While I was reading the latest edition of 2600 (Winter 2011) I came across an article called RAM Dumping that I found to be very interesting. I did some experimenting with the methods in the article and had some results that were surprising so I decided to blog about my findings. Memory dumps can be very useful when you’re trying to debug an application crash but until now I haven’t used memory dumps for anything besides that. Many people may not realize that even after a program closes some of its data remains in memory. Memory dumps can reveal some of this old data and anything else that is hiding in your RAM.
What is a memory dump?
A memory dump is a binary file that contains the complete contents of your systems memory. If your computer has 6GB of memory then a memory dump file from your machine will be 6GB in size as well. Memory dumps are sometimes referred to as core files although typically a core file only contains the memory from a specific program, not the entire system.
Here is the basic idea of this memory dump analysis.
1. Create a memory dump file using Moonsols
2. Copy the dump file to a Linux box
3. Run a forensic analysis using Foremost
To get started you will need to download a copy of Moonsols Windows Memory Toolkit (Community Edition). They also offer a Professional version with lots of other features but it’s not free like the community edition. You will also need access to a Linux box for the actual analysis. If you don’t have a dedicated Linux system then a bootable version of Ubuntu or Backtrack would work as well.
Moonsols doesn’t come with an installer, its just an archive containing some files. Create a folder on your C drive called Moonsols and extract the contents of the file you downloaded to it. In your Moonsols folder you’ll have several files, the two you want to worry about for now are win32dd.exe and win64dd.exe. If you are creating a dump on a 64-bit system you have to use win64dd, otherwise use win32dd.
To start the memory dump open a command prompt and enter the directory where you extracted Moonsols, then run the program. The /f option sets the location and name of the dump file, make sure you have enough disk space at the location you select.
win64dd -d /f c:\memory.dmp
It can take several minutes to write the dump file depending on how much memory you have. When the process finishes you will see something similar to the screenshot below
Analysis using Foremost
Now that we have a dump file we need to analyze it using Foremost. Foremost recovers files by looking at the headers, footers, and internal data structures of memory or disk images. Its only available for Linux so you will need to either copy your dump file to your Linux system, or boot your computer using an Unbuntu or Backtrack live CD.
You should be able to install Foremost using the package manager of your Linux distro, or you can install it from source.
Gentoo/Funtoo – emerge foremost
Ubuntu – apt-get install foremost
To run the analysis your command should look something like the example below. The -t option specifies the type of files to look for in the dump file. I recommend using -t all but you can also use -t jpeg if you only want to search for images for example. Foremost can take a few minutes to finish running. When it is finished it will create and output folder that will contain a directory for each file type and also a text file called audit.txt
foremost -t all memory.dmp
Interpreting the output
After Foremost is finished I recommend copying the output back to a Windows machine for easier analysis. A lot of the output ends up being corrupted since memory is constantly being written and rewritten but a lot of the files will be intact. You’ll have to sort through the output but you will most likely find some interesting things. During my testing I ran into a interesting find. As soon as I copied the output back to my Windows box my virus scanner started going crazy detecting all kinds of infected .exe files in the output. I was shocked by this, how could all of these infected files have been in my memory? And why did not virus scanner not detect them in my systems memory? I ran a full system scan on my computer just to make sure it wasn’t infected. The scan did not find anything other than the files in the Foremost output folder.
Apparently these viruses hadn’t executed or infected my system but were just hiding in system RAM. The more I thought about it the more sense it made,Virus scanners are designed to detect infected files and malicious running processes but they don’t dig through all of the memory your system.
If your just looking to get a better idea of what is going on in your own computer or you are doing a forensic analysis of a machine memory dumps can be very useful. Analyzing these dumps can also be a good way to capture viruses and malware that may be hiding in RAM. Program writers often compile audio and photo files directly into executable files, these files wouldn’t be directly accessible without dumping memory. If you don’t like the idea of things being hidden from you on your own computer dump your memory and see what it holds.