Ransomware analysis with Volatility


In this article, we’ll look at the Volatility framework and how to use it to analyze ransomware, covering the capabilities of the tool that support forensic analysis of a memory image.

For this article, we’ll be analyzing two notorious ransomware families, WannaCry and Jigsaw. All malware handled in this article is run inside a sandboxed environment.

A brief overview of the Volatility framework

The Volatility framework is an open-source memory forensics tool that is maintained by the Volatility Foundation. The Volatility Foundation is an NGO that also conducts workshops and contests to educate participants on cutting-edge research on memory analysis.

Volatility allows memory analysts to extract artifacts from captured RAM (a memory dump). This works regardless of the platform on which the tool itself runs; memory images from all of the major operating systems are supported.

The source code can be found here. However, if you are on Kali Linux, it is installed by default. On Debian-based systems, simply install it using the following command:

sudo apt-get install volatility

The main advantages of Volatility over other memory analysis tools include:

  1. It is written in Python: Many memory analysts are comfortable with Python scripting, so they find Volatility easier to work with than a tool such as WinDbg, which requires learning its own scripting syntax
  2. It is cross-platform: Volatility can run on any platform that supports Python, so you don’t have to waste time downloading or installing .NET libraries or DLLs for support
  3. It is open-source: Being open-source allows more and more analysts to contribute to the development of Volatility. It also means you don’t have to pay for a tool that gives you the same capabilities as a paid tool, or more
  4. It is extensively scriptable: You (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: