Memory analysis, part 2

MF and process memory dumping on Windows, collecting those all-too familiar details, page 156:

• process name and pid
• time information
• memory use
• mapping the process to its binary
• mapping the process to a user
• child processes and threads
• command line parameters
• file handles

Searching the haystack

• Try pslist (or other favorite process lister) to find pids
• userdump -p can list processes with their pids
• pmdump -list is another choice

userdump

Using userdump

• Only works on older Microsoft operating systems
• Need to use other tools to acquire useful information, such dumpchk

pmdump

• pmdump lets you easily create text dumps suitable for string searching

RPIER

• While it is much more than just a process memory collection tool, RPIER also allows you to do so.

Process Memory Dumper (pd)

• Like other programs, it allows you to list processes with its -p option.
• Its output can also be used with Memory Parser.

Linux memory analysis

• As MF mentions on page 168, it's just easier dealing with Linux. It's open source, and you can read the code to find out how processes are put together — you can even try asking the developers and other knowledgeable people.
• Unfortunately, some of the specifics from the MF book are for 2.4 kernels, and are not quite correct for 2.6/3.0 kernels.

Linux memory analysis, 2006 Blackhat presentations

Here are two good memory presentations by Burdach from a 2006 Black conference:

• First: Finding Digital Evidence In Physical Memory
• Second: Physical Memory Forensics

Linux memory analysis, simple

• Collect the executable: dd if=/proc/3655/exe of=test.dd.out
• Verify against actual binary: diff test.dd.out /bin/bash
• Collect state: gcore -o test.bash.core.3655 (or gdb -p 3655 and then use built-in gcore test.bash.3655
• Look at the state via gdb: gdb /bin/bash test.bash.core.3655
• Traditional technique: strings test.bash.core.3655

Linux memory analysis, using TSK

One of the tools that has been historically useful and is still being kept up is The Sleuthkit (aka TSK).

• Collecting process information with bin/pcat: bin/pcat -v 3155 > pcat.3155
• Try strings to see what you see.