Conventional memory forensic tools such as Volatility, and Mandiant's Redline focus on those areas of a memory image that are mapped. In the event that data is not properly mapped, these tools would be unable to extract the data and present it properly. This is one of the drawbacks of these tools for memory analysis. There is a good deal of data that will become unstructured and invisible to these tools. This could be the case when network connections are shut down or processes are exited. Even though they may not show up when the RAM is examined via Redline or Volatility, trace evidence will often still be present. One tool that is useful for extracting these traces is the Strings command which comes default to many of the Linux distributions. Strings allow a responder to search for ASCII and Unicode human-readable strings of characters. Given a set of keywords or grep commands, the forensic examiner may be able to extract additional relative data, even from RAM captures that may have been corrupted via malware or improper acquisitions.
Memory Analysis With Strings, Grep, and Regex
In a previous post on Volatility, the IP address 41.168.5.140 was identified by using the Connscan plugin. The drawback of that process of identifying IP addresses is that, if the connection has been closed and there is no activity, it may not be visible with Volatility. In that case, a way to expand the search for IP addresses resident in memory is to conduct Strings search as follows:
strings cridex.vmem | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"
This Strings search will look for any matching patterns of an IP address. When examining the Cridex memory capture, several IP addresses showed up. This includes internal IP address ranges and broadcast IP addresses. The IP addresses should be reviewed to detect which might look suspicious. An examination of the results revealed that the remote IP address 41.168.5.140 was at one time located within memory:
Once identified, a more detailed examination of the suspicious IP address should be conducted as follows:
strings cridex.vmem | grep -Fi "41.168.5.140" -C 5
The resultant output is shown below:
What is interesting about this result is that some process or executable is making a POST request towards the suspicious IP address.
Often, adversaries will use URLs that contain IP addresses within them as a delivery mechanism. It is always useful to check such possibilities in your investigation. The next command will search the memory image for any URL entries in memory:
Examining the output shows some interesting data. First, there is the URL http:// chaseonline.com/. In addition, there appears to be website coding associated with this hit. A search of various sites for data on Cridex reveals that it is often used to steal banking credentials by hooking various APIs in the web browser and redirecting that traffic for various sites, including Chase Bank.
We can also print the ASCII characters in the memory dump to see if we can find interesting artifacts of evidentiary value.
strings cridex.vmem | less
Examining the result of the above command revealed the following output. A series of domain names all themed around banks and the financial sector.
ager.com/signon*
*banking.calbanktrust.com*
*towernet.capitalonebank.com*
*businessaccess.citibank.citigroup.com*
*achieveaccess.citizensbank.com*
*www8.comerica.com*
*businessclassonline.compassbank.com*
*cashanalyzer.com*
*ebanking-services.com*
*banking.firsttennessee.biz*
*efirstbank.com*
*treas-mgt.frostbank.com*
*businessonline.huntington.com*
*ibbpowerlink.com*
*access.jpmorgan.com*
*businessportal.mibank.com*
*webbankingforbusiness.mandtbank.com*
*mbachexpress.com*
*premierview.membersunited.org*
*cashmanager.mizuhoe-treasurer.com*
*enternetbank.com*
*bankofbermuda.com*
*tdcommercialbanking*
*solutions-corporate.com*
*cbbusinessonline.com*
*constitutioncorp.org*
*corporate.epfc.com*
*epd.uscentral.org*
*login_business.asp*
*global-ebanking.com*
*itinternet.net*
*mcb-home.com/online*
*metrobankdirect.com*
*webinfocus.mandtbank.com*
*commercialservices.mandtbank.com*
To list all the executable files in the forensic image along with their source paths, the command below seem appropriate.
strings cridex.vmem | grep ".*\.exe"
An investigator may attempt to detect suspicious files based on their names and locations. However, this requires that the investigator has a very good working knowledge of the underlying operating system. Just looking blindly at filenames and locations will not produce meaningful results, unless something really sticks out. From the output of the above command, the following appears suspicious.
To list all the executable files in the forensic image along with their source paths, enter the following command.
strings cridex.vmem | grep ".*\.dll"This also requires that the investigator have a very good working knowledge of the underlying operating system to identify malicious DLLs which might result from DLL injection
This short examples show how Strings can be utilized by forensic examiners to gather more evidence and provide additional context to an incident investigation. Strings is only limited to what keywords/regex the investigator can conjure.
Post a Comment