
Volatility Is an Essential DFIR Tool—Here's Why

Written by Remi Olatona


Open-source software has robust forensics capabilities

Digital forensics and incident response (DFIR) analysts constantly face the challenge of quickly acquiring and extracting value from raw digital evidence. Investigators must make sense of unfiltered records of all attacker activity captured during an incident. They need to analyze that activity against data at rest, data in motion, and data in use. And they must accomplish all this while operating within resource constraints. That's why DFIR analysts should have open-source software (OSS) in their toolkits.

Volatility is a command-line tool that lets DFIR teams acquire and analyze the volatile data that is temporarily stored in random access memory (RAM). Such data often contains critical clues for investigators. Volatility's extraction techniques run completely independently of the system being investigated, yet still offer visibility into that system's runtime state. What's more, Volatility's source code is freely available for inspection, modification, and enhancement—and that brings organizations financial advantages along with improved security.

Memory Acquisition

Memory acquisition is the process of dumping the memory of the physical device of interest (Windows, Linux, or Unix). With Volatility, this process can also be applied to hibernation files, crash dumps, pagefiles, and swap files. For memory acquisition, DFIR analysts can also use tools like Win32dd/Win64dd, Memoryze, DumpIt, and FastDump.

And on a virtual machine (VM), analysts can use Volatility to easily acquire the memory image by suspending the VM and grabbing the ".vmem" file.


Memory Forensics

Analysts can use Volatility for memory forensics by leveraging its plug-ins to identify rogue processes, analyze process dynamic link libraries (DLLs) and handles, review network artifacts, and look for evidence of code injection. Volatility has multiple plug-ins that enable the analyst to analyze RAM from 32-bit and 64-bit systems. These plug-ins also let DFIR analysts extract processes, drivers, and objects, and check for signs of a rootkit running on the device of interest at the time of infection.

Once the memory image has been acquired, the next step is to analyze the resulting memory dump file for forensic artifacts. Memory image analysis can reveal which processes were running, which files were created, what the users were doing, and the overall state of the device of interest at the time of the incident.

The Device Operating System (OS)

Volatility is written in Python and supports Microsoft Windows, Mac OS X, and Linux operating systems. Volatility requires the OS profile name of the memory dump file. The "imageinfo" plug-in command lets Volatility suggest an OS profile and identify the dump file's OS, version, and architecture.

The Process Identifier

The process identifier (PID) is automatically assigned to each process when it is created on Windows, Linux, and Unix. Each running process has a unique decimal "process ID" assigned to it.

PIDs only identify a process during that process's lifetime and are reused over time, so a PID does not identify processes that are no longer running. The PID helps to identify specific processes of interest using the "pslist" plug-in command.
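Because a PID is only unique for the lifetime of its process, an analyst reading pslist output should key on PID plus creation time rather than PID alone. The script below is an added example, not code from the original post or from the Volatility project: it parses a constructed, tab-separated windows.pslist listing (the column layout is assumed) and flags exited processes, reused PIDs, and core Windows processes whose parent is not the expected one (the parent table is an assumption for the example).

```python
"""Triage a Volatility 3 windows.pslist dump: flag processes that have exited,
PIDs that were reused, and core Windows processes with an unexpected parent.
Added example; the pslist text and the parent table are constructed assumptions."""
from collections import defaultdict

# Constructed sample, tab-separated as Volatility 3's default renderer prints it.
PSLIST_OUTPUT = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xfa8000c8a040\t80\t500\tN/A\tFalse\t2021-03-01 08:00:00.000000\tN/A\tDisabled
484\t476\twininit.exe\t0xfa8001a7c060\t3\t75\t0\tFalse\t2021-03-01 08:00:03.000000\tN/A\tDisabled
544\t484\tlsass.exe\t0xfa8001ad3b30\t7\t612\t0\tFalse\t2021-03-01 08:00:04.000000\tN/A\tDisabled
2120\t1844\tlsass.exe\t0xfa8001f40b30\t1\t41\t1\tFalse\t2021-03-01 09:12:44.000000\tN/A\tDisabled
3008\t1844\tnotepad.exe\t0xfa80020c1060\t1\t64\t1\tFalse\t2021-03-01 09:05:10.000000\t2021-03-01 09:06:02.000000\tDisabled
3008\t1844\tcmd.exe\t0xfa80021a2b30\t2\t33\t1\tFalse\t2021-03-01 09:30:00.000000\tN/A\tDisabled
"""

# Parent each core process is expected to have on Windows (assumed for the example).
EXPECTED_PARENT = {"lsass.exe": "wininit.exe", "smss.exe": "system"}


def parse_pslist(text):
    """Turn pslist text into a list of dicts keyed by the header names."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        row["PID"], row["PPID"] = int(row["PID"]), int(row["PPID"])
        rows.append(row)
    return rows


def triage(rows):
    """Return (kind, pid, detail) findings for an analyst to follow up."""
    findings, by_pid = [], defaultdict(list)
    live = {r["PID"]: r["ImageFileName"] for r in rows if r["ExitTime"] == "N/A"}
    for r in rows:
        by_pid[r["PID"]].append(r)
        if r["ExitTime"] != "N/A":          # terminated but still in the list
            findings.append(("exited", r["PID"], r["ImageFileName"]))
        want = EXPECTED_PARENT.get(r["ImageFileName"].lower())
        actual = live.get(r["PPID"], "<parent not in list>")
        if want and actual.lower() != want:
            findings.append(("bad_parent", r["PID"], actual))
    # Same PID with two different create times means the number was handed out again.
    for pid, procs in by_pid.items():
        if len({p["CreateTime"] for p in procs}) > 1:
            findings.append(("pid_reused", pid, [p["ImageFileName"] for p in procs]))
    return findings
```

Running `triage(parse_pslist(PSLIST_OUTPUT))` on the sample reports the exited notepad.exe, the reuse of PID 3008 by cmd.exe, and the second lsass.exe whose parent is absent from the listing.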

The User's Activities

ShellBags is a popular Windows forensics artifact used to identify the existence of directories on local, network, and removable storage devices. DFIR teams can use Volatility's "ShellBags" plug-in command to identify the files and folders accessed by the user, including the last accessed item.

In Windows 7 through Windows 10, these artifacts are stored as a highly nested and hierarchical set of subkeys in the user's registry hives—in both NTUSER.DAT and USRCLASS.DAT. These locations can be found below:

  • NTUser.Dat: HKCU\Software\Microsoft\Windows\Shell
  • USRClass.Dat: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell

Volatility's plug-in parses and prints a file named "Shellbag_pdf" that identifies files, folders, zip files, and any installers that existed at one point on the system, even if the file has since been deleted. The plug-in also recovers file metadata, including, for instance, the file path, timestamp, and size.


Volatility can be used during an investigation to link artifacts from the device, network, file system, and registry to establish the list of all running processes, active and closed network connections, running Windows command prompts, screenshots, and clipboard contents from within the timeframe of the incident.

DFIR analysts not already using Volatility should seize the opportunity to learn more about how this very powerful open-source tool enables analysts to interact with the memory artifacts and files on a compromised device. See the reference links below for further guidance.


External References

Forensics – 2021; classification of extracted material is Unclassified

Volatility Integration in AXIOM – 2020; classification of extracted material is Unclassified


This blog series is brought to you by Booz Allen DarkLabs. Our DarkLabs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur.

This article is for informational purposes only; its content may be based on employees' independent research and does not represent the position or opinion of Booz Allen. Furthermore, Booz Allen disclaims all warranties in the article's content, does not recommend/endorse any third-party products referenced therein, and any reliance on and use of the article is at the reader's sole discretion and risk.
