Announcing the BETA release of DAMM, a FOSS memory analysis platform built on top of Volatility
Memory analysis is the new(-ish) big thing in the incident response, malware analysis, digital forensics space for the moment, and so all the cool kids seem to be doing it. While memory analysis is an incredibly powerful technique, we are still kind of on the ground floor with respect to tools to help the investigator with the analysis. Our favorite tool for memory analysis here at 504ENSICS Labs is Volatility, which parses out tons of OS-level artifacts, like processes, network connections, loaded modules, etc., from memory images. Many folks already know this, but what they don’t know is that Volatility offers an API to build off of. Using this API (and a LOT of elbow grease), we have built a new tool on top of the existing Volatility infrastructure with help from the DARPA CFT program. Specifically, DAMM has the following awesome features:
* Differential analysis: the most important feature of DAMM allows you to compare the memory objects in one memory image with those in another and display only the differences, for instance displaying only the new processes, or changes in existing processes. This can be used in controlled environments where you can acquire a memory sample from a machine before a malware infection and one from after the infection; and even using an infected memory sample and comparing against a stock memory image from the same OS version.
* SQLite results storage: the option to have plugin results stored in a SQLite db for long-term storage, sharing with others, and best of all: results caching for when you have to re-run plugins (which happens – admit it!); caching makes re-running even long-running plugins instantaneous.
* Smart filtering: a type system that allows the investigator to view all memory objects that are associated with a PID, or some string; it is smart enough to know a PID apart from other numbers in the plugin results sets, as well as what attributes of a memory object should be searched for strings of interest – a significant improvement from grep-ing on text files.
* Multiple output formats: in addition to just storing results in a db, it can output in terminal formatted, TSV (for import to Excel), and a home-brewed grepable format just in case the smart filtering isn’t doing what you want.
* Warnings: DAMM has some knowledge of what should and should not be in a memory sample. It can check for correct parent/child process relationships, and correct executable paths, look for EXEs and DLLs in temp directories, and about 20 other indicators that something may be amiss.
* Support for ~30 Volatility plugins combined into ~20 DAMM plugins (pslist + psxview + cmdline = DAMM ‘processes’; modules + modscan = DAMM ‘modules’; connections, sockets, sockscan, netscan = DAMM ‘connections’, and more).
For a complete walkthrough check out the README at the download link.
Mad thanks to the Volatility team for all their hard work. We certainly couldn’t have done this without them. If you like the tool but need some help with interpreting the results, I highly recommend the definitive book on the subject of memory forensics, or even better: the definitive class on the subject.
Vico and the 504ENSICS Labs team