Part 1: Memory and Volatility
An introduction to examining RAM with volatility
The Australian Cyber Security Centre (ACSC) released a "simulated cyber security challenge" which was first used at the BSides Canberra 2021 security conference. It is an awesome challenge to have a go at and provides questions and answers so you can test your knowledge. The challenge can be found on the ACSC website (cyber.gov.au).
We will examine the memory file provided in the challenge using Volatility. In doing so, we will explore the functionality and features of Volatility that can be used when examining memory files in an incident response engagement.

What is RAM?

Random Access Memory, or RAM, is the memory a computer uses to temporarily hold information it has read from the hard disk so that it can be used quickly when required. Because RAM is very fast compared to the read/write speeds of a hard disk, this results in a faster user experience.
For example, you may have noticed when running Google Chrome that if you look at the task manager, Chrome tends to use a lot of RAM. This is because Chrome uses the RAM to store information related to running the program. The specifics of why it uses so much? I'm not sure but many a joke has been had as a result.
As mentioned above, RAM is only temporary storage, or what we refer to as volatile, meaning that when the computer is turned off the contents of RAM are erased too.

Why is RAM important to investigate?

When responding to an incident, RAM can be extremely useful in identifying artifacts relating to the attack and the actor involved.
It is important to consider whether you are able to take a RAM dump (a copy of the contents of RAM) when dealing with a live system (one that hasn't been turned off), since that evidence is gone once the machine is powered down.

Memory Analysis with Volatility

One of the most commonly used tools for examining RAM is Volatility, created by The Volatility Foundation. It can be run on Windows, Linux or Mac operating systems, adding to its usefulness and ease of use.
Let's take a look at how we would examine a RAM dump using Volatility. I will be using REMnux, a Linux distro created by Lenny Zeltser for malware analysis that includes tools such as Volatility and doesn't require much setup.
Note: Some of the Volatility output in this article is lengthy, but I believe it is a good habit to see what the full output looks like, as you would when conducting memory analysis yourself, and get used to reading it.

Volatility Overview in the terminal

When first looking at Volatility, we can use the command "vol.py -h", shown in the snip below, to identify its features, arguments and plugins.
vol.py -h output
All Volatility commands share the same basic form and vary only in the plugin you use, which determines whether you are required to provide other arguments.
vol.py -f [image] --profile=[profile] [plugin]

Volatility Profiles

Our first question is: what version of Windows was in use when the RAM was captured? We need to know this to apply the correct 'profile' in Volatility so that it can parse the memory dump correctly.
The below command can be used to identify what profiles are supported in the version of Volatility you are using.
vol.py --info | more
The output of this command for Volatility 2.6.1 at the time of writing this article is outlined below; as we can see, there is good support from Windows XP through to Windows 10.
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win10x64 - A Profile for Windows 10 x64
Win10x64_10240_17770 - A Profile for Windows 10 x64 (10.0.10240.17770 / 2018-02-10)
Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x64_15063 - A Profile for Windows 10 x64 (10.0.15063.0 / 2017-04-04)
Win10x64_16299 - A Profile for Windows 10 x64 (10.0.16299.0 / 2017-09-22)
Win10x64_17134 - A Profile for Windows 10 x64 (10.0.17134.1 / 2018-04-11)
Win10x64_17763 - A Profile for Windows 10 x64 (10.0.17763.0 / 2018-10-12)
Win10x64_18362 - A Profile for Windows 10 x64 (10.0.18362.0 / 2019-04-23)
Win10x64_19041 - A Profile for Windows 10 x64 (10.0.19041.0 / 2020-04-17)
Win10x86 - A Profile for Windows 10 x86
Win10x86_10240_17770 - A Profile for Windows 10 x86 (10.0.10240.17770 / 2018-02-10)
Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)
Win10x86_15063 - A Profile for Windows 10 x86 (10.0.15063.0 / 2017-04-04)
Win10x86_16299 - A Profile for Windows 10 x86 (10.0.16299.15 / 2017-09-29)
Win10x86_17134 - A Profile for Windows 10 x86 (10.0.17134.1 / 2018-04-11)
Win10x86_17763 - A Profile for Windows 10 x86 (10.0.17763.0 / 2018-10-12)
Win10x86_18362 - A Profile for Windows 10 x86 (10.0.18362.0 / 2019-04-23)
Win10x86_19041 - A Profile for Windows 10 x86 (10.0.19041.0 / 2020-04-17)
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win2008R2SP1x64_24000 - A Profile for Windows 2008 R2 SP1 x64 (6.1.7601.24000 / 2016-04-09)
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64 - A Profile for Windows Server 2012 x64
Win2016x64_14393 - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418 - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x64_24000 - A Profile for Windows 7 SP1 x64 (6.1.7601.24000 / 2018-01-09)
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418 - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86_24000 - A Profile for Windows 7 SP1 x86 (6.1.7601.24000 / 2018-01-09)
Win81U1x64 - A Profile for Windows 8.1 Update 1 x64
Win81U1x86 - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64 - A Profile for Windows 8 x64
Win8SP0x86 - A Profile for Windows 8 x86
Win8SP1x64 - A Profile for Windows 8.1 x64
Win8SP1x64_18340 - A Profile for Windows 8.1 x64 (6.3.9600.18340 / 2016-05-13)
Win8SP1x86 - A Profile for Windows 8.1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
In our case, as we didn't create the RAM dump ourselves and therefore do not know what version of Windows the computer was running, the challenge provides us with the profile 'Win10x64_17134'.
Fortunately, if for whatever reason we didn't know which version of Windows the RAM dump came from, we can use the below command to ask Volatility to attempt to identify it.
vol.py -f <path to image> imageinfo
This can take some time, but the snipped terminal output is shown below. As we can see, the first suggested profile is 'Win10x64_17134', so a good bet is to try that profile first and work through the other suggestions if it doesn't work.
Suggested Profile(s) : Win10x64_17134, Win10x64_14393, Win10x64_10586, Win10x64_16299, Win2016x64_14393, Win10x64_17763, Win10x64_15063 (Instantiated with Win10x64_15063)

