Memory Analysis using Volatility - cmdline
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
cmdline – a volatility plugin that is used to display the process command-line arguments. This plugin can be used to detect whether the process is launched using a malicious command or not.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
We can determine how the executable is launched by using the Volatility cmdline plugin. We can also see the path where the executable is located, which allows the analyst to determine whether an executable is in a legitimate or malicious directory.
In our sample, we can see that the process notepad.exe is legitimate because the path is legitimate @ System32
Our syntax will be like: Vol.exe -f <memory_dump> –profile=<OS_version> cmdline
In this sample, we can see that a suspicious dll is launched as a service by using regsrv32.exe.
Furthermore, we can see that the suspicious is located in the C:\ProgramData directory, which is not a typical location for legitimate dll.
We attempt to upload this sample dll to VirusTotal.