Memory Analysis using Volatility - dlldump
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
dlldump – a volatility plugin that is used to dump a module from a process using its address space.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
In this sample, we will dump a loaded module from process id 2076(notepad.exe) using the Volatility dlldump plugin.
First, list the loaded module of a process using dlllist plugin.
Next, get the base address of the module.
Then, supply the base address to the -b option.
Finally, supply the directory path to the -D option where you want to dump the module.
Our syntax will be like:
vol.exe -f <memory_dump> –profile=<OS_version> dllldump -p <PID> -b <base_addr> -D <directory>