Process Plugins

One of the process plugins I find most useful to start analysing with is 'pstree'. This plugin shows the processes running on the device at the time of capture in a tree format, showing the parent-child relationships between processes along with their Process ID (PID), parent PID and creation time. The output of this command can be lengthy depending on how many processes are running. So, let's have a look and see if anything piques our interest.
vol.py -f ~/Volatility-Sleuthifer/memory.raw --profile=Win10x64_17134 pstree
Volatility Foundation Volatility Framework 2.6.1

Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xffffac81901ee080:wininit.exe 632 548 1 0 2021-04-01 05:05:00 UTC+0000
. 0xffffac8190e52100:services.exe 768 632 7 0 2021-04-01 05:05:01 UTC+0000
.. 0xffffac8191485080:svchost.exe 2560 768 6 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac81914db0c0:spoolsv.exe 2588 768 15 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac819112b080:svchost.exe 4128 768 4 0 2021-04-01 05:48:24 UTC+0000
... 0xffffac81927a90c0:TabTip.exe 4680 4128 11 0 2021-04-01 05:48:25 UTC+0000
.... 0xffffac8192727080:TabTip32.exe 4756 4680 1 0 2021-04-01 05:48:25 UTC+0000
... 0xffffac81914e9080:ctfmon.exe 4192 4128 8 0 2021-04-01 05:48:24 UTC+0000
... 0xffffac81928ca080:TabTip.exe 3964 4128 0 ------ 2021-04-06 01:56:26 UTC+0000
.. 0xffffac8191feb340:svchost.exe 1456 768 2 0 2021-04-01 05:48:24 UTC+0000
.. 0xffffac819169b080:svchost.exe 3112 768 13 0 2021-04-01 05:05:04 UTC+0000
.. 0xffffac819120c080:svchost.exe 2396 768 10 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac819139b380:svchost.exe 2092 768 5 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac819101f340:svchost.exe 1092 768 40 0 2021-04-01 05:05:02 UTC+0000
... 0xffffac8191f8d2c0:rdpclip.exe 2392 1092 10 0 2021-04-01 05:48:23 UTC+0000
.... 0xffffac81927570c0:rdpinput.exe 4628 2392 4 0 2021-04-01 05:48:25 UTC+0000
.. 0xffffac8191204340:svchost.exe 1612 768 5 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac81901f4080:msdtc.exe 1104 768 9 0 2021-04-01 05:07:04 UTC+0000
.. 0xffffac8190f8d2c0:svchost.exe 624 768 7 0 2021-04-01 05:05:02 UTC+0000
... 0xffffac8190e21080:winlogon.exe 700 624 2 0 2021-04-01 05:05:00 UTC+0000
.... 0xffffac8191005100:LogonUI.exe 512 700 10 0 2021-04-01 05:05:02 UTC+0000
.... 0xffffac819100f080:dwm.exe 1028 700 12 0 2021-04-01 05:05:02 UTC+0000
.... 0xffffac8190f2f200:fontdrvhost.ex 960 700 5 0 2021-04-01 05:05:01 UTC+0000
... 0xffffac81901f3140:csrss.exe 640 624 9 0 2021-04-01 05:05:00 UTC+0000
.. 0xffffac81912372c0:svchost.exe 1660 768 4 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac8194af2080:svchost.exe 652 768 11 0 2021-04-05 21:59:50 UTC+0000
.. 0xffffac8191238080:svchost.exe 1668 768 6 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac8191053340:svchost.exe 1164 768 3 0 2021-04-01 05:05:02 UTC+0000
