Digital Forensics – Memory Analysis using Volatility

Digital Forensics is regarded as an emerging topic nowadays due to the increasing number of computer crimes. Even though there doesn’t exist a precise definition to “Digital Forensics” it can be defined as the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law.

Malware analysis and Malicious process identification is a major and important aspect of forensic analysis. Even though the storage disks (Secondary Storage) contain evidence, it is must, to analyze the Random Access Memory (RAM). Through memory analysis (RAM – Primary Storage) it is possible to identify the processes and activities which were active within the certain time period.

Memory Dump Acquisition

This is the first step in Memory analysis. You need to take a memory dump. You can achieve it using tools like dumpit for windows and dd command for Linux operating system.

In real time digital forensics, if digital devices are powered on during the time of acquisition. They are kept on the power on stage due to the fact that important files that can be in the volatile memory can get erased. This is the actual instance where memory dumping comes in.

Usually, a memory dump is of the size of RAM of the certain computer. For an example assume that a Windows XP SP2 machine does have a volatile memory of 512 MB. Then the size of it’s memory dump too would be 512 MB.

After getting the memory dump a hash values should be checked. To do so sha256sum can be used. There exists hash calculating tools such as md5sum, sha1sum. But as both of these things are broken by now it is much safer and acceptable under the court of law if a tool based on SHA256 is used. However, these sum tools are specific for Linux. For Windows-based systems, there exists a number of tools. But hashcalc would be a better and an obvious choice considering it’s simplicity.

Memory Dump Analysis

For the analysis of the acquired memory dump, Volatility Framework can be used. Volatility is a python based framework which can be used on different operating systems for memory analysis. You can download volatility using its GitHub repository. There are a number of things that can be analyzed via volatility framework. We will be discussing them late in this blog.

Methodology

Windows

Initially, run dumpit.exe within the operating system (If it is windows).

Memory Image Dumping Windows
Figure 1: Memory Image dumping
Linux

use dd command for memory acquisition from /dev/mem of /dev/fmem. Here root privileges would be required.

dd if=/dev/mem or /dev/fmem of=/outputFile bs=64K conv=noerror,sync
Memory Image Dumping Linux
Figure 2: Memory image dumping Linux

You can find some interesting facts about types of memories that can be acquired in Linux systems by [5].

After getting the memory images (dd/raw), get the hash values of these images to check the integrity and to confirm that nothing has changed in the image.

After getting the disk image and getting the hash values, we can directly move to the analysis procedure.This is the instance where the role of Volatility comes in to play.

Initially, run volatility with the attribute imageinfo in order to find about the available information in the memory image.

python volatility.py imageinfo -f <memory_image_to_be_analyzed>

 

Memory Image information Analysis using Volatility
Figure 3: Memory image analysis with volatility

 

With the use of volatility.exe, the memory image can be acquired as,

volatility.exe imageinfo -f <memory_image_to_be_analyzed>

After getting the analyzed details,details such as possible OS profiles, number of Processors in the given system, etc. can be derived.

In most of the cases volatility suggests multiple profiles with the volatility framework. In order to select the best memory profile for further analysis a kdbgscan is used. Here by removing dummy profiles in which the number of processes and number of modules become a non-realistic value (0) the correct profile can be selected.

For demonstration purpose I have used a profile named WinXPSP2 here.

python volatility.py -f <memory_image> --profile=WinXPSP2 kdbgscan

After selecting the correct profile it can be moved in to the next steps of analysis.

Bu using the following command, a list of processes can be obtained which were there within the memory.

python volatility.py --profile=WinXPSP2 pslist -f <memory_image>

 Process Listing which exists within the Memory Image

Process Analysis of Memory Usage -2
Figure 4: Process analysis of a Memory Image

 

A parent-child relationship in between the processes can be obtained using the pstree attribute.

python volatility.py --profile=WinXPSP2 pstree -f <memory_image>

There exists a number of optional attributes that can be used to specify various details [1].

A list of network connections can be recovered via ,

python volatility.py netscan -f <memory_image> --profile=WinXPSP2

 

Identifying Network Connections within the Memory Image
Figure 5: Network connection scan for a memory image

 

Except for these direct information retrieval, there exists a number of mechanisms in which data can be retrieved (Malware dumps) and analyzed.

The command history too can be scanned by using the cmdhistory attribute.

Then how to detect malicious files

In volatility, there exists an attribute named malfind. This is actually an inbuilt plugin and can be used for malicious process detection.

python volatility.py malfind -D <Output_Location> -p <PID> -f <memory_image> --profile=WinXPSP2

If the above command doesn’t generate a result then it can be defined as non-malicious. However, if detailed memory analysis is found it can be classified as a malicious process.

Finding whether a certain process is malicious or not
Figure 6: Malicious process identification

 

References

[1]https://github.com/volatilityfoundation/volatility

[2]http://www.slavasoft.com/hashcalc/

[3]http://qpdownload.com/dumpit/

[4]https://www.gnu.org/software/coreutils/manual/html_node/dd-invocation.html

[5]https://unix.stackexchange.com/questions/119762/how-to-dump-memory-image-from-linux-system

 





Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *