
I was wondering how I could give some advice to one of my friends when attempting to analyze a live Windows machine which was infected with malware.

As far as I know, hibernation saves RAM memory contents and compresses them into the hiberfil.sys file. But there are also 3rd-party tools like Belkasoft RAM Capturer which read the whole RAM and save it to a file too.

The question is: is there any big difference between those 2 memory dumps? Which one is more "detailed" or "better and more juicy" in terms of forensics?

RedS

1 Answer


When entering hibernation:

  1. Apps and services are notified
  2. Drivers are notified
  3. User and system state is saved to disk in a compressed format
  4. Firmware is notified

(Per Microsoft's documentation on system power states.)

If an application or rootkit is so designed, it could attempt to hide or clean itself in response to the power state change. There is a timeout period after steps 1 and 2 to allow applications and drivers to prepare for suspension/termination.

This notification is both intentional and necessary: applications/services may span across multiple systems, and drivers must plan for data stored on volatile device memory to be lost. A similar notification occurs prior to system shutdown, albeit with a different status code.

A forensics-oriented tool may avoid "tipping off" the malware in some cases. It is also possible that malware from nation-state actors may detect common forensic tools.

I would expect that moderately sophisticated diskless malware will respond to power state changes, but it may not be capable of detecting forensics tools. So overall, I would expect to see an occasional benefit from using it. I cannot personally speak to the completeness or reliability of that particular tool, however.

DoubleD
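As an added triage check (not part of either post above), the script below reports whether hiberfil.sys on the machine is even usable as a memory image before an analyst relies on it: whether hibernation is enabled, whether the file is the "reduced" type that Windows writes for fast startup (kernel session only, no user-mode processes), and whether its last write predates the current boot. It assumes Windows 8 or later and an elevated prompt; the registry values HibernateEnabled, HiberFileType (1 = reduced, 2 = full, as set by `powercfg /h /type`) and HiberbootEnabled are the documented ones.

```powershell
# Added example, not from the original posts: triage of hiberfil.sys as a forensic memory source.
# Run elevated on the system under analysis (or on a mounted image with the paths adjusted).

$powerKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$sessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the value is absent (older Windows, hibernation never configured)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$hibernateEnabled = Get-RegValue $powerKey   'HibernateEnabled'
$hiberFileType    = Get-RegValue $powerKey   'HiberFileType'
$fastStartup      = Get-RegValue $sessionKey 'HiberbootEnabled'

# hiberfil.sys is a hidden+system file, so Get-Item needs -Force to see it
$hiberFile = Get-Item -Path "$env:SystemDrive\hiberfil.sys" -Force -ErrorAction SilentlyContinue
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$ramBytes  = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory

$typeText = switch ($hiberFileType) {
    1       { 'reduced (fast-startup image: kernel session only, no user processes)' }
    2       { 'full (complete hibernation image)' }
    default { 'unknown / not set' }
}

# A file last written before the current boot holds the previous session, and Windows marks
# it as consumed on resume; it is not a picture of the memory the analyst is looking at now.
$staleImage = if ($hiberFile) { $hiberFile.LastWriteTime -lt $os.LastBootUpTime } else { $null }

[pscustomobject]@{
    HibernateEnabled   = [bool]$hibernateEnabled
    HiberFileType      = $typeText
    FastStartupEnabled = [bool]$fastStartup
    HiberFilePresent   = [bool]$hiberFile
    HiberFileSizeGB    = if ($hiberFile) { [math]::Round($hiberFile.Length / 1GB, 2) } else { 0 }
    PhysicalRamGB      = [math]::Round($ramBytes / 1GB, 2)
    HiberFileLastWrite = if ($hiberFile) { $hiberFile.LastWriteTime } else { $null }
    LastBootUpTime     = $os.LastBootUpTime
    PredatesCurrentBoot = $staleImage
} | Format-List
```

If the type is "reduced" or the file predates the current boot, a live acquisition tool is the only way to get the user-mode memory of the running session; either way, keep the collected timestamps with the case notes so the dump can be placed in the timeline.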