.. 0xffffac819123a700:svchost.exe 1680 768 9 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac819267c2c0:svchost.exe 1688 768 7 0 2021-04-01 05:48:24 UTC+0000
.. 0xffffac8191058700:svchost.exe 1180 768 4 0 2021-04-01 05:05:02 UTC+0000
.. 0xffffac81914e2080:amazon-ssm-age 2728 768 13 0 2021-04-01 05:05:03 UTC+0000
... 0xffffac818dea2080:ssm-agent-work 3992 2728 13 0 2021-04-01 05:05:09 UTC+0000
.... 0xffffac8191997080:conhost.exe 4004 3992 4 0 2021-04-01 05:05:09 UTC+0000
.. 0xffffac8192630080:svchost.exe 6828 768 3 0 2021-04-06 01:30:54 UTC+0000
.. 0xffffac81912502c0:svchost.exe 1712 768 4 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac8191225080:svchost.exe 2848 768 2 0 2021-04-01 05:05:04 UTC+0000
.. 0xffffac819298f080:svchost.exe 4292 768 1 0 2021-04-01 05:58:48 UTC+0000
.. 0xffffac8191546080:LiteAgent.exe 2768 768 2 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac8191542080:svchost.exe 2784 768 7 0 2021-04-01 05:05:04 UTC+0000
.. 0xffffac8191370340:svchost.exe 1260 768 7 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac8191089380:svchost.exe 1264 768 6 0 2021-04-01 05:05:02 UTC+0000
.. 0xffffac81911b4340:svchost.exe 1576 768 12 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac8191034300:svchost.exe 1152 768 2 0 2021-04-01 05:05:02 UTC+0000
.. 0xffffac818d508080:svchost.exe 2336 768 7 0 2021-04-01 05:05:03 UTC+0000
... 0xffffac8191fe82c0:sihost.exe 1956 2336 14 0 2021-04-01 05:48:24 UTC+0000
.. 0xffffac818d4f2080:svchost.exe 2352 768 5 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac8191ff32c0:svchost.exe 1328 768 7 0 2021-04-01 05:48:24 UTC+0000
.. 0xffffac81912c4340:svchost.exe 1848 768 11 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac819198c080:NisSrv.exe 3904 768 4 0 2021-04-01 05:05:06 UTC+0000
.. 0xffffac81915d5080:svchost.exe 2956 768 3 0 2021-04-01 05:05:04 UTC+0000
.. 0xffffac8191616080:svchost.exe 2896 768 3 0 2021-04-01 05:05:04 UTC+0000
.. 0xffffac81910c4080:svchost.exe 6484 768 11 0 2021-04-06 01:56:17 UTC+0000
.. 0xffffac8191614080:svchost.exe 2904 768 6 0 2021-04-01 05:05:04 UTC+0000
.. 0xffffac818d503080:svchost.exe 1884 768 5 0 2021-04-01 05:07:07 UTC+0000
.. 0xffffac81912e22c0:svchost.exe 1888 768 10 0 2021-04-01 05:05:03 UTC+0000
... 0xffffac819262c340:taskhostw.exe 2236 1888 6 0 2021-04-01 05:48:24 UTC+0000
.. 0xffffac8190e50080:svchost.exe 1384 768 7 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac8190e82080:svchost.exe 7032 768 5 0 2021-04-02 01:20:04 UTC+0000
.. 0xffffac819163e080:svchost.exe 2964 768 7 0 2021-04-01 05:05:04 UTC+0000
.. 0xffffac8191055380:svchost.exe 1172 768 4 0 2021-04-01 05:05:02 UTC+0000
.. 0xffffac819132b340:svchost.exe 1924 768 6 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac8190076080:svchost.exe 908 768 1 0 2021-04-01 05:05:01 UTC+0000
