As I mentioned in my last post, the main goal of this project was to examine and recreate ways in which malicious users may make use of RAM disks in order to cover their tracks or conceal the fact that they were present on a machine at all. Previously I had mounted a RAM disk, dropped some files on it, and then dismounted the disk in order to search for remnants of files in RAM after the disk was gone. As I said, the entire structure of the disk and the files located within are indeed deleted after dismounting the disk. For this portion of the research, however, I took a closer look at how malware interacts with a system when it is being run solely from a RAM disk.
Forensic Artifacts
In order to recreate a scenario in which an executable (whether malicious or not) was run from a RAM disk, I wrote a short Python script to use a CLI RAM disk mounting software to accomplish the following:- Mount a virtual disk
- Download a standalone executable to the disk
- Run the executable
- Dismount the disk
As you can see below, an entry for autoruns.exe (the executable I used for the test) is present in the Shim Cache Parser output, including the path of the RAM disk it was run from:
After
finding a way to prove that an executable was run from a RAM disk, I
chose a piece of malware to run the same script on, to see if it acted
similarly to the standalone executable.
After
running the malware from the virtual disk and the local system and
comparing the artifacts left behind, it became obvious that it runs in
virtually the same exact way and leaved behind the same artifacts
regardless of the location of the original executable. This is mostly
due to the fact that the first thing the malware does is delete itself
and recreate a new executable in a temporary directory, as seen below in
the ouput of Noriben, a malware analysis tool:
Conclusions
After a semester long of research, I was able to ultimately determine that virtual RAM disks operate extremely similarly to other mountable media such as USB drives. Consequently, virtual RAM disks should not pose much of a challenge to forensic investigators. Executables run from the RAM disk operate nearly identically to those that are run locally, and leave the same artifacts for proving they were executed. Additionally, malicious software that was run from RAM still leaves artifacts on the operating system level. The only real obstacle that RAM disks introduce is the fact that when a disk is dismounted, all files that were on the disk are completely deleted and unrecoverable.
Overall this was a great project to work on and I enjoyed learning about the structure and operations of RAM disk mounting software, as well as recreating ways in which a forensic examiner might handle a case involving a RAM disk.
Overall this was a great project to work on and I enjoyed learning about the structure and operations of RAM disk mounting software, as well as recreating ways in which a forensic examiner might handle a case involving a RAM disk.