Memory forensics involves extracting and analyzing data from a computer's volatile memory (RAM) to identify Indicators of Compromise (IOCs) and other artifacts crucial for incident response. Because much of what malware does (injected code, unpacked payloads, plaintext credentials, encryption keys) never touches disk, a memory image can reveal activity that disk forensics misses. The image has to be captured while the machine is still running, though: RAM is volatile and its contents are lost at power-off, leaving only partial remnants in the hibernation and page files.
Two key tools frequently used in this process are Strings and Bstrings. While both help extract readable characters from memory dumps, they offer distinct features that make them suitable for different environments. In this article, we’ll cover the functionality of both tools, provide practical examples, and explore how they can aid in quick identification of IOCs during memory forensics.
Tools Overview
1. Strings
Functionality: Extracts printable characters from files or memory dumps.
Usage: Native to Linux/Unix (GNU strings ships with binutils); on Windows it is available through WSL or a similar compatibility layer.
Key Features:
Lightweight and easy to use.
Can be combined with search filters like grep to narrow down relevant results.
2. Bstrings (by Eric Zimmerman)
Functionality: A similar tool to Strings, but designed specifically for Windows environments. It offers additional features such as regex support and advanced filtering.
Key Features:
Regex support for powerful search capabilities.
Windows-native, and it searches for both ASCII and Unicode (UTF-16) strings by default, which matters for Windows memory because most paths, registry values and command lines are stored as UTF-16.
Capable of offset-based searches.
Basic Usage
1. Using Strings in Linux/Unix Environments
The strings tool is commonly used to extract printable (readable) characters from binary files, such as memory dumps. Its core functionality is simple but powerful when combined with additional filters, such as grep.
Example: Extracting IP Addresses
If you are hunting for a specific IOC, such as an IP address in a memory dump, you can extract printable characters and pipe the results through grep to filter the output.
strings <imagename> | grep -i '<name, filename, IOC or IP address>'
Example for an IP address:
strings mem.dump | grep -i '192\.168\.0\.'
This command extracts every printable run from the memory dump (mem.dump) and keeps only the lines containing an address that starts with 192.168.0. The pattern is quoted so the shell passes the backslashes through to grep; without the quotes the shell strips them, and each unescaped dot then matches any character (192.168.0. would also match 192a168b0c). The -i flag is harmless here but only matters for patterns containing letters.
Example for a filename:
strings mem.dump | grep -i 'akash\.exe'
Here it searches for the filename akash.exe within the memory dump, case-insensitively, since Windows filenames are case-insensitive.
Note: the --ls option of bstrings.exe on Windows (literal string search, shown below) takes its argument verbatim, so the same searches need no escape characters or quoting:
IP address: 192.168.0
Filename: akash.exe
-----------------------------------------------------------------------------------------------
2. Contextual Search
Finding an IOC in a memory dump is only the beginning. To better understand the context in which the IOC appears, you may want to see the lines surrounding the match. This can give insights into related processes, network connections, or file paths.
strings <imagename> | grep -i -C5 '<name, filename, IOC or IP address>'
Example:
strings mem.dump | grep -i -C5 'akash\.exe'
The -C5 option tells grep to show five lines above and five lines below each match for akash.exe. Bear in mind that a "line" here is one extracted string, so the context is whatever printable runs happen to sit next to the hit in the image file. Adjacent pages in a raw memory capture can belong to different processes, so treat the surrounding strings as leads to confirm, not as facts about the hit.
-----------------------------------------------------------------------------------------------
3. Advanced Usage with Offsets
Offsets matter when you hand string hits to Volatility (another powerful memory forensics tool). A plain grep hit only tells you that a string exists somewhere in the image; its offset lets Volatility map the physical page holding it to the process or kernel region that owns it, which is what turns a string into evidence you can correlate with other findings.
strings -tx <imagename> | grep -i -C5 '<name, filename, IOC or IP address>'
Example:
strings -tx mem.dump | grep -i -C5 'akash\.exe'
Here, -tx prefixes each string with its offset in hexadecimal (-td gives decimal, which is what Volatility 2's strings plugin expects, and -to octal). These are physical offsets into the image file, not virtual addresses inside a process, so let Volatility do the translation rather than reading them as pointers. Two more options are worth knowing: GNU strings looks for ASCII by default, and Windows stores most paths, registry values and command lines as UTF-16LE, so repeat the search with -el (16-bit little-endian) or you will miss them; -n sets the minimum string length (default 4) if you need short tokens such as a port number.
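To make the three steps above concrete, here is an added example (not code from the original article, and not binutils' or bstrings' own implementation) that reimplements in Python the behaviour the workflow relies on: the ASCII and UTF-16LE extraction of strings -tx / strings -el, and the grep -i -C<n> filter over the result. The byte buffer SAMPLE_DUMP is constructed inline for the example and is not a real memory image; the function names are this example's own.

```python
"""Minimal strings-style extractor with file offsets and context search.

Added example, not from the article and not GNU strings or bstrings code.
SAMPLE_DUMP is a constructed byte buffer, not a real memory image.
"""
import re
from typing import List, Tuple

MIN_LEN = 4  # GNU strings' default minimum run length (its -n option)

# Printable 7-bit ASCII (space through '~'), MIN_LEN or more in a row.
_ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE: each printable ASCII character is followed by a NUL byte.
_UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in data.

    Mirrors `strings -a -tx` (ASCII) plus `strings -a -tx -el` (UTF-16LE).
    Offsets are byte offsets into the buffer/file, not virtual addresses.
    """
    found = []
    for m in _ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in _UTF16LE_RE.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort(key=lambda row: row[0])
    return found


def search(rows, pattern: str, context: int = 0, ignore_case: bool = True):
    """Equivalent of `strings ... | grep -i -C<context> <pattern>`.

    pattern is a regular expression, so escape dots for a literal IP or
    filename. Context is counted in neighbouring extracted strings, exactly
    as grep -C counts lines of strings output: the neighbours are merely
    near in the file, not necessarily related to the hit.
    """
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    hits = [i for i, (_, _, text) in enumerate(rows) if rx.search(text)]
    keep = set()
    for i in hits:
        keep.update(range(max(0, i - context), min(len(rows), i + context + 1)))
    return [rows[i] for i in sorted(keep)]


def hunt(data: bytes, pattern: str, context: int = 0) -> List[str]:
    """Extract, filter, and render 'hexoffset encoding text' lines like -tx."""
    rows = search(extract_strings(data), pattern, context)
    return [f"{off:7x} {enc:<8} {text}" for off, enc, text in rows]


# Constructed sample (assumption): binary noise around an ASCII path, an ASCII
# C2 connect string, a UTF-16LE URL and a UTF-16LE device path, the way
# Windows keeps most of its strings.
SAMPLE_DUMP = (
    b"\x00\x01\x02\x03MZ\x90\x00"
    + b"C:\\Users\\akash\\Downloads\\akash.exe\x00"
    + b"\x7f\x00\x00"
    + b"connect 192.168.0.42:4444\x00"
    + b"\x00\x01"
    + "http://evil.example/update".encode("utf-16le") + b"\x00\x00"
    + b"\xff\xfe"
    + "\\Device\\HarddiskVolume2\\tmp\\akash.exe".encode("utf-16le")
)


if __name__ == "__main__":
    # Escaped dots: the thing an unquoted shell pattern silently loses.
    for line in hunt(SAMPLE_DUMP, r"192\.168\.0\."):
        print(line)
    print("--- one string of context around akash.exe, both encodings ---")
    for line in hunt(SAMPLE_DUMP, r"akash\.exe", context=1):
        print(line)
```

Run as a script it reports the same hits as the grep examples, plus the UTF-16LE device path that a plain strings mem.dump would skip. The offsets it prints are byte offsets into the buffer, which is what -tx reports for a file, so the same caveat about translating them to virtual addresses applies.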
-----------------------------------------------------------------------------------------------
Using Bstrings.exe in Windows
The bstrings.exe tool operates similarly to strings, but is designed for Windows environments and includes advanced features such as regex support and output saving.
Basic Operation
bstrings.exe -f "E:\ForensicImages\Memory\mem.dmp" --ls <search pattern>
This command extracts printable characters from the specified memory dump and searches for a specific pattern or IOC.
Example:
bstrings.exe -f "E:\ForensicImages\Memory\mem.dmp" --ls qemu-img-win-x64-2_3_0.zip
-----------------------------------------------------------------------------------------------
Regex Support
Bstrings offers regex pattern matching, allowing for flexible searches. This can be especially useful when looking for patterns like email addresses, MAC addresses, or URLs.
Example of listing available regex patterns:
bstrings.exe -p
Example of applying a regex pattern for MAC addresses:
bstrings.exe -f "E:\ForensicImages\Memory\mem.dmp" --lr mac
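As an added example (not from the article and not bstrings' own pattern library), the following Python builds a small named-pattern set in the spirit of bstrings -p / --lr and runs it over constructed strings output. The pattern names ip4, mac, email, url and win_path, the regexes and the sample lines are all this example's assumptions. What it adds beyond the commands above is why the IPv4 pattern needs word boundaries and an octet-range check, which the naive digits-and-dots regex people type into grep -E lacks.

```python
"""Named IOC regex patterns applied to strings output.

Added example, not from the article and not bstrings' built-in patterns.
SAMPLE_STRINGS is constructed text standing in for `strings` output.
"""
import re
from typing import Dict, List

# Pattern names follow the spirit of `bstrings -p`; the regexes are this
# example's own (assumption), kept deliberately strict.
PATTERNS = {
    # Dotted quad with 0-255 octets. \b on both ends stops version strings
    # such as 10.0.19041.1 and longer digit runs from matching.
    "ip4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    "win_path": re.compile(r"\b[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]*"),
}

# The pattern most people reach for first; it accepts anything digit.digit...
NAIVE_IP4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Constructed strings output (assumption): real hits mixed with the usual
# look-alikes found in any Windows image.
SAMPLE_STRINGS = [
    "C:\\Users\\akash\\Downloads\\akash.exe",
    "connect 192.168.0.42:4444",
    "Microsoft Windows 10.0.19041.1",   # a version string, not an address
    "checksum 999.1.1.1 failed",        # dotted quad with an impossible octet
    "ether 00:1A:2B:3C:4D:5E",
    "mailto:ops@corp.example",
    "http://evil.example/update?id=7",
    "https://EVIL.example/c2",
]


def find_iocs(lines: List[str]) -> Dict[str, List[str]]:
    """Run every pattern over every line; unique hits per pattern, in order seen."""
    hits: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    for line in lines:
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if m.group() not in hits[name]:
                    hits[name].append(m.group())
    return hits


def ip4_false_positives(lines: List[str]) -> List[str]:
    """Strings the naive IPv4 regex reports that the strict one rejects."""
    naive = {m.group() for line in lines for m in NAIVE_IP4.finditer(line)}
    strict = {m.group() for line in lines for m in PATTERNS["ip4"].finditer(line)}
    return sorted(naive - strict)


def format_report(hits: Dict[str, List[str]]) -> str:
    """One 'pattern  value' line per hit, the shape you would save to a file."""
    return "\n".join(f"{name:<9}{value}" for name, values in hits.items() for value in values)


if __name__ == "__main__":
    print(format_report(find_iocs(SAMPLE_STRINGS)))
    print("rejected by the strict ip4 pattern:", ip4_false_positives(SAMPLE_STRINGS))
```

The strict ip4 pattern keeps 192.168.0.42 and drops both look-alikes, while the naive one would report all three; on a real image the naive pattern returns hundreds of version numbers and checksums, which is why bstrings ships curated patterns rather than leaving you to improvise them in grep.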
-----------------------------------------------------------------------------------------------
Saving the Output
Often, forensic investigators need to save the results for later review or for reporting. Bstrings allows easy output saving.
bstrings.exe -f "E:\ForensicImages\Memory\mem.dmp" -o output.txt
This writes every extracted string to output.txt. Add --ls or --lr to the same command to save only the matches, which keeps the file small enough to review or attach to a report.
-----------------------------------------------------------------------------------------------
Practical Scenarios for Memory Forensics
Corrupted Memory Image
In certain cases, memory images are corrupted or incomplete (a capture interrupted part-way, or a dump whose format the parser does not recognise). Tools like Volatility or MemProcFS may then fail to process the image at all. In such scenarios strings and bstrings.exe remain useful because they need no understanding of the image format: they extract whatever readable data remains, allowing you to salvage critical IOCs.
Quick IOC Identification
These tools are particularly valuable for triage. During an investigation, quickly scanning a memory dump for IOCs (such as suspicious filenames, IP addresses, or domain names) can direct the next steps of a forensic investigation. If no IOCs are found, the investigator can move on to more sophisticated or time-consuming methods.
-----------------------------------------------------------------------------------------------
Conclusion
Memory forensics is a crucial part of modern incident response, and tools like strings and bstrings.exe can significantly accelerate the process. Their ability to extract readable characters from memory dumps and apply search filters makes them invaluable for forensic investigators, especially in cases where traditional analysis tools may fail.
Key Takeaways:
Strings is ideal for Unix/Linux environments, while Bstrings is tailored for Windows.
Both tools offer powerful search capabilities, including contextual search and offset-based analysis.
Bstrings provides additional features like regex support and output saving.
These tools help quickly identify IOCs, even in challenging scenarios like corrupted memory images.
Whether you're dealing with a large memory dump or a corrupted image, these tools offer a simple yet effective way to sift through data and uncover critical forensic artifacts.
Akash Patel