Memory forensic using Volatility
This article is a part of our program, #re:educate where we empowering cybersecurity students and beginners to share their understanding about anything related to offensive security. For more info, refer to this link RE:HACK - #re:educate
Author: Fatahillah bin Hashim
University: German-Malaysian Institute
Summary
Volatility is a tool that can be used to analyse a volatile memory of a system. We can inspect processes, look at command history, and even pull files and passwords from a system without even being on the system.
Prerequisite
- Volatility tool - https://www.volatilityfoundation.org/releases
- Memory dump samples - https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples, https://uupdump.net/, https://www.volatilityfoundation.org/26
tl;dr
# How to detect malicious files ?
./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 -D <Output_Location> -p <PID >malfind
# What type of dump am we are going to analyse ?
$ ./vol.exe -f Triage-Memory.mem imageinfo
# Which process are running
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile pslist
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile pstree
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile psxview
# List open TCP/UDP connections
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile connscan
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile sockets
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile netscan
# What commands were lastly run on the computer
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile cmdline
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile consoles
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile cmdscan
# Dump processes exe and memory
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile procdump -p MyPid --dump-dir .
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile memdump -p MyPid --dump-dir .
# Hive and Registry key values
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile hivelist
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile printkey -K "MyPath"
Capturing Windows Memory Using Winpmem
Winpmem is a part of the Pmem Suite, a suite of memory acquisition tools for Windows, Linux, and Mac OS. We can download the latest release of winpmem from here: https://github.com/Velocidex/c-aff4/releases
Run Winpmem
First, after we staged malicious activity, we downloaded winpmem version 3.3 RC3 onto the victim Windows machine. Then, we opened a command-line terminal and run the program:
C:\ winpmem_v3.3.rc3.exe --output memdump.raw --format raw --volume_format raw
The --output mem.raw option was used to name the output as memdump.raw. The --format raw and --volume_format raw options were used to output the memory in raw format (as opposed to something like aff4). Once the memory dump finished, we then transferred the raw memory file, memdump.raw, to our Kali Linux & Windows machine.
Analysing Windows Memory
Choosing the Right Profile
This part frustrates a lot of analysts. We can typically only analyse memory dumps that have a profile available in Volatility. Newer Windows 10 builds do not have compatible profiles in Volatility.
To find the right profile, type volatility --info to get a list of the available profiles. Look under “Profiles” in the output, we’ll see the following Windows 10 profiles:
Profiles
--------
[...]
Win10x64 - A Profile for Windows 10 x64
Win10x64_10240_17770 - A Profile for Windows 10 x64 (10.0.10240.17770 / 2018-02-10)
Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x64_15063 - A Profile for Windows 10 x64 (10.0.15063.0 / 2017-04-04)
Win10x64_16299 - A Profile for Windows 10 x64 (10.0.16299.0 / 2017-09-22)
Win10x64_17134 - A Profile for Windows 10 x64 (10.0.17134.1 / 2018-04-11)
Win10x86 - A Profile for Windows 10 x86
[...]
Retrieve user’s passwords from a Windows memory dump
1. Identify the memory profile
First, we need to identify the correct profile of the system :
2. List the registry hive
With the correct profile, we can use the “hivelist” plugin in order to extract the list of registry hive in the memory dump :
3. Extract the hashes
Now, with the virtual offset of SYSTEM and SAM, we can extract the hashes :
.\Volatility.exe -f Triage-Memory.mem - profile=Win2008R2SP1x64_23418 hashdump -y 0xfffff8a000024010 -s 0xfffff8a000e66010 > hashes.txt
4. Crack the hashes
Finally, we can process the hash using a local tool (like HashCat) or using a online tool like CrackStation :
Note: If the password is not available through the crackstation, you can use rockyou.txt for cracking this hash
Retrieve SHA1 hash (memory dump)
Just to check whether we downloaded the right file or not, we can use the following command in PowerShell.
Get-FileHash -Algorithm SHA1 .\Triage-Memory.mem
In most of the cases volatility suggests multiple profiles with the volatility framework. In order to select the best memory profile for further analysis a kdbgscan (https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#kdbgscan) is used.
.\Volatility.exe -f Triage-Memory.mem - profile=Win2008R2SP1x64_23418 kdbgscan
After selecting the correct profile it can be moved in to the next steps of analysis.
Analysing Processes
By using the following command, a list of processes can be obtained which were there within the memory.
