Memory Analysis using Volatility - imageinfo
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
imageinfo – a volatility plugin that is used to identify the information of an image or memory dump.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
In some cases, an investigator will perform and you won’t know the profile ahead of time.
For example, another investigator might have acquired the memory and have not documented the operating system version. the Volatility imageinfo plugin helps the analyst determine the proper profile if that happens.
Our syntax will be like: vol.exe -f <memory_dump> imageinfo
After identifying the right image version we can then feed this information to the –profile parameter
Then, Our syntax will be like: vol.exe -f <memory_dump> –profile=<OS_version> <plugin>