Automate memory forensics analysis with Vortessence
Vortessence is a tool whose aim is to partially automate memory forensics analysis. Vortessence is a project of the Security Engineering Lab of the Bern University of Applied Sciences. While Vortessence is conceptually a rather straightforward tool, it turns out to be quite effective in practice.
In fact, a key problem in memory forensics is that an analyst needs to be able to memorize lots of “encyclopedic” details about the state of a clean system in order to be able to spot anomalies originating from an intrusion. Examples of such encyclopedic details would be names of legitimate drivers, legitimate parent-child relationships for processes, legitimate DLLs being loaded into processes, etc. We believe that it is impossible for humans to memorize all the relevant information — and even if it were possible, it is still a rather boring and cumbersome task to check a candidate memory image against the clean states. The fun parts in memory forensics are the more advanced analysis techniques, as well as researching new analysis techniques.
Another issue concerns memory forensics techniques that are geared towards the direct detection of anomalies caused by malware. An example is the malfind plugin in Volatility, which uses heuristics to detect anomalous memory allocations that are characteristic of code injections. Although clever heuristics are employed, it seems to be impossible to entirely avoid false positives. Sorting out these false positives from true positives requires manual intervention by the analyst, and in some cases it can be hard to tell false from true positives.
Vortessence provides some remedy to the above issues. There are two main activities when using Vortessence: one is populating and maintaining the whitelist, the other is running the detection component on a memory image to be analyzed (the “target image”), which generates a report showing the anomalies that have been detected. The analyst then goes through the report and checks whether the reported anomalies are true or false positives.
Vortessence allows users to populate their own whitelist, typically by adding images of a known clean system to Vortessence. The detection is performed by the Vortessence rule engine, which essentially checks the target image against the whitelist database. The resulting report can either be queried using a command line tool or be displayed using the Vortessence Web front-end.
Technically, Vortessence is currently based on Volatility and uses the Volatility plugins to query memory information for populating whitelists as well as detection.
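To make the two activities concrete (populating a whitelist from clean images, then checking a target image against it), here is a small added example in Python. It is not Vortessence's own code and it does not call Volatility; the process records (name, parent name, loaded DLLs) are constructed stand-ins for what the pslist and dlllist plugins would yield, and the anomaly kinds (unknown process, unexpected parent, DLL never seen in that process on a clean system) are the ones the article describes as hard to keep in one's head.

```python
"""Whitelist-based anomaly detection over process data, illustrating the
Vortessence approach. Example written for this article, not project code."""
from collections import defaultdict

# Constructed sample data standing in for Volatility pslist/dlllist output.
# Each record is (process name, parent process name, list of loaded DLLs).
# Parent relations and DLL sets are illustrative, not a reference baseline.
CLEAN_IMAGE = [
    ("smss.exe", "System", ["ntdll.dll"]),
    ("csrss.exe", "smss.exe", ["ntdll.dll", "csrsrv.dll"]),
    ("winlogon.exe", "smss.exe", ["ntdll.dll", "kernel32.dll", "user32.dll"]),
    ("services.exe", "winlogon.exe", ["ntdll.dll", "kernel32.dll"]),
    ("svchost.exe", "services.exe", ["ntdll.dll", "kernel32.dll", "rpcrt4.dll"]),
    ("lsass.exe", "winlogon.exe", ["ntdll.dll", "kernel32.dll", "lsasrv.dll"]),
    ("explorer.exe", "userinit.exe", ["ntdll.dll", "kernel32.dll", "shell32.dll"]),
]

# Constructed target image: the clean processes plus three deviations.
TARGET_IMAGE = [
    ("smss.exe", "System", ["ntdll.dll"]),
    ("csrss.exe", "smss.exe", ["ntdll.dll", "csrsrv.dll"]),
    ("winlogon.exe", "smss.exe", ["ntdll.dll", "kernel32.dll", "user32.dll"]),
    ("services.exe", "winlogon.exe", ["ntdll.dll", "kernel32.dll"]),
    ("svchost.exe", "services.exe", ["ntdll.dll", "kernel32.dll", "rpcrt4.dll"]),
    # svchost.exe started by a parent never observed on the clean system
    ("SVCHOST.EXE", "explorer.exe", ["ntdll.dll", "kernel32.dll"]),
    # lsass.exe carrying a DLL the clean image never showed it loading
    ("lsass.exe", "winlogon.exe", ["ntdll.dll", "kernel32.dll", "lsasrv.dll", "Hook.dll"]),
    # a process name absent from the whitelist altogether
    ("updater.exe", "explorer.exe", ["ntdll.dll"]),
]


def _norm(name):
    """Normalize names so that case differences in image names or DLL paths
    do not produce spurious anomalies."""
    return name.strip().lower()


def build_whitelist(images):
    """Merge one or more clean images into a whitelist: for every process
    name, the set of parents and the set of DLLs seen on a clean system."""
    parents = defaultdict(set)
    dlls = defaultdict(set)
    for image in images:
        for name, parent, loaded in image:
            parents[_norm(name)].add(_norm(parent))
            dlls[_norm(name)].update(_norm(d) for d in loaded)
    return {"parents": dict(parents), "dlls": dict(dlls)}


def detect(target, whitelist):
    """Compare a target image against the whitelist and return anomalies as
    (process name, finding kind, detail) tuples for the analyst to review."""
    findings = []
    for name, parent, loaded in target:
        proc, par = _norm(name), _norm(parent)
        if proc not in whitelist["parents"]:
            findings.append((proc, "unknown_process", par))
            continue  # nothing else to compare against for an unknown process
        if par not in whitelist["parents"][proc]:
            findings.append((proc, "unexpected_parent", par))
        unknown = sorted({_norm(d) for d in loaded} - whitelist["dlls"][proc])
        if unknown:
            findings.append((proc, "unknown_dlls", ",".join(unknown)))
    return findings


def report(findings):
    """Render findings as the kind of text report a command line tool would show."""
    if not findings:
        return "no anomalies found"
    return "\n".join(f"{p:14} {k:18} {d}" for p, k, d in findings)


if __name__ == "__main__":
    whitelist = build_whitelist([CLEAN_IMAGE])
    print(report(detect(TARGET_IMAGE, whitelist)))
```

Running the block prints three findings for the target image and none when the clean image is checked against its own whitelist. Whitelists built this way only know what the clean images contained, so an additional clean image (another service pack, another set of installed software) usually has to be merged in before a finding like "unknown process" is worth the analyst's time; that is the maintenance half of the workflow the article describes.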
The image below shows the process related information of a report in the Vortessence Web front-end: