the overwhelming number of tools and available capabilities.

Windows memory analysis can generally be split into six steps:
  1. Identify Rogue Processes
  2. Analyze Process Objects
  3. Review Network Artifacts
  4. Look for Evidence of Code Injection
  5. Audit Drivers and Rootkit Detection
  6. Dump Memory Objects of Interest

In this reference guide we outline the most useful MemProcFS and Volatility capabilities to support these six stages of memory forensics. Further information is provided for:
  ➢ Memory Acquisition
  ➢ Live Memory Scanning
  ➢ Using Indicators of Compromise
  ➢ Alternate Windows Memory Locations

Dump Memory Objects of Interest

Many Volatility 3 plugins have an option to "--dump" objects: pslist, psscan, dlllist, modules, modscan, malfind

  vol.py -f mem.img windows.pslist.PsList --pid 840 --dump

Extraction plugins also exist for other Windows memory objects:
  windows.memmap.Memmap
  windows.filescan.FileScan
  windows.dumpfiles.DumpFiles
  windows.mftscan.MFTScan
  windows.svcscan.SvcScan

Memory Analysis with YARA

Volatility 3 VadYaraScan
  --yara-file    Text file of YARA rules

  vol.py -f mem.img windows.vadyarascan --yara-file rules

MemProcFS YARA Integration
MemProcFS includes built-in YARA signatures from Elastic Security.
  Add to command line: -license-accept-elastic-license-2-0
  Built-in YARA hits: M:\forensic\csv\findevil.csv
  Include custom signatures: -forensic-yara-rules rules
  Custom YARA hits: M:\forensic\yara

Memory Acquisition

Execute command terminal as Administrator.

WinPmem
https://github.com/Velocidex/WinPmem
  -d    Output to <filename>
  -l    Load driver for live memory analysis

  winpmem_mini_x64_<version>.exe -d D:\mem.img   (64-bit)

Magnet DumpIt
https://for508.com/dumpit
  /OUTPUT       Image destination
  /TYPE         Memory output format (RAW | DMP)
  /NOCOMPRESS   Do not compress output when > 32GB

  DumpIt.exe /TYPE DMP /OUTPUT D:\mem.img

Live Memory Scanning

Powerful capabilities exist to scan processes for anomalies on live systems. Useful for hunting and memory research. An Administrator command terminal is required.

Moneta
Memory scanning tool looking for dynamic/unknown code, suspicious PE image regions, and advanced indicators of compromise
https://github.com/forrest-orr/moneta
  -p          Process IDs to scan (* for all)
  -m ioc      Scan only suspicious memory regions (-m * for all)
  -d          Dump selected process memory to local file system
  --filter    Limit scans to reduce false positives
              (* | unsigned-module | metadata-modules | clr-heap | clr-prvx | wow64-init)

  moneta64.exe -m ioc -p * --filter * -d

Hollows_Hunter
Identifies potential process implants, shellcode, hooks, and in-memory patches
https://github.com/hasherezade/hollows_hunter
  /pname    Scan specific processes by name
  /pid      Scan specific processes by PID
  /dnet     Set policy for skipping .NET processes
  /hooks    Detect code patches and inline hooks (noisy)
  /dir      Directory to save dumps and reporting

  hollows_hunter64.exe /pid 1290;454 /dir .\Output

Get-InjectedThreadEx
Find suspicious threads (and associated processes) indicative of code injection
https://github.com/jdu2600/Get-InjectedThreadEx

  Get-InjectedThreadEx.exe > .\output.txt

Alternate Windows Memory Locations

Hibernation File (Compressed)
  C:\hiberfil.sys
Page and Swap Files
  C:\pagefile.sys
  C:\swapfile.sys   (Windows 8+ \ Server 2012+)
Crash Dump
  C:\Windows\MEMORY.DMP

In rare instances locations can differ from the defaults (except hiberfil.sys).

© 2023 SANS Institute Memory_FOR_CheatSheet_3.0 1
MemProcFS (Windows Memory Analysis)
https://github.com/ufrisk/MemProcFS

  MemProcFS.exe [options] -device <memory image>

  -device:           Memory image (includes hibernation file support)
  -v:                Enable verbose auditing in console
  -pagefile0:        Specify pagefile.sys file (not required)
  -pagefile1:        Specify swapfile.sys file (not required)
  -mount:            Drive letter for analysis output (M:\ is default)
  -forensic [0-4]:   Start forensic scan of memory upon startup
      0 = not enabled (default value)
      1 = forensic mode with in-memory sqlite database
      2 = forensic mode with temp sqlite database deleted upon exit
      3 = forensic mode with temp sqlite database remaining upon exit
      4 = forensic mode with static named sqlite database (vmm.sqlite3)

Processes:
  Process Tree: M:\sys\proc\proc.txt
  CSV (requires -forensic): M:\forensic\csv\process.csv

Process Objects:
  Objects are represented as files. Use a simple copy/paste for "dumping".
  By PID: M:\pid
  By Name: M:\name

Network Artifacts:
  Text: M:\sys\net\netstat.txt
  CSV (requires -forensic): M:\forensic\csv\net.csv

Code Injection and Anomaly Detection (requires -forensic):
  Text: M:\forensic\findevil\findevil.txt
  CSV: M:\forensic\csv\findevil.csv

Cached Files (requires -forensic):
  Extracted files in virtualized file system: M:\forensic\files
  List of available cached files: M:\forensic\csv\files.csv

Other Analysis Capabilities (most require -forensic):
  Virtualized Registry: M:\registry
  MFT Virtualized File System: M:\forensic\ntfs
  Drivers: M:\forensic\csv\drivers.csv
  Services: M:\forensic\csv\services.csv
  Scheduled Tasks: M:\forensic\csv\tasks.csv
  Forensic Timeline: M:\forensic\csv\timeline_all.csv

Getting Started with Volatility 3

Getting Help (Windows / Linux / Mac Memory Analysis)
https://github.com/volatilityfoundation/volatility3
  vol.py -h           (show options and supported plugins)
  vol.py plugin -h    (show plugin usage)

Sample Command Line
  vol.py -f mem.img plugin

Query Memory Image Metadata (OS Profile & SystemTime)
  vol.py -f mem.img windows.info.Info

Create and use a JSON Config File to Accelerate Processing
  vol.py --write-config -f mem.img windows.info.Info
  vol.py -c config.json -f mem.img plugin

Output and Format Options
These options must precede the plugin within the command line:
  -r <csv | pretty | json>   Output format
  -o folder                  Output folder for extracted items (useful with --dump)
Plugin-specific options must follow the plugin name:
  --pid PID1,PID2            Limit data to specific process IDs (most plugins)
Plugin names can be shortened if they still result in a unique match:
  vol.py -f mem.img -r csv windows.pslist --pid 4

Identify Rogue Processes

pslist - High level view of running processes
  --dump    Extract process executables
  vol.py -f mem.img windows.pslist.PsList

psscan - Deep scan of memory for EPROCESS blocks
  vol.py -f mem.img windows.psscan.PsScan

pstree - Display parent-process relationships
  --pid     Display mini-process tree for single parent process
  vol.py -f mem.img windows.pstree.PsTree

Analyze Process Objects

dlllist - List of loaded DLLs by process
  --dump    Extract DLLs from the memory image
  vol.py -f mem.img windows.dlllist.DllList --pid 840

cmdline - Display process command lines from PEB
  vol.py -f mem.img windows.cmdline.CmdLine

getsids - Print process security identifiers
  vol.py -f mem.img windows.getsids.GetSIDs

handles - List of open handles for each process
Pipe results to egrep to display only handles of a certain type:
  vol.py -f mem.img windows.handles.Handles --pid 840 | egrep 'File|Key|Mutant'

Review Network Artifacts

netstat - Display data from network tracking structures
  vol.py -f mem.img windows.netstat.NetStat

netscan - Deep scan for network connections and sockets
  --include-corrupt    Relax validation for more results
  vol.py -f mem.img windows.netscan.NetScan

Look for Evidence of Code Injection

malfind - Find suspicious RWX sections not mapped to disk
  --dump    Save suspicious memory sections to a folder
  vol.py -f mem.img -o tmp windows.malfind.Malfind --dump

ldrmodules - Detect unlinked DLLs
  vol.py -f mem.img windows.ldrmodules.LdrModules

Audit Drivers and Rootkit Detection

modules - View list of loaded kernel drivers
  --dump           Extract listed drivers
  --name driver    Info on named driver (can use with --dump)
  vol.py -f mem.img windows.modules.Modules --name ks.sys

modscan - Scan for loaded, unloaded, and unlinked drivers
  --dump    Extract all available drivers
  vol.py -f mem.img -o tmp windows.modscan.ModScan --dump

ssdt - Output System Service Descriptor Table
  vol.py -f mem.img windows.ssdt.SSDT

driverirp - Print driver IRP (major function) tables
  vol.py -f mem.img windows.driverirp.DriverIrp
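Cross-checking pslist (the linked process list) against psscan (EPROCESS blocks carved from memory) is how the "Identify Rogue Processes" step surfaces processes a rootkit has unlinked or that have already exited. The Python below is an added example, not code from the cheat sheet or from Volatility; it assumes the column names the Volatility 3 csv renderer (-r csv) emits for windows.pslist and windows.psscan, and the sample rows are constructed.

```python
"""Diff Volatility 3 `-r csv` output of pslist and psscan to flag processes that
psscan carved from memory but the linked process list does not show.
Column names are assumed to match the Volatility 3 csv renderer."""
import csv
import io

# Constructed sample: `vol.py -f mem.img -r csv windows.pslist.PsList`
PSLIST_CSV = """TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xe0000a4b1040,120,N/A,N/A,False,2023-05-01 10:00:00.000000,N/A,Disabled
0,512,4,smss.exe,0xe0000bf6c040,2,N/A,N/A,False,2023-05-01 10:00:01.000000,N/A,Disabled
0,840,780,svchost.exe,0xe0000c2a1080,12,N/A,0,False,2023-05-01 10:00:05.000000,N/A,Disabled
"""
# Constructed sample: `vol.py -f mem.img -r csv windows.psscan.PsScan`
PSSCAN_CSV = """TreeDepth,PID,PPID,ImageFileName,Offset(P),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0x3a4b1040,120,N/A,N/A,False,2023-05-01 10:00:00.000000,N/A,Disabled
0,512,4,smss.exe,0x3bf6c040,2,N/A,N/A,False,2023-05-01 10:00:01.000000,N/A,Disabled
0,840,780,svchost.exe,0x3c2a1080,12,N/A,0,False,2023-05-01 10:00:05.000000,N/A,Disabled
0,1290,840,updater.exe,0x3d1f5080,3,N/A,0,False,2023-05-01 10:02:11.000000,N/A,Disabled
0,2044,1290,cmd.exe,0x3e77a080,0,N/A,0,False,2023-05-01 10:02:30.000000,2023-05-01 10:02:31.000000,Disabled
"""


def load_processes(csv_text):
    """Map (PID, ImageFileName) -> row dict for one plugin's csv output."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(int(r["PID"]), r["ImageFileName"]): r for r in rows}


def find_hidden_processes(pslist_text, psscan_text):
    """Return sorted (pid, name, ppid, status) for processes only psscan found.
    status is 'terminated' when psscan recorded an ExitTime (normal for a
    process that exited but whose EPROCESS is still in memory) and 'unlinked'
    otherwise, which merits a closer look with pstree, dlllist and malfind."""
    listed = load_processes(pslist_text)
    carved = load_processes(psscan_text)
    findings = []
    for (pid, name), row in carved.items():
        if (pid, name) in listed:
            continue
        status = "terminated" if row["ExitTime"].strip() != "N/A" else "unlinked"
        findings.append((pid, name, int(row["PPID"]), status))
    return sorted(findings)


if __name__ == "__main__":
    for pid, name, ppid, status in find_hidden_processes(PSLIST_CSV, PSSCAN_CSV):
        print(f"PID {pid:>5}  {name:<16} PPID {ppid:>5}  {status}")
```

On real images, write both plugins' output with -r csv to files first, then feed the file contents to find_hidden_processes.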