Memory Forensics

内存取证

Comprehensive memory forensics skill for analyzing RAM dumps and volatile memory artifacts. Enables detection of malware, rootkits, process injection, credential harvesting, and other memory-resident threats that leave no disk footprint.

全面的内存取证技能，用于分析RAM转储文件和易失性内存工件。能够检测恶意软件、Rootkit、进程注入、凭证窃取以及其他不会在磁盘留下痕迹的内存驻留威胁。

Capabilities

功能

Memory Image Acquisition: Guide acquisition of memory dumps using various tools (WinPMEM, LIME, DumpIt, FTK Imager)
Process Analysis: Enumerate running processes, detect hidden/injected processes, analyze process trees
DLL/Module Analysis: Identify loaded modules, detect DLL injection, find hollowed processes
Network Connection Analysis: Extract active network connections, listening ports, socket information
Registry Hive Extraction: Extract registry hives from memory for offline analysis
Credential Extraction: Locate and extract credentials, password hashes, Kerberos tickets
Malware Detection: Detect code injection, API hooks, SSDT hooks, IDT modifications
String Extraction: Extract strings, URLs, IPs, and other IOCs from memory regions
Timeline Generation: Create memory-based timelines of process execution and system events
Rootkit Detection: Identify kernel-level rootkits, hidden drivers, DKOM techniques

内存镜像获取：指导使用各类工具（WinPMEM、LIME、DumpIt、FTK Imager）获取内存转储文件
进程分析：枚举运行中的进程，检测隐藏/注入进程，分析进程树
DLL/模块分析：识别已加载模块，检测DLL注入，找到空心进程
网络连接分析：提取活跃TCP/UDP连接、监听端口和套接字信息
注册表 hive 提取：从内存中提取注册表hive用于离线分析
凭证提取：定位并提取凭证、密码哈希值、Kerberos票据
恶意软件检测：检测代码注入、API钩子、SSDT钩子、IDT修改
字符串提取：从内存区域中提取字符串、URL、IP及其他IOC（入侵指标）
时间线生成：创建基于内存的进程执行和系统事件时间线
Rootkit检测：识别内核级Rootkit、隐藏驱动、DKOM（直接内核对象操作）技术

Quick Start

快速开始

python

from memory_forensics import MemoryAnalyzer, ProcessScanner, MalwareDetector

python

from memory_forensics import MemoryAnalyzer, ProcessScanner, MalwareDetector

Initialize analyzer with memory image

analyzer = MemoryAnalyzer("/path/to/memory.raw")

Get system profile

profile = analyzer.identify_profile() print(f"Detected OS: {profile.os_name} {profile.version}")

Scan for processes

scanner = ProcessScanner(analyzer) processes = scanner.list_processes(include_hidden=True)

Detect malware indicators

detector = MalwareDetector(analyzer) findings = detector.scan_all()

undefined

detector = MalwareDetector(analyzer) findings = detector.scan_all()

undefined

Usage

使用方法

Task 1: Memory Image Acquisition

任务1：内存镜像获取

Input: Target system requiring memory acquisition

Process:

Select appropriate acquisition tool based on OS
Verify tool integrity (hash validation)
Execute acquisition with minimal system impact
Calculate and record hash of acquired image
Document acquisition metadata

Output: Raw memory dump with integrity verification

Example:

python

from memory_forensics import MemoryAcquisition

输入：需要获取内存的目标系统

流程:

根据操作系统选择合适的获取工具
验证工具完整性（哈希校验）
以最小系统影响执行获取操作
计算并记录获取镜像的哈希值
记录获取元数据

输出：带有完整性验证的原始内存转储文件

示例:

python

from memory_forensics import MemoryAcquisition

Windows acquisition guidance

acquisition = MemoryAcquisition()

Get tool recommendations

tools = acquisition.recommend_tools( os_type="windows", os_version="10", acquisition_type="live" )

Generate acquisition command

cmd = acquisition.generate_command( tool="winpmem", output_path="E:\evidence\memory.raw", format="raw" ) print(f"Execute: {cmd}")

