How valuable would it be to be able to read another person’s mind? To know what they’re thinking or planning to do would be invaluable. Or, how valuable would it be to know what they have done in the recent past, especially if you believed they were involved in some criminal activity? Who they were talking to, or what they said. If you could recreate the events and determine the timeline of activity, information like this could help you in solving plenty of mysteries.
Examining Random Access Memory (RAM)
The same can be said for examining your computer’s random access memory (RAM). RAM is also known as volatile memory because the information it contains is not persistent: when the computer is rebooted or shut down, the contents of memory are lost (setting aside some considerably challenging side-channel attacks that can recover residual contents). Therefore, when you suspect something nefarious is going on, it is especially important to capture the contents of memory before shutting down the computer.
Today’s systems have a vast amount of memory. In order for a computer to run a program or process, it first loads that program into memory. This includes malicious programs, some of which never write any files to disk at all in order to avoid detection. Additionally, some files or programs are encrypted while stored on the hard drive but are decrypted once they are accessed and resident in memory, which allows forensic examiners to analyze the contents of the file or program and determine its purpose and the actions it is taking. RAM can contain a treasure trove of information, including keystrokes (which can disclose user names and passwords), emails and their attachments, and even the IP addresses the system is communicating with, including past connections that are no longer active. Additionally, RAM can contain:
- Encryption/decryption keys (for programs such as TrueCrypt or VeraCrypt, and even the decryption keys for the hard drive itself)
- WEP and WPA wireless keys (allowing an intruder access to the network)
- Device drivers (which can identify potential rootkits)
- Processes running at the time the memory capture was taken
- Modules and DLLs (which can show injected code, which could identify malware)
- Credentials for enterprise accounts (clear text, hashes, Kerberos, etc.)
- Contents of windows and files (which can include credit card numbers, personal information, and other sensitive data)
- Potential malware that is designed to run in memory alone and is not saved on the hard drive
As you can see from the type of information available, RAM essentially contains the keys to the kingdom as well as the footprints of an attacker. Analyzing memory can provide valuable insight into the state of the computer, whether in response to an incident or as proactive memory analysis to assess the health of the system and/or network. For Point of Sale (POS) networks, or other networks that process sensitive data, taking the proactive approach and analyzing system memory at regular intervals can identify potential problems, whether a malware infection or specific programs leaking sensitive data. This can give the client early notice of a problem, shorten an incident by weeks or months, and prevent the loss of sensitive data.
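As an added example (not part of Coalfire’s post or its tooling), the kind of check a proactive memory review of a POS workstation could run over a raw capture to find card numbers sitting in RAM: it scans for 13–19 digit runs in both ASCII and UTF-16LE (how Windows window text and .NET strings usually sit in memory), keeps only those that pass the Luhn check that every payment card number satisfies, and reports masked results with their byte offsets. The sample image bytes are constructed; the card numbers in it are well-known test numbers.

```python
import re

# Constructed sample "memory image" (not a real capture): process-memory
# fragments holding a test card number in ASCII, a second test number in
# UTF-16LE, and a decoy digit run that is not a valid card number.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"TRACK2=4111111111111111=2512101" + b"\x00" * 8
    + "Card: 5555 5555 5555 4444".encode("utf-16-le") + b"\x00" * 8
    + b"serial 1234567890123456 end" + b"\xff" * 16
)

# 13-19 digit runs, optionally separated by spaces or dashes, per encoding.
# The lookarounds reject runs embedded in longer digit strings.
PATTERNS = {
    "ascii": re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
    "utf-16-le": re.compile(
        rb"(?<!\d\x00)(?:\d\x00(?:[ -]\x00)?){12,18}\d\x00(?!\d\x00)"),
}

def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits so the report itself is not sensitive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(image: bytes):
    """Return (byte_offset, encoding, masked_pan) for each Luhn-valid run."""
    hits = []
    for encoding, pattern in PATTERNS.items():
        for m in pattern.finditer(image):
            digits = re.sub(r"[ -]", "", m.group().decode(encoding))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((m.start(), encoding, mask(digits)))
    return sorted(hits)

if __name__ == "__main__":
    for offset, encoding, pan in find_pans(SAMPLE_IMAGE):
        print(f"0x{offset:08x} {encoding:9} {pan}")
```

On a real capture, the offsets point back into the image so the owning process or window can be identified with a memory-analysis tool; the decoy run is dropped because it fails the Luhn check.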
Finding Ransomware and ‘Zeus’
Recently, Coalfire was tasked with analyzing a memory dump of a system on a network that was infected with a variant of ransomware. During our investigation, we not only uncovered the ransomware, which the company was already aware of, but also found evidence of the malware “Zeus” running as well. Because Zeus targets banking information, this was especially critical to the client, as this system belonged to their Accounting department. Based on our discovery, the client initiated a deep inspection of all other systems, which found Zeus running on several more systems within the client’s administrative offices. The root cause analysis found that their anti-virus solution had not been able to detect the Zeus infection. This discovery prompted an upgrade of their anti-virus systems, aided the client in remediating the malware from their networks, and helped them keep their financial information secure.
We’ve implemented similar pseudo-random sample collection with other clients, with similar successes. The majority of malware and attacks in today’s environment are focused on the end user, or the ‘workstation’ component in an enterprise infrastructure. Accordingly, these recurring samplings are well suited to examining Point of Sale systems, medical workstations, or other multi-user systems, in addition to inspecting memory from the workstations of staff who handle very sensitive information.
Depending on the operating system, capturing RAM can be accomplished by authorized personnel in a very short amount of time. However, analyzing the memory takes specific tools and training. Coalfire can assist you in capturing the RAM’s contents and has the tools and expertise to analyze the memory and provide you with the information needed to determine whether the system is compromised, leaking sensitive information, or communicating with unauthorized IPs.