Memory Forensics
Gathering and analyzing memory images
Gathering Memory
There are a handful of different tools which can be used to gather memory. Some of these include:
winpmem (https://github.com/Velocidex/WinPmem)
winpmem_mini_x64.exe physmem.raw
FTK Imager
IMPORTANT WHEN GATHERING MEMORY
Always make sure that the OS information is gathered in conjuction with the image information! This can be achieved on windows machines with the ver command. After, we can grep for the version information through the vol.py --info output.
Analyzing Memory
Volatility is one of the most common tools to use in memory investigations.
Keep in mind that the current release of Volatility still uses Python 2, and the newest version of volatility is still in beta.
Volatility Usage
./vol.py -f [image file] --profile [profile] [plugin]
In order to use this effectively, we need to know the profile of the memory image before we can analyze it properly. This is because each separate version of OS, including minor releases, can have drastically different locations in memory where objects are stored.
The following env vars can be set to speed up the usage of Volatility and prevent having to type in the file location and profile info for each run.
VOLATILITY_LOCATIONVOLATILITY_PROFILE
Common Plugins
| Plugin | Purpose |
|---|---|
| Learn plugin options for individual plugin |
| List all available plugins |
| Attempt to determine OS of image (slow) |
| Attempt to determine OS of image (slow) |
| List system processes |
| List processes in a tree format, showing parents and relationships |
| Search for potentially hidden processes |
| Search for active and listening sockets |
| Track program usage from GUI |
| Identify command line for processes which were running |
| Print the output of a registry key |
| List services on the system |
| List DLLs for each process |
References
Last updated
