Memory Analysis using Volatility - callbacks
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
callbacks – a volatility plugin that is used to print system-wide notification routines.
Windows Callback – Windows operating system allows the driver to register a callback routine which will be called when a particular event occurs. Also, this functionality gives the rootkit driver the ability to monitor system activities and take necessary action depending on the activity.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
In using Volatility callbacks plugin, we can see different information such as:
Type – is monitored by the module.
Callback – callback function address.
Module – is responsible for monitoring the function.
Our syntax will be like: vol.exe -f <mem_dump> –profile=<OS_version> callbacks
#note: To use callbacks to look for suspicious driver/module, look for unknown name and unknown details.