Memory analysis of .NET and .Net Core applications

Forensic Science International: Digital Investigation (2022)

Abstract
Memory analysis is a digital forensics technique whose goal is to model a computer system's state based solely on the analysis of a snapshot of physical memory (RAM). Memory forensics is frequently employed in incident response to detect and analyze modern malware and attack frameworks. Memory forensics is a particularly powerful tool for analyzing modern malware, which may exist only in memory and never touch non-volatile storage. Memory-only attacks leave no trace of the malware and its associated modules on the file system, and all data that traverses the network is commonly encrypted. While initially focused on kernel-level rootkits, memory analysis research efforts have recently shifted to the detection of userland malware. This shift occurred as operating system vendors strongly locked down the ability of kernel rootkits to load, and, in turn, malware authors developed significant userland malware capabilities. In this paper, we present our effort to develop memory analysis capabilities that target a very powerful and widely abused set of userland runtimes: the .NET Framework and its replacement, .NET Core. To support automated and repeatable results, even for non-expert investigators, we developed a number of Volatility plugins that automatically target key areas of these runtimes and report any suspicious artifacts. Our suite of new plugins provides investigators with deep insight into the use of .NET on a target system as well as identification of suspicious and malicious components. These capabilities considerably advance defenders' ability to combat, contain, and understand modern malware.
Keywords
Memory forensics, Language runtimes, Memory-only malware, Digital forensics