Saturday 15 October 2022

[re:educate] Memory forensic using Volatility

Memory forensic using Volatility

Memory forensic using Volatility

This article is a part of our program, #re:educate where we empowering cybersecurity students and beginners to share their understanding about anything related to offensive security. For more info, refer to this link RE:HACK - #re:educate

Author: Fatahillah bin Hashim
University: German-Malaysian Institute


Volatility is a tool that can be used to analyse a volatile memory of a system. We can inspect processes, look at command history, and even pull files and passwords from a system without even being on the system.



# How to detect malicious files ?
./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 -D <Output_Location> -p <PID >malfind
# What type of dump am we are going to analyse ?
$ ./vol.exe -f Triage-Memory.mem imageinfo

# Which process are running
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile pslist
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile pstree
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile psxview

# List open TCP/UDP connections
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile connscan
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile sockets
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile netscan

# What commands were lastly run on the computer
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile cmdline
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile consoles
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile cmdscan

# Dump processes exe and memory 
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile procdump -p MyPid --dump-dir .
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile memdump -p MyPid --dump-dir .

# Hive and Registry key values
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile hivelist
$ ./vol.exe -f Triage-Memory.mem --profile=MyProfile printkey -K "MyPath"

Capturing Windows Memory Using Winpmem

Winpmem is a part of the Pmem Suite, a suite of memory acquisition tools for Windows, Linux, and Mac OS. We can download the latest release of winpmem from here:

Run Winpmem

First, after we staged malicious activity, we downloaded winpmem version 3.3 RC3 onto the victim Windows machine. Then, we opened a command-line terminal and run the program:

C:\ winpmem_v3.3.rc3.exe --output memdump.raw --format raw --volume_format raw

The --output mem.raw option was used to name the output as memdump.raw. The --format raw and --volume_format raw options were used to output the memory in raw format (as opposed to something like aff4). Once the memory dump finished, we then transferred the raw memory file, memdump.raw, to our Kali Linux & Windows machine.

Analysing Windows Memory

Choosing the Right Profile

This part frustrates a lot of analysts. We can typically only analyse memory dumps that have a profile available in Volatility. Newer Windows 10 builds do not have compatible profiles in Volatility.

To find the right profile, type volatility --info to get a list of the available profiles. Look under “Profiles” in the output, we’ll see the following Windows 10 profiles:

Win10x64              - A Profile for Windows 10 x64
Win10x64_10240_17770  - A Profile for Windows 10 x64 (10.0.10240.17770 / 2018-02-10)
Win10x64_10586        - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393        - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x64_15063        - A Profile for Windows 10 x64 (10.0.15063.0 / 2017-04-04)
Win10x64_16299        - A Profile for Windows 10 x64 (10.0.16299.0 / 2017-09-22)
Win10x64_17134        - A Profile for Windows 10 x64 (10.0.17134.1 / 2018-04-11)
Win10x86              - A Profile for Windows 10 x86

Retrieve user’s passwords from a Windows memory dump

1. Identify the memory profile

First, we need to identify the correct profile of the system :


2. List the registry hive

With the correct profile, we can use the “hivelist” plugin in order to extract the list of registry hive in the memory dump :


3. Extract the hashes

Now, with the virtual offset of SYSTEM and SAM, we can extract the hashes :

.\Volatility.exe -f Triage-Memory.mem  - profile=Win2008R2SP1x64_23418 hashdump -y 0xfffff8a000024010 -s 0xfffff8a000e66010 > hashes.txt


4. Crack the hashes

Finally, we can process the hash using a local tool (like HashCat) or using a online tool like CrackStation :


Note: If the password is not available through the crackstation, you can use rockyou.txt for cracking this hash

Retrieve SHA1 hash (memory dump)

Just to check whether we downloaded the right file or not, we can use the following command in PowerShell.

Get-FileHash -Algorithm SHA1 .\Triage-Memory.mem


In most of the cases volatility suggests multiple profiles with the volatility framework. In order to select the best memory profile for further analysis a kdbgscan ( is used.

.\Volatility.exe -f Triage-Memory.mem - profile=Win2008R2SP1x64_23418 kdbgscan


After selecting the correct profile it can be moved in to the next steps of analysis.

Analysing Processes

By using the following command, a list of processes can be obtained which were there within the memory.

