Sunday, June 23, 2019

Capturing and Retrieving a Memory Image Remotely

In some instances, particularly in intrusion cases or in enterprise security work, it may be necessary to acquire memory from a remote system for DFIR analysis.

In many cases, forensic or endpoint security tools with installed agents provide this capability.

However, I came across an excellent Incident Response tricks and tools cheatsheet resource from:
"JPMinty" @

Specifically at ""

JPMinty mentions using psexec for a live RAM capture on a remote Windows PC.

The command is as follows:
psexec \\remotepcname -c RamCapture64.exe "output.mem"

So I set up two Windows 10 VMs in VMware Workstation to simulate a remote memory capture.
* Note: this is not necessarily a forensically sound imaging method, because changes are written to the remote machine (the capture tool is copied to its disk and the dump is written there). However, if a forensic/endpoint tool fails, this may be a potential backup method.

The machine on the left is the remote PC, and the one on the right is the forensic host from which psexec is launched.


Launch a cmd prompt with admin privileges and run the following command:

* PsExec64.exe \\<RemotePC> -u <username> -p <password> -c <memory capture tool> <output memory dump file>

Download of psexec can be found at: 

Running PsExec with -c and RamCapture64.exe directly returned an ERROR.



The RamCapture64.exe download unzips to a folder called x64 containing the executable along with some DLLs and a .sys driver file. PsExec's -c switch copies only the single executable, so those dependencies were missing on the target.

I will use the xcopy command to copy the x64 folder, with RamCapture64.exe in it, to the target.

But FIRST...
I had to mount a share to the target drive with the net use command, which maps the share and authenticates to the target:

SECOND, use the XCOPY command to copy the memory dump tool to the target's C$ share.
The RamCapture tool has been copied to the target.

NEXT, initiate a remote cmd session on the target with PsExec and run the tool.
Now in a remote cmd prompt:

*NOTE: the remote command prompt step can be skipped by using psexec to run ".\RamCapture64.exe" directly.

READY to run RamCapture64.exe

Memory dump completed and is located in the C:\ root of the target.

While we are here, let's hash the memdump.mem file. We can use the certutil command:

MD5 for memory file = b8eafad7bf112f2d565093b611a8b52b

We can now exit the remote cmd session.

LASTLY, we can use xcopy again to bring memdump.mem back to the forensic host:
xcopy \\<RemotePC>\C$\memdump.mem <forensic host folder>

The memdump.mem file has been copied.

The memory capture "memdump.mem" is now on the forensic host with the same MD5 hash.

This method of using xcopy and psexec is a bit roundabout, but it does not take many steps to run.
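As an added example (not the post's own commands), the following PowerShell script chains the net use, xcopy, PsExec and certutil steps above and compares the MD5 computed on the target against the copy that lands on the forensic host. It assumes PsExec64.exe is on the forensic host's PATH, that the RamCapture x64 folder sits at the hypothetical $ToolDir path, and that the supplied credential is a local administrator on the target.

```powershell
# Added example, not the blog author's commands: wraps the post's net use / xcopy /
# PsExec / certutil / xcopy sequence and checks the MD5 on both ends automatically.
# Assumptions: PsExec64.exe is on the forensic host's PATH, the RamCapture x64 folder
# (exe, dlls, sys) is at $ToolDir, and $Cred is a local admin on the target.
param(
    [Parameter(Mandatory)] [string]       $Target,      # e.g. REMOTEPC (hypothetical)
    [Parameter(Mandatory)] [pscredential] $Cred,
    [string] $ToolDir  = 'C:\Tools\x64',                 # hypothetical local path
    [string] $DumpName = 'memdump.mem',
    [string] $LocalOut = 'C:\Cases\Evidence'             # hypothetical local path
)
$ErrorActionPreference = 'Stop'
$adminShare = "\\$Target\C$"
$user = $Cred.UserName                                   # keeps DOMAIN\user form
$pass = $Cred.GetNetworkCredential().Password

# FIRST: mount the admin share and authenticate (the post's "net use" step).
# The password lands on the command line here and in the PsExec calls, as in the post;
# "net use ... *" and PsExec without -p would prompt for it instead.
& net use $adminShare $pass "/user:$user" | Out-Null
try {
    # SECOND: copy the whole x64 folder, not just the exe, so the dlls and sys file travel too.
    & xcopy $ToolDir "$adminShare\x64" /E /I /Y | Out-Null

    # NEXT: run the capture on the target; -w sets the working dir so the driver/dlls resolve.
    & PsExec64.exe "\\$Target" -u $user -p $pass -accepteula -w 'C:\x64' `
        'C:\x64\RamCapture64.exe' "C:\$DumpName"
    if ($LASTEXITCODE -ne 0) { throw "RamCapture64.exe exited with code $LASTEXITCODE" }

    # Hash on the target before the transfer (certutil, as in the post). Older certutil
    # builds print the hash with spaces, so strip whitespace before matching 32 hex digits.
    $remoteHash = & PsExec64.exe "\\$Target" -u $user -p $pass -accepteula `
        certutil -hashfile "C:\$DumpName" MD5 |
        ForEach-Object { ($_ -replace '\s', '').ToLower() } |
        Where-Object { $_ -match '^[0-9a-f]{32}$' } | Select-Object -First 1

    # LASTLY: pull the dump back and hash it locally; a mismatch means the copy is not usable.
    New-Item -ItemType Directory -Force -Path $LocalOut | Out-Null
    & xcopy "$adminShare\$DumpName" "$LocalOut\" /Y | Out-Null
    $localHash = (Get-FileHash -Algorithm MD5 (Join-Path $LocalOut $DumpName)).Hash.ToLower()
    if ($localHash -ne $remoteHash) {
        throw "MD5 mismatch: target=$remoteHash forensic host=$localHash"
    }
    "Verified $DumpName on the forensic host, MD5 $localHash"
}
finally {
    & net use $adminShare /delete | Out-Null              # unmount the share even on failure
}
```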

----NEXT POST----

I will be attempting to extract a pcap from the same memory dump using the bulk extractor tool.

Happy forensicating

