Memory Forensics - caitlinmallen/TechWiki GitHub Wiki

Memory Forensics & Volatility

  • The process of acquiring and analyzing physical memory (RAM)
  • Provides strong supporting evidence for other investigations
    • Disk or network
  • Why do you need memory forensics?
    • The malware has already executed on the victim
      • Part of IR: the evidence is the system's live state, not a fresh detonation in a sandbox
    • Find code injection and rootkits
      • Hidden from (or never written to) disk but visible in memory
    • Bypass malware's anti-analysis (anti-debug, anti-VM, packing) techniques
      • The sample has already unpacked and run on what it believes is a normal system, so memory holds the decoded code and data
    • Extra validation
      • Corroborates other analysis methods (disk, network, logs)
  • What can I find?
    • The state of everything running on the computer at capture time
    • Like:
      • Processes
      • Network connections
      • Drivers and kernel modules
      • Command history (cmd.exe console input and output)
      • Application-level details
      • Encryption-related data (keys and passwords that exist in cleartext only in RAM)
  • Running Volatility v2.5
    • Step 1: Determine the profile
      • Which OS, service pack and architecture (e.g. WinXPSP3x86, Win7SP1x64)
      • vol.exe -f C:\image.mem imageinfo
      • imageinfo may suggest several profiles; if the chosen one gives empty or garbage plugin output, confirm it with kdbgscan
    • Step 2: Run the various plugins; most don't need additional input and follow this format
      • vol.exe -f C:\image.mem --profile=%PROFILE% %PLUGIN%
  • Important plugins (names are lowercase on the command line)
    • Process information
      • psscan, pslist, pstree, psxview, cmdline
      • psxview cross-references several process-enumeration methods; a process seen by psscan but not pslist is either terminated or unlinked (hidden)
    • Commands run
      • cmdscan, consoles
    • Network connections
      • connections, connscan, sockets, sockscan (XP/2003 only)
      • netscan (Vista and later)
    • Enumerate windows
      • windows, wintree, wndscan
    • Open files
      • filescan
    • Environment variables
      • envars
    • Threads and handles
      • thrdscan, handles
    • Security
      • privs
    • Code injection and rootkits
      • malfind, ldrmodules, apihooks, ssdt
    • Registry
      • hivescan, hivelist, hivedump, dumpregistry
      • printkey
    • Forensic artifacts
      • userassist
      • timeliner
      • mftparser
      • mbrparser
      • shellbags
      • shimcache
      • amcache
      • shutdowntime
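The two-step procedure above (pick a profile, then run plugins) and the psxview-style cross-view of pslist against psscan, as one added Python example written for this page; it is not code from the wiki or from the Volatility project. It assumes the standalone binary lives at C:\Tools\vol.exe and the image at C:\image.mem, and it uses constructed imageinfo, pslist and psscan output in Volatility 2.5's text layout as sample input, so it runs offline:

```python
"""Volatility 2.5 triage helper (added example): choose a profile from
imageinfo output, build plugin command lines, cross-check pslist vs psscan."""
import re
import subprocess

VOL = r"C:\Tools\vol.exe"   # assumed path to the standalone Volatility 2.5 binary
IMAGE = r"C:\image.mem"     # image path used on the wiki page

# Constructed imageinfo output (not a real capture) in Volatility 2.5's layout.
IMAGEINFO_SAMPLE = """\
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\\image.mem)
                           DTB : 0x319000L
                          KDBG : 0x80545ae0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
           Image date and time : 2012-09-05 04:11:38 UTC+0000
"""

# Constructed pslist (EPROCESS list walk) and psscan (pool carve) output for
# the same image. psscan also sees unlinked and already-terminated processes.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-09-05 04:11:15 UTC+0000
0x82137a48 explorer.exe           1484   1464     17      415      0      0 2012-09-05 04:11:25 UTC+0000
"""
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x00000000022f1020 smss.exe            368      4 0x07ac0000 2012-09-05 04:11:15 UTC+0000
0x0000000002137a48 explorer.exe       1484   1464 0x0e5c0000 2012-09-05 04:11:25 UTC+0000
0x0000000002084da0 notepad.exe        2096   1484 0x0fd00000 2012-09-05 04:20:01 UTC+0000 2012-09-05 04:21:10 UTC+0000
0x0000000002029ab8 backdoor.exe       1920   1484 0x0fc20000 2012-09-05 04:18:38 UTC+0000
"""


def suggested_profiles(imageinfo_output):
    """Profiles imageinfo proposes, in the order it lists them."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*([^\n(]+)", imageinfo_output)
    return [p.strip() for p in m.group(1).split(",") if p.strip()] if m else []


def choose_profile(imageinfo_output):
    """Prefer the suggestion whose SPn matches the 'Image Type (Service Pack)'
    line; the first suggestion (the one imageinfo instantiates) is not always right."""
    candidates = suggested_profiles(imageinfo_output)
    if not candidates:
        raise ValueError("no suggested profile; run kdbgscan and pick one by hand")
    sp = re.search(r"Image Type \(Service Pack\)\s*:\s*(\d+)", imageinfo_output)
    if sp:
        for p in candidates:
            if f"SP{sp.group(1)}" in p:
                return p
    return candidates[0]


def plugin_command(profile, plugin, vol=VOL, image=IMAGE):
    """argv for: vol.exe -f <image> --profile=<profile> <plugin>"""
    return [vol, "-f", image, f"--profile={profile}", plugin]


def parse_rows(text):
    """Data rows of a Volatility 2 table, whitespace-split; everything up to
    and including the '----' separator line is header."""
    rows, in_body = [], False
    for line in text.splitlines():
        if not in_body:
            in_body = line.startswith("---")
        elif line.split():
            rows.append(line.split())
    return rows


def cross_view(pslist_text, psscan_text):
    """psxview-style check keyed on (name, pid). A psscan row has 3 extra
    tokens (an exit time) when the process terminated; a live psscan-only
    process is the unlinked/hidden case worth investigating."""
    listed = {(f[1], int(f[2])) for f in parse_rows(pslist_text)}
    scanned = {(f[1], int(f[2])): len(f) > 8 for f in parse_rows(psscan_text)}
    hidden = sorted(k for k, exited in scanned.items() if k not in listed and not exited)
    terminated = sorted(k for k, exited in scanned.items() if k not in listed and exited)
    return {"hidden": hidden, "terminated": terminated}


def run(argv):
    """Run one Volatility command line and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demo on the constructed samples. Against a real image:
    #   profile = choose_profile(run([VOL, "-f", IMAGE, "imageinfo"]))
    #   report = cross_view(run(plugin_command(profile, "pslist")),
    #                       run(plugin_command(profile, "psscan")))
    profile = choose_profile(IMAGEINFO_SAMPLE)
    print("profile:", profile)
    print("psxview cmd:", " ".join(plugin_command(profile, "psxview")))
    print(cross_view(PSLIST_SAMPLE, PSSCAN_SAMPLE))
```

The cross-view is keyed on (name, PID) because pslist prints virtual offsets and psscan physical offsets by default; the real psxview joins on physical offsets, which pslist can also print with -P. The service-pack check matters because imageinfo lists every profile whose KDBG signature matched and instantiates the first, which for an XP SP3 image is often WinXPSP2x86.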