Everything in the OS traverses RAM:
Network sockets and URLs
Windows Registry keys
Passwords, caches and clipboards
User-generated content
DIGITAL FORENSIC ANALYSIS
Goals of Digital Forensics
Identify digital evidence
Generally only a part of a crime investigation:
unauthorized use of corporate computers
any physical crime whose suspect had a computer
Three major phases:
Which data count as digital evidence?
The goal is to save the state of the digital system for analysis.
Similar to taking photographs, fingerprints and blood samples from a crime scene.
The allocated and unallocated areas of a hard disk are copied; the copy is known as an image.
Tools are used to copy data from the suspect storage device to a trusted device.
Tools must modify the suspect device as little as possible and copy all data.
Examine the acquired data to identify pieces of evidence.
Acquisition: MoonSols kit for obtaining a memory image. An advanced toolkit for Windows physical memory snapshot management.
Designed to deal with: A) the Microsoft Windows hibernation file (from Microsoft Windows XP to Microsoft Windows 7, both 32-bit and 64-bit (x64) editions); B) Microsoft full memory crash dumps (both 32-bit and 64-bit (x64) editions); C) raw memory dump files (from memory acquisition tools like win32dd or win64dd, or from virtualization applications like VMware).
Contains new versions of win32dd and win64dd.
C:\win32dd.exe /l /f mem1.vmem
Parse memory structures
Executive Process Blocks
Process Environment Blocks
Track loaded DLLs
Virtual Address Descriptors
Process memory sections
Scan for outliers
Unlinked process DLLs, sockets and threads
Unmapped pages with execute privilege
Known heuristics and signatures
Analysis of memory through Volatility
An open collection of tools, implemented in Python under the GNU General Public License, for the extraction
of digital artifacts from volatile memory (RAM).
The extraction techniques are performed independently of the system being investigated but offer unprecedented visibility into the runtime state of the system.
Intended to introduce people to:
the techniques and complexities associated with extracting digital artifacts from volatile memory samples
and to encourage work in this exciting area of research.
Volatility supports x86 Windows versions:
Windows XP SP 2, 3
Windows 2003 Server SP 0, 1, 2
Windows Vista SP 0, 1, 2
Windows 2008 Server SP 1, 2
Windows 7 SP 0, 1
Image date and time
Open network sockets and connections
DLLs loaded for a process
Open registry handles
Process addressable memory
OS kernel modules
Mapping a physical offset to a virtual address
Virtual Address Descriptor information
Scanning for processes, threads and modules
Extract executables from memory samples
Static RAM analysis from an image or against a live system.
Enumerate all running processes, including those hidden by
rootkits, and display associated DLLs, network sockets and handles in context.
Dump a process and associated DLLs for further analysis in third-party tools.
Memory string search allows you to identify hits in memory and automatically map them back to a given process, DLL or piece of unallocated space and dump the corresponding item.
Volatility provides VAD tree analysis and exposes registry artifacts in memory and will parse and display handle information from memory.
Legitimate process? Spelled correctly? Matches system context?
Appropriate path for the system executable, or running from a user or temp directory?
Is the parent process what you would expect?
Was the process started at boot (with other system processes) or near the time of a known incident?
a) Spot hidden processes: psxview
b) List all processes: pslist, psscan
c) Show a registry key: printkey -K key
d) Extract process image: procexedump
e) Extract process memory: memdump, vaddump
f) List open handles, files, DLLs and mutant objects: handles, filescan, dlllist,
g) List services, drivers and modules: svcscan, driverscan, modules,
h) View network activity: connscan, connections, sockets, sockscan, netscan
i) View activity timeline: timeliner, evtlogs
j) Find and extract malware: malfind, apihooks
Used for knowing what type of system your image came from.
The output shows the suggested profile, which you should pass to other commands as the parameter --profile=PROFILE.
$ volatility -f imagename imageinfo
For the most accurate and fastest results, supply the profile and KDBG to the other Volatility commands.
Used to list the processes of a system. Walks the doubly-linked list pointed to by PsActiveProcessHead. Does not detect hidden or unlinked processes.
Syntax: $ volatility --profile=profilename -f mem1.vmem pslist
Used for viewing the process listing in tree form. Enumerates processes using the same technique
as pslist. Child processes are indicated using indentation and periods.
$ volatility --profile=profilename -f imagename pstree
To enumerate processes using pool tag scanning, use this command.
Finds processes that were previously terminated (inactive) and processes hidden or unlinked by a rootkit.
$ volatility -f imagename psscan
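As an added example (not from these slides or from the Volatility project), the script below cross-references pslist output against psscan output the way psxview does, and applies the process checks listed earlier (name spelled correctly? parent what you would expect?) to each process. The two listings are constructed samples, and the KNOWN/PARENT baseline and the digit-for-letter look-alike rule are assumptions of this example, not Volatility features.

```python
import re
from collections import namedtuple
Proc = namedtuple("Proc", "offset name pid ppid")
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
# Constructed sample output in the Volatility 2.x column layout (not from a real image).
PSLIST = """\
Offset(V)  Name           PID  PPID Thds Hnds Sess Wow64 Start
0x823c89c8 System           4     0   58  379 ---- 0
0x82195b38 smss.exe       548     4    3   19 ---- 0 2010-08-11 06:06:21
0x81e6e7d8 winlogon.exe   632   548   22  516    0 0 2010-08-11 06:06:23
0x81e47da0 services.exe   680   632   16  261    0 0 2010-08-11 06:06:24
0x81e55020 svchost.exe    928   680   10  203    0 0 2010-08-11 06:06:25
"""
PSSCAN = """\
Offset(P)  Name           PID  PPID PDB        Time created
0x023c89c8 System           4     0 0x00319000
0x02195b38 smss.exe       548     4 0x0a55c000 2010-08-11 06:06:21
0x01e6e7d8 winlogon.exe   632   548 0x0d6fb000 2010-08-11 06:06:23
0x01e47da0 services.exe   680   632 0x0d61c000 2010-08-11 06:06:24
0x01e55020 svchost.exe    928   680 0x0d5c1000 2010-08-11 06:06:25
0x01f4a020 svch0st.exe   1640   928 0x0e3a2000 2010-08-11 06:30:02
0x01f6b8a0 lsass.exe     1712   928 0x0e4c1000 2010-08-11 06:30:05
"""
# Hypothetical baseline (an assumption, not from the slides): core process names and
# the parent each is expected to have on this system (XP-style process layout).
KNOWN = {"system", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
PARENT = {"smss.exe": "system", "winlogon.exe": "smss.exe", "services.exe": "winlogon.exe",
          "lsass.exe": "winlogon.exe", "svchost.exe": "services.exe"}
LOOKALIKE = str.maketrans("01", "ol")  # common digit-for-letter substitutions in names

def parse_ps(text):
    # {pid: Proc}; the header line has no 0x offset, so the regex skips it
    rows = filter(None, map(LINE_RE.match, text.splitlines()))
    return {int(m[3]): Proc(int(m[1], 16), m[2], int(m[3]), int(m[4])) for m in rows}

def hidden_candidates(pslist_text, psscan_text):
    # PIDs seen by psscan (pool-tag scan) but not by pslist (PsActiveProcessHead list), the
    # cross-check psxview performs; terminated processes also land here, so review each hit
    linked, scanned = parse_ps(pslist_text), parse_ps(psscan_text)
    return sorted(pid for pid in scanned if pid not in linked)

def review(procs):
    # the slide checks: is the name spelled correctly? is the parent what you would expect?
    findings = []
    for p in procs.values():
        name, parent = p.name.lower(), procs.get(p.ppid)
        if name not in KNOWN and name.translate(LOOKALIKE) in KNOWN:
            findings.append((p.pid, f"{p.name} looks like {name.translate(LOOKALIKE)}"))
        if name in PARENT and (parent is None or parent.name.lower() != PARENT[name]):
            findings.append((p.pid, f"{p.name} parent is not {PARENT[name]}"))
    return findings
```

Against the sample data, hidden_candidates flags PIDs 1640 and 1712, and review of the psscan listing reports the svch0st.exe look-alike and an lsass.exe whose parent is not winlogon.exe.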
Used for finding connection structures using pool tag scanning.
Finds artifacts from previous connections that have been terminated.
It may sometimes produce false positives, but you get the benefit of recovering as much information as possible.
$ volatility -f imagename connscan
Used for: finding hidden or injected code/DLLs in user-mode memory,
based on characteristics such as VAD tag and page permissions;
locating sequences of bytes, regular expressions, ANSI strings or Unicode strings in user-mode or kernel memory.
$ volatility -f imagename malfind -D directoryname
Used for finding API hooks in user mode or kernel mode. It finds IAT, EAT and inline-style hooks, and several special types of
hooks. For inline hooks, it detects CALLs and JMPs to direct and
indirect locations, and it detects PUSH/RET instruction sequences.
Special types of hooks that it detects include syscall hooking in ntdll.dll and calls to unknown code pages in kernel memory.
$ volatility -f imagename apihooks
For displaying a process's loaded DLLs, use this command. It walks the doubly-linked list of LDR_DATA_TABLE_ENTRY
structures pointed to by the PEB's InLoadOrderModuleList.
DLLs are automatically added to this list when a process calls
LoadLibrary, and they aren't removed until FreeLibrary is called and the reference count reaches zero.
$ volatility -f imagename dlllist
For extracting a DLL from a process's memory space and dumping it to disk for analysis, use this command. We can: dump all DLLs from all processes; dump all DLLs from a specific process (with --pid=PID); dump all DLLs from a hidden/unlinked process (with --offset=OFFSET); dump a PE from anywhere in process memory (with --base=BASEADDR), which is useful for extracting hidden DLLs.
$ volatility -f imagename dlldump -D directoryname
Used for displaying the open handles in a process. A process obtains a file handle by calling functions such as
CreateFile, and the handle stays valid until CloseHandle is called. The same concept applies to registry keys, mutexes, named pipes, events, window stations, desktops, threads, and all other types of objects.
$ volatility -f imagename handles
For viewing the SIDs (Security Identifiers) associated with a process, use this command.
It helps you identify processes that have maliciously escalated privileges.
$ volatility -f imagename getsids
For a brief inspection of the addressable memory pages in a process, use this command.
$ volatility -f imagename -p PID memmap
To extract all data from the various memory segments in
a process and dump them to a single file, use the memdump command:
$ volatility --profile=Win7SP0x86 -f imagename -p PID memdump -D directoryname/