RAM Forensics using Volatility



Volatility is a free memory forensics tool developed and maintained by Volatility Labs. Regarded as the gold standard for memory forensics in incident response, Volatility is widely extensible via a plugin system and is an invaluable tool for any Blue Teamer.


Obtaining a Memory Sample

Obtaining a memory capture from a machine can be done in numerous ways; however, the easiest method will often vary depending on what you're working with. For example, live machines (turned on) can have their memory captured with one of the following tools:

- FTK Imager
- Redline
- DumpIt.exe
- win32dd.exe / win64dd.exe (has fantastic PsExec support, great for IT departments if your EDR solution doesn't support this)


Offline machines, however, can have their memory pulled relatively easily as long as their drives aren't encrypted. For Windows systems, this can be done by pulling the following file:

%SystemDrive%\hiberfil.sys


hiberfil.sys, better known as the Windows hibernation file, contains a compressed memory image from the previous boot. Microsoft Windows systems use this in order to provide faster boot-up times; however, we can use this file in our case for some memory forensics!

Things get even more exciting when we start to talk about virtual machines and memory captures. Here's a quick sampling of the memory capture process or file containing a memory image for different virtual machine hypervisors:

- VMware - .vmem file
- Hyper-V - .bin file
- Parallels - .mem file
- VirtualBox - .sav file (this is only a partial memory file; you'll need to dump memory like a normal bare-metal system for this hypervisor)


These files can often be found simply in the data store of the corresponding hypervisor and can often be copied without shutting the associated virtual machine off. This allows for virtually zero disturbance to the virtual machine, preserving its forensic integrity.


Practical:--

1. Let us take an image file, say cidex.vmem.




2. Then we will try to discover the suggested profiles and use the suitable one.



3. Then we will check the running processes.



4. We can also scan the network connections using the netscan command.



5. Let us check for hidden processes using psxview.


6. Check the values; our main suspects are the entries with False values.

7. Let us check that in depth using ldrmodules.


We can see that, apart from System and csrss.exe, a process whose values are all False is trying to hide itself.

8. Then we will run the apihooks command; if any entry shows `Hooking module: <unknown>`, that process is most probably infected. Using the `apihooks` command we can view unexpected patches in the standard system DLLs. This command will take a while to run; however, it will show you all of the extraneous code introduced by the malware.


9. Injected code can be a huge issue and is highly indicative of very, very bad things. We can check for this with the command `malfind`. Using the full command `volatility -f MEMORY_FILE.raw --profile=PROFILE malfind -D <Destination Directory>` we can not only find this code, but also dump it to our specified directory.


10. We can view all of the DLLs loaded into memory. DLLs are shared system libraries utilized by system processes. These are commonly subjected to hijacking and other side-loading attacks, making them a key target for forensics. Let's list all of the DLLs in memory now with the command `dlllist`.


11. Now that we've seen all of the DLLs loaded in memory, let's go a step further and pull them out! Do this now with the command `volatility -f MEMORY_FILE.raw --profile=PROFILE --pid=PID dlldump -D <Destination Directory>`, where PID is the process ID of the infected process we identified earlier.

12. We can check the dumped files on VirusTotal, which will most probably identify the malware.
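As an added example (not from the original post or the Volatility project), here is a small Python helper that applies the rules from steps 5 to 7 to saved psxview and ldrmodules output: a process that psscan finds but pslist does not, and a module whose three loader-list flags are all False. The sample tables, offsets and PIDs are constructed, and reader_sl.exe is a made-up suspect process name.

```python
"""Flag hidden processes and unlinked modules in Volatility 2 psxview / ldrmodules output."""

# Constructed sample of `volatility -f cidex.vmem --profile=PROFILE psxview` output
# (fake offsets and PIDs, not from a real case). Each column after PID is one
# process-enumeration source; False means that source did not see the process.
PSXVIEW_SAMPLE = """
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003e6f2030 System                    4 True   True   True     True   False False   False
0x000000003d3c8b30 csrss.exe               416 True   True   True     True   False True    True
0x000000003e0a9d40 explorer.exe           1832 True   True   True     True   True  True    True
0x000000003c2e1020 reader_sl.exe          1640 False  True   True     True   True  True    True
"""

# Constructed `ldrmodules` output. InLoad/InInit/InMem say whether the module is
# linked into each of the PEB's three loader lists. A main executable is never in
# the init list, so only all three False is the hiding/injection signal.
LDRMODULES_SAMPLE = r"""
Pid      Process              Base               InLoad InInit InMem MappedPath
-------- -------------------- ------------------ ------ ------ ----- ----------
    1832 explorer.exe         0x00000000ff7c0000 True   False  True  \Windows\explorer.exe
    1832 explorer.exe         0x0000000077310000 True   True   True  \Windows\System32\ntdll.dll
    1640 reader_sl.exe        0x0000000000400000 False  False  False \Users\victim\AppData\Local\Temp\reader_sl.exe
"""

VIEW_COLUMNS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]


def _data_rows(text):
    """Yield the whitespace-split tokens of data rows, skipping header/separator lines."""
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0][0].isdigit():  # offsets (0x...) and PIDs start with a digit
            yield tokens


def hidden_processes(psxview_text):
    """Return (pid, name) for processes missing from pslist but found by psscan's pool-tag
    scan: the classic sign of a process unlinked from the live process list (steps 5-6)."""
    found = []
    for tokens in _data_rows(psxview_text):
        views = dict(zip(VIEW_COLUMNS, tokens[3:]))
        if views["pslist"] == "False" and views["psscan"] == "True":
            found.append((int(tokens[2]), tokens[1]))
    return found


def unlinked_modules(ldrmodules_text):
    """Return (pid, process, path) for modules with InLoad, InInit and InMem all False (step 7)."""
    return [(int(t[0]), t[1], " ".join(t[6:])) for t in _data_rows(ldrmodules_text)
            if t[3:6] == ["False"] * 3]
```

Feed it the redirected output of the real psxview and ldrmodules runs (`volatility ... psxview > psxview.txt`) and the two lists give you the PIDs to carry into the apihooks, malfind and dlldump steps.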







credits:--
tryhackme.com
