Memory Forensics

Gathering Memory

There are a handful of different tools which can be used to gather memory. Some of these include:

• winpmem (https://github.com/Velocidex/WinPmem)

  • winpmem_mini_x64.exe physmem.raw

• procdump (https://learn.microsoft.com/en-us/sysinternals/downloads/procdump)

• FTK Imager

IMPORTANT WHEN GATHERING MEMORY

Always make sure that the OS information is gathered in conjuction with the image information! This can be achieved on windows machines with the ver command. After, we can grep for the version information through the vol.py --info output.

Analyzing Memory

Volatility is one of the most common tools to use in memory investigations.

How to Use Volatility for Memory Forensics and Analysis | VaronisVaronis

Keep in mind that the current release of Volatility still uses Python 2, and the newest version of volatility is still in beta.

Volatility Usage

./vol.py -f [image file] --profile [profile] [plugin]

In order to use this effectively, we need to know the profile of the memory image before we can analyze it properly. This is because each separate version of OS, including minor releases, can have drastically different locations in memory where objects are stored.

The following env vars can be set to speed up the usage of Volatility and prevent having to type in the file location and profile info for each run.

• VOLATILITY_LOCATION

• VOLATILITY_PROFILE

Common Plugins

References

How to Use Volatility for Memory Forensics and Analysis | VaronisVaronis