Saturday, October 10, 2020

Capturing Windows Memory

It has been a while since my last post. Changing jobs pointed me in a different direction for a while, but as George and Frank Costanza would say, "I'm back, baby!"


I recently had to look into Windows memory capture to do some offline analysis of running processes.

My normal 'go-to' tool for taking a forensic image and memory capture is FTK Imager. It is pretty robust and ninja proof.

You can copy the install directory to an external USB drive and it runs nicely as a portable version. When we run it, it obviously loads into memory, so the tool itself will be present in the capture we take of the system memory.

I started to wonder whether there were other tools that could do memory capture, and to compare some of their features, such as:

  1. Memory footprint - smaller and fewer processes is better, since every page the tool occupies is a page of the evidence that was displaced
  2. Portable - I don't really want to install it on the system in question
  3. Fast - memory capture is often the first stage of an incident response, so I want it to be fast
  4. Access privilege required - do I need to be admin, or can I run this as a least-privilege user? (In practice a full physical memory capture needs a kernel driver, so all of these need administrative rights; the question is how gracefully they fail without them.)
  5. Stand-alone - do I need to buy the whole forensic suite, or can I just get the memory capture tool?
  6. Price - gratis is good, but a low-cost good tool is OK too
  7. Ease of use - I don't want to fumble in the field with pesky undocumented command line switches

While there have been numerous blogs on some of the available tools, I was mainly interested in footprint and speed. Whatever the tool loads into RAM displaces pages that were there before it started, so the larger the footprint and the longer the run, the greater the risk that some of the data of interest is paged out or overwritten before it is captured.
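To make the footprint and speed comparison repeatable rather than read off Task Manager by eye, the following PowerShell harness launches a capture tool, times it, records the peak working set and peak commit charge the kernel tracked for the process, and hashes the resulting dump. This is an added example and not code from the original post or from any of the vendors; the script name Measure-Capture.ps1, the parameter names and the example paths are assumptions. GUI tools such as FTK Imager only "exit" when you close the window, so for those take the capture time from the tool's own log and treat this figure as an upper bound.

```powershell
<#
  Added example (not from the original post or any vendor). Assumed name:
  Measure-Capture.ps1. Run from an elevated prompt, e.g.:
    .\Measure-Capture.ps1 -ToolPath E:\Memory_Acquisition\Tool\tool.exe -OutputFile E:\capture.raw
  Paths and parameter names are placeholders; each tool has its own switches.
#>
param(
    [Parameter(Mandatory)] [string] $ToolPath,
    [string[]] $ToolArgs   = @(),    # tool-specific command line switches, if any
    [string]   $OutputFile = '',     # path of the dump the tool writes, if known
    [int]      $SampleMs   = 250     # sampling interval for the memory counters
)

# Start-Process rejects an empty -ArgumentList, so only pass it when we have arguments.
$start = @{ FilePath = $ToolPath; PassThru = $true }
if ($ToolArgs.Count -gt 0) { $start.ArgumentList = $ToolArgs }

$sw   = [System.Diagnostics.Stopwatch]::StartNew()
$proc = Start-Process @start

$peakWorkingSet = 0L   # peak physical pages held by the tool (what Task Manager shows)
$peakCommit     = 0L   # peak pagefile-backed commit, i.e. private bytes
while (-not $proc.HasExited) {
    $proc.Refresh()
    try {
        # The kernel keeps these high-water marks for us, so a coarse sample is
        # enough; the catch covers the race where the process exits mid-sample.
        if ($proc.PeakWorkingSet64      -gt $peakWorkingSet) { $peakWorkingSet = $proc.PeakWorkingSet64 }
        if ($proc.PeakPagedMemorySize64 -gt $peakCommit)     { $peakCommit     = $proc.PeakPagedMemorySize64 }
    } catch [System.InvalidOperationException] { break }
    Start-Sleep -Milliseconds $SampleMs
}
$sw.Stop()

# Hash the dump so the timing result can be tied to the evidence file it produced.
$hash = if ($OutputFile -and (Test-Path -LiteralPath $OutputFile)) {
    (Get-FileHash -LiteralPath $OutputFile -Algorithm SHA256).Hash
} else { 'n/a' }

[pscustomobject]@{
    Tool             = Split-Path -Leaf $ToolPath
    Elapsed          = $sw.Elapsed.ToString('mm\:ss')
    PeakWorkingSetMB = [math]::Round($peakWorkingSet / 1MB, 1)
    PeakCommitMB     = [math]::Round($peakCommit / 1MB, 1)
    ExitCode         = $proc.ExitCode
    DumpSHA256       = $hash
}
```

This is for bench-testing tools on a lab machine: during a real acquisition you would not want an extra powershell.exe resident in the memory you are about to capture.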

After some quick browsing, the current options seem to be (in no order of preference):

  1. FTK Imager
  2. Belkasoft RAM Capturer
  3. Magnet RAM Capture
  4. Process Hacker
  5. Winen
  6. MDD
  7. Mandiant Memoryze
  8. WindowsSCOPE
  9. WinPmem
  10. DumpIt

The next step was to see whether my Google-fu could find the memory capture applications, as some of these have dropped on and off hosting sites.

FTK Imager

Used for forensic imaging and live viewing of disks, but can also do memory capture.
Has the option to capture pagefile.sys at the same time, which is nice (remember to size the destination for RAM plus pagefile if you tick it).
It does require you to install it first (not on your target machine) and then copy the install directory to a USB drive for portable use.

Time: 2m:37s
Memory: 11.6MB
Install Directory of FTK Imager

FTK Imager GUI

FTK Imager GUI options

FTK Imager Memory Footprint


Belkasoft RAM Capturer

Simple to use from a USB drive.
Time: 2m:22s
Memory: 7.7MB

Belkasoft RAM Capturer Install directory



Belkasoft RAM Capturer GUI

Belkasoft RAM Capturer Memory Footprint

Magnet RAM Capture

Has the option to split the output into segments, but is otherwise pretty straightforward.
Time: 4m:01s
Memory: 6.8MB


Magnet RAM Install Directory

Magnet RAM GUI

Magnet RAM Memory Footprint

Process Hacker

While this is a powerful tool, it is more granular than required here and probably better for live analysis: it lets you inspect individual processes and dump the memory used by each of them, but it does not take a full physical memory dump.

Process Hacker Install directory

Process Hacker GUI

Process Hacker Memory Footprint


MDD

I couldn't get this to work successfully. 😢

Mandiant Memoryze

This downloads as an MSI for installing, but it can be run from a USB drive without installing on the target by using msiexec's administrative install option (/a) to extract the package onto the USB drive:

msiexec /a E:\Download\MemoryzeSetup3.0.msi /qb TARGETDIR=E:\Memory_Acquisition\Mandiant_memoryze

It doesn't appear to support anything after Windows 7, so testing of this one is on hold.

WindowsSCOPE

This requires a $1 registration to try it, but looking at the $7,699 cost for a single year, I decided not to pursue it.

DumpIt

This app disappeared for a while and I was very keen to test it. A new version came back via the author Matt Suiche at https://my.comae.com, but even though I created an account I could never log in, and got a "Failed to Fetch" error when logging in. If anyone has tested a newer version, let me know.


It writes the capture into the directory it is run from and doesn't let you select a destination, so if you run it from an external USB drive make sure the drive has free space for the full size of physical RAM plus some headroom, or the capture will fail part-way through.

Time: 2m:34s
Memory: 7.1MB
DumpIt Install Directory


DumpIt command line

DumpIt Memory Footprint
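Because DumpIt writes next to itself and FTK Imager can optionally add pagefile.sys to the capture, the one check worth scripting before any of these tools is launched from a USB drive is whether the drive is big enough, together with whether the shell is elevated (the capture driver won't load otherwise) and whether the destination is really the USB drive and not the evidence machine's system drive. The following pre-flight script is an added example, not code from the original post or any vendor; the script name Test-CapturePreflight.ps1, the default drive letter E: and the 10% headroom are assumptions.

```powershell
<#
  Added example (not from the original post or any vendor). Assumed name:
  Test-CapturePreflight.ps1. Usage from the evidence machine, before running the tool:
    .\Test-CapturePreflight.ps1 -Destination E:\Memory_Acquisition -IncludePagefile
  The drive letter and headroom are assumptions; adjust for your kit.
#>
param(
    [string] $Destination = 'E:\',
    [switch] $IncludePagefile,       # set when the tool will also grab pagefile.sys
    [double] $Headroom    = 0.10     # safety margin over the raw RAM (+ pagefile) size
)

function Test-IsElevated {
    # Every full physical-memory capture tool loads a kernel driver, which needs admin.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Path -LiteralPath $Destination)) {
    Write-Error "Destination $Destination does not exist."
    exit 1
}

$ramBytes  = [int64](Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$pageBytes = 0L
if ($IncludePagefile) {
    # Win32_PageFileUsage reports the current size of each pagefile in MB.
    $sumMB     = (Get-CimInstance Win32_PageFileUsage | Measure-Object -Property AllocatedBaseSize -Sum).Sum
    $pageBytes = [int64]$sumMB * 1MB
}
$needBytes = [int64](($ramBytes + $pageBytes) * (1 + $Headroom))

# Resolve the drive the dump will land on and compare it with the system drive.
$root    = [IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Destination).Path)   # e.g. E:\
$letter  = $root.TrimEnd('\')                                                       # e.g. E:
$disk    = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$letter'"
$sysRoot = [IO.Path]::GetPathRoot($env:SystemRoot)

"RAM {0:N2} GB, pagefile {1:N2} GB, required with headroom {2:N2} GB, free on {3} {4:N2} GB" -f
    ($ramBytes / 1GB), ($pageBytes / 1GB), ($needBytes / 1GB), $root, ($disk.FreeSpace / 1GB)

$checks = [ordered]@{
    'Running elevated'                = Test-IsElevated
    'Destination is not system drive' = ($root -ne $sysRoot)
    'Enough free space'               = ([int64]$disk.FreeSpace -ge $needBytes)
}

$failed = $false
foreach ($c in $checks.GetEnumerator()) {
    "{0,-32} {1}" -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
    if (-not $c.Value) { $failed = $true }
}
# DriveType 2 = removable. Large USB hard disks often report as fixed (3), so warn only.
if ($disk.DriveType -ne 2) {
    Write-Warning "$root does not report as a removable disk; confirm it is the evidence drive."
}
if ($failed) { exit 1 }
```

The script itself is a small footprint, but like anything else you run first it will be present in the capture; run it, note the result, and then start the capture tool.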


Testing Summary

So the major features I was looking for were a small footprint, ease of use and speed. The table below summarises the four tools that met my needs, using the times and memory footprints measured above:

Tool                    Time      Memory
FTK Imager              2m:37s    11.6MB
Belkasoft RAM Capturer  2m:22s    7.7MB
Magnet RAM Capture      4m:01s    6.8MB
DumpIt                  2m:34s    7.1MB

For speed, Belkasoft is slightly faster on my Dell laptop, but that will depend on the system you are running it on.

Magnet RAM Capture has the smallest footprint at 6.8MB.

FTK Imager is also fast, with a slightly larger footprint, but it has more than just RAM capture functionality. It can also forensically acquire hard drives, so if I also wanted a forensic disk image or a forensic copy of files it may be easier to use this than to change programs.

But if I just had to do a memory capture, Belkasoft or Magnet RAM Capture might be good choices.

DumpIt may be a nice choice if I just want a simple double-click capture stored alongside the executable.


Now to analyse the memory captures.... that may be for another post.

Until the next post TheHexNinja says:

Memory Capture 
Easy When You Know Your Tools  
Now To Analyse 


References

1. Tool URLs
2. The following article describes some of the methods the memory capture applications use to obtain the dump from kernel mode: ZwOpenSection with ZwMapViewOfSection, MmMapIoSpace, and MmMapMemoryDumpMdl
