Cyber Forensic — Volatile Memory Analysis With Volatility Framework
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
we are going to use this volatility framework for analyzing the Memory dumb (RAM dump) of a windows PC.
so let's Begin …
First, we need to create a memory dump for analysis, for that we are going to use Moonsols’s DumpIt memory dump tool. you can download the tool from here.
Then let's fire up DumpIt and press ‘y’ for create the main memory dump.
Now you need volatility framework for analyzing the memory dump that we just created. so download volatility framework from here.
analyzing volatile memory is very useful for computer forensic investigators. because of very important data is going through volatile memory. we can extract passwords even from this memory dump.
After you downloaded the volatility framework you need to copy your memory dump into the folder where volatility.exe is located, otherwise we have to face some difficulties when loading the memory dump to the volatility.
Now you can fire up volatility by giving the command
“.\volatility.exe -h”
then you can see the options available in the volatility framework.
Let's get some basic information about the memory dump that we created using the dumpIt. for that, we can give bellow command on volatility.
command : “volatility imageinfo -f memory_dump_name.raw”
raw_image_name is the name of your memory dump file.
as you see there is some information about the image file. for now, we just need what is the profile type of the image. that is Win7SP1x64 this piece of information will be helpful for the next steps.
Extract the Passwords from the Memory Dump.
Now let's get the “hive list” to get the knowledge of starting location of the memory where the registry information resides. for that, we need the profile information that we discover in the previous step. I told you that will be helpful :D. so let's enter the command below.
Command : “volatility hivelist -f memory_dump_name.raw — profile=Profie_type ”
profile type for my command is Win7SP1x64. use whatever you get from the previous step. otherwise, this will not be worked.
so let’s use this information to extract the password hashes from the memory dump.
For that, we need the memory locations of the “SAM” and “SYSTEM” entries.
SAM — 0xfffff8a000d58010
SYSTEM — 0xfffff8a000024010
let's get that password hash and store in a separate file.
Command: “volatility hashdump -f memory_dump_name.raw — profile=Profie_type -y System_Entry_1st_coloumn -s Sam_Entry_1st_coloumn > hashes.txt”
This is the hash dump file of my case
if you use Windows XP memory dump you can crack the password hash less than 5 seconds.
to crack from john the ripper -> copy password hash.txt file to the folder which contains john.exe and runs with>john.exe — show hash.txt
There is a very special command to extract the bios passwords. most of the newer system has bios boot passwords. use the command “bioskbd”
Command: “volatility bioskdb -f memory_dump_name.raw — profile=Profie_type ”
the result is empty because there is no bios boot password on this VM
Let's get the process list & Network Connections from the memory dump
using “pslist” command to get the processes that run.
command: “volatility pslist -f memory_dump_name.raw — profile=Profie_type”
use “netscan” command to get the processes that run.
command: “volatility netscan -f memory_dump_name.raw — profile=Profie_type”
this result shows all network connections including their process name, source, and destination IP addresses and the ports.
That's all for the volatile memory analysis …. ❤