Create acquisition documentation

doc = acquisition.create_documentation( case_id="INC-2024-001", examiner="John Doe", target_hostname="WORKSTATION01", acquisition_tool="WinPMEM 4.0", hash_algorithm="SHA256" )

undefined

doc = acquisition.create_documentation( case_id="INC-2024-001", examiner="John Doe", target_hostname="WORKSTATION01", acquisition_tool="WinPMEM 4.0", hash_algorithm="SHA256" )

undefined

Task 2: Process Analysis

任务2：进程分析

Input: Memory image file path

Process:

Load memory image and identify OS profile
Enumerate all processes (visible and hidden)
Analyze process tree relationships
Detect anomalous processes
Identify process injection indicators

Output: Comprehensive process listing with anomaly flags

Example:

python

from memory_forensics import MemoryAnalyzer, ProcessScanner

analyzer = MemoryAnalyzer("/evidence/memory.raw")
scanner = ProcessScanner(analyzer)

输入：内存镜像文件路径

流程:

加载内存镜像并识别操作系统配置文件
枚举所有进程（可见和隐藏）
分析进程树关系
检测异常进程
识别进程注入指标

输出：带有异常标记的综合进程列表

示例:

python

from memory_forensics import MemoryAnalyzer, ProcessScanner

analyzer = MemoryAnalyzer("/evidence/memory.raw")
scanner = ProcessScanner(analyzer)

List all processes with details

processes = scanner.list_processes( include_hidden=True, include_terminated=False )

for proc in processes: print(f"PID: {proc.pid}, Name: {proc.name}, PPID: {proc.ppid}") print(f" Created: {proc.create_time}") print(f" Command Line: {proc.cmdline}") print(f" Suspicious: {proc.is_suspicious}")

processes = scanner.list_processes( include_hidden=True, include_terminated=False )

for proc in processes: print(f"PID: {proc.pid}, Name: {proc.name}, PPID: {proc.ppid}") print(f" Created: {proc.create_time}") print(f" Command Line: {proc.cmdline}") print(f" Suspicious: {proc.is_suspicious}")

Detect hidden processes

hidden = scanner.find_hidden_processes() for proc in hidden: print(f"HIDDEN: PID {proc.pid} - {proc.name}")

Analyze process tree

tree = scanner.build_process_tree() tree.print_tree()

Find orphan processes

orphans = scanner.find_orphan_processes()

Detect process hollowing

hollowed = scanner.detect_hollowing() for proc in hollowed: print(f"HOLLOWED: {proc.pid} - {proc.name}") print(f" Image path mismatch: {proc.image_mismatch}")

undefined

hollowed = scanner.detect_hollowing() for proc in hollowed: print(f"HOLLOWED: {proc.pid} - {proc.name}") print(f" Image path mismatch: {proc.image_mismatch}")

undefined

Task 3: DLL and Module Analysis

任务3：DLL和模块分析

Input: Memory image and target process(es)

Process:

Enumerate loaded DLLs for target processes
Identify unsigned or suspicious modules
Detect DLL injection techniques
Compare loaded modules to expected baseline
Extract suspicious modules for analysis

Output: Module analysis report with injection indicators

Example:

python

from memory_forensics import MemoryAnalyzer, ModuleScanner

analyzer = MemoryAnalyzer("/evidence/memory.raw")
module_scanner = ModuleScanner(analyzer)

输入：内存镜像和目标进程

流程:

枚举目标进程的已加载DLL
识别未签名或可疑模块
检测DLL注入技术
将已加载模块与预期基线对比
提取可疑模块用于分析

输出：带有注入指标的模块分析报告

示例:

python

from memory_forensics import MemoryAnalyzer, ModuleScanner

analyzer = MemoryAnalyzer("/evidence/memory.raw")
module_scanner = ModuleScanner(analyzer)

