Performing memory analysis in incident response investigations can be tedious and challenging: there are few commercial options for processing memory samples, no all-in-one open-source tool to process them, and a shortage of the knowledge and skill required to do so. Recognizing this, CrowdStrike Services created SuperMem, an open-source Windows memory processing script that helps investigators consistently and quickly process memory samples in their investigations.
SuperMem can be found on the CrowdStrike GitHub repository here.
What Is SuperMem?
SuperMem, or “winSuperMem.py,” is a Python script that will parse Windows memory samples in a consistent, quick and selective way. It is backed by a triage-type methodology that makes the tool easy to use and therefore more accessible to forensic analysts. The triage-type methodology consists of three types: Quick, Full and Comprehensive.
- Quick: Very limited processing
- Full: More in-depth processing
- Comprehensive: “Everything but the kitchen sink” processing
Why Did We Create It?
Inspired by vShot, we wrote SuperMem to support the memory forensic community by providing a script to assist in parsing Windows memory samples during an incident response investigation. Our main considerations in the development process have been:
- Ease of use, while remaining feature-rich. SuperMem was created with very few command-line switches to keep it easy to use while still being packed with processing power. After satisfying all of the script's dependencies, you can run SuperMem with as few as three command-line switches.
- Analytical accessibility. SuperMem outputs data in accessible formats where possible, such as CSV and body file. Additionally, the structure of the output is stored into individual directories per the processing function.
- Extensibility. As artifacts change, new ones are discovered and new tools are developed, forensic analysts need a way to easily update their tooling to accommodate them. SuperMem is written in a modular framework to which additional processing functions can be added: to add processing, you simply create the function and add it to the preferred triage type. SuperMem is also highly configurable, as it is written in Python 3 and structured for maximum configuration.
- Speed and progress updates. As forensic analysts ourselves, we want our tools to provide updates regarding progress and to be as efficient as possible so that we can be most effective with our time. Where possible, SuperMem updates you with the progress of processing and estimated time-to-completion per processing stack. Additionally, SuperMem is multi-threaded for speed, where the threads can be adjusted based on your system specifications.
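The following is an added illustration of the pattern described above (tiers that inherit the stages of the tiers below them, stages added by registering one function, and a thread pool that reports progress per stage). It is not SuperMem's code: the stage registry, the tier numbering, the tool paths and the plugin selection are assumptions chosen for the example.

```python
"""Illustrative tiered, multi-threaded memory-processing runner (added example).

Not SuperMem's code. Tier numbering, stage names, tool paths and plugin
choices are assumptions. Each tier registers only the stages it adds; a
higher tier inherits everything registered under a lower tier.
"""
import subprocess
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

QUICK, FULL, COMPREHENSIVE = 1, 2, 3
THREADCOUNT = 4  # assumption: tune to the analysis host

# tier -> [(stage name, command builder)], filled in by the @stage decorator
STAGES = {}


def stage(tier, name):
    """Register a command builder under a triage tier (higher tiers inherit it)."""
    def wrap(builder):
        STAGES.setdefault(tier, []).append((name, builder))
        return builder
    return wrap


@stage(QUICK, "volatility3")
def vol3_commands(image, outdir):
    # Hypothetical plugin selection; each entry is (argv, file that captures stdout)
    return [(["vol3", "-f", image, "-r", "csv", plugin],
             f"{outdir}/Volatility3/{plugin}.csv")
            for plugin in ("windows.pslist", "windows.netscan")]


@stage(QUICK, "strings")
def strings_commands(image, outdir):
    # -e s / l / b: 7-bit ASCII, 16-bit little-endian and 16-bit big-endian strings
    return [(["strings", "-a", "-t", "d", "-e", enc, image],
             f"{outdir}/Strings/strings_{enc}.txt")
            for enc in ("s", "l", "b")]


@stage(QUICK, "bulk_extractor")
def bulk_commands(image, outdir):
    # bulk_extractor writes its own output directory, so nothing to capture
    return [(["bulk_extractor", "-o", f"{outdir}/BEoutputdir", image], None)]


@stage(FULL, "evtxtract")
def evtxtract_commands(image, outdir):
    return [(["evtxtract", image], f"{outdir}/EVTxtract/evtxtract.xml")]


@stage(COMPREHENSIVE, "yara")
def yara_commands(image, outdir):
    # Recursive scan of the dumped files only; the rules path is an assumption
    return [(["yara", "-r", "/path/to/rules.yar", f"{outdir}/{d}"],
             f"{outdir}/Yara/{d}.txt")
            for d in ("DumpedDllsOutput", "DumpedProcessOutput", "DumpedModules")]


def resolve_plan(tier):
    """Ordered (name, builder) pairs for a tier, including all lower tiers."""
    if tier not in (QUICK, FULL, COMPREHENSIVE):
        raise ValueError(f"unknown triage type {tier}")
    return [pair for t in sorted(STAGES) if t <= tier for pair in STAGES[t]]


def run_command(argv, capture_path):
    """Run one external tool, redirecting stdout into a file when asked."""
    if capture_path is None:
        return subprocess.run(argv, check=False).returncode
    with open(capture_path, "w") as fh:
        return subprocess.run(argv, stdout=fh, check=False).returncode


def run_plan(tier, image, outdir, threads=THREADCOUNT, dry_run=False):
    """Run every stage of a tier; with dry_run, return the command lines instead."""
    results = {}
    for name, builder in resolve_plan(tier):
        commands = builder(image, outdir)
        if dry_run:
            results[name] = [argv for argv, _ in commands]
            continue
        started = time.monotonic()
        codes = []
        with ThreadPoolExecutor(max_workers=threads) as pool:
            futures = [pool.submit(run_command, argv, out) for argv, out in commands]
            for done, fut in enumerate(as_completed(futures), 1):
                codes.append(fut.result())
                elapsed = time.monotonic() - started
                remaining = elapsed / done * (len(futures) - done)
                print(f"[{name}] {done}/{len(futures)} finished, ~{remaining:.0f}s remaining")
        results[name] = codes
    return results


if __name__ == "__main__":
    for name, argvs in run_plan(COMPREHENSIVE, "memdump.mem", "output", dry_run=True).items():
        print(name, *(" ".join(a) for a in argvs), sep="\n  ")
```

The dry run prints the command lines a comprehensive pass would issue; a real run additionally needs the per-stage output directories to exist before the files are opened. The time-to-completion figure is the simple per-stage estimate the text describes (elapsed time divided by finished commands times those still outstanding), so it is only meaningful once at least one command in the stage has completed.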
What Does SuperMem Do?
SuperMem currently consists of one Python script, “winSuperMem.py,” that is meant for processing Windows memory images. By running SuperMem with a specified triage type (Quick, Full or Comprehensive), the script will process the memory sample in several ways. The processing functions SuperMem currently includes are:
- Volatility 3. Depending on the selected triage type, SuperMem will run selected Volatility 3 plugins. Volatility 3 was chosen for SuperMem because of its speed and output format. Additionally, each plugin can be configured with unique arguments.
- Volatility 2. Depending on the selected triage type, SuperMem will run selected Volatility 2 plugins, including community-developed plugins. Each plugin can be configured with unique arguments.
- Bulk Extractor. Every triage type will run Bulk Extractor with default parameters on the memory image.
- Strings. Every triage type will run Unicode, ASCII and Big-Endian strings on the memory image.
- EVTXtract. Depending on the selected triage type, SuperMem will run EVTXtract on the memory image with default parameters.
- Extract Files. Depending on the selected triage type, SuperMem will attempt to dump files such as loaded DLLs, drivers, processes, registry hives and other specific file types and paths.
- Collect IOCs. Depending on the selected triage type, SuperMem will attempt to collect non-private IP addresses from the Volatility 3 NetScan output and add them to an IOC.csv file.
- Plaso. Depending on the selected triage type, SuperMem will run log2timeline across the entire output directory parsing dumped files and Volatility output. Then SuperMem will run psort on the output and generate a super timeline of activity.
- Yara. For comprehensive triage only, SuperMem will run Yara based on a supplied Yara file across the dumped drivers, processes and DLLs. At this time, Yara scanning on the entire memory image has not been integrated as it is likely to take an extreme amount of time and potentially generate lots of noise.
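To make the Strings step above concrete, here is an added example (not SuperMem's code) that reimplements in Python the three passes GNU strings performs with -e s, -e l and -e b: 7-bit ASCII, UTF-16 little-endian and UTF-16 big-endian runs. The byte buffer it scans is constructed for the example and stands in for a slice of a memory image.

```python
"""Added example: ASCII, UTF-16LE and UTF-16BE string extraction over a buffer.

Not SuperMem's code. SAMPLE is a constructed stand-in for a memory slice.
"""
import re

# Constructed buffer: binary junk, an ASCII command line, a UTF-16LE path
# (how Windows stores it), a UTF-16BE protocol token, and runs too short to report.
SAMPLE = (
    b"\x00\x00\x12\x04"
    + b"cmd.exe /c whoami"
    + b"\x00\xff"
    + "C:\\Windows\\evil.dll".encode("utf-16-le")
    + b"\x01\x02"
    + "HTTP/1.1".encode("utf-16-be")
    + b"ab\x00cd"
)

DECODERS = {"ascii": "ascii", "utf16le": "utf-16-le", "utf16be": "utf-16-be"}


def _patterns(min_len):
    """Regexes for printable runs of at least min_len characters in each encoding."""
    return {
        # 7-bit printable ASCII bytes (GNU strings -e s)
        "ascii": re.compile(rb"[\x20-\x7e]{%d,}" % min_len),
        # UTF-16LE: each printable ASCII character is <char><0x00> (strings -e l)
        "utf16le": re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len),
        # UTF-16BE: each printable ASCII character is <0x00><char> (strings -e b)
        "utf16be": re.compile(rb"(?:\x00[\x20-\x7e]){%d,}" % min_len),
    }


def extract_strings(buf, min_len=4):
    """Return sorted (offset, encoding, text) triples for every printable run in buf.

    min_len defaults to 4, the same minimum GNU strings uses.
    """
    found = []
    for kind, pattern in _patterns(min_len).items():
        for match in pattern.finditer(buf):
            found.append((match.start(), kind, match.group().decode(DECODERS[kind])))
    return sorted(found)


if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE):
        print(f"{offset:8d} {kind:8s} {text}")
```

One caveat the output makes visible: a UTF-16BE run of five or more characters also matches the UTF-16LE pattern shifted by one byte (and vice versa), so ":\\Windows\\evil.dll" shows up as a big-endian hit next to the real little-endian path. GNU strings reports the same shifted duplicates, which is why the per-encoding output files are worth reviewing side by side rather than merged blindly.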
Quick Triage
- Volatility 3
- Strings
- Bulk Extractor
Full Triage
- Quick Triage
- Volatility 3 +
- Volatility 2
- EVTXtract
- Dump Files (only specified files and paths)
- Dump Registry Hives
- Plaso
- Gather Network IOCs
Comprehensive Triage
- Full Triage
- Dump Loaded DLLs, Processes and Drivers
- Yara
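The “Gather Network IOCs” step is a small but useful one to see end to end. The added example below (not SuperMem's code) reads Volatility 3 netscan output, keeps only routable public addresses and writes them to an IOC CSV with the process and port that referenced each. The sample netscan text is constructed to resemble windows.netscan rendered with -r csv; its column names are an assumption, and two public resolvers plus a Cloudflare IPv6 address stand in for contacted infrastructure so the filter has something to keep. It goes slightly beyond “non-private” by also dropping loopback, link-local, unspecified, multicast and placeholder (“*”) entries.

```python
"""Added example: collect public IP IOCs from Volatility 3 netscan CSV output.

Not SuperMem's code. SAMPLE_NETSCAN is constructed; column names follow the
windows.netscan plugin rendered as CSV but are an assumption for this example.
"""
import csv
import io
import ipaddress

SAMPLE_NETSCAN = """\
TreeDepth,Offset,Proto,LocalAddr,LocalPort,ForeignAddr,ForeignPort,State,PID,Owner,Created
0,0xe0000123,TCPv4,192.168.1.10,49712,8.8.8.8,443,ESTABLISHED,4120,powershell.exe,2021-10-01 12:00:01
0,0xe0000456,TCPv4,192.168.1.10,49713,1.1.1.1,80,CLOSE_WAIT,4120,powershell.exe,2021-10-01 12:00:03
0,0xe0000789,TCPv4,0.0.0.0,135,0.0.0.0,0,LISTENING,884,svchost.exe,2021-10-01 11:58:00
0,0xe0000abc,UDPv4,127.0.0.1,1900,*,0,,3004,svchost.exe,2021-10-01 11:58:02
0,0xe0000def,TCPv6,::1,445,::,0,LISTENING,4,System,2021-10-01 11:57:59
0,0xe0000f00,UDPv4,192.168.1.10,60111,8.8.8.8,53,,1212,nslookup.exe,2021-10-01 12:01:10
0,0xe0000f11,TCPv6,fe80::1,50000,2606:4700:4700::1111,443,ESTABLISHED,4120,powershell.exe,2021-10-01 12:02:00
"""


def is_public(ip_text):
    """True for a routable public unicast address; False for placeholders,
    private, loopback, link-local, unspecified and multicast addresses."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:  # "*", "" and other placeholders netscan prints
        return False
    return addr.is_global and not addr.is_multicast


def collect_network_iocs(netscan_csv):
    """Group every public address by IP with the connections that referenced it."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(netscan_csv)):
        for col in ("LocalAddr", "ForeignAddr"):
            ip = row.get(col, "")
            if not is_public(ip):
                continue
            port = row[col.replace("Addr", "Port")]
            entry = iocs.setdefault(ip, {"ip": ip, "seen_in": set(), "contexts": set()})
            entry["seen_in"].add(col)  # a public LocalAddr means the host itself is public
            entry["contexts"].add(f"{row['Owner']}({row['PID']}) {row['Proto']}:{port}")
    # Sort IPv4 before IPv6, then numerically within each family
    def order(ip):
        addr = ipaddress.ip_address(ip)
        return (addr.version, addr)
    return [iocs[ip] for ip in sorted(iocs, key=order)]


def iocs_to_csv(iocs):
    """Render the IOC list as CSV text (one row per address)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["ip", "seen_in", "contexts"])
    for entry in iocs:
        writer.writerow([entry["ip"],
                         ";".join(sorted(entry["seen_in"])),
                         ";".join(sorted(entry["contexts"]))])
    return out.getvalue()


def write_iocs(iocs, path):
    with open(path, "w", newline="") as fh:
        fh.write(iocs_to_csv(iocs))


if __name__ == "__main__":
    print(iocs_to_csv(collect_network_iocs(SAMPLE_NETSCAN)), end="")
```

The seen_in column is the caveat worth keeping: a public address in LocalAddr means the host had a public interface, not that it contacted something, so only ForeignAddr hits should be treated as candidate remote infrastructure. Keeping the owning process and port alongside each address also lets the analyst tell an nslookup.exe query to a resolver apart from a PowerShell session on 443 without going back to the raw netscan output.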
How Can You Use It?
Setup
SuperMem has several dependencies, as it marries several forensic tools to process the memory sample. You will first need to install or have the following tools:
- Python 3 for running the script and Volatility 3
- Python 2 for running Volatility 2
- Strings
- Volatility 3
- Volatility 2 with community plugins
- Bulk Extractor
- Plaso/Log2Timeline
- Yara
SuperMem has a few Python dependencies that can be installed with the following command:
pip3 install -r requirements.txt
After you have installed all of the required tools and dependencies, you will need to update the global variables at the top of the Python script to point to the install path of the tools.
# Globals Likely Needing Updated
THREADCOUNT = 12
EVTXTRACTPATH = "/usr/local/bin/evtxtract"
VOL3PATH = "/usr/bin/vol3"
VOL2PATH = "/usr/bin/vol.py"
VOL2EXTRAPLUGINS = "/usr/share/volatility/plugins/community"
BULKPATH = "/usr/bin/bulk_extractor"
LOG2TIMELINEPATH = "/usr/bin/log2timeline.py"
PSORTPATH = "/usr/bin/psort.py"
YARAPATH = "/usr/bin/yara"
STRINGSPATH = "/bin/strings"
YARARULESFILE = "/path/to/yara/Yarafile.txt"
Execution
Once the script has been configured with the paths to the tools, you can execute SuperMem with the following example command:
python3 winSuperMem.py -f memdump.mem -o output -tt 3
This command will perform comprehensive processing on the memory sample “memdump.mem” and write its output to the directory “output.” Optionally, you can supply the --profile= switch to speed up the Volatility 2 plugins if you already know the profile.
Once the script has completed executing, you will have an output directory for each of the unique processing functions.
How to Read the Output
The following is the output directory structure of comprehensive triage:
- BEoutputdir: Bulk Extractor output
- DumpedDllsOutput: Dumped DLLs loaded into processes
- DumpedFilesOutput: Dumped files in memory
- DumpedModules: Dumped loaded drivers
- DumpedProcessOutput: Dumped running processes
- DumpedRegistry: Dumped loaded registry hives
- EVTxtract: Extracted data with EVTxtract
- IOCs.csv: Collected IPs identified in the output data set
- Logging.log: Logging for the script
- Plaso: Plaso master timeline
- Strings: Unicode, ASCII and big-endian strings output
- Volatility2: Volatility 2 plugin output
- Volatility3: Volatility 3 plugin output
- Yara: Yara matches
Conclusion
With SuperMem, Windows memory analysis, especially in an incident response investigation, can be consistent and streamlined. Also, with a selection of triage types, analysts can pick the option that best suits their needs for the investigation to decrease processing time.
Additional Resources
- For more CrowdStrike tools to help your security team, visit https://github.com/CrowdStrike.
- Learn more about how CrowdStrike Services helps organizations train for, react to and remediate a breach quickly and effectively.