Baseline Analysis in Memory Forensics: A Practical Guide

Introduction to Baseline Analysis in Digital Forensics

Baseline analysis is an essential technique in digital forensics and incident response, allowing analysts to efficiently identify anomalies in large datasets. At its core, baseline analysis involves comparing a suspect dataset with a "known good" dataset to detect outliers. This approach is particularly useful in memory forensics, where analysts must sift through hundreds of processes, drivers, and services to identify malicious activity.

One powerful tool that le verages baseline analysis for memory forensics is Memory Baseliner, developed by Csaba Barta.

This tool integrates with Volatility 3 to streamline comparisons between a suspect memory image and a baseline memory image, helping analysts quickly filter out known good items and focus on potential threats.

------------------------------------------------------------------------------------------------------------

The Need for Baseline Analysis in Memory Forensics

Windows memory is complex, often containing over a hundred processes, each with numerous associated objects. Even seasoned professionals can struggle to pinpoint malware hidden within the sheer volume of data. A baseline memory image from a clean system allows for direct comparison, making it easier to isolate unusual artifacts.

By feeding Volatility with both a suspect memory image and a baseline image, Memory Baseliner enables forensic analysts to:

Quickly filter out known good artifacts.
Identify new or uncommon processes, drivers, and services.
Stack multiple images to determine the least frequently occurring artifacts.

This approach reduces the dataset to review, making investigations more efficient.

------------------------------------------------------------------------------------------------------------

How Memory Baseliner Works

Memory Baseliner supports four types of memory object analysis:

Processes and associated DLLs (-proc)
Drivers (-drv)
Windows Services (-svc)

To perform baseline analysis, two memory images must be provided:

Baseline Image (-b): A clean system memory dump.
Suspect Image (-i): The compromised system's memory dump.

python memory_baseliner.py -b baseline.raw -i suspect.raw -o output.txt

This command compares the suspect memory image against the baseline, saving results to output.txt for further analysis.

A useful option is --showknown, which outputs both known and unknown items, allowing for flexible filtering in spreadsheet tools.

Key output details include:

Process Name & Command Line
Parent Process Details
Loaded DLLs
Import Table Hashes
Known/Unknown Status (Whether the item was in the baseline)
Frequency of Occurrence (Baseline vs. suspect image)

These data points help analysts identify anomalies that might indicate malware presence.

------------------------------------------------------------------------------------------------------------

Stacking for Least Frequency of Occurrence Analysis

Stacking is another powerful feature of Memory Baseliner that analyzes multiple memory images to detect rare artifacts. Since malware-related items tend to be less common across systems, identifying low-frequency occurrences can highlight suspicious activity.

Stacking Example

python memory_baseliner.py -d memory_images_folder -procstack -o stacked_output.txt

Here, the tool scans multiple images in the memory_images_folder directory, identifying the least frequently occurring processes.

By focusing on rare executables, DLLs, drivers, or services, analysts can reduce the dataset and prioritize investigative leads. However, false positives may still exist, requiring manual review.

------------------------------------------------------------------------------------------------------------

Speeding Up Analysis with JSON Baselines

One challenge of Memory Baseliner is its processing time. Large memory images can take up to 15 minutes to analyze. To optimize this, the tool allows users to create and reuse JSON baseline files.

JSON Baseline Usage

Create a JSON Baseline

python memory_baseliner.py -b baseline.raw --jsonbaseline baseline.json --savebaseline

Load the JSON Baseline for Faster Analysis

python memory_baseliner.py -i suspect.raw --jsonbaseline baseline.json --loadbaseline -o output.csv

By leveraging JSON files, analysts can bypass re-analysis of the baseline memory image, significantly speeding up the comparison process.

------------------------------------------------------------------------------------------------------------

I know until now we have gone through theory. But lets go with practical execution and analysis as well , So, you will not face errors like I did. So, I wanted to make your experience better—this is how you install this script.

Setting Up Memory Baseliner in WSL

Before we dive in, let’s set up the tool properly.

Clone the repository into your WSL environment:

git clone https://github.com/csababarta/memory-baseliner.git

Navigate to the cloned directory and move the scripts into the Volatility3 folder:

mv memory-baseliner/*.py ~/Memorytool/volatility3/

Verify the setup by running:

python3 baseline.py

If it runs without errors, you're good to go!

-------------------------------------------------------------------------------------------------------------

Using Memory Baseliner: Practical Examples

Now that we’re set up, let’s start running some analysis.

