Malware Analysis with Volatility Module 1
➡ How to capture the memory image of a machine using different tools
➡ Software: Imager Lite 3.1.1 (FTK), RAM Capturer 1.0 (Belkasoft) and DumpIt 1.3.2 (Moonsols).
➡ How to configure your computer environment to use Volatility.
➡ The basic use of the imageinfo, kdbgscan, pslist, pstree and psscan plugins in Volatility (version 2.5).
Memory tools for Live Analysis
First let's start with the RAM capture tools. In the modern school of live analysis a forensic analyst should have more than one tool at their disposal.
We will show the use of memory tools for live analysis.
The tools and the file format
Imager Lite
➡ Imager Lite captures the RAM and saves it in a memdump.mem file.
➡ Imager Lite doesn't need to be installed on the machine.
DumpIt
➡ DumpIt saves the output in a PAULO-PC 20160617-213817.raw file.
RAM Capturer
➡ RAM Capturer saves the output in a 20160617.mem file.
Comparison of the VMs
VirtualBox
➡ VirtualBox doesn't save a memory dump when we suspend the virtual machine.
VMware
➡ VMware saves a memory dump when we suspend the virtual machine (.vmem format).
Configuring an environment to use Volatility
The key point when working with Volatility in a Windows environment is that it runs from the Command Prompt. So, the shorter our command, the smaller the chance of error. For example, if I decide to work in a folder located on my Desktop, the command would be:
C:\Users\paulo_000\Contacts\Desktop\Module1\vol>vol.exe imageinfo -f img1.mem
This command is too long and tedious…
If we decide to work, for example, with a folder named "vol" on drive C, our command would be:
C:\vol>vol.exe imageinfo -f img1.mem
You can also redirect the output to a txt file:
C:\vol>vol.exe imageinfo -f img1.mem > imageinfo.txt
Using Volatility: Profiles
When we acquire a memory sample from a machine we need to know the profile of the operating system running on that machine, so that Volatility applies the right data structures, algorithms and symbols.
By default Volatility exploits the similarity between Windows operating system architectures, so it is normal for Volatility to suggest more than one OS profile. Based on this list and on the Service Pack version we can choose one profile and use it.
In some cases Volatility will not display a profile. I tested this situation with memory samples taken from W10x64, for example.
On Linux the similarity approach doesn't work because there are a large number of kernel versions (and sub-kernel versions). In this case we must build a profile. See [1] for more details.
When we don't know the profile of the memory sample, the basic usage of Volatility starts with the imageinfo command to discover the profile of the memory sample. This command shows only the profile, and only if there is one associated with the KDBG (Kernel Debugger data block).
Using Volatility: Imageinfo plugin
The kdbgscan command shows more information about the memory sample image. Once we have a profile, we can use it for the other plugins.
Using Volatility: Default profile
Volatility uses WinXPSP2x86 as the default profile. We don’t need to specify a profile in this case.
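The two procedures above (keeping the commands short and redirecting each result to a txt file, and choosing one profile from the list imageinfo suggests using the Service Pack version) can be tied together in a small wrapper. The script below is an added example, not code from the module or from the Volatility project. It assumes, as the module does, that Volatility 2.5 is invoked as vol.exe from C:\vol against img1.mem; the imageinfo output it parses is a constructed sample whose layout mirrors what Volatility 2.x prints, with made-up profile list, addresses and dates.

```python
#!/usr/bin/env python3
"""Pick a Volatility 2 profile from imageinfo output and build the follow-up
plugin commands, each redirected to its own .txt file.

Added example, not code from the module. Assumptions (hypothetical, taken
from the module's own layout): Volatility 2.5 is invoked as vol.exe from
C:\\vol and the memory sample is img1.mem.
"""
import re
import shutil
import subprocess

# Constructed sample of imageinfo output. The layout mirrors what Volatility 2.x
# prints; the profile list, addresses and dates are made up for this example.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\\vol\\img1.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a0a0a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
           Image date and time : 2016-06-17 21:38:17 UTC+0000
"""

PLUGINS = ["kdbgscan", "pslist", "pstree", "psscan"]


def parse_imageinfo(text):
    """Return (suggested_profiles, service_pack, kdbg) from imageinfo output.

    profiles is [] and service_pack/kdbg are None when imageinfo found no
    KDBG (the W10x64 case the module mentions).
    """
    profiles, service_pack, kdbg = [], None, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Suggested Profile(s)":
            profiles = [p.strip() for p in value.split(",") if p.strip()]
        elif key == "Image Type (Service Pack)":
            service_pack = int(value) if value.isdigit() else None
        elif key == "KDBG":
            kdbg = value
    return profiles, service_pack, kdbg


def choose_profile(profiles, service_pack):
    """Narrow the suggested list the way the module describes: among the
    similar Windows profiles, prefer the one whose SP number matches the
    Service Pack reported for the image; otherwise take the first suggestion."""
    if not profiles:
        return None  # nothing to choose: run kdbgscan or supply a profile by hand
    if service_pack is not None:
        for profile in profiles:
            match = re.search(r"SP(\d+)", profile)
            if match and int(match.group(1)) == service_pack:
                return profile
    return profiles[0]


def plugin_commands(profile, image="img1.mem", vol="vol.exe"):
    """Build one short command per plugin in the module's style
    (vol.exe <plugin> -f <image>), plus the .txt file its output goes to.
    kdbgscan is left without --profile so it scans for every KDBG signature."""
    commands = {}
    for plugin in PLUGINS:
        argv = [vol, plugin, "-f", image]
        if profile and plugin != "kdbgscan":
            argv.append("--profile=" + profile)
        commands[plugin] = (argv, plugin + ".txt")
    return commands


def run_plugins(commands):
    """Run each command with its output redirected to the named .txt file.
    Only attempted when the Volatility executable is actually on PATH."""
    for plugin, (argv, outfile) in commands.items():
        if shutil.which(argv[0]) is None:
            print("would run:", " ".join(argv), ">", outfile)
            continue
        with open(outfile, "w") as fh:
            subprocess.run(argv, stdout=fh, stderr=subprocess.STDOUT, check=False)


if __name__ == "__main__":
    found, sp, kdbg_addr = parse_imageinfo(SAMPLE_IMAGEINFO)
    chosen = choose_profile(found, sp)
    print("suggested:", found, "| service pack:", sp, "| KDBG:", kdbg_addr)
    print("chosen profile:", chosen)
    run_plugins(plugin_commands(chosen))
```

Run it from C:\vol (or wherever vol.exe lives) to get one txt file per plugin; when vol.exe is not on PATH it only prints the commands it would run. An empty suggestion list, as with the W10x64 samples the module mentions, yields no profile, which is the cue to fall back to kdbgscan or to a profile chosen by hand.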