Memory analysis overview

When discussing the analysis of a system's memory, two terms are used interchangeably: RAM and memory. Both describe the portion of the computer's internal systems where the operating system places the data used by applications and by system hardware while that application or hardware is in use. What sets RAM or memory apart from storage is the volatile nature of the data: when the system loses power or is shut down, its contents are generally lost, which is why memory must be captured from the live system before it is powered off.

One change in operating systems that has had a direct impact on memory analysis is the advent of the 64-bit OS. A 64-bit address allows the OS to reference a theoretical maximum of 2^64 bytes, or 17,179,869,184 GB, of memory. Compared with the 4 GB a 32-bit OS can address, this is roughly 4.3 billion (2^32) times as much, not "several million". In practice, current processors and Windows editions cap the usable address space and installed RAM well below that ceiling, but systems now routinely run with tens of gigabytes of RAM. As a result, a running system holds a great deal of data in RAM that is valuable to an incident investigation. These include the following:

As the need to analyze the memory of systems has grown, several tools have become available to analysts. This chapter focuses on three of them; all are either open source or freeware and can be deployed easily. They allow analysts to gain critical insight into the activity of exploits and malware that have compromised a system.

Throughout this chapter, two memory captures will be utilized. The first is from a Windows system infected by the Stuxnet worm; the memory image (a VMware .vmem file) can be downloaded from the following site: jonrajewski.com/data/Malware/stuxnet.vmem.zip. The second is another Windows system infected with the Cridex banking trojan and can be downloaded from the following site: http://files.sempersecurus.org/dumps/cridex_memdump.zip. While both of the malware infections are relatively old, they are useful for highlighting specific features of the toolsets we are going to examine. As with any evidence, record the size and cryptographic hash of each image as soon as it is downloaded, so that any later modification during analysis can be detected.
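Before running any tool against the captures above, record exactly what was downloaded. The following Python is an added example, not code from the book or from the sites hosting the images. It assumes a downloaded archive that contains a single raw image file; rather than fetching from the network, it builds a constructed sample archive in a temporary directory. It checks the zip signature (a dead link typically saves an HTML error page under the .zip name), extracts with a guard against unsafe member names, writes a manifest with the image's size and SHA-256, and then re-verifies the manifest after the image is deliberately modified, which is the check you would run after each analysis session.

```python
import hashlib
import json
import os
import tempfile
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a zip archive


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in 1 MiB chunks so multi-GB images do not sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def stage_image(archive_path, dest_dir):
    """Check that archive_path really is a zip, extract its single member into
    dest_dir and return a manifest entry (name, size, SHA-256) for the image."""
    with open(archive_path, "rb") as f:
        if f.read(4) != ZIP_MAGIC:
            # A dead download link usually yields an HTML page saved as .zip
            raise ValueError(f"{archive_path}: not a zip archive")
    with zipfile.ZipFile(archive_path) as zf:
        members = [m for m in zf.namelist() if not m.endswith("/")]
        if len(members) != 1:
            raise ValueError(f"{archive_path}: expected one image, found {members}")
        name = members[0]
        # Never let an archive member name dictate where we write (zip-slip)
        if os.path.isabs(name) or ".." in name.replace("\\", "/").split("/"):
            raise ValueError(f"{archive_path}: refusing unsafe member name {name!r}")
        image_path = zf.extract(name, dest_dir)
    return {
        "image": os.path.relpath(image_path, dest_dir),
        "size": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
    }


def verify_manifest(manifest_path):
    """Recompute every hash in the manifest; return the names of images that changed."""
    base = os.path.dirname(manifest_path)
    with open(manifest_path) as f:
        manifest = json.load(f)
    return [e["image"] for e in manifest
            if sha256_file(os.path.join(base, e["image"])) != e["sha256"]]


def build_sample_archive(work_dir):
    """Constructed stand-in for a downloaded capture (not a real memory image):
    fifteen zeroed 4 KiB pages plus one page holding a marker string, zipped as
    sample.vmem.zip. Returns (archive_path, expected_sha256)."""
    image = b"\x00" * 4096 * 15 + b"MEMORY IMAGE SAMPLE".ljust(4096, b"\x00")
    archive = os.path.join(work_dir, "sample.vmem.zip")
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.vmem", image)
    return archive, hashlib.sha256(image).hexdigest()


def demo():
    """Stage the sample, write a manifest, verify it, then flip one byte of the
    image and verify again. Returns (entry, clean_result, tampered_result)."""
    work = tempfile.mkdtemp(prefix="memimg-")
    archive, expected = build_sample_archive(work)
    entry = stage_image(archive, work)
    assert entry["sha256"] == expected  # hash of the extracted bytes matches what was zipped
    manifest = os.path.join(work, "manifest.json")
    with open(manifest, "w") as f:
        json.dump([entry], f, indent=2)
    clean = verify_manifest(manifest)  # [] : nothing has changed yet
    with open(os.path.join(work, entry["image"]), "r+b") as f:
        f.write(b"\x01")  # simulate accidental modification of the evidence
    tampered = verify_manifest(manifest)  # ["sample.vmem"] : change detected
    return entry, clean, tampered


if __name__ == "__main__":
    entry, clean, tampered = demo()
    print(json.dumps(entry, indent=2))
    print("changed before analysis:", clean, "| changed after tamper:", tampered)
```

For the real captures, point stage_image at the downloaded stuxnet.vmem.zip and cridex_memdump.zip, keep the manifest with your case notes, and run verify_manifest after every session; a non-empty result means the image you are analysing is no longer the one you downloaded.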