Cyber Forensics

Memory Forensics: Using Volatility Framework

Cyber Criminals and attackers have become so creative in their crime type that they have started finding methods to hide data in the volatile memory of the systems. Today, in this article we are going to have a greater understanding of live memory acquisition and its forensic analysis. Live Memory acquisition is a method that is used to collect data when the system is found in an active state at a scene of the crime.

Table of Contents

  • Memory Acquisition
  • Importance of Memory Acquisition
  • Dump Format Supported
  • Memory Analysis Plugins
  • Imageinfo
  • Kdbgscan
  • Processes
  • DLLs
  • Handles
  • Netscan
  • Hivelist
  • Timeliner
  • Hashdump
  • Lsadump
  • Modscan
  • Filescan
  • Svcscan
  • History
  • Dumpregistry
  • Moddump
  • Procdump
  • Memdump
  • notepad

Memory Acquisition

It is the method of capturing and dumping the contents of a volatile content into a non-volatile storage device to preserve it for further investigation. A ram analysis can only be successfully conducted when the acquisition has been performed accurately without corrupting the image of the volatile memory. In this phase, the investigator has to be careful about his decisions to collect the volatile data as it won’t exist after the system undergoes a reboot. The volatile memory can also be prone to alteration of any sort due to the continuous processes running in the background. Any external move made on the suspect system may impact the device’s ram adversely.

Importance of Memory Acquisition

When a volatile memory is a capture, the following artifacts can be discovered which can be useful to the investigation:

  • On-going processes and recently terminated processes
  • Files mapped in the memory (.exe, .txt, shared files, etc.)
  • Any open TCP/UDP ports or any active connections
  • Caches (clipboard data, SAM databases, edited files, passwords, web addresses, commands)
  • Presence of hidden data, malware, etc.

Here, we have taken a memory dump of a Windows7 system using the Belkasoft RAM Capturer, which can be downloaded from here.

Memory Analysis

Once the dump is available, we will begin with the forensic analysis of the memory using the Volatility Memory Forensics Framework which can be downloaded from here. The volatility framework support analysis of memory dump from all the versions and services of Windows from XP to Windows 10. It also supports Server 2003 to Server 2016. In this article, we will be analyzing the memory dump in Kali Linux where Volatility comes pre-installed.

Dump Format Supported

  • Raw format
  • Hibernation File
  • VM snapshot
  • Microsoft crash dump

Switch on your Kali Linux Machines, and to get a basic list of all the available options, plugins, and flags to use in the analysis, you can type

volatility -h

Imageinfo

When a Memory dump is taken, it is extremely important to know the information about the operating system that was in use. Volatility will try to read the image and suggest the related profiles for the given memory dump. The image info plugin displays the date and time of the sample that was collected, the number of CPUs present, etc. To obtain the details of the ram, you can type;

volatility -f ram.mem imageinfo

A profile is a categorization of specific operating systems, versions and its hardware architecture, A profile generally includes metadata information, system call information, etc. You may notice multiple profiles would be suggested to you.

Kdbgscan

This plugin finds and analyses the profiles based on the Kernel debugger data block. The Kdbgscan thus provides the correct profile related to the raw image. To supply the correct profile for the memory analysis, type

volatility -f ram.mem kdbgscan

Processes

When a system is in an active state it is normal for it to have multiple processes running in the background and can be found in the volatile memory. The presence of any hidden process can also be parsed out of a memory dump. The recently terminated processes before the reboot can also be recorded and analyzed in the memory dump. There are a few plugins that can be used to list down the processes

Pslist

To identify the presence of any rogue processes and to view any high-level running processes, one can use

volatility -f ram.mem --profile=Win7SP1x64 pslist -P

On executing this command, the list of processes running is displayed, their respective process ID assigned to them and the parent process ID is also displayed along. The details about the threads, sessions, handles are also mentioned. The timestamp according to the start of the process is also displayed. This helps to identify whether an unknown process is running or was running at an unusual time.

Psscan

This plugin can be used to give a detailed list of processes found in the memory dump. It can not detect hidden or unlinked processes.

volatility -f ram.mem --profile=Win7SP1x64 psscan

Pstree

In this plugin, the pslist is represented with a child-parent relationship and shows any unknown or abnormal processes. The child process is represented by indention and periods.

volatility -f ram.mem --profile=Win7SP1x64 pstree

DLLs

DLLlist

volatility -f ram.mem --profile=Win7SP1x64 dlllist -p 1116,788

DLLs stand for Dynamic-link library automatically that is added to this list when a process according to calls Load Library and they aren’t removed until. To display the DLLs for any particular process instead of all processes.

