
Memory Forensics 101

tags: dfir blue team volatility memory forensics

Volatility

Volatility is a free, open-source memory forensics framework developed and maintained by Volatility Labs.
It is the gold standard for memory forensics in incident response.

You can capture the memory of Live machines using the following tools:

  • FTK Imager
  • Redline
  • DumpIt
  • win32dd.exe / win64dd.exe

These tools typically output a .raw file containing an image of physical memory.
You can pull the memory of offline machines relatively easily by copying the %SystemDrive%\hiberfil.sys file.
This is the Windows hibernation file and contains a compressed memory image from the previous boot.
Microsoft uses it to provide faster boot times, but we can use it for memory forensics.

For virtual machines you can target the following files:

  • VMware - .vmem file
  • Hyper-V - .bin file
  • Parallels - .mem file
  • VirtualBox - .sav file. Note that you will need to dump memory as you would for a bare-metal system with this hypervisor, since the .sav file is only a partial memory image.

These files can be found in the datastore of the corresponding hypervisor and can often be copied without shutting the VM off. This makes for minimal disruption :)

```sh
# when working with Volatility 3

# general usage
volatility -f [image path] [plugin]
# for example, get image info
volatility -f cridex.vmem windows.info

# list plugins
volatility -h
# for plugin-specific options use
volatility [plugin] --help

# list windows processes
volatility -f [image path] windows.pslist.PsList
# list windows processes in tree format
volatility -f [image path] windows.pstree.PsTree
# the pdb field in the results refers to the page directory base offset

# list network connections / activity
volatility -f [image path] windows.netscan.NetScan

# list dlls loaded by a process
# (in Volatility 3, plugin options such as --pid go after the plugin name)
volatility -f [image path] windows.dlllist.DllList --pid [pid]
# example
volatility -f cridex.vmem windows.dlllist.DllList --pid 512

# list services that were running
volatility -f [image path] windows.svcscan.SvcScan

# list files
volatility -f [image path] windows.filescan.FileScan
```
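The commands above are usually run one at a time and eyeballed, but the real value comes from cross-referencing plugin output. The script below is an added example (not part of the original note or of Volatility itself): it assumes Volatility 3's JSON renderer (`-r json`), which emits a list of row dicts keyed by column name with nested rows under `__children`, and it builds the correctly ordered command lines from the cheat sheet. The `PSLIST_JSON` and `PSSCAN_JSON` rows are constructed to look like pslist/psscan output for a small image, not taken from a real dump. It flags processes that psscan carves out of memory but pslist does not see (the classic unlinked-process sign), while ignoring terminated processes that psscan legitimately finds, and it lists processes whose parent PID is not in the listing.

```python
"""Triage helper for Volatility 3 process listings (added example, not part of the
original note or of Volatility). Assumes the `-r json` renderer output format:
a list of row dicts keyed by column name, with nested rows under "__children"."""
import json
import shlex


def vol3_command(image, plugin, pid=None, renderer="json"):
    """Build a Volatility 3 command line. Plugin-specific options such as --pid
    belong after the plugin name (a frequent carry-over mistake from Volatility 2)."""
    cmd = ["volatility", "-f", image, "-r", renderer, plugin]
    if pid is not None:
        cmd += ["--pid", str(pid)]
    return shlex.join(cmd)


# Constructed sample rows (hypothetical PIDs, offsets and names, not from a real image).
# pslist walks the kernel's EPROCESS linked list; psscan carves EPROCESS structures
# from raw memory, so a process unlinked by a rootkit appears only in psscan.
PSLIST_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Offset(V)": 0x8a1b2c30, "ExitTime": None, "__children": []},
    {"PID": 584, "PPID": 4, "ImageFileName": "smss.exe", "Offset(V)": 0x8a2c0020, "ExitTime": None, "__children": []},
    {"PID": 1488, "PPID": 1464, "ImageFileName": "explorer.exe", "Offset(V)": 0x8a3d1100, "ExitTime": None, "__children": []},
    {"PID": 1640, "PPID": 1488, "ImageFileName": "reader_sl.exe", "Offset(V)": 0x8a3e2200, "ExitTime": None, "__children": []},
    {"PID": 2000, "PPID": 3012, "ImageFileName": "svchost.exe", "Offset(V)": 0x8a3f3300, "ExitTime": None, "__children": []},
])
PSSCAN_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Offset(V)": 0x8a1b2c30, "ExitTime": None, "__children": []},
    {"PID": 584, "PPID": 4, "ImageFileName": "smss.exe", "Offset(V)": 0x8a2c0020, "ExitTime": None, "__children": []},
    {"PID": 1488, "PPID": 1464, "ImageFileName": "explorer.exe", "Offset(V)": 0x8a3d1100, "ExitTime": None, "__children": []},
    {"PID": 1640, "PPID": 1488, "ImageFileName": "reader_sl.exe", "Offset(V)": 0x8a3e2200, "ExitTime": None, "__children": []},
    {"PID": 2000, "PPID": 3012, "ImageFileName": "svchost.exe", "Offset(V)": 0x8a3f3300, "ExitTime": None, "__children": []},
    # terminated process still resident in memory: expected, not suspicious by itself
    {"PID": 900, "PPID": 1488, "ImageFileName": "notepad.exe", "Offset(V)": 0x8a404400, "ExitTime": "2012-07-22 02:45:00", "__children": []},
    # running process absent from the linked list: the hidden-process signal
    {"PID": 3012, "PPID": 1488, "ImageFileName": "rundll32.exe", "Offset(V)": 0x8a415500, "ExitTime": None, "__children": []},
])


def load_rows(json_text):
    """Flatten renderer output, descending into __children (pstree nests rows;
    pslist and psscan leave the list empty)."""
    flat = []

    def walk(rows):
        for row in rows:
            flat.append(row)
            walk(row.get("__children", []))

    walk(json.loads(json_text))
    return flat


def hidden_processes(pslist_rows, psscan_rows):
    """Running processes that psscan carved but pslist did not enumerate.
    Rows with an ExitTime are skipped: psscan routinely finds dead processes."""
    listed = {r["PID"] for r in pslist_rows}
    return sorted(
        (r["PID"], r["ImageFileName"])
        for r in psscan_rows
        if r["PID"] not in listed and not r.get("ExitTime")
    )


def orphaned_processes(rows):
    """Processes whose parent PID is not in the listing. Some orphans are normal
    (explorer.exe's parent userinit.exe exits), so treat this as a lead, not a verdict."""
    pids = {r["PID"] for r in rows}
    return sorted(
        (r["PID"], r["ImageFileName"], r["PPID"])
        for r in rows
        if r["PPID"] != 0 and r["PPID"] not in pids
    )


if __name__ == "__main__":
    print(vol3_command("cridex.vmem", "windows.pslist.PsList"))
    print(vol3_command("cridex.vmem", "windows.dlllist.DllList", pid=512))
    pslist, psscan = load_rows(PSLIST_JSON), load_rows(PSSCAN_JSON)
    print("hidden:", hidden_processes(pslist, psscan))
    print("orphans (pslist only):", orphaned_processes(pslist))
    print("orphans (merged view):", orphaned_processes(psscan))
```

In the constructed data, svchost.exe (PID 2000) looks orphaned in the pslist view alone, but the merged psscan view shows its parent is the unlinked rundll32.exe, which is exactly the kind of relationship worth chasing with dlllist, netscan and handles next.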

Here is a good Volatility 3 cheatsheet by Ashley Pearson that you might be interested in. It covers the differences between the commands used in Volatility 2.x and 3.x and is pretty neat imo :)