
Memory Examination – Live

Article detailing the basics of live Windows memory (RAM) examination/analysis.
© PA Knowledge Ltd | 7Safe Training


Information about running processes can be obtained using Windows built-in tools or third-party tools. Examples of built-in tools include Task Manager, a GUI-based program, and PowerShell, a command-line (console) tool. An image of Task Manager is shown below:

Screenshot of Task Manager displaying running processes.

It can be seen that many processes are currently running, including 3 instances of cmd.exe. Additional columns can be selected to enhance the information shown about running processes. Although such columns can be selected, much more granular information is available via PowerShell and third-party tools.

A total of 45 metadata fields (columns) are available for selection in Task Manager.

Using the PowerShell Get-Process cmdlet will obtain yet more metadata fields. Type Get-Process cmd* | Format-List * to display a total of 68 metadata fields per cmd.exe process.

We can also select specific information to be displayed per process. Typing Get-Process cmd* | Format-List name, path, starttime, mainwindowtitle, parent, id will display the following information:

Screenshot of PowerShell console.

Note the filtered metadata fields. It can be seen that each process now has a start date and time and a parent process. The display above again indicates that 3 cmd.exe processes are running. However, only 2 Command Prompt windows are open, one running as a normal user and the other running with Administrator privileges. The third cmd.exe is being executed via PowerShell, which is its parent process.

Using third-party GUI-based tools may be the preferred option for some users. Below is an example of the same processes viewed in the Sysinternals Process Explorer program:

Screenshot of Process Explorer displaying running processes.

The graphical view clearly indicates the parent processes of the 3 cmd.exe processes and the image path from which they were executed.

Remember during a malware investigation that any process being executed from a user area (for example a user profile or temporary folder) should be deemed suspicious until its provenance can be proved. Any process with a non-standard parent process is also worthy of scrutiny to ensure that malware is not responsible.
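The two checks just described (image path in a user area, and an unexpected parent process) can be scripted rather than read off a screenshot. The following PowerShell function is an added example and is not code from the original article; it uses Get-CimInstance Win32_Process (mentioned later in the article) so that it works on Windows PowerShell 5.1 as well as PowerShell 7, resolves each process's parent name from the ParentProcessId, and flags processes by the two criteria. The user-area prefixes and the expected-parent table are assumptions for illustration and should be adjusted to the environment being examined.

```powershell
# Added example (not from the original article): list running processes with
# their parent process and flag those started from a user-writable area or with
# an unexpected parent. Works on Windows PowerShell 5.1 and PowerShell 7.
function Get-ProcessTriage {
    [CmdletBinding()]
    param(
        # Path prefixes treated as "user areas" (assumption; adjust as needed).
        [string[]]$UserAreas = @($env:USERPROFILE, $env:TEMP, "$env:SystemDrive\Users"),
        # Expected parent image per child image (assumed baseline, not from the article).
        [hashtable]$ExpectedParent = @{
            'svchost.exe' = 'services.exe'
            'cmd.exe'     = 'explorer.exe'
        }
    )

    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $all) {
        # Resolve the parent by PID; a missing entry means the parent has exited.
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $path       = $p.ExecutablePath
        $flags      = @()

        # Check 1: image executed from a user area.
        if ($path) {
            foreach ($area in $UserAreas) {
                if ($area -and $path.StartsWith($area, [StringComparison]::OrdinalIgnoreCase)) {
                    $flags += 'UserArea'
                    break
                }
            }
        }

        # Check 2: parent differs from the expected parent for this image name.
        $expected = $ExpectedParent[$p.Name.ToLower()]
        if ($expected -and $parentName -ne $expected) {
            $flags += "UnexpectedParent(expected $expected)"
        }

        [pscustomobject]@{
            Name      = $p.Name
            Id        = $p.ProcessId
            ParentId  = $p.ParentProcessId
            Parent    = $parentName
            StartTime = $p.CreationDate
            Path      = $path
            Flags     = ($flags -join ',')
        }
    }
}

# Usage: show only flagged processes, oldest first.
Get-ProcessTriage | Where-Object Flags | Sort-Object StartTime |
    Format-Table Name, Id, Parent, StartTime, Path, Flags -AutoSize
```

Run as an Administrator to see the ExecutablePath of elevated and SYSTEM processes; for a non-elevated console that field is empty for many processes and the user-area check cannot be applied to them. A cmd.exe launched from PowerShell, as in the article's screenshot, is reported with the UnexpectedParent flag, which is the prompt for the analyst to verify its provenance rather than an assertion that it is malicious.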

Note that only running processes will be identified using the above methods. Terminated processes (which could still exist in memory) may only be identified via static analysis of a memory (RAM) dump.

Additional information…

Running processes can also be listed via the Get-CimInstance cmdlet in PowerShell, via WMIC or indeed via a Command Prompt.

Some other console commands are also understood by PowerShell. Copy and paste each of the following different commands into your Windows PowerShell console to obtain a generic list of running processes:

Get-Process

Get-CimInstance Win32_Process

Get-WmiObject Win32_Process (deprecated in PowerShell 6 onwards)

WMIC Process list brief

Tasklist

Depending on the organisation, creation of a known-good configuration (baseline) of running processes should be considered. This can then be used in the event that a malware investigation is required and will assist in the identification of erroneous process activity. Remember to keep any known-good configuration up to date!
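One way to put such a baseline into practice is to export the process list of a clean build and later compare a suspect host against it. The two PowerShell functions below are an added example, not code from the original article or the course. The baseline file path is an assumption, and the comparison key (image name plus executable path) is a design choice: it ignores PIDs and start times, which change every boot, and reports only processes whose name/path pair was never seen on the clean build.

```powershell
# Added example (not from the original article): capture a known-good baseline
# of running processes and report processes that are absent from it.
# The default file path is an assumption; adjust for your environment.
function Export-ProcessBaseline {
    param([string]$Path = "$env:ProgramData\ProcessBaseline.csv")
    Get-CimInstance -ClassName Win32_Process |
        Select-Object Name, ExecutablePath, CommandLine |
        Sort-Object Name, ExecutablePath -Unique |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ProcessBaseline {
    param([string]$Path = "$env:ProgramData\ProcessBaseline.csv")
    $baseline = Import-Csv -Path $Path
    $current  = Get-CimInstance -ClassName Win32_Process |
        Select-Object Name, ExecutablePath, ProcessId, ParentProcessId, CreationDate

    # A process is "known" if its Name|ExecutablePath pair appears in the baseline.
    # An empty ExecutablePath (kernel-side processes, or no privilege to read it)
    # is kept as an empty string so it compares consistently on both sides.
    $known = @{}
    foreach ($b in $baseline) { $known["$($b.Name)|$($b.ExecutablePath)"] = $true }

    foreach ($c in $current) {
        $key = "$($c.Name)|$($c.ExecutablePath)"
        if (-not $known.ContainsKey($key)) {
            [pscustomobject]@{
                Name      = $c.Name
                Id        = $c.ProcessId
                ParentId  = $c.ParentProcessId
                StartTime = $c.CreationDate
                Path      = $c.ExecutablePath
            }
        }
    }
}

# Usage: run Export-ProcessBaseline on a clean build (and again after each
# approved change, to keep it current); later run Compare-ProcessBaseline on a
# host under investigation and review every process it returns.
Compare-ProcessBaseline | Sort-Object StartTime | Format-Table -AutoSize
```

Export the baseline from an elevated console so that ExecutablePath is populated for system processes, and compare from an elevated console too; otherwise legitimate SYSTEM processes show up as differences simply because their path could not be read.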

This article is from the free online course Introduction to Digital Forensics: Malware Analysis and Investigations.

Created by
FutureLearn - Learning For Life
