Volatility: A Memory Forensics Framework

Introduction

Windows memory forensics mainly deals with analysing the memory dump produced by the Windows OS when the system crashes. One can create a memory dump by loading malicious code into a VM and suspending it, or by using the following tools:

1. DumpIt (this tool produces the memory dump in raw format)

The obtained memory dump is analysed with an open-source tool called Volatility.

Since Volatility is written in Python, it is platform independent and can be used on any platform.

Contents

1. Introduction to Malware

Malware, or malicious software, attacks a computer by injecting malicious code into processes. When this happens, the process, even though it harms the OS, is disguised as a legitimate process by unlinking. These processes have the same permissions as other processes and hence are not affected when the computer boots.

2. Introduction to Volatility

Volatility is an open-source tool used for malware analysis of memory dumps. It is considered one of the best tools for memory analysis. The installation process for Volatility is given below:

https://shankaraman.wordpress.com/category/tools/

3. Basic Commands and Concepts Regarding Volatility

After installing Volatility, use the following commands.

Commands

1. vol.py -f lab1.vmem -h

This will start the Volatility framework and print its help text, which lists the available options and plugins.

2. vol.py -f lab1.vmem pslist

This lists all the processes in the memory dump. It displays the address and name of each process, the process ID, and the number of threads in the process. However, it will not show processes that are unlinked.

2a. vol.py -f lab1.vmem pslist -p 100

This command gives information about the specific process whose process ID is 100.

2b. pslist produces its results based on virtual memory.

3. vol.py -f lab1.vmem psscan

This command also lists all the processes in a given memory dump file, but it also shows processes that are unlinked. By comparing the results produced by the two commands, we can identify which process has the malicious code injected: most of these processes will be unlinked, so they cannot be viewed with pslist but can be viewed with psscan.

3a. psscan lists the processes based on physical memory.

4. vol.py -f lab1.vmem pstree

This shows the parent-child relationships between the various processes.

5. vol.py -f lab1.vmem psxview

This command checks whether a process is visible in all fields, such as pslist, psscan and thrdproc; where it is not, the field shows False.

6. vol.py -f lab1.vmem psxview -R

Most processes are the child of another process, so a process may not be visible in one field, but this does not mean that the process is malicious. For such instances, the above command gives an output of "Okay".

7. vol.py -f lab1.vmem connections

This command checks whether there were any active connections at the time of the memory dump. If the process is unlinked, however, it will not show the connections.

8. vol.py -f lab1.vmem connscan

This command also gives the active connections, and it also works for processes that are unlinked.

9. vol.py -f lab1.vmem handles -t Mutant

This command is used to find out whether a mutant is present in a process. If one is present, this indicates that the process has malicious code.

10. vol.py -f lab1.vmem sockets
    vol.py -f lab1.vmem sockscan

These commands are used to view the socket activity at the time the memory dump occurred.

11. vol.py -f lab1.vmem dlllist

This command gives the details of all the DLLs of all processes in the memory dump.

12. vol.py -f lab1.vmem dlllist -p 144

This gives the details of the DLLs in the process with process ID 144.

13. vol.py -f lab1.vmem dlldump -p 144 -b 0x00000000016ba360 -D dump/

This dumps the content of the DLL specified by the hex address, from the process with process ID 144, into the directory dump.

14. vol.py -f lab1.vmem procdump -p 144 -D dump/
    vol.py -f lab1.vmem procdump -o 0x1f0003 -D dump/

This dumps the content of the process specified by the process ID 144 or by the hexadecimal address 0x1f0003 to the directory.

15. vol.py -f lab1.vmem yarascan -Y "MZ"
    vol.py -f lab1.vmem yarascan -Y "{4d 5a}"

This command finds all the processes that have an MZ header, that is, it locates the processes having an executable header. One could also give the hex value enclosed in braces.

These are just the basic commands used in Volatility. For more information about the commands, visit the following site: http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/
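
The pslist/psscan comparison described under commands 2 and 3, as an added example that is not part of the original post: a Python script that diffs the text output of the two plugins. The sample output is constructed and its column layout is assumed to match Volatility 2's text output; the script goes one step beyond the text by separating processes that psscan shows as already exited, since those are missing from pslist for ordinary reasons.

```python
import re

# Constructed sample output in the assumed Volatility 2 text layout (not from a real image).
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x82298700 winlogon.exe            608    368     23      519      0      0 2012-07-22 02:42:32 UTC+0000
"""
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000025c89c8 System                4      0 0x00319000
0x00000000024f1020 smss.exe            368      4 0x07a40020 2012-07-22 02:42:31 UTC+0000
0x0000000002498700 winlogon.exe        608    368 0x07a40060 2012-07-22 02:42:32 UTC+0000
0x00000000023dea70 cmd.exe            1136    608 0x07a40120 2012-07-22 02:43:10 UTC+0000 2012-07-22 02:43:12 UTC+0000
0x00000000023dfda0 svch0st.exe        1640    608 0x07a401e0 2012-07-22 02:44:01 UTC+0000
"""

ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(.*)$")
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def parse(text):
    """Return {(pid, name): number_of_timestamps} for every process row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and dashed separator lines do not match
            rows[(int(m.group(3)), m.group(2))] = len(STAMP.findall(m.group(5)))
    return rows

def unlinked(pslist_text, psscan_text):
    """Processes psscan found that pslist did not, split by exit state."""
    listed = parse(pslist_text)
    suspects, exited = [], []
    for key, stamps in sorted(parse(psscan_text).items()):
        if key not in listed:
            # Two timestamps = created + exited: a terminated process, not a hidden one.
            (exited if stamps >= 2 else suspects).append(key)
    return suspects, exited

if __name__ == "__main__":
    suspects, exited = unlinked(PSLIST, PSSCAN)
    print("running but missing from pslist:", suspects)
    print("already exited (expected to be missing):", exited)
```

Rows are matched on PID and name together rather than on the offset, because pslist prints virtual offsets and psscan prints physical ones.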
