Volatility

Volatility is a python based command line tool that helps in analyzing virtual memory dumps. It provides a very good way to understand the importance as well as the complexities involved in Memory Forensics.

To install volatility,

1
sudo apt install volatility

Offset

The start of a file or the start of a memory address is called offset(by default, virtual offset).

PID

When a process is started, it is given a unique number called process ID (PID) that identifies that process to the system. If you ever need to kill a process, for example, you can refer to it by its PID. Since each PID is unique, there is no ambiguity or risk of accidentally killing the wrong process (unless you enter the wrong PID).

PPID

The PPID is the PID of the process’s parent. To understand this, let us look at an example. Consider a process A with a PID 1. Suppose this process calls upon another process say B. So as far as this scenario is considered, B is actually a child process of A. So the PPID of B will be the PID of A.

Plugins

A plugin is a software component that adds a specific feature to an existing computer program. When a program supports plugins, it enables customization. In volatility along with the profile, we give the plugins as the input to get the desired output.

imageinfo

This particular command is most often used to identify the operating system, service pack, and hardware architecture (32 or 64 bit).

The imageinfo output tells you the suggested profile that you should pass as the parameter to --profile=PROFILE when using other plugins. There may be more than the one suggested profile and we must be careful to select the correct one. As you can see this command helps you to know the suggested profiles, the date and time dump image were created and no of processors.

pslist

This is a significantly used plugin which helps in listing the details of the processes which were running when the dump was taken. It shows the offset, process name, process ID(PID), the parent process ID(PPID), number of threads, number of handles, and date/time when the process started and exited. However, pslist fails to show hidden/terminated processes. The plugin which solves this problem is psscan. Try it out!!

pstree

To view the process listing in tree form, use the pstree command. This plugin uses the same approach as pslist hence it'll not display the hidden/terminated processes.

But the one advantage that this plugin gives is that we can easily identify the parent & child processes.

cmdscan

The cmdscan plugin searches the memory for conhost.exe on Windows 7 Operating systems. This is one of the most powerful commands you can use to gain visibility into an attackers actions on a victim system, whether they opened cmd.exe

This plugin finds structures known as COMMAND_HISTORY by looking for a known constant value (MaxHistory) and then applying sanity checks.

To put it simply, you can see the content that the attacker typed in the command prompt.

img

By default, the value in MAXHistory is set to 50. We can change that. Also, cmdscan can print up to 50 commands. We can increase that by adding  --max_history=NUMBER along with the plugin command.

consoles

To put it quite simply, consoles display the same content as cmdscan.

However, the advantage that consoles gives is that it also prints the output which was displayed for a specific instruction given in the command prompt.

filescan

This will find open files even if a rootkit is hiding the files on disk and if the rootkit hooks some API functions to hide the open handles on a live system. The output shows the physical offset of the FILE_OBJECT, file name, number of pointers to the object, number of handles to the object, and the effective permissions granted to the object. img

dumpfiles

An important concept that everyone who has worked on the study of Operating Systems is the idea of caching. Files are cached in memory for system performance as they are accessed and used. This makes cache an important source for collecting valuable info.

The dumpfiles plugin has many options. Let us have a look at what they are:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
-r REGEX, --regex=REGEX
                        Dump files matching REGEX
  -i, --ignore-case     Ignore case in pattern match
  -o OFFSET, --offset=OFFSET
                        Dump files for Process with physical address OFFSET
  -Q PHYSOFFSET, --physoffset=PHYSOFFSET
                        Dump File Object at physical address PHYSOFFSET
  -D DUMP_DIR, --dump-dir=DUMP_DIR
                        Directory in which to dump extracted files
  -S SUMMARY_FILE, --summary-file=SUMMARY_FILE
                        File where to store summary information
  -p PID, --pid=PID     Operate on these Process IDs (comma-separated)
  -n, --name            Include extracted filename in output file path
  -u, --unsafe          Relax safety constraints for more data
  -F FILTER, --filter=FILTER
                        Filters to apply (comma-separated)

envars

To display a process’s environment variables, use the envars plugin. Typically this will show the number of CPUs installed and the hardware architecture, the process’s current directory, temporary directory, session name, computer name, username, and various other interesting artefacts.

hashdump

So here's the fun and exciting part. You can literally get the hashes of the domain credentials stored in the registry using hashdump. What I mean to say is that you can actually get the passwords of the users. These will be mostly md5 hashes. These hashes can be cracked by using online md5 hash crackers.