CST 3510
Memory Analysis
Learning Slides 1
Module Introduction
David Neilson
Overview
These learning slides are here to provide a brief introduction to
the subject and some of the main details around the module.
• Memory analysis background
• Module Structure
• Learning Materials
• Support
© [email protected] CST 3510 Learning Slides 1 - Module Introduction | 2
Computer Memory - RAM
• Each digital device requires a working memory to enable its
proper functioning.
• The main working memory is commonly referred to as Random
Access Memory (RAM).
• Also referred to as Primary Memory, it should not be confused
with Secondary Memory (disk storage).
• Unlike disks which provide permanent storage, RAM is a volatile
store of data and will lose its contents if power is removed.
Computer Memory
• For every action performed on a digital device, a record of it will
have passed through main memory at some point.
• Some of this data persists once it has been used keeping it
preserved while the power remains.
• In this module you will learn how to extract this data and select
the correct tools to identify and analyse it.
• Can be hard to acquire full picture as it is constantly changing
and updating its contents.
Brief History of Memory Analysis
• Historically disk analysis formed the basis for the majority of
forensic analysis.
• Memory analysis developed during the early 2000s in response to the
increasing number of digital incidents and to more sophisticated
attacks.
• Early work consisted mostly of ‘unstructured analysis’.
• Primitive tools/search methods, e.g. grep, strings, hex editors: the raw
dump is searched for recognisable text without any knowledge of the OS
structures that own it.
• In 2005 the Digital Forensic Research Workshop (DFRWS) released its
annual forensic challenge
• A Windows memory sample to promote research into the field.
• https://github.com/dfrws/dfrws2005-challenge
• Led to the creation of a number of memory analysis tools
• KntTools (Garner, 2005), VolaTools (Walters & Petroni), Volatility
Framework (Volatility Foundation, 2007)
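As an added illustration of the ‘unstructured analysis’ that early tools such as strings and grep performed (example code written for these notes, not taken from the slides or from any of the tools named above): it scans a constructed byte string standing in for a slice of a raw memory image, pulls out printable ASCII and UTF-16LE runs together with their offsets, and lets you grep them case-insensitively. The sample image, the file path, the command line and the credential embedded in it are all constructed. Notice what the output cannot tell you: which process owned each string, or whether it was live or leftover in a freed page. That gap is exactly what motivated the structured tools that followed.

```python
"""Unstructured memory analysis: a minimal strings/grep over a raw image.

Added example for these notes; the sample image below is constructed.
"""
import re
from typing import List, Tuple

# Constructed stand-in for a slice of a raw memory dump: binary noise with
# a few embedded ASCII and UTF-16LE strings (UTF-16LE is how Windows keeps
# most of its strings in memory, which plain `strings` misses by default).
SAMPLE_IMAGE = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"C:\\Users\\alice\\secret.docx\x00"
    + b"\xff\xfe\x13\x37"
    + "cmd.exe /c whoami".encode("utf-16-le")
    + b"\x00\x00\x07\x08"
    + b"password=hunter2\x00"
    + b"\x42\x42\x00"
)


def find_ascii_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of >= min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def find_utf16le_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for runs of >= min_len printable UTF-16LE code units."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]


def grep_strings(data: bytes, keyword: str, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Case-insensitive keyword search over both encodings: (offset, encoding, text)."""
    hits = [(off, "ascii", s) for off, s in find_ascii_strings(data, min_len)]
    hits += [(off, "utf-16le", s) for off, s in find_utf16le_strings(data, min_len)]
    needle = keyword.lower()
    return sorted(h for h in hits if needle in h[2].lower())


if __name__ == "__main__":
    # Dump every string containing an "e", the way `strings | grep -i e` would.
    for off, enc, text in grep_strings(SAMPLE_IMAGE, "e"):
        print(f"0x{off:08x} [{enc:8}] {text}")
```

On a real multi-gigabyte dump you would read the file in chunks rather than loading it whole, and you would treat any hit as a lead to be confirmed against process and memory-map structures, not as evidence on its own.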
Forensic Value of Memory Analysis
• Over the next 15 years the importance of this area of study, and the
amount of research attached to it, has increased significantly.
• Driven by the rise in the use of encryption and the need to detect and
prevent increasingly sophisticated malware/attacks.
• A lot of the data held in RAM may never be written to physical disk, so
if volatile data is not collected, vital information is missed.
• There are artefacts of high forensic and investigative value, e.g.
encryption keys, passwords, clipboard contents, etc.
• Analysis of memory contents forms an essential part of any security
prevention policy or forensic investigation.
Applications for Memory Analysis
• Malware Analysis
• To disassemble and understand malware, e.g. its persistence methods.
• Digital Investigation
• Recover evidence in the form of digital artefacts to explain a digital event.
• Incident Response
• To identify and mitigate ongoing security incidents or cyber
attacks.
• Security Research
• Pen testing and related methods allow vulnerabilities to be
identified before they are exploited.
• Quite often the work will involve some form of comparative analysis
• Comparing the current state with a clean state (or other previous
states) to identify when changes to a system, or an attack, took place.
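The comparative analysis described above, as an added example written for these notes (not code from the slides, from Volatility, or from the module's lab material): two constructed process listings in the shape of a pslist-style (pid, ppid, name) table, one taken from a clean baseline and one from the suspect system. The diff reports processes that appeared, vanished, or changed under a reused PID, and a second check flags known Windows processes whose parent is not the one expected. Both snapshots and the expected-parent table are constructed assumptions; on a real case the table comes from your knowledge of the OS version under investigation.

```python
"""Comparative analysis: diff a suspect process listing against a clean baseline.

Added example for these notes; both snapshots below are constructed and
are shaped like a pslist-style (pid, ppid, name) listing.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Constructed "clean" snapshot of a Windows host.
BASELINE = [
    Proc(4, 0, "System"),
    Proc(400, 4, "smss.exe"),
    Proc(520, 400, "csrss.exe"),
    Proc(560, 400, "wininit.exe"),
    Proc(640, 560, "services.exe"),
    Proc(656, 560, "lsass.exe"),
    Proc(780, 640, "svchost.exe"),
    Proc(1200, 600, "explorer.exe"),
    Proc(1500, 1200, "notepad.exe"),
]

# Constructed "suspect" snapshot: notepad has gone, and an svchost.exe has
# appeared under explorer.exe with a cmd.exe child.
SUSPECT = [p for p in BASELINE if p.pid != 1500] + [
    Proc(2044, 1200, "svchost.exe"),
    Proc(2100, 2044, "cmd.exe"),
]

# Assumed parent relationships for a few core Windows processes (lower-case).
EXPECTED_PARENT: Dict[str, str] = {
    "svchost.exe": "services.exe",
    "lsass.exe": "wininit.exe",
    "services.exe": "wininit.exe",
}


def compare_snapshots(baseline: Iterable[Proc], suspect: Iterable[Proc]) -> Dict[str, List[Proc]]:
    """Split the suspect listing into added, removed and changed entries.

    'changed' means the same pid exists in both but with a different name or
    parent, which is what PID reuse between the two captures looks like.
    """
    base = {p.pid: p for p in baseline}
    susp = {p.pid: p for p in suspect}
    return {
        "added": sorted((susp[pid] for pid in susp.keys() - base.keys()), key=lambda p: p.pid),
        "removed": sorted((base[pid] for pid in base.keys() - susp.keys()), key=lambda p: p.pid),
        "changed": sorted(
            (susp[pid] for pid in susp.keys() & base.keys() if susp[pid] != base[pid]),
            key=lambda p: p.pid,
        ),
    }


def parent_anomalies(snapshot: Iterable[Proc]) -> List[Tuple[int, str, str, str]]:
    """Report (pid, name, actual_parent, expected_parent) for known processes with the wrong parent."""
    procs = list(snapshot)
    by_pid = {p.pid: p for p in procs}
    anomalies = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue  # no expectation recorded for this process name
        parent = by_pid.get(p.ppid)
        actual = parent.name.lower() if parent else "<no such pid>"
        if actual != expected:
            anomalies.append((p.pid, p.name, actual, expected))
    return anomalies


if __name__ == "__main__":
    report = compare_snapshots(BASELINE, SUSPECT)
    for kind, procs in report.items():
        for p in procs:
            print(f"{kind:8} pid={p.pid:<6} ppid={p.ppid:<6} {p.name}")
    for pid, name, actual, expected in parent_anomalies(SUSPECT):
        print(f"anomaly  pid={pid:<6} {name} parent is {actual}, expected {expected}")
```

The baseline must come from a comparable state of the same build; diffing against an unrelated machine produces noise, and an "added" process is only a lead until its parent, image path and start time have been checked.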
Memory Dumps
• The contents of memory can be extracted as a memory dump, which can
in some ways be considered an image of the RAM.
• Can be extremely large depending on the size of the system acquired
from: 32 GB of RAM gives roughly a 32 GB dump (a raw dump covers the
physical address space, so it can be slightly larger than the RAM fitted).
• A hash value cannot prove that a dump matches the “true” state of
memory, because, unlike a disk image, the contents cannot be prevented
from changing while the acquisition is taking place.
• Investigators still hash the dump at the point of completion, so that
any change after acquisition (during transfer, storage or analysis) can
be detected.
• There are a number of different acquisition methods; we will look
closer at this topic in Learning Week 2.
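Hashing the dump at the point of completion, as an added example written for these notes (not code from the slides or from any acquisition tool): the dump is streamed through the hash in fixed-size chunks, so a 32 GB file is never read into memory at once, and the size plus digest are sealed into a small JSON manifest beside it. Later verification checks the size first (cheap) and then re-hashes. The file names, the manifest format and the “dump” that demo() writes (a few MiB of random bytes) are all constructed assumptions.

```python
"""Seal a memory dump with a hash right after acquisition, then verify it.

Added example for these notes. The 'dump' created in demo() is a few MiB of
constructed random bytes standing in for a multi-gigabyte image.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, Iterable, Tuple

CHUNK = 1 << 20  # 1 MiB reads: a 32 GB dump cannot be hashed with one read()


def hash_chunks(chunks: Iterable[bytes], algorithm: str = "sha256") -> str:
    """Hash an iterable of byte blocks incrementally and return the hex digest."""
    h = hashlib.new(algorithm)
    for block in chunks:
        h.update(block)
    return h.hexdigest()


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Stream a file through hash_chunks so memory use stays at one CHUNK."""
    with open(path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(CHUNK), b""), algorithm)


def write_manifest(dump_path: str, manifest_path: str, algorithm: str = "sha256") -> Dict[str, object]:
    """Record file name, size and digest at the moment acquisition completes."""
    manifest = {
        "file": os.path.basename(dump_path),
        "size": os.path.getsize(dump_path),
        "algorithm": algorithm,
        "digest": hash_file(dump_path, algorithm),
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(dump_path: str, manifest_path: str) -> bool:
    """True only if the dump still matches the size and digest sealed in the manifest."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    if os.path.getsize(dump_path) != manifest["size"]:
        return False  # a truncated copy fails here before any hashing is done
    return hash_file(dump_path, manifest["algorithm"]) == manifest["digest"]


def demo() -> Tuple[bool, bool]:
    """Seal a constructed dump, verify it, invert one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        dump = os.path.join(workdir, "memory.raw")
        manifest = os.path.join(workdir, "memory.raw.sha256.json")
        with open(dump, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))  # constructed: ~3 MiB of noise
        write_manifest(dump, manifest)
        intact = verify_manifest(dump, manifest)
        with open(dump, "r+b") as f:  # tamper: invert a single byte in the middle
            f.seek(CHUNK + 7)
            original = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_manifest(dump, manifest)
    return intact, tampered


if __name__ == "__main__":
    print("intact=%s tampered=%s" % demo())
```

Keep the manifest (or at least the digest) somewhere other than the evidence drive, for instance in the case notes; a digest stored only next to the file it protects can be rewritten along with it.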
What information can be extracted?
• A number of important artefacts can be recovered from memory
which are never written to disk during normal operation.
• Running Processes
• Active Network Connections
• Encryption Keys
• System & User Credentials
• Clipboard Data
• Registry Hives
• Temporary Data
• Environment Variables
• Some of this data may still get written to disk, e.g. process
memory pages that are paged out to the pagefile/swap when the system
is short of physical memory.
Malware Analysis
• Whilst we will be considering the topic from a forensic
perspective our main focus for analysis will be on the detection
of Malware.
• Malicious software (malware) refers to a wide range of
software/code designed with harmful intent.
• Malware employs many different evasion techniques to enable
persistence and propagation.
• It often does this by manipulating and modifying the data
structures of the host OS.
• Many of these modifications can only be detected through analysis of
memory.
Malware Types
We will study some examples of the following during the module.
• Viruses
• Self-replicating programs which attach to legitimate files/software,
spreading when they are executed.
• Trojans
• Disguise themselves as legitimate files/software and trick the user into
downloading/executing them, then steal data, maintain access, etc.
• Ransomware
• Encrypts a user’s files, removing access to their data. A ransom is
demanded in exchange for the decryption key.
• Rootkits
• These hide their presence and activity by manipulating the main
components of the host OS.
Malware Types
• Keyloggers
• Record keystrokes entered into a digital device. The attacker’s goal
is to steal personal information that enables further crime.
• Worms
• Standalone malware able to spread without attaching to other
files.
• Spyware
• Collects information about a user’s activity on a digital device in
order to exploit that data in some way (surveillance, advertising).
• Botnets
• A network of compromised devices, known as ‘bots’ or ‘zombies’,
which can be used for DDoS attacks or mass distribution of spam
email.
Previous experience
• Builds on a lot of the skills you learnt in your modules last
year.
• Need to understand hexadecimal notation and offsets.
• Create images and other dumps of data.
• Extract data sets and use other tools and software to analyse
their contents.
• Detect suspicious behaviour and activity.
• Reconstruct events to try and tell a story of how a digital
device reached its state at the time of capture.
• Identify and perform analysis of key OS structures e.g.
registry, event logs.
• Network architecture and security methods.
• Work with command lines and Linux.
On this module you will learn
• The main methods for acquisition of memory and their
limitations.
• Gain greater experience using both Windows and Linux
command lines.
• Build on the Python you have already learnt to create your
own scripts that interrogate the memory sample.
• Learn how to create your own plugins for Volatility.
• Gain a much deeper understanding of system internals.
• Learn how rootkits and malware infect systems and hook
features of the OS to maintain their hidden persistence.
• How to identify suspicious activity through analysis of real-
world examples.
Module Structure
• The module focuses on the memory systems of two major OSs.
• Linux Analysis – Learning weeks 1-6
• Windows Analysis – Learning weeks 7-12
• Each week there are 3 different learning sessions to attend.
• Workshop – 2 hours
• Laboratory Sessions – 3 hours
• Online Sessions – 1 hour
• In addition to this you will be expected to read any learning
slides and view any key concept video for that given week.
• Details for each weekly session and its learning topics can be
found in the module handbook.
Workshops
• Main aim is to establish the key knowledge required to
understand the lab work properly.
• Each one will start with a very quick review of the main topics,
objectives, and learning materials for the week.
• Consist of a mixture of demonstration, class discussion, and
group-based exercises.
• You will be placed into workshop groups to complete questions
and exercises related to the weekly topics.
• To prepare for these sessions students should make use of the
learning slides and the core text (see later slide).
Lab Sessions
• These provide practical examples of how to explore the
memory sample and detect malicious activity.
• In a typical teaching week, there will usually be 2 learning
topics each with its own set of Lab Exercises.
• The Lab will be split into 2 learning halves effectively and we
will take a 10-minute break (for those who wish), at the halfway
point.
• For each learning topic there will be a short introduction to the
exercises for that topic, or a demonstration where necessary.
• At the completion of the exercises your lab tutor will quickly
review the material and go through the answers.
Lab Work and Setup
• The majority of the work we carry out will take place within virtual
machines (VMs).
• The main analysis VM for the module is a Kali Linux distribution
which contains many useful tools.
• CST3510-MemoryAnalysis.ova
• The default one used in the labs can be found on Unihub for
download and has Volatility installed.
• Copies are also on machines in H104 at C:\CST3510
• The other main piece of software we will be using for analysis
is Volatility.
• Volatility is an open-source memory forensics framework.
• Provides set of command line tools which can parse the
memory structures of the dump – more detail in the labs.
Online Sessions
• These sessions serve two main objectives
• Review, support and feedback
• These sessions are optional: you do not need to attend if you feel
you have understood the content for the week.
• They will be a mix of reviewing key concepts, demos of lab work
and their solutions, and answering any other questions.
• Assessment briefings and formative/summative feedback for
your work.
• These are important sessions providing essential information about
your assessments and progress on the module.
• You must attend these sessions.
• They are clearly marked in colour (orange/yellow) in the weekly
planner.
Learning Materials
• The learning materials for the module can be found on the
MyLearning page on Unihub.
• There is a separate folder for each Learning week and inside
you will find the following materials
• Learning Slides
• These provide most of the basic knowledge required to understand
the work you will carry out for that week. They will also assist in
understanding the results of your analysis in the labs.
• These should ideally be read prior to attending the workshop and
you may need to make use of them for the workshop exercises.
• However, for a full understanding and more details you will need to
read the core text, especially for Coursework 2.
Learning Materials
• Workshop Sheets
• These contain instructions, questions and exercises
• Physical copies will be given out during the workshop and
completed in your working groups during the workshop sessions
• A solutions sheet will be uploaded at the end of each workshop for
reference.
• Lab Exercise Sheets
• For most weeks you will find two lab sheets, as there will usually be
two learning topics each week.
• A combination of exercises and analysis questions.
• These provide experience, test your understanding, and are the best
way to prepare yourself for the assessments.
Learning Materials
• Key Concept Video
• For each week you will find a key concept video
• This introduces the main topics we will work on during that week
• Should be viewed prior to attending the workshops
• Data Files
• These may be used as demonstrations in the workshops.
• The majority of these are here to support the lab work and consist of
memory dumps, VMs,
Module Assessment
This module’s assessment is 100% coursework, made up of two pieces
of work.
• Coursework 1 – 50% of module grade
• Lab Test – Linux Memory Acquisition & Analysis.
• Individual piece of work completed during Week 6 Lab Session.
• Do not miss formative practice exercise in Week 2 Lab next week.
• Multiple resit opportunities during term (see weekly planner).
• Coursework 2 – 50% of module grade
• Report – Windows Memory Investigation.
• Group and individual report of an investigation into an infected
Windows image using comparative analysis.
• Provided with an infected Windows sample and must determine
what has happened.
Module Core Text
• The Art of Memory Forensics
• Ligh, M.H., Case, A., Levy, J. and Walters, A., 2014. The Art of Memory
Forensics: Detecting Malware and Threats in Windows, Linux, and Mac
Memory. John Wiley & Sons.
• Available on your Kortext account. You will need to read parts of
this book to pass the module successfully!
Support - Office Hours
• Mondays 11:30-13:30 at my office, room TG20, which can be found in
the Town Hall building.
• No appointment needed; come along any time you need help or
some feedback.
• At other times I will try to answer all emails within 24 hours, but this
is not always possible.
• For campuses other than Hendon, speak with your individual
tutor for this information.
References
• Ligh, M.H., Case, A., Levy, J. and Walters, A., 2014. The Art of Memory
Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John
Wiley & Sons. Chapter 1.
• Case, A. and Richard III, G.G., 2017. Memory forensics: The path forward. Digital
Investigation, 20, pp. 23-33.
• Kleymenov, A. and Thabet, A., 2022. Mastering Malware Analysis: A malware analyst’s
practical guide to combating malicious software, APT, cybercrime, and IoT attacks.
Packt Publishing Ltd.