
Memory Forensics


Last updated 1 year ago

Memory Structure:

| Name | Purpose | Evil |
|---|---|---|
| KDBG | Points to the EPROCESS block. | |
| EPROCESS | Executive Process Block. Each process has its own EPROCESS, and it points to the objects that were loaded by the PEB. | |
| PEB | | |
| VAD Tree | Kernel level. Contains the DLLs mapped into the process. | |
| Private Memory | Sole memory domain of the target process. Only READWRITE privs should be present here, which makes sense for items being read and written in the stack, heap, and data files. | No executables (EXEs or DLLs) should be here, nor should EXECUTE privileges. |
| Sharable Memory | Also known as mapped memory; maps all or part of shared files for use by the process. Files like .dat and .mui are usually present here. Expected privs: READONLY. | Unexpected: EXECUTE privs. |
| Image Mapped Memory | Part of sharable memory. Expect to see DLLs, EXEs, and drivers mapped here. Expected privs: EXECUTE_WRITECOPY, EXECUTE_READ. | Unexpected privs: EXECUTE_READWRITE. |

EPROCESS contains:

  • Name of the process executable (image file name)
  • PID
  • PPID
  • Location in memory (offset)
  • Creation time
  • Termination time (exit)
  • Threads assigned to the process
  • Handles to other OS artifacts
  • Link to the VAD tree
  • Link to the PEB block

Considerations:

  • 0.24% of private memory, 0.014% of sharable memory, and 0.01% of image memory contain RWX memory pages.

  • 0.62% of private, 0.036% of sharable, and 17.5% of image memory contain RX memory pages.
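As an added example (not code from the original page), the routine below encodes the expected and unexpected protections from the memory-structure table and the RWX/RX considerations above as a small Python triage step, run over constructed rows of the kind a VAD walk (for instance Volatility's windows.vadinfo or windows.malfind output) yields. The Region fields, the sample addresses and the has_pe flag are assumptions made for the example; real input would be fed from a Volatility run.

```python
"""Added example (not from the original page): classify a process's memory
regions against the expectations in the memory-structure table above.

The rows below are constructed to resemble what a VAD walk yields: region
type, page protection and whether an MZ/PE header sits at the region start.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Region:
    start: int
    end: int
    kind: str         # "private", "sharable" or "image"
    protection: str   # Windows page-protection constant, e.g. PAGE_READWRITE
    has_pe: bool      # True if an MZ header was found at the region start


def assess(region: Region) -> List[str]:
    """Return the reasons a region violates the table's expectations (empty if none)."""
    findings = []
    prot = region.protection
    # Private and sharable memory should never carry EXECUTE rights.
    if region.kind in ("private", "sharable") and "EXECUTE" in prot:
        findings.append(f"executable {region.kind} memory ({prot})")
    # Image mappings are expected as EXECUTE_WRITECOPY / EXECUTE_READ, not RWX.
    if region.kind == "image" and prot == "PAGE_EXECUTE_READWRITE":
        findings.append("RWX image mapping (module code page left writable)")
    # No EXE/DLL should live in private memory at all.
    if region.kind == "private" and region.has_pe:
        findings.append("PE header in private memory (no file-backed module expected here)")
    return findings


def triage(regions: List[Region]) -> Dict[str, List[str]]:
    """Map 'start-end' of every region with at least one finding to its findings."""
    out: Dict[str, List[str]] = {}
    for r in regions:
        found = assess(r)
        if found:
            out[f"{r.start:#x}-{r.end:#x}"] = found
    return out


# Constructed sample regions; addresses and contents are illustrative only.
SAMPLE_REGIONS = [
    Region(0x400000, 0x4A0000, "image", "PAGE_EXECUTE_WRITECOPY", True),               # main exe, normal
    Region(0x7FFD1C000000, 0x7FFD1C1F0000, "image", "PAGE_EXECUTE_READWRITE", True),  # RWX DLL page
    Region(0x1E0000, 0x1F0000, "private", "PAGE_READWRITE", False),                   # heap, normal
    Region(0x2A0000, 0x2C0000, "private", "PAGE_EXECUTE_READWRITE", True),            # PE in RWX private
    Region(0x5D0000, 0x5E0000, "sharable", "PAGE_READONLY", False),                   # mapped .mui, normal
    Region(0x6A0000, 0x6B0000, "sharable", "PAGE_EXECUTE_READ", False),               # executable mapping
]

if __name__ == "__main__":
    for where, reasons in triage(SAMPLE_REGIONS).items():
        print(where)
        for reason in reasons:
            print("   ", reason)
```

Three of the six constructed regions are reported; the heap, the read-only mapping and the normally mapped executable pass, which matches the low RWX percentages quoted above: a hit in private or sharable memory is rare enough to be worth a look every time.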

Volatility Enumeration

Vol.py Cheatsheet:

```bash
# Enumerate active and closed network sockets (vol2 needs a profile; vol3 does not)
vol2.py -f base-rd01-memory.img --profile=Win10x64_16299 netscan | egrep -i 'CLOSE|ESTABLISHED|Offset'
vol.py -f base-rd01-memory.img windows.netscan

# List handles of one process, keeping only files and registry keys
vol.py -f base-rd01-memory.img windows.handles --pid 5848 | egrep 'File|Key'

# Get the SIDs associated with a specific user
vol.py -f base-rd01-memory.img windows.getsids | grep -i spsql

# List process command lines
vol.py -f base-rd01-memory.img windows.cmdline

# Pstree output to a file, using the pretty renderer
vol.py -f base-rd01-memory.img -r pretty windows.pstree > pstree.txt
```

ldrmodules:

Note: The base 0x100000 with InInit being "False" is present in all memory dumps. That is the process executable; it will not be present in the InInit list, but it should be present in the MappedPath column. The absence of the image path in MappedPath is suspicious.
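An added example, not from the original page: a parser for ldrmodules-style rows that flags the condition in the note (an empty MappedPath) and, going one step beyond the note, a file-backed module that is absent from all three PEB lists. The column layout (Pid, Process, Base, InLoad, InInit, InMem, MappedPath) follows Volatility 3's windows.ldrmodules, but the sample rows, paths, PID and bases are constructed, and the helper names are my own.

```python
"""Added example (not from the original page): review ldrmodules output for
the condition described in the note above, a module whose MappedPath is empty.

The sample text is constructed to mimic the column order of Volatility 3's
windows.ldrmodules; real output differs in whitespace, so the parser relies
only on column order and treats a missing seventh column as an empty path.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Module:
    pid: int
    process: str
    base: int
    in_load: bool
    in_init: bool
    in_mem: bool
    mapped_path: str


def parse_ldrmodules(text: str) -> List[Module]:
    """Parse whitespace-separated ldrmodules rows; MappedPath may be empty."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        if not line.strip():
            continue
        parts = line.split(None, 6)             # maxsplit keeps spaces inside the path
        pid, proc, base, in_load, in_init, in_mem = parts[:6]
        mapped = parts[6].strip() if len(parts) > 6 else ""
        rows.append(Module(int(pid), proc, int(base, 16),
                           in_load == "True", in_init == "True", in_mem == "True",
                           mapped))
    return rows


def review(modules: List[Module]) -> List[Tuple[int, str]]:
    """Return (base, reason) for every module that deserves a closer look."""
    findings = []
    for m in modules:
        if not m.mapped_path:
            # The note's case: nothing on disk backs this base.
            findings.append((m.base, "no MappedPath: memory at this base is not backed by a file"))
        elif not (m.in_load or m.in_init or m.in_mem):
            # Beyond the note: file-backed but missing from all three PEB lists.
            findings.append((m.base, f"{m.mapped_path} is in no PEB list (unlinked module?)"))
        # InLoad and InMem True with InInit False and a MappedPath is the process
        # executable itself, which the note says is present in every dump.
    return findings


# Constructed sample output; PID, bases and paths are illustrative only.
SAMPLE_OUTPUT = r"""Pid Process Base InLoad InInit InMem MappedPath
5848 svchost.exe 0x100000 True False True \Windows\System32\svchost.exe
5848 svchost.exe 0x7ffd1c000000 True True True \Windows\System32\ntdll.dll
5848 svchost.exe 0x1a0000 False False False
5848 svchost.exe 0x2b0000 False False False \Users\Public\update.dll
5848 svchost.exe 0x7ffd1b000000 True True True \Windows\System32\kernel32.dll
"""

if __name__ == "__main__":
    for base, reason in review(parse_ldrmodules(SAMPLE_OUTPUT)):
        print(f"{base:#x}: {reason}")
```

Run against real output, pipe `vol.py -f <image> windows.ldrmodules --pid <pid>` into the parser instead of SAMPLE_OUTPUT; the executable at its base is deliberately not reported, so anything that is reported still needs the MappedPath (or the dumped bytes) checked by hand.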

Hide Processes:

Hunting for Handles:

MemProc_FS

Hunting for injection/FindEvil:

The PE_PATCHED finding is a false positive here: it results from normal in-memory modifications caused by 32-bit code (SysWOW64) execution.

RootKits:

Extract Memory Objects Volatility

Labs:

  • Windows Process Internals: A few Concepts to know before jumping on Memory Forensics (Medium)
  • Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 5] — A… (Medium)
  • Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 2] —… (Medium)
  • Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 4] —… (Medium)
  • Manipulating ActiveProcessLinks to Hide Processes in Userland (Red Team Notes)
  • Home (GitHub)
  • Directory Explanations
  • CyberDefenders: Injector (Medium)
  • GitHub - evild3ad/MemProcFS-Analyzer: MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR (GitHub)
  • Windows Memory Forensics: DumpMe (CyberDefenders) (Medium)
  • Enumerating Registry Hives