Do we still need memory forensics today?
One question I get asked quite frequently is whether memory forensics is still valuable today. Now that most EDR solutions use some kind of memory capability to detect malware, what is the justification for still applying memory forensic techniques in our large-scale incident response investigations? Obviously EDR tools do miss attacks. Even ransomware groups put a lot of effort into evading EDR detections. That is supported by the recently leaked Conti chats, in which the hackers were discussing how to get their hands on a copy of a well-known EDR solution to find ways to avoid detection.
So, having established that memory forensics can shine a light into places where other methodologies are blind, we need to look at one of the major issues with memory forensics. While the layout of memory structures changes very frequently, we still don’t have too many tools supporting memory forensics, particularly if we need to scale it beyond two or three endpoints. For years, memory forensics has been dominated by tools like Volatility, Rekall and a few programs that support unstructured memory forensics. All of them are meant to be used on single full memory images. While single-machine memory forensics might be a good approach to deep-dive into one breached machine, it doesn’t help us very much in large-scale investigations.
These days we are lucky to have tools like Velociraptor in our tool chest. Velociraptor now supports very targeted memory forensics. However, to apply it at scale you still need to understand how memory works and where traces of attackers can hide.
So I tend to consider memory forensics a critical component of modern incident response investigations, because it allows investigators to identify malicious activity that may not be visible through traditional file-based forensics. Memory forensics involves the analysis of a computer’s physical memory (RAM) to identify running processes, network connections, and other information that may be relevant to a security incident.
Memory forensics is important because modern malware and other malicious tools are designed to be stealthy and avoid detection by traditional security tools. By running entirely in memory, these tools can evade detection by antivirus software and other endpoint security tools that rely on scanning for files on disk. Memory forensics allows investigators to detect these threats by identifying and analyzing their behavior in memory.
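To make the point about disk-blind detection concrete, here is an added example (not code from the original post, and not tied to Volatility, Rekall or Velociraptor) of two checks an investigator typically runs over a process listing taken from memory: a cross-view comparison between the kernel's active process list and a pool scan of the same image, which surfaces processes that have been unlinked from the list, and a comparison of each process's image path against what a disk scan of the host actually found, which surfaces memory-only or deleted executables. The listing format, the sample processes and the on-disk file set are all constructed for the example; the set of kernel pseudo-processes that legitimately have no image file is an assumption to be extended for your own environment.

```python
"""Cross-view process triage over constructed memory-forensics listings.

Added example, not from the original post. Listing format, sample
processes and the on-disk file set are all constructed.
"""
from dataclasses import dataclass

# Windows kernel pseudo-processes that legitimately have no image file
# (assumption for this example; extend for your environment).
KERNEL_PSEUDO_PROCESSES = {"system", "registry", "memory compression"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    image_path: str  # empty when the listing recorded no backing file


def parse_listing(text: str) -> dict[int, Proc]:
    """Parse a constructed '|'-separated listing: pid|ppid|name|image_path."""
    procs: dict[int, Proc] = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, name, path = (field.strip() for field in line.split("|"))
        procs[int(pid)] = Proc(int(pid), int(ppid), name, path)
    return procs


def hidden_processes(pslist: dict[int, Proc], psscan: dict[int, Proc]) -> list[int]:
    """PIDs found by pool scanning but absent from the active process list."""
    return sorted(pid for pid in psscan if pid not in pslist)


def unbacked_processes(procs: dict[int, Proc], on_disk: set[str]) -> list[int]:
    """PIDs whose image path is empty or whose file is not present on disk."""
    disk = {path.lower() for path in on_disk}
    found = []
    for proc in procs.values():
        if proc.name.lower() in KERNEL_PSEUDO_PROCESSES:
            continue  # expected to have no backing file
        if not proc.image_path or proc.image_path.lower() not in disk:
            found.append(proc.pid)
    return sorted(found)


def triage(pslist_text: str, psscan_text: str, on_disk: set[str]) -> list[tuple[int, str, str]]:
    """Combine both checks into (pid, name, reason) findings, one entry per pid."""
    pslist = parse_listing(pslist_text)
    psscan = parse_listing(psscan_text)
    findings: dict[int, tuple[int, str, str]] = {}
    for pid in hidden_processes(pslist, psscan):
        findings[pid] = (pid, psscan[pid].name,
                         "not in active process list (possible unlinked process)")
    for pid in unbacked_processes(psscan, on_disk):
        findings.setdefault(pid, (pid, psscan[pid].name,
                                  "no executable on disk (memory-only or deleted image)"))
    return [findings[pid] for pid in sorted(findings)]


# Constructed sample listings, in the shape of an active-list walk (pslist)
# and a pool scan (psscan) of the same memory image.
PSLIST = r"""
# pid|ppid|name|image_path
4|0|System|
612|4|smss.exe|C:\Windows\System32\smss.exe
1020|612|csrss.exe|C:\Windows\System32\csrss.exe
2344|1020|explorer.exe|C:\Windows\explorer.exe
3188|2344|updater.exe|C:\Users\alice\AppData\Local\Temp\updater.exe
"""

# The pool scan sees one extra process that the linked list no longer reports.
PSSCAN = PSLIST + r"""
4412|2344|svch0st.exe|C:\Windows\Temp\svch0st.exe
"""

# Constructed view of what a disk scan of the same host found.
ON_DISK = {
    r"C:\Windows\System32\smss.exe",
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\explorer.exe",
}


if __name__ == "__main__":
    for pid, name, reason in triage(PSLIST, PSSCAN, ON_DISK):
        print(f"PID {pid:>5} {name:<14} {reason}")
```

Run stand-alone, the script reports the deleted updater.exe (present in memory, gone from disk) and the unlinked svch0st.exe, while leaving the System pseudo-process alone; neither finding is reachable from a file scan, which is the gap the paragraph above describes.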
In addition, memory forensics can be used to gather evidence that may not be available through other means. For example, if a suspect is using encryption to protect their files or communications, investigators may be able to find encryption keys or other sensitive information stored in memory that can help them decrypt the data.