Analysis of Volatile Memory (RAM) Using Volatility3


Introduction:

Volatility3 is the newest and most advanced volatile memory forensics framework available. It is open source and written in Python, and it is the most widely used framework for extracting digital artefacts from volatile memory, i.e. a RAM image. The framework is intended to introduce people to the techniques for extracting digital artefacts from volatile memory (RAM) samples and to provide a platform for further work in this exciting area of research.

Downloading and Installation:

Requirements:

    Download Volatility from here, or run the following command in a command line to clone the repository:

    git clone https://github.com/volatilityfoundation/volatility3.git

    RAM Image Creation:

    To create a memory dump for analysis we can use the DumpIt memory tool, which can be downloaded from here. Alternatively, we can use FTK Imager to create a memory dump, which can be downloaded from here.

    To create the image using FTK Imager go to File > Capture Memory > Browse location > Capture Memory to start capturing.

    Analysis of a RAM Image in Windows:

    Open a command line in the folder where we have downloaded Volatility and run the following command to see all the available options for Volatility:

    python3 vol.py -h


    Useful Commands 

    windows.info

    Most often this command is used to identify the operating system, kernel details, service pack and hardware architecture (32-bit or 64-bit), but it also contains other useful information such as the DTB address and the time the sample was created.

    python3 vol.py -f <imagepath> windows.info






    windows.pslist.PsList

    To list the processes of a system, use windows.pslist.PsList. It shows the offset, process name, process ID, parent process ID, number of threads, number of handles, and the date/time when the process started and exited. This plugin walks the linked list of active processes, so it does not detect hidden or unlinked processes.

    python3 vol.py -f <imagepath> windows.pslist.PsList



    windows.psscan.PsScan

    This plugin scans memory for process structures rather than walking the list, so it can find processes that previously terminated (inactive) as well as processes that have been hidden or unlinked by a rootkit.

    python3 vol.py -f <imagepath> windows.psscan.PsScan
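    The practical way to use the two plugins above is to compare their output: anything psscan finds that pslist does not is either a terminated process whose structure has not been overwritten yet, or a live process that has been unlinked from the active-process list. The script below is an added example, not code from this post or from the Volatility project; it assumes the tab-separated column layout of Volatility3's text renderer (column names as shown in the constructed sample rows) and performs that comparison.

```python
"""Compare Volatility3 pslist and psscan output to surface processes that
the linked process list does not show (constructed sample data below)."""

# Constructed sample output in the tab-separated layout Volatility3's text
# renderer produces; the column names are assumed from that layout.
PSLIST_OUT = """Volatility 3 Framework 2.4.1
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xfa8000c9b040\t90\t500\tN/A\tFalse\t2023-01-01 10:00:00.000000\tN/A\tDisabled
540\t4\tsmss.exe\t0xfa80017e1b10\t2\t29\tN/A\tFalse\t2023-01-01 10:00:05.000000\tN/A\tDisabled
1234\t540\texplorer.exe\t0xfa8001a3c060\t30\t900\t1\tFalse\t2023-01-01 10:01:00.000000\tN/A\tDisabled
"""

PSSCAN_OUT = """Volatility 3 Framework 2.4.1
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xfa8000c9b040\t90\t500\tN/A\tFalse\t2023-01-01 10:00:00.000000\tN/A\tDisabled
540\t4\tsmss.exe\t0xfa80017e1b10\t2\t29\tN/A\tFalse\t2023-01-01 10:00:05.000000\tN/A\tDisabled
1234\t540\texplorer.exe\t0xfa8001a3c060\t30\t900\t1\tFalse\t2023-01-01 10:01:00.000000\tN/A\tDisabled
2468\t1234\tnotepad.exe\t0xfa8001b0d5e0\t0\t0\t1\tFalse\t2023-01-01 10:02:00.000000\t2023-01-01 10:03:00.000000\tDisabled
3579\t540\tsvchost.exe\t0xfa8001c44890\t4\t120\t0\tFalse\t2023-01-01 10:02:30.000000\tN/A\tDisabled
"""


def parse_plugin_output(text):
    """Parse the renderer's output into rows keyed by the _EPROCESS offset.
    Banner and progress lines contain no tabs, so they are skipped."""
    lines = [ln for ln in text.splitlines() if "\t" in ln]
    header = lines[0].split("\t")
    rows = {}
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        rows[row["Offset(V)"]] = row
    return rows


def find_unlisted(pslist_text, psscan_text):
    """Return (pid, name, reason) for every psscan hit missing from pslist.
    A scanned process with no ExitTime is still live but unlinked from the
    active-process list; one with an ExitTime has simply terminated."""
    listed = parse_plugin_output(pslist_text)
    findings = []
    for offset, row in parse_plugin_output(psscan_text).items():
        if offset in listed:
            continue
        reason = "terminated" if row["ExitTime"] != "N/A" else "hidden/unlinked"
        findings.append((row["PID"], row["ImageFileName"], reason))
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_unlisted(PSLIST_OUT, PSSCAN_OUT):
        print(f"PID {pid:>6} {name:<16} {reason}")
```

    On a real image, redirect each plugin's output to a file and feed the two files to find_unlisted; a "hidden/unlinked" finding is the one that warrants a closer look at that process's memory.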



    windows.pstree.PsTree

    To view the process listing in tree form we use the windows.pstree.PsTree command. This enumerates processes using the same technique as pslist, so it will not show hidden or unlinked processes. Child processes are indicated using indentation and periods.

    python3 vol.py -f <imagepath> windows.pstree.PsTree



    windows.dlllist.DllList

    This command is used to display a process's loaded DLLs.

    python3 vol.py -f <imagepath> windows.dlllist.DllList


    windows.registry.hivelist.HiveList

    This is used for locating the virtual addresses of registry hives in memory and the full paths to the corresponding hives on disk. If we want to print values from a certain hive, we run this command first so we can see the addresses of the hives.

    python3 vol.py -f <imagepath> windows.registry.hivelist.HiveList


    windows.registry.printkey.PrintKey

    It displays the subkeys, values, data and data types contained within a specific registry key. By default, this command will search all hives and print the key information (if found) for the requested key. Therefore, if the key is located in more than one hive, the information for the key will be printed for each hive that contains it.

    python3 vol.py -f <imagepath> windows.registry.printkey.PrintKey



    windows.handles.Handles

    This is used to display the open handles in a process. This applies to files, registry keys, mutexes, named pipes, and all other types of securable executive objects.

    python3 vol.py -f <imagepath> windows.handles.Handles

    These are some examples of the plugins provided with Volatility3; try out some more plugins yourself and explore this exciting field of memory forensics. Volatility3 also provides separate plugins for macOS and Linux with the same functionality discussed above.

    Credits - Mr Deepak Kumar (B.Tech. 4th Yr. IT, IIIT Bhopal), Mr Punit Choudhary (B.Tech. 4th Yr. IT, IIIT Bhopal ), Dr. Nitesh Bharadwaj (Faculty, IIIT Bhopal)


