Basic Memory Forensics
There are plenty of traces of someone's activity on a computer, but some of the most valuable information can be found in memory dumps, that is, images taken of RAM. In digital forensics, data present in digital assets serves as strong evidence. A system's memory may hold critical data about an attack, such as account credentials, encryption keys, messages, emails, non-cacheable internet history, network connections, connected endpoint devices, etc.
There are many ways to capture a memory file; one option is a tool called DumpIt, used to generate a physical memory dump of Windows machines. A raw memory dump is the most commonly used memory dump format for modern analysis tools. These dumps are often very large, but they can be analyzed using a tool called Volatility.
Volatility is the most popular memory forensics platform. It is available in Kali, Parrot, and similar distributions, and it can also be used on Windows by installing it manually. It allows you to extract evidence and intelligence from a memory image. It has an active user and developer community who build new modules to support new analysis techniques and data types. Volatility is a powerful tool that allows advanced users to find evidence that cannot be found with other tools. This post will help you get started with Volatility.
Let's go
In order to use Volatility properly you must supply a profile with --profile=<PROFILE>. So in the first step, we determine the profile using imageinfo:
$ volatility -f <Memory file> imageinfo
This gives us the suggested profile, e.g. Win7SP0x64, Win7SP1x64 or Win2008R2SP0x64.
In order to view processes, the pslist, pstree or psscan command can be used. E.g:
$ volatility -f <Memory file> --profile=Win7SP1x64 pslist
To extract a DLL from a process's memory space and dump it to disk for analysis, use the dlldump command; dlllist displays a process's loaded DLLs. -D is the output directory (dllfiles in this sample). E.g:
$ volatility -f <Memory file> --profile=Win7SP1x64 dlldump -D dllfiles/
To view network connections, use the connections command; to view commands that were run in the cmd prompt, use cmdscan. E.g:
$ volatility -f <Memory file> --profile=Win7SP1x64 connections
$ volatility -f <Memory file> --profile=Win7SP1x64 cmdscan
To locate the virtual addresses of registry hives in memory, and the full paths to the corresponding hives on disk, use the hivelist command. E.g:
$ volatility -f <Memory file> --profile=Win7SP1x64 hivelist
To display a process's environment variables, use the envars plugin. Typically this will show the number of CPUs installed and the hardware architecture, the process's current directory, temporary directory, session name, computer name, user name, and various other interesting artifacts. E.g:
$ volatility -f <Memory file> --profile=Win7SP1x64 envars
To find file objects in physical memory using pool tag scanning, use the filescan command. This will find open files even if a rootkit is hiding the files on disk, or if the rootkit hooks API functions to hide the open handles on a live system. E.g:
$ volatility -f <Memory file> --profile=Win7SP1x64 filescan
To dump a file found by filescan, pass its offset with -Q <file offset> and the output directory with -D <output directory>:
$ volatility -f <Memory file> --profile=Win7SP1x64 dumpfiles -Q 0x000000005fcfc4b0 -D .
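The imageinfo and filescan/dumpfiles steps above chain together naturally: read the suggested profile out of imageinfo, then turn filescan rows of interest into dumpfiles commands. The script below is an added example (not part of the original post or of Volatility itself) that parses constructed samples of both outputs in the Volatility 2 text format; the memory file name and the file pattern are assumptions.

```python
import re
import shlex

# Constructed sample of `volatility -f <Memory file> imageinfo` output (trimmed).
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                           DTB : 0x187000L
"""

# Constructed sample of `filescan` output: Offset(P) #Ptr #Hnd Access Name.
SAMPLE_FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0d7f20     16      0 R--r-- \\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll
0x000000005fcfc4b0      2      0 RW-rw- \\Device\\HarddiskVolume1\\Users\\Bob\\Documents\\notes.docx
"""

# Matches a filescan data row: hex offset, pointer count, handle count, access, path.
FILESCAN_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+\S+\s+\S+\s+\S+\s+(\S.*)$")


def parse_suggested_profiles(imageinfo_output: str) -> list[str]:
    """Return the profiles imageinfo suggests, best guess first."""
    for line in imageinfo_output.splitlines():
        if "Suggested Profile(s)" in line:
            _, _, profiles = line.partition(":")
            return [p.strip() for p in profiles.split(",") if p.strip()]
    return []  # no KDBG-based suggestion found; profile must be chosen by hand


def parse_filescan(filescan_output: str) -> list[tuple[int, str]]:
    """Return (physical offset, path) pairs for each file object row."""
    rows = []
    for line in filescan_output.splitlines():
        m = FILESCAN_ROW.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2).strip()))
    return rows


def dumpfiles_commands(memory_file: str, profile: str, filescan_output: str,
                       pattern: str, out_dir: str = ".") -> list[str]:
    """Build one dumpfiles command per file object whose path matches pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [
        f"volatility -f {shlex.quote(memory_file)} --profile={profile} "
        f"dumpfiles -Q {offset:#018x} -D {shlex.quote(out_dir)}"
        for offset, path in parse_filescan(filescan_output) if rx.search(path)
    ]


if __name__ == "__main__":
    profile = parse_suggested_profiles(SAMPLE_IMAGEINFO)[0]
    for cmd in dumpfiles_commands("memory.raw", profile, SAMPLE_FILESCAN, r"\.docx$"):
        print(cmd)
```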
Read more
Cheat sheet: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
Besides these, there are many more useful commands and modules/plugins, such as: chromehistory, iehistory, notepad, sqlite_help, apihooksdeep, screenshot, userassist, …
Thanks for reading