
Is your PC hacked? RAM Forensics with Volatility

Mar 31, 2024
So how can you tell if a system has been hacked? In this video, we will delve into memory forensics. We will learn how to create a memory dump and how to analyze it with tools like Volatility. We will see advanced command line tools and also very simple GUI tools that everyone can use.

What you are seeing now is an infected system. This system is highly infected; it is infested with all kinds of malware, to such an extent that even if we try to download an antivirus, it is not going to work. I am just going to use votes to demonstrate this: we get the exe, but if I try to open it, this is what happens. As you can see, we have a fake antivirus that has hijacked our system.

When a system is compromised as extensively as this one, you may have malware in your drivers, you may have malware services operating within the system, so you need a thorough forensic analysis. To start with, we'll need to perform a memory dump of this entire system, and we are going to do that with a tool called DumpIt. When I say memory, I mean RAM or volatile memory; this is where all the active programs and processes that are currently running on your system are stored. The idea is that if there are any active malicious actors inside the system, they will need to have a presence in that RAM to be able to do anything. So when you say yes, what will happen is that this program will dump all the data that is currently in the RAM of this computer into a file, and then I can take that file to another computer and start analyzing it to see what's there.

The RAM dump was successful and we have a file on our desktop, so this is our memory dump file. It is nine gigabytes in size. Another thing I just want to mention is FTK Imager. This is a specific forensic tool, it's free, and it allows you to do drive forensics, but what it also allows you to do, if you go into the File menu, is capture the memory, so that if for some reason DumpIt does not give you a good memory dump, or you find an error later, try this tool: just select a destination path and a name, and then it will simply grab the memory.
I already transferred this file. I renamed it memdump and we will analyze it using an open source tool called Volatility. Now, by default Volatility is a command line tool, but there is a tool that you can download called Volatility Workbench which will basically give you a simple user interface to work with it, and I highly recommend it to beginners. If you are having difficulty making sense of what happens on the command line, if you are not comfortable, you are much better off using this. All we have to do is select the image file here: you can click on Browse Image, set the platform to Windows, and then click on Get List of Processes, and what this will do is use the command line tool to generate all the processes that are on this system. Voila, now we have a record of everything that is active here, so just scroll through this, as you can see.
I have something called a Hider process, which doesn't sound very good. So even if I had never seen the system and didn't know it was infected, now this memory dump comes up, I look at it, and I see that there is a Hider process currently running in RAM. One of the things you will need if you are going to perform any type of forensic analysis is a deep understanding of the operating system you are analyzing. So in the case of Windows, cmd is the command line; similarly, svchost is a system process.
I know that with host, it is a system process, although etw.exe is definitely not. Of course a list of processes, although useful, is not exhaustive, so let's do some of the other commands that you can select here. For example, over there is the Volatility-specific command called malfind, and what this is going to do is look for evidence of process injection, that is, certain patterns of malware behavior in memory. So we're going to select it and run it one more time; we'll have our results, and as you can see, Volatility has found many suspicious patterns.
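The "deep understanding of the operating system" the video asks for can be partly encoded. Windows establishes fixed parent/child relationships for its core processes (smss spawns csrss and wininit, wininit spawns services and lsass, services spawns every svchost), so a process whose name looks legitimate but whose parent is wrong stands out at once. The script below is an added example, not code from the video or from the Volatility project: it parses a constructed table in the shape of `vol.exe -f memdump windows.pslist` output (PIDs, offsets and names, including Hider.exe, are made up), checks each row against an expected-parent map and a small baseline of process names, and treats a missing parent as normal because smss session instances and userinit.exe exit after spawning their children.

```python
"""Triage a Volatility 3 `windows.pslist` table against the parent/child relationships
that Windows itself sets up, so a process with an unexpected parent stands out even when
its name looks legitimate, and a name outside the baseline is reported too."""
from typing import Dict, List, Tuple

# Constructed sample in the shape of `vol.exe -f memdump windows.pslist` output (tab-separated).
# PIDs, offsets and timestamps are made up for this example, not taken from a real system.
SAMPLE_PSLIST = (
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output\n"
    "4\t0\tSystem\t0xe00000000001\t120\t-\tN/A\tFalse\t2024-03-31 10:00:00.000000 \tN/A\tDisabled\n"
    "536\t4\tsmss.exe\t0xe00000000002\t2\t-\tN/A\tFalse\t2024-03-31 10:00:01.000000 \tN/A\tDisabled\n"
    "620\t612\tcsrss.exe\t0xe00000000003\t10\t-\t0\tFalse\t2024-03-31 10:00:02.000000 \tN/A\tDisabled\n"
    "700\t612\twininit.exe\t0xe00000000004\t1\t-\t0\tFalse\t2024-03-31 10:00:02.000000 \tN/A\tDisabled\n"
    "800\t700\tservices.exe\t0xe00000000005\t5\t-\t0\tFalse\t2024-03-31 10:00:03.000000 \tN/A\tDisabled\n"
    "812\t700\tlsass.exe\t0xe00000000006\t8\t-\t0\tFalse\t2024-03-31 10:00:03.000000 \tN/A\tDisabled\n"
    "904\t800\tsvchost.exe\t0xe00000000007\t12\t-\t0\tFalse\t2024-03-31 10:00:04.000000 \tN/A\tDisabled\n"
    "2400\t3100\texplorer.exe\t0xe00000000008\t40\t-\t1\tFalse\t2024-03-31 10:01:00.000000 \tN/A\tDisabled\n"
    "1544\t2400\tsvchost.exe\t0xe00000000009\t3\t-\t1\tFalse\t2024-03-31 10:05:04.000000 \tN/A\tDisabled\n"
    "3320\t2400\tHider.exe\t0xe0000000000a\t2\t-\t1\tFalse\t2024-03-31 10:06:00.000000 \tN/A\tDisabled\n"
)

# Parent each core Windows process is expected to have (names compared case-insensitively).
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "explorer.exe": "userinit.exe",
}
# Baseline of names the analyst accepts without comment; anything else is reported for review.
BASELINE = set(EXPECTED_PARENT) | {"system", "userinit.exe", "winlogon.exe", "dwm.exe", "cmd.exe"}


def parse_pslist(text: str) -> Dict[int, Tuple[int, str]]:
    """Map pid -> (ppid, lowercased image name); header and non-numeric rows are skipped."""
    procs: Dict[int, Tuple[int, str]] = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2].lower())
    return procs


def triage(procs: Dict[int, Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for every process that breaks the baseline or parent map."""
    findings: List[Tuple[int, str, str]] = []
    for pid, (ppid, name) in sorted(procs.items()):
        if name not in BASELINE:
            findings.append((pid, name, "not in baseline of expected Windows binaries"))
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue
        parent = procs.get(ppid)
        if parent is None:
            # smss session instances and userinit.exe exit after spawning their children,
            # so an absent parent is normal for csrss, wininit and explorer: not a finding.
            continue
        if parent[1] != expected:
            findings.append((pid, name, f"parent is {parent[1]} (pid {ppid}), expected {expected}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in triage(parse_pslist(SAMPLE_PSLIST)):
        print(f"{pid:>6}  {name:<16} {reason}")
```

In the constructed table this reports the svchost.exe instance started by explorer.exe and the unknown Hider.exe, while the svchost under services.exe and the explorer whose userinit parent has already exited pass without comment. On a real dump the baseline would be the analyst's own list for the build being examined.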
We have something on SearchHost. We have something on the host, yes. We have etw.exe. As you can see, the process is still continuing; apparently a page could not be read, but that's okay, we can scroll up and review everything it has found. So we see a lot of system processes listed here, so there may be some memory injection happening on the system where malware is hijacking the system. Unfortunately, while this workbench is pretty cool, it doesn't have all the commands that are available with Volatility, so this is where we'll switch to the command line interface and try to understand what's happening on the network, because I want to capture whether there is a malicious entity on the computer that is communicating with an external hacker, or should I say a malicious server, just to be technically correct here. Then how are we going to get it right in the first place?
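malfind reports memory regions that are executable and writable with no file backing them, and then prints the first bytes of each region; what the analyst does next is decide which of those regions hold injected code and which are the allocator and JIT noise that system processes produce anyway. The following is an added example, not code from the video or from Volatility: it works on constructed records in the shape of malfind rows (pid, process, start address, protection, leading bytes; none of them from a real dump) and classifies each region by parsing the DOS header for a valid e_lfanew pointing at a `PE\0\0` signature, treating an all-zero region as a likely false positive and anything else executable as code that needs its disassembly reviewed.

```python
"""Classify the memory regions a malfind-style scan reports, separating injected PE images
from zero-filled false positives and from unbacked code that still needs a look."""
import struct
from typing import List, Tuple


def has_pe_header(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(protection: str, data: bytes) -> str:
    """Verdict for one region from its page protection and the bytes malfind hexdumps."""
    if "EXECUTE" not in protection:
        return "not executable"
    if has_pe_header(data):
        # A whole executable mapped by hand into another process: classic process injection.
        return "injected PE image"
    if not any(data):
        # Committed RWX memory nobody has written to yet; common, and usually benign.
        return "zero-filled (likely benign: reserved or not yet used)"
    return "executable code without file backing (review disassembly)"


def build_sample_pe(size: int = 0x200) -> bytes:
    """Constructed minimal MZ/PE stub for the example; it is not a runnable executable."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> offset of the PE signature
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


# Constructed records in the shape of malfind rows: (pid, process, start, protection, first bytes).
SAMPLE_REGIONS = [
    (904, "svchost.exe", 0x1A0000, "PAGE_EXECUTE_READWRITE", bytes(64)),
    (1544, "svchost.exe", 0x2B0000, "PAGE_EXECUTE_READWRITE", build_sample_pe()),
    (3320, "Hider.exe", 0x400000, "PAGE_EXECUTE_READWRITE", bytes.fromhex("4883ec28e8") + bytes(59)),
    (2400, "explorer.exe", 0x5C0000, "PAGE_EXECUTE_READWRITE", b"MZ" + bytes(62)),
]


def triage_regions(regions) -> List[Tuple[int, str, int, str]]:
    """Attach a verdict to every region; order is preserved so results line up with input."""
    return [(pid, proc, start, classify(prot, data)) for pid, proc, start, prot, data in regions]


if __name__ == "__main__":
    for pid, proc, start, verdict in triage_regions(SAMPLE_REGIONS):
        print(f"{pid:>6}  {proc:<14} {start:#010x}  {verdict}")
```

The last constructed region shows why the check parses the header instead of matching the two letters MZ: its e_lfanew is zero, so nothing points at a PE signature and it is not reported as an injected image.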
We will need to open a terminal or command line in the location where we have Volatility installed. Oh, when I say Volatility installed, it just means where I have the exe; it's a standalone tool. We're going to open up a terminal here, and this is where we're going to do some command line magic. Now, if you open Terminal, by default it will open in PowerShell; you want to make sure you're using the command prompt. Now, if you don't know how to navigate to a folder, I don't want to skip that, because someone might not know this: normally when you open the command prompt it will open in a system directory or a user directory like your username, but you can move to any directory of your choice by clicking in and selecting the path. For example, this is C lab forensics.
I can just copy this, and then you type cd, a space, the directory, and boom, you're there. You type vol.exe and you can give it -h, and what that does is give you the help file, so this is a list of all the commands that you can run with Volatility. You can perform a driver scan. You can dump files. There are many things you can do, but for now let's focus on network forensics. As you can see, we have something here called netstat, and this will list all the network connections.
Now there are different versions of this, so this one is for Mac. I'm sure there is one for Windows. There we go. We also have something very similar called netscan, but it's more of a list of network objects; it doesn't go through the entire structure, so we'll use netstat. To do that we'll just scroll down and type vol.exe, and then we need to select the file, of course, the memory dump file that we're looking at, so we'll type -f and then the name of the file, which is memdump (we almost typed meme dump in there, that's fun too). Let's type windows.netstat, and this command will traverse all the network structures within the memory dump and give us our results.
There are many things here, and again, this is where you will need experience to examine this and discover exactly what you are looking for. I'm going to ignore 0.0.0.0, it's loopback addresses, all that, and I'm going to look for anything that looks suspicious. For example, if we go to the top, there are several foreign addresses here; some of them may be Microsoft, but you can look at parameters such as the port number. Take this one, for example. We have a foreign IP that we have an active connection to on port 4342, so I'm just going to copy this and we'll try to figure out where this IP is located.
I'm just going to do an IP address lookup. This is my IP.com address. I'm just going to type in our culprit here and click on Get IP Details, and as you can see, this is located somewhere in Iceland, so there's an active connection from my computer to Reykjavik in Iceland, and I can see which ISP is associated. You can view the services or data center; it is probably a static IP, and the host name is vps-something. This bit, VPS, by the way, generally means virtual private server. If we go back to our results, we can find another one; let's try to scan, and you will get a very clear result. So I can understand why my computer would connect to Microsoft Corporation, but what I don't understand is why I am making a connection to Iceland.
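The triage the video performs by eye on the netstat table (skip 0.0.0.0 and loopback, look at foreign addresses, note an unusual port such as 4342 and which process owns the socket, then look the address up) can be scripted so that the reviewer starts with a short list of foreign IPs instead of the whole table. The script below is an added example, not code from the video or from Volatility: it parses a constructed, tab-separated table in the shape of `windows.netstat` output, filters out loopback, unspecified, link-local, multicast and RFC 1918 addresses with its own check (Python's `is_global` would also reject the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 that the sample uses as stand-ins for real foreign hosts), and flags the remaining connections on a port outside a small allow-list or owned by a process outside a small baseline. The port and process baselines are assumptions the analyst would tune.

```python
"""Reduce a Volatility 3 `windows.netstat` table to the external connections worth a lookup,
with a reason attached where the port or the owning process is unexpected."""
import ipaddress
from typing import Dict, List

# Constructed sample in the shape of `vol.exe -f memdump windows.netstat` output (tab-separated).
# Offsets, PIDs and addresses are made up; 198.51.100.7 and 203.0.113.45 are documentation
# addresses standing in for real foreign hosts.
SAMPLE_NETSTAT = (
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated\n"
    "0xe000a1b2c3d0\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t904\tsvchost.exe\t2024-03-31 10:00:04.000000 \n"
    "0xe000a1b2c3e0\tTCPv4\t192.168.1.20\t49712\t203.0.113.45\t4342\tESTABLISHED\t3320\tHider.exe\t2024-03-31 10:06:01.000000 \n"
    "0xe000a1b2c3f0\tTCPv4\t192.168.1.20\t49713\t198.51.100.7\t443\tESTABLISHED\t1544\tsvchost.exe\t2024-03-31 10:05:05.000000 \n"
    "0xe000a1b2c400\tTCPv4\t127.0.0.1\t49714\t127.0.0.1\t49715\tESTABLISHED\t2400\texplorer.exe\t2024-03-31 10:01:02.000000 \n"
    "0xe000a1b2c410\tUDPv4\t0.0.0.0\t5353\t*\t0\tN/A\t904\tsvchost.exe\t2024-03-31 10:00:05.000000 \n"
    "0xe000a1b2c420\tTCPv6\t::\t445\t::\t0\tLISTENING\t4\tSystem\t2024-03-31 10:00:00.000000 \n"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Assumed baselines: ports an unremarkable workstation talks to, and processes expected to.
COMMON_PORTS = {53, 80, 123, 443}
KNOWN_NETWORK_PROCS = {"svchost.exe", "msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe"}


def is_internal(addr) -> bool:
    """Addresses that never identify a remote party: the rows the video skips over."""
    return (addr.is_loopback or addr.is_unspecified or addr.is_link_local or addr.is_multicast
            or any(addr in net for net in RFC1918))


def parse_netstat(text: str) -> List[Dict]:
    """One dict per data row; the header and any malformed line are skipped."""
    rows = []
    for line in text.splitlines():
        p = line.split("\t")
        if len(p) < 9 or not p[0].startswith("0x"):
            continue
        rows.append({"proto": p[1], "laddr": p[2], "lport": int(p[3]), "faddr": p[4],
                     "fport": int(p[5]), "state": p[6],
                     "pid": int(p[7]) if p[7].isdigit() else None, "owner": p[8]})
    return rows


def external_connections(rows: List[Dict]) -> List[Dict]:
    """Rows whose foreign address is a real remote host, each with a list of reasons to look closer."""
    out = []
    for r in rows:
        try:
            addr = ipaddress.ip_address(r["faddr"])
        except ValueError:
            continue  # "*" or similar placeholder on UDP and listening sockets
        if is_internal(addr):
            continue
        reasons = []
        if r["fport"] not in COMMON_PORTS:
            reasons.append(f"unusual foreign port {r['fport']}")
        if r["owner"].lower() not in KNOWN_NETWORK_PROCS:
            reasons.append(f"owner {r['owner']} is not a known network client")
        out.append({**r, "reasons": reasons})
    return out


def lookup_list(conns: List[Dict]) -> List[str]:
    """Unique foreign addresses, the input for the geolocation/ISP lookup step."""
    return sorted({c["faddr"] for c in conns})


if __name__ == "__main__":
    conns = external_connections(parse_netstat(SAMPLE_NETSTAT))
    for c in conns:
        print(f"{c['owner']:<14} pid {c['pid']:<6} -> {c['faddr']}:{c['fport']}  {'; '.join(c['reasons']) or 'baseline'}")
    print("look up:", lookup_list(conns))
```

Of the six constructed rows only two survive the internal-address filter, and only the one owned by Hider.exe on port 4342 carries reasons; the svchost connection to port 443 is kept in the lookup list but not flagged, which matches the video's point that a connection to a known vendor can be explained while an unexplained one to a VPS cannot.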
This is a way to find suspicious network activity where a hacker may be connecting to your system, or malware on your system may be calling home. So by looking at all this data in memory I can now make a determination: I highly suspect that this computer is infiltrated, even if I didn't know there was something wrong with the system, and we have already isolated some suspicious connections and some processes that could be indicators of compromise. Now just out of curiosity, I wanted to show you what's actually inside the memory dump if we open it with a text editor. As you can see, we have a lot of random characters, and the reason you're seeing this is because it's just a raw dump of the computer's memory; it is not encoded in a way that makes sense to you, and that is why we need to use command line tools like Volatility. But technically everything is here; for example, if you have a piece of ransomware that communicates with a command and control server by sending a key, that key is probably somewhere here, because the key must be stored in memory in order to be transmitted. Finding it, however, is not something that everyone will be able to do. But if this all sounds intimidating or archaic, there are better GUI tools you can use to analyze a memory dump; one of them is Intezer Analyze, who also sponsor this video.
Now, for the purpose of this video, we are going to use the endpoint scanning feature that you can find under Endpoint. Now Intezer also has its own memory dump plugin that you can use with Volatility, but to keep things simple, we'll actually use the endpoints feature, as it will do all the data collection for us. So all we have to do is click on the scanning endpoint, download the scanner and then run it on our victim system. So let's get to that now. We will need an API key that we can generate on the accounts page, but once it is entered, the scanning will start, and when this process completes, we can go back to analyze.intezer.com. If we go to the endpoint again, we will see my scans; we will find the last scan and the type of scan.
It is a live malware analysis, so it is very similar to analyzing a dump. If we click on it, we will find a complete system analysis, as well as a general verdict. As you can see, this one says it is infected by XMRig miner, a crypto miner, and you can instantly see the advantage of a tool like this: in a couple of seconds we have our eyes on the most relevant information. We know that there is malware in this system, we know it from the analysis of the code's genes, and we have been directed to the most relevant process tree. So as you can see, we have sihost.exe, which is in System32, part of a system process.
You can see the exact command it is run with, and then we have etw.exe, which is the malicious module embedded within the system process, and it is highlighted in red; we know this is bad. Now we can also see other malware and where it is embedded. So this is just a direct process, it is based on the Windows brand, it has created its own folder; if you look in the next one you can see that this one also has its own process, and then the last one is built into dllhost.exe. Interestingly, here we have two dllhost entries: as you can see, this is the trusted module from Microsoft, it is the actual dllhost, and then of course we have the malicious dllhost right next to it, and if we look at the verdict here it says memory replaced; this is like a case of process hijacking. So if you want to try this yourself, analyze.intezer.com. They also have very good customer support, so if you have any questions or want to try out some of their business features, I definitely suggest you contact them, because they are very friendly and may be able to accommodate your needs. Now that concludes the video, but don't go anywhere, because we're having a live Discord workshop right after the premiere.
I'll be there and we'll do some live memory forensics. We'll take a look at some of your systems and see what we find, and also if you have any questions about something you just saw you can jump into the voice chat. So I'll see you at the event in a minute, but please like and share the video if you enjoyed it. Producing in-depth videos like this takes a lot of effort, so if you'd like to see more, let me know in the comments below. I'm also planning on making a follow-up video where I clean up this infected system, get rid of the fake AV and all that, so make sure you're subscribed if you want to watch it; it will be a lot of fun.
Thank you so much for watching and as always, stay informed, stay safe.
