Volatility

By on

 



In this blog:

  • What is Volatility?
  • Installation. 
  • Usage.

What is Volatility?


Volatility is an open-source memory forensics framework for malware analysis and incident response.

 

It allows investigators to parse memory dumps and extract information about a target system that the memory was taken from.

 

Since data in memory is highly volatile, a live memory dump contains information which would be lost when the computer is shutdown; which is where volatility comes in.

 

Volatility requires Python3.7.0 or later.

 

Can be installed with setup.py.



Image showing Volatility requirements.
Requirements for Volatility. Click to see more.


Installation

Click here to check out the GitHub page where you can download it ➡️

https://www.volatilityfoundation.org/releases.

 

Download the Linux standalone executables from this link.



Image showing Volatility downloads page.
Download page for Volatility.




Once the zip file has downloaded, open it or cd into the directory through the terminal. It will be easier to proceed through terminal from here.

 

CD into the Downloads folder as this is where the file will be downloaded into.

 

Typing ls will show us the contents of the Downloads folder.

 

I have a capture01.bin file which is the memory dump that I will be analysing. 



Image showing Linux command.
Directory showing downloaded ZIP file.


Volatility_2.6_lin64_standalone.zip is the file we just downloaded.





Type unzip volatility_2.6_lin64_standalone.zip


Image showing Linux command.
Unzipping ZIP file.


When you cd into the new file that appears after unzipping (shown in the screenshot below), you will see the name volatility_2.6_lin64_standalone.

 

This is the executable which we will be using to interact with the memory dump. 


Now since we will need to type out this name many times, it will be easier to rename it to something smaller like simply volatility. 


Do this by typing mv volatility_2.6_lin64_standalone volatility.


Image showing Linux command.
Changing the file name to make it easier to refer to.


You can view the Volatility manual by typing ./volatility -h.


Image showing Linux command.
Help page for Volatility.


My memory dump file was in the Downloads folder and for volatility to work, the dump fill must be in the same folder as the tool. So, to move it, I typed ➡️

 

mv capture01.bin volatility_2.6_lin64_standalone volatility.



Image showing Linux command.
Move capture file to same directory as Volatility.


Usage


Type ./volatility -f capture01.bin imageinfo.

 

The -f flag specifies the presence of a file, in this case ‘capture01.bin’, and imageinfo identifies information about the image. 



Image showing Linux command.
Finding image information with Volatility.




The result shows that the memory dump was of a WinXPSP2x86 operating system based on a scan of the KDBG (Kernel Debugging Block).

 

The KDBG is used by the operating system for debugging purposes and is unique enough across different OS versions to have its own signature. 





Running the pslist command on the capture file returns a list of processes that were running on the host OS at the time of the live RAM capture.

 

Type ./volatility -f capture01.bin --profile WinXPSP2x86 pslist




Image showing Linux command.
Running pslist on Volatility.





Running pstree returns all the processes in tree form with parent and child processes clearly visible.

 

Type ./volatility -f capture01.bin pstree.




Image showing Linux command.
Running pstree on Volatility.





Rather than relying on the linked process list, psscan displays _EPROCESS objects (structure used by Windows to represent processes).

 

This means psscan can find terminated processes as well as unlinked (hidden) processes.

 

Type ./volatility -f capture01.bin psscan.




Image showing Linux command.
Running pstree on Volatility.




The plugin psxview uses seven different methods to enumerate running processes – Process object scanning, Thread scanning, CSRSS Handle table, PspCid table, session processes, desktop threads and active process linked list. This makes it less likely for a process to hide from this plugin.

A shown below, the highlighted processes come out as False in the first two columns (pslist and psscan) which indicates that they are hidden processes.

 

Type ./volatility -f capture01.bin psxview.


Image showing Linux command.
Running psxview on Volatility.



Running connscan on the capture file scans the capture for UDP/TCP connections (Windows XP only). Other operating systems have the netscan command instead.

 

As shown in the screen shot, the PID 1696 (the network listener from the last screen shot) has a remote connection pointing to 192.168.101.1 – suspicious.

 

Type ./volatility -f capture01.bin connscan.


Image showing Linux command.
Running connscan on Volatility.



The sockscan plugin lists open sockets on the machine. Here we can see that PID 1696 (the network listener) is open and listening on port 31337.    

 

Type ./volatility -f capture01.bin sockscan.




Image showing Linux command.
Running sockscan on Volatility.



The memdump plugin dumps the addressable memory for a given process and since we are suspicious about PID 1896 (the hidden network listener), we can pass the PID through as an argument and volatility will write out the memory dump to a filename of your choice (for simplicity I named it 1896) and you can specify what location to save it in.


Type ./volatility -f captre01.bin memdump -p 1896 –dump-dir.




Image showing Linux command.
Running memdump on a specified port.



The file will be saved in the directory with a .dmp extension. 


Image showing Linux commands.
Directory showing dump file.


You can now access this file and find out memory information for the specific port and conduct further analysis. 



Shone is a Cyber Security student at the Manchester Metropolitan University. Shone started writing blogs to document his own learning and help others along the way.

Comments

Post a Comment

Popular posts from this blog

Connecting Metasploitable to Kali Linux

By on
Image
  In this blog: Pre-text. Setting up NAT Network. Connected. What's next? This blog is one of a 4 part series in Metasploitable. Click here to see how to run a DOS attack on Metasploitable. Click here to see how to deface Metasploitable's webpage. Click here to see how to fix a common timer error that occurs during bootup .  Pre-text This blog comes after the tutorial on creating a Metasploitable virtual machine and solving the kernel timer error. Setting up a NAT Network In our Linux machine, I checked the network interfaces on the system and I have a tunnel connection that I set up earlier for Openvpn access.  To terminate this connection, type ➡️  sudo killall openvpn . Killing Openvpn connections. Now to connect the metasploitable machine to the kali Linux machine we must create a NAT Network.  We want to make sure that the machine is not able to communicate with connections outside the host. Go to file ➡️...
Read more

Fixing kernel timer error in Metasploitable

By on
Image
In this blog: Disclaimer. Fixing the kernel timer error. What's next? This blog is one of a 4 part series in Metasploitable. Click here to see how to run a DOS attack on Metasploitable. Click here to see how to deface Metasploitable's webpage. Click here to see how to set up a Metasploitable lab . Click here to see how to connect Metasploitable with Kali Linux . Disclaimer The solution given in this blog is for the kernel timer error that is caused by a misconfiguration in the kernel boot settings in the BIOS. The solution is not permanent and you must complete the steps each time you start a new session. Fixing timer errors To start the virtual machine, go back to VirtualBox and click start. When starting, if you get this kernel panic – not syncing error message, follow these steps ➡️  Kernel panick error message. Go to settings, system and double the base memory to 2048MB. Doubling base memory. Provide the machine with two processors instead of one and click OK.  Doubling p...
Read more

Wireshark alternative ➡️ tcpdump (Linux)

By on
Image
In this blog: What is tcpdump? Installation. Usage. Saving captures to a file. Filtering output. Expressions. Understanding the output. Packet content.   The end? See my Wireshark blog here. See my blog on uncovering network attacks using Wireshark here.                                   What is tcpdump? Tcpdump is a command line alternative to Wireshark and runs natively on Linux based operating systems.  The tool is not as feature rich as Wireshark but can be faster and more efficient in capturing and displaying packets, hence why many network admins and security professionals like using tcpdump for quick analysis.  Being a command line tool allows it to be run on remote servers to troubleshoot networks where a gui may not be available. The .PCAP files can then be analysed with Wireshark later. Most Linux distributions come with tcpdump installed, so your distro might already have it d...
Read more