CIS-4348 - Week14 - Hands On Part 2 of 3 - Router Security and Memory Forensics

Nov 26, 2025

Overview

The session covers home router security practices and an introduction to memory forensics using DumpIt and Volatility, including workflow, tools, and example analysis steps.

Router Security and Management

  • Universal Plug and Play: Disable to avoid unintended sharing from removable drives.
  • Backup Settings: Export router config to avoid rebuilding DHCP reservations after failures.
  • DHCP Table: Manually assign friendly names and static leases for easy identification.
  • Firmware Updates: Prefer notifications; periodically check and apply updates manually.
  • Device Monitoring: Use router interface to list connected devices with friendly names.
  • SSID Naming: Avoid personal info and model numbers; hiding SSID offers negligible security.
  • Address Scheme: Example uses 192.168.0.1 for router, .2 main PC, .3 spouse PC via DHCP reservations.

SSID Naming Guidance

  • Do not include personal identifiers (e.g., names, addresses).
  • Do not include vendor/model (e.g., Netgear ABC123) to avoid targeted exploits.
  • Hiding SSID: Provides only minimal security; tools can detect networks regardless.

Firmware Update Approach

  • Automatic updates: Presenter prefers notifications over full auto-update.
  • Current practice: Manually check “latest version” and update when available.

Memory Forensics: Concepts and Workflow

  • Volatility: RAM forensic tool for analyzing memory dumps.
  • Goal: Detect active malware, injected processes, and suspicious activity in RAM.
  • Two Pieces Needed:
    • Memory capture tool: DumpIt (legacy versions available without registration).
    • Analysis tool: Volatility (command line), optionally Volatility Workbench (GUI).
  • Workflow:
    • Create memory dump on infected system.
    • Transfer dump to clean machine for analysis.
    • Analyze processes, injections, and network indicators.

Memory Capture Tools

  • DumpIt: Command-line utility to dump RAM to a file; historically from MoonSols.
  • FTK Imager: Free forensic tool; can capture memory if DumpIt fails.
  • Output: Example memory dump size noted as ~9 GB.

Volatility and Workbench Usage

  • Volatility: Open-source, primarily command line; standalone executable.
  • Volatility Workbench: GUI wrapper; easier for beginners; limited command set.
  • Screen Requirement: Workbench needs resolution ≥ 1152 x 864.
  • Platform Selection: Choose Windows in Workbench for Windows dumps.

Example Analysis Steps

  • Load Image: Browse to memory dump in Workbench.
  • Get Process List: Reconstruct running processes similar to Task Manager.
  • Identify Anomalies: Example shows “process hider” and ETW.exe flagged as suspicious.
  • Malware Indicators:
    • Recognize known system processes (cmd.exe, svchost.exe, conhost.exe).
    • Flag unexpected or renamed binaries (e.g., ETW.exe not standard).
  • malfind Command:
    • Detects process injection and suspicious memory patterns (YARA-like matching).
    • Results may include system processes showing injected regions.
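The "identify anomalies" step above can be automated against the process list. The following is an added example (not the lecture's or Volatility's own code) that parses a constructed, simplified pslist-style listing and flags image names outside a known-good set, plus known processes whose parent is not the one Windows normally uses; the expected-parent table is an assumption that covers only the core system processes.

```python
"""Triage a Volatility process listing: flag names outside a known-good set and
known processes whose parent is not the one Windows normally uses."""

# Known Windows processes and the parent each normally runs under; None means
# the parent varies (explorer.exe, cmd.exe, conhost.exe) and is not checked.
EXPECTED_PARENT = {
    "system": None, "smss.exe": "system", "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe", "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe", "svchost.exe": "services.exe",
    "explorer.exe": None, "cmd.exe": None, "conhost.exe": None,
}

# Constructed, simplified pslist-style output (PID, PPID, ImageFileName), not a
# real dump; ETW.exe and "process hider" echo the lecture's flagged examples.
SAMPLE_PSLIST = """\
PID\tPPID\tImageFileName
4\t0\tSystem
368\t4\tsmss.exe
520\t368\tcsrss.exe
604\t368\twininit.exe
700\t604\tservices.exe
712\t604\tlsass.exe
880\t700\tsvchost.exe
1920\t880\tsvchost.exe
2304\t3100\tcmd.exe
2310\t2304\tconhost.exe
3100\t1920\tETW.exe
4120\t1920\tprocess hider.exe
"""

def parse_pslist(text):
    """Return [(pid, ppid, name)] from tab-separated output; extra columns are ignored."""
    rows = []
    for line in text.splitlines()[1:]:                 # skip the header row
        pid, ppid, name = line.split("\t")[:3]
        rows.append((int(pid), int(ppid), name))
    return rows

def triage(rows):
    """Return {pid: [reasons]} for processes an analyst should look at first."""
    by_pid = {pid: name.lower() for pid, _, name in rows}
    findings = {}
    for pid, ppid, name in rows:
        lname, reasons = name.lower(), []
        if lname not in EXPECTED_PARENT:
            reasons.append("not a known system process")
        elif EXPECTED_PARENT[lname] and by_pid.get(ppid) != EXPECTED_PARENT[lname]:
            reasons.append(f"unexpected parent {by_pid.get(ppid, '?')} (pid {ppid})")
        if reasons:
            findings[pid] = reasons
    return findings
```

A real pslist has more columns and parents that have already exited (smss.exe normally exits after spawning csrss/wininit), so a missing parent is a reason to check pstree rather than an automatic alarm.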

Command Line Workflow for Network Clues

  • Use Command Prompt (not PowerShell) in Volatility’s directory.
  • Navigate with cd to the tool folder (e.g., C:\lab\forensics).
  • Invoke tool (e.g., vol.exe -h) to list options.
  • Objective: Identify connections to external malicious servers from memory data.
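To make the "external malicious servers" objective concrete, here is an added example (not from the lecture or Volatility) that reduces a constructed, simplified netscan-style listing to the connections that leave the local network, grouped by owning process. The local-range list and the column layout are assumptions; the 203.0.113.0/24 addresses are a documentation range standing in for a real external host.

```python
"""Reduce a Volatility netscan-style listing to connections that leave the local
network, grouped by owning process, so external C2-style traffic stands out."""
import ipaddress
from collections import defaultdict

# Ranges treated as local/non-routable; anything else counts as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]

# Constructed, simplified netscan output, not from a real dump. 203.0.113.0/24
# is a documentation range used here as a stand-in for an external server.
SAMPLE_NETSCAN = """\
Proto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner
TCPv4\t192.168.0.2\t49712\t192.168.0.1\t80\tESTABLISHED\t4420\tmsedge.exe
TCPv4\t192.168.0.2\t49801\t203.0.113.10\t443\tESTABLISHED\t3100\tETW.exe
TCPv4\t192.168.0.2\t49822\t203.0.113.10\t4444\tESTABLISHED\t3100\tETW.exe
TCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t880\tsvchost.exe
TCPv4\t127.0.0.1\t49900\t127.0.0.1\t49901\tESTABLISHED\t2304\tcmd.exe
UDPv4\t0.0.0.0\t5353\t*\t0\t\t1920\tsvchost.exe
"""

def is_external(addr):
    """True when addr parses as an IP outside every local range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:        # netscan prints '*' or '-' for unbound sockets
        return False
    return not any(ip in net for net in LOCAL_NETS)

def parse_netscan(text):
    """Return one dict per row of tab-separated netscan output."""
    rows = []
    for line in text.splitlines()[1:]:                   # skip the header
        f = line.split("\t")
        rows.append({"proto": f[0], "faddr": f[3], "fport": int(f[4]),
                     "state": f[5], "pid": int(f[6]), "owner": f[7]})
    return rows

def external_connections(rows):
    """{(pid, owner): sorted ['addr:port', ...]} for rows leaving the LAN."""
    out = defaultdict(set)
    for r in rows:
        if is_external(r["faddr"]):
            out[(r["pid"], r["owner"])].add(f'{r["faddr"]}:{r["fport"]}')
    return {k: sorted(v) for k, v in out.items()}
```

Cross-check the PIDs this returns against the process-list triage: a non-standard binary that also owns the only external connections is the first thing to pull apart.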

Practical Tips and Caveats

  • Do not install analysis tools on infected systems; analyze dumps on a clean machine.
  • Expect errors reading some pages; review available findings anyway.
  • GUI convenience vs. completeness: Switch to CLI when Workbench lacks needed commands.

Key Terms & Definitions

  • Universal Plug-and-Play (UPnP): Protocol enabling device auto-discovery and port mapping.
  • DHCP Reservation: Router assigns fixed IP to a device based on MAC address.
  • SSID: Wireless network name broadcast by the router.
  • RAM/Volatile Memory: Active memory storing running processes and data.
  • Memory Dump: File containing a snapshot of RAM for forensic analysis.
  • Process Injection: Technique where malware inserts code into legitimate process memory.
  • Volatility: Framework for analyzing memory dumps across platforms.
  • Volatility Workbench: GUI front end for Volatility with limited command coverage.
  • DumpIt: Utility to capture full RAM contents to a file.
  • FTK Imager: Forensic tool supporting disk and memory acquisition.

Action Items / Next Steps

  • Disable UPnP; review router for unintended sharing features.
  • Export and securely store router configuration backups.
  • Establish DHCP reservations with friendly names for all devices.
  • Set a neutral SSID without personal data or vendor/model hints.
  • Schedule periodic manual firmware update checks.
  • Capture a memory dump from a test/infected system using DumpIt or FTK Imager.
  • Analyze the dump on a clean machine using Volatility or Workbench.
  • Run process listing and malfind; escalate to CLI for deeper modules and network artifacts.