Last Updated: 2013-11-19 03:08:10 UTC
by Mark Baggett (Version: 1)
There should be little argument that, given today's threats, you should always acquire a memory image when dealing with any type of malware. Modern desktops can have 16 gigabytes of RAM or more, filled with evidence that is usually crucial to understanding what was happening on that machine. Failing to acquire that memory makes analyzing the other forensic artifacts difficult, or in some cases impossible. Chad Tilbury (@chadtilbury) recently told me about a new memory acquisition tool that I want to share with the ISC readers. It is called winpmem. It is written by Michael Cohen. It is free and it is available for download here. Here is a look at it.
After downloading and expanding the zip file, you will see the following components:
You can see there are two executables. They are named winpmem_1.4.exe and winpmem_write_1.4.exe. I'll come back to winpmem_write_1.4.exe later. There is also a "binaries" directory that includes a couple of device drivers and a Python script. That sounds like fun! I'll come back to that one later as well. For now, let's talk about winpmem_1.4.exe. If you run it without any parameters you will get a help screen. It looks like this:
If you want to use winpmem to acquire a raw memory image, all you have to do is provide it with a filename. A copy of all the bytes in memory will be saved to that file. For example:
c:\> winpmem_1.4.exe memory.dmp
This will create a raw memory image named "memory.dmp" suitable for analysis with Volatility, Mandiant's Redline and others. The tool can also create a crash dump that is suitable for analysis with Microsoft's WinDbg. To do so you just add the "-d" option to your command line, like this:
c:\> winpmem_1.4.exe -d crashdump.dmp
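Two things an examiner wants alongside the raw image are a hash taken immediately after acquisition and a record of what was run, where and when. The following Python wrapper is an added example, not code from this diary or from the winpmem project: it invokes only the two command forms shown above (a bare filename for a raw image, -d for a crash dump), assumes winpmem_1.4.exe is on the PATH of an elevated prompt, and the JSON sidecar name and field names are this example's own convention.

```python
"""Wrap a winpmem acquisition with integrity hashing and a custody record.

Added example; not part of the ISC diary or the winpmem project.
Assumes winpmem_1.4.exe is on PATH (or pass its full path) and that the
script runs from an elevated prompt on the target. Only the two invocations
shown in the diary are used: a bare filename for a raw image, or -d for a
WinDbg crash dump.
"""
import hashlib
import json
import os
import platform
import socket
import subprocess
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces; an image can be 16 GiB or more


def sha256_file(path):
    """Stream the image through SHA-256 so a huge file is never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_command(exe, output, crashdump=False):
    """Only the two forms from the diary: raw image, or -d for a crash dump."""
    cmd = [exe]
    if crashdump:
        cmd.append("-d")
    cmd.append(output)
    return cmd


def custody_record(image_path, command, started, finished):
    """Facts an examiner needs later: what ran, where, when, and the hash."""
    return {
        "image": os.path.abspath(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "command": " ".join(command),
        "hostname": socket.gethostname(),
        "platform": platform.platform(),
        "acquisition_start_utc": started.isoformat(),
        "acquisition_end_utc": finished.isoformat(),
    }


def acquire(output, exe="winpmem_1.4.exe", crashdump=False):
    """Run winpmem, then hash the result and write <output>.json beside it.

    Point `output` at removable or network media, not the suspect's system
    disk: writing a multi-gigabyte image there overwrites unallocated space
    you may still want from the disk examination.
    """
    cmd = build_command(exe, output, crashdump)
    started = datetime.now(timezone.utc)
    subprocess.run(cmd, check=True)  # raises if winpmem exits non-zero
    finished = datetime.now(timezone.utc)
    record = custody_record(output, cmd, started, finished)
    with open(output + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify(image_path, record_path):
    """Re-hash the image and compare with the stored record; True if intact."""
    with open(record_path) as f:
        record = json.load(f)
    return (os.path.getsize(image_path) == record["size_bytes"]
            and sha256_file(image_path) == record["sha256"])


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "memory.dmp"
    print(json.dumps(acquire(target), indent=2))
```

Run it as `python acquire.py e:\case42\memory.dmp` from an elevated prompt; the sidecar `memory.dmp.json` travels with the image, and `verify()` re-checks size and hash before the image is loaded into Volatility or Redline, so any later truncation or tampering of the file is caught rather than silently analyzed.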
Now, some of you may be thinking, "So what! I can already dump memory with dumpit.exe, Win32dd.exe, win64dd.exe and others." Well, you are right. But if you have malware that is looking for those tools, now you have another option. While winpmem might look like a mild-mannered memory acquisition tool, it actually has super powers. The BEST part of winpmem (IMHO) is in those components that I conveniently glossed over. I'll take a look at winpmem_write_1.4.exe and, better yet, that Python script in my next journal entry.
Interested in Python? Check out SANS SEC573, Python for Penetration Testers! I am teaching it in Reston, VA on March 17th!
Click HERE for more information.
Follow me on Twitter: @MarkBaggett