Although analyzing information provided in a system’s memory is not a new trick, the tools that help us automate these tasks are still new. The three products that I am currently using to help me with memory analysis are Volatility (Vol), Mandiant’s Audit Viewer (MAV), and HBGary’s Responder Field Edition (RFE). These tools are very helpful and provide a wealth of system information that can help an analyst understand what is happening on a system without using tools that could be circumvented through techniques such as kernel hooking. Although this post is not meant to be an analysis of each of these separately, I would like to say that there are cool features in each tool that the others do not provide. Here are a couple of examples:
- RFE provides a malware report summary that provides additional information pertaining different types of kernel hooks detected.
- Audit Viewer highlights specific processes when searching on key words.
- RFE allows the analyst to drill down into a hex dump of the memory and even performs some disassembly.
- Vol provides very clean outputs for placing information in reports.
- Audit Viewer shows if a network connection is LISTENING or ESTABLISHED.
- etc.
I included the “etc.” because, obviously, there are more, but you should investigate the other “quirks” for yourself.
Now, you can see that these tools definitely do perform differently, but thus far it is mainly just style and information presentation. Well, style and presentation are not the only ways that these tools differ. They also differ in how they look at specific information within the image of a system’s memory. I found a good example when searching for active network connections. The scenario is that a piece of malware was attempting to connect to a server on the Internet to perform some assumed malicious activity. Through other analysis techniques the IP address was known to me and, in fact, I could search the system’s memory image and receive hits on the IP address in memory.
I initially used RFE to parse the system’s memory, and it gave me some great detail about each process, Internet activity, keyword searches, etc. But when I reviewed the information for the specific process that I believed was connecting to the remote system, I did not receive any information about port activity. In fact, the Network tab for the process did not display any information (no ESTABLISHED connections, no LISTENING ports). So I checked the network connections for all processes and, as you can see in the image below, it provided no details about connections to the Internet. All of the connections listed here are either loopback or internal to the network.
So, I decided to see what MAV would show me. I did this because I had noticed that MAV did display LISTENING and ESTABLISHED information for each connection. When I pulled up the specific process in MAV, I was provided with information that RFE did not give me: the process I was investigating, svchost with PID 1052, was actually LISTENING on TCP port 3389.
Since I received conflicting information and the memory came from a Windows XP system, I decided to see what information Vol would provide. Using the sockscan2 plugin I scanned the memory for open sockets. This provided me with a wealth of information about open sockets. Actually, as you can see, it provided me with more open socket information than RFE did (and, although not shown, more than MAV as well).
Next I ran Vol’s connscan2 plugin. Expecting the same information as that provided by RFE and MAV, I was completely taken off guard by what Vol displayed: active network activity between the PID I was investigating and the server on the Internet.
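The reason a scanning plugin can surface a connection that list-based views miss is that it does not ask the kernel’s bookkeeping which connections are active; it carves memory for the pool tag that marks a connection object and parses whatever it finds, including records that have been unlinked from the active list or left behind by a closed connection. The following is an added example, not code from this post or from the Volatility project, that contrasts the two approaches on a constructed memory image. The record layout, the `TCPT` tag placement, the list head offset and the remote address (203.0.113.10, a documentation-range placeholder) are all assumptions made for the example and do not match the real Windows `_TCPT_OBJECT` structure; the PID 1052 and local port 3389 are the values from the investigation above.

```python
"""Toy comparison of list-walking versus pool-tag carving for TCP connection records.

Everything here is constructed for illustration; the record layout below is NOT
the real Windows XP _TCPT_OBJECT and the memory image is synthetic.
"""
import struct
from dataclasses import dataclass
from socket import inet_aton, inet_ntoa

# Assumed toy layout of one connection record (24 bytes):
#   0x00  b"TCPT" pool tag
#   0x04  u32 LE  offset of the next record in the active list (0 = end of list)
#   0x08  remote IPv4, network byte order
#   0x0C  local IPv4, network byte order
#   0x10  u16 BE  remote port
#   0x12  u16 BE  local port
#   0x14  u32 LE  owning PID
POOL_TAG = b"TCPT"
RECORD_SIZE = 0x18
LIST_HEAD = 0x40   # assumed offset the kernel's active-connection list points at
STALE_OFF = 0x100  # record that is no longer reachable from LIST_HEAD


@dataclass(frozen=True)
class Connection:
    offset: int
    local: str
    remote: str
    pid: int


def pack_record(next_off, remote_ip, local_ip, remote_port, local_port, pid):
    """Serialise one record in the toy layout."""
    return (POOL_TAG + struct.pack("<I", next_off)
            + inet_aton(remote_ip) + inet_aton(local_ip)
            + struct.pack(">HH", remote_port, local_port)
            + struct.pack("<I", pid))


def parse_record(image, off):
    """Return (next_offset, Connection) for a record at `off`, or None if no tag is there."""
    if image[off:off + 4] != POOL_TAG or off + RECORD_SIZE > len(image):
        return None
    (next_off,) = struct.unpack_from("<I", image, off + 4)
    remote_ip = inet_ntoa(image[off + 8:off + 12])
    local_ip = inet_ntoa(image[off + 12:off + 16])
    rport, lport = struct.unpack_from(">HH", image, off + 16)
    (pid,) = struct.unpack_from("<I", image, off + 20)
    return next_off, Connection(off, f"{local_ip}:{lport}", f"{remote_ip}:{rport}", pid)


def build_image():
    """Constructed 512-byte image: one linked record and one unlinked (stale) record.

    The stale record still points at LIST_HEAD, as it would if it had been at the
    front of the list before being unlinked; nothing points at the stale record.
    """
    image = bytearray(0x200)
    image[LIST_HEAD:LIST_HEAD + RECORD_SIZE] = pack_record(
        0, "127.0.0.1", "127.0.0.1", 1026, 1025, 4)
    image[STALE_OFF:STALE_OFF + RECORD_SIZE] = pack_record(
        LIST_HEAD, "203.0.113.10", "192.168.1.20", 49152, 3389, 1052)
    return bytes(image)


def walk_active_list(image, head):
    """List-based view: follow next pointers from the head; stops at 0 or on a cycle."""
    found, off, seen = [], head, set()
    while off and off not in seen:
        seen.add(off)
        parsed = parse_record(image, off)
        if parsed is None:
            break
        off, conn = parsed
        found.append(conn)
    return found


def scan_pool_tags(image):
    """Carving view: every occurrence of the pool tag is parsed, linked or not."""
    found, pos = [], image.find(POOL_TAG)
    while pos != -1:
        parsed = parse_record(image, pos)
        if parsed is not None:
            found.append(parsed[1])
        pos = image.find(POOL_TAG, pos + 1)
    return found


def missed_by_walker(image, head):
    """Records the scanner sees that the list walk does not: the analyst's leads."""
    walked = {c.offset for c in walk_active_list(image, head)}
    return [c for c in scan_pool_tags(image) if c.offset not in walked]


if __name__ == "__main__":
    img = build_image()
    print("list walk :", walk_active_list(img, LIST_HEAD))
    print("tag scan  :", scan_pool_tags(img))
    print("missed    :", missed_by_walker(img, LIST_HEAD))
```

Running it shows the list walk returning only the loopback record while the tag scan also returns the PID 1052 record to the external host. The trade-off is the same one the post observes between tools: carving finds more, but some of what it finds may be stale (a closed connection whose memory has not been reused), so scanned hits are leads to corroborate against process, socket and keyword evidence rather than proof of a live session.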
What is the moral of this post? All of these great tools have functionality differences due to the different levels of experience and specific goals of each tool’s team of developers. Analysts need to understand these differences through testing and implementation. Additional insight may come from utilizing a variety of analysis tools rather than relying on just one or, as we have seen here, even two tools. Certainly, running all of your data analysis through multiple tools every time is not the best use of your time. But doing so on a periodic basis will help add strength to your conclusions while also keeping you up to date with the differences and the development progression of each tool.
UPDATE: I should have mentioned earlier that I have contacted the developers for each of these tools. Although this is the first time most of them have heard about it, I have opened a ticket with HBGary’s support concerning displaying ESTABLISHED connections. They have been very responsive to this and all of my other requests and recommendations.
Go forth and do good things,
Don C. Weber
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.