Analyze all loaded modules

modules = module_scanner.enumerate_modules(pid=4892)

for mod in modules: print(f"Module: {mod.name}") print(f" Base: 0x{mod.base_address:x}") print(f" Size: {mod.size}") print(f" Path: {mod.path}")

modules = module_scanner.enumerate_modules(pid=4892)

for mod in modules: print(f"Module: {mod.name}") print(f" Base: 0x{mod.base_address:x}") print(f" Size: {mod.size}") print(f" Path: {mod.path}")

Detect DLL injection

injections = module_scanner.detect_dll_injection() for inj in injections: print(f"INJECTION in PID {inj.target_pid}:") print(f" Technique: {inj.technique}") print(f" Injected DLL: {inj.dll_name}") print(f" Source PID: {inj.source_pid}")

Find unlinked modules

unlinked = module_scanner.find_unlinked_modules()

Detect reflective DLL loading

reflective = module_scanner.detect_reflective_loading()

Extract suspicious module

module_scanner.extract_module( pid=4892, module_name="suspicious.dll", output_path="/evidence/extracted/" )

undefined

module_scanner.extract_module( pid=4892, module_name="suspicious.dll", output_path="/evidence/extracted/" )

undefined

Task 4: Network Connection Analysis

任务4：网络连接分析

Input: Memory image file

Process:

Extract active TCP/UDP connections
Identify listening ports and services
Map connections to processes
Detect suspicious external connections
Extract connection artifacts

Output: Network connection inventory with process mapping

Example:

python

from memory_forensics import MemoryAnalyzer, NetworkScanner

analyzer = MemoryAnalyzer("/evidence/memory.raw")
net_scanner = NetworkScanner(analyzer)

输入：内存镜像文件

流程:

提取活跃TCP/UDP连接
识别监听端口和服务
将连接映射到对应进程
检测可疑外部连接
提取连接工件

输出：带有进程映射的网络连接清单

示例:

python

from memory_forensics import MemoryAnalyzer, NetworkScanner

analyzer = MemoryAnalyzer("/evidence/memory.raw")
net_scanner = NetworkScanner(analyzer)

Get all network connections

connections = net_scanner.get_connections()

for conn in connections: print(f"PID {conn.pid} ({conn.process_name}):") print(f" Protocol: {conn.protocol}") print(f" Local: {conn.local_addr}:{conn.local_port}") print(f" Remote: {conn.remote_addr}:{conn.remote_port}") print(f" State: {conn.state}")

connections = net_scanner.get_connections()

for conn in connections: print(f"PID {conn.pid} ({conn.process_name}):") print(f" Protocol: {conn.protocol}") print(f" Local: {conn.local_addr}:{conn.local_port}") print(f" Remote: {conn.remote_addr}:{conn.remote_port}") print(f" State: {conn.state}")

Find connections to suspicious IPs

suspicious = net_scanner.find_suspicious_connections( threat_intel_feed="/feeds/malicious_ips.txt" )

Get listening ports

listening = net_scanner.get_listening_ports() for port in listening: print(f"Port {port.port}/{port.protocol} - PID {port.pid}")

Detect covert channels

covert = net_scanner.detect_covert_channels()

Export to CSV

net_scanner.export_connections("/evidence/network_connections.csv")

undefined

net_scanner.export_connections("/evidence/network_connections.csv")

undefined

Task 5: Credential Extraction

任务5：凭证提取

Input: Memory image file

Process:

Locate credential storage structures
Extract password hashes (NTLM, LM)
Find Kerberos tickets
Identify cached credentials
Extract plaintext passwords (if available)

Output: Extracted credentials for further analysis

Example:

python

from memory_forensics import MemoryAnalyzer, CredentialExtractor

analyzer = MemoryAnalyzer("/evidence/memory.raw")
cred_extractor = CredentialExtractor(analyzer)

输入：内存镜像文件

流程:

定位凭证存储结构
提取密码哈希值（NTLM、LM）
查找Kerberos票据
识别缓存凭证
提取明文密码（如果可用）

输出：提取的凭证，用于进一步分析

示例:

python

from memory_forensics import MemoryAnalyzer, CredentialExtractor

analyzer = MemoryAnalyzer("/evidence/memory.raw")
cred_extractor = CredentialExtractor(analyzer)

