Memory Examination – Live

Article detailing the basics of live Windows memory (RAM) examination/analysis.

Information about running processes can be obtained using Windows built-in tools or third-party tools. Examples of built-in tools include Task Manager, a GUI-based program, and PowerShell, a command line (console) tool. An image of Task Manager is shown below:

Screenshot of Task Manager displaying running processes.

It can be seen that many processes are currently running including 3 instances of cmd.exe. Additional columns can be selected to enhance the information about running processes. Although such columns can be selected, much more granular information is available via PowerShell and third party tools.

A total of 45 metadata fields (columns) are available for selection in Task Manager.

Using the PowerShell Get-Process cmdlet will obtain yet more metadata fields. Type Get-Process cmd* | Format-List * to display a total of 68 metadata fields per cmd.exe process.

We can also select specific information to be displayed per process. Typing Get-Process cmd* | Format-List name, path, starttime, mainwindowtitle, parent, id will display the following information:

Screenshot of PowerShell console.

Note the filtered metadata fields. It can be seen that each process now has an executed date and time and a parent process. The above display again indicates that 3 cmd.exe processes are running. However, only 2 Command Prompts are running, one running as a normal user and the other running with Administrator privileges. The other cmd.exe is being executed via PowerShell.

Using third-party GUI-based tools may be the preferred option for some users. Below is an example of the same processes using the Sysinternals Process Explorer program:

Screenshot of Process Explorer displaying running processes.

The graphical view clearly indicates the parent processes of the 3 cmd.exe processes and the image path from which they were executed.

Remember during a malware investigation that any process being executed from a user area should be deemed suspicious until its provenance can be proved. Any process with a non-standard parent process is also worthy of scrutiny to ensure that malware is not responsible.

Note that only running processes will be identified using the above methods. Terminated processes (that could still exist in memory) may only be identified via static analysis of a memory (RAM) dump.

Additional information…

Running processes can also be obtained via the Get-CimInstance cmdlet in PowerShell, via WMIC or indeed via a Command Prompt.

Some other console commands are also understood by PowerShell. Copy and paste each of the following different commands into your Windows PowerShell console to obtain a generic list of running processes:


Get-CimInstance Win32_Process

Get-WmiObject Win32_Process (Deprecated in PowerShell 6 onwards)

WMIC Process list brief


Depending on the organisation, creation of a known good configuration of running processes should be considered. This can then be used in the event a malware investigation is required and will assist in the identification of erroneous process activity. Remember to keep any known good configuration up to date!
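
The following PowerShell sketch is an added example, not part of the original article. It combines the two checks described above: it lists processes executing from a user area together with their parent process, and it compares the current Name/Path/Parent combinations against a saved known good configuration. The baseline path, the definition of "user area" and the function name Get-ProcessSnapshot are assumptions made for illustration.

```powershell
# Added example, not code from the original article.
$BaselinePath = 'C:\IR\process-baseline.csv'   # hypothetical path; folder must exist
$UserAreas    = @("$env:SystemDrive\Users\")   # assumed meaning of "user area"
$cols         = 'Name', 'Path', 'ParentName'

function Get-ProcessSnapshot {
    $procs = @(Get-CimInstance Win32_Process)
    $byId  = @{}
    foreach ($p in $procs) { $byId[[uint32]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        $parent = $byId[[uint32]$p.ParentProcessId]
        # PIDs are reused: a "parent" created after its child is a different process.
        if ($parent -and $p.CreationDate -and $parent.CreationDate -gt $p.CreationDate) {
            $parent = $null
        }
        $path = [string]$p.ExecutablePath      # empty when the path cannot be read
        $inUserArea = $false
        foreach ($area in $UserAreas) {
            if ($path.StartsWith($area, [StringComparison]::OrdinalIgnoreCase)) { $inUserArea = $true }
        }
        [pscustomobject]@{
            Name       = $p.Name
            Id         = $p.ProcessId
            Path       = $path
            Started    = $p.CreationDate
            ParentName = if ($parent) { $parent.Name } else { '(exited)' }
            ParentId   = $p.ParentProcessId
            UserArea   = $inUserArea
        }
    }
}

$snapshot = Get-ProcessSnapshot
$current  = $snapshot | Select-Object $cols -Unique   # one row per distinct combination

if (-not (Test-Path $BaselinePath)) {
    # First run, on a known good build: record the baseline.
    $current | Export-Csv $BaselinePath -NoTypeInformation
} else {
    # '=>' marks combinations running now that the baseline does not contain.
    Compare-Object (Import-Csv $BaselinePath) $current -Property $cols |
        Where-Object SideIndicator -eq '=>' | Format-Table $cols
}

# Processes executing from a user area, with the parent that launched them.
$snapshot | Where-Object UserArea | Format-Table Name, Id, Path, ParentName, Started
```

Run it from an elevated console, since the executable path of processes owned by other accounts is otherwise returned empty.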

© PA Knowledge Ltd | 7Safe Training
This article is from the free online

Introduction to Digital Forensics: Malware Analysis and Investigations

Created by
FutureLearn - Learning For Life