.. 0xffffac8191333080:svchost.exe 2456 768 6 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac8190f182c0:svchost.exe 928 768 17 0 2021-04-01 05:05:01 UTC+0000
... 0xffffac819270d080:dllhost.exe 560 928 8 0 2021-04-01 05:49:08 UTC+0000
... 0xffffac8192d36080:RuntimeBroker. 1588 928 6 0 2021-04-01 05:48:43 UTC+0000
... 0xffffac8192b56080:RuntimeBroker. 5688 928 13 0 2021-04-01 05:48:32 UTC+0000
... 0xffffac81933eb740:smartscreen.ex 5184 928 8 0 2021-04-06 01:56:17 UTC+0000
... 0xffffac8192ae9080:SearchUI.exe 5588 928 39 0 2021-04-01 05:48:32 UTC+0000
... 0xffffac8192d3a080:dllhost.exe 5772 928 7 0 2021-04-06 01:56:58 UTC+0000
... 0xffffac8192a82080:ShellExperienc 5504 928 27 0 2021-04-01 05:48:31 UTC+0000
... 0xffffac8193cea080:backgroundTask 904 928 8 0 2021-04-06 01:56:18 UTC+0000
... 0xffffac8191fc2080:RuntimeBroker. 5620 928 5 0 2021-04-01 05:48:32 UTC+0000
... 0xffffac8192685080:wsmprovhost.ex 4076 928 15 0 2021-04-06 01:02:25 UTC+0000
.... 0xffffac81958dd080:PSclient.exe 32 4076 5 0 2021-04-06 01:02:26 UTC+0000
..... 0xffffac81959d6080:conhost.exe 3064 32 4 0 2021-04-06 01:02:26 UTC+0000
.. 0xffffac8190f6f340:svchost.exe 496 768 12 0 2021-04-01 05:05:02 UTC+0000
.. 0xffffac8191ff0080:svchost.exe 2196 768 4 0 2021-04-02 01:20:04 UTC+0000
.. 0xffffac81915d6080:svchost.exe 2472 768 19 0 2021-04-01 05:07:04 UTC+0000
.. 0xffffac8192615340:svchost.exe 2716 768 4 0 2021-04-01 05:48:24 UTC+0000
.. 0xffffac8190f71080:svchost.exe 4012 768 9 0 2021-04-01 05:07:05 UTC+0000
.. 0xffffac81929ce080:svchost.exe 4140 768 5 0 2021-04-01 05:48:28 UTC+0000
.. 0xffffac8191638080:MsMpEng.exe 2992 768 29 0 2021-04-01 05:05:04 UTC+0000
.. 0xffffac8191138340:svchost.exe 1476 768 3 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac8191347300:svchost.exe 2004 768 4 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac819168d080:svchost.exe 3036 768 2 0 2021-04-01 05:05:04 UTC+0000
.. 0xffffac8192760080:svchost.exe 4500 768 4 0 2021-04-01 05:48:25 UTC+0000
.. 0xffffac81910d0340:svchost.exe 1312 768 11 0 2021-04-01 05:05:02 UTC+0000
.. 0xffffac81913642c0:svchost.exe 2032 768 5 0 2021-04-01 05:05:03 UTC+0000
.. 0xffffac819105c380:svchost.exe 1192 768 4 0 2021-04-01 05:05:02 UTC+0000
.. 0xffffac81916a3080:svchost.exe 1524 768 7 0 2021-04-01 05:07:07 UTC+0000
.. 0xffffac81912bd2c0:svchost.exe 1824 768 5 0 2021-04-01 05:05:03 UTC+0000
. 0xffffac8190e54080:lsass.exe 776 632 7 0 2021-04-01 05:05:01 UTC+0000
. 0xffffac8190f2d200:fontdrvhost.ex 952 632 5 0 2021-04-01 05:05:01 UTC+0000
0xffffac81900e4140:csrss.exe 556 548 10 0 2021-04-01 05:05:00 UTC+0000
0xffffac818d45d080:System 4 0 158 0 2021-04-01 05:04:58 UTC+0000
. 0xffffac818d5ab040:Registry 88 4 4 0 2021-04-01 05:04:54 UTC+0000
. 0xffffac818dea7040:smss.