Hacker, Researcher and Author.

Memory Forensics, Analysis And Techniques PART 2


Volatility is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of samples of digital artifacts from volatile memory (RAM).

Note: Before reading this post, i'd recommend you to go ahead and read the part 1 - Memory Forensics, Analysis And Techniques PART 1


The tool supports a variety of formats "dump", performs some automatic conversion between formats and can be used on any platform that supports Python. Installation and use are simple, simply unzip the package supplied by Systems Volatility in a system where Python already installed.
C:\Volatility>python volatility

Figure 1) Supported Internel Comands.

Example: volatility pslist -f /path/to/my/file

Figure 2) Use the command volatility

The image 3 shows the use of the command "ident", which can be used to identify the date and time the image was collected, as well as providing information about the operating system on which the dump was generated:

C:\Volatility>python volatility ident –f C:\memorytest_rafael_fontes.dmp

Figure 3) Command ident.
You can use the --help option with any command to get help:

C:\Volatility>python volatility ident –-help

Figure 4) Option Volatility help tool.

To list the processes that were running at the time it was generated dump can use the "pslist." As can be seen below, the output will contain the name of the process, its identifier (Pid) and father process ID (PPID) beyond the time when it was started and other useful information.

C:\Volatility>python volatility pslist –f C:\memorytest_rafael_fontes.dmp

Figure 5) Use the command pslist.

The "connscan" provides information about the network connections that were active at the time the data were collected memory. Already the "sockets" displays the open sockets at the time the dump was generated. The command "files" displays open files for each process. You can specify the case number on the command line to display only those files opened by a particular process.
C:\Volatility>python volatility files –p 1740 –f C:\ memorytest_rafael_fontes.dmp

Figure 6) Use the command files.

The command "dlllist" displays a list of DLLs loaded for each process, and the command "regobjkeys" displays a list of registry keys opened by each process.
C:\Volatility>python volatility dlllist –p 1740 –f C:\memorytest_rafael_fontes.dmp

Figure 7) Use the command dlllist
C:\Volatility>python volatility regobjkeys –p 1740 –f C:\memorytest_rafael_fontes.dmp

Figure 8) Use the command regobjkeys.

It is possible, through command "procdump" extracting executable from the dump of memory, allowing access to the code that was running on the machine, and thus better understand their behavior.
C:\Volatility>python volatility procdump –p 1740 –f C:\ memorytest_rafael_fontes.dmp

Figure 9) Use the command procdump.

It was possible to observe the generation of executable "executable.1740.exe" and the occurrence of informational messages like "Memory Not Accessible" after using the command "ProcDump". This is because not all the virtual memory addresses are accessible on the image because it may have been, for example, paged to disk. Thus, these messages provide an audit log so that you can determine which parts of the executable generated were successfully retrieved.

Practical examples,to determine the date and time of the image, for example, one can use the following command:

>>> Python volatility datetime -f target-2013-10-10.img

    Image Local date and time: Mon Oct 10 16:20:12 2013
The command pslist, in turn, determines the procedures that were running at the time the image was captured:

 >>> Python volatility pslist -f target-2013-10-10.img

Name Pid PPID THDs HNDs Time
lsass.exe 536 480 20 369 Mon Oct 10 16:22:18 2013
 To determine which system ports were open, one can employ the command "socks". For the system under analysis, it is possible to detect, for example, the process LSASS.exe listening on port 4500.

>>> Python volatility sockets -f target-2013-10-10.img

Forensic Memory for Linux distributions:        

S.M.A.R.T Linux  http://smartlinux.sourceforge.net/                                                                                      

Figure 1) S.M.AR.T. Linux.
S.M.A.R.T. Linux is a bootable floppy distribution containing tool (smartmontools) for monitoring IDE/SCSI hard disks (using Self-Monitoring, Analysis and Reporting Technology). Why floppy? Probably because all other distributions containing this useful utility are CD versions [and not everybody has a CD-ROM ;)]. It's going to be free, small, helpful and easy to use. Current version is based on Kernel 2.4.26, uClibc 0.9.24 and BusyBox 1.00 official release. Built on Slackware 10.0.
The Sleuth Kit and Autopsy http://www.sleuthkit.org/

Figure 2) Autopsy.                                                                                    

Figure 3) The Sleuth Kit.

Autopsy™ and The Sleuth Kit™ are open source digital investigation tools (a.k.a. digital forensic tools) that run on Windows, Linux, OS X, and other Unix systems. They can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types.
CAINE (Computer Aided Investigative Environment)  http://www.caine-live.net/

Figure 4) C.A.I.N.E.

CAINE(Italian GNU/Linux live distribution created as a project of Digital Forensics) offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.
The main design objectives that CAINE aims to guarantee are the following:
• An interoperable environment that supports the digital investigator during the four phases of the digital investigation.
• A user friendly graphical interface.
• A semi-automated compilation of the final report.


Below are some tools that can be used for forensic analysis on computers with Mac OS X.

Mac OS X Forensics Imager: http://www.appleexaminer.com/Utils/Downloads.html

Figure 1) Mac OS X Forensics Imager.

Tool for imaging disk byte by byte format Encase or FTK for later forensic analysis in these tools.

Metadata Extractor
Application to extract meta-data files for a specific folder in Mac Displays location on google maps in case there are geo-location information in the file.

File Juicer: http://echoone.com/filejuicer/

Figure 2) File Juicer 1.

Figure 3) File Juicer 2.

Commercial software that enables the extraction of images and texts from any file. Ignores format, and scans files byte by byte for identifying the data supported. Among other features, there are the following, which find application in forensic analysis:

· Extract images from PowerPoint presentations and PDFs
· Recover deleted pictures and videos from memory cards
· Recover text from corrupt
· Extract images and html files from the cache of Safari
· Extract attachments from email archives
· Generate Word document from simple PDFs
· Recover photos from iPods in TIFF
· Convert ZIP files which are in. EXE
· Extract JPEG images in RAW format (Canon & Nikon)
· Extracting data from different types of cache file
· Find and extract file in general data in JPEG, JP2, PNG, GIF, PDF, BMP, WMF, EMF, PICT, TIFF, Flash, Zip, HTML, WAV, MP3, AVI, MOV, MPG, WMV, MP4, AU, AIFF or text.


There are several trends that are revolutionizing the Forensic Memory. The process to do the analysis in memory forensics also walks for a better solution and refinement of the technique, it is an approach increasingly relevant in the context of Computer Forensics. In certain cases the popularity and use of tools for encrypting volumes as TrueCrypt, or creating malware residing only in volatile memory, raise the difficulty of analyzing the data stored in these devices.

However, it is interesting to note that the Forensic Memory is best seen as a complement to other approaches. An example of this is the procedure in which an investigation after the image capture of volatile memory, it uses the "Analysis of Living Systems" as a way to determine the next step in solving the case. Later, in the laboratory, we use the "Memory Forensics" as a complement to traditional forensics, giving greater agility and precision to the process.

I hope my article has helped computational experts and specialists in information security.
This is a guest post written by , RAFAEL FONTES SOUZA. He is the maintainer of the “Project Backtrack Team Brazilian”, He works at RHAinfosec as a senior penetration tester. He is also the Founder of the "Wikileaks and Intelligence, Cypherpunks". Good communication in groups and the general public, attended college projects with a focus on business organization, he currently seeks work experience outside of brazil”. He frequently contributes at RHA and talks about various topics related to internet security. 

No comments:

© 2016 All Rights Reserved by RHA Info Sec. Top

Contact Form


Email *

Message *

Powered by Blogger.