Skip to main content

Part 3 - Memory Forensics and Malware Extraction with Volatility and DumpIt

Considering the threats that have been highlighted in the previous posts, there definitely have to be ways for users to stay or keep themselves safe besides:

  • keeping their antivirus software updated, 
  • first checking whether a program is malicious via Virustotal before installing it or 
  • submitting it to malwr.com which uses the cuckoo sandbox
The operation of cuckoo sandbox was demonstrated in one of the earlier posts on this blog as part of a tool that extracts malware embedded within pictures and scans it.

The video below shows how to use the Volatility framework which is actually a memory forensics tool. It is used in partnership with a "RAM dumping" tool or basically a tool that takes a snapshot of the RAM in a targeted computer. 

For our case, we used DumpIt in the video below. A forensic investigator could have this on a USB drive, connect it to the evidence workstation and then download the RAM dump onto the USB. DumpIt saves the RAM dump in the same location that it (the DumpIt executable) is located.


Volatility is then used to analyse the forensic artifacts in that memory dump. Volatility comes preinstalled on Kali and most forensic Linux VMs such as SIFT Workstation but it can also be cloned from its github repository. It is written in python.

After the analysis is done, the malicious program was extracted using the procdump tag (procexedump in previous versions of Volatility). During the walkthrough, you may realise that some of the commands you're entering are not being recognized by Volatility. In that case, check the possible tags you can use in Volatility by typing Volatility -h.


The field of memory forensics is very deep so we will not delve into the other multiple things Volatility or vol.py can be used for. However, a background in how the operating system you are investigating or trying to rescue is highly necessary. In this case, it is a Windows XP target that was compromised so knowledge of Windows OS operation and libraries is also necessary if you intend to be very effective with this task.



Comments

Popular posts from this blog

Password Cracking: RainbowCrack table generation, sorting and usage

I had to do this demo after one of my students asked for my assistance regarding how to use this tool. Usually, I just assign different tools to them individually depending on the aspect of penetration testing we are covering (session hijacking, vulnerability scanning, etc) and then tell them to submit a report and a video demo of how the tool is used. Anyway, after a brief one-to-one discussion I realized the student had actually done the research on how rainbow tables operate (above and beyond the material in the lecture slides) so I figured that if he was here asking for assistance, he genuinely needed it. The tool is available at the RainbowCrack site.  A detailed description of this nifty tool can also be found here . So, firstly I had to generate the rainbow tables. The command line syntax is: rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index where: hash_algorithm  Rainbow table is hash algorithm sp...

Forensics: Extraction of email evidence using Wireshark and NetworkMiner

The video at the end of this post is a demo of a solution to a forensic challenge from this site .   The goal of the challenge is to extract necessary information for an investigation from a pcap file. the site, forensicscontest.com, has a number of similar challenges that you can try out as well. Obviously, there is more than one way to skin a pcap (the other methods can be found among the solutions/walkthroughs on the site itself) and in this case 2 tools were used: Wireshark NetworkMiner Just to cover a few "mysterious" sections of the video, there is a point where I sorted the packets in wireshark in alphabetical order then looked for the first SMTP packet. The reason is that since we are investigating email evidence, the common protocols we should search for include IMAP, SMTP etc. In this case, the criminal used SMTP. Next, there is a point where we highlight the stream index in the detailed section of the packet. This is because each stream refers ...

How I Recovered my Corrupted 2TB Hard Drive without having to copy everything to another Drive

So, a little back story. I have a 2 Terabyte external hard drive that's split into 3 partitions for backup; one for entertainment, one for work and one for personal projects. A friend of mine had a Lenovo laptop that was having challenges with installing WLAN drivers (you'd install the drivers and they'd keep giving an error that drivers aren't working. If you tried to uninstall them, they'd just reappear...but that's a whole different story). Anyway, my friend decided to roll-back from Windows 10 to Windows 8 and wanted to copy one of the test builds from my 2TB HDD so I lent it to him. Little did I know that that Lenovo laptop had other plans for me. Upon connecting the external hard drive to the Lenovo laptop, it immediately read it as a FAT32 formatted drive (it was actually NTFS formatted) and had 1.82 TB free space of the "actual" size 1.82 TB. Where panic would have ensued for many, I managed to keep in the growing irritation at such a thing ...