2014/05/19

Physical Memory Analysis – Volatility

by Destruct_Icon
Categories: Analysis, Host Forensics

Volatility

So far we have gone through two other means of memory analysis: Bulk Extractor and Foremost. We plan to go very deep into Volatility at a later date but, as this run of posts is about the basics of physical memory, I want to keep this relatively short and sweet.

Volatility is a collection of plugins that allow you to parse and extract information out of a physical memory dump. Simple statement, but the tool’s value knows no bounds. What can you extract using Volatility? Current connections, malware, registry hives, MFT information, you name it. All it comes down to is knowing what plugins exist and how to use them.

Where to start:

The python or Windows standalone of Volatility may be downloaded at the following link: https://code.google.com/p/volatility/

SANS has a memory dump of a winXP system infected with APT malware freely available: http://digital-forensics.sans.org/blog/2014/02/08/apt-memory-and-malware-analysis-solution

— The SANS image appears to be 404ing based on some feedback we have received. I am adding a link to Volatility’s Memory Image Repo: https://code.google.com/p/volatility/wiki/SampleMemoryImages

The screenshots below are from the Windows standalone build of Volatility.

`Volatility.exe -h` displays the help menu to give an overview of what plugins you may use and switches that exist.

[Screenshot volDI01: output of `Volatility.exe -h`]

To dive deeper into the help for a specific plugin, use `Volatility.exe "plugin" -h`, which displays that plugin's own options.

[Screenshot volDI02: plugin-specific help output]

In order to launch volatility with a plugin, you will want to use the following format: `Volatility.exe "plugin" --profile="Suggested Profile" -f "Filename"`

The first plugin you will want to run against your image will be imageinfo. This will display which profile is suggested to use during your investigation. `Volatility.exe imageinfo -f APT.img`

[Screenshot volDI03: imageinfo output with the suggested profiles]

The suggested profile for this image appears to be WinXPSP2x86 or WinXPSP3x86. So far I have been able to use the first profile in all of the images I have used but DO make a note of ALL of them as you will reference them frequently.

We have now run volatility against a file and identified which profile to use going forward. We will try running a few plugins to see what pops up.

The first plugin I have run is "connections". As stated in the help file, "This module follows the handle table in tcpip.sys and prints current connections." Keep note that if you are investigating a Vista/7/2008 profile, the netscan plugin will be used instead of connections. `Volatility.exe connections --profile=WinXPSP2x86 -f APT.img`

[Screenshot volDI04: connections output]

It looks like we have found some strange traffic under the PID 796. We will follow this up by taking a look at the current processes that were running on the system. `Volatility.exe pstree --profile=WinXPSP2x86 -f APT.img`

[Screenshot volDI05: pstree output]

As going any further will spoil a lot of the challenge, let's assume that we know for sure that process 796 is a malicious file currently running on the system. How do we retrieve this process out of memory? `Volatility.exe procexedump -p 796 --dump-dir="C:\Users\Developer\Desktop\Volatility" --profile=WinXPSP2x86 -f APT.img`

[Screenshot volDI06: procexedump output]
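The four steps above (imageinfo, connections, pstree, procexedump) are easy to chain into a small triage script. The following is an added example, not code from the original post or from the Volatility project: it parses the text output of the Volatility 2 plugins, picks the first suggested profile, joins the connections table to the process tree, and builds the procexedump command line for every PID that holds a connection to a non-internal address. The plugin output embedded in the block is constructed to mimic the Volatility 2 column layout and is not taken from the SANS image; the image name, dump directory, the process name `1.exe` and the remote address (a documentation range standing in for a public peer) are assumptions.

```python
"""Triage helper around the Volatility 2 workflow: imageinfo -> connections ->
pstree -> procexedump.  Added example, not part of the original post."""
import ipaddress
import re
import subprocess

VOL = "Volatility.exe"                               # assumption: standalone build on PATH
IMAGE = "APT.img"                                    # image name used in the post
DUMP_DIR = r"C:\Users\Developer\Desktop\Volatility"  # dump directory used in the post

# Address ranges we treat as "internal"; anything else is worth a closer look.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# CONSTRUCTED sample output in the Volatility 2 layout (not from a real image).
IMAGEINFO_SAMPLE = """\
Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
"""
CONNECTIONS_SAMPLE = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81f1da78 172.16.112.128:1038       203.0.113.10:8080         796
0x820c6e38 172.16.112.128:1045       172.16.112.1:445          4
"""
PSTREE_SAMPLE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x823c8830:System                                      4      0     55    253 1970-01-01 00:00:00 UTC+0000
. 0x8241b020:smss.exe                                 368      4      3     19 2014-02-01 12:00:00 UTC+0000
.. 0x8231c020:winlogon.exe                            608    368     23    519 2014-02-01 12:00:05 UTC+0000
 0x81f5c8a0:explorer.exe                             1464   1432     17    415 2014-02-01 12:00:40 UTC+0000
. 0x81f3f020:1.exe                                    796   1464      2     48 2014-02-01 12:01:00 UTC+0000
"""


def build_command(plugin, profile=None, image=IMAGE, **extra):
    """argv for `Volatility.exe <plugin> --profile=<p> -f <img> --flag=value ...`."""
    argv = [VOL, plugin]
    if profile:
        argv.append("--profile=%s" % profile)
    argv += ["-f", image]
    for flag, value in extra.items():              # pid -> --pid, dump_dir -> --dump-dir
        argv.append("--%s=%s" % (flag.replace("_", "-"), value))
    return argv


def run(argv):
    """Run one Volatility command and return its stdout (needs the real binary)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def parse_imageinfo(text):
    """Profiles listed on the 'Suggested Profile(s)' line, in the order printed."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", text)
    if not m:
        return []
    names = re.sub(r"\(.*?\)", "", m.group(1))    # drop the '(Instantiated with ...)' hint
    return [p.strip() for p in names.split(",") if p.strip()]


def parse_connections(text):
    """(pid, local, remote) rows from the XP `connections` table."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$", line.strip())
        if m:
            rows.append((int(m.group(3)), m.group(1), m.group(2)))
    return rows


def parse_pstree(text):
    """{pid: (name, ppid)} from the `pstree` table; leading dots mark tree depth."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^[. ]*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)", line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def external_talkers(connections, procs):
    """PIDs with a peer outside INTERNAL_NETS, joined to name/parent from pstree."""
    found = {}
    for pid, _local, remote in connections:
        try:
            addr = ipaddress.ip_address(remote.rsplit(":", 1)[0])
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            continue
        name, ppid = procs.get(pid, ("<unknown>", -1))
        found.setdefault(pid, {"name": name, "ppid": ppid, "remotes": []})
        found[pid]["remotes"].append(remote)
    return found


def triage(imageinfo_text, connections_text, pstree_text):
    """Return (profile, suspects, {pid: procexedump argv}) for the parsed output."""
    profile = parse_imageinfo(imageinfo_text)[0]   # the post uses the first suggestion
    suspects = external_talkers(parse_connections(connections_text),
                                parse_pstree(pstree_text))
    dumps = {pid: build_command("procexedump", profile, pid=pid, dump_dir=DUMP_DIR)
             for pid in suspects}
    return profile, suspects, dumps


if __name__ == "__main__":
    # Stand-alone run over the constructed samples; swap in run(build_command(...))
    # for each plugin to drive a real image.
    profile, suspects, dumps = triage(IMAGEINFO_SAMPLE, CONNECTIONS_SAMPLE, PSTREE_SAMPLE)
    print("profile:", profile)
    for pid, info in suspects.items():
        print(pid, info["name"], "ppid", info["ppid"], "->", ", ".join(info["remotes"]))
        print("  ", " ".join(dumps[pid]))
```

To use it against a real image, replace the three sample strings with `run(build_command("imageinfo"))`, `run(build_command("connections", profile))` and `run(build_command("pstree", profile))`; the parsers only look at the plugin tables, so the banner lines Volatility prints first are ignored. Keep the `INTERNAL_NETS` filter as a first cut only: an address outside those ranges is a reason to look at the process, not proof of anything.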

We have looked at identifying connections, processes and also extracting data out of memory using Volatility. These were just a few of the plugins that can be used during an investigation. Do not be afraid to poke around and see what you can find in the image sample from SANS. Keep in mind understanding methodology is going to be key during an investigation. Did you identify maybe an exe named 1.exe? Maybe you found some strange writes in the MFT. Is there a legitimate reason why a system may be speaking to Chinese IP address space?

If you have any questions, you can contact me directly at destruct_icon@malwerewolf.com or leave a comment below.