Extract all credentials

credentials = cred_extractor.extract_all()

Get NTLM hashes

ntlm_hashes = cred_extractor.get_ntlm_hashes() for cred in ntlm_hashes: print(f"User: {cred.username}") print(f"Domain: {cred.domain}") print(f"NTLM Hash: {cred.ntlm_hash}")

Extract Kerberos tickets

tickets = cred_extractor.get_kerberos_tickets() for ticket in tickets: print(f"Service: {ticket.service_name}") print(f"Client: {ticket.client_name}") print(f"Expiry: {ticket.expiry_time}")

Find LSA secrets

lsa_secrets = cred_extractor.get_lsa_secrets()

Extract cached domain credentials

cached = cred_extractor.get_cached_credentials()

Export credentials report

cred_extractor.export_report("/evidence/credentials_report.json")

undefined

cred_extractor.export_report("/evidence/credentials_report.json")

undefined

Task 6: Malware Detection

任务6：恶意软件检测

Input: Memory image file

Process:

Scan for known malware signatures
Detect code injection techniques
Identify API hooks and SSDT modifications
Find hidden/rootkit artifacts
Analyze suspicious memory regions

Output: Malware detection findings with IOCs

Example:

python

from memory_forensics import MemoryAnalyzer, MalwareDetector

analyzer = MemoryAnalyzer("/evidence/memory.raw")
detector = MalwareDetector(analyzer)

输入：内存镜像文件

流程:

扫描已知恶意软件签名
检测代码注入技术
识别API钩子和SSDT修改
查找隐藏/Rootkit工件
分析可疑内存区域

输出：带有IOC的恶意软件检测结果

示例:

python

from memory_forensics import MemoryAnalyzer, MalwareDetector

analyzer = MemoryAnalyzer("/evidence/memory.raw")
detector = MalwareDetector(analyzer)

Run comprehensive malware scan

findings = detector.scan_all()

Detect code injection

injections = detector.detect_code_injection() for inj in injections: print(f"Injection found in PID {inj.pid}:") print(f" Type: {inj.injection_type}") print(f" Address: 0x{inj.address:x}") print(f" Size: {inj.size}")

Scan with YARA rules

yara_matches = detector.scan_yara( rules_path="/rules/malware_rules.yar" ) for match in yara_matches: print(f"YARA Match: {match.rule_name}") print(f" PID: {match.pid}") print(f" Offset: 0x{match.offset:x}")

Detect API hooks

hooks = detector.detect_api_hooks() for hook in hooks: print(f"Hook: {hook.function_name}") print(f" Original: 0x{hook.original_address:x}") print(f" Hooked: 0x{hook.hook_address:x}")

Check SSDT integrity

ssdt_mods = detector.check_ssdt()

Detect DKOM (Direct Kernel Object Manipulation)

dkom = detector.detect_dkom()

Export IOCs

detector.export_iocs("/evidence/memory_iocs.json")

undefined

detector.export_iocs("/evidence/memory_iocs.json")

undefined

Task 7: Registry Analysis from Memory

任务7：内存中的注册表分析

Input: Memory image file

Process:

Locate registry hives in memory
Extract hives to disk
Parse registry keys and values
Identify suspicious registry entries
Extract persistence mechanisms

Output: Registry analysis with persistence indicators

Example:

python

from memory_forensics import MemoryAnalyzer, RegistryAnalyzer

analyzer = MemoryAnalyzer("/evidence/memory.raw")
reg_analyzer = RegistryAnalyzer(analyzer)

输入：内存镜像文件

流程:

在内存中定位注册表hive
将hive提取到磁盘
解析注册表键和值
识别可疑注册表条目
提取持久化机制

输出：带有持久化指标的注册表分析结果

示例:

python

from memory_forensics import MemoryAnalyzer, RegistryAnalyzer

analyzer = MemoryAnalyzer("/evidence/memory.raw")
reg_analyzer = RegistryAnalyzer(analyzer)

List available registry hives

hives = reg_analyzer.list_hives() for hive in hives: print(f"Hive: {hive.name} at 0x{hive.virtual_address:x}")

