Hunting Malware Using Memory Forensics

In the chapters covered so far, we looked at the concepts, tools, and techniques that are used to analyze malware using static, dynamic, and code analysis. In this chapter, you will understand another technique, called memory forensics (or Memory Analysis).

Memory forensics (or Memory Analysis) is an investigative technique that involves finding and extracting forensic artifacts from the computer's physical memory (RAM). A computer's memory stores valuable information about the runtime state of the system. Acquiring the memory and analyzing it reveals information needed for a forensic investigation, such as which applications are running on the system, what objects (file, registry, and so on) these applications are accessing, active network connections, loaded modules, loaded kernel drivers, and other information. For these reasons, memory forensics is used in incident response and malware analysis.

During incident response, in most cases you will not have access to the malware sample; you may only have the memory image of a suspect system. For instance, you may receive an alert from a security product about possible malicious behavior on a system. In that case, you can acquire the memory image of the suspect system and perform memory forensics to confirm the infection and find the malicious artifacts.

In addition to using memory forensics for incident response, you can also use it as part of malware analysis (where you have the malware sample) to gain additional information about the behavior of the malware post-infection. For instance, when you have a malware sample, in addition to performing static, dynamic, and code analysis, you can execute the sample in an isolated environment, acquire the infected computer's memory, and examine the memory image to get an idea of the malware's behavior after infection.

Another reason to use memory forensics is that some malware samples may not write malicious components to disk, keeping them only in memory. As a result, disk forensics or filesystem analysis might fail. In such cases, memory forensics can be extremely useful for finding the malicious component.

Some malware samples trick the operating system and live forensic tools by hooking or by modifying operating system structures. In such cases, memory forensics can be useful as it can bypass the tricks used by the malware to hide from the operating system and live forensic tools. This chapter introduces you to the concept of memory forensics and covers tools used to acquire and analyze the memory image.
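To make the last point concrete, here is an added Python example (not from the book) that models the cross-view idea on a toy memory image: walking the linked process list, as the operating system and live tools do, against scanning the whole image for process records. The record layout, the `Proc` tag and the process names are constructed for illustration and do not correspond to real Windows kernel structures.

```python
import struct

# Constructed toy "memory image": fixed-size process records laid out back to
# back and linked into a circular doubly-linked list. Not a real _EPROCESS
# layout; the tag, fields and sizes are assumptions for this illustration.
REC_FMT = "<4sIII16s"          # tag, pid, flink, blink, name
REC_SIZE = struct.calcsize(REC_FMT)
TAG = b"Proc"

def build_image(procs, hidden_pid):
    """Lay out all records; link every one except hidden_pid (unlinked the
    way a rootkit that edits list pointers would hide a process)."""
    visible = [pid for pid, _ in procs if pid != hidden_pid]
    offsets = {pid: i * REC_SIZE for i, (pid, _) in enumerate(procs)}
    image = bytearray()
    for pid, name in procs:
        if pid == hidden_pid:
            flink = blink = 0                      # record exists, but is not in the list
        else:
            idx = visible.index(pid)
            flink = offsets[visible[(idx + 1) % len(visible)]]
            blink = offsets[visible[(idx - 1) % len(visible)]]
        image += struct.pack(REC_FMT, TAG, pid, flink, blink, name)
    return bytes(image), offsets[visible[0]]      # image and list head offset

def walk_list(image, head):
    """What the OS and live tools see: follow flink pointers from the head."""
    pids, off, visited = [], head, set()
    while off not in visited:                     # stop when the ring closes
        visited.add(off)
        _, pid, flink, _, _ = struct.unpack_from(REC_FMT, image, off)
        pids.append(pid)
        off = flink
    return pids

def scan_image(image):
    """What memory forensics does: carve every record carrying the tag,
    whether or not it is linked into the list."""
    found = []
    for off in range(0, len(image) - REC_SIZE + 1, 4):
        if image[off:off + 4] == TAG:
            _, pid, *_ = struct.unpack_from(REC_FMT, image, off)
            found.append(pid)
    return found

def find_hidden(image, head):
    """Cross-view: anything the scan finds but the list walk misses."""
    return sorted(set(scan_image(image)) - set(walk_list(image, head)))

# Constructed sample: four processes, one of them unlinked from the list.
PROCS = [(4, b"System"), (612, b"explorer.exe"), (1337, b"evil.exe"), (2048, b"notepad.exe")]
IMAGE, HEAD = build_image(PROCS, hidden_pid=1337)
```

Running `find_hidden(IMAGE, HEAD)` returns `[1337]`: the list walk reports only the three linked processes, while the scan recovers all four records from memory.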
