Skip to content

Memory Forensics Overview

Memory Forensics

Cyber Kill Chain

Describes how a malware is delivered to the system

[Diagram — add to assets/ if available]

Why is memory forensics used?

  • Idea about user activity – File usage examination – Did someone do something on a system??
  • Host Compromise – memory forensics to identify suspicious processes, network activity, malware, persistence.
  • “Malware can hide but it has to run”
  • Memory forensics can help to detect malware by looking for specific indicators or anomalies that suggest malicious activity.
  • Memory forensics can also provide a snapshot of the malware's behaviour and functionality, which can help to identify its purpose, origin, and impact.

Processes

  • Process is an application or part of an application being executed in memory (Booting OS, opening word doc, spreadsheet etc are supported by number of processes running on the system).
  • Processes are Created , suspended, terminated by OS
  • PID- process ID number, PPID –parent PID , the processes that spawned the child process (in investigations tracing back the process that spawned the malicious process is imp to understand events that led to compromise of the system)
Windows Core Processes

[Diagram — add to assets/ if available]

Triage

Interpreting processes for investigative leads

  • Parent-child mismatch: When a process has the wrong parent
  • Example: svchost.exe should have services.exe as parent - if it doesn't, it's suspicious
  • Multiple instances: Some processes should only run once (single-instance)
  • Example: lsass.exe should only have one instance - more than one indicates malware
  • Investigators use cheat sheets listing expected parent processes for each Windows process