Memory Analysis using Volatility - procdump
Volatility is a framework for extracting digital artifacts from volatile memory (RAM) samples. It is organised as a set of plugins, each of which pulls one kind of artifact out of a memory image quickly and in a repeatable way.
procdump: a Volatility plugin that reconstructs a process's executable image from memory and writes it to disk as a PE file.
From an incident response perspective, the volatile data in a system's memory contains rich information such as passwords and other credentials, network connections, injected or unpacked malware, registry hives and more. Much of it is never written to the local hard disk, which makes memory a valuable source of evidence and one of an investigator's favourite data sources. Knowing the right tool to dump memory, and what to pull out of the dump, is a must.
In this sample, we use the Volatility procdump plugin to dump a process that we flagged as suspicious (for example, one found with pslist, psscan or malfind).
This is good for quick triage: the dumped executable, or its hash, can be sent to an online scanner such as VirusTotal, Hybrid Analysis or Any.run. Keep in mind that procdump rebuilds the PE from its in-memory layout, so the hash of the dumped file will normally not match the hash of the original binary on disk; if a hash search turns up nothing, submit the file itself. For unpacked malware this is exactly what you want, since the on-disk sample is usually packed while the in-memory image is not.
Our syntax (Volatility 2) will be like: vol.exe -f <mem_dump> --profile=<OS_version> procdump -p <PID> -D <Dest>
On Linux use vol.py instead of vol.exe. The output is written to <Dest> as executable.<PID>.exe. If procdump refuses to dump an image because its headers fail the sanity checks (common with packed or tampered binaries), retry with --unsafe, and use --memory to carve the image using its in-memory alignment rather than the on-disk alignment.
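Before submitting a dump anywhere it is worth confirming that procdump actually produced a well-formed PE and recording its hashes. The script below is an added example, not code from the original post or from the Volatility project. It assumes Volatility 2's output naming (executable.<PID>.exe in the -D directory) and a standard PE header layout; the build_sample_pe helper constructs a minimal PE32 image inline so the check can be exercised offline without a real memory dump.

```python
"""Sanity-check executables written by Volatility 2 procdump before triage.

Added example (not from the original post). Assumes the dump directory
contains executable.<PID>.exe as written by `procdump -p <PID> -D <dir>`.
"""
import hashlib
import struct
from pathlib import Path

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
MACHINES = {0x014C: "x86", 0x8664: "x64"}


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS, NT and section headers of a dumped image.

    Returns {'valid': False, 'reason': ...} for anything that is not an intact
    PE: a truncated dump, a PID that pointed at a non-image region, or a
    section whose raw data runs past the end of what was dumped.
    """
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return {"valid": False, "reason": "no MZ header"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return {"valid": False, "reason": "no PE signature at e_lfanew"}
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 64 or opt_off + opt_size > len(data):
        return {"valid": False, "reason": "optional header truncated"}
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        return {"valid": False, "reason": f"unknown optional header magic {magic:#x}"}
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    size_of_image = struct.unpack_from("<I", data, opt_off + 56)[0]

    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        off = sec_off + 40 * i
        if off + 40 > len(data):
            return {"valid": False, "reason": "section table truncated"}
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if rawptr + rawsize > len(data):
            return {"valid": False,
                    "reason": f"section {name} runs past end of file (dump truncated?)"}
        sections.append({"name": name, "rva": vaddr, "vsize": vsize,
                         "raw_off": rawptr, "raw_size": rawsize})
    return {"valid": True, "machine": MACHINES.get(machine, f"{machine:#x}"),
            "image_base": image_base, "entry_point": image_base + entry_rva,
            "size_of_image": size_of_image, "sections": sections}


def file_hashes(data: bytes) -> dict:
    """Hashes to pivot on in VirusTotal and similar. procdump rebuilds the PE
    from memory, so these normally differ from the on-disk binary's hashes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def triage_dump(dump_dir: str, pid: int) -> dict:
    """Locate executable.<PID>.exe in the procdump -D directory and check it."""
    path = Path(dump_dir) / f"executable.{pid}.exe"
    if not path.is_file():
        return {"valid": False, "reason": f"{path} not found; did procdump report an error?"}
    data = path.read_bytes()
    result = inspect_pe(data)
    result.update(path=str(path), size=len(data), hashes=file_hashes(data))
    return result


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image shaped like a procdump output; used here
    only as offline sample input, it is not a real dumped process."""
    dos = DOS_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)  # SizeOfImage, SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + PE_MAGIC + file_hdr + bytes(opt) + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" * 0x200                 # .text: 0x200 bytes of RET


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(triage_dump(sys.argv[1], int(sys.argv[2])))
    else:
        print(inspect_pe(build_sample_pe()), file_hashes(build_sample_pe())["sha256"])
```

Run it as `python triage_dump.py <Dest> <PID>` after the procdump step; a result with valid set to False and a "runs past end of file" reason is the usual sign that the process was partially paged out and the dump is incomplete, which is when retrying with --memory or --unsafe is worth a try.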