Is your PC hacked? RAM Forensics with Volatility

Captions
So how can you tell if a system is hacked? In this video we're going to do a deep dive into memory forensics. We're going to learn how to create a memory dump, how to analyze it with tools like Volatility; we will look at advanced command line tools and also very simple GUI tools that everyone can use.

What you're looking at right now is an infected system. This system is heavily infected; it's infested with all sorts of malware, so much so that even if we try to download an antivirus it's not going to work. I'm just going to use Avast to demonstrate this. We get the exe, but if I try to open it, this is what happens: as you can see, we have a fake antivirus that has hijacked our system. When a system is compromised as extensively as this, you may have malware in your drivers, you may have malware services operating within the system, so you need an extensive forensic analysis.

To get started we're going to need to take a memory dump of this entire system, and we're going to do that with a tool called DumpIt. When I say memory I mean RAM, or volatile memory. This is where all of your active programs and processes that are currently running on your system are stored, and the idea is, if there is any malicious actor active within the system, they're going to need to have a presence in that RAM in order to do something. So when I say yes, what's going to happen is this program is going to dump all of the data that's currently in this computer's RAM into a file, and then I can take that file to another computer and start analyzing it to see what's in there. The RAM dump was successful and we have a file on our desktop. So this is our memory dump file; it's nine gigabytes in size.

Another thing I just want to mention is FTK Imager. This is a specific forensic tool, it's free, it allows you to do drive forensics, but what it also allows you to do is, if you go into File, you can capture memory. So if for whatever reason DumpIt does not give you a good memory dump, or you encounter an error afterwards, try this tool: you just select a destination path, a name, and then it's just going to capture memory.

I have already transferred this file, I've renamed it to memdump, and we're going to analyze it using an open source tool called Volatility. Now by default Volatility is a command line tool, but there is a tool you can download called Volatility Workbench that'll basically give you a simple UI to operate it, and I highly recommend this for beginners. If you're struggling to make sense of what's happening in the command line, if you're not comfortable, you're much better off using this. All we have to do is select the image file here; you can click on Browse Image and do that. The platform, this is Windows, and then click on Get Process List, and what this is going to do is use this command line tool to generate all of the processes that are on this system. And voila, we now have a record of everything that's active here.

So let's just scroll through this. As you can see we have something called Process Hider; that does not sound very nice. So even if I had never seen the system, I didn't know it was infected, now I get this memory dump and I'm looking at it and I'm seeing there's a Process Hider currently running in RAM. And one of the things you're going to need if you're going to do forensics of any sort is an in-depth understanding of the operating system that you're analyzing. So in the case of Windows, cmd is command line; similarly svchost is a system process; I know conhost is a system process, although etw.exe is definitely not.

Of course a process list, while useful, is not comprehensive, so we're going to do some other commands that you can select here. For example, there is a specific command in Volatility called malfind, and what this is going to do is look for evidence of process injection, certain patterns of malware behavior in memory. So we're going to select it and run it. Once again we have our results, and as you can see Volatility has found a lot of suspicious patterns. We've got something in SearchHost, we've got something in sihost, we've got etw.exe. As you can see the process is still continuing; apparently it was unable to read a requested page, but that's okay. We can scroll up and go through everything that it has found. So we're seeing a lot of system processes listed here, so it is possible that there is some memory injection that is happening on the system where a malware is hijacking system processes to do something malicious.

Unfortunately, while this Workbench is pretty cool, it does not have all of the commands that are available with Volatility, so this is where we're going to switch to the command line interface and try to get an understanding of what's happening on the network, because I want to capture if there is a malicious entity on the computer that is communicating with an external hacker, or I should say a malicious server, just to be technically correct here. So how are we going to do that? Well, first of all we're going to need to open a terminal or command line in the location that we have Volatility installed. Oh, when I say Volatility installed, it just means where I have the exe file; it's a standalone tool. But we are going to open a terminal here and this is where we're going to do some command line magic. Now if you do open Terminal, by default it's going to open in PowerShell; you want to make sure that you are using Command Prompt. Now if you don't know how to navigate to a folder, I don't want to skip over that, because someone may not know this. Normally when you open Command Prompt it's going to open in a system directory or a user directory, like your username, but you can move to any directory of your choice by selecting the path. So for example, this is C:\lab\forensics. I can just copy this, and then you can type cd, space, the directory, and boom, you're there. You need to type vol.exe and you can say -h, and what this is going to do is give you the help file. So this is a listing of all of the commands that you can run with Volatility.

You can do a driver scan, you can dump files, there's a lot of stuff you can do, but for now we're going to focus on the network forensics. As you can see we have something here called netstat, and this is going to list all network connections. Now there are different versions of this, so this is for Mac; I'm sure there's one for Windows. There we go. We also have something very similar called netscan, but this is more a listing of network objects; it doesn't traverse the entire structure, and so we're going to use netstat. So to do that we're just going to scroll down and type vol.exe, and then we need to select the file, of course, the memory dump file that we're analyzing, so we're going to type -f and then the file name, which is memdump (almost typed "meme dump" there, that's fun as well). Then we're going to type windows.netstat, and this command is going to traverse all of the network structures within the memory dump and give us our results.

There's a lot of stuff here, and again this is where you're going to need experience in order to sift through this and figure out exactly what you're looking for. I'm going to ignore the 0.0.0.0s, the loopback addresses, all of that, and I'm going to look for something that looks suspicious. So for example, if we go all the way to the top, there are several foreign addresses here. Some of these may be Microsoft, but you can look at parameters like the port name. Let's take this one for example: we have a foreign IP that we have an active connection to at port 4342. So I'm just going to copy this and we're going to try to find out where this IP is located. In order to do that I'm just going to do an IP address lookup; this is whatismyipaddress.com. I'm just going to type in our culprit here and click on Get IP Details, and as you can see this is located somewhere in Iceland. Huh. So there is an active connection from my computer to Reykjavik in Iceland, and I can see what ISP this is associated with. You can see the services, or data center; it's likely a static IP, and the hostname starts with vps-. This "VPS", by the way, usually stands for virtual private server.

If we go back to our results we can find another one. Let's try scanning that. You get a very clear result, so I can understand why my computer would be making a connection to the Microsoft Corporation, but what I don't understand is why I'm making a connection to Iceland. This is a way you can find suspicious network activity, where a hacker may be connecting to your system, or malware on your system may be calling home. So looking at all of this data in memory, I can now make a determination: I'm very suspicious that this computer is infiltrated, even if I didn't know that there was anything wrong on the system, and I've already isolated some suspicious connections and some processes that might be indicators of compromise.

Now just out of curiosity, I wanted to show you what's actually inside the memory dump. If we open it with a text editor, as you can see we've got a lot of random characters, and the reason you're seeing this is because this is just a dump of computer code; it's not encoded in a way that's going to make sense to you, and this is why we need to use command line tools like Volatility. But technically there's everything in here. So for example, if you have a piece of ransomware communicating with a command and control server, sending a key, that is probably somewhere in here, because the key has to be stored in memory to be able to be transmitted. Finding it, however, is not something that everybody is going to be able to do.

But if all of this sounds intimidating or archaic, there are also better GUI tools that you can use to analyze a memory dump. One of them is Intezer Analyze, who are also sponsoring this video. Now for the purpose of this video we're going to use the endpoint scanning feature, which you can find in Endpoint. Now Intezer also has their own memory dump plugin that you can use with Volatility too, but to keep things simple we're actually going to use the endpoint feature, as it will do all the data collection for us.

So all we have to do is click on Scan Endpoint, download the scanner, and then run it on our victim system. So we're just going to do that now. We will need an API key, which we can generate in the Accounts page, but once that's entered it's going to begin the scan. And when this process is complete we can go back to analyze.intezer.com, and if we go to Endpoint again, View My Scans, we're going to find the last scan. The scan type is Live Malware Analysis, so it is very similar to actually analyzing a dump. If we click on it we're going to find a full analysis on the system as well as an overall verdict. So as you can see, this one says it's infected by XMRig miner and crypto miner, and you can instantly see the advantage of a tool like this: within a couple of seconds we have our eyes on the most relevant information. We know there's malware on this system, we know that from the analysis with the code genes, and we've been directed to the most relevant process tree. So as you can see we have sihost.exe; this is in System32, part of a system process. You can see the exact command that it's executed with, and then we have etw.exe, which is the malicious module embedded within the system process, and it's highlighted in red. We know this is bad.

Now we can also look at other malware and where it's embedded. So this one, it's just a direct process; it's based in Windows Branding, it's created its own folder. If you look at the next one, you can see this one also has its own process, and then the last one is embedded within dllhost.exe. So interestingly we've got two dllhosts here. As you can see, this is the trusted Microsoft module, it's the actual dllhost, and then of course we have the malicious dllhost right next to it, and if we look at the verdict here it says "replaced memory", so this is like a case of process hijacking.

So if you would like to try this out for yourself, analyze.intezer.com. Also they have really good customer support, so if you have any questions or if you want a trial of some of their enterprise features, I would definitely suggest reaching out to them, because they're very nice and they might just accommodate you.

Now that concludes the video, but don't go anywhere, because we're going to have a live Discord workshop right after this premieres. I will be there and we're going to do some memory forensics live; we're going to have a look at some of your systems and we'll see what we find. And also, if you have any questions about anything that you just watched, you're welcome to drop into voice chat. So I'll see you at the event in a minute, but please like and share the video if you enjoyed it. In-depth videos like this do take a lot of effort to produce, so if you'd like to see more please let me know in the comments down below. I'm also planning on making a follow-up video where we clean this infected system, get rid of the fake AV and all of that, so make sure you're subscribed if you want to see that; it's going to be a lot of fun. Thank you so much for watching, and as always, stay informed, stay secure.
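The video sifts the `vol.exe -f memdump windows.netstat` output by eye, skipping the 0.0.0.0 and loopback entries and pulling out established connections to foreign addresses owned by processes that should not be talking to the internet. The script below is an added example (not code from the video, The PC Security Channel, Volatility or Intezer) that does that first triage pass automatically. It assumes the tab-separated column layout of Volatility 3's default text renderer (Offset, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner, Created); the sample output, addresses, PIDs and owner names embedded in it are constructed for the example, and the WATCHLIST of hosting processes and COMMON_PORTS set are illustrative assumptions to tune for your own environment.

```python
"""Triage helper for Volatility 3 `windows.netstat` text output.

Added example (not code from the video or the Volatility project). Assumes the
tab-separated column layout printed by Volatility 3's default text renderer:
Offset, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID,
Owner, Created. Run `vol.exe -f memdump windows.netstat > netstat.txt` and
pass netstat.txt as the first argument; with no argument it analyzes the
constructed sample below.
"""
import ipaddress
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample output: addresses, PIDs, owners and timestamps are made
# up for this example and are not findings from the video.
SAMPLE_OUTPUT = """Volatility 3 Framework 2.4.1
Progress:  100.00\t\tPDB scanning finished
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xa10c12345678\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t900\tsvchost.exe\t2022-10-29 10:01:02.000000
0xa10c12345679\tTCPv4\t192.168.56.101\t49700\t192.168.56.1\t445\tESTABLISHED\t4\tSystem\t2022-10-29 10:01:05.000000
0xa10c1234567a\tTCPv4\t192.168.56.101\t49711\t203.0.113.17\t4342\tESTABLISHED\t5120\tsihost.exe\t2022-10-29 10:02:11.000000
0xa10c1234567b\tTCPv4\t192.168.56.101\t49720\t198.51.100.9\t443\tESTABLISHED\t2210\tmsedge.exe\t2022-10-29 10:02:15.000000
0xa10c1234567c\tUDPv4\t0.0.0.0\t5353\t*\t0\tN/A\t1432\tsvchost.exe\t2022-10-29 10:00:40.000000
0xa10c1234567d\tTCPv4\t127.0.0.1\t49730\t127.0.0.1\t49731\tESTABLISHED\t3300\tconhost.exe\t2022-10-29 10:03:00.000000
"""

# Illustrative watchlist (an assumption, tune it for your environment): Windows
# processes that host other code and are not expected to hold their own
# outbound internet connections, as with the sihost.exe case in the video.
WATCHLIST = {"sihost.exe", "conhost.exe", "dllhost.exe", "searchhost.exe"}
COMMON_PORTS = {80, 443, 53, 123, 25, 587, 993}

_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Conn:
    proto: str
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: int
    state: str
    pid: int
    owner: str


def _int(text: str) -> int:
    """Port and PID fields can be empty or '-' for some endpoints."""
    try:
        return int(text)
    except ValueError:
        return 0


def parse_netstat(text: str) -> List[Conn]:
    """Parse the table that follows the 'Offset ...' header line."""
    rows: List[Conn] = []
    header_seen = False
    for line in text.splitlines():
        if not header_seen:
            header_seen = line.startswith("Offset\t")   # skip banner/progress lines
            continue
        fields = line.split("\t")
        if len(fields) < 10:
            continue
        rows.append(Conn(fields[1], fields[2], _int(fields[3]), fields[4],
                         _int(fields[5]), fields[6], _int(fields[7]), fields[8]))
    return rows


def is_external(addr: str) -> bool:
    """True when the peer is outside loopback/unspecified/link-local/RFC 1918 space.

    Python's ip.is_global would also exclude documentation ranges, so RFC 1918
    is checked explicitly here to keep the decision transparent.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # '*', 'N/A' or blank: no remote peer recorded
        return False
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast:
        return False
    if ip.version == 4:
        return not any(ip in net for net in _RFC1918)
    return not ip.is_private    # IPv6: drops ULA fc00::/7 and similar


def triage(rows: List[Conn]) -> List[Tuple[Conn, List[str]]]:
    """Return established connections to external peers with the reasons they stand out."""
    findings = []
    for c in rows:
        if c.state == "LISTENING" or not is_external(c.foreign_addr):
            continue
        reasons = ["external peer"]
        if c.owner.lower() in WATCHLIST:
            reasons.append("owner is a hosting process not expected to talk outbound")
        if c.foreign_port not in COMMON_PORTS:
            reasons.append(f"uncommon remote port {c.foreign_port}")
        findings.append((c, reasons))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for conn, reasons in triage(parse_netstat(text)):
        print(f"PID {conn.pid:>5} {conn.owner:<16} {conn.local_addr}:{conn.local_port} -> "
              f"{conn.foreign_addr}:{conn.foreign_port} [{conn.state}]  {'; '.join(reasons)}")
```

On the constructed sample this reports two connections: the sihost.exe session to port 4342 with three reasons attached (external peer, hosting-process owner, uncommon port) and the browser's HTTPS session with only "external peer". The loopback, RFC 1918 file-share and listening sockets are dropped the same way the video skips them by eye, which leaves a short list to take on to an IP lookup and to the matching malfind and process-tree results for the owning PID.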
Info
Channel: The PC Security Channel
Views: 900,623
Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, anti malware, ransomware, trojan, virus, PUP, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, best EDR, EDR, is your pc hacked, How to tell if your pc is hacked?, Digital forensics, forensics 101, RAM dump, Volatility, Volatility Tutorial, RAM Forensics, How to disinfect malware
Id: VK3fvNFGAzE
Length: 14min 29sec (869 seconds)
Published: Sat Oct 29 2022