Thursday, July 11, 2019

Extracting Pcap from a Memory Image

Continuing from "https://www.datadigitally.com/2019/06/retrieving-memory-image-remotely.html"
where memory was captured remotely with the Windows Sysinternal's tool, psexec.exe, and memory capture tool, dumpit.exe.

This post will test the net capture extractor feature of the bulk extractor tool against the previously created memory image "memdump.mem".

From bulk extractor found here: http://downloads.digitalcorpora.org/downloads/bulk_extractor/

The command that will be used is:

bulk_extractor64.exe -x all -e net -o test/ memdump.mem
This command uses the "-x all" to disable all scanners.  And the "-e net" for the net scanner option of the tool.








The "-o test/" signifies the directory to which to output the extracted net objects.

*As a note network connections related to a memory image are a great way to try and see what the machine was connected to at the time of the memory capture.
Using, the memory forensics tool, Volatility's netscan module, will provide insightful data regarding network connections at the time of the capture.  Including source and destination IP addresses, ports, protocols, and process ids (PIDs).

After running the above command the output of the bulk_extractor64.exe tool is located in the "test/" directory is as follows:
There now contains text files detailing network artifacts from the image

















This being a memory capture from a Windows 10 machine, and with the bulk extractor open source from a few years back.  I tend to wonder if offsets and structure locations in memory have changed to where certain outputs may be effected by the net scanner.

However we do get a pcap, and can view in wireshark.
It is not a complete packet capture that one may get from a network sensor.  And timestamps are off.















































Can select from the wireshark menu
Statistics --> Conversations









This will show IP address talking to each other, ports, and packet/byte numbers

We see a potential IP of interest:


64.207.134.54




Checking the reputation of the IP address on virus total we see a communicating file reported:
https://www.virustotal.com/gui/ip-address/64.207.134.54/relations











With a pretty high red reported malicious reputation:














And a description of Emotet Trojan








This is just a brief over view of a method to extract pcap from a memory image with the bulk extractor tool.  The goal would be to extract possible network indications from an image.  As previously noted the volatility suite is a great option for memory analysis.  But this may serve as a potential secondary method.

--Bryan



Reference:
SANS Internet Storm Center. (2016). SANS ISC: Extracting pcap from memory - SANS Internet Storm Center
Retrieved from https://isc.sans.edu/forums/diary/Extracting pcap from memory/20639/












1 comment:

  1. Very cool...I did the same thing in "Investigating Windows Systems"!

    Thanks for sharing this!

    ReplyDelete