Memory Analysis using Volatility - strings

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

strings a volatility plugin that is used to translate the offset in physical memory to their virtual memory address. The plugin traverses the page tables of all processes in the active process list, including the system process, which has the kernel address space mappings. Based on this mappings, it determines which processes were able to access the specified strings.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

Using the Volatility strings plugin, we can translate raw dumped strings to match its process that able to access the specified string. Not only, giving us the ability to know who owns the specific string, but we can also see the address where the strings is found inside the memory.

Using this plugin, it can be very useful to the investigator during investigation to look for IOC specially strings inside the captured volatile memory.

The syntax will be like:

vol.exe -f <memdump> –profile=<OS> strings -s <rawstrings>.txt > translated_mapped.txt

#note: When using this plugin it will require the -s option which needs the raw text file for translating.