Lead Image © Bruce Rolff, 123RF.com

Forensic main memory analysis with Volatility

Fingerprints

Article from ADMIN 49/2019
When you examine the memory of a computer after a break-in, take advantage of active support from the Volatility framework to analyze important memory structures and read the volatile traces of an attack.

When you think of IT forensics, you usually have the analysis of non-volatile storage media, such as hard disks or SSDs, in mind. But volatile RAM is also worth a look: It often holds important traces (e.g., of running processes or open network connections) and can therefore reveal a successful attack that left little on disk.

The detective work starts with creating a RAM image; this memory dump is then analyzed. You can already learn a lot with Linux's on-board tools, but it is a time-consuming process. Luckily, you can find support in Volatility [1], a framework written in Python that locates the most important memory structures of an operating system in the dump and presents their content in human-readable form. Its big advantage is its many plugins, which support a wide variety of analysis tasks (Table 1).

Table 1: Volatility Enhancements

Plugin              Function
Processes
linux_apihooks      Checks for userland API hooks
linux_bash          Extracts the Bash history from process memory
linux_check_creds   Checks whether processes share credential structures
...
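As an added example (not from the article or the Volatility project), the following script triages the text output of the linux_bash plugin listed in Table 1: it parses each recovered history line and flags commands that an incident responder would want to review, such as history tampering, setuid bit changes, or hidden files in temporary directories. The column layout and the sample rows are constructed to mirror Volatility 2's linux_bash output as I recall it; adjust LINE_RE if your version differs.

```python
"""Triage of Volatility linux_bash output (assumed column layout: Pid, Name,
Command Time, Command). Added example; the sample rows are constructed."""
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    1337 bash                 2019-01-10 08:12:01 UTC+0000   ls -la /var/log
    1337 bash                 2019-01-10 08:12:40 UTC+0000   unset HISTFILE
    1337 bash                 2019-01-10 08:13:05 UTC+0000   chmod +s /tmp/.x
    2048 bash                 2019-01-10 09:00:10 UTC+0000   cat /etc/hostname
"""

# One data row: PID, process name, timestamp, then the command text.
LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})\s+(?P<cmd>.*)$"
)

# Patterns worth surfacing during review: anti-forensics and persistence hints.
INDICATORS = {
    "history_tampering": re.compile(r"\bunset\s+HISTFILE\b|\bhistory\s+-c\b|HISTSIZE=0"),
    "setuid_bit": re.compile(r"\bchmod\s+\S*[+]s\b|\bchmod\s+4\d{3}\b"),
    "hidden_path": re.compile(r"(?:^|\s)/(?:tmp|dev/shm)/\.\S+"),
}

def parse_bash_output(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def triage(text):
    """Return {pid: [(indicator, command), ...]} for commands matching an indicator."""
    hits = defaultdict(list)
    for row in parse_bash_output(text):
        for label, pattern in INDICATORS.items():
            if pattern.search(row["cmd"]):
                hits[row["pid"]].append((label, row["cmd"]))
    return dict(hits)

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_OUTPUT).items():
        print(f"PID {pid}:")
        for label, cmd in findings:
            print(f"  [{label}] {cmd}")
```

Feed it the saved plugin output (e.g., `vol.py ... linux_bash > bash.txt`) and extend INDICATORS with the patterns relevant to your environment.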