Extract hive to file

reg_analyzer.extract_hive( hive_name="SYSTEM", output_path="/evidence/SYSTEM_hive" )

Query specific key

value = reg_analyzer.query_key( hive="SOFTWARE", key_path="Microsoft\Windows\CurrentVersion\Run" )

Find persistence mechanisms

persistence = reg_analyzer.find_persistence() for entry in persistence: print(f"Persistence: {entry.location}") print(f" Value: {entry.value}") print(f" Type: {entry.persistence_type}")

Get recently modified keys

recent = reg_analyzer.get_recent_modifications(hours=24)

Search registry for pattern

matches = reg_analyzer.search(pattern="*.exe", include_values=True)

undefined

matches = reg_analyzer.search(pattern="*.exe", include_values=True)

undefined

Task 8: String and IOC Extraction

任务8：字符串和IOC提取

Input: Memory image or specific memory regions

Process:

Extract ASCII and Unicode strings
Identify URLs, IPs, domains
Find email addresses and file paths
Extract potential C2 indicators
Correlate IOCs with threat intelligence

Output: Extracted IOCs categorized by type

Example:

python

from memory_forensics import MemoryAnalyzer, IOCExtractor

analyzer = MemoryAnalyzer("/evidence/memory.raw")
ioc_extractor = IOCExtractor(analyzer)

输入：内存镜像或特定内存区域

流程:

提取ASCII和Unicode字符串
识别URL、IP、域名
查找电子邮件地址和文件路径
提取潜在C2指标
将IOC与威胁情报关联

输出：按类型分类的提取IOC

示例:

python

from memory_forensics import MemoryAnalyzer, IOCExtractor

analyzer = MemoryAnalyzer("/evidence/memory.raw")
ioc_extractor = IOCExtractor(analyzer)

Extract all IOCs

iocs = ioc_extractor.extract_all()

Get URLs

urls = ioc_extractor.extract_urls() for url in urls: print(f"URL: {url.value}") print(f" Found at: 0x{url.offset:x}") print(f" Process: {url.process_name}")

Get IP addresses

ips = ioc_extractor.extract_ips() for ip in ips: print(f"IP: {ip.value} ({ip.geo_location})")

Get domains

domains = ioc_extractor.extract_domains()

Get file paths

paths = ioc_extractor.extract_file_paths()

Extract strings from specific process

proc_strings = ioc_extractor.extract_strings( pid=4892, min_length=4, encoding="both" # ascii and unicode )

Correlate with threat intel

enriched = ioc_extractor.enrich_iocs( threat_feed="/feeds/threat_intel.json" )

Export IOCs in STIX format

ioc_extractor.export_stix("/evidence/memory_iocs.stix")

undefined

ioc_extractor.export_stix("/evidence/memory_iocs.stix")

undefined

Task 9: Rootkit Detection

任务9：Rootkit检测

Input: Memory image file

Process:

Check kernel integrity
Detect hidden drivers
Analyze SSDT/IDT modifications
Find DKOM artifacts
Identify inline kernel hooks

Output: Rootkit detection results with remediation guidance

Example:

python

from memory_forensics import MemoryAnalyzer, RootkitDetector

analyzer = MemoryAnalyzer("/evidence/memory.raw")
rootkit_detector = RootkitDetector(analyzer)

输入：内存镜像文件

流程:

检查内核完整性
检测隐藏驱动
分析SSDT/IDT修改
查找DKOM工件
识别内核内联钩子

输出：带有修复指导的Rootkit检测结果

示例:

python

from memory_forensics import MemoryAnalyzer, RootkitDetector

analyzer = MemoryAnalyzer("/evidence/memory.raw")
rootkit_detector = RootkitDetector(analyzer)

Run comprehensive rootkit scan

results = rootkit_detector.scan_all()

Check for hidden drivers

hidden_drivers = rootkit_detector.find_hidden_drivers() for driver in hidden_drivers: print(f"Hidden Driver: {driver.name}") print(f" Base: 0x{driver.base:x}") print(f" Size: {driver.size}")

