The Volatility Framework

Volatility is a Python-based command line tool that helps in analyzing memory dumps. It provides a very good way to understand both the importance and the complexities involved in memory forensics.

Advantages of using Volatility:

  • Runs on Windows, Linux and Mac
    • It can be executed wherever a Python environment is present.
  • Uses Fast and Efficient Algorithms
    • For example, Volatility can dump the kernel modules of an 80GB RAM dump in just a few seconds.
  • Fabulous Set of Features
    • For reverse engineering and specialized research, Volatility provides capabilities that Microsoft’s own kernel debugger doesn’t offer.
    • You can go through the entire command history, console input/output buffers, USER objects and also network-related data structures.
  • Extensible & Scriptable API
    • Since the framework is open source, you can add new address spaces, plugins, data structures etc. to tailor the tool to your needs.
  • Focus
    • Volatility was designed by hardcore forensic, incident response and malware analysts. As a result, it covers things that are very important to forensic analysts but not as important to a person debugging a kernel driver.
  • Comprehensive Coverage of File Formats
    • Volatility can analyze raw dumps, crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), Expert Witness (EWF), and direct physical memory over FireWire.

Let us look at the basic plugins and commands available in the framework:

1. imageinfo

This command is most often used to identify the operating system, service pack, and hardware architecture (32 or 64 bit) of the image.

The imageinfo output tells you the suggested profile that you should pass as the parameter to --profile=PROFILE when using other plugins. There may be more than one suggested profile, so we must be careful to select the correct one.

[Screenshot: imageinfo plugin output]

As you can see there are 3 suggested profiles.

2. pslist

This is a widely used plugin that lists the processes that were running when the dump was taken. It shows the offset, process name, process ID (PID), parent process ID (PPID), number of threads, number of handles, and the date/time when the process started and exited.

[Screenshot: pslist plugin output]

However, pslist fails to show hidden/terminated processes. The plugin that solves this problem is psscan. Try it out!!
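
To make the difference between the two plugins concrete, here is a small added example (not code from the original post or from the Volatility project): a constructed toy "memory image" with a simplified process record layout, where a list walk (the pslist approach) misses a record that was unlinked from the process list, while a signature scan with sanity checks (the psscan approach) still carves it, and comparing the two views flags the hidden process. The record layout, pool tag, offsets and process names are assumptions made for this illustration only.

```python
import struct
# Constructed toy process record (an assumption here, not the real Windows _EPROCESS):
# 32 bytes = tag | pid | ppid | flink | blink | name[12]; links hold record offsets.
TAG, REC, HEAD = b"Proc", 32, 0x40

def record(pid, ppid, flink, blink, name):
    return TAG + struct.pack("<IIII", pid, ppid, flink, blink) + name.ljust(12, b"\0")

def parse(img, off):
    pid, ppid, flink, blink = struct.unpack_from("<IIII", img, off + 4)
    name = bytes(img[off + 20:off + 32]).rstrip(b"\0").decode()
    return {"pid": pid, "ppid": ppid, "flink": flink, "blink": blink, "name": name}
def build_image():
    """Constructed 512-byte 'dump': four processes in a circular doubly linked list."""
    procs = [(4, 0, b"System"), (404, 4, b"smss.exe"), (1337, 404, b"evil.exe"), (2222, 404, b"lsass.exe")]
    offs = [HEAD + REC * (i + 1) for i in range(len(procs))]
    ring = [HEAD] + offs
    img = bytearray(512)
    img[HEAD:HEAD + REC] = b"Head" + record(0, 0, ring[1], ring[-1], b"")[4:]  # list head only
    for i, (pid, ppid, name) in enumerate(procs):
        img[offs[i]:offs[i] + REC] = record(pid, ppid, ring[(i + 2) % len(ring)], ring[i], name)
    img[0x100:0x120] = record(0xFFFFFFFF, 0, 0x99999999, 0, b"junk")  # stale bytes with a valid tag
    return img, offs

def unlink(img, off):
    """DKOM-style hiding: splice the record out of the list but leave it in memory."""
    p = parse(img, off)
    struct.pack_into("<I", img, p["blink"] + 12, p["flink"])  # prev.flink = victim.flink
    struct.pack_into("<I", img, p["flink"] + 16, p["blink"])  # next.blink = victim.blink

def pslist(img):
    """Walk the list from the head, as pslist does; an unlinked record is never reached."""
    seen, off = [], struct.unpack_from("<I", img, HEAD + 12)[0]
    while off != HEAD and off not in seen:  # stop at the head or if the list loops
        seen.append(off)
        off = parse(img, off)["flink"]
    return [parse(img, o) for o in seen]

def psscan(img):
    """Carve every tagged record that passes sanity checks, as psscan does, ignoring the list."""
    found = []
    for off in range(0, len(img) - REC + 1, 4):
        p = parse(img, off) if img[off:off + 4] == TAG else None
        if p and 0 < p["pid"] < 65536 and p["flink"] < len(img) and p["blink"] < len(img):
            found.append(p)
    return found
def hidden_processes(img):
    """Cross-view check: anything psscan carves that pslist never listed."""
    listed = {p["pid"] for p in pslist(img)}
    return [p for p in psscan(img) if p["pid"] not in listed]
```

The junk record shows why the scanner needs sanity checks: it carries a valid tag but an impossible PID and out-of-range links, so it is discarded rather than reported.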

3. pstree

To view the process listing in tree form, use the pstree command. This plugin uses the same approach as pslist, hence it will not display the hidden/terminated processes either.

But the one advantage this plugin gives is that we can easily identify the parent and child processes.

[Screenshot: pstree plugin output]

4. cmdscan

The cmdscan plugin searches the memory of conhost.exe on Windows 7 operating systems. This is one of the most powerful commands you can use to gain visibility into an attacker's actions on a victim system, whether they opened cmd.exe

This plugin finds structures known as COMMAND_HISTORY by looking for a known constant value (MaxHistory) and then applying sanity checks.

To put it simply, you can see the content that the attacker typed in the command prompt.

[Screenshot: cmdscan plugin output]

By default, the value of MaxHistory is set to 50, and we can change that. Also, cmdscan prints up to 50 commands; we can increase that by adding --max_history=NUMBER along with the plugin command.
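
As an added illustration of the scanning approach described above (example code, not from the original post or from Volatility itself), the following Python builds a constructed console heap containing a simplified command-history record, searches it for the MaxHistory constant, keeps only hits that pass sanity checks, and then walks the command buckets. The record and command layouts, offsets and sample commands are assumptions made for this example; the max_history parameter plays the role of --max_history.

```python
import struct

# Constructed toy layout (an assumption here, not Volatility's real _COMMAND_HISTORY /
# _COMMAND vtypes): history = count, last_added, last_displayed, first (u16 each),
# command_count_max (u16, the MaxHistory constant), pad (u16), bucket[max] (u32 offsets);
# each command = u16 byte length followed by UTF-16LE text.
MAXH_OFF = 8  # offset of command_count_max inside the history record
CMDS = ["whoami", "ipconfig /all", "ping 10.0.0.2", "dir C:\\Users"]

def build_image(max_history=50):
    """Constructed 768-byte console heap: one history record plus its command buffers."""
    img = bytearray(0x300)
    buckets = [0x200 + 0x20 * i for i in range(len(CMDS))]
    for off, cmd in zip(buckets, CMDS):
        text = cmd.encode("utf-16-le")
        img[off:off + 2 + len(text)] = struct.pack("<H", len(text)) + text
    hist = struct.pack("<HHHHHH", len(CMDS), len(CMDS) - 1, len(CMDS) - 1, 0, max_history, 0)
    hist += struct.pack("<%dI" % max_history, *(buckets + [0] * (max_history - len(CMDS))))
    img[0x100:0x100 + len(hist)] = hist
    return img

def read_command(img, off):
    """Return the command text at OFF, or None if its length field is not plausible."""
    (n,) = struct.unpack_from("<H", img, off)
    if n == 0 or n % 2 or off + 2 + n > len(img):
        return None
    return bytes(img[off + 2:off + 2 + n]).decode("utf-16-le", errors="replace")

def cmdscan(img, max_history=50):
    """Search for the MaxHistory constant, apply sanity checks, then walk the buckets."""
    needle, hits = struct.pack("<H", max_history), []
    for pos in range(MAXH_OFF, len(img) - 1, 2):
        if img[pos:pos + 2] != needle:
            continue
        base = pos - MAXH_OFF
        count, last_added, last_disp, first = struct.unpack_from("<HHHH", img, base)
        if not (1 <= count <= max_history and last_added < count
                and last_disp < count and first < count):
            continue  # constant appeared inside unrelated data (e.g. a '2' in UTF-16 text)
        if base + 12 + 4 * max_history > len(img):
            continue
        buckets = struct.unpack_from("<%dI" % count, img, base + 12)
        cmds = [read_command(img, b) for b in buckets if 0 < b <= len(img) - 2]
        if len(cmds) == count and all(cmds):
            hits.append({"offset": base, "count": count, "commands": cmds})
    return hits
```

The digit "2" in "ping 10.0.0.2" is stored as the bytes 32 00 in UTF-16LE, the same bytes as the default MaxHistory of 50, so that position is a candidate hit that only the sanity checks rule out; scanning an image whose history was built with a different MaxHistory finds nothing unless the matching max_history value is passed.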

5. consoles

To put it quite simply, consoles display the same content as cmdscan.

However, the advantage of consoles is that it also prints the output that was displayed for a given instruction typed in the command prompt.

6. filescan

filescan finds open files even if a rootkit is hiding the files on disk, and even if the rootkit hooks API functions to hide the open handles on a live system. The output shows the physical offset of the FILE_OBJECT, the file name, the number of pointers to the object, the number of handles to the object, and the effective permissions granted to the object.

[Screenshot: filescan plugin output]

7. dumpfiles

An important concept familiar to everyone who has studied operating systems is caching. Files are cached in memory for system performance as they are accessed and used, which makes the cache an important source of valuable information.

The dumpfiles plugin has many options. Let us have a look at what they are:

  -r REGEX, --regex=REGEX
                        Dump files matching REGEX
  -i, --ignore-case     Ignore case in pattern match
  -o OFFSET, --offset=OFFSET
                        Dump files for Process with physical address OFFSET
  -Q PHYSOFFSET, --physoffset=PHYSOFFSET
                        Dump File Object at physical address PHYSOFFSET
  -D DUMP_DIR, --dump-dir=DUMP_DIR
                        Directory in which to dump extracted files
  -S SUMMARY_FILE, --summary-file=SUMMARY_FILE
                        File where to store summary information
  -p PID, --pid=PID     Operate on these Process IDs (comma-separated)
  -n, --name            Include extracted filename in output file path
  -u, --unsafe          Relax safety constraints for more data
  -F FILTER, --filter=FILTER
                        Filters to apply (comma-separated)

8. hashdump

So here’s the fun and exciting part. You can literally get the hashes of the domain credentials stored in the registry using hashdump. What I mean to say is that you can actually get the passwords of the accounts.

These hashes can be cracked by online tools such as HashKiller.

So that’s it!!

Did you find such plugins interesting? Wanna write a few?

Check out my next blog in which I’ll be writing a basic plugin and also explain the basic syntax involved in this.