# Memory Forensics

## Gathering Memory

There are a handful of different tools which can be used to gather memory. Some of these include:

* winpmem (<https://github.com/Velocidex/WinPmem>)
  * `winpmem_mini_x64.exe physmem.raw`
* procdump (<https://learn.microsoft.com/en-us/sysinternals/downloads/procdump>)
* FTK Imager

### IMPORTANT WHEN GATHERING MEMORY

Always <mark style="color:yellow;">make sure that the OS information is gathered</mark> in conjuction with the image information! This can be achieved on windows machines with the `ver` command. After, we can `grep` for the version information through the `vol.py --info` output.

## Analyzing Memory

Volatility is one of the most common tools to use in memory investigations.

{% embed url="<https://www.varonis.com/blog/how-to-use-volatility>" %}

Keep in mind that the current release of Volatility still uses Python 2, and the newest version of volatility is still in beta.

### Volatility Usage

`./vol.py -f [image file] --profile [profile] [plugin]`

In order to use this effectively, we need to know the profile of the memory image before we can analyze it properly. This is because each separate version of OS, including minor releases, can have drastically different locations in memory where objects are stored.

The following env vars can be set to speed up the usage of Volatility and prevent having to type in the file location and profile info for each run.

* `VOLATILITY_LOCATION`
* `VOLATILITY_PROFILE`

### Common Plugins

| Plugin        | Purpose                                                            |
| ------------- | ------------------------------------------------------------------ |
| `-h [plugin]` | Learn plugin options for individual plugin                         |
| `--info`      | List all available plugins                                         |
| `imageinfo`   | Attempt to determine OS of image (slow)                            |
| `kdbgscan`    | Attempt to determine OS of image (slow)                            |
| `pslist`      | List system processes                                              |
| `pstree`      | List processes in a tree format, showing parents and relationships |
| `psscan`      | Search for potentially hidden processes                            |
| `netscan`     | Search for active and listening sockets                            |
| `userassist`  | Track program usage from GUI                                       |
| `cmdline`     | Identify command line for processes which were running             |
| `printkey`    | Print the output of a registry key                                 |
| `svcscan`     | List services on the system                                        |
| `dlllist`     | List DLLs for each process                                         |

## References

{% embed url="<https://www.varonis.com/blog/how-to-use-volatility>" %}