Security and Forensic Analysis of the RAM of a Computer Infected by Malware
1. Introduction
Forensic analysis of the RAM is the practice of collecting and organizing information found on an electronic device for investigative purposes. It is important to know both the technologies and the methods and frameworks investigators use in this field [1]. Technological progress has transformed our society, shaping our individual and professional daily lives. The concurrent emergence of big data, artificial intelligence and the Internet of Things has substantially reshaped the business landscape, integrating these innovations as fundamental elements. These now omnipresent technologies are in perpetual evolution, systemically redefining how we communicate and work. This technological metamorphosis has significantly changed human interactions and the way content is transmitted. However, as these advances have become integrated into our lives and professional environments, they have also given rise to a new form of crime operating in cyberspace (phishing, denial-of-service attacks, ransomware, etc.). The rise of certain cybercrime activities, malware in particular, has greatly complicated the work of digital investigators. The objective of this research is therefore the forensic analysis of the RAM of computers compromised by a cyber virus attack, exploring the methodologies, techniques and tools required to extract crucial information from this essential component of the computer system. While traditional forensic investigation techniques focused primarily on hard drives and files, examining RAM provides an invaluable window into the state of the system at the time of infection, allowing a detailed understanding of the malicious activities in progress.
2. Methodology
Forensic analysis of the RAM of a virus-infected computer requires a precise methodology to extract crucial information without altering the data. It requires in-depth computer forensics expertise and the proper use of specialized tools to extract and analyze RAM without compromising the data. Several problems must be paid attention to during the collection of electronic evidence, and the investigator should know the techniques and methods of cybercrime scene protection [2].
During our work, the first step of our methodology consisted of setting up a secure, isolated working environment, called a sandbox. For this project we chose VirtualBox, a virtualization software which allows the creation of virtual machines on a host system. In this environment we installed Ubuntu 18.04.6 victim machines and a CSI Linux machine, which was used to carry out the analysis.
The second step was to infect our machines with the Erabus malware. There are many ways in which a machine can become infected with malware. In this research, we extracted the malware from a victim’s computer and then executed it in the Ubuntu virtual machines so that they became infected. One prerequisite was an internet connection during the analysis, so that the malware could communicate with its C&C server and thus exhibit its true behavior: without internet access the malware does not run fully, as it cannot download its encryption keys, etc.
Then, it was essential to obtain samples of the RAM of the compromised machines by performing memory dumps with a forensic tool, LiME version 1.9.1.
Finally, we analyzed the dumps using the Volatility framework to look for signatures, suspicious behavior and traces of ransomware in memory. It is important to master the tools used for the investigation of RAM [3].
Figure 1 describes the different stages of our work methodology, which can be summarized in the following points:
Setting up the work environment;
Attack of the virtual machine;
Collection of data through memory captures;
Analysis of dumps.
Figure 1. Methodology used.
3. Traditional Analysis Compared to Forensic Analysis of RAM
Memory forensics is the process of capturing the execution memory of a device and then analyzing the captured output for the presence of malware. Unlike hard drive forensics, where a device’s file system is cloned and every file on the drive can be retrieved and analyzed, memory forensics focuses on the programs that were running on the device at the moment the memory dump was captured.
In practice, the first step in a memory investigation is to obtain a copy of the contents of volatile memory, called a memory dump. Once this step has been completed successfully, the dump is analyzed: evidence is extracted by analyzing and interpreting operating system constructs.
The traditional investigation approach poses a certain number of difficulties:
The difficulty linked to the identification of the traces left by the virus in the RAM;
The lack of an appropriate technique for examining network connections;
The difficulty of reconstructing the chronological sequence of malicious actions;
The difficulty associated with extracting relevant data without altering the integrity of the digital evidence;
The difficulty linked to traditional analysis which requires large storage capacity.
In view of all these difficulties and the growing threat of viruses, it is appropriate to integrate forensic analysis of RAM for computers compromised during computer attacks, especially virus attacks. Forensic investigations based on the hard drive alone can be difficult [4].
The advantages of forensic analysis are:
Forensic analysis makes it possible to extract relevant data from RAM without altering the integrity of the digital evidence;
Forensic analysis of the RAM of a virus-infected system can reveal indicators that identify specific processes related to the malware’s activity and operation;
Analyzing network connections after a virus attack can help determine outgoing communications to the command and control (C&C) server.
This class of malware is among the most advanced: once it infects a system, it uses the system’s own resources and services to encrypt its data, causing large financial and data losses to organizations and individuals [5].
4. Setting Up the Attack System
We install the LiME tool on Ubuntu 18.04.6 in order to perform a memory dump of the victim machine:
sudo apt update
sudo apt upgrade
git clone https://github.com/504ensicsLabs/LiME.git
Figure 2 shows the cloning of the LiME git repository on the victim Ubuntu machine.
Figure 2. Cloning the LiME repository on the victim machine.
cd LiME/src && make
We now install Volatility from its source tree with its setup script:
sudo python3 setup.py install
Regarding the work of this research, we extracted the malicious virus from a victim’s computer and then executed it in the first Ubuntu virtual machine so that it was infected. We then reproduced the infection in the other Ubuntu virtual machines while remaining in our controlled environment. During the attack, one prerequisite was to maintain an internet connection so that the malware could communicate with its C&C server and thus exhibit its true behavior.
Figure 3 shows the Ubuntu 18.04.6 virtual machine before the malware attack. The next step is to infect our virtual machine.
Figure 3. Capture of the victim machine before the virus attack.
Figure 4 was taken from the victim machine after it was infected with the malware. We find that our files have been encrypted and that a ransom message, the readme_for_unlock.txt file, has been dropped by the cybercriminal.
Figure 4. Capture of the victim machine after attack.
5. Results and Discussion
5.1. Memory Extraction Result
Memory forensics, which offers a chance to analyze a given sample and determine whether it is malware or not without resorting to complex reverse engineering techniques, is the best solution [6]. When a computer is infected with a virus, the memory dump process can be tricky because the ransomware can interfere with normal system operations. The process described above can nevertheless be applied. In the case of a computer infected with a virus, the priority is to contain and isolate the infection as best as possible to prevent its spread. The memory dump can be difficult to perform due to the destructive or intrusive nature of the virus. The memory of the infected machine was extracted with LiME using the following command:
sudo insmod lime-$(uname -r).ko "path=/path/to/save/destination format=lime"
Figure 5 illustrates the result of the memory capture of our infected machine. As shown in the figure, our memory dump is 4 gigabytes, which is exactly the size of the RAM of the Ubuntu machine. Memory forensics has come to the forefront as a formidable instrument in the ongoing struggle against malware, providing researchers with the means to examine these threats within their operational environment and extract valuable insights from the behaviors they exhibit while active [7].
Figure 5. Memory dump capture.
It is crucial to note that memory capture may require elevated privileges and should be done carefully to avoid modifying the target system’s memory. It is also possible to perform the memory dump over the network with LiME. The integrity of the memory dump, i.e. that it was not altered during capture or transfer, was verified by calculating the MD5 hash of the original memory dump on the victim machine and that of the file copied to the analysis machine. The two operations are illustrated in the figures below; the identical hashes indicate that the dump has not been altered.
Calculation of the MD5 hash of the memory dump directly on the Ubuntu machine.
Calculation of the MD5 hash of the memory dump on the CSI Linux machine.
These figures show the hash calculations just after the dump on the victim machine and then on the CSI machine used for the analysis. The two hashes are identical, which verifies the integrity of the dump.
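The two steps just described, the format=lime capture (Figure 5) and the hash-based integrity check (the two hash figures), as an added Python example that is not part of the paper: it walks the LiME range headers (magic, version, start and end address, reserved bytes, as documented by the LiME project), checks that each range's data is complete, sums the captured physical memory (which should match the machine's RAM size, 4 GB in the paper's case), and computes the MD5 of the whole file. The sample dump is constructed inline and the helper names are our own.

```python
import hashlib
import struct

# LiME memory-range header (32 bytes, little-endian on x86), per the LiME README:
# u32 magic, u32 version, u64 start address, u64 end address, 8 reserved bytes.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")


def parse_lime(dump: bytes) -> list:
    """Walk a format=lime dump and return (start, end, length) per range.
    Raises ValueError on a bad header or a range whose data is truncated."""
    ranges = []
    pos = 0
    while pos < len(dump):
        if len(dump) - pos < LIME_HEADER.size:
            raise ValueError("truncated header at offset %d" % pos)
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(dump, pos)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError("bad LiME header at offset %d" % pos)
        if e_addr < s_addr:
            raise ValueError("inverted range at offset %d" % pos)
        length = e_addr - s_addr + 1  # the end address is inclusive
        pos += LIME_HEADER.size
        if pos + length > len(dump):
            raise ValueError("range data truncated at offset %d" % pos)
        ranges.append((s_addr, e_addr, length))
        pos += length
    return ranges


def captured_bytes(ranges: list) -> int:
    """Total physical memory captured; expected to equal the machine's RAM size."""
    return sum(length for _, _, length in ranges)


def md5_hex(data: bytes) -> str:
    """MD5 of the dump file, as computed on both the victim and the analysis machine."""
    return hashlib.md5(data).hexdigest()


def make_range(s_addr: int, data: bytes) -> bytes:
    """Build one LiME range (header + payload); used only to construct sample input."""
    header = LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, s_addr + len(data) - 1, b"\x00" * 8)
    return header + data


# Constructed sample dump: two small ranges standing in for the low- and
# high-memory regions of a real capture (not taken from the paper's dump).
SAMPLE_DUMP = make_range(0x1000, b"A" * 64) + make_range(0x100000, b"B" * 128)
```

Run against a real capture, `captured_bytes(parse_lime(open(path, "rb").read()))` should report the RAM size, and `md5_hex` of the file on both machines should agree exactly as in the paper's two figures.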
5.2. Result Based on Analysis of Running Processes
Examining running processes involves observing the programs and tasks currently operating within a computer system. The graphic representations below detail our use of the Volatility tool to explore the RAM of our computer affected by a virus attack. Volatility makes it possible to recover several key artifacts, offering different ways of listing processes, finding network connections, and, with the malfind module, detecting suspicious instructions. When memory analysis is used as part of incident response, it usually comes down to finding signs of intrusions or malicious code [8].
Using “volatility psscan” (the linux_psscan plugin), we examined and identified suspicious or malicious processes that could be linked to the virus’s activities:
python vol.py --file=/home/csi/Desktop/E001.raw --profile=Linuxubuntu_5_4_0-91-genericx64 linux_psscan
Figure 6 shows the process structures and the list of processes running at the time the memory capture was performed. It provides information on active processes, their identifiers, process owners and execution times.
Showing running processes with the pslist plugin: this command scans the memory image of an operating system and lists all processes active at the time of memory capture. With “pslist” we scanned the RAM to extract information about the running processes, such as process identifiers (PIDs), process names, session IDs, and the users associated with these processes.
Figure 6. Result of the psscan command.
Figure 7. Result of the pslist command.
python vol.py --file=/home/csi/Desktop/E001.raw --profile=Linuxubuntu_5_4_0-91-genericx64 linux_pslist
Figure 7 shows an overview of the active processes at the time of memory capture, which was necessary to detect suspicious activities. Unlike pslist, which walks the list of processes active at the time of memory capture, psscan performs a deeper scan of memory looking for process structures, including those that might be hidden or deleted.
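The pslist/psscan comparison described above, as an added Python example that is not part of the paper: it parses listings in the column layout of Volatility 2’s linux_pslist and linux_psscan output, reports the PIDs that psscan carved from memory but that are absent from pslist’s linked list (candidates for hidden or terminated tasks), and reconstructs the parent chain of a process. The listings are constructed samples; the PIDs, names and times are invented, not those of the paper’s Figures 6 and 7.

```python
# Constructed sample in the column layout of Volatility 2's linux_pslist output.
SAMPLE_PSLIST = """\
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff8f3a40a58000 systemd              1               0               0               0      0x000000003d2c4000 2023-11-02 09:12:04 UTC+0000
0xffff8f3a40a5c000 sshd                 912             1               0               0      0x000000003c1f0000 2023-11-02 09:12:10 UTC+0000
0xffff8f3a41230000 bash                 1540            912             1000            1000   0x000000003b7a2000 2023-11-02 09:40:51 UTC+0000
"""
# linux_psscan carves task_structs from memory, so it can also return a task that
# is no longer linked into the process list (one extra constructed row here).
SAMPLE_PSSCAN = SAMPLE_PSLIST + (
    "0xffff8f3a41a88000 worker               2217            1540            1000            1000   "
    "0x000000003a99e000 2023-11-02 09:41:07 UTC+0000\n"
)


def parse_process_listing(text: str) -> dict:
    """Parse linux_pslist / linux_psscan output into {pid: {...}}. Header and
    separator rows are skipped: only data rows start with a 0x offset."""
    procs = {}
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        fields = line.split()
        offset, name, pid, ppid, uid, gid, dtb = fields[:7]
        procs[int(pid)] = {
            "offset": offset, "name": name, "ppid": int(ppid),
            "uid": int(uid), "gid": int(gid), "start": " ".join(fields[7:]),
        }
    return procs


def hidden_processes(pslist: dict, psscan: dict) -> list:
    """PIDs found by carving (psscan) but missing from the linked list (pslist):
    the hidden-or-deleted tasks that justify running both plugins."""
    return sorted(set(psscan) - set(pslist))


def ancestry(procs: dict, pid: int) -> list:
    """Parent chain of a PID as 'name(pid)' entries, stopping at PID 0 or an
    unknown parent; a guard set prevents looping on inconsistent carved data."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append("%s(%d)" % (procs[pid]["name"], pid))
        pid = procs[pid]["ppid"]
    return chain
```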
Displaying malicious processes with the Volatility malfind plugin: this command is designed to detect suspicious or potentially malicious structures in the memory of the system being analyzed. In our research it was useful for examining system memory and spotting indicators of compromise by looking for typical malware characteristics. It can also be used to search for code injected into processes, hooks or abnormal memory modifications, and other signs of suspicious activity or artifacts related to attacks.
Figure 8 shows suspicious or potentially malicious memory sections. It particularly illustrates malicious processes.
Analysis of process memory maps with the linux_proc_maps plugin: in a Linux operating system, the /proc/[PID]/maps file exposes information about the memory address space of a specific process, where [PID] is the process identifier. This information includes the virtual memory ranges allocated to the process, their access permissions (read, write, execute) and the paths of the loaded shared libraries (.so files), among other details.
Figure 8. Result of the malfind command.
By examining the contents of this file with the linux_proc_maps command, we interpreted this data, which provided valuable information for understanding the behavior of processes, the areas of memory they use and the shared library files they load.
Figure 9 shows a textual representation of the virtual memory of processes running on the system. It provides detailed information about how memory is allocated and used by these specific processes.
Figure 9. Result of the linux_proc_maps command.
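As an added Python example that is not part of the paper, the following code applies the kind of review described for malfind and linux_proc_maps to the /proc/[PID]/maps format explained above: it parses the maps lines (address range, permissions, file offset, device, inode, path) and flags executable regions that warrant a closer look, namely regions that are both writable and executable, executable anonymous regions with no backing file, and executable regions whose backing file has been deleted. This is a simplified heuristic of our own, not Volatility’s malfind implementation, and the sample maps are constructed, not the contents of Figure 9.

```python
import re

# One line of /proc/[PID]/maps: range, perms, file offset, device, inode, path
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+"
                       r"[0-9a-f]+:[0-9a-f]+\s+(\d+)\s*(.*)$")
# Kernel-provided pseudo-mappings that are executable and anonymous by design
BENIGN_PSEUDO = {"[vdso]", "[vsyscall]"}


def parse_maps(text: str) -> list:
    """Parse /proc/[PID]/maps text into mapping dicts (start, end, perms, inode, path)."""
    maps = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            start, end, perms, inode, path = m.groups()
            maps.append({"start": int(start, 16), "end": int(end, 16),
                         "perms": perms, "inode": int(inode), "path": path.strip()})
    return maps


def suspicious_mappings(maps: list) -> list:
    """(reason, start address) for executable regions a reviewer should examine:
    writable+executable, no backing file, or backing file deleted."""
    findings = []
    for m in maps:
        if "x" not in m["perms"] or m["path"] in BENIGN_PSEUDO:
            continue  # not executable, or a legitimate kernel-provided page
        if "w" in m["perms"]:
            findings.append(("writable and executable", m["start"]))
        elif m["inode"] == 0 and not m["path"]:
            findings.append(("executable, no backing file", m["start"]))
        elif m["path"].endswith("(deleted)"):
            findings.append(("executable, backing file deleted", m["start"]))
    return findings


# Constructed sample maps (invented for this example, not the paper's Figure 9)
SAMPLE_MAPS = """\
55d3f1c00000-55d3f1c1a000 r-xp 00000000 fd:01 1312                   /usr/bin/bash
55d3f1e1a000-55d3f1e1e000 rw-p 0001a000 fd:01 1312                   /usr/bin/bash
7f1a3c000000-7f1a3c021000 rwxp 00000000 00:00 0
7f1a3c4f2000-7f1a3c6d9000 r-xp 00000000 fd:01 2622                   /lib/x86_64-linux-gnu/libc-2.27.so
7f1a3c900000-7f1a3c905000 r-xp 00000000 00:00 0
7f1a3cb00000-7f1a3cb20000 r-xp 00000000 fd:01 9931                   /tmp/unknown (deleted)
7ffd2a1c0000-7ffd2a1e1000 rw-p 00000000 00:00 0                      [stack]
7ffd2a1f0000-7ffd2a1f2000 r-xp 00000000 00:00 0                      [vdso]
"""
```

Every hit is a lead for manual review (JIT runtimes legitimately create executable anonymous memory), not a verdict on its own.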
Filescan: the Volatility “filescan” command was used to search memory for file-like objects or file structures. It was useful for finding file-related artifacts in memory.
Timeliner: the “timeliner” command was used to create a timeline of events based on information retrieved from memory. It produces a temporal report organizing the events or information retrieved from memory by their timestamps, allowing us to better understand the chronological order of activities or changes in the system.
The results highlighted the critical importance of capturing the memory of a virus-infected system, together with a thorough analysis of active processes and network connections, to counter this threat. They demonstrate the superiority of RAM analysis over hard drive analysis in terms of efficiency and precision during investigations. The method of extracting RAM with specific tools also made it possible to identify the virus’s activity patterns and analyze its operating modes. Volatile memory forensics is at the forefront of forensics [9].
6. Conclusion
This part of our investigations highlights the invaluable value of RAM analysis in combating malware attacks. By exploring memory capture, detailed analysis of running processes, and examination of network connections, this research demonstrates the relevance and effectiveness of this approach compared to traditional hard drive analysis. This approach focused on RAM analysis, validated by the results of this study, proves to be a crucial pillar in security investigations to detect, counter and neutralize malware attacks, thus strengthening response capabilities and the protection of computer systems against these threats. To combat and identify attacks, digital forensics plays a crucial role in cyber investigations. In particular, memory forensics helps by uncovering large amounts of hidden information [10].