Memory Analysis using Volatility - handles
Volatility is a tool for extracting digital artifacts from volatile memory (RAM) samples. It uses a set of plugins that extract these artifacts quickly and efficiently.
handles – a Volatility plugin that prints the list of open handles for each process.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
The Volatility handles plugin displays open handles. This applies to files, registry keys, mutexes, named pipes, events, window stations, desktops, threads, and all other types of securable executive objects.
To use this plugin, we need to use the -p option and supply it with the target process ID.
Our syntax will look like: vol.exe -f <memory_dump> --profile=<OS_version> handles -p <PID>
When using the Volatility handles plugin, you will be presented with a lot of data, so it is important to be able to filter the results down to what we need.
Process handles can give us important data such as:
- Files related to the process.
- Processes attached to the process itself.
- Mutex names, which can be good host-based indicators of compromise.
- Registry keys used by the process itself.
To filter this data we can then use the -t option and supply it with the handle type we want to see.
To see this in action, our syntax will look like:
vol.exe -f <memory_dump> --profile=<OS_VERSION> handles -p <PID> -t <handles_data>
In our case, at (1) we use File to see the files related to the process, at (2) we use Mutant to see the mutex names, at (3) Key for the registry keys found inside the process, and at (4) we use Process if the process attached itself to another process.
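As an added example (not code from the original post or from the Volatility project), the following Python script parses the table that the Volatility 2 handles plugin prints and applies the same type filtering locally, which is handy when the output has been saved to a file. The sample output, PID 1337, offsets, mutex name and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of "handles -p 1337" output (not from the original page).
# The column layout follows the plugin's table; values are made up.
SAMPLE_HANDLES = r"""
Offset(V)          Pid      Handle     Access     Type             Details
------------------ ------ ---------- ---------- ---------------- -------
0x85f0a3c0         1337        0x4    0x1f0003 Event
0x85f0b1d8         1337        0x8    0x100020 File             \Device\HarddiskVolume1\Windows\System32
0x85f0c2a0         1337        0xc    0x1f0001 Mutant           EXAMPLE_MUTEX_NAME
0x85f0d310         1337       0x10    0x1f0fff Process          explorer.exe(1120)
0x85f0e4f0         1337       0x14     0xf003f Key              MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
"""

# One data row: offset, pid, handle, access, type, optional details (may contain spaces).
LINE_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<pid>\d+)\s+(?P<handle>0x[0-9a-f]+)\s+"
    r"(?P<access>0x[0-9a-f]+)\s+(?P<type>\S+)(?:\s+(?P<details>.*))?$"
)


def parse_handles(text):
    """Turn raw handles output into a list of dicts, skipping header and rule lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            row["details"] = (row["details"] or "").strip()
            rows.append(row)
    return rows


def filter_type(rows, handle_type):
    """Local equivalent of `handles -t <type>`: keep only one object type."""
    return [r for r in rows if r["type"].lower() == handle_type.lower()]


def summarize(rows):
    """Group the Details column by type: the view an analyst wants for mutexes, keys and processes."""
    by_type = defaultdict(list)
    for r in rows:
        if r["details"]:
            by_type[r["type"]].append(r["details"])
    return dict(by_type)


if __name__ == "__main__":
    parsed = parse_handles(SAMPLE_HANDLES)
    for name in ("File", "Mutant", "Key", "Process"):
        print(name, [r["details"] for r in filter_type(parsed, name)])
```

Extracted mutex names from summarize()["Mutant"] can be compared against known host-based indicators across several dumps.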
In this sample, using handles filtering we are able to carve important information that lies beneath the volatile memory.
Sample 1: NjRAT, a famous backdoor rootkit malware that injects itself into other processes; using the Process filter we are able to detect the processes it spawns and injects into.
Sample 2: NjRAT uses the following mutex name to persist inside the system and make sure that there is only one process running on the system. Using the Mutant handles filter we are able to extract this data.