Skip to content

Divinemonk/memory_forensics_with_volatility

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Memory Forensics with Volatility

https://www.volatilityfoundation.org/releases


Obtaining Memory Samples

Live machines

  • memory image extractor
 FTK Imager
 Redline
 DumpIt.exe
 win32dd.exe / win64dd.exe (psexec)
  • these tools will typically output a .raw file

Offline machines

  • windows:
    • windows hibernation file (%SystemDrive%/hiberfil.sys) stores compressed memory image from previous boot

Virtual machines

  • memory images
 VMware - .vmem file
 Hyper-V - .bin file
 Parallels - .mem file
 VirtualBox - .sav file
  • can be found on data store of the corresponding hypervisor & can be copied without shuting vm off
  • allows for virtually zero disturbance to the virtual machine, preserving it's forensic integrity


[Eg.] examine .vmem memory sample

download memory sample


Basic commands

tested using volatility version 2.6 (linux standalone executable x64)

command details
volatility -f MEMORY_FILE.raw imageinfo Profiles determine how volatility treats our memory image since every version of windows is a little bit different.
volatility -f MEMORY_FILE.raw --profile=PROFILE pslist Test these profiles using the pslist command, validating our profile selection by the sheer number of returned results.
volatility -f MEMORY_FILE.raw --profile=PROFILE netscan View active network connections at the time of image creation.
volatility -f MEMORY_FILE.raw --profile=PROFILE psxview View intentionally hidden processes.
volatility -f MEMORY_FILE.raw --profile=PROFILE ldrmodules In addition to viewing hidden processes via psxview, we can also check this with a greater focus via the command 'ldrmodules'. Three columns will appear here in the middle, InLoad, InInit, InMem. If any of these are false, that module has likely been injected which is a really bad thing. On a normal system the grep statement above should return no output.
volatility -f MEMORY_FILE.raw --profile=PROFILE apihooks View unexpected patches in the standard system DLLs. If we see an instance where Hooking module: that's really bad. This command will take a while to run, however, it will show you all of the extraneous code introduced by the malware.
volatility -f MEMORY_FILE.raw --profile=PROFILE malfind -D <Destination Directory> Injected code can be a huge issue and is highly indicative of very very bad things. With malfind command, we can not only find this code, but also dump it to our specified directory.
volatility -f MEMORY_FILE.raw --profile=PROFILE dlllist List all of the DLLs in memory.
volatility -f MEMORY_FILE.raw --profile=PROFILE --pid=PID dlldump -D Dump the DLLs running in memory, where the PID is the process ID of the infected process

Post actions

  • we spoted & extracted malicious code from infected process (done with basic forensics)
  • now upload to code to VirusTotal or Hybrid Analysis for checking any previous matches of malware

About

Memory Forensics with Volatility

Topics

memory forensics volatility memory-forensics

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

download memory sample Latest
Oct 28, 2023