Several months ago I finally managed to attend the SANS memory forensics course (FOR526), taught by the very knowledgeable @sibertor. The course covers memory structures and focuses on the two key frameworks for memory analysis, Volatility and Rekall.
I'm not going to get into which is best; each has its uses and most of the time I flip between the two. That being said, for basic IR work I prefer Volatility.
tl;dr Web Interface that makes analyzing the output from volatility easier. https://github.com/kevthehermit/VolUtility
Here is a quick demo showcasing the main features and usage.
Volatility is a fairly simple beast when it comes to using it. Point Volatility at your memory image, tell it what OS it is (the profile) and then what information you want to extract. Once you provide this information, the incredibly complex work of parsing the memory structures is performed for you and the results are displayed.
There are a lot of plugins that form a part of the core volatility platform and these can be extended with community plugins.
I don't want to focus too much on using the command line, as there are plenty of writeups on this, but basic usage goes something like this.
Determine the OS with imageinfo:
vol.py -f /path/to/memory.vmem imageinfo
list running processes
vol.py --profile=Win7SP1x86 -f /path/to/memory.vmem pslist
scan for hidden / terminated processes
vol.py --profile=Win7SP1x86 -f /path/to/memory.vmem psscan
I want to view all connections; which plugin was that again?
Ah, that's right, netscan:
vol.py -f /path/to/memory.vmem netscan
With the correct profile this time.
vol.py --profile=Win7SP1x86 -f /path/to/memory.vmem netscan
OK, so what PID was xxxx again? Ah, I can't scroll that far back up, so I will have to run the command again. This time I might pipe the output to a text file or use one of the output methods to generate a CSV.
Volatility gives you all the information you need when you ask for it, but when it comes to analysing the data you need to use a lot of grep, cut, sed and awk to find the results you want.
Since Volatility version 2.5 the team has introduced unified output for most of the core plugins. This can write out to JSON, Excel, HTML and SQLite with relative ease. I had also been playing with MongoDB, a document-based database that includes GridFS, which is used to store files and documents.
This, coupled with the JSON output, meant I could store all the plugin output as well as extracted files in a single data store and run concurrent analysis on different samples at the same time, without getting lost in folders full of text outputs.
And so VolUtility was born. I set myself some key points I wanted to achieve:
- Session based - To handle multiple samples at once.
- All plugins should store output even if not in json.
- Store files.
- Export results.
- Export files.
- Allow for extra tools like yara, virustotal, pe info to be integrated.
It took a couple of weeks to get the core functionality working. I initially had some issues when running plugins that failed: when they failed, the Volatility debug and logging system would call sys.exit and terminate the Django request. This meant I couldn't get any exception handling in and display the error to the user. It turns out, after several hours of googling and many ctrl+z later, that this could be monkey patched to override the default debugging behaviour with my own error handler.
From here it was a lot easier to get error messages and adjust workflows based on this.
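The workaround described above, as an added example that is not VolUtility's own code: Volatility 2.x's `debug.error()` logs the message and calls `sys.exit()`, so a web front end replaces it with a handler that raises an exception the request can catch. The `debug` module here is a constructed stand-in so the example runs offline, and the plugin and function names are assumptions.

```python
import sys
import types


class PluginError(Exception):
    """Raised in place of sys.exit when a Volatility plugin fails."""


# Constructed stand-in for volatility.debug. In Volatility 2.x debug.error()
# logs the message and calls sys.exit(1), which would tear down the whole
# Django request; a real deployment imports volatility.debug instead.
debug = types.ModuleType("debug")


def _original_error(msg):
    sys.stderr.write("ERROR: %s\n" % msg)
    sys.exit(1)


debug.error = _original_error


def patch_debug_error(module):
    """Monkey patch module.error so plugin failures surface as exceptions."""
    def _raising_error(msg):
        raise PluginError(msg)
    module.error = _raising_error


def run_plugin(plugin, debug_module=debug):
    """Run a plugin callable and return a dict the web layer can render.

    plugin(dbg) returns a list of rows, or calls dbg.error(msg) on failure,
    mirroring how Volatility plugins report fatal errors.
    """
    try:
        rows = plugin(debug_module)
    except PluginError as exc:
        return {"status": "error", "error": str(exc), "rows": []}
    return {"status": "complete", "error": None, "rows": rows}


# Constructed sample plugins: one behaves like pslist, one fails.
def fake_pslist(dbg):
    return [{"pid": 4, "name": "System"}, {"pid": 1234, "name": "svchost.exe"}]


def fake_broken_plugin(dbg):
    dbg.error("Invalid profile for this image")
    return []
```

Apply `patch_debug_error(debug)` once at application start-up; every later `run_plugin` call then returns an error record instead of killing the worker.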
Anyway, you don't have to worry about that; let me show you the results.
Installation is relatively simple following the wiki on the GitHub page. There are also some bootstrap and Vagrant scripts that have been provided. If you find something is broken or can be improved, please open an issue. I'm keen to keep this alive.
That's all for now. As usual, questions, queries and comments below.