https://github.com/divinemonk/memory_forensics_with_volatility
Memory Forensics with Volatility
https://github.com/divinemonk/memory_forensics_with_volatility
forensics memory memory-forensics volatility
Last synced: 10 months ago
JSON representation
Memory Forensics with Volatility
- Host: GitHub
- URL: https://github.com/divinemonk/memory_forensics_with_volatility
- Owner: Divinemonk
- License: mit
- Created: 2023-10-28T18:19:16.000Z (about 2 years ago)
- Default Branch: m41n
- Last Pushed: 2023-10-28T18:31:52.000Z (about 2 years ago)
- Last Synced: 2025-02-05T23:29:20.415Z (11 months ago)
- Topics: forensics, memory, memory-forensics, volatility
- Homepage:
- Size: 16.6 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Memory Forensics with Volatility
> https://www.volatilityfoundation.org/releases
## Obtaining Memory Samples
### Live machines
- memory image extractor
```
FTK Imager
Redline
DumpIt.exe
win32dd.exe / win64dd.exe (psexec)
```
- these tools will typically output a `.raw` file
### Offline machines
- windows:
- _windows hibernation file_ (`%SystemDrive%/hiberfil.sys`) stores compressed memory image from previous boot
### Virtual machines
- memory images
```
VMware - .vmem file
Hyper-V - .bin file
Parallels - .mem file
VirtualBox - .sav file
```
- can be found on data store of the corresponding hypervisor & can be copied without shuting vm off
- allows for virtually zero disturbance to the virtual machine, preserving it's forensic integrity
## [Eg.] examine `.vmem` memory sample
> [download memory sample](https://github.com/Divinemonk/memory_forensics_with_volatility/releases/download/mem_sample/cridexmemdump.zip)
### Basic commands
> tested using [volatility version 2.6 (linux standalone executable x64)](https://www.volatilityfoundation.org/26)
|command|details|
|---|---|
|`volatility -f MEMORY_FILE.raw imageinfo`|Profiles determine how _volatility_ treats our memory image since every version of windows is a little bit different.|
|`volatility -f MEMORY_FILE.raw --profile=PROFILE pslist`|Test these profiles using the pslist command, validating our profile selection by the sheer number of returned results.|
|`volatility -f MEMORY_FILE.raw --profile=PROFILE netscan`|View active network connections at the time of image creation.|
|`volatility -f MEMORY_FILE.raw --profile=PROFILE psxview`|View intentionally hidden processes.|
|`volatility -f MEMORY_FILE.raw --profile=PROFILE ldrmodules`|In addition to viewing hidden processes via psxview, we can also check this with a greater focus via the command 'ldrmodules'. Three columns will appear here in the middle, InLoad, InInit, InMem. If any of these are false, that module has likely been injected which is a really bad thing. On a normal system the grep statement above should return no output.|
|`volatility -f MEMORY_FILE.raw --profile=PROFILE apihooks`|View unexpected patches in the standard system DLLs. If we see an instance where Hooking module: that's really bad. This command will take a while to run, however, it will show you all of the extraneous code introduced by the malware.|
|`volatility -f MEMORY_FILE.raw --profile=PROFILE malfind -D `|Injected code can be a huge issue and is highly indicative of very very bad things. With `malfind` command, we can not only find this code, but also dump it to our specified directory.|
|`volatility -f MEMORY_FILE.raw --profile=PROFILE dlllist`|List all of the DLLs in memory.|
|`volatility -f MEMORY_FILE.raw --profile=PROFILE --pid=PID dlldump -D`|Dump the DLLs running in memory, where the PID is the process ID of the infected process|
### Post actions
- we spoted & extracted malicious code from infected process (done with basic forensics)
- now upload to code to [VirusTotal](https://www.virustotal.com/gui/home/upload) or [Hybrid Analysis](https://www.hybrid-analysis.com/) for checking any previous matches of malware