In terms of Digital Forensic, many tools can be used to extract valuable and sensitive information directly from the memory (RAM) of a computer/server. For example, it is possible to extract user password hashes, Bitlocker volume encryption keys, web browsing history and much more.
In this article, we will see how researchers, experts in cyber-security and also hackers use Volatility Framework to retrieve almost everything they want from a computer memory dump. Before to move further and to be able to replicate this tutorial on your side, you will need the following to be present in your machine:
- VirtualBox 5 or 6 which will host the vulnerable Windows Server.
- A Windows or Linux system installed on a Virtual Machine
- Volatility Framework will be used to extract and read data from the RAM dump.
EXTRACT A RAM DUMP FROM THE VIRTUAL MACHINE
As stated in the title, the first purpose of this article it's to see the best way to extract sensitive information from a computer memory dump and to do so we will use our virtual machine as a targeted system. This assumes that you have already installed a Windows operating system on your Virtual machine. For this demonstration, I use Windows Server 2008R2 as the operating system.
The first step for us will be to generate a memory dump of the target machine which is quite easy to do since we host it. This operation can be done quickly if you are using VirtualBox. To do it, you need first to start your target machine (VM) and once you are ready to use the following commands :
mkdir dump && cd dump
# Don't forget to replace "Windows-2008-R2" with your own VM name
VBoxManage debugvm "Windows-2008-R2" dumpvmcore --filename=vm.memdump
Now that we are ready with our memory dump, we can start to move around and discover Volatility Framework and what this tool will allow us to do.
HOW TO USE VOLATILITY FRAMEWORK
One of the most popular tools for RAM analysis is Volatility. This Open Source platform implemented using Python language can be used very easily on Windows, Mac, and Linux systems. It consists of several plugins that can be used for different types of queries.
The following memory format is supported by the latest Volatility release.
- Raw/Padded Physical Memory
- Firewire (IEEE 1394)
- Expert Witness (EWF)
- 32 and 64-bit Windows Crash Dump
- 32 and 64-bit Windows Hibernation
- 32 and 64-bit MachO files
- Virtualbox Core Dumps
- VMware Saved State (.vmss) and Snapshot (.vmsn)
Volatility Framework comes bundled with Kali Linux. If you do not have it yet in your machine, you can download and install it using the following instructions.
INSTALL VOLATILITY ON UBUNTU/DEBIAN AND OTHER DERIVED DISTRIBUTIONS
sudo apt -f install volatility
To display the help menu simply execute the following command:
There is a multitude of options available that you can explore from the help. These options allow you to explore the contents of the memory and rebuild the data structures to extract the relevant information. The Volatility project wiki page presents each option.
RETRIEVE THE PROFILE OF THE IMAGE WITH IMAGEINFO
The first step to analyze a memory dump is to retrieve the information from the image that will allow Volatility to correctly parse the data to determine its profile.
Parsing the data means reading and interpreting them to understand what they mean. Depending on the type of profile you are reporting to Volatility, it will not interpret the data in the same way.
For that, we will use the "
imageinfo" option of Volatility on our memory dump as stated in the below example.
volatility -f vm.memdump imageinfo
Note: Of course the output on your side will be different according to the system image you are parsing.
The above command will allow you to get the profile information of your image. As you can see on the console output above, the "suggested profile" field offers suggestions for profiles which will then have to be specified to Volatility with the option "
This profile corresponds to the operating system of your memory dump. Volatility suggests here a 64-bit system based on Win7SP1x64 or Win7SP0x64 or Win2008R2SP0x64 or Win2008R2SP1x64_23418 or Win2008R2SP1x64 or Win7SP1x64_23418.
For this article, I did use Windows Server 2008 R2 SP1. We will then be able to specify later to process the dump with the option "
--profile=Win2008R2SP1x64". Now that we have determined the profile of our image, we can start extracting information from it.
GET THE PROCESSES LIST
The operating system is responsible for managing, handling, suspending and creating processes, that is, instances of a program.
When a program runs, a new process is created and associated with its own set of attributes, including a unique process ID (PID) unique to each, and an address space. The memory space of a process becomes a container for application code, shared libraries, dynamic data, and the execution stack.
An important aspect of memory analysis is enumerating the processes that run on a system and analyzing the data stored in their address space. The goal? Identify processes for potentially malicious programs, understand how they work, where they come from, and analyze them in detail.
Beware, to perform malicious actions, malware must be executed but it can hide its operation behind a legitimate process, via injection of code, for example.
