# Memory Forensics 101
###### tags: `dfir` `blue team` `volatility` `memory forensics`
## Volatility
Volatility is a free, open-source memory forensics framework developed and maintained by Volatility Labs, and it is the gold standard for memory forensics in incident response.
You can capture the memory of Live machines using the following tools:
* FTK Imager from this [link](https://accessdata.com/product-download/ftk-imager-version-4-2-0)
* [Redline](https://www.fireeye.com/services/freeware/redline.html) from this [link](https://fireeye.market/)
* DumpIt from this [link](https://github.com/thimbleweed/All-In-USB/tree/master/utilities/DumpIt)
* win32dd.exe / win64dd.exe
These tools typically output a **.raw** file containing an image of system memory.
For offline machines you can often recover memory simply by copying the **%SystemDrive%\hiberfil.sys** file.
This is the Windows hibernation file: it contains a compressed image of memory written the last time the system hibernated (i.e. before the current boot).
Microsoft uses it for faster startup, but we can use it for memory forensics.
For virtual machines you can target the following files:
* VMware - **.vmem** file
* Hyper-V - **.bin** file
* Parallels - **.mem** file
* VirtualBox - **.sav** file. Note that the .sav file is only a partial memory image, so for this hypervisor you will still need to dump memory from inside the guest as you would on a bare-metal system.
These files live in the datastore of the corresponding hypervisor and can often be copied without shutting the VM off, which keeps disruption to a minimum :)
```bash
# when working with Volatility 3
# the entry point is vol.py (or `vol` when installed via pip); plugins are addressed
# by their dotted name, e.g. windows.pslist.PsList
# get image info
vol.py -f [image path] [plugin]
# for example
vol.py -f cridex.vmem windows.info
# list available plugins (they are printed as part of the help text)
vol.py -h
# for plugin-specific options, put --help after the plugin name
vol.py [plugin] --help
# list windows processes
vol.py -f [image path] windows.pslist.PsList
# list windows processes in tree format
vol.py -f [image path] windows.pstree.PsTree
# where a plugin shows a PDB column, it is the process's page directory base
# (the physical address of its top-level page table)
# list network connections / activity
vol.py -f [image path] windows.netscan.NetScan
# list dlls loaded by a process (plugin options such as --pid go after the plugin name)
vol.py -f [image path] windows.dlllist.DllList --pid [pid]
# example
vol.py -f cridex.vmem windows.dlllist.DllList --pid 512
# list services that were running
vol.py -f [image path] windows.svcscan.SvcScan
# list files
vol.py -f [image path] windows.filescan.FileScan
```
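Once you have pslist and netscan output, the useful next step is to join them: hang each connection off the process that owns it, and look for processes whose parent is missing from the list or connections whose PID does not map to any listed process. The script below is an added example (not part of this note and not Volatility's own code). It assumes the column names Volatility 3 emits with its JSON renderer (`vol.py -r json -f <image> windows.pslist.PsList` and `windows.netscan.NetScan`); the rows embedded in it are constructed sample data, not from a real image. Keep in mind that netscan carves pool memory, so entries from processes that have already exited are normal, and explorer.exe's parent (userinit.exe) has usually exited by the time you image a box, so an "orphan" is a lead to chase, not a verdict.

```python
"""Join Volatility 3 pslist and netscan JSON output into an annotated process tree.

Added example, not part of the original note. Assumes the column names of the
Volatility 3 JSON renderer; sample rows below are constructed, not from a real image.
"""
import json
from collections import defaultdict

# Constructed sample in the shape of `vol.py -r json ... windows.pslist.PsList`.
# Columns this script does not need (Offset(V), Threads, Handles, ...) are left out;
# real output carries them and parses the same way.
PSLIST_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",        "CreateTime": "2024-01-01T08:00:00+00:00", "ExitTime": null},
 {"PID": 368,  "PPID": 4,    "ImageFileName": "smss.exe",      "CreateTime": "2024-01-01T08:00:01+00:00", "ExitTime": null},
 {"PID": 584,  "PPID": 368,  "ImageFileName": "csrss.exe",     "CreateTime": "2024-01-01T08:00:02+00:00", "ExitTime": null},
 {"PID": 608,  "PPID": 368,  "ImageFileName": "winlogon.exe",  "CreateTime": "2024-01-01T08:00:02+00:00", "ExitTime": null},
 {"PID": 652,  "PPID": 608,  "ImageFileName": "services.exe",  "CreateTime": "2024-01-01T08:00:03+00:00", "ExitTime": null},
 {"PID": 1484, "PPID": 1464, "ImageFileName": "explorer.exe",  "CreateTime": "2024-01-01T08:01:00+00:00", "ExitTime": null},
 {"PID": 1640, "PPID": 1484, "ImageFileName": "reader_sl.exe", "CreateTime": "2024-01-01T08:05:00+00:00", "ExitTime": null}
]"""

# Constructed sample in the shape of `vol.py -r json ... windows.netscan.NetScan`
# (RFC 5737 documentation addresses; PID 2000 deliberately has no pslist entry).
NETSCAN_JSON = """[
 {"Proto": "TCPv4", "LocalAddr": "0.0.0.0",    "LocalPort": 445,  "ForeignAddr": "0.0.0.0",      "ForeignPort": 0,    "State": "LISTENING",   "PID": 4,    "Owner": "System"},
 {"Proto": "TCPv4", "LocalAddr": "192.0.2.10", "LocalPort": 1038, "ForeignAddr": "203.0.113.5",  "ForeignPort": 8080, "State": "ESTABLISHED", "PID": 1484, "Owner": "explorer.exe"},
 {"Proto": "TCPv4", "LocalAddr": "192.0.2.10", "LocalPort": 1039, "ForeignAddr": "198.51.100.7", "ForeignPort": 8080, "State": "CLOSED",      "PID": 2000, "Owner": ""}
]"""


def load_rows(text):
    """Parse a Volatility 3 JSON table; nested rows (as pstree emits) sit under "__children"."""
    rows = []

    def walk(items):
        for row in items:
            rows.append(row)
            walk(row.get("__children", []))

    walk(json.loads(text))
    return rows


def index_by_pid(procs):
    return {p["PID"]: p for p in procs}


def orphan_processes(procs):
    """Processes whose PPID is not in the list. PPID 0 is expected for System. Returns (pid, name, ppid)."""
    by_pid = index_by_pid(procs)
    return [(p["PID"], p["ImageFileName"], p["PPID"])
            for p in procs if p["PPID"] != 0 and p["PPID"] not in by_pid]


def connections_by_pid(conns):
    out = defaultdict(list)
    for c in conns:
        out[c["PID"]].append(c)
    return out


def unattributed_connections(procs, conns):
    """Connections whose PID has no pslist entry: an exited process, or one that is not in the list."""
    by_pid = index_by_pid(procs)
    return [c for c in conns if c["PID"] not in by_pid]


def render_tree(procs, conns):
    """Indented tree (like pstree) with the number of netscan entries per process."""
    by_pid = index_by_pid(procs)
    children = defaultdict(list)
    for p in procs:
        children[p["PPID"]].append(p)
    net = connections_by_pid(conns)
    lines = []

    def walk(pid, depth):
        for p in sorted(children[pid], key=lambda x: x["PID"]):
            tag = f"  [{len(net[p['PID']])} conn]" if net[p["PID"]] else ""
            lines.append(f"{'  ' * depth}{p['ImageFileName']} ({p['PID']}){tag}")
            walk(p["PID"], depth + 1)

    # roots are the parents that do not appear in the list themselves (PID 0, exited parents)
    for root in sorted({p["PPID"] for p in procs if p["PPID"] not in by_pid}):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    procs = load_rows(PSLIST_JSON)
    conns = load_rows(NETSCAN_JSON)
    print(render_tree(procs, conns))
    for pid, name, ppid in orphan_processes(procs):
        print(f"orphan: {name} ({pid}) parent {ppid} is not in pslist (exited, hidden, or never listed)")
    for c in unattributed_connections(procs, conns):
        print(f"unattributed: {c['Proto']} {c['LocalAddr']}:{c['LocalPort']} -> "
              f"{c['ForeignAddr']}:{c['ForeignPort']} PID {c['PID']} ({c['State']})")
```

To run it against a real image, replace the two embedded strings with the contents of `vol.py -r json -f <image> windows.pslist.PsList > pslist.json` and `... windows.netscan.NetScan > netscan.json`; because `load_rows` flattens `__children`, pstree output can be fed in instead of pslist unchanged.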
Here is a good [Volatility 3 cheatsheet](https://blog.onfvp.com/post/volatility-cheatsheet/) by Ashley Pearson you might be interested in. It lists the differences between the commands used in Volatility 2.x and 3.x and is pretty neat imo :)