Analyze SSDT

ssdt_hooks = rootkit_detector.analyze_ssdt() for hook in ssdt_hooks: print(f"SSDT Hook: {hook.function}") print(f" Expected: 0x{hook.expected:x}") print(f" Actual: 0x{hook.actual:x}")

Check IDT (Interrupt Descriptor Table)

idt_mods = rootkit_detector.analyze_idt()

Detect inline hooks in kernel

inline_hooks = rootkit_detector.detect_inline_hooks()

Check kernel callbacks

callbacks = rootkit_detector.analyze_callbacks() for cb in callbacks: print(f"Callback: {cb.type}") print(f" Address: 0x{cb.address:x}") print(f" Module: {cb.module}")

Generate rootkit report

rootkit_detector.generate_report("/evidence/rootkit_analysis.html")

undefined

rootkit_detector.generate_report("/evidence/rootkit_analysis.html")

undefined

Task 10: Memory Timeline Analysis

任务10：内存时间线分析

Input: Memory image file

Process:

Extract timestamps from memory structures
Correlate process creation times
Analyze recent file handles
Build execution timeline
Identify temporal anomalies

Output: Memory-based timeline of system activity

Example:

python

from memory_forensics import MemoryAnalyzer, MemoryTimeline

analyzer = MemoryAnalyzer("/evidence/memory.raw")
timeline = MemoryTimeline(analyzer)

输入：内存镜像文件

流程:

从内存结构中提取时间戳
关联进程创建时间
分析最近的文件句柄
构建执行时间线
识别时间异常

输出：基于内存的系统活动时间线

示例:

python

from memory_forensics import MemoryAnalyzer, MemoryTimeline

analyzer = MemoryAnalyzer("/evidence/memory.raw")
timeline = MemoryTimeline(analyzer)

Generate comprehensive timeline

events = timeline.generate()

for event in events: print(f"{event.timestamp}: {event.event_type}") print(f" Source: {event.source}") print(f" Details: {event.details}")

events = timeline.generate()

for event in events: print(f"{event.timestamp}: {event.event_type}") print(f" Source: {event.source}") print(f" Details: {event.details}")

Get process timeline

proc_timeline = timeline.get_process_timeline()

Get network timeline

net_timeline = timeline.get_network_timeline()

Find events around specific time

window = timeline.get_events_around( timestamp="2024-01-15T10:30:00", window_minutes=30 )

Export to timeline format

timeline.export_csv("/evidence/memory_timeline.csv") timeline.export_json("/evidence/memory_timeline.json")

Generate visual timeline

timeline.generate_html_report("/evidence/timeline_report.html")

undefined

timeline.generate_html_report("/evidence/timeline_report.html")

undefined

Configuration

配置

Environment Variables

环境变量

Variable	Description	Required	Default
`VOLATILITY_PATH`	Path to Volatility installation	No	System PATH
`YARA_RULES_PATH`	Default YARA rules directory	No	./rules
`SYMBOL_PATH`	Path to debug symbols	No	None
`THREAT_INTEL_FEED`	Threat intelligence feed URL	No	None

变量	描述	必填	默认值
`VOLATILITY_PATH`	Volatility安装路径	否	系统PATH
`YARA_RULES_PATH`	默认YARA规则目录	否	./rules
`SYMBOL_PATH`	调试符号路径	否	None
`THREAT_INTEL_FEED`	威胁情报源URL	否	None

Options

选项

Option	Type	Description
`profile`	string	Force specific OS profile
`output_format`	string	Output format (json, csv, html)
`verbose`	boolean	Enable verbose output
`use_yara`	boolean	Enable YARA scanning
`parallel`	boolean	Enable parallel processing

选项	类型	描述
`profile`	string	强制指定特定操作系统配置文件
`output_format`	string	输出格式（json、csv、html）
`verbose`	boolean	启用详细输出
`use_yara`	boolean	启用YARA扫描
`parallel`	boolean	启用并行处理

