Forensic main memory analysis with Volatility

Fingerprints

Interpretation Needed

Analyzing the Bash history (Figure 3) is useful for detecting user misbehavior. Because Bash keeps its history in process memory, Volatility still recovers the commands even if the history length was set to zero and the history file redirected to /dev/null in an attempt to hide the most recent entries.

Figure 3: Clearly visible: here the forensic analyst created the memory dump with LiME.
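As an added example (not from the article or the Volatility project), a small Python script that parses output in the shape of Volatility's linux_bash plugin and flags the history-hiding commands described above; the sample output is constructed, and its column layout is an assumption.

```python
import re
from collections import namedtuple

# Constructed sample laid out like the output of Volatility 2's linux_bash
# plugin (assumption: column widths may differ between Volatility versions).
SAMPLE_LINUX_BASH = """\
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    2417 bash                 2016-03-01 10:12:41 UTC+0000   ls -la /var/log
    2417 bash                 2016-03-01 10:13:02 UTC+0000   export HISTSIZE=0
    2417 bash                 2016-03-01 10:13:09 UTC+0000   export HISTFILE=/dev/null
    2417 bash                 2016-03-01 10:14:55 UTC+0000   history -c
    2417 bash                 2016-03-01 10:15:20 UTC+0000   insmod lime.ko "path=/tmp/mem.lime format=lime"
"""

HistoryEntry = namedtuple("HistoryEntry", "pid name time command")

LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})\s+(?P<cmd>.*)$"
)

# Commands that try to suppress or destroy the shell history. Because bash keeps
# its history in process memory, they still show up in a memory dump.
ANTI_HISTORY_RULES = {
    "history length set to zero": re.compile(r"\bHIST(FILE)?SIZE=0\b"),
    "history file redirected to /dev/null": re.compile(r"\bHISTFILE=/dev/null\b"),
    "history file unset": re.compile(r"\bunset\s+HISTFILE\b"),
    "history cleared": re.compile(r"\bhistory\s+-[cw]\b"),
    "history file deleted": re.compile(r"\brm\b.*\.bash_history\b"),
}

def parse_linux_bash(text):
    """Turn linux_bash-style output into HistoryEntry tuples, skipping headers."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(HistoryEntry(int(m["pid"]), m["name"], m["time"], m["cmd"]))
    return entries

def flag_anti_forensics(entries):
    """Return (entry, reason) pairs for commands that hide shell activity."""
    return [(e, reason) for e in entries
            for reason, rx in ANTI_HISTORY_RULES.items() if rx.search(e.command)]

if __name__ == "__main__":
    for e, reason in flag_anti_forensics(parse_linux_bash(SAMPLE_LINUX_BASH)):
        print(f"pid {e.pid} {e.time}: {reason}: {e.command}")
```

Running it against real plugin output (`vol.py --profile=... -f mem.lime linux_bash > bash.txt`) only requires feeding the file contents to parse_linux_bash.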

The real challenge in using Volatility, as with all analysis tools, is not so much choosing the correct parameters as interpreting the program's output correctly. Only practice and a good knowledge of the system and its data structures will help here.


The Author

Dr. Tobias Eggendorfer is a professor of IT security and a freelance IT consultant (http://www.eggendorfer.info). When he teaches IT forensics, his students moan from time to time, because long-forgotten knowledge from basic lectures suddenly becomes important again, which is exactly what makes IT forensics and security so exciting.
