Tuesday, January 29, 2013

Backtrack Forensics: Memory analysis with volatility

Menu: Forensics -> RAM Forensic Tools
Directory: /pentest/forensics/volatility
Official Website: http://code.google.com/p/volatility/
License: GNU GPL v2

Volatility is probably the best open source memory analysis tool. It is written in Python, so it can be run on any platform, and it supports extension through plugins, which are Python scripts as well, so you can easily create your own. It supports all major Windows and Linux versions (full list on their site) and most major memory dump formats.


I will use a WinXP SP2 image for the examples, which I got for testing. It has a rootkit installed for study purposes.

./vol.py -h - this prints the help and lists all the plugins currently available

To display the list of open sockets found in the memory dump, run:
./vol.py sockets -f /root/mem/winxp-mem.mdd

to display the list of processes, run the following - it checks the memory dump with many different methods and tells us which method found each process and which didn't:
./vol.py psxview -f /root/mem/winxp-mem.mdd
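The point of psxview is the disagreement between methods: a process that the normal process-list walk (pslist) misses but that pool scanning or thread scanning still finds is the classic signature of a rootkit that unlinked itself from the process list. The following is an added example, not code from the post or from the Volatility project: a small standalone Python parser that reads psxview's text output and flags exactly those rows. The sample output is constructed, and the column layout (Offset(P), Name, PID, then one True/False column per method) is assumed from Volatility 2.x; adjust ROW_RE if your version prints extra columns.

```python
import re

# Constructed sample of Volatility 2.x psxview output (assumed column layout;
# not the real output from the image discussed in the post).
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- ------
0x01a2b3c0 System                    4 True   True   True     True    False
0x02f1a020 svchost.exe             996 True   True   True     True    True
0x03c4d8e0 hidden.exe             1337 False  True   True     True    True
0x04e5f100 csrss.exe               584 True   True   True     True    False
"""

# One psxview row: offset, name (may contain spaces), PID, then a True/False
# column for each detection method.
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)\s+((?:True|False)(?:\s+(?:True|False))*)\s*$"
)

def parse_psxview(text):
    """Return a list of dicts: offset, name, pid, plus one bool per method."""
    lines = [l for l in text.splitlines() if l.strip()]
    methods = lines[0].split()[3:]      # header columns after Offset(P), Name, PID
    rows = []
    for line in lines[2:]:              # skip header and dashed separator
        m = ROW_RE.match(line)
        if not m:
            continue
        flags = m.group(4).split()
        row = {"offset": m.group(1), "name": m.group(2), "pid": int(m.group(3))}
        row.update({meth: (flag == "True") for meth, flag in zip(methods, flags)})
        rows.append(row)
    return rows

# Gaps that are normal rather than suspicious: the csrss method cannot see
# csrss.exe itself, nor System/smss.exe which start before csrss does.
EXPECTED_GAPS = {"csrss": {"System", "csrss.exe", "smss.exe"}}

def method_names(row):
    return [k for k in row if k not in ("offset", "name", "pid")]

def find_hidden(rows):
    """Rows absent from pslist (the linked-list walk) but found by at least one
    other method: the signature of a process unlinked from the active list."""
    hidden = []
    for row in rows:
        others = [m for m in method_names(row) if m != "pslist"]
        if not row.get("pslist", True) and any(row.get(m) for m in others):
            hidden.append(row)
    return hidden

def explain(row):
    """One line saying which methods found and which (unexpectedly) missed it."""
    found = [m for m in method_names(row) if row[m]]
    missed = [m for m in method_names(row)
              if not row[m] and row["name"] not in EXPECTED_GAPS.get(m, set())]
    return "%s (PID %d) found by: %s; missed by: %s" % (
        row["name"], row["pid"], ", ".join(found), ", ".join(missed) or "none")

if __name__ == "__main__":
    # Usage: ./vol.py psxview -f dump.mdd > psxview.txt, then feed the file in.
    for row in find_hidden(parse_psxview(SAMPLE_PSXVIEW)):
        print(explain(row))
```

Run against the constructed sample it reports only hidden.exe, because System and csrss.exe being invisible to the csrss method is expected and is not treated as a finding.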

to get a list of recently run CLI commands, run (we can see in the results that the rootkit was being installed):
./vol.py cmdscan -f /root/mem/winxp-mem.mdd

to get a list of the registry hives found, run:
./vol.py hivelist -f /root/mem/winxp-mem.mdd

and based on that we can do a hashdump; for that we need the locations of the system and SAM hives. The command will be:
./vol.py hashdump -y 0xe1018378 -s 0xe1496b60 -f /root/mem/winxp-mem.mdd
where -y specifies the location of the system hive and -s the location of the SAM hive.
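The two offsets above are read by eye from the hivelist table and typed into the hashdump command, which is easy to get wrong (the virtual and physical columns look alike, and system vs. software differ by a few letters). The following is an added example, not code from the post or from Volatility: a standalone Python helper that parses hivelist's text output, picks the SYSTEM and SAM hives by path suffix, and builds the hashdump argv from them. The sample hivelist output is constructed; only the two offsets the post uses are taken from it, the other rows are made up, and the three-column layout (Virtual, Physical, Name) is assumed from Volatility 2.x.

```python
import re

# Constructed sample of Volatility 2.x hivelist output. The offsets on the
# system and SAM rows are the ones the post uses; everything else is made up.
SAMPLE_HIVELIST = r"""
Virtual    Physical   Name
---------- ---------- ----
0xe1035b60 0x02a3cb60 [no name]
0xe1018378 0x02a3d378 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe1496b60 0x0281ab60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe15f1008 0x03c21008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1a4c008 0x04d11008 \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
"""

# One hivelist row: virtual offset, physical offset, then the hive path.
HIVE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.*?)\s*$")

def parse_hivelist(text):
    """Return a list of (virtual, physical, name) tuples; header lines are skipped
    because they do not match the two leading hex offsets."""
    hives = []
    for line in text.splitlines():
        m = HIVE_RE.match(line)
        if m:
            hives.append((m.group(1), m.group(2), m.group(3)))
    return hives

def find_hive(hives, short_name):
    """Virtual offset of the hive whose path ends in config/<short_name>.
    Matched case-insensitively, as Windows paths are; None if not present."""
    suffix = "\\config\\" + short_name.lower()
    for virt, _phys, name in hives:
        if name.lower().endswith(suffix):
            return virt
    return None

def build_hashdump_cmd(hives, dump_path, vol="./vol.py"):
    """argv for the post's hashdump invocation: -y takes the SYSTEM hive and -s the
    SAM hive, both as the virtual offsets hivelist printed."""
    system = find_hive(hives, "system")
    sam = find_hive(hives, "sam")
    if system is None or sam is None:
        raise ValueError("hivelist output lacks the SYSTEM or SAM hive; hashdump cannot run")
    return [vol, "hashdump", "-y", system, "-s", sam, "-f", dump_path]

if __name__ == "__main__":
    # Usage: ./vol.py hivelist -f dump.mdd > hivelist.txt, parse that file instead
    # of the constructed sample, then run the returned argv with subprocess.
    import shlex
    cmd = build_hashdump_cmd(parse_hivelist(SAMPLE_HIVELIST), "/root/mem/winxp-mem.mdd")
    print(" ".join(shlex.quote(a) for a in cmd))
```

The helper refuses to build a command when either hive is missing from the list, which is the usual reason hashdump fails on a partial or corrupted dump; better to see that up front than to get an unhelpful error from the plugin.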

That's all. It has quite a few plugins, so you can play with it to discover more.