DLLDump

This plugin is used to dump the DLLs from the memory space of the processes into another location to analyze it. To take a dump of the DLLs you can type,

volatility -f ram.mem --profile=Win7SP1x64 dlldump --dump-dir /root/ramdump/

Handles

This plugin is used to display the open handles that are present in a process. This plugin applies to files, registry keys, events, desktops, threads, and all other types of objects. To see the handles present in the dump, you can type,

volatility -f ram.mem --profile=Win7SP1x64 handles

Getsids

This plugin is used to view the SIDs stands for Security Identifiers that are associated with a process. This plugin can help in identifying processes that have maliciously escalated privileges and which processes belong to specific users. To get detail on a particular process id, you can type

volatility -f ram.mem --profile=Win7SP1x64 gets its -p 464

Netscan

This plugin helps in finding network-related artifacts present in the memory dump. It makes use of pool tag scanning. This plugin finds all the TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners. It provides details about the local and remote IP and also about the local and remote port. To get details on the network artifacts, you can type:

volatility -f ram.mem --profile=Win7SP1x64 netscan

Hivelist

This plugin can be used to locate the virtual addresses present in the registry hives in memory, and their entire paths to hive on the disk. To obtain the details on the hivelist from the memory dump, you can type:

volatility -f ram.mem --profile=Win7SP1x64 hivelist

Timeliner

This plugin usually creates a timeline from the various artifacts found in the memory dump. To locate the artifacts according to the timeline, you can use the following command:

volatility -f ram.mem --profile=Win7SP1x64 timeliner

Hashdump

This plugin can be used to extract and decrypt cached domain credentials stored in the registry which can be availed from the memory dump. The hashes that are availed from the memory dump can be cracked using John the Ripper, Hashcat, etc. To gather the hashdump, you can use the command:

volatility -f ram.mem --profile=Win7SP1x64 hashdump

Lsadump

This plugin is used to dump LSA secrets from the registry in the memory dump. This plugin gives out information like the default password, the RDP public key, etc. To perform a lsadump, you can type the following command:

volatility -f ram.mem --profile=Win7SP1x64 lsadump

Modscan

This plugin is used to locate kernel memory and its related objects. It can pick up all the previously unloaded drivers and also those drivers that have been hidden or have been unlinked by rootkits in the system. To

volatility -f ram.mem --profile=Win7SP1x64 modscan

Filescan

This plugin is used to find FILE_OBJECTs present in the physical memory by using pool tag scanning. It can find open files even if there is a hidden rootkit present in the files. To make use of this plugin, you can type the following command:

volatility -f ram.mem --profile=Win7SP1x64 filescan

Svcscan

This plugin is used to see the services are registered on your memory image, use the svcscan command. The output shows the process ID of each service the service name, service name, display name, service type, service state, and also shows the binary path for the registered service – which will be a .exe for user-mode services and a driver name for services that run from kernel mode. To find the details on the services

volatility -f ram.mem --profile=Win7SP1x64 svcscan

Cmdscan

This plugin searches the memory dump of XP/2003/Vista/2008 and Windows 7 for commands that the attacker might have entered through a command prompt (cmd.exe). It is one of the most powerful commands that one can use to gain visibility into an attacker’s actions on a victim system. To conduct a cmdscan, you can make use of the following command:

volatility -f ram.mem --profile=Win7SP1x64 cmdscan

Iehistory

This plugin recovers the fragments of Internet Explorer history by finding index.dat cache file. To find iehistory files, you can type the following command:

volatility -f ram.mem --profile=Win7SP1x64 iehistory

Dumpregistry

This plugin allows one to dump a registry hive into a disk location. To dump the registry hive, you use the following command.

volatility -f ram.mem --profile=Win7SP1x64 dumpregistry --dump-dir /root/ramdump/

Moddump

This plugin is used to extract a kernel driver to a file, you can do this by using the following command:

volatility -f ram.mem --profile=Win7SP1x64 moddump --dump-dir /root/ramdump/

Procdump

This plugin is used to dump the executable processes in a single location, If there is malware present it will intentionally forge size fields in the PE header for the memory dumping tool to fail. To collect the dump on processes, you can type:

volatility -f ram.mem --profile=Win7SP1x64 procdump --dump-dir /root/ramdump/

Memdump

The memdump plugin is used to dump the memory-resident pages of a process into a separate file. You can also look up a particular process using -p and provide it with a directory path -D to generate the output. To take a dump on memory-resident pages, you can use the following command:

volatility -f ram.mem --profile=Win7SP1x64 memdump --dump-dir /root/ramdump/

Notepad

Notepad files are usually highly looked up files in the ram dump. To find the contents present in the notepad file, you can use the following command:

volatility -f ram.mem --profile=WinXPSP2x86 notepad

Author: Jeenali Kothari is a Digital Forensics enthusiast and enjoys technical content writing. You can reach her on Here