Examining RAM Dumps
Volatility is an advanced memory forensics framework used for analyzing RAM dumps. It helps digital forensic investigators and cybersecurity professionals extract valuable information from volatile memory, including processes, registry hives, network connections, and more. This tool is often used in incident response, malware analysis, and CTF challenges due to its ability to dig deep into system states captured at the moment a memory dump is created.
Volatility Cheatsheet¶
Installation and Setup¶
-
Install Dependencies:
sudo apt update sudo apt install python3 python3-pip git
-
Clone Volatility 3 Repository:
git clone https://github.com/volatilityfoundation/volatility3.git cd volatility3
-
Install Volatility Requirements:
pip3 install -r requirements.txt
-
Run Volatility 3:
python3 vol.py -h
Basic Commands¶
List Running Processes¶
python3 vol.py -f ./memdump.raw windows.pslist.PsList
- Purpose: Identifies active processes at the time the memory was captured.
- Scenario: You’re investigating a potential malware infection. Listing running processes helps you quickly identify suspicious applications or unexpected software that was running on the system at the time of the memory dump. This could reveal unauthorized applications or processes indicative of a compromise.
Scan for Hidden Processes¶
python3 vol.py -f ./memdump.raw windows.psscan.PsScan
- Purpose: Finds hidden or terminated processes not visible in standard listings.
- Scenario: An attacker may have employed techniques to hide their malicious processes or terminated them to evade detection. This command helps you uncover these hidden or terminated processes, which are critical for understanding what the attacker was running and how they might have tried to conceal their activities.
Dump Process Memory¶
python3 vol.py -f ./memdump.raw windows.memmap.Memmap --pid <PID> --dump
- Purpose: Extracts the full memory content of a specific process.
- Scenario: Suppose you discover that a browser like Internet Explorer was active during an attack. By dumping its memory, you can search for and analyze URLs, login credentials, and other data that could indicate what the attacker was doing, such as accessing a malicious website or exfiltrating data.
Network and Connection Analysis¶
List Network Connections¶
python3 vol.py -f ./memdump.raw windows.netscan.NetScan
- Purpose: Displays active and closed network connections.
- Scenario: After detecting suspicious activity, you need to determine if the compromised system was communicating with any external IP addresses. This command helps you identify outgoing connections, which can reveal data exfiltration attempts or communication with command-and-control servers used by attackers.
Registry Analysis¶
List Registry Hives¶
python3 vol.py -f ./memdump.raw windows.registry.hivelist.HiveList
- Purpose: Lists all registry hives found in the memory dump.
- Scenario: You’re looking for specific registry keys that may have been altered by malware. Before you dive into detailed registry analysis, this command helps you locate all available registry hives, ensuring you don’t miss any critical configurations or modifications that could explain the system’s behavior during the compromise.
Extract Specific Registry Keys¶
python3 vol.py -f ./memdump.raw windows.registry.printkey.PrintKey --key '<KEY_PATH>'
- Purpose: Accesses specific registry entries.
- Scenario: You suspect that malware altered certain system configurations or that specific software was installed recently. This command lets you pull out the exact registry key values, such as installation dates, software serial numbers, or configuration settings, which can confirm or refute your suspicions.
File and Data Extraction¶
Scan for File Objects¶
python3 vol.py -f ./memdump.raw windows.filescan.FileScan
- Purpose: Finds file objects, including hidden or recently accessed files.
- Scenario: If you believe files have been tampered with or new files have been added by an attacker, this command helps you locate them, even if they’re hidden. For example, you can use it to find suspicious files that might contain malware or to verify whether critical files were accessed during the attack.
Dump Files from Memory¶
python3 vol.py -f ./memdump.raw windows.dumpfiles.DumpFiles --physaddr <PHYSICAL_ADDRESS>
- Purpose: Extracts specific files from the memory dump.
- Scenario: Suppose you’ve identified a suspicious file or document in memory. By dumping it from memory, you can recover the file contents for further analysis, which might include searching for embedded malware, sensitive information, or signs that the file was involved in the attack.
Command History and User Activity¶
Scan for Command History¶
python3 vol.py -f ./memdump.raw windows.cmdscan.CmdScan
- Purpose: Recovers command-line history from memory.
- Scenario: An attacker may have used command-line tools to carry out malicious activities, such as manipulating files, altering configurations, or running scripts. This command retrieves those commands, allowing you to see exactly what actions were taken, providing valuable insights into the attacker’s methods and objectives.
Extract UserAssist Data¶
python3 vol.py -f ./memdump.raw windows.userassist.UserAssist
- Purpose: Lists recently executed applications.
- Scenario: If you suspect unauthorized software was installed or executed, UserAssist data can reveal what programs were recently run by the user. This is useful for tracking down malware installations, unauthorized software usage, or applications that were run just before or during the compromise.
Malware and Suspicious Activity Detection¶
Detect Injected Code in Processes¶
python3 vol.py -f ./memdump.raw windows.malfind.Malfind
- Purpose: Identifies memory regions with injected code.
- Scenario: Malfind is invaluable when you suspect that malware has injected code into legitimate processes to evade detection. This command highlights those memory regions, allowing you to analyze the injected code, which might reveal the presence of a rootkit, backdoor, or other malicious payload.
Check System Service Table (SSDT)¶
python3 vol.py -f ./memdump.raw windows.ssdt.SSDT
- Purpose: Lists system call addresses, checking for rootkits.
- Scenario: Rootkits often manipulate the SSDT to hide their presence or alter system behavior. By examining the SSDT, you can detect these alterations, providing evidence of advanced persistent threats (APTs) that might have deeply compromised the system.
Advanced Object and System Analysis¶
List Loaded DLLs for Processes¶
python3 vol.py -f ./memdump.raw windows.dlllist.DllList
- Purpose: Displays all DLLs loaded by each process.
- Scenario: If a process is behaving suspiciously, it may have loaded a malicious or unauthorized DLL. Listing the DLLs helps you identify any that don’t belong or that have been injected by an attacker, which can lead to the discovery of the malware's functionality or origin.
List Open Handles in Processes¶
python3 vol.py -f ./memdump.raw windows.handles.Handles
- Purpose: Displays open files, registry keys, and other objects.
- Scenario: You need to know what files or resources a suspicious process was interacting with. By listing open handles, you can track down exactly what files were accessed or modified, which is crucial for understanding the scope of the attack and identifying any data that may have been compromised.
Extract ShellBags (Folder Navigation)¶
python3 vol.py -f ./memdump.raw windows.shellbags.ShellBags
- Purpose: Shows user navigation history within Windows Explorer.
- Scenario: To understand what folders or directories were accessed during the compromise, ShellBags provide a history of user navigation. This can help you determine whether sensitive directories were opened or if the attacker was searching for specific files or information.
Clipboard and Miscellaneous¶
Dump Clipboard Contents¶
python3 vol.py -f ./memdump.raw windows.clipboard.Clipboard
- Purpose: Retrieves the clipboard data at the time of capture.
- Scenario: If you suspect that sensitive data, such as passwords or personal information, was copied to the clipboard during the incident, this command lets you retrieve that data. It can provide clues about what information the attacker was interested in or intended to exfiltrate.
Scan for Windows Services¶
python3 vol.py -f ./memdump.raw windows.svcscan.SvcScan
- Purpose: Lists all services, including hidden or malicious ones.
- Scenario: Rogue services are often used to maintain persistence on compromised systems. SvcScan helps you identify all services running at the time of memory capture, including those that might be hidden or configured to start automatically, which can be critical for locating persistent threats.