Volatility Framework – How to use for Memory Analysis

Malware analysis and Malicious process identification is a major and important aspect of digital forensic analysis. It is necessary to analyze the Random Access Memory (RAM) along with the storage disks (Secondary Storage) for evidence. It helps to identify the processes and activities which were active during the certain time period.

In this article, let’s see how to analyze RAM using Volatility Framework

Volatility Framework

Volatility Framework provides open collection of tools implemented in Python for the extraction of digital artifacts from volatile memory (RAM) samples. It is the world’s most widely used memory forensics platform for digital investigations. It supports memory dumps from all major 32- and 64-bit Windows, Linux and Mac operating systems. Check github page for further details.

Memory Dump Acquisition

Memory dump acquisition is the first step in Memory analysis. Use tools like dumpit for windows and dd command for Linux operating system to get memory dump. dumpit is utility to generate physical dump of windows machine, works for both x86 (32-bits) and x64 (64-bits) machines.

Usually, a memory dump size is same as that of the size of RAM. For an example Windows XP SP2 machine with a volatile memory of 512 MB would have memory dump 512 MB  size.

After getting the memory dump a hash values should be checked. To do so sha256sum can be used. There exists hash calculating tools such as md5sum, sha1sum. But as both of these things are broken by now it is much safer and acceptable under the court of law if a tool based on SHA256 is used. However, these sum tools are specific for Linux. For Windows-based systems, there exists a number of tools. But hashcalc would be a better and an obvious choice considering it’s simplicity.

Memory Dump Analysis

For the analysis of the acquired memory dump, Volatility Framework can be used. Volatility is a python based framework which can be used on different operating systems for memory analysis. You can download volatility using its GitHub repository. There are a number of things that can be analyzed via volatility framework. We will be discussing them late in this blog.

Methodology

Windows

Initially, run dumpit.exe within the operating system (If it is windows).

Memory Image Dumping Windows
Figure 1: Memory Image dumping

Linux

use dd command for memory acquisition from /dev/mem of /dev/fmem. Here root privileges would be required.

dd if=/dev/mem or /dev/fmem of=/outputFile bs=64K conv=noerror,sync

Memory Image Dumping Linux
Figure 2: Memory image dumping Linux

You can find some interesting facts about types of memories that can be acquired in Linux systems by [5].

After getting the memory images (dd/raw), get the hash values of these images to check the integrity and to confirm that nothing has changed in the image.

After getting the disk image and getting the hash values, we can directly move to the analysis procedure.This is the instance where the role of Volatility comes in to play.

Initially, run volatility with the attribute imageinfo in order to find about the available information in the memory image.

python volatility.py imageinfo -f <memory_image_to_be_analyzed>

 

Memory Image information Analysis using Volatility
Figure 3: Memory image analysis with volatility

 

With the use of volatility.exe, the memory image can be acquired as,

volatility.exe imageinfo -f <memory_image_to_be_analyzed>

After getting the analyzed details,details such as possible OS profiles, number of Processors in the given system, etc. can be derived.

In most of the cases volatility suggests multiple profiles with the volatility framework. In order to select the best memory profile for further analysis a kdbgscan is used. Here by removing dummy profiles in which the number of processes and number of modules become a non-realistic value (0) the correct profile can be selected.

For demonstration purpose I have used a profile named WinXPSP2 here.

python volatility.py -f <memory_image> --profile=WinXPSP2 kdbgscan

After selecting the correct profile it can be moved in to the next steps of analysis.

Bu using the following command, a list of processes can be obtained which were there within the memory.

python volatility.py --profile=WinXPSP2 pslist -f <memory_image>

 Process Listing which exists within the Memory Image

Process Analysis of Memory Usage -2
Figure 4: Process analysis of a Memory Image

 

A parent-child relationship in between the processes can be obtained using the pstree attribute.

python volatility.py --profile=WinXPSP2 pstree -f <memory_image>

There exists a number of optional attributes that can be used to specify various details [1].

A list of network connections can be recovered via ,

python volatility.py netscan -f <memory_image> --profile=WinXPSP2

 

Identifying Network Connections within the Memory Image
Figure 5: Network connection scan for a memory image

 

Except for these direct information retrieval, there exists a number of mechanisms in which data can be retrieved (Malware dumps) and analyzed.

The command history too can be scanned by using the cmdhistory attribute.

Then how to detect malicious files

In volatility, there exists an attribute named malfind. This is actually an inbuilt plugin and can be used for malicious process detection.

python volatility.py malfind -D <Output_Location> -p <PID> -f <memory_image> --profile=WinXPSP2

If the above command doesn’t generate a result then it can be defined as non-malicious. However, if detailed memory analysis is found it can be classified as a malicious process.

Finding whether a certain process is malicious or not
Figure 6: Malicious process identification

References