Memory Analysis using Volatility - wndscan

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

wndscan – a volatility plugin that is used to display the window station and their properties. Volatility provides plugins designed to explore and extract evidence from the Windows GUI subsystem.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

Using the Volatility wndscan plugin, we can use this to detect applications snooping like clipboard hooking that is one of the capabilities of any information stealing malwares.

In the image below, using wndscan plugin we can see “1560 IEXPLORE.EXE” is monitoring clipboard activity.

The syntax will be like:

In Windows: vol.exe -f <memdump> –profile=<OS> wndscan

In Linux: python -f <memdump> –profile=<OS> wndscan

#note: The memory image used below was infected with info-stealing malware.