Examples

示例

Example 1: Incident Response Memory Analysis

示例1：事件响应内存分析

Scenario: Investigating a potential ransomware infection

python

from memory_forensics import MemoryAnalyzer, ProcessScanner, MalwareDetector, NetworkScanner

场景：调查潜在勒索软件感染

python

from memory_forensics import MemoryAnalyzer, ProcessScanner, MalwareDetector, NetworkScanner

Load memory dump from infected system

analyzer = MemoryAnalyzer("/evidence/infected_host.raw")

Step 1: Identify suspicious processes

scanner = ProcessScanner(analyzer) suspicious = scanner.find_suspicious_processes() print(f"Found {len(suspicious)} suspicious processes")

Step 2: Check for known ransomware indicators

detector = MalwareDetector(analyzer) ransomware_iocs = detector.scan_yara("/rules/ransomware.yar")

Step 3: Identify C2 connections

net_scanner = NetworkScanner(analyzer) external_conns = net_scanner.find_external_connections() suspicious_c2 = net_scanner.check_against_threat_intel("/feeds/c2_ips.txt")

Step 4: Extract encryption keys (if in memory)

keys = detector.find_crypto_keys()

Step 5: Generate comprehensive report

analyzer.generate_report( output_path="/evidence/ransomware_analysis.html", include_timeline=True, include_iocs=True )

undefined

analyzer.generate_report( output_path="/evidence/ransomware_analysis.html", include_timeline=True, include_iocs=True )

undefined

Example 2: Credential Theft Investigation

示例2：凭证窃取调查

Scenario: Investigating Mimikatz or similar credential harvesting

python

from memory_forensics import MemoryAnalyzer, CredentialExtractor, ProcessScanner

analyzer = MemoryAnalyzer("/evidence/dc_memory.raw")

场景：调查Mimikatz或类似的凭证窃取行为

python

from memory_forensics import MemoryAnalyzer, CredentialExtractor, ProcessScanner

analyzer = MemoryAnalyzer("/evidence/dc_memory.raw")

Look for Mimikatz artifacts

scanner = ProcessScanner(analyzer) mimikatz_indicators = scanner.search_command_lines( patterns=["sekurlsa", "logonpasswords", "lsadump"] )

Extract compromised credentials

extractor = CredentialExtractor(analyzer) credentials = extractor.extract_all()

Check for Kerberos ticket theft (Golden/Silver ticket)

tickets = extractor.get_kerberos_tickets() for ticket in tickets: if ticket.is_suspicious(): print(f"ALERT: Suspicious ticket for {ticket.service_name}")

Document affected accounts

extractor.generate_affected_accounts_report("/evidence/compromised_accounts.csv")

undefined

extractor.generate_affected_accounts_report("/evidence/compromised_accounts.csv")

undefined

Example 3: Rootkit Investigation

示例3：Rootkit调查

Scenario: Investigating suspected kernel-level compromise

python

from memory_forensics import MemoryAnalyzer, RootkitDetector, ModuleScanner

analyzer = MemoryAnalyzer("/evidence/server_memory.raw")

场景：调查疑似内核级入侵

python

from memory_forensics import MemoryAnalyzer, RootkitDetector, ModuleScanner

analyzer = MemoryAnalyzer("/evidence/server_memory.raw")

Comprehensive rootkit analysis

rootkit_detector = RootkitDetector(analyzer)

Check kernel integrity

integrity = rootkit_detector.verify_kernel_integrity() if not integrity.is_clean: print("ALERT: Kernel modifications detected!") for mod in integrity.modifications: print(f" - {mod.description}")

Find hidden components

hidden_drivers = rootkit_detector.find_hidden_drivers() hidden_processes = rootkit_detector.find_hidden_processes()

Analyze all hooks

all_hooks = rootkit_detector.find_all_hooks()

Generate remediation guidance

rootkit_detector.generate_remediation_guide("/evidence/rootkit_remediation.md")

undefined

rootkit_detector.generate_remediation_guide("/evidence/rootkit_remediation.md")

undefined

Limitations

局限性

Memory analysis accuracy depends on image acquisition quality
Encrypted memory regions may not be analyzable
Some anti-forensics techniques may evade detection
Profile identification may fail for custom or rare OS versions
Large memory dumps (>32GB) may require significant processing time
Credential extraction requires appropriate access permissions
YARA scanning effectiveness depends on rule quality

