Memory & Registry Analysis

Memory Analysis

Purpose

  • Detect malicious processes, injected code, or hidden modules.

  • Retrieve plaintext credentials, API keys, tokens, or configuration data.

  • Identify active malware, rootkits, or advanced persistent threats (APTs).

Types of Memory Analysis

  • Live memory analysis (during an active session)

  • Dump analysis (post-mortem)

Memory Dump Collection

  • Tools:

    • Task Manager: Create dump files

    • ProcDump: Command-line utility for targeted dump collection

    • DumpIt: Standalone, portable dump collector

    • WinDbg / Volatility: For advanced analysis

Analysis Workflow

  1. Acquire Memory Dump

    • Use tools like Task Manager or ProcDump

  2. Initial Inspection

    • Use hex editors (HxD, WinHex)

    • Extract strings (strings.exe, Volatility's strings) to identify artifacts

  3. Identify Processes & Modules

    • List all processes and loaded modules

    • Detect suspicious or unexpected processes

  4. Detect Malicious Artifacts

    • Code injections

    • Hooked functions

    • Hidden processes or DLLs

  5. Extract Credentials and Secrets

    • Search for plaintext or encrypted credentials

    • Look for tokens, passwords, or API keys

  6. Timeline & Correlation

    • Use timestamps and process activity logs

Tools for Memory Analysis

Tool             Purpose                                      Usage/Notes
HxD              Hex editor for raw dumps                     Search for patterns, ASCII/Unicode strings
strings.exe      Extract printable strings from dump files    strings.exe dump.raw > output.txt
Process Hacker   GUI for process and memory inspection        View process details, memory, and loaded modules
Volatility       Advanced forensic analysis                   Plugins such as pslist, dlllist, malfind, connections
Rekall           Alternative to Volatility                    Similar capabilities for forensic memory analysis


Registry Analysis

Purpose

  • Detect stored credentials, configuration settings, persistence mechanisms, and malware artifacts.

  • Investigate application-specific data or system-wide configurations.

Common Registry Paths

  • User-specific:

    • HKEY_CURRENT_USER\Software\[Application]

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • Machine-wide:

    • HKEY_LOCAL_MACHINE\SOFTWARE\[Application]

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • Other Locations:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Registry Analysis Workflow

  1. Manual Inspection

    • Use regedit or registry editors

    • Search for suspicious or unusual keys/values

  2. Automated Comparison

    • Use tools like Regshot:

      • Take a baseline snapshot

      • Perform system or application activity

      • Take a second snapshot

      • Compare differences to identify changes

  3. Detection of Artifacts

    • Persistent malware: keys in startup locations

    • Stored credentials: plaintext or obfuscated passwords

    • Configuration data: connection strings, license keys, API tokens

Regshot Usage

  • Open regshot.exe

  • Click "Shoot First" to capture baseline

  • Perform the system or application activity

  • Click "Shoot Second"

  • Click Compare to see added, modified, or deleted registry entries


Common Artifacts & Indicators of Malicious Activity

  • Suspicious Registry Keys:

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce

    • Random or obfuscated key names

    • Unusual values pointing to executables or scripts

  • Memory Artifacts:

    • Strings revealing passwords, tokens, or URLs

    • Malicious DLLs or injected code

    • Hidden processes or threads

  • File System Artifacts:

    • Suspicious executable files or scripts

    • Hidden or encrypted files

  • Network Artifacts:

    • Connection strings or IP addresses found in memory or registry

    • Indicators of command and control communication

The following sample commands, workflows, and case study examples illustrate Memory & Registry Analysis in practice:


Sample Commands, Workflows & Case Study Examples


1. Memory Dump Collection & Analysis

A. Collecting a Memory Dump

Using Task Manager:

  • Right-click the process and choose Create dump file (Task Manager is Windows-only; macOS or Linux equivalents may require different tools)

Using ProcDump (Sysinternals):

Using DumpIt (Portable tool):

  • Run DumpIt on the target machine; it automatically collects a full memory dump.


B. Initial Analysis with Strings

Extract strings from dump:

Search for sensitive info: Open output_strings.txt and search for:

  • Password patterns (password, pwd, pass)

  • API keys and tokens (prefixes such as AIza, ssh-rsa, Bearer)

  • URLs or IP addresses
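As an added example (not code from the original page), this Python script does what the strings-plus-search step above describes and what the case study's Step 2 relies on: it pulls printable ASCII and UTF-16LE runs out of a raw dump, as strings.exe would, and matches them against the page's search list (password keywords, AIza keys, ssh-rsa, Bearer tokens, URLs, IP addresses). The dump bytes are constructed inline, and the regexes are this example's own assumptions about what those indicators look like.

```python
import re

# Patterns drawn from the page's search list (regexes are this example's assumptions):
# password keywords, key/token prefixes (AIza, ssh-rsa, Bearer), URLs and IPv4 addresses.
SECRET_PATTERNS = {
    "password_keyword": re.compile(r"(?i)\b(?:password|passwd|pwd|pass)\b\s*[:=]\s*\S+"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "ssh_public_key": re.compile(r"\bssh-rsa AAAA[0-9A-Za-z+/=]+"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "url": re.compile(r"\bhttps?://[^\s'\"<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def extract_strings(data: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for printable runs, like strings.exe does.

    ASCII runs are found first, then UTF-16LE runs: Windows stores most paths
    and credentials as UTF-16, which an ASCII-only pass would miss entirely.
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_secrets(data: bytes):
    """Run every pattern over every extracted string; return hits with dump offsets."""
    hits = []
    for offset, enc, text in extract_strings(data):
        width = 2 if enc == "utf-16le" else 1   # bytes per character in the dump
        for label, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(text):
                hits.append({"offset": offset + m.start() * width, "encoding": enc,
                             "type": label, "value": m.group()})
    return hits


# Constructed sample dump: binary filler around ASCII and UTF-16LE fragments.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00" * 4
    + b"password=Winter2024!\x00\x00"
    + "Bearer eyJhbGciOiJIUzI1NiJ9.demo_token_value".encode("utf-16le")
    + b"\xff\xfe\x00\x00"
    + b"AIzaSyD" + b"A" * 32 + b"\x00"
    + b"http://203.0.113.7/beacon\x00"
)

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_DUMP):
        print(f"0x{hit['offset']:08x} {hit['encoding']:8} {hit['type']:17} {hit['value']}")
```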


C. Using Volatility for In-Depth Analysis

List processes:

Find injected DLLs:

Detect hidden or malicious processes:

Find network connections:


2. Registry Analysis Workflow

A. Manual Inspection Using Regedit

  • Open regedit.exe

  • Navigate to:

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Look for:

  • Unusual or random key names

  • Executables pointing to suspicious locations

B. Automated Comparison with Regshot

Steps:

  1. Launch Regshot

  2. Click "First Shot" to capture baseline

  3. Perform system or application activity (install the malware sample or configure the application)

  4. Click "Second Shot"

  5. Click "Compare"

Review output:

  • Look for new keys, changed values, or deleted entries

  • Focus on keys with suspicious executable paths or obfuscated names
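An added example, not part of the page or of Regshot itself: a Python sketch of the compare-and-review step, diffing two constructed registry snapshots into added, modified and deleted entries and flagging changes beneath the startup locations listed earlier, programs launched from user-writable paths, and random-looking value names. The persistence key list comes from the page; the path and name heuristics are assumptions of this example.

```python
import re

# Startup locations named on the page; any change beneath them deserves a closer look.
PERSISTENCE_KEYS = (r"\Software\Microsoft\Windows\CurrentVersion\Run",
                    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
                    r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon")
# Triage heuristics (assumptions of this example, not Regshot features): programs
# launched from user-writable or temp paths, and value names that look random.
SUSPICIOUS_PATH = re.compile(r"(?i)(\\Temp\\|\\AppData\\|\\ProgramData\\|\\Users\\Public\\)")
RANDOM_NAME = re.compile(r"^[b-df-hj-np-tv-z0-9]{8,}$", re.I)


def diff_snapshots(before, after):
    """Regshot-style compare. Snapshots map 'HIVE\\Key\\ValueName' -> value data."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    deleted = {k: before[k] for k in before.keys() - after.keys()}
    modified = {k: (before[k], after[k])
                for k in before.keys() & after.keys() if before[k] != after[k]}
    return {"added": added, "modified": modified, "deleted": deleted}


def triage(diff):
    """Return (change, path, data, reasons) for every entry that trips a heuristic."""
    findings = []
    for change, entries in diff.items():
        for path, data in entries.items():
            key, _, value_name = path.rpartition("\\")
            new_data = data[1] if change == "modified" else data   # modified -> (old, new)
            reasons = []
            if any(key.lower().endswith(p.lower()) for p in PERSISTENCE_KEYS):
                reasons.append("startup location")
            if isinstance(new_data, str) and SUSPICIOUS_PATH.search(new_data):
                reasons.append("user-writable path")
            if RANDOM_NAME.match(value_name):
                reasons.append("random-looking name")
            if reasons:
                findings.append((change, path, new_data, reasons))
    return findings


# Constructed snapshots: a benign settings change, a new Run value with a random
# name launching from the user's Temp folder, and a modified Winlogon Shell value.
BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    r"HKCU\Software\ExampleApp\Theme": "dark",
}
AFTER = dict(BEFORE)
AFTER[r"HKCU\Software\ExampleApp\Theme"] = "light"
AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xk7q2mzp"] = r"C:\Users\alice\AppData\Local\Temp\xk7q2mzp.exe"
AFTER[r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"] = r"explorer.exe,C:\ProgramData\update.exe"
```

Run `triage(diff_snapshots(BEFORE, AFTER))` to see the two flagged entries; the benign Theme change is reported by the diff but not by the triage.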


3. Case Study Example

Scenario:

An incident response team suspects a malware infection on a Windows machine, with persistence via the registry and code injection in memory.

Step-by-step Investigation:

Step 1: Collect Memory Dump

Step 2: Initial String Search

Result: Found a string with an API key: AIzaSyD...

Step 3: Volatility Process Listing

Result: Suspicious process svchost.exe with unusual parent process.

Step 4: DLLs Loaded by Suspicious Process

Result: Malicious DLL loaded, possibly injected.

Step 5: Registry Snapshot Before & After

  • Baseline:

  • After activity:

  • Compare snapshots for registry persistence keys.

Step 6: Summary of Findings

  • Memory contains API keys and injected DLLs.

  • Registry keys added to HKCU\Software\Microsoft\Windows\CurrentVersion\Run point to malicious executables.

  • Malicious process injection detected.
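Added example, not code from the page or from Volatility: the parent-process check behind Step 3, run over a constructed pslist-style table in which a svchost.exe has an unusual parent and image path. The expected-parent map is a deliberately small baseline assumed here for svchost.exe, services.exe and lsass.exe; a real investigation extends it from a known-good system.

```python
from collections import namedtuple

# One row of Volatility pslist-style output (pid, parent pid, image name, image path).
Proc = namedtuple("Proc", "pid ppid name path")

# Expected parent and image location for a few core Windows processes. This is a
# simplified baseline assumed by the example, not a complete list; extend it from a
# known-good system before relying on it.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
}
EXPECTED_DIR = "c:\\windows\\system32\\"


def find_anomalies(procs):
    """Flag core processes whose parent or image path does not match the baseline."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in EXPECTED_PARENT:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<exited/unknown>"
        if parent_name not in EXPECTED_PARENT[name]:
            findings.append((p.pid, p.name, f"unexpected parent {parent_name} (pid {p.ppid})"))
        if not p.path.lower().startswith(EXPECTED_DIR):
            findings.append((p.pid, p.name, f"unexpected image path {p.path}"))
    return findings


# Constructed process list: the normal boot chain plus a svchost.exe launched by
# explorer.exe from the user's Temp folder, the pattern the case study describes.
SAMPLE_PSLIST = [
    Proc(4, 0, "System", ""),
    Proc(480, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(580, 480, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(660, 580, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(680, 580, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(812, 660, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(3240, 2900, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(4412, 3240, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in find_anomalies(SAMPLE_PSLIST):
        print(f"pid {pid:>5} {name:<14} {reason}")
```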
