Python Forensics – Memory and Forensics
Python Forensics – Memory and Forensics
In this chapter, we will focus on investigating volatile memory with the help of Volatility, a Python-based forensics framework for the following platforms: Android and Linux.
Volatile Memory
Volatile memory is a type of storage whose contents are erased when system power is turned off or interrupted. RAM is a prime example of volatile memory. This means that if you are working on a file that has not been saved to non-volatile storage (such as a hard drive) and the computer loses power, all data is lost.
Generally speaking, volatile memory forensics follows the same pattern as other forensic investigations –
- Selecting the target of the investigation
- Acquiring forensic data
- Forensic analysis
The basic Volatility plugin for Android collects a RAM dump for analysis. Once the RAM dump is collected for analysis, the hunt for malware in RAM must begin.
YARA Rules
YARA is a popular tool that provides a powerful language compatible with Perl-based regular expressions and is used to inspect suspicious files/directories and match strings.
In this section, we will use YARA’s pattern matching implementation and combine it with practical power. This complete process will facilitate forensic analysis.
Example
Consider the following code. This code helps extract code.
import operator
import os
importsys
sys.path.insert(0, os.getcwd())
import plyara.interp as interp
# Plyara is a script that lexes and parses a file consisting of one more Yara
# rules into a python dictionary representation.
if __name__ == '__main__':
file_to_analyze = sys.argv[1]
rulesDict = interp.parseString(open(file_to_analyze).read())
authors = {}
imps = {}
meta_keys = {}
max_strings = []
max_string_len = 0
tags = {}
rule_count = 0
for rule in rulesDict:
rule_count += 1
#Imports
if 'imports' in rule:
for imp in rule['imports']:
imp = imp.replace('"','')
if imp in imps:
imps[imp] += 1
else:
imps[imp] = 1
# Tags
if 'tags' in rule:
for tag in rule['tags']:
if tag in tags:
tags[tag] += 1
else:
tags[tag] = 1
# Metadata
if 'metadata' in rule:
for key in rule['metadata']:
if key in meta_keys:
meta_keys[key] += 1
else:
meta_keys[key] = 1
if key in ['Author', 'author']:
if rule['metadata'][key] in authors:
authors[rule['metadata'][key]] += 1
else:
authors[rule['metadata'][key]] = 1
#Strings
if 'strings' in rule:
for strr in rule['strings']:
if len(strr['value']) > max_string_len:
max_string_len = len(strr['value'])
max_strings = [(rule['rule_name'], strr['name'], strr['value'])]
elif len(strr['value']) == max_string_len: max_strings.append((rule['rule_name'], strr['key'], strr['value']))
print("nThe number of rules implemented" + str(rule_count))
ordered_meta_keys = sorted(meta_keys.items(), key = operator.itemgetter(1),
reverse = True)
ordered_authors = sorted(authors.items(), key = operator.itemgetter(1),
reverse = True)
ordered_imps = sorted(imps.items(), key = operator.itemgetter(1), reverse = True)
ordered_tags = sorted(tags.items(), key = operator.itemgetter(1), reverse = True)
The above code will produce the following output.
The number of YARA rules implemented helps to better understand the suspicious files. Indirectly, the list of suspicious files helps to collect appropriate information for forensics.
The following is the source code in GitHub: https://github.com/radhikascs/Python_yara