Memory Analysis using Volatility - deskscan

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

deskscan – a volatility plugin that is used to scan window station and then walks the lists of desktops.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

Using the Volatility deskscan plugin, we can able to scan window stations.

Here are things to note when using deskscan:

      • The Winlogon desktop is what presents the login prompt in which you enter your
        username and password. If successful, the system switches you into the Default
      • The number of windows in the Default desktop is much higher than the others
        (238 compared with 25 in Disconnect and 6 in Winlogon)
      • The only desktop with global hooks installed is Default because the fsHooks value is non-zero.

The syntax will be like:

In Windows: vol.exe -f <memdump> –profile=<OS> deskscan

In Linux: python -f <memdump> –profile=<OS> deskscan

#note: The only threads in the Winlogon desktop actually belong to winlogon.exe. If you ever see threads belonging to a different process in this desktop, it may indicate an attempt to steal login credentials.