See also MemProcFS
The forensic memory framework Volatility (Version 3 since 2019) offers a wide range of methods to analyse memory. See the blog post Retrieving memory for methods and techniques to obtain memory.
Start by getting general information about a memory dump:
volatility -f image.mem imageinfo
Now use the following commands to get more information:
- pslist: shows the running processes.
- netscan: shows current network connections.
- ldrmodules: shows which modules/libraries/DLLs are loaded and also how they were loaded. If a line contains "False False False", then the module was probably injected directly into memory, as Meterpreter does. This is a serious signal of a malicious process.
- vol -f dump windows.privileges --pid 42: gets the privileges for a process.
- vol -f dump windows.callbacks: shows the callbacks; these should only be the default Windows callbacks.
- vol -f dump windows.vadinfo --pid 42: shows the VADs (virtual address descriptors) and the permissions on the pages, e.g. READONLY, READWRITE, EXECUTE_WRITECOPY, ... Suspicious if there are pages with EXECUTE_READWRITE, because normally pages are not set to contain executable code that is also writable.
- vol -f dump windows.registry.hivelist --dump: exports the registry keys.
- vol -f dump windows.cmdline --pid 42: returns the command line history. Useful for cmd.exe or powershell.exe processes.
- vol -f dump windows.pstree: shows the process tree, also with the arguments of the commands.
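The two heuristics above (modules listed as "False False False" by ldrmodules, and EXECUTE_READWRITE pages in vadinfo) can be checked automatically once the plugin output is saved. This is an added Python example, not part of the original post or of Volatility itself: it parses constructed, tab-separated output in the shape of windows.ldrmodules and windows.vadinfo (column names assumed from Volatility 3's default renderer) and pairs each unlinked module with the RWX region that contains its base address.

```python
"""Flag unlinked modules and RWX regions in Volatility 3 plugin output."""

# Constructed sample in the shape of `vol -f dump windows.ldrmodules` output.
# Column names are an assumption based on the plugin's default columns.
LDRMODULES_SAMPLE = "\n".join([
    "PID\tProcess\tBase\tInLoad\tInInit\tInMem\tMappedPath",
    "4212\texplorer.exe\t0x7ff6a0c0000\tTrue\tTrue\tTrue\t\\Windows\\explorer.exe",
    "4212\texplorer.exe\t0x7ffb2c10000\tTrue\tTrue\tTrue\t\\Windows\\System32\\ntdll.dll",
    "4212\texplorer.exe\t0x1f3e0000\tFalse\tFalse\tFalse\t",   # not in any PEB list
])

# Constructed sample in the shape of `vol -f dump windows.vadinfo` output.
# "Start VPN"/"End VPN" are taken as the region's start/end virtual addresses.
VADINFO_SAMPLE = "\n".join([
    "PID\tProcess\tOffset\tStart VPN\tEnd VPN\tTag\tProtection\tCommitCharge\tPrivateMemory\tParent\tFile",
    "4212\texplorer.exe\t0xe0001a2b3c0\t0x7ff6a0c0000\t0x7ff6a1fffff\tVad \tPAGE_EXECUTE_WRITECOPY\t0\t0\t0x0\t\\Windows\\explorer.exe",
    "4212\texplorer.exe\t0xe0001a2b4d0\t0x1f3e0000\t0x1f3fffff\tVadS\tPAGE_EXECUTE_READWRITE\t32\t1\t0x0\t",
])


def parse_table(text):
    """Turn tab-separated plugin output into a list of dicts keyed by header name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        cells = line.split("\t")
        cells += [""] * (len(header) - len(cells))   # pad short rows (empty MappedPath/File)
        rows.append(dict(zip(header, cells)))
    return rows


def unlinked_modules(ldr_text):
    """Modules absent from all three PEB lists: the 'False False False' case."""
    return [r for r in parse_table(ldr_text)
            if (r["InLoad"], r["InInit"], r["InMem"]) == ("False", "False", "False")]


def rwx_regions(vad_text):
    """VAD regions whose pages are both writable and executable."""
    return [r for r in parse_table(vad_text) if r["Protection"] == "PAGE_EXECUTE_READWRITE"]


def correlate(ldr_text, vad_text):
    """Pair each unlinked module with the RWX region that contains its base address."""
    hits = []
    for mod in unlinked_modules(ldr_text):
        base = int(mod["Base"], 16)
        for vad in rwx_regions(vad_text):
            if int(vad["Start VPN"], 16) <= base <= int(vad["End VPN"], 16):
                hits.append((mod["Process"], mod["Base"], vad["Protection"]))
    return hits
```

A module that is both unlinked from the PEB lists and backed by a private RWX region is the combination worth triaging first; a single signal alone can still be legitimate (e.g. JIT compilers allocate RWX memory).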
Example:
- Scan open connections with windows.netscan.
- Look with windows.pslist for suspicious processes.
- Get more information with other plugins, e.g. with windows.cmdline see what happened in powershell.exe or cmd.exe.
- Detect the system type for the profile:
  - volatility -f /root/lab.notes/10.11.1.238/238.ram imageinfo
- Get certs:
  - volatility -f /root/lab.notes/10.11.1.238/238.ram dumpcerts -D certs
- Linux image with an explicit profile:
  - volatility -f /tmp/Linux64.mem --profile=Linuxd2018-1x6 linux_ifconfig