To extract the list of processes, it is possible to use the "
volatility -f vm.memdump --profile=Win2008R2SP1x64 pslist
This option allows us to display the list of the running processes at the time the dump was created. Using this, you can retrieve much information, such as :
- offset: the memory address of the process
- name: the name of the running process
- PID: the identification number of the process
- PPID: the PID of the parent process
- start: the date and time the process was started
During a memory analysis, it is necessary to be able to identify legitimate processes and those that are not. However, the name is not enough to identify whether a process is legitimate or not! But it's the first sign.
LIST THE DLLS OF A PROCESS
The DLLs, for Dynamic Link Library, are the libraries in Windows. These are functions previously coded and available on the system. To avoid re-encoding certain functions, the Windows API provides a list of DLLs for manipulating data, making network connections, or writing files.
Malware will also use these APIs to perform actions on the system. Through the memory analysis, it will be possible to list the DLL used by a process to deduce its operation on the system.
With Volatility, it is possible to extract the DLLs used for a given process, with the "
dlllist" option. For example, if we want to find more information about the process with PID 1404 we shall use the following command:
volatility -f vm.memdump --profile=Win2008R2SP1x64 dlllist -p 1824
ANALYZE THE REGISTRY
The registry contains various settings and configurations for the Windows operating system. As the main component of Windows, it is accessed continuously during the execution time. Thus, it is logical that the system places in memory all or part of the files of the register.
Besides, the Windows registry holds a wealth of useful information for analysis purposes. For example, it will be possible to determine recently executed programs, extract hashes of passwords for audit purposes, or study the keys and values introduced by malicious code into the system.
With Volatility, it is possible to extract the information from the register and lists the corresponding files with the "
volatility -f vm.memdump --profile=Win2008R2SP1x64 hivelist
Using the result of the above command and the "
hashdump" option, it will be possible to dump the password hashes of Windows accounts.
volatility -f vm.memdump --profile=Win2008R2SP1x64 hashdump -y 0xfffff8a0073d4410
ANALYZE NETWORK CONNECTIONS
Almost all malware can communicate on the network using their Control server, to spread themself, or set up a backdoor.
These actions use Windows Network APIs, which inevitably leave traces in memory. The network memory scan will recover information such as remote IP connections, connection ports, and even some data exchanged.
Volatility provides several options for retrieving login information. The connections, sockscan, and socket options work only on systems older than Windows 7.
However, active network connections can be listed on newer systems with the "
volatility -f vm.memdump --profile=Win2008R2SP1x64 netscan
In the above screenshot, we can see that some identified processes make multiple connections to the IP addresses 22.214.171.124:0, 126.96.36.199:0 and 188.8.131.52:0.
Memory analysis can reveal a lot of things about the infected environment. A malicious process will be easier to detect and analyze a memory dump than in a running environment. In addition, it will be possible to access other crucial information about the system.
DISCOVER THE DIFFERENT TYPE MEMORY FILES
There are different types of files that can be used for memory analysis. Windows uses system files to store certain information that is specific to internal features, such as hibernation or paging.
Hiberfil.sys is the default file used by Windows to save the machine state as part of the hibernation process. This process is used to restore the state of the machine. The operating system also maintains an open file descriptor on this file so that no user, including the administrator, can read the file while the system is running.
The file hiberfil.sys is compressed by default. In order to be able to analyze it with Volatility, it will first be necessary to use the "
imagecopy" option to decompress the image.
volatility -f vm.memdump --profile=Win2008R2SP1x64 imagecopy -O hiberfil.dmp
Paging is a concept that extends the available RAM by storing RAM items that are not in use in a file. Windows uses the system file Pagefile.sys to store this information, which can also be exploited during the investigation.
Although Windows supports up to 16 paging files, in practice only one is used. This file, stored in "%SystemDrive%\pagefile.sys", is a hidden system file.
Because the operating system keeps this file open during normal operation, it can never be read or viewed by a user. However, it may contain interesting information once extracted.
Pagefile.sys can not be parsed by Volatility. However, it is possible to extract information with the "
strings" command. Be careful, note that this can be extremely long and it is better to couple the command "
strings" with the command "
strings pagefile.sys | grep “http://”
Windows memory is a complex environment that needs to be known in order to retrieve information during forensic analysis. However, this introduction to the functioning of the memory will allow knowing the basic information to analyze the most important information and to understand the actions carried out by a malicious process.