Full Report
John Strand // So you think you might have a compromised Windows system. If you do, where do you start? How would you review the memory of that system? What […] The post WEBCAST: Live Forensics & Memory Analysis appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: Live Forensics & Memory Analysis Procedures (General)
## Overview
This information summarizes the focus of a webcast by Black Hills Information Security concerning incident response steps on a potentially compromised Windows system, specifically emphasizing initial triage, live forensics, and memory analysis techniques. The goal is to identify compromise by examining system memory and running processes.
## Technical Details
- Type: Technique (Incident Response/Forensics Methodology)
- Platform: Windows
- Capabilities: Initial triage, memory acquisition, memory analysis, command execution for compromise detection.
- First Seen: N/A (the webcast date listed is January 20, 2017; it discusses general SANS 504-based material)
## MITRE ATT&CK Mapping
*Note: The article describes general forensic and detection activities rather than specific adversarial TTPs. The following mappings relate to the adversary actions that these defensive techniques are designed to detect.*
- **TA0001 - Initial Access**
- **TA0003 - Persistence**
- **TA0005 - Defense Evasion**
- **TA0007 - Credential Access**
- **TA0011 - Command and Control**
- **T1057 - Process Discovery**
- **T1055 - Process Injection**
- **T1003 - OS Credential Dumping**
## Functionality
### Core Capabilities
* Determining the starting point for investigating a potentially compromised Windows system.
* Reviewing the memory contents of a suspect system.
* Executing initial commands (the "first 10 commands") during triage to assess compromise status.
### Advanced Features
* Utilizing free sample memory dumps and command output provided by BHIS for training and skill sharpening.
* Focusing analysis based on concepts introduced in SANS 504 training.
## Indicators of Compromise
*Note: The article details a methodology for **finding** IOCs, but does not list specific IOCs from a sample compromise.*
- File Hashes: [N/A provided]
- File Names: [N/A provided]
- Registry Keys: [N/A provided]
- Network Indicators: [N/A provided]
- Behavioral Indicators: [Focus on reviewing processes, memory contents, and command output associated with compromise.]
## Associated Threat Actors
*Note: The context is focused on defensive/forensic operations, not specific threat actor usage of malware, though the techniques discussed are used to find artifacts left by various actors.*
- [N/A]
## Detection Methods
*Note: Detection methods described are the techniques used during the forensic investigation itself.*
- Signature-based detection: [Not the primary focus; methodology relies on behavioral/state analysis.]
- Behavioral detection: [Core focus: Analyzing running processes, loaded modules, and memory artifacts.]
- YARA rules if available: [Not specified, but memory analysis often involves YARA scanning.]
## Mitigation Strategies
*Note: The article focuses on post-compromise analysis, not pre-incident mitigation, though implicitly better defenses reduce the need for this level of analysis.*
- Prevention measures: [Not detailed]
- Hardening recommendations: [Not detailed]
## Related Tools/Techniques
*Tool Mentions in Context:*
- **RITA:** (Mentioned in side links, a tool often used for network traffic analysis to complement forensics.)
- **drozer Attack Framework:** (Mentioned in an unrelated link, an Android pentesting tool.)
*Related Techniques:*
- Memory Acquisition Tools (e.g., Volatility analysis setup)
- Live Triage Procedures (e.g., using built-in Windows tools or specialized forensic kits)