In incident response cases, memory analysis can often be the key to uncovering what took place on a device, especially when an attack did not leave an easily detectable evidence trail, as with advanced persistent threats (APTs) that leverage fileless techniques.
To enhance examiners' ability to conduct memory analysis, we have added a new option for analyzing Microsoft crash dumps in AXIOM Cyber with the integration of Comae memory analysis technology. Integrating Comae into AXIOM Cyber adds support for current Windows 11 operating systems and new insights into threats, and greatly improves the speed of memory processing by natively supporting Microsoft crash dumps.
Using Comae Memory Analysis in AXIOM Cyber
To analyze a memory dump with Comae in AXIOM Cyber, you first need to grab the latest version of one of our free tools: Magnet DumpIt, a fast memory acquisition tool for Windows (x86, x64, ARM64), or Magnet RESPONSE, a comprehensive evidence collection and preservation tool for IR cases. The DMP output from these free tools can be ingested by AXIOM Cyber for analysis with no need to select a memory profile for the data.
Check out the video below with Chris Cone, Forensics Consultant, in which Chris walks through the process of acquiring and reviewing a memory dump using DumpIt and AXIOM Cyber:
The Importance of Memory Analysis
Modern malware can be developed to be extremely stealthy, executing only in memory to elude many traditional endpoint protection solutions. In fact, it was recently reported that 77% of successful ransomware attacks used fileless techniques that completely bypassed the victim company's antivirus.
But as the saying goes, "malware can hide, but it must run." Memory analysis enables examiners to uncover running processes and identify unauthorized or malicious activity on an endpoint.
"Memory data is such a crucial component of IR investigations, especially with modern exploits; without it, bad actors go undetected and have the time to spread through a network, gaining access to more data," said Matt Suiche, Comae Founder and Magnet Forensics Director of Memory, IR & R&D. "With this memory analysis enhancement in AXIOM Cyber we are equipping IR examiners with better tools to identify and address these serious threats."
Broader Support, New Insights, and Faster Results
One of the big benefits of the Comae integration is the speed of processing. In our internal tests we saw improvements as high as 90%+ in the speed of processing data sets with Comae, helping to get you these critical insights even faster than before.
This technology upgrade for memory analysis also adds support for current Windows 11 operating systems and additional insights into potential cyberattacks through new artifacts:
- Scheduled Tasks – Scheduled tasks can allow malicious code to be launched, downloaded, or run based on specific times or events while remaining in memory, hiding the activity.
- Callbacks – Callback phishing is one of the scams that has been increasing significantly, with a reported increase of 625% from Q1 to Q2 in 2022. This form of hybrid threat starts with an email that includes contact information for vishing (phone-based phishing). As more ransomware leverages legitimate drivers to gain kernel access to a machine, it often registers kernel-mode callbacks to hide its activity on the system.
- MFT (turned off by default) – The Master File Table (MFT) is a key component of the Windows operating system, providing a record of the location of each file on a hard drive as well as metadata about the files, including name, size, creation date, and access permissions.
- YARA Rules Scanning – YARA rules provide community-driven identification of the very latest malware and other indicators of compromise. To read more about the YARA rules in AXIOM Cyber, check out this blog.
When a Crash is a Good Thing…
Memory is typically captured in one of two ways: crash (.DMP) or raw (.RAW) dumps. The main difference between the two is that a crash dump includes additional data, such as a header and metadata, that a raw dump does not carry. The Comae integration in AXIOM Cyber uses crash dump files because this added information provides a more complete dataset with more context for incident response.
To learn more about the difference between these two methods of capturing memory, check out Matt Suiche's blog post: Full Memory Crash Dumps vs. Raw Dumps: Which Is Best for Memory Analysis for Incident Response?
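To make the crash-versus-raw distinction concrete, here is an added example (not code from Magnet Forensics, Comae or AXIOM Cyber) that inspects the first bytes of a memory image and, when the Windows crash dump header is present, pulls out the metadata a raw dump lacks. It assumes the widely published DUMP_HEADER / DUMP_HEADER64 field offsets (check them against your own reference before relying on them in casework); the sample headers it builds are constructed for illustration, not captured from a real system. It goes slightly beyond the text by handling both the 32-bit and 64-bit header variants.

```python
import struct

# Magic values of the Windows crash dump header. The field offsets used below
# follow the commonly published DUMP_HEADER/DUMP_HEADER64 layout (assumption).
SIGNATURE = b"PAGE"
VALID_DUMP_32 = b"DUMP"
VALID_DUMP_64 = b"DU64"
MACHINE_TYPES = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def parse_crash_dump_header(data: bytes) -> dict:
    """Classify a memory image by its leading bytes.

    A raw image begins directly with the contents of physical page 0, so the
    PAGE/DUMP magic is absent and only {"format": "raw-or-unknown"} is
    returned. A crash dump yields the header fields an analyzer would
    otherwise have to recover by scanning (kernel CR3, process list head, ...).
    """
    if len(data) < 0x60 or data[:4] != SIGNATURE:
        return {"format": "raw-or-unknown"}
    valid = data[4:8]
    if valid == VALID_DUMP_64:
        fmt, layout, params_off, params_fmt = "crashdump64", "<IIQQQQIII", 0x40, "<4Q"
    elif valid == VALID_DUMP_32:
        fmt, layout, params_off, params_fmt = "crashdump32", "<IIIIIIIII", 0x2C, "<4I"
    else:
        return {"format": "raw-or-unknown"}
    (major, minor, dtb, pfn_db, modules, procs,
     machine, ncpu, bugcheck) = struct.unpack_from(layout, data, 8)
    params = struct.unpack_from(params_fmt, data, params_off)
    return {
        "format": fmt,
        "major_version": major,
        "minor_version": minor,           # kernel build number, so no profile selection is needed
        "directory_table_base": dtb,      # kernel page-table base (CR3)
        "pfn_database": pfn_db,
        "ps_loaded_module_list": modules,
        "ps_active_process_head": procs,  # head of the EPROCESS list
        "machine": MACHINE_TYPES.get(machine, hex(machine)),
        "processors": ncpu,
        "bugcheck_code": bugcheck,
        "bugcheck_params": params,
    }


def build_sample_header64() -> bytes:
    """Constructed 64-bit header (illustrative values, not from a real system)."""
    hdr = bytearray(SIGNATURE * (0x2000 // 4))   # real headers are padded with repeating "PAGE"
    struct.pack_into("<4sIIQQQQIII", hdr, 4, VALID_DUMP_64,
                     15, 22621,                  # MajorVersion, MinorVersion (build)
                     0x1AD000,                   # DirectoryTableBase
                     0xFFFFF80012340000, 0xFFFFF8001234A000, 0xFFFFF8001234B000,
                     0x8664, 8,                  # AMD64, 8 processors
                     0xE2)                       # MANUALLY_INITIATED_CRASH bug check code
    struct.pack_into("<4Q", hdr, 0x40, 1, 2, 3, 4)
    return bytes(hdr)


def build_sample_header32() -> bytes:
    """Constructed 32-bit header (illustrative values, not from a real system)."""
    hdr = bytearray(SIGNATURE * (0x1000 // 4))
    struct.pack_into("<4sIIIIIIIII", hdr, 4, VALID_DUMP_32,
                     15, 19041, 0x1AD000,
                     0x82A00000, 0x82A10000, 0x82A20000,
                     0x014C, 2, 0xE2)
    struct.pack_into("<4I", hdr, 0x2C, 1, 2, 3, 4)
    return bytes(hdr)


def build_sample_raw() -> bytes:
    """Constructed stand-in for the first page of a raw image: memory only, no header."""
    return bytes(range(256)) * 16


if __name__ == "__main__":
    for name, image in (("crash64", build_sample_header64()),
                        ("crash32", build_sample_header32()),
                        ("raw", build_sample_raw())):
        print(name, parse_crash_dump_header(image))
```

The point of the example is the second return value: DirectoryTableBase, PsActiveProcessHead and the build number are exactly the context a raw image forces an analyzer to reconstruct by heuristics, which is why a crash dump can be processed faster and without choosing a memory profile.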
Recognizing the importance of memory analysis for incident response, Magnet Forensics acquired Comae Technologies in May of 2022. Since that time, Matt Suiche has led our memory analysis and incident response research and development team in developing memory analysis capabilities for AXIOM Cyber and the entire Magnet Forensics enterprise solutions portfolio.
The existing Volatility memory options in AXIOM Cyber will still be available. This update adds to the options for memory analysis and will be the platform that we continue to expand and develop as we further integrate Comae into Magnet Forensics.