Memory Forensics and Analysis Using Volatility

Volatility is one of the best open source programs for analyzing RAM captured from 32-bit and 64-bit systems. It supports analysis of Linux, Windows, Mac, and Android memory. It is written in Python and runs on Windows, Linux, and Mac. It can analyze raw dumps, crash dumps, VMware dumps (.vmem), VirtualBox dumps, and many other formats.


Installation

The Volatility software may be downloaded from here:

https://code.google.com/p/volatility/downloads/list

It also comes pre-installed with Backtrack 5 R3, which I am presently using.

Demo Tutorial

Selecting a Profile

Before performing any analysis with Volatility we need to set a profile, which tells Volatility what operating system the dump came from, such as Windows XP, Vista, a Linux flavor, etc.

We have a memory dump with us but do not know which operating system it belongs to, so we use the imageinfo plug-in to find out.

I have also explained how to take a memory dump using the Helix ISO at the end of the document, for people who might be new to it.

Type ./vol.py imageinfo -f <path to the memory dump>

From the above screenshot, we can see that Volatility suggests using the profile for Windows XP SP2 x86 or Windows XP SP3 x86. Let us select Windows XP SP2 x86. Note that WinXPSP2x86 is also the default profile Volatility falls back to if we do not set one explicitly, so always confirm the choice against the imageinfo output rather than relying on the default.

Here is the list of the available profiles in Volatility. We can see all Windows profiles here; the Linux profiles will be included in future updates. So, if we are using Linux, we will need to create our own profile.
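The profile-selection step above is easy to automate and easy to get wrong (the default profile silently applies if the suggestion is ignored). The following is an added example, not code from the original post or from the Volatility project: it parses the "Suggested Profile(s)" line of imageinfo output, refuses to continue when no profile was suggested, and runs the next plugin with an explicit --profile. The vol.py path, dump path and the imageinfo output embedded below are assumed or constructed.

```python
import re
import subprocess

# Constructed sample of what "vol.py imageinfo -f <dump>" prints for the
# Windows XP dump discussed above; not captured from a real system.
SAMPLE_IMAGEINFO = """Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/xp.vmem)
                      PAE type : PAE
                           DTB : 0x319000L
"""

PROFILE_RE = re.compile(r"Suggested Profile\(s\)\s*:\s*(.+)")

def parse_suggested_profiles(imageinfo_output):
    """Return the profiles imageinfo suggests, in the order it printed them.
    An empty list means the KDBG scan found nothing; Volatility would then
    fall back to its WinXPSP2x86 default, which must not be trusted blindly."""
    match = PROFILE_RE.search(imageinfo_output)
    if not match:
        return []
    names = match.group(1).split("(")[0]  # drop "(Instantiated with ...)"
    if names.strip() == "No suggestion":   # wording Volatility 2 uses on failure
        return []
    return [p.strip() for p in names.split(",") if p.strip()]

def build_command(vol_path, dump_path, profile, plugin):
    """argv for running one Volatility 2 plugin with an explicit profile."""
    return [vol_path, "-f", dump_path, "--profile=" + profile, plugin]

def run(argv):
    """Execute vol.py and return its stdout (raises on a non-zero exit)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout

def analyze(vol_path, dump_path, plugin="pslist", runner=run):
    """imageinfo -> first suggested profile -> run the requested plugin.
    `runner` is injectable so the flow can be exercised without a real dump."""
    info = runner([vol_path, "-f", dump_path, "imageinfo"])
    profiles = parse_suggested_profiles(info)
    if not profiles:
        raise RuntimeError("imageinfo suggested no profile; choose one by hand")
    return profiles[0], runner(build_command(vol_path, dump_path, profiles[0], plugin))
```

With a real dump, `analyze("./vol.py", "/cases/xp.vmem")` performs the two-command sequence shown in this section; when imageinfo offers more than one profile, review the list rather than assuming the first entry is right.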

Viewing Running Processes

This plug-in gives us the option to view all processes that were running on the particular system at the time the memory dump was

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Aditya Balapure. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/xU2E1LSD_yc/