.\Volatility.exe -f Triage-Memory.mem - profile=Win7SP1x64 pslist
A parent-child relationship in between the processes can be obtained using the pstree ( https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#pstree) attribute
.\Volatility.exe -f Triage-Memory.mem - profile=Win7SP1x64 pstree
Note : highlighted in green - child process of wscript.exe
Let’s run a last command before investigating deeper into these two processes. psxview will list processes that are trying to hide themselves while running on the computer, this plugin can be really useful.
./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 psxview
By identify processes seems hidden, if so you’ll see “False” in the first two columns (pslist and psscan).
In Linux, you can use dlllist plugin to view the list of loaded DLLs for each process.
volatility -f Triage-Memory.mem --profile=Win7SP1x64 dlllist|grep VCRUNTIME140.dll
All application running
Use the shimcache option to get a full list of all executed applications and execution times
.\vol.exe -f Triage-Memory.mem --profile=Win7SP1x64 shimcache > shimcache.txt
How to detect malicious files
In volatility, there exists an attribute named malfind. This is actually an inbuilt plugin and can be used for malicious process detection.
.\Volatility.exe -f Triage-Memory.mem - profile=Win7SP1x64 -D <Output_Location> -p <PID >malfind
Analysing Network Connections
netscan . This plugin allows us to see the network connections on the machine at the time the memory was captured. We ran the plugin with volatility and directed the output to output_netscan.txt.
./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 netscan > output_netscan.txt
We can check running sockets and open connections on the computer. To do this we’ll use these different plugins: connscan, netscan and sockets.
./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 connscan
$ volatility -f cridex.vmem --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.112.128:1038 41.168.5.140:8080 1484
0x023a8008 172.16.112.128:1037 125.19.103.198:8080 1484
$ volatility -f cridex.vmem --profile=WinXPSP2x86 sockets
Volatility Foundation Volatility Framework 2.6
Offset(V) PID Port Proto Protocol Address
---------- -------- ------ ------ --------------- ---------------
0x81ddb780 664 500 17 UDP 0.0.0.0
0x82240d08 1484 1038 6 TCP 0.0.0.0
0x81dd7618 1220 1900 17 UDP 172.16.112.128
0x82125610 788 1028 6 TCP 127.0.0.1
0x8219cc08 4 445 6 TCP 0.0.0.0
The connscan plugin is a scanner for TCP connections, while sockets will print a list of open sockets and finally netscan (which cannot be used in our example due to the profile used) will scan a Vista (or later) image for connections and sockets.
Looking at Command-Line History
Using the cmdline plugin, we can see what commands were executed at the time that the memory was captured.
./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 cmdline > cmdline.txt
We can observe suspicious commands from there.
Dumping the infected process
.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 procdump -p 3496 - dump-dir dump-folder
We created the “dump-folder” to dump the information.
After dumping the process we can use PowerShell to find out the md5 hash value.
Get-FileHash -Algorithm md5 executable.3496.exe
Dump and capture flag memory written in notepad.exe
Once we obtained the PID of notepad.exe, use the memdump to dump the process memory then use strings command in Linux or a Hex Editor software to look through the data. For this example, we used strings from our Kali Linux.
.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 pslist
.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 memdump -p 3032 - dump-dir .
Then we use strings along with grep to search for flags. Since notepad stores text in 16-bit little-endian format, so we need to add -e & l switches to work. In Notepad, as in Windows software in general, “Unicode” as an encoding name means UTF-16 Little Endian (UTF-16LE). Similarly, “Unicode big endian” means UTF-16 Big Endian.
flag<REDBULL_IS_LIFE>
Finding short name of the file at file record (Managed file transfer)
.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 mftparser > mft.txt
Dump the VAD info ( memory protection constants )
vadinfo displays extended information about a process’s VAD nodes. In particular, it shows: The address of the MMVAD structure in kernel memory. The starting and ending virtual addresses in process memory that the MMVAD structure pertains to.
.\vol.exe -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo > vadinfo.txt
The memory protection constant (permissions). Note there is a difference between the original protection and current protection. The original protection is derived from the flProtect parameter to VirtualAlloc. For example we can reserve memory (MEM_RESERVE) with protection PAGE_NOACCESS (original protection). Later, we can call VirtualAlloc again to commit (MEM_COMMIT) and specify PAGE_READWRITE (becomes current protection). The vadinfo command shows the original protection only. Thus, just because we see PAGE_NOACCESS here, it doesn’t mean code in the region cannot be read, written, or executed.
Reference :