Volatility is a python based command line tool that helps in analyzing virtual memory dumps. It provides a very good way to understand the importance as well as the complexities involved in Memory Forensics.
Advantages of using Volatility:
- Runs on Windows, Linux and Mac
- It can be executed wherever python environment is present.
- Uses Fast and Efficient Algorithms
- For Example, Volatility can dump the kernel modules of an 80GB RAM dump in just a few seconds.
- Fabulous Set of Features
- Talking about reverse engineering and specialized research, volatility provides capabilities that Microsoft’s own kernel debugger doesn’t allow.
- You can actually go through the entire command history, console input/output buffers and USER objects and also Network related data structures.
- Extensible & Scriptable API
- Since the framework is Open Source, you can add new address spaces, plugins, data structures etc. to weld the tool based on your needs.
- Volatility was designed by hardcore Forensic, Incident Response and Malware Analysts. As a result, there are things that are often very important to forensics analysts that are not as important to a person debugging a kernel driver.
- Comprehensive Coverage of File Formats
- Volatility can analyze Raw dumps, Crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), Expert witness (EWF), and direct physical memory over Firewire.
Let us look at the basic plugins and commands available in the framework:
This particular command is most often used to identify the operating system, service pack, and hardware architecture (32 or 64 bit).
The imageinfo output tells you the suggested profile that you should pass as the parameter to –profile=PROFILE when using other plugins. There may be more than the one suggested profile and we must be careful to select the correct one.
As you can see there are 3 suggested profiles.
This is a significantly used plugin which helps in listing the details of the processes which were running when the dump was taken. It shows the offset, process name, process ID(PID), the parent process ID(PPID), number of threads, number of handles, and date/time when the process started and exited.
pslist fails to show hidden/terminated processes. The plugin which solves this problem is
psscan. Try it out!!
To view the process listing in tree form, use the
pstree command. This plugin uses the same approach as pslist hence it’ll not display the hidden/terminated processes.
But the one advantage that this plugin gives is that we can easily identify the parent & child processes.
The cmdscan plugin searches the memory for conhost.exe on Windows 7 Operating systems. This is one of the most powerful commands you can use to gain visibility into an attackers actions on a victim system, whether they opened cmd.exe
This plugin finds structures known as COMMAND_HISTORY by looking for a known constant value (MaxHistory) and then applying sanity checks.
To put it simply, you can see the content that the attacker typed in the command prompt.
By default, the value in MAXHistory is set to 50. We can change that. Also, cmdscan can print up to 50 commands. We can increase that by adding –max_history=NUMBER along with the plugin command.
To put it quite simply, consoles display the same content as cmdscan.
However, the advantage that consoles gives is that it also prints the output which was displayed for a specific instruction given in the command prompt.
This will find open files even if a rootkit is hiding the files on disk and if the rootkit hooks some API functions to hide the open handles on a live system. The output shows the physical offset of the FILE_OBJECT, file name, number of pointers to the object, number of handles to the object, and the effective permissions granted to the object.
An important concept that everyone who has worked on the study of Operating Systems is the idea of caching. Files are cached in memory for system performance as they are accessed and used. This makes cache an important source for collecting valuable info.
The dumpfiles plugin has many options. Let us have a look at what they are:
-r REGEX, --regex=REGEX Dump files matching REGEX -i, --ignore-case Ignore case in pattern match -o OFFSET, --offset=OFFSET Dump files for Process with physical address OFFSET -Q PHYSOFFSET, --physoffset=PHYSOFFSET Dump File Object at physical address PHYSOFFSET -D DUMP_DIR, --dump-dir=DUMP_DIR Directory in which to dump extracted files -S SUMMARY_FILE, --summary-file=SUMMARY_FILE File where to store summary information -p PID, --pid=PID Operate on these Process IDs (comma-separated) -n, --name Include extracted filename in output file path -u, --unsafe Relax safety constraints for more data -F FILTER, --filter=FILTER Filters to apply (comma-separated)
So here’s the fun and exciting part. You can literally get the hashes of the domain credentials stored in the registry using hashdump. What I mean to say is that you can actually get the passwords of the accounts.
These hashes can be cracked by online tools such as HashKiller.
So that’s it!!
Did you find such plugins interesting? Wanna write a few?
Check out my next blog in which I’ll be writing a basic plugin and also explain the basic syntax involved in this.