Performing Memory Analysis

Endpoint security is part of the threat domain of an organization. Endpoints give attackers a foothold once they bypass perimeter defenses, and they are usually the medium of attack on a network, serving as a hideout for backdoors. The majority of malware attacks the memory and only a few attack the disk, and this has brought a significant shift toward memory analysis.

For example, an employee's laptop gets compromised at home (perhaps their children visited a malicious site) or at a local coffee shop, and the adversary finds their way right into the juicy middle of the enterprise.

Memory analysis is widely used by threat hunters and forensic analysts to perform malware analysis. It involves analyzing a dumped memory image of a victim/target system infected with malware. Malware analysis is the process of determining the functionality, origin and potential impact of a given malware sample. Memory analysis is a must-have skill for any investigative analyst, be it intelligence or forensic. It helps the analyst understand the different processes and services running on a victim machine and gives a better understanding of the events on the system as at the time it was dumped, whether malicious or not.

In order to perform memory analysis, a bit-by-bit image of the memory must be taken. This can be done using different tools such as FTK, Autopsy and DumpIt. After imaging, analysis follows with the use of different tools such as Volatility and Redline. In order to effectively analyze the memory, the following knowledge/skills are worthwhile:

• Identify core operating system processes

• Know their legitimate execution path

• Understand parent-child processes

• Detect anomalies such as:
  • Wrong parent-child processes
  • Misspelled process names
  • Wrong extension
  • Wrong execution path

Basic Processes in Windows

[Image: Basic Windows OS process]

Other processes

• Lsm.exe

• Taskhost.exe

• Explorer.exe

• WmiPrvSE.exe

• Sihost.exe

• Dwm.exe

• MsMpEng.exe

Read more: https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads

Best tools for analysis

  1. Volatility
  2. Redline

Olajumoke Oloyede

I am a Cyber Threat Intelligence Analyst, Cybersecurity Trainer and Cybersecurity Researcher