Rekall memory analysis framework for Windows, Linux, and Mac OSX

Rekall is the most complete memory analysis framework. Rekall provides an end-to-end solution for incident responders and forensic analysts, from state-of-the-art acquisition tools to the most advanced open source memory analysis framework. Rekall provides cross-platform solutions on Windows, Mac OSX, and Linux. Additionally, each operating system has its own memory acquisition tool provided by Rekall, collectively called pmem (winpmem, linpmem, and osxpmem).

Install/Setup of Rekall and pmem

Install/Setup Rekall on Windows, Linux, and Mac OSX

Install/Setup Rekall for Windows 10 64-bit 

  1. Download and Install Rekall Windows binary

Install/Setup Rekall for Windows 10 64-bit via pip

  1. Download and Install Python 2.7
  2. Download and Install Microsoft Visual C++ Compiler for Python 2.7
  3. Open Command prompt as Administrator
  4. cd C:\Python27\Scripts
  5. .\pip.exe install virtualenv
  6. virtualenv.exe C:\Users\<username>\dev
  7. cd C:\Users\<username>
  8. .\dev\Scripts\activate.ps1
    1. If it fails due to the execution policy, run Set-ExecutionPolicy RemoteSigned as an Administrator
  9. pip install setuptools pip wheel
  10. pip install rekall-agent rekall
    1. If you get the error “Could not find a version that satisfies the requirement pypiwin32==220 (from rekall-core=1.7.0rc1->rekall-agent) (from versions: 219) No matching distribution found for pypiwin32==220 (from rekall-core=1.7.0rc1->rekall-agent)”, see the previous section.

Install/Setup Rekall for Ubuntu Desktop 16.04 64-bit

  1. sudo apt-get update -y
  2. sudo apt-get install python-pip python-dev libssl-dev libncurses5-dev -y
  3. pip install virtualenv
  4. virtualenv /tmp/MyEnv
  5. source /tmp/MyEnv/bin/activate
  6. pip install --upgrade setuptools pip wheel
  7. pip install pandas
  8. pip install rekall-agent rekall

Install/Setup Rekall for CentOS 7 Server 64-bit

  1. yum install python-pip python-devel redhat-rpm-config openssl-devel gcc libffi-devel ncurses-devel -y
  2. pip install virtualenv
  3. virtualenv /tmp/MyEnv
  4. source /tmp/MyEnv/bin/activate
  5. pip install --upgrade setuptools pip wheel
  6. pip install pandas
  7. pip install rekall-agent rekall

Install/Setup Rekall for Mac OSX (Sierra)

  1. mkdir ~/rekall
  2. cd rekall
  3. virtualenv MyEnv
  4. source MyEnv/bin/activate
  5. pip install --upgrade setuptools pip wheel
  6. pip install rekall

Install/Setup pmem on Windows, Linux, and Mac OSX

Memory dump vs. live analysis

Memory dumps and live analysis each have their place in security work. Live analysis creates a device on the operating system that gives Rekall direct access to live memory. Live analysis is typically used in an incident response scenario during the eradication phase to quickly mitigate an incident. Rekall also has an API mode that uses OS calls for live analysis of the system, such as WMI queries on Windows. A memory dump is an image of the contents of memory at the time of the dump; dumps are typically taken to be analyzed in more detail at a later date or saved as an incident response artifact.

Install/Setup Winpmem for Windows

Winpmem for Windows memory dump

  1. Download Winpmem
  2. Open Powershell as an Administrator
  3. cd C:\Users\<users>\Downloads
  4. .\winpmem.exe -o mem.raw

Winpmem for Windows live memory analysis

  1. Download Winpmem
  2. Open Powershell as an Administrator
  3. cd C:\Users\<users>\Downloads
  4. .\winpmem.exe -l
  5. rekal -f \\.\pmem
  6. Enter pslist
  7. .\winpmem.exe -u

Rekall load memory module WITHOUT PMEM

  1. rekal live

Install/Setup Linpmem for Ubuntu 16.04

Linpmem for Ubuntu 16.04 memory dump

  1. wget https://github.com/google/rekall/releases/download/v1.5.1/linpmem-2.1.post4
  2. chmod +x linpmem-2.1.post4
  3. ./linpmem-2.1.post4 -o mem.aff4

Linpmem for Linux live memory analysis

  • LINUX has no live memory analysis ability :(((( 

Install/Setup Macpmem for Mac OSX

Macpmem for Mac OSX memory dump

  • I want to give a shout out to ponderthebits.com for his guide on setting up OSXpmem!
  1. Download the latest OSXpmem
    1. Latest version can be downloaded here
  2. unzip osxpmem.osxpmem-2.1.post4.zip
  3. ./osxpmem.app/osxpmem -o <output directory>
    1. Depending on your version of Mac OSX (El Capitan and up) you will receive a bunch of errors; if so, continue
    2. In newer versions of Mac OSX all kext drivers must be signed and owned by root
  4. kextutil -t osxpmem.app/MacPmem.kext/
    1. This tool test-loads the kext and reports any errors
  5. chown -R root:wheel osxpmem.app/
  6. osxpmem.app/osxpmem -o mem.aff4

Macpmem for Mac OSX live memory analysis

  1. kextload osxpmem.app/MacPmem.kext/
  2. rekall -f /dev/pmem
    1. You will need to run this command with sudo to read /dev/pmem
  3. osxpmem.app/osxpmem -u

Rekall API

The Rekall API uses OS APIs to analyze memory. Please keep in mind this API is susceptible to malware manipulation if the malware has control at the kernel level. Shout out and recognition for this next section belongs to “Using Grr and Rekall for scalable memory analysis”.

Querying OS for pslist

  1. rekal --live API
  2. Enter pslist

Structured output

  1. describe(pslist)

EFilter queries

  1. select * from pslist() where pid==1931
  2. select proc.name, proc.pid from pslist() order by proc.pid desc limit 10


WMI Queries from Rekall on Windows

  1. wmi "select * from Win32_Account"

Rekall API vs live mode

DFIR with Rekall on memory dump

SANSs Windows investigative methodology

  1. Identify rogue processes
  2. Analyze processes DLLs and handles
  3. Review network artifacts
  4. Look for evidence of code injection
  5. Check for signs of a rootkit
  6. Dump suspicious processes and drivers

0. Open memory dump

  1. attrib +R mem.aff4
    1. Makes the file read-only 🙂
  2. rekall -f mem.aff4

1. Identify rogue processes

PStree

  1. pstree – This plugin displays all known processes in a tree form (i.e. the process parents with their children). This is useful to see which process launched another process.

PSlist

  1. pslist – The pslist plugin lists all the processes on Windows using a variety of methods. Since it is required by all plugins that have process selectors, this plugin will, by default, list processes using all methods.

Procinfo

  1. procinfo – The procinfo plugin displays basic information about a process. It takes all the usual process selectors (e.g. pid, name etc.) and prints information about the PE file (using peinfo) as well as the process environment strings.

Desktops

  1. desktops – Enumerates desktops and desktop threads

Sessions

  1. sessions – Enumerates sessions and associated processes

Threads

  1. threads – The threads plugin iterates over all processes and lists all threads in all processes. This is the list-walking version of the thrdscan plugin.

2. Analyze processes DLLs and handles

DLL Lists

  1. dlllist – Lists DLL modules loaded into a process by following the doubly linked list of LDR_DATA_TABLE_ENTRY stored in _EPROCESS.Peb.Ldr.InLoadOrderModuleList. DLLs are automatically added to this list when a process calls LoadLibrary (or some derivative such as LdrLoadDll) and they aren’t removed until FreeLibrary is called and the reference count reaches zero.

Handles

  1. handles – This plugin displays the handle table of processes. The handle table in the process stores securable kernel objects.

Filescan

  1. filescan – This will find open files even if a rootkit is hiding the files on disk and if the rootkit hooks some API functions to hide the open handles on a live system. The plugin also resolves the _FILE_OBJECT back to the owning process. This works only if the _FILE_OBJECT is actually in use (it does not work for closed files).

3. Review network artifacts

netstat

  1. netstat – Shows current network connections

netscan

  1. netscan – Shows current and PAST connections


4. Look for evidence of code injection

Malfind

  1. malfind – The malfind command helps find hidden or injected code/DLLs in user mode memory, based on characteristics such as VAD tag and page permissions.

LDRModules

  1. ldrmodules – There are many ways to hide a DLL. One of the ways involves unlinking the DLL from one (or all) of the linked lists in the PEB. However, when this is done, there is still information contained within the VAD (Virtual Address Descriptor) which identifies the base address of the DLL and its full path on disk. To cross-reference this information (known as memory mapped files) with the 3 PEB lists, use the ldrmodules command.


5. Check for signs of a rootkit

Modscan

  1. modscan – The modscan command finds LDR_DATA_TABLE_ENTRY structures by scanning physical memory for pool tags. This can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.
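The contrast between list walking (dlllist, threads) and scanning (ldrmodules, modscan, thrdscan) is the core idea behind steps 2 and 5. The following is an added Python 3 illustration, not Rekall code: it builds a constructed 1 KiB "memory" with a toy record layout (a 4-byte tag, a LIST_ENTRY of 32-bit flink/blink, a 16-byte name; the tag value LDRe, the offsets and the names are all made up and do not match the real LDR_DATA_TABLE_ENTRY), walks the doubly linked list the way dlllist follows InLoadOrderModuleList, then scans for the tag the way modscan scans for pool tags, and reports the records that only the scan finds.

```python
import struct

# Constructed toy record layout (NOT the real LDR_DATA_TABLE_ENTRY):
#   tag (4 bytes) | flink (u32) | blink (u32) | name (16 bytes, NUL padded)
# Links point at the start of a record, so a record's LIST_ENTRY is at record + 4.
ENTRY = struct.Struct("<4sII16s")
LIST_ENTRY = struct.Struct("<II")
TAG = b"LDRe"   # constructed tag; real pool tags differ per object type
HEAD = 0x0      # offset of the list head (stand-in for InLoadOrderModuleList)


def build_memory():
    """Constructed 1 KiB buffer: two linked records and one unlinked record."""
    mem = bytearray(0x400)
    # List head: flink -> first record, blink -> last record.
    mem[HEAD:HEAD + LIST_ENTRY.size] = LIST_ENTRY.pack(0x100, 0x200)
    mem[0x100:0x100 + ENTRY.size] = ENTRY.pack(TAG, 0x200, HEAD, b"ntdll.dll")
    mem[0x200:0x200 + ENTRY.size] = ENTRY.pack(TAG, HEAD, 0x100, b"kernel32.dll")
    # Unlinked record: intact in memory, its own links look plausible, but no
    # flink/blink in the list points at it, so a list walk never reaches it.
    mem[0x300:0x300 + ENTRY.size] = ENTRY.pack(TAG, HEAD, 0x200, b"evil.dll")
    return bytes(mem)


def _name(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")


def walk_list(mem, limit=1024):
    """dlllist-style: follow flink from the head until it returns to the head.
    The seen-set and the limit guard against a corrupted or cyclic list."""
    names, seen = [], set()
    cur = LIST_ENTRY.unpack_from(mem, HEAD)[0]
    while cur != HEAD and cur not in seen and len(names) < limit:
        seen.add(cur)
        tag, flink, _blink, raw = ENTRY.unpack_from(mem, cur)
        if tag != TAG:
            break  # link points at something that is not a record: stop, do not trust it
        names.append(_name(raw))
        cur = flink
    return names


def scan_entries(mem):
    """modscan/ldrmodules-style: ignore the links and look for the tag everywhere."""
    names = []
    for off in range(0, len(mem) - ENTRY.size + 1, 4):
        if mem[off:off + 4] == TAG:
            names.append(_name(ENTRY.unpack_from(mem, off)[3]))
    return names


def unlinked_entries(mem):
    """Records the scan sees but the list walk does not: candidates for hiding."""
    return sorted(set(scan_entries(mem)) - set(walk_list(mem)))


if __name__ == "__main__":
    image = build_memory()
    print("walk :", walk_list(image))
    print("scan :", scan_entries(image))
    print("unlinked:", unlinked_entries(image))
```

The scan also finds records that were legitimately unloaded but whose memory has not been reused yet, which is why the page describes modscan as picking up "previously unloaded drivers"; a scan hit is a lead to verify, not a verdict.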

PSXview

  1. psxview – Find hidden processes by comparing various process listings.
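Both pstree in step 1 and psxview here work on the same kind of data, a list of (pid, ppid, name) rows obtained by different methods. The following is an added Python 3 example, not Rekall code, that cross-references several constructed listings the way psxview tabulates them, flags PIDs that one method sees and another misses, and renders the surviving rows as a pstree-style tree. The listings PSLIST, PSSCAN and THRDPROC are made up for the example and the process names and PIDs in them are not from a real system.

```python
from collections import defaultdict

# Constructed sample listings, (pid, ppid, name), standing in for what the
# plugins read out of an image. Not output from a real system.
PSLIST = [
    (4, 0, "System"),
    (368, 4, "smss.exe"),
    (480, 368, "csrss.exe"),
    (528, 368, "wininit.exe"),
    (620, 528, "services.exe"),
    (1220, 620, "svchost.exe"),
    (2400, 1220, "notepad.exe"),
]
# A pool-tag scan for process objects also finds one unlinked from the active list.
PSSCAN = PSLIST + [(3012, 1220, "hidden.exe")]
# Walking threads back to their owning process sees it as well (its threads still exist).
THRDPROC = list(PSSCAN)


def cross_view(views):
    """{pid: {view_name: present}} in the spirit of psxview's one column per method."""
    pids = {pid for rows in views.values() for pid, _, _ in rows}
    table = {}
    for pid in sorted(pids):
        table[pid] = {view: any(p == pid for p, _, _ in rows)
                      for view, rows in views.items()}
    return table


def hidden_processes(views):
    """PIDs present in at least one view but absent from at least one other."""
    return [pid for pid, cols in cross_view(views).items() if not all(cols.values())]


def orphans(rows):
    """Processes whose parent is not in the listing (parent exited, or the chain is broken)."""
    known = {pid for pid, _, _ in rows}
    return [(pid, ppid, name) for pid, ppid, name in rows if ppid not in known and ppid != 0]


def render_tree(rows):
    """pstree-style lines, one dot per level; roots are rows whose parent is absent."""
    known = {pid for pid, _, _ in rows}
    children = defaultdict(list)
    for pid, ppid, name in rows:
        children[ppid].append((pid, name))
    lines, seen = [], set()

    def walk(pid, name, depth):
        if pid in seen:          # guard against a ppid cycle in corrupted data
            return
        seen.add(pid)
        lines.append("%s%d %s" % ("." * depth, pid, name))
        for cpid, cname in sorted(children[pid]):
            walk(cpid, cname, depth + 1)

    for pid, ppid, name in sorted(rows):
        if ppid not in known:
            walk(pid, name, 0)
    return lines


if __name__ == "__main__":
    views = {"pslist": PSLIST, "psscan": PSSCAN, "thrdproc": THRDPROC}
    for pid, cols in cross_view(views).items():
        print(pid, cols)
    print("hidden:", hidden_processes(views))
    print("\n".join(render_tree(PSSCAN)))
```

A PID missing from only pslist but present in the scan and thread views is the classic signature of a process unlinked from the active-process list, which is exactly what psxview is meant to surface; render_tree on the scan results then shows where that process sits in the parent chain.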

Devicetree

  1. devicetree – The devicetree plugin shows the relationship of a driver object to its devices (by walking _DRIVER_OBJECT.DeviceObject.NextDevice) and any attached devices (_DRIVER_OBJECT.DeviceObject.AttachedDevice).

Services

  1. services – Enumerates all services

SVCscan

  1. svcscan – Scans for “_service_records”

Hooks_inline

  1. hooks_inline – Detects inline hooks in process and kernel memory

Hooks_eat

  1. hooks_eat – Detects EAT hooks in process and kernel memory

SSDT

  1. ssdt – The ssdt plugin enumerates the SSDT and resolves the addresses back to the names of the functions. Windows has two SSDTs – one for the kernel and one for the GUI subsystem (win32k driver).
    1. The System Service Descriptor Table is the main interface to the kernel from user space. In the past, malware used to install hooks in this SSDT in order to intercept userspace->kernel calls. In more recent versions of Windows, Microsoft has implemented PatchGuard specifically to prevent these kinds of hooks. Therefore, it’s very rare to see these kinds of hooks any more.

Driverirp

  1. driverirp – This command outputs information for all drivers, unless you specify a regular expression filter.
    1. Windows drivers export a table of functions called the IRP MajorFunction table. In that table, the driver installs function handlers to handle various types of requests from userspace. A common way to hook a legitimate driver is to replace these function pointers with a malicious function.

Object_tree

  1. object_tree – Kernel object tree

6. Dump suspicious processes and drivers

Procdump

  1. procdump – This plugin dumps the mapped PE files associated with a Windows process. It is equivalent to calling pedump with an image base corresponding to the VAD section of the main process executable.

Moddump

  1. moddump – To extract a kernel module from memory and dump it to disk for analysis, use the moddump command. A regular expression can be specified for the module name to dump.

DLLdump

  1. dlldump – To extract a DLL from a process’s memory space and dump it to disk for analysis, use the dlldump command. All the usual process selectors are supported. Additionally, a regular expression can be specified for the DLL name to dump.

Artifacts

  1. artifact_list() – To obtain a list of artifacts
  2. artifact_collector(<artifact_name>) – Collects an artifact and writes it to disk

Yara scan

  1. yarascan(string="Microsoft") – Scan memory for the string “Microsoft”.
  2. yarascan(binary_string="4120323031314d6963726f736f667420") – Scan memory for a binary string
    1. The binary string is the last line of hex from the previous example; we are looking for “A.2011Microsoft.”
  3. yarascan(binary_string="4120323031314d6963726f736f667420", pid=<PID>) – This will scan for a binary string in a particular PID.
  4. yarascan(string="malware", <scan_kernel, scan_physical, scan_process_memory>) – This will scan the kernel memory, physical memory, or process memory for the string “malware”. BY DEFAULT these memory spaces are not scanned.
  5. yarascan(yara_expression="<yara rule>") – This will scan using a yara rule
  6. yarascan(yara_file="<location of yara rule>") – This will scan using a yara rule from the file system
  7. select * from file_yara( paths: (select path.filename from glob("c:\windows\*.exe")).filename, yara_expression: "rule r1 {strings: $a = \"Microsoft\" wide condition: any of them}")
    1. Search for all the binaries in C:\Windows that contain the string “Microsoft”
  8. plugins.search('select * from file_yara(paths: (select path.filename from glob("c:\windows\*.exe")).filename, binary_string: {str})', query_parameters=dict(str="Microsoft".encode("utf-16-le").encode("hex")))
    1. Search for all the binaries in “C:\Windows” that contain the string “Microsoft” in hex format
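The hex strings in items 2, 3 and 8 are the part most often got wrong (odd length, ASCII where a wide string was meant, or the Python 2-only .encode("hex") on Python 3). The following is an added Python 3 helper, not Rekall code, that decodes the page's binary_string back to text, builds both the ASCII and the UTF-16LE ("wide") hex forms, writes the equivalent YARA hex-string rule for use with yara_expression, and finds the pattern in a constructed sample buffer the way yarascan does over a memory region. The SAMPLE buffer and the rule name are constructed for the example.

```python
import binascii
import re


def hex_to_text(hexstr, encoding="ascii"):
    """Decode a yarascan-style binary_string back to text; ValueError on malformed hex."""
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexstr):
        raise ValueError("binary_string must be an even-length hex string")
    return binascii.unhexlify(hexstr).decode(encoding)


def ascii_binary_string(text):
    """Hex of the UTF-8/ASCII bytes, the form yarascan(binary_string=...) takes."""
    return text.encode("utf-8").hex()


def wide_binary_string(text):
    """UTF-16LE ('wide') hex: the Python 3 equivalent of the page's Python 2
    expression "Microsoft".encode("utf-16-le").encode("hex")."""
    return text.encode("utf-16-le").hex()


def yara_rule_from_hex(name, hexstr):
    """YARA rule with a hex-string pattern equivalent to binary_string=hexstr,
    usable as yarascan(yara_expression=...)."""
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexstr):
        raise ValueError("need a non-empty, even-length hex string")
    pairs = " ".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))
    return "rule %s { strings: $a = { %s } condition: $a }" % (name, pairs)


def find_pattern(buf, hexstr):
    """Every offset at which the hex pattern occurs in buf, overlapping hits included."""
    pat = binascii.unhexlify(hexstr)
    hits, start = [], 0
    while True:
        i = buf.find(pat, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


# Constructed sample "memory" region: padding, the page's ASCII pattern, more
# padding, then the same product name as a wide (UTF-16LE) string.
SAMPLE = (b"\x00" * 16 + b"A 2011Microsoft " + b"\x00" * 8
          + "Microsoft".encode("utf-16-le") + b"\x00" * 4)


if __name__ == "__main__":
    page_hex = "4120323031314d6963726f736f667420"
    print(repr(hex_to_text(page_hex)))
    print(ascii_binary_string("Microsoft"), find_pattern(SAMPLE, ascii_binary_string("Microsoft")))
    print(wide_binary_string("Microsoft"), find_pattern(SAMPLE, wide_binary_string("Microsoft")))
    print(yara_rule_from_hex("r1", page_hex))
```

The two find_pattern calls in the usage block land at different offsets: the ASCII pattern does not match the wide string and vice versa, which is why item 7 adds the wide modifier to its YARA rule and item 8 encodes with utf-16-le before hexing; searching PE binaries for a product name with only the ASCII form misses the UTF-16 resource strings.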

Resources/Sources

2 thoughts on “Rekall memory analysis framework for Windows, Linux, and Mac OSX”

  1. donnyu says:

    Help me to resolve this.

    After pip install rekall-agent rekall

    getting this error

    help please

    Could not find a version that satisfies the requirement pypiwin32==220 (from rekall-core=1.7.0rc1->rekall-agent) (from versions: 219)
    No matching distribution found for pypiwin32==220 (from rekall-core=1.7.0rc1->rekall-agent)
