Memory Forensics
Gathering and analyzing memory images
Last updated
Gathering and analyzing memory images
Last updated
There are a handful of different tools which can be used to gather memory. Some of these include:
winpmem (https://github.com/Velocidex/WinPmem)
winpmem_mini_x64.exe physmem.raw
FTK Imager
Always make sure that the OS information is gathered in conjuction with the image information! This can be achieved on windows machines with the ver command. After, we can grep for the version information through the vol.py --info output.
Volatility is one of the most common tools to use in memory investigations.
Keep in mind that the current release of Volatility still uses Python 2, and the newest version of volatility is still in beta.
./vol.py -f [image file] --profile [profile] [plugin]
In order to use this effectively, we need to know the profile of the memory image before we can analyze it properly. This is because each separate version of OS, including minor releases, can have drastically different locations in memory where objects are stored.
The following env vars can be set to speed up the usage of Volatility and prevent having to type in the file location and profile info for each run.
VOLATILITY_LOCATION
VOLATILITY_PROFILE
| Plugin | Purpose |
|---|---|
-h [plugin]
Learn plugin options for individual plugin
--info
List all available plugins
imageinfo
Attempt to determine OS of image (slow)
kdbgscan
Attempt to determine OS of image (slow)
pslist
List system processes
pstree
List processes in a tree format, showing parents and relationships
psscan
Search for potentially hidden processes
netscan
Search for active and listening sockets
userassist
Track program usage from GUI
cmdline
Identify command line for processes which were running
printkey
Print the output of a registry key
svcscan
List services on the system
dlllist
List DLLs for each process
