Volatility imageinfo

Memory Analysis using Volatility - imageinfo

Volatility is a framework for extracting digital artifacts from volatile memory (RAM) samples. It is built around a set of plugins, each of which pulls one kind of artifact out of the image, so an analyst can answer specific questions quickly without parsing kernel structures by hand.

imageinfo – a Volatility plugin that identifies the operating system, service pack and architecture of a memory image and suggests the Volatility profile(s) that match it.

From an incident response perspective, the volatile data residing in a system's memory contains rich information such as passwords, credentials, network connections, signs of malware intrusion, registry hives and more. This can be a valuable source of evidence and much of it is never written to the local hard disk. It is one of the investigator's favorite data sources for digital forensics, and knowing the right tool to acquire and analyze memory is a must.

In some cases you will receive a memory image without knowing which profile it needs.

For example, another investigator might have acquired the memory and not documented the operating system version. The Volatility imageinfo plugin helps the analyst determine the proper profile when that happens.

Our syntax will be like: vol.exe -f <memory_dump> imageinfo

(The commands on this page use the Volatility 2 command line. Volatility 3 dropped profiles and identifies the operating system from symbol tables instead, so there is no --profile there.)

imageinfo prints a "Suggested Profile(s)" line. Several profiles often match, for example a Windows 7 x64 image may list both Win7SP1x64 and Win7SP0x64, and the first one is not always correct, so confirm the choice by running a cheap plugin such as pslist with it and checking that the output is sane. After identifying the right profile we feed it to the --profile parameter.

Then, our syntax will be like: vol.exe -f <memory_dump> --profile=<profile> <plugin>
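The profile-selection step above, as an added example that is not part of the original page or of Volatility itself. The imageinfo text is a constructed sample in the layout Volatility 2 prints; the helper names (suggested_profiles, choose_profile, pslist_probe) and the "at least one process row means the profile works" heuristic are this example's own assumptions:

```python
import re
import subprocess
from typing import Callable, List, Optional

# Constructed sample of what "vol.exe -f <memory_dump> imageinfo" prints for a
# Windows 7 x64 image (abridged; not output from the page's own case).
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\\cases\\memdump.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a4a0a0L
"""


def suggested_profiles(imageinfo_output: str) -> List[str]:
    """Return the profiles on imageinfo's 'Suggested Profile(s)' line, in order."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def build_command(vol: str, dump: str, profile: str, plugin: str, *args: str) -> List[str]:
    """Assemble the argv for a Volatility 2 run with an explicit --profile."""
    return [vol, "-f", dump, f"--profile={profile}", plugin, *args]


def choose_profile(imageinfo_output: str, probe: Callable[[str], bool]) -> Optional[str]:
    """Return the first suggested profile that passes `probe`, or None.

    imageinfo guesses from KDBG signatures and often lists several profiles;
    the first is not always the right one. `probe(profile)` runs a cheap plugin
    with that profile and returns True when its output looks sane.
    """
    for profile in suggested_profiles(imageinfo_output):
        if probe(profile):
            return profile
    return None


def pslist_probe(vol: str, dump: str) -> Callable[[str], bool]:
    """Build a probe that runs pslist with a candidate profile and accepts it when
    at least one process row came back (a wrong profile usually yields none).
    This needs a real Volatility binary and dump, so it is not run offline."""
    def probe(profile: str) -> bool:
        out = subprocess.run(build_command(vol, dump, profile, "pslist"),
                             capture_output=True, text=True).stdout
        return any(line.startswith("0x") for line in out.splitlines())
    return probe


if __name__ == "__main__":
    # Offline demo: a stand-in probe that accepts only the second candidate.
    chosen = choose_profile(SAMPLE_IMAGEINFO, lambda p: p == "Win7SP0x64")
    print("candidates:", suggested_profiles(SAMPLE_IMAGEINFO))
    print("chosen:", chosen)
    print(" ".join(build_command("vol.exe", "memdump.raw", chosen, "pslist")))
```

Against a real image you would pass `pslist_probe("vol.exe", r"C:\cases\memdump.raw")` as the probe; the point of injecting the probe is that the selection logic can be checked offline while the expensive step stays pluggable.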

Volatility psxview

Memory Analysis using Volatility - psxview


psxview – a Volatility plugin that finds hidden processes by comparing several independent process listings. It starts from the processes reachable from PsActiveProcessHead (the linked list that pslist walks) and cross-references them with every other source of process information in the memory image.

The sources compared are pslist, psscan (pool-tag scanning for EPROCESS structures, which also recovers terminated processes), thrdproc (processes reconstructed from their threads), pspcid (the PspCidTable handle table), csrss (process handles held by csrss.exe), session and deskthrd (session and desktop thread lists). Some malware manipulates the EPROCESS structure as a stealth technique (DKOM, direct kernel object manipulation). The ActiveProcessLinks field of each EPROCESS is a LIST_ENTRY whose FLINK (forward link) and BLINK (backward link) pointers Windows uses to chain all processes together; a malicious process can unlink itself from that chain so that pslist, Task Manager and other API-based tools no longer see it, while its threads keep running and its EPROCESS stays in memory.


In the psxview output each source has its own column: True means the process was found by that source, False means it was not. A process that is False in pslist but True in psscan, thrdproc and pspcid, with no ExitTime, is the unlinked-process pattern described above. Not every False is malicious, though: psscan also recovers terminated processes (these carry an ExitTime and are legitimately absent from the live lists), and System and smss.exe are normally absent from the csrss and session columns because they start before csrss.exe and belong to no session. The -R / --apply-rules option marks these known-benign cases as Okay.

This allows the analyst to review the list and determine whether there is a legitimate reason for each discrepancy.

Our syntax will be like: vol.exe -f <memory_dump> --profile=<profile> psxview
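The cross-view check described above, as an added example that is not part of the original page or of Volatility. It parses psxview's text output and explains each False rather than just listing it: terminated processes, the early-boot exceptions and the unlinked (DKOM) pattern are separated. The psxview rows are a constructed sample in the column layout Volatility 2 prints (the "svhost.exe"/4040 row is made up to play the hidden process), and the rule set is a simplified stand-in for what --apply-rules does, not a copy of it:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout psxview prints (not output from the page's case).
# Columns: Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
SAMPLE_PSXVIEW = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003e3d3a38 System                    4 True   True   True     True   False False   False
0x000000003d5d5a40 smss.exe                264 True   True   True     True   False False   False
0x000000003e0b77e8 explorer.exe           1432 True   True   True     True   True  True    True
0x000000003d8e1b20 svhost.exe             4040 False  True   True     True   True  True    True
0x000000003e2f1030 notepad.exe            2316 False  True   False    False  False False   False    2020-01-01 12:00:00 UTC+0000
"""

SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# offset, name, pid, one True/False per source, optional ExitTime at the end
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)"
    + r"\s+(True|False)" * len(SOURCES)
    + r"(?:\s+(\S.*))?$"
)


@dataclass
class PsxRow:
    offset: str
    name: str
    pid: int
    seen: Dict[str, bool]      # source -> found?
    exit_time: Optional[str]


def parse_psxview(text: str) -> List[PsxRow]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:                      # banner, header and separator lines
            continue
        g = m.groups()
        seen = {src: val == "True" for src, val in zip(SOURCES, g[3:3 + len(SOURCES)])}
        rows.append(PsxRow(g[0], g[1], int(g[2]), seen, g[-1]))
    return rows


def classify(row: PsxRow) -> str:
    """Explain a row's False cells. Simplified rules (assumption of this example):
    - an ExitTime means psscan found a terminated process still in pool memory;
    - System and smss.exe start before csrss.exe and have no session, so False in
      csrss/session/deskthrd is normal for them;
    - missing from pslist while threads (thrdproc) or a PspCid entry still exist
      is the DKOM pattern: unlinked from ActiveProcessLinks but running."""
    s = row.seen
    if row.exit_time:
        return "terminated"
    if all(s.values()):
        return "ok"
    if row.name in ("System", "smss.exe") and all(s[k] for k in ("pslist", "psscan", "thrdproc", "pspcid")):
        return "ok (early-boot process; no csrss/session entries expected)"
    if not s["pslist"] and (s["thrdproc"] or s["pspcid"]):
        return "HIDDEN: unlinked from ActiveProcessLinks but has live threads/PspCid entry"
    return "review: missing from " + ", ".join(k for k, v in s.items() if not v)


def hidden_processes(text: str) -> List[int]:
    """PIDs that the rules flag as hidden."""
    return [r.pid for r in parse_psxview(text) if classify(r).startswith("HIDDEN")]


if __name__ == "__main__":
    for r in parse_psxview(SAMPLE_PSXVIEW):
        print(f"{r.pid:>6} {r.name:<20} {classify(r)}")
```

Run it on real output by piping `vol.exe -f <memory_dump> --profile=<profile> psxview` into a file and passing that text to parse_psxview; anything classified "review" still needs a human decision, and anything "HIDDEN" should be dumped and examined next.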

Volatility pstree

Memory Analysis using Volatility - pstree


pstree – a Volatility plugin that prints all running processes as a tree, showing their parent-child relationships.


Using the pstree plugin, we can see the parent-child relationship of all processes.

This plugin is a good way to check whether the sample has spawned other processes, and whether a process has a parent that makes no sense for it (for example, a command shell whose parent is a document viewer or a browser).

#note: We can identify a child process because it is indented beneath its parent (pstree prefixes each level of depth with a dot). A process whose parent has already exited appears at the top level, because its parent PID no longer matches any process in the image.

Our syntax will be like: vol.exe -f <memory_dump> --profile=<profile> pstree

In this sample, we can see that the NjRAT malware spawned additional processes when it infected the system.

Volatility pslist

Memory Analysis using Volatility - pslist


pslist – a Volatility plugin that prints all running processes by walking the doubly linked list of EPROCESS structures (the kernel structure Windows uses to represent a process) that starts at PsActiveProcessHead.


The pslist plugin enumerates the processes found in the captured memory dump.

For each process it shows the virtual offset of its EPROCESS, the process name, the Process ID, the Parent Process ID, the thread and handle counts, the Session ID, whether it is a WOW64 (32-bit on 64-bit Windows) process, and its start and, if it has exited, exit time. Because it follows the linked list, pslist does not show a process that has unlinked itself from that list; use psscan or psxview to catch those.

Our syntax will be like: vol.exe -f <memory_dump> --profile=<profile> pslist

To filter the listing to a single process, use the -p option with the Process ID of interest.

Our syntax will be like: vol.exe -f <memory_dump> --profile=<profile> pslist -p <PID>

In this sample, pslist has enumerated all running processes, including a process with an odd name and the process ID 4040.
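The pslist columns and -p filter above, and the parent-child tree from the pstree section, as one added example that is not part of the original page or of Volatility. It parses pslist's text output into records, offers the same single-PID lookup as -p, rebuilds the tree the way pstree renders it (children indented with dots, processes whose parent has exited at the top level), and answers the question "did PID 4040 spawn anything?". The pslist rows are a constructed sample in Volatility 2's column layout; the process names, PIDs and the helper names (parse_pslist, build_tree, descendants) are this example's assumptions:

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout pslist prints (not the page's own output).
# wininit.exe (PPID 364) and explorer.exe (PPID 1404) have parents that already
# exited, so pstree shows them at the top level.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c8a040 System                    4      0     84      523 ------      0 2020-01-01 11:50:02 UTC+0000
0xfffffa8001a8d060 smss.exe                264      4      2       29 ------      0 2020-01-01 11:50:02 UTC+0000
0xfffffa8001b2c910 wininit.exe             372    364      3       75      0      0 2020-01-01 11:50:04 UTC+0000
0xfffffa8001d5c5f0 explorer.exe           1432   1404     32      902      1      0 2020-01-01 11:51:10 UTC+0000
0xfffffa8002310b30 svhost.exe             4040   1432      3       80      1      1 2020-01-01 12:03:41 UTC+0000
0xfffffa8002412060 cmd.exe                2204   4040      1       21      1      1 2020-01-01 12:03:45 UTC+0000
0xfffffa8002466b30 notepad.exe            2316   1432      0        0      1      0 2020-01-01 12:00:00 UTC+0000   2020-01-01 12:05:12 UTC+0000
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+"
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\d+|-+)\s+(?P<wow64>[01])"
    rf"\s+(?P<start>{TS})(?:\s+(?P<exit>{TS}))?$"
)


@dataclass
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    sess: Optional[int]          # None where pslist prints ------
    start: str
    exit: Optional[str]
    children: List["Proc"] = field(default_factory=list)


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Map PID -> Proc for every process row in pslist output."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if not m:                  # banner, header and separator lines
            continue
        sess = m["sess"]
        procs[int(m["pid"])] = Proc(m["offset"], m["name"], int(m["pid"]), int(m["ppid"]),
                                    int(sess) if sess.isdigit() else None, m["start"], m["exit"])
    return procs


def filter_pid(procs: Dict[int, Proc], pid: int) -> Optional[Proc]:
    """Same selection as 'pslist -p <PID>'."""
    return procs.get(pid)


def build_tree(procs: Dict[int, Proc]) -> List[Proc]:
    """Link children to parents. A process whose PPID is not in the dump (its
    parent exited, e.g. userinit.exe for explorer.exe) becomes a root, as in pstree."""
    for p in procs.values():
        p.children = []
    roots = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None and parent is not p:
            parent.children.append(p)
        else:
            roots.append(p)
    for p in procs.values():
        p.children.sort(key=lambda c: c.pid)
    return sorted(roots, key=lambda r: r.pid)


def render(roots: List[Proc], depth: int = 0) -> List[str]:
    """pstree-style lines: one dot per level of depth before the process."""
    lines = []
    for p in roots:
        lines.append(f"{'.' * depth} {p.offset}:{p.name} {p.pid} {p.ppid}")
        lines.extend(render(p.children, depth + 1))
    return lines


def descendants(procs: Dict[int, Proc], pid: int) -> List[int]:
    """PIDs spawned directly or indirectly by `pid` (call build_tree first)."""
    out, stack = [], list(procs[pid].children) if pid in procs else []
    while stack:
        c = stack.pop()
        out.append(c.pid)
        stack.extend(c.children)
    return sorted(out)


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render(build_tree(procs))))
    print("spawned by 4040:", descendants(procs, 4040))
```

Feed it the saved output of `vol.exe -f <memory_dump> --profile=<profile> pslist`; the rendered tree matches what pstree prints, and descendants() gives the "did the sample spawn another process" answer directly instead of reading indentation by eye.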