.\Volatility.exe -f Triage-Memory.mem - profile=Win7SP1x64 pslist


A parent-child relationship in between the processes can be obtained using the pstree ( attribute

.\Volatility.exe -f Triage-Memory.mem - profile=Win7SP1x64 pstree



Note : highlighted in green - child process of wscript.exe

Let’s run a last command before investigating deeper into these two processes. psxview will list processes that are trying to hide themselves while running on the computer, this plugin can be really useful.

./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 psxview


By identify processes seems hidden, if so you’ll see “False” in the first two columns (pslist and psscan).

In Linux, you can use dlllist plugin to view the list of loaded DLLs for each process.

volatility -f Triage-Memory.mem --profile=Win7SP1x64 dlllist|grep VCRUNTIME140.dll

All application running

Use the shimcache option to get a full list of all executed applications and execution times

.\vol.exe -f Triage-Memory.mem --profile=Win7SP1x64 shimcache > shimcache.txt



How to detect malicious files

In volatility, there exists an attribute named malfind. This is actually an inbuilt plugin and can be used for malicious process detection.

.\Volatility.exe -f Triage-Memory.mem - profile=Win7SP1x64 -D <Output_Location> -p <PID >malfind

Analysing Network Connections

netscan . This plugin allows us to see the network connections on the machine at the time the memory was captured. We ran the plugin with volatility and directed the output to output_netscan.txt.

./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 netscan > output_netscan.txt


We can check running sockets and open connections on the computer. To do this we’ll use these different plugins: connscan, netscan and sockets.

./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 connscan
$ volatility -f cridex.vmem --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620         1484
0x023a8008       1484
$ volatility -f cridex.vmem --profile=WinXPSP2x86 sockets
Volatility Foundation Volatility Framework 2.6
Offset(V)       PID   Port  Proto Protocol        Address         
---------- -------- ------ ------ --------------- --------------- 
0x81ddb780      664    500     17 UDP            
0x82240d08     1484   1038      6 TCP            
0x81dd7618     1220   1900     17 UDP     
0x82125610      788   1028      6 TCP          
0x8219cc08        4    445      6 TCP   

The connscan plugin is a scanner for TCP connections, while sockets will print a list of open sockets and finally netscan (which cannot be used in our example due to the profile used) will scan a Vista (or later) image for connections and sockets.

Looking at Command-Line History

Using the cmdline plugin, we can see what commands were executed at the time that the memory was captured.

./vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 cmdline > cmdline.txt

We can observe suspicious commands from there.


Dumping the infected process

.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 procdump -p 3496 - dump-dir dump-folder


We created the “dump-folder” to dump the information.

After dumping the process we can use PowerShell to find out the md5 hash value.

Get-FileHash -Algorithm md5 executable.3496.exe

Dump and capture flag memory written in notepad.exe

Once we obtained the PID of notepad.exe, use the memdump to dump the process memory then use strings command in Linux or a Hex Editor software to look through the data. For this example, we used strings from our Kali Linux.

.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 pslist


.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 memdump -p 3032 - dump-dir .


Then we use strings along with grep to search for flags. Since notepad stores text in 16-bit little-endian format, so we need to add -e & l switches to work. In Notepad, as in Windows software in general, “Unicode” as an encoding name means UTF-16 Little Endian (UTF-16LE). Similarly, “Unicode big endian” means UTF-16 Big Endian.



Finding short name of the file at file record (Managed file transfer)

.\vol.exe -f Triage-Memory.mem - profile=Win7SP1x64 mftparser > mft.txt


Dump the VAD info ( memory protection constants )

vadinfo displays extended information about a process’s VAD nodes. In particular, it shows: The address of the MMVAD structure in kernel memory. The starting and ending virtual addresses in process memory that the MMVAD structure pertains to.

.\vol.exe -f Triage-Memory.mem --profile=Win7SP1x64 vadinfo > vadinfo.txt



The memory protection constant (permissions). Note there is a difference between the original protection and current protection. The original protection is derived from the flProtect parameter to VirtualAlloc. For example we can reserve memory (MEM_RESERVE) with protection PAGE_NOACCESS (original protection). Later, we can call VirtualAlloc again to commit (MEM_COMMIT) and specify PAGE_READWRITE (becomes current protection). The vadinfo command shows the original protection only. Thus, just because we see PAGE_NOACCESS here, it doesn’t mean code in the region cannot be read, written, or executed.

Reference :