内存分析的准确性取决于镜像获取质量
加密内存区域可能无法分析
部分反取证技术可能规避检测
对于自定义或罕见操作系统版本，配置文件识别可能失败
大型内存转储（>32GB）可能需要大量处理时间
凭证提取需要适当的访问权限
YARA扫描的有效性取决于规则质量

Troubleshooting

故障排除

Common Issue 1: Profile Detection Failure

常见问题1：配置文件检测失败

Problem: Unable to automatically detect OS profile Solution:

Manually specify profile using
```
--profile
```
option
Ensure memory image is not corrupted
Check if OS version is supported

问题：无法自动检测操作系统配置文件 解决方案:

使用
```
--profile
```
选项手动指定配置文件
确保内存镜像未损坏
检查操作系统版本是否受支持

Common Issue 2: Incomplete Process Listing

常见问题2：进程列表不完整

Problem: Known processes not appearing in output Solution:

Enable hidden process detection
Check for memory corruption
Verify image acquisition was complete

问题：已知进程未出现在输出中 解决方案:

启用隐藏进程检测
检查内存是否损坏
验证镜像获取是否完整

Common Issue 3: Slow Analysis Performance

常见问题3：分析性能缓慢

Problem: Analysis taking too long Solution:

Enable parallel processing
Use targeted scans instead of full analysis
Ensure adequate system resources

问题：分析耗时过长 解决方案:

启用并行处理
使用针对性扫描而非全面分析
确保系统资源充足

Common Issue 4: YARA Scan Errors

常见问题4：YARA扫描错误

Problem: YARA rules failing to load Solution:

Validate YARA rule syntax
Check rule file encoding (UTF-8)
Update YARA to latest version

问题：YARA规则加载失败 解决方案:

验证YARA规则语法
检查规则文件编码（UTF-8）
将YARA更新到最新版本

Related Skills

References

参考资料

Memory Analysis Reference
Volatility Plugin Guide
Memory Acquisition Best Practices

内存分析参考
Volatility插件指南
内存获取最佳实践

memory-forensics

Original

Translation

Memory Forensics

内存取证

Capabilities

功能

Quick Start

快速开始

Initialize analyzer with memory image

Initialize analyzer with memory image

Get system profile

Get system profile

Scan for processes

Scan for processes

Detect malware indicators

Detect malware indicators

Usage

使用方法

Task 1: Memory Image Acquisition

任务1：内存镜像获取

Windows acquisition guidance

Windows acquisition guidance

Get tool recommendations

Get tool recommendations

Generate acquisition command

Generate acquisition command

Create acquisition documentation

Create acquisition documentation

Task 2: Process Analysis

任务2：进程分析

List all processes with details

List all processes with details

Detect hidden processes

Detect hidden processes

Analyze process tree

Analyze process tree

Find orphan processes

Find orphan processes

Detect process hollowing

Detect process hollowing

Task 3: DLL and Module Analysis

任务3：DLL和模块分析

Analyze all loaded modules

Analyze all loaded modules

Detect DLL injection

Detect DLL injection

Find unlinked modules

Find unlinked modules

Detect reflective DLL loading

Detect reflective DLL loading

Extract suspicious module

Extract suspicious module

Task 4: Network Connection Analysis

任务4：网络连接分析

Get all network connections

Get all network connections

Find connections to suspicious IPs

Find connections to suspicious IPs

Get listening ports

Get listening ports

Detect covert channels

Detect covert channels

Export to CSV

Export to CSV

Task 5: Credential Extraction

任务5：凭证提取

Extract all credentials

Extract all credentials

Get NTLM hashes

Get NTLM hashes

Extract Kerberos tickets

Extract Kerberos tickets

Find LSA secrets

Find LSA secrets

Extract cached domain credentials

Extract cached domain credentials

Export credentials report

Export credentials report

Task 6: Malware Detection