
Apr 11, 2020

Basic Memory Forensics | Volatility



There are plenty of traces of someone's activity on a computer, but perhaps some of the most valuable information can be found within memory dumps, that is, images taken of RAM.
In digital forensics, data present in digital assets serves as strong evidence. A system's memory may hold critical data about attacks, such as account credentials, encryption keys, messages, emails, non-cacheable internet history, network connections, endpoint connected devices, etc.
There are many ways to capture a memory file; we can use a tool called DumpIt, which generates a physical memory dump of Windows machines.

The raw memory dump is the dump format most commonly used by modern analysis tools. These dumps are often very large, but they can be analyzed using a tool called Volatility.
Volatility is the most popular memory forensics platform, available in Kali, Parrot,... It can also be used on Windows by installing it manually. It allows you to extract evidence and intelligence from a memory image. It has an active user and developer community who build new modules to support new analysis techniques and data types. Volatility is a powerful tool that allows advanced users to find evidence that cannot be found with other tools. This post will help you get started with Volatility.

Let's go
In order to use Volatility properly, you must supply a profile with --profile=<PROFILE>. So the first step is to determine the profile using imageinfo:
$ volatility -f <Memory file> imageinfo
This returns the suggested profile(s), e.g.: Win7SP0x64, Win7SP1x64, Win2008R2SP0x64


In order to view processes, the pslist or pstree or psscan command can be used.
E.g: $ volatility -f <Memory file> --profile=Win7SP1x64 pslist
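pslist walks the kernel's active process list, while psscan finds process structures by pool tag scanning, so comparing the two shows processes that have exited or are no longer in the active list. The Python below is an added example, not part of the original post: it parses the text output of both plugins and reports the difference. The sample rows are constructed, and the function names are this example's own.

```python
import re

# Offset, process name, PID, PPID; the remaining columns are not captured.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)\s+(\d+)\s")
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample output in Volatility 2 text layout (not from a real image).
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System                    4      0     80      541 ------      0 2020-04-11 08:01:02 UTC+0000
0xfffffa8001a2b060 smss.exe                248      4      2       29 ------      0 2020-04-11 08:01:02 UTC+0000
0xfffffa8002c41b30 explorer.exe           1432   1400     24      812      1      0 2020-04-11 08:02:15 UTC+0000
"""
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003fca0040 System                4      0 0x0000000000187000 2020-04-11 08:01:02 UTC+0000
0x000000003e42b060 smss.exe            248      4 0x000000002a1f3000 2020-04-11 08:01:02 UTC+0000
0x000000003dc41b30 explorer.exe       1432   1400 0x000000001b6d2000 2020-04-11 08:02:15 UTC+0000
0x000000003d9a7060 cmd.exe            2096   1432 0x0000000017c44000 2020-04-11 08:05:40 UTC+0000 2020-04-11 08:06:01 UTC+0000
0x000000003d1f5b30 updater.exe        2740   1432 0x0000000011e09000 2020-04-11 08:07:33 UTC+0000
"""

def parse_processes(text):
    """Return {(pid, name): row} from pslist or psscan text output."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and banner lines do not match
            offset, name, pid, ppid = m.groups()
            procs[(int(pid), name)] = {"offset": offset, "ppid": int(ppid),
                                       "stamps": len(STAMP.findall(line))}
    return procs

def cross_view(pslist_text, psscan_text):
    """Processes seen by psscan but not pslist, as (pid, name, ppid, verdict)."""
    listed = parse_processes(pslist_text)
    findings = []
    for (pid, name), row in sorted(parse_processes(psscan_text).items()):
        if (pid, name) not in listed:
            # Two timestamps on a psscan row mean an exit time was recorded.
            verdict = "exited" if row["stamps"] >= 2 else "not-in-active-list"
            findings.append((pid, name, row["ppid"], verdict))
    return findings

if __name__ == "__main__":
    for finding in cross_view(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print(finding)
```

A "not-in-active-list" row has no exit time but is missing from pslist; it is a lead to review (psscan can also pick up stale structures), not a confirmed hidden process.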
To display a process's loaded DLLs, use the dlllist command. To extract a DLL from a process's memory space and dump it to disk for analysis, use the dlldump command; -D is the output directory (dllfiles in this example).
E.g: $ volatility -f <Memory file> --profile=Win7SP1x64 dlldump -D dllfiles/


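To view network connections and the commands that were run in the command prompt (the connections plugin only supports Windows XP and 2003 images, so use netscan with a Windows 7 profile), e.g.:
$ volatility -f <Memory file> --profile=Win7SP1x64 netscan
$ volatility -f <Memory file> --profile=Win7SP1x64 cmdscan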

To locate the virtual addresses of registry hives in memory, and the full paths to the corresponding hives on disk, use the hivelist command, e.g.:
$ volatility -f <Memory file> --profile=Win7SP1x64 hivelist

To display a process's environment variables, use the envars plugin. Typically this will show the number of CPUs installed and the hardware architecture, the process's current directory, temporary directory, session name, computer name, user name, and various other interesting artifacts, e.g.:
$ volatility -f <Memory file> --profile=Win7SP1x64 envars


To find file objects in physical memory using pool tag scanning, use the filescan command. This will find open files even if a rootkit is hiding the files on disk, and even if the rootkit hooks some API functions to hide the open handles on a live system, e.g.:
$ volatility -f <Memory file> --profile=Win7SP1x64 filescan


To dump a file, use dumpfiles with -Q <file offset> -D <output directory>:
$ volatility -f <Memory file> --profile=Win7SP1x64 dumpfiles -Q 0x000000005fcfc4b0 -D .

Besides these, there are more very useful commands and modules/plugins, such as:
chromehistory, iehistory, notepad, sqlite_help, apihooksdeep, screenshot, userassist, …


Volatility in Cyber Triage
We integrated Volatility into Cyber Triage so that you can harness the parsing power of Volatility along with the intuitive Cyber Triage automation and interface. If you are a responder who always does a memory capture as part of your workflow, you can now pull it into Cyber Triage and integrate it into your triage process.

When you import a memory image, Cyber Triage uses Volatility’s ‘kdbgscan’ module to detect the profile (i.e. operating system) and run a series of modules. Cyber Triage parses the module output, merges them together, and adds them to the database. When the results are available, they will get further analysis from Cyber Triage, and be displayed in the UI.


Thanks for reading

