SuperMem: A Free CrowdStrike Incident Response Tool for Automating Memory Image Processing

September 24, 2021

| | From The Front Lines
Performing memory analysis in incident response investigations can be tedious and challenging because of the lack of commercial options for processing memory samples, no all-in-one open-source tools to process samples, and a shortage of the knowledge and skill to do so. Recognizing this, CrowdStrike Services created SuperMem, an open-source Windows memory processing script that helps investigators consistently and quickly process memory samples in their investigations. SuperMem can be found on the CrowdStrike GitHub repository here.

What Is SuperMem?

SuperMem, or “winSuperMem.py,” is a Python script that will parse Windows memory samples in a consistent, quick and selective way. It is backed by a triage-type methodology that makes the tool easy to use and therefore more accessible to forensic analysts. The triage-type methodology consists of three types: Quick, Full and Comprehensive.

 

  • Quick: Very limited processing
  • Full: More in-depth processing
  • Comprehensive: “Everything but the kitchen sink” processing
Note: winSuperMem.py was developed in a Linux environment and not tested running on Windows. Configuration of the script to run on a Windows system should be possible.

Why Did We Create It?

Inspired by vShot, we wrote SuperMem to support the memory forensic community by providing a script to assist in parsing Windows memory samples during an incident response investigation. Our main considerations in the development process have been:

 

  • Ease of use, while remaining feature-rich. SuperMem was created with very few command line switches to allow for ease of use but still be packed with processing power. After satisfying all of the dependencies of the script, you can run SuperMem with as little as three command switches.

     

  • Analytical accessibility. SuperMem outputs data in accessible formats where possible, such as CSV and body file. Additionally, the structure of the output is stored into individual directories per the processing function.
  • Extensibility. As artifacts change, new ones are discovered, and tools are developed, forensic analysts need a way to easily update their tools to accommodate. SuperMem is written in a modular framework where additional processing functions can be added. To add additional processing, you would simply need to create and add the function to the preferred triage type. SuperMem is also highly configurable, as it is written in Python3 and is structured for maximum configuration.
  • Speed and progress updates. As forensic analysts ourselves, we want our tools to provide updates regarding progress and to be as efficient as possible so that we can be most effective with our time. Where possible, SuperMem updates you with the progress of processing and estimated time-to-completion per processing stack. Additionally, SuperMem is multi-threaded for speed, where the threads can be adjusted based on your system specifications.

What Does SuperMem Do?

SuperMem currently consists of one Python script, “winSuperMem.py,” that is meant for processing Windows memory images. By running SuperMem with a specified triage type (Quick, Full or Comprehensive), the script will process the memory sample in several ways. The current processing functions that SuperMem include are: Volatility 3. Depending on the selected triage type, SuperMem will run selected Volatility 3 plugins. Volatility 3 was chosen for SuperMem because of its speed and output format. Additionally, each plugin can be configured with unique arguments.
  1. Volatility 2. Depending on the selected triage type, SuperMem will run selected Volatility 2 plugins including community-developed plugins. Each plugin can be configured with unique arguments.
  2. Bulk Extractor. Every triage type will run Bulk Extractor with default parameters on the memory image.
  3. Strings. Every triage type will run Unicode, ASCII and Big-Endian strings on the memory image.
  4. EVTXtract. Depending on the selected triage type, SuperMem will run EVTXtract on the memory image with default parameters.
  5. Extract Files. Depending on the selected triage type, SuperMem will attempt to dump files such as loaded DLLs, drivers, processes, registry hives and other specific file types and paths.
  6. Collect IOCs. Depending on the selected triage type, SuperMem will attempt to collect non-private IP addresses from the Volatility 3 NetScan output and add them to an IOC.csv file.
  7. Plaso. Depending on the selected triage type, SuperMem will run log2timeline across the entire output directory parsing dumped files and Volatility output. Then SuperMem will run psort on the output and generate a super timeline of activity.

     

  8. Yara. For comprehensive triage only, SuperMem will run Yara based on a supplied Yara file across the dumped drivers, processes and DLLs. At this time, Yara scanning on the entire memory image has not been integrated as it is likely to take an extreme amount of time and potentially generate lots of noise.
Note: The goal for SuperMem is eventually to only use Volatility 3, but unfortunately there is not enough plugin support at this time and it is still being developed, so Volatility 2 is still needed. The processing functions per triage type can be seen below:

Quick Triage

  • Volatility 3
  • Strings
  • Bulk Extractor

Full Triage

  • Quick Triage
  • Volatility 3 +
  • Volatility 2
  • EVTXtract
  • Dump Files (only specified files and paths)
  • Dump Registry Hives
  • Plaso
  • Gather Network IOCs

Comprehensive Triage

  • Full Triage
  • Dump Loaded DLLs, Processes and Drivers
  • Yara
A detailed list of each Volatility plugin used in Quick triage, Full triage and Comprehensive triage modes is listed in the “winSuperMem.py” Python script.

How Can You Use It?

Setup

SuperMem has several dependencies as it is marrying several forensic tools to process the memory sample. You will first need to install or have the following tools:

 

SuperMem has a few Python dependencies that can be installed with the following command:
pip3 install -r requirements.txt
After you have installed all of the required tools and dependencies, you will need to update the global variables at the top of the Python script to point to the install path of the tools.
# Globals Likely Needing Updated
THREADCOUNT = 12
EVTXTRACTPATH = "/usr/local/bin/evtxtract"
VOL3PATH = "/usr/bin/vol3"
VOL2PATH = "/usr/bin/vol.py"
VOL2EXTRAPLUGINS = "/usr/share/volatility/plugins/community.html"
BULKPATH = "/usr/bin/bulk_extractor"
LOG2TIMELINEPATH = "/usr/bin/log2timeline.py"
PSORTPATH = "/usr/bin/psort.py"
YARAPATH = "/usr/bin/yara"
STRINGSPATH = "/bin/strings"
YARARULESFILE = "/path/to/yara/Yarafile.txt"

Execution

Once the script has been configured with the paths to the tools, you can execute SuperMem with the following example command:
python3 winSuperMem.py -f memdump.mem -o output -tt 3
This command will perform comprehensive processing on the memory sample “memdump.mem” and output to the directory “output.” Additionally, you can optionally supply the profile= command switch to speed up the processing of Volatility 2 plugins if you know the profile. Once the script has completed executing, you will have an output directory for each of the unique processing functions.

How to Read the Output

The following is the output directory structure of comprehensive triage:
  • BEoutputdir: Bulk Extractor output
  • DumpedDllsOutput: Dumped DLLs loaded into processes
  • DumpedFilesOutput: Dumped files in memory
  • DumpedModules: Dumped loaded drivers
  • DumpedProcessOutput: Dumped running processes
  • DumpedRegistry: Dumped loaded registry hives
  • EVTxtract: Extracted data with EVTxtract
  • IOCs.csv: Collected IPs identified in the output data set
  • Logging.log: Logging for the script
  • Plaso: Plaso master timeline
  • Strings: Unicode, Ascii, Big Endian strings output
  • Volatility2: Volatility 2 plugin output
  • Volatility3: Volatility 3 plugin output
  • Yara: Yara matches

Conclusion

With SuperMem, Windows memory analysis, especially in an incident response investigation, can be consistent and streamlined. Also, with a selection of triage types, analysts can pick the option that best suits their needs for the investigation to decrease processing time.

 

Additional Resources

Breaches Stop Here