Introduction
Windows memory forensics deals with analysing an image of a Windows system's physical memory (RAM). Such an image can be the crash dump the OS writes when the system crashes, but for malware analysis it is usually acquired on purpose: run the malicious sample inside a VM and suspend the VM (VMware then writes the guest's memory to a .vmem file), or use an acquisition tool such as the following:
1. DumpIt (this tool produces the memory dump in raw format)
The obtained memory dump is analysed with an open-source tool called Volatility.
Since Volatility is written in Python it is platform independent, so it can be run on Windows, Linux or macOS regardless of which OS the image was taken from.
Contents
1. Introduction to malware
Malware, or malicious software, attacks a computer by running its own code, frequently by injecting that code into existing processes. To stay hidden, the malicious process may be unlinked from the kernel's list of active processes (a technique known as Direct Kernel Object Manipulation): it then disappears from Task Manager and from any tool that walks that list, yet the scheduler keeps running its threads, and the process retains whatever privileges it already had, so code injected into a SYSTEM service keeps running as SYSTEM. Memory forensics can still find such processes because the kernel structures that describe them remain in memory.
2. Introduction to Volatility
Volatility is an open-source tool for analysing memory dumps, including the malware analysis of infected systems, and is widely considered one of the best tools for memory analysis. The installation process for Volatility is given below:
https://shankaraman.wordpress.com/category/tools/
3. Basic commands and concepts regarding Volatility
After installing Volatility, use the following commands. In each of them lab1.vmem is the memory image, passed with -f. Volatility 2 assumes a Windows XP SP2 x86 image unless told otherwise; for any other Windows version add --profile=<profile>, where the imageinfo plugin suggests the profile to use.
Commands
1. vol.py -f lab1.vmem -h
This prints the Volatility help: the global options and the list of available plugins. It does not analyse the image yet.
2. vol.py -f lab1.vmem pslist
This lists the processes in the memory dump by walking the kernel's doubly linked list of active processes. It displays the address of each process object, the process name, the process ID, the parent process ID, the number of threads and handles, and the start time. Because it follows the linked list, it will not show processes that have been unlinked from it.
2a. vol.py -f lab1.vmem pslist -p 100
This restricts the output to the process with process ID 100 (-p works the same way with most process-related plugins).
2b. pslist reports virtual addresses (the Offset(V) column), because it follows pointers through the kernel's virtual address space.
3. vol.py -f lab1.vmem psscan
This also lists the processes in the memory dump, but instead of following the linked list it scans physical memory for the pool-tag signature of process objects (_EPROCESS), so it also finds processes that have been unlinked. Comparing the two outputs therefore reveals hidden processes: a process that psscan shows but pslist does not is either unlinked, which is a strong indicator of injected or rootkit code, or simply terminated, since psscan also recovers process objects that have exited but have not yet been overwritten. Check the exit time column before calling a process malicious.
3a. psscan reports physical addresses (the Offset(P) column), because it scans the raw image rather than the virtual address space.
4. vol.py -f lab1.vmem pstree
This shows the parent/child relationships between processes as an indented tree built from the pslist data, which makes unexpected parents (for example, a command shell spawned by a process that should never spawn one) easy to spot.
5. vol.py -f lab1.vmem psxview
This cross-references several independent ways of finding processes (pslist, psscan, thrdproc, pspcid, csrss, session and deskthrd) and prints True or False for each process in each column. A process that is False in pslist but True in the scanning columns has been unlinked.
6. vol.py -f lab1.vmem psxview -R
Not every False is suspicious: System and smss.exe are never tracked by csrss.exe, processes that started before csrss.exe are missing from its handle table, and a process that has already exited drops out of several of the sources. The -R (--apply-rules) option labels such known-benign cases as "Okay" instead of False, so that only the unexplained False entries remain for investigation.
7. vol.py -f lab1.vmem connections
This lists the TCP connections that were active when the memory dump was taken (Windows XP and 2003 only; use netscan for Vista and later), with the owning process ID, by walking the linked list of connection objects. Connections that were closed, or whose objects were unlinked from that list, are not shown.
8. vol.py -f lab1.vmem connscan
This also lists TCP connections, but scans physical memory for connection objects instead of walking the list, so it additionally finds closed and hidden connections, including residual entries from connections that ended before the dump. Treat the extra results as leads to be confirmed, since a stale object may belong to a process that has since exited.
9. vol.py -f lab1.vmem handles -t Mutant
This lists the mutex (mutant) handles held by each process (add -p to restrict it to one process). Mutants are used by perfectly legitimate software, so their presence alone does not mean a process contains malicious code. Many malware families, however, create a uniquely named mutex to avoid infecting a machine twice, so a mutex name that matches a known sample, or that looks random and is held by a process that has no reason to use it, is a useful indicator.
10. vol.py -f lab1.vmem sockets (or sockscan)
These list the listening sockets at the time of the dump (Windows XP and 2003 only). sockets walks the socket list, while sockscan scans physical memory for socket objects and therefore also finds closed or hidden ones, in the same way that connscan relates to connections.
11. vol.py -f lab1.vmem dlllist
This lists the DLLs loaded in every process in the memory dump, giving each DLL's base address, size and path as recorded in the process's loader (PEB) lists.
12. vol.py -f lab1.vmem dlllist -p 144
This lists only the DLLs loaded in the process with process ID 144.
13. vol.py -f lab1.vmem dlldump -p 144 -b 0x00000000016ba360 -D dump/
This extracts the DLL whose base address is 0x00000000016ba360 (as shown by dlllist) from the process with process ID 144 and writes it as a file into the directory dump/, which must already exist. The dumped file can then be scanned or disassembled like any other executable.
14. vol.py -f lab1.vmem procdump -p 144 -D dump/ (or vol.py -f lab1.vmem procdump -o 0x1f0003 -D dump/)
This reconstructs the executable of the process with process ID 144 from memory and writes it to the directory dump/. The -o form selects the process by the physical offset of its process object instead of by PID, which is how to dump a hidden process that psscan found but the list-walking -p lookup cannot reach.
15. vol.py -f lab1.vmem yarascan -Y "MZ" (or -Y "{4d 5a}")
This searches the memory of every process for the given YARA pattern, here the two-byte MZ signature that begins every Windows executable, and prints each hit with its owning process and address; the form in braces is the same pattern written as hex bytes. Expect a hit in every process at the base of each legitimately loaded module. The interesting hits are MZ headers at addresses that dlllist does not account for, which can indicate injected code. -p limits the scan to one process, and -y takes a file of YARA rules instead of a single pattern.
These are just the basic commands used in Volatility; for more information about the commands visit the following site: http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/
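The pslist/psscan comparison described in commands 2 and 3 above is usually scripted rather than done by eye. The following shell snippet is an added example, not code from the original post or from the Volatility project: it reads saved pslist and psscan output and prints every process that psscan found but pslist did not, marking rows that carry an exit timestamp as "exited" so that only the unexplained entries remain as candidates for a hidden process. The two sample outputs are constructed to match the Volatility 2 column layout; every offset, name and PID in them (including the hypothetical update.exe) is illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): find processes that psscan
# reports but pslist does not, and separate exited ones from hidden ones.
# Sample data below is constructed; offsets, names and PIDs are illustrative.

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Constructed pslist output: it walks the linked list, so neither the
# exited process nor the unlinked one appears.
cat > "$SAMPLES/pslist.txt" <<'EOF'
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2008-11-26 07:38:04 UTC+0000
0x821dea70 csrss.exe               584    368     10      299      0      0 2008-11-26 07:38:05 UTC+0000
0x81e3c3b0 explorer.exe           1456   1404     13      379      0      0 2008-11-26 07:38:24 UTC+0000
EOF

# Constructed psscan output: it scans physical memory, so it also recovers
# a process that already exited (notepad.exe, with an exit time) and one
# unlinked from the list (update.exe, hypothetical).
cat > "$SAMPLES/psscan.txt" <<'EOF'
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x00000000022f1020 smss.exe            368      4 0x0a1c0020 2008-11-26 07:38:04 UTC+0000
0x00000000021dea70 csrss.exe           584    368 0x0a1c0040 2008-11-26 07:38:05 UTC+0000
0x0000000001e3c3b0 explorer.exe       1456   1404 0x0a1c0140 2008-11-26 07:38:24 UTC+0000
0x0000000001f0b020 notepad.exe        1208   1456 0x0a1c0200 2008-11-26 07:39:02 UTC+0000 2008-11-26 07:39:40 UTC+0000
0x0000000001e6d7e8 update.exe          988   1456 0x0a1c01c0 2008-11-26 07:40:10 UTC+0000
EOF

# hidden_procs PSLIST_FILE PSSCAN_FILE
# Prints "PID NAME STATUS" for every process present in the psscan output
# but absent from the pslist output. Both plugins put the name in column 2
# and the PID in column 3; banner, header and separator lines are skipped
# because their third field is not numeric. A psscan row has 11 fields when
# it carries both a creation and an exit timestamp (date, time, zone each),
# and 8 fields while the process is still running.
hidden_procs() {
    awk '
        NR == FNR { if ($3 ~ /^[0-9]+$/) seen[$3] = 1; next }   # first file: collect pslist PIDs
        $3 ~ /^[0-9]+$/ && !($3 in seen) {                        # second file: psscan rows not in pslist
            status = (NF >= 11) ? "exited" : "hidden?"
            print $3, $2, status
        }' "$1" "$2"
}

hidden_procs "$SAMPLES/pslist.txt" "$SAMPLES/psscan.txt"
```

Against a real image, save the two plugin outputs first (vol.py -f lab1.vmem pslist > pslist.txt and vol.py -f lab1.vmem psscan > psscan.txt) and call hidden_procs on those files; a "hidden?" line is the process to follow up with psxview, its handles and connections, and a procdump by physical offset, while an "exited" line is usually just a terminated process whose object has not been reused yet.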