Memory Forensics: Pull Process & Network Connections from a Memory Dump

In the previous article, we learned how to pull passwords from a memory dump file. This time, we will cover viewing a process list and network connections out of captured memory files.

Volatility’s “pslist” command can be used to view the processes that were running on a Windows system:

volatility pslist -f memdumpfilename.raw –profile=Win7SP1x86 (Use double dashes in front of profile for some reason they are showing up as a single)

From the output of the command, we see the physical memory location, process name and the PID number of all process that were running on the system. This helps deduce if something was running on the computer that should not have been and as you will see in a future article, allows you to view programs that may be running under the process.

The next step is to view all network connections that were active from the memory dump:

volatility netscan -f memdumpfilename.raw –profile=Win7SP1x86 (Use double dashes in front of profile)

The data returned shows all network connections, including the process name, source and destination IP addresses – including ports. This is just a short snip of what was actually returned, the actual list is easily twice as long. This information helps the analyst see if there were any strange network connections active. Or can help the penetration tester gain valuable information about the network.

The last command that we will look at this time is “bioskbd“.

volatility bioskbd -f memdumpfilename.raw –profile=Win7SP1x86 (Use double dashes in front of profile)

As you can see there is no data returned on this memory dump. But what does “bioskbd” actually do? This interesting command has the ability to pull passwords that are resident from the bios cache buffer. Though most newer systems (like the system that this memory dump was taken from) purge the bios keyboard buffer, many older ones did not. On an old system you might be able to retrieve BIOS boot passwords, or even the passwords for disk encryption systems.

That’s it for this post, on the next Memory Forensics post, we will take a look at pulling malware samples off of a system infected with STUXNET!

Memory Forensics: How to Pull Passwords from a Memory Dump

Last time, we talked about a quick and easy way to get a memory dump on a Windows based PC. This time, we will cover pulling passwords out of captured memory files.

Several programs exist for memory analysis, we will be using “Volatility” from Volatile Systems. If you are performing your analysis on a Windows system I recommend downloading the stand alone .exe version. If you don’t then you will also need to install Python.

Once Volatility is installed, we need to get some information from the memory dump. Open up a command prompt and run the following command:

volatility imageinfo -f memorydumpfilename.raw

This command gives you several pieces of information, for now, we just need to know the profile type of the memory dump, in this case Win7SP1x86. We will use this in the next few steps.

Now, we need the hive list so we can get the starting location in memory of where the registry information resides:

volatility hivelist -f memdumpfilename.raw –profile=Win7SP1x86 (Use double dashes in front of profile for some reason they are showing up as a single)

We now have a list of where several key items are located in the memory dump. Next, we will extract the password hashes from the memory dump. To do this we need to know the starting memory locations for the system and sam keys. We look in the dump above and copy down the numbers in the first column that correspond to the SAM and SYSTEM locations. Then output the password hashes into a text file called hashs.txt:

volatility hashdump -f memdumpfilename.raw –profile=Win7SP1x86 -y 0x87c1a248 -s 0x8bfaa008 > hashs.txt  (double dashes in front of profile)

Open the hash dump file in a text editor and you should see hashes of all the user’s passwords:

Now, if you are using Windows XP and have passwords shorter than 14 characters (LM passwords), you can run them through a password cracker like John the Ripper. Or better yet,  you can copy the long alphanumeric string after the user id number (500 or 1000 numbers) and paste them in Objectif Sécurité’s Online XP Hash cracking program. This utility cracks most LM based password hashes in 5 seconds or less. For more information see  Cracking 14 Character Complex Passwords in 5 Seconds.

This will not work on Windows 7 passwords or XP passwords longer than 14 characters though. These hashes are stored in the more secure NTLM format and can take a lot longer to crack. One cool thing though is that you do not need to crack the NTLM hash to get access to a system. You can log into a system using the hash itself as the password!

The password could be a simple 14 character password or a complex 32 character monster, it does not matter. You can still use the hash to get a command prompt. For more information see NTLM Passwords: Can’t Crack it? Just Pass it!

This really goes to show that passwords really are not as safe as one might think. Dual or multiple authentication systems are really the way to go on secure systems.

Well, that wraps up pulling passwords off of a memory dump, next we will learn how to view the active network connections and processes from a memory dump.

If you enjoyed this tutorial check out my new book, totally updated for 2018!

Basic Security Testing with Kali Linux, 3rd Edition

Memory Forensics: How to Capture Memory for Analysis

There are several ways to capture memory from a Windows machine for analysis, but want an easy one? I mean a really easy one? Then look no further than MoonSols “DumpIt“.

MoonSols, the creator of the ever popular “win32dd” and “win64dd” memory dump programs have combined both into a single executable that when executed creates a copy of physical memory into the current directory. Just throw DumpIt onto a USB drive or save it on your hard drive, double click it, select yes twice and before you know it you have a complete copy of your machine’s memory sitting on disk.

The only thing you need to make sure of, especially if using a USB drive is that it is large enough to hold the file that is created. The memory dump will be a little larger than the size of your installed RAM. So, for instance, a machine with 4GB RAM will produce about a 5 GB file.

Malware Analysts use memory dumps to analyze malicious software. Once you have the memory dump, you can perform some very interesting analysis on it, like viewing what processes and programs were running on the machine, and what network connections the system had.

You can even pull passwords from them, which we will look at next time.

** Part 2Memory Forensics: How to Pull Passwords from a Memory Dump