How to use the Volatility memory forensics framework to identify potential malicious activity.
Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Tool Name                Volatility
Version                  V2.4.1
MITRE ATT&CK Tactic      (none listed)
MITRE ATT&CK Technique   (none listed)
Volatility Plugins
Volatility consists of a number of plugins that can be used to perform various tasks, such as identifying and extracting process data, network connections, and other information that may be relevant to a forensic investigation.
A list of all plugins available in Volatility can be found at the Volatility3 Docs Page. In Volatility 3 the Windows plugins are invoked with the windows. prefix (for example windows.pstree). Some examples of plugins include:
pstree: Display the process tree for a given memory image, built from each process's parent process ID.
sockscan: Scan for and list open TCP and UDP sockets. This is a Volatility 2 plugin that only supports Windows XP/2003 images; it does not exist in Volatility 3.
dlllist: List the DLLs (dynamic link libraries) loaded by each process.
connscan: Scan for and list active TCP connections. Like sockscan, this is Volatility 2 only and limited to XP/2003 images.
netscan: Scan for and list network connections and listening sockets on Vista and later. In Volatility 3 this is windows.netscan; windows.netstat walks the same structures from the kernel's own lists and is a useful second source to compare against.
These are just a few examples of the plugins available in Volatility. There are many other plugins available that can be used to extract and analyze different types of forensic data. Refer to the Volatility3 Docs Page for a complete list of plugins and their descriptions.
Instructions
The examples below were produced from a memory image, described as a Windows 10 memory image, available for download via the NIST CFReDS Portal and provided by Magnet Forensics. Note, however, that the windows.info output below reports NtMajorVersion 6 / NtMinorVersion 1 and a win7sp1 build lab, i.e. Windows 7 SP1 rather than Windows 10. Always rely on windows.info rather than the download label when deciding which symbol tables and plugins apply to a sample.
Memory Image Identification (windows.info)
Shows the OS and kernel details of the memory sample being analyzed. Run this plugin first: the Symbols line confirms that a matching kernel symbol table (ISF file) was found, and NtMajorVersion/NtMinorVersion together with NTBuildLab give the OS version. In the output below these read 6.1 and 7601 (Windows 7 SP1), Is64Bit is True, and MachineType 34404 is 0x8664 (AMD64), so the sample is a 64-bit Windows 7 SP1 image and the Windows plugins will parse it accordingly.
Variable                          Value
Kernel Base                       0xf80002a48000
DTB                               0x187000
Symbols                           file:///etc/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/ECE191A20CFF4465AE46DF96C2263845-1.json.xz
Is64Bit                           True
IsPAE                             False
layer_name                        0 WindowsIntel32e
memory_layer                      1 FileLayer
KdDebuggerDataBlock               0xf80002c2a120
NTBuildLab                        7601.24384.amd64fre.win7sp1_ldr_
CSDVersion                        1
KdVersionBlock                    0xf80002c2a0e8
Major/Minor                       15.7601
MachineType                       34404
KeNumberProcessors                2
SystemTime                        2020-04-20 23:23:26
NtSystemRoot                      C:\Windows
NtProductType                     NtProductWinNt
NtMajorVersion                    6
NtMinorVersion                    1
PE MajorOperatingSystemVersion    6
PE MinorOperatingSystemVersion    1
PE Machine                        34404
PE TimeDateStamp                  Thu Feb 21 03:36:29 2019
Running Processes (pslist)
Lists the processes present in a particular Windows memory image. Specific PIDs can be selected via the --pid switch. Additionally, each process can be dumped to disk via the --dump switch. Because pslist walks the kernel's doubly linked list of _EPROCESS structures, a process that has been unlinked from that list (DKOM) will not appear here; compare the result against windows.psscan, which carves _EPROCESS structures out of physical memory instead and will also surface processes that have already exited.
Process Tree (pstree)
Plugin for listing processes in a tree based on their parent process ID. Specific PIDs can be selected via the --pid switch; to dump a process found in the tree, use windows.pslist with the --dump switch. The tree is where parent/child anomalies stand out, for example a core system process whose parent is not the process that is known to spawn it.
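As an added worked example (not code from the original page or from the Volatility project), the script below post-processes the JSON that Volatility 3's json renderer emits for windows.pslist, windows.psscan and windows.pstree (`vol -r json -f <image> windows.pslist`, and likewise for the other two) and applies the two checks described above: processes that psscan carved from memory but pslist did not report (candidates for DKOM unlinking, after discarding processes that have exited), and core system processes whose parent does not match the parent the process tree should show. The column names, the `__children` nesting used by tree plugins and the expected-parent table are assumptions, and the process rows are constructed sample data rather than output from the image above.

```python
"""Post-process windows.pslist / windows.psscan / windows.pstree output.

Added example: this is not code from the original page or from the Volatility
project. It assumes the JSON emitted by Volatility 3's json renderer
(`vol -r json -f <image> windows.pslist`), where each row carries at least the
PID, PPID, ImageFileName and ExitTime columns and tree plugins nest rows under
"__children"; the sample rows below are constructed for illustration.
"""
import json

# Constructed sample of windows.pslist JSON output (only the columns used here).
PSLIST_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "ExitTime": None},
    {"PID": 352,  "PPID": 4,    "ImageFileName": "smss.exe",     "ExitTime": None},
    {"PID": 448,  "PPID": 352,  "ImageFileName": "wininit.exe",  "ExitTime": None},
    {"PID": 500,  "PPID": 448,  "ImageFileName": "services.exe", "ExitTime": None},
    {"PID": 516,  "PPID": 448,  "ImageFileName": "lsass.exe",    "ExitTime": None},
    {"PID": 680,  "PPID": 500,  "ImageFileName": "svchost.exe",  "ExitTime": None},
    {"PID": 1304, "PPID": 1500, "ImageFileName": "explorer.exe", "ExitTime": None},
    {"PID": 2212, "PPID": 1304, "ImageFileName": "svchost.exe",  "ExitTime": None},
])

# Constructed sample of windows.psscan output: the same rows plus one process
# that is not in the linked list (PID 3080) and one that has already exited.
PSSCAN_JSON = json.dumps(json.loads(PSLIST_JSON) + [
    {"PID": 3080, "PPID": 680,  "ImageFileName": "rundll32.exe", "ExitTime": None},
    {"PID": 2900, "PPID": 1304, "ImageFileName": "notepad.exe",
     "ExitTime": "2020-04-20 22:10:01"},
])

# Parent relationships that are fixed for core system processes on Windows 7
# and later; anything else deserves a closer look. This baseline is an
# assumption of the example, not something the page states.
EXPECTED_PARENT = {
    "wininit.exe":  {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe":    {"wininit.exe"},
    "svchost.exe":  {"services.exe"},
}


def load_rows(json_text):
    """Parse renderer output into a flat list of rows, descending into the
    "__children" lists that tree plugins such as windows.pstree produce."""
    def walk(rows):
        for row in rows:
            yield row
            yield from walk(row.get("__children") or [])
    return list(walk(json.loads(json_text)))


def has_exited(row):
    # The json renderer emits null for an unset ExitTime; the text renderer
    # prints N/A, so accept both in case rows were converted by hand.
    return row.get("ExitTime") not in (None, "", "N/A")


def hidden_processes(pslist_rows, psscan_rows):
    """PIDs that psscan carved from memory but pslist did not list, excluding
    processes that have exited (psscan also finds freed _EPROCESS blocks, so
    those are expected noise). Survivors are candidates for DKOM unlinking."""
    listed = {row["PID"] for row in pslist_rows}
    return sorted(
        row["PID"] for row in psscan_rows
        if row["PID"] not in listed and not has_exited(row)
    )


def parent_anomalies(rows):
    """Rebuild the parent/child relationship that pstree displays and flag core
    processes whose parent is not the expected one. Returns a list of
    (pid, image, ppid, parent_image) tuples."""
    by_pid = {row["PID"]: row for row in rows}
    findings = []
    for row in rows:
        image = row["ImageFileName"].lower()
        if image not in EXPECTED_PARENT:
            continue
        parent = by_pid.get(row["PPID"])
        parent_image = parent["ImageFileName"].lower() if parent else "<not in list>"
        if parent_image not in EXPECTED_PARENT[image]:
            findings.append((row["PID"], image, row["PPID"], parent_image))
    return findings


if __name__ == "__main__":
    pslist = load_rows(PSLIST_JSON)
    psscan = load_rows(PSSCAN_JSON)
    print("Processes in psscan but not pslist:", hidden_processes(pslist, psscan))
    for pid, image, ppid, parent_image in parent_anomalies(pslist):
        print(f"PID {pid} {image} has unexpected parent PID {ppid} ({parent_image})")
```

To run this against a real image, replace the two constants with the contents of the JSON files written by the json renderer; windows.pstree output can be fed to the same loader because nested rows are flattened. A process flagged by hidden_processes should then be confirmed with windows.psscan --pid and dumped with windows.pslist --dump for further analysis, and a parent anomaly such as a svchost.exe spawned by explorer.exe is a prompt to inspect that process's DLLs (dlllist) and network activity (netscan).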