Memory Analysis using Volatility - modules
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
modules – a volatility plugin that is used print list of loaded modules/drivers.
an incident response perspective, the volatile data residing inside the
system’s memory contains rich information such as passwords,
credentials, network connections, malware intrusions, registry hives,
and etc. that can be a valuable source of evidence and is not typically
stored on the local hard disk. This is one of the investigator’s
favorite data sources to perform digital forensics on, and knowing the
right tool to dump memory is a must.
Using the Volatility modules plugin, we can able to extract all the loaded modules/drivers inside the volatile memory.
Here are the following details that you will see:
- Name – of the loaded modules/drivers
- Base Address – where the loaded module is located in the system.
- File – where the loaded module is located in the disk.
Our syntax will be like: vol.exe -f <mem_dump> –profile=<OS_version> modules
#note: In digital forensics, modules can be a persistence technique of a malware that can let itself operate in a low level function that allows the malware to takeover the whole system. Being able to parse these artifacts during investigation is a great leap for the investigator when investigating a possible rootkit malware.