Try   HackMD

Memory Forensics 101

tags: dfir blue team volatility memory forensics

Volatility

Is a free memory forensics tool developed and maintained by Volatility labs.
Gold standard for memory forensics in incident response.

You can capture the memory of Live machines using the following tools:

  • FTK Imager from this link
  • Redline from this link
  • DumpIt from this link
  • win32dd.exe / win64dd.exe

These tools typically output a .raw file containing an image of system memory.
You can pull the memory of offline machines relatively easily by pulling the %SystemDrive%/hiberfil.sys file.
This is the windows hibernation file and contains a compressed memory image from the previous boot.
Ms uses this to provide faster boot up times, but we can use it for memory forensics.

For virtual machines you can target the following files:
VMWARE - .vmem file
HYPER-V - .bin file
Parallels - .mem file
Virtual box - .sav file. Note that you will need to dump memory like a baremetal sys for this hypervisor since the .sav file is only a partial memory file.

These files can be found in the datastore of the corresponding hypervisor and can often be copied without shutting the vm off. This makes for minimal disruption :)







































# when working with Volatility 3
# get image info
volatility -f [image path] [plugin]

# for example
volatility -f cridex.vmem windows.info

# list plugins
volatility --plugins -h 

# for plugin specific options use
volatility [plugin] --help

# list windows processes
volatility -f [image path] windows.pslist.PsList

# list windows process in tree format
volatility -f [image path] windows.pstree.PsTree

# the pdb field in the results refers to the page directory base offset

# list network connections / activity
volatility -f [image path] windows.netscan.NetScan

# list dlls attached to a process
volatility -f [image path] -p [pid] dlllist

# example
volatility -f cridex.vmem -p 512 dlllist

# list services that were running
volatility -f [image path] windows.svcscan.SvcScan

# list files
volatility -f [image path] windows.filescan.FileScan

Here is a good Volatility 3 cheatsheet by Ashley Pearson you might be interested in. It has the differences between the commands used in Volatility 2.x and 3.x and is pretty neat imo :)

Last changed by 
codeAssassin
As a code Assassin my focus is on Learning different ways to break code, and therefore, secure it. Interested in everything cyber security!
0
423

Read more

Jeeves - HTB Series

Windows Exploitation Walk through for Jeeves on Hack The Box

Sep 5, 2024
Windows Privilege Escalation

Fuzzy Security reference

Aug 26, 2024
Chatterbox - HTB Series

We start by scanning the target with nmap to find open ports

Aug 11, 2024
Active - HTB Series

image

Aug 10, 2024
Read more from codeAssassin
Published on HackMD