Memory Forensics: Importance of Analyzing Volatile Data

By Jordan Cortado on November 4, 2024

Introduction

Malware on a breached computer can reside in many different places. Traditionally, malware was stored as a file somewhere on the computer's hard disk, which lets digital forensic investigators detect it efficiently by examining the disk. But what if the malware is injected into the computer's memory? It is not stored as a file and exists only in memory, so the evidence is volatile. Volatile data is data on a live system that is lost once the system is shut down [5]. Attackers have found that injecting malicious code directly into the computer's memory is a way to avoid detection. This stealthy technique is also known as fileless or in-memory malware, because the malware is never stored as a file on the system, and it poses a significant challenge to cybersecurity and digital forensics investigators [4]. As a countermeasure, the discipline of memory forensics has been adopted to analyze and examine a system's memory. This article highlights the challenges cybersecurity professionals face with fileless malware, along with tools that can be paired with traditional techniques to detect and decode injected malware.

Background

A computer's working memory is its Random Access Memory (RAM). RAM is a crucial component of any computer system, since it allows the computer to perform most of its everyday tasks, such as running applications and multitasking [7]. As mentioned earlier, RAM is volatile, so it is advised not to power off a computer once it has been compromised: doing so wipes the computer's memory. Instead, leave the breached computer running and disconnect it from any network(s) so that the memory contents are preserved. An image captured from a system's RAM is saved to a file called a memory dump [1].

Memory forensics (also called memory analysis, live analysis or RAM dump forensics) is the process of capturing and analyzing a computer's memory to uncover valuable digital artifacts [3]. It is a crucial step in uncovering hidden malware. RAM is both dynamic and exclusive: the data it holds is never truly saved and can change in an instant, and it contains data that is not available in other sources such as disk images or network captures [3]. A successful capture of malware in a memory dump therefore provides investigators with essential insight into the behavior of the malware and other malicious software. By analyzing volatile data such as computer memory, forensic experts can identify suspicious processes, detect unauthorized network connections, and uncover anomalies that indicate the presence of malware.
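Two of the checks investigators run over a memory dump to find suspicious processes are shown below as an added example (it is not code from the article, from Volatility or from Rekall). It compares a process list walked from the kernel's active-process list against one carved from the whole image (the cross-view that Volatility exposes as pslist versus psscan), and checks well-known Windows system processes against their expected parents and expected instance counts. All process records are constructed sample data, and the expected-parent table is the author's own defender knowledge, not something the tools export.

```python
"""Cross-view and parent-child checks over process records from a memory
image. Added example; the records mimic what pslist- and psscan-style
tooling reports, but every record here is constructed sample data."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Expected parent of well-known Windows system processes, and the ones that
# should exist exactly once. A mismatch is a lead to investigate, not a verdict.
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
SINGLETONS = ("wininit.exe", "services.exe", "lsass.exe")


def hidden_processes(pslist, psscan):
    """Processes carved from memory (psscan-style) but absent from the
    kernel's active process list (pslist-style). Unlinking a process from
    that list is a classic way to hide it; exited processes whose structures
    have not yet been reused show up here too, so each hit needs a closer look."""
    listed = {p.pid for p in pslist}
    return [p for p in psscan if p.pid not in listed]


def parent_anomalies(procs):
    """Flag system processes with an unexpected parent, and singleton
    processes that appear more than once (e.g. a second 'lsass.exe')."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        actual = parent.name.lower() if parent else f"<no pid {p.ppid}>"
        if actual != expected:
            findings.append((p.pid, p.name, f"parent is {actual}, expected {expected}"))
    counts = Counter(p.name.lower() for p in procs)
    for name in SINGLETONS:
        if counts[name] > 1:
            findings.append((None, name, f"{counts[name]} instances, expected 1"))
    return findings


# Constructed sample data: an active list and a carved list from the same image.
PSLIST = [
    Proc(4, 0, "System"),
    Proc(500, 400, "wininit.exe"),      # its parent (smss.exe) has exited: normal
    Proc(600, 500, "services.exe"),
    Proc(612, 500, "lsass.exe"),
    Proc(800, 600, "svchost.exe"),
    Proc(1900, 1700, "explorer.exe"),
    Proc(2310, 1900, "svchost.exe"),    # svchost spawned by explorer: suspicious
    Proc(2400, 1900, "lsass.exe"),      # a second "lsass.exe": suspicious
]
PSSCAN = PSLIST + [Proc(3100, 600, "svchost.exe")]  # in memory, but unlinked


def analyze(pslist, psscan):
    """Run both checks and return the findings for reporting or assertions."""
    return {"hidden": hidden_processes(pslist, psscan),
            "anomalies": parent_anomalies(pslist)}


if __name__ == "__main__":
    result = analyze(PSLIST, PSSCAN)
    for p in result["hidden"]:
        print(f"hidden process: pid {p.pid} {p.name}")
    for pid, name, why in result["anomalies"]:
        print(f"anomaly: pid {pid} {name}: {why}")
```

On real data the two lists come from the tool's output (for Volatility, the pslist and psscan plugins) rather than from constructed constants; the checks themselves are the same.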

Challenges

The most obvious challenge that in-memory malware poses is the difficulty of evidence acquisition due to its volatile nature. Since the data is only temporarily held and constantly changing, investigators are put on a time crunch, which complicates the acquisition process and delays incident response efforts [1]. Furthermore, capturing an accurate representation of the scene requires careful timing, because the memory contents can be influenced by other factors at that point in time [2], leaving investigators with only one ideal snapshot of the crime scene. A potential solution is active, live monitoring: running multiple scans and looking for malicious patterns. But with the RAM in today's computers typically starting at 8GB and often exceeding 32GB, analyzing an image of a RAM dump is a far more tedious effort [4]. Additionally, it is simply unrealistic to scan such large amounts of data continuously in order to find the malware before it is too late.

Another challenge posed by fileless malware is the technical skill required to carry out this type of analysis. Memory forensics is a highly specialized field that requires investigators to have deep technical knowledge and expertise to decipher in-memory malware [1, 2]. As a result, there is a significant skill gap in the industry and a shortage of forensic experts who understand advanced memory analysis techniques. Moreover, it is estimated that over 53% of major zero-day vulnerabilities involve memory corruption [4]. With fileless malware continuing to be adopted by adversaries, digital forensic professionals must keep up with the demand for in-memory malware incident response.

Further barriers to take into account are privacy and legal considerations. As with any investigation, memory forensics experts must operate within legal and ethical bounds, understanding and adhering to legal procedures, privacy laws and regulations [1, 2]. While this adds a layer of complexity to forensic investigations, ensuring that an investigation is compliant protects the victim's privacy and rights.

Analysis Tools

Many of the analysis techniques used in traditional hard-disk forensics, such as string searching, pattern recognition, analysis of obfuscated code, hash analysis, and timeline analysis, can be carried over to memory forensics. However, computer memory requires a more dedicated approach. One such tool is the Volatility Framework, one of the most prominent open-source forensic tools, designed specifically for memory analysis and volatile data [2]. Volatility contains a collection of plugins that extract volatile memory artifacts such as running processes, network connections, and injected code, which are essential for identifying in-memory malware. It supports a large variety of memory dump formats and also offers community plugins that extend its capabilities [6]. A similar tool that some would say rivals Volatility is Rekall, an open-source command-line tool designed with memory forensics in mind [6]. It was originally forked from the Volatility Framework but has since been developed independently by Google. Both are popular, critical analysis tools that streamline memory acquisition and the analysis of malware placed in a volatile environment.
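The traditional techniques named above (string searching, pattern recognition and hash analysis) applied to raw memory, as an added example that is not code from the article, from Volatility or from Rekall. It scans a memory image for executables loaded in memory by locating DOS headers whose `e_lfanew` field points at a valid `PE\0\0` signature (a bare "MZ" alone is too weak a pattern), carves each hit's header region, extracts printable strings from it, hashes the region so it can be compared against known-good or known-bad hashes, and matches the strings against an indicator list. The memory image, the indicator domain and the carve length are constructed for the example; a real dump would be read from the memory dump file instead.

```python
"""String searching, pattern recognition and hash analysis over a raw
memory image. Added example; the image and the indicator list below are
constructed sample data, not real artifacts or IoCs."""
import hashlib
import re
import struct

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")   # runs of 6+ printable ASCII bytes
CARVE_LEN = 0x200                              # header bytes kept per hit (constructed choice)

# Constructed indicator list (hypothetical domain, not a real indicator).
INDICATORS = [b"constructed-c2.example"]


def find_pe_headers(image: bytes) -> list[int]:
    """Offsets of DOS headers whose e_lfanew points at a 'PE\\0\\0' signature.

    'MZ' on its own occurs in ordinary text; requiring the NT header at the
    offset stored in the DOS header (field e_lfanew at 0x3C) is what makes
    the pattern usable on a large image."""
    hits = []
    for m in re.finditer(rb"MZ", image):
        off = m.start()
        if off + 0x40 > len(image):
            continue
        e_lfanew = struct.unpack_from("<I", image, off + 0x3C)[0]
        pe = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and image[pe:pe + 4] == b"PE\0\0":
            hits.append(off)
    return hits


def carve(image: bytes, off: int) -> bytes:
    """Copy the header region of one hit out of the image."""
    return image[off:off + CARVE_LEN]


def extract_strings(region: bytes) -> list[str]:
    """Classic 'strings' pass: printable ASCII runs in the carved region."""
    return [s.decode("ascii") for s in PRINTABLE.findall(region)]


def scan(image: bytes) -> list[dict]:
    """For each in-memory executable: offset, region hash, strings, indicator hits."""
    findings = []
    for off in find_pe_headers(image):
        region = carve(image, off)
        findings.append({
            "offset": off,
            "sha256": hashlib.sha256(region).hexdigest(),  # for hash analysis
            "strings": extract_strings(region),
            "indicators": [i.decode() for i in INDICATORS if i in region],
        })
    return findings


def build_sample_image() -> bytes:
    """Constructed image: zero padding, one minimal PE header carrying a
    DOS stub string and a URL, then a decoy 'MZ' inside ordinary text."""
    hdr = bytearray(CARVE_LEN)
    hdr[0:2] = b"MZ"
    stub = b"This program cannot be run in DOS mode."
    hdr[0x4E:0x4E + len(stub)] = stub
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew -> NT header at +0x80
    hdr[0x80:0x84] = b"PE\0\0"
    url = b"http://constructed-c2.example/beacon"   # constructed string
    hdr[0x100:0x100 + len(url)] = url
    decoy = b"AMZN order confirmation"              # contains "MZ", not a PE header
    return b"\x00" * 0x1000 + bytes(hdr) + b"\x00" * 0x100 + decoy + b"\x00" * 0x100


if __name__ == "__main__":
    for f in scan(build_sample_image()):
        print(f"PE at {f['offset']:#x} sha256={f['sha256'][:16]}... "
              f"strings={f['strings']} indicators={f['indicators']}")
```

On a real dump the regions of interest are usually the ones that tools report as injected or unbacked by a file on disk; carving their headers and hashing them is how those regions get compared against known-bad samples and shared as indicators.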

Mitigation and Response

In a dynamic environment such as RAM, cybersecurity professionals and investigators must focus on stopping threats at runtime. Polymorphic and dynamic threats such as in-memory malware can be mitigated by implementing automated moving target defense (AMTD) and/or active live analysis [1, 4]. AMTD creates a dynamic attack surface by randomizing application memory, which stops attacks from advanced threats [4]. Coupled with proactive live monitoring, this lets cybersecurity professionals perform immediate incident response using real-time insights, and investigators can begin data acquisition straight away.

Conclusion

As cyber threats grow more sophisticated, memory forensics has emerged as a vital technique for detecting and analyzing malware that runs in device memory. Unlike traditional malware, in-memory malware leaves minimal traces for investigators to detect. Conducting a proper examination of memory means facing obstacles such as data volatility, the need for advanced technical skills, and privacy concerns. Despite this, a targeted and dedicated approach to memory dump analysis can alleviate the threat. By combining traditional forensic tactics with dedicated tools such as the Volatility Framework or Rekall, forensic experts can effectively capture and examine RAM dumps. If it is not already, memory analysis will become a staple process for cybersecurity professionals and investigators to detect malware trends and improve threat intelligence.

References

[1] Bachchas, K. S. (2023, July 31). Ram Dump: Understanding its importance and the process. Importance of RAM Dump in Digital Forensics | LevelBlue. https://cybersecurity.att.com/blogs/security-essentials/ram-dump-understanding-its-importance-and-the-process

[2] Fishbein, N., & Robinson, R. (2024, April 23). Memory Analysis 101: Understanding Memory Threats and Forensic Tools. Intezer. https://intezer.com/blog/incident-response/memory-analysis-forensic-tools/#h-challenges-that-make-manual-memory-forensics-painful

[3] Frawley, R. T. (2023, May 12). Memory forensics: Effective digital forensics investigations basics. ADF. https://www.adfsolutions.com/adf-blog/memory-forensics-101-the-basics-you-need-to-know-for-effective-digital-forensics-investigations?srsltid=AfmBOorMuKI3OAcwzlIKDm7Nqw7iOa-GR1CC89k9io1-sgGRlLym4cxT

[4] Gorelik, M. (2024, October 24). Why Should You Care About In-Memory Attacks?. Runtime Attacks In-Memory Require a Different Response. https://blog.morphisec.com/runtime-attacks-in-memory

[5] NIST. (n.d.). Volatile data – glossary: CSRC. CSRC Content Editor. https://csrc.nist.gov/glossary/term/volatile_data

[6] Top 2024 Memory Forensics Tools for Incident Response. Salvation Data Technology. (2024, June 6). https://www.salvationdata.com/knowledge/memory-forensics/

[7] What is RAM and what does RAM do?. Crucial. (2024, October 24). https://www.crucial.com/articles/about-memory/support-what-does-computer-memory-do