Step 1: Process Baselining

To dump all processes and compare them against a baseline:

python3 baseline.py -proc --state -b /mnt/c/Users/Akash's/Downloads/20250213/20250213.mem -i /mnt/c/Users/Akash's/Downloads/20250213Horizon/20250213.mem --showknown -o /mnt/c/Users/Akash's/Downloads/proc_all.txt

Step 2: Driver Baselining

To dump all loaded drivers:

python3 baseline.py -drv -b /mnt/c/Users/Akash's/Downloads/20250213/20250213.mem -i /mnt/c/Users/Akash's/Downloads/20250213Horizon/20250213.mem --showknown -o /mnt/c/Users/Akash's/Downloads/driv-all.txt

Step 3: Service Baselining

To analyze running services:

python3 baseline.py -svc --state -b /mnt/c/Users/Akash's/Downloads/20250213/20250213.mem -i /mnt/c/Users/Akash's/Downloads/20250213Horizon/20250213.mem --showknown -o /mnt/c/Users/Akash's/Downloads/svc-all.txt

------------------------------------------------------------------------------------------------------------

Output:

Converting Output for Better Analysis

By default, the tool outputs pipe-separated (|) text files, which aren’t ideal for analysis in tools like Timeline Explorer or Excel. To convert them to CSV:

sed -i 's/|/,/g' /mnt/c/Users/Akash's/Downloads/svc-all.txt > /mnt/c/Users/Akash's/Downloads/svc-all.csv

Do the same for other files (proc_all.txt, driv-all.txt).

------------------------------------------------------------------------------------------------------------

Key Analysis Techniques

Once you have the data, here’s how to make sense of it:

Process Baselining

-proc: This generates a lot of information. To narrow down the data to just process names, filter for .exe in the DLL NAME column. This works because the executable binary (.exe) will also appear in the loaded DLL list. Combine this with PROCESS STATUS=UNKNOWN to quickly identify processes that were not present in the original baseline image.
If you want to investigate loaded DLLs, filter for DLL STATUS=UNKNOWN and focus on DLLs with the lowest frequency of occurrence in the IMAGE Fo O column. If a DLL appears in many processes (i.e., has a high occurrence rate), it is less likely to be malicious.
The --cmdline option forces a comparison of the full process command line in addition to the process name. This helps detect anomalies, such as the 32-bit version of an application running even though the system typically uses the 64-bit version.
You can also compare process owners (--owner) and import hashes (--imphash). However, these comparisons might be too restrictive unless your baseline image is very similar to the suspect image.

Driver Baselining

If your baseline image is a close match, you should see only a few new drivers added to the system. Focus on STATUS=UNKNOWN entries first. Review the PATH column to check if any drivers are loaded from unusual locations outside the standard

\Windows\System32\Drivers\ and \Windows\System32\ paths.

Import hashes (ImpHash) can often be calculated for many drivers present in memory. For deeper analysis, add the --imphash comparison option to detect variations of known drivers.

Service Baselining

The STATE column shows whether a service was running. As a first step, filter for SERVICE_RUNNING to focus on active malware.
The --state option allows you to compare service configurations. This helps detect services that were disabled in the baseline but enabled in the suspect image—a common persistence tactic used by malware. It can also reveal services that were disabled in the suspect image but should be enabled (e.g., Windows updates or security software).

Malware attempting to maintain persistence often uses SERVICE_AUTO_START. Filtering for this value can help identify potential threats.

Some malware executes only once and then stops. These may use different start types, such as SERVICE_DEMAND_START, and might appear as SERVICE_STOPPED. To get a complete picture, examine all UNKNOWN services, but segmenting the data in different ways can make anomalies more obvious.

Most Windows services run under built-in accounts like LOCAL SERVICE or the computer account (HOSTNAME$). Look for services running under user accounts, as these could indicate unauthorized activity.

-------------------------------------------------------------------------------------------------------------

Practical Tips for Using Memory Baseliner

Use tailored baseline images: A baseline from a similar system build reduces noise.
Filter results in Excel: Use UNKNOWN status and .exe filters to highlight suspicious processes.
Leverage JSON baselines: Saves time on repeat analyses.
Validate findings with additional tools: Use Volatility’s malfind or yarascan plugins for deeper malware analysis.

------------------------------------------------------------------------------------------------------------

Conclusion

Baseline analysis is a crucial technique in memory forensics, enabling rapid identification of suspicious activity by filtering known good artifacts. Memory Baseliner simplifies this process, providing efficient comparisons between suspect and clean memory images.

Memory Baseliner is a powerful addition to any forensic analyst’s toolkit. By integrating it into investigations, analysts can significantly reduce data review time and enhance their ability to detect stealthy malware infections.

---------------------------------------------Dean---------------------------------------------

Actively looking roles in cybersecurity. If you have a reference or a job opportunity, your support would mean the world to me!

Baseline Analysis in Memory Forensics: A Practical Guide

Introduction to Baseline Analysis in Digital Forensics

The Need for Baseline Analysis in Memory Forensics

How Memory Baseliner Works

Stacking for Least Frequency of Occurrence Analysis

Stacking Example

Speeding Up Analysis with JSON Baselines

JSON Baseline Usage

Setting Up Memory Baseliner in WSL

Using Memory Baseliner: Practical Examples

Step 1: Process Baselining

Step 2: Driver Baselining

Step 3: Service Baselining

Converting Output for Better Analysis

Key Analysis Techniques

Process Baselining

Driver Baselining

Service Baselining

Practical Tips for Using Memory Baseliner

Conclusion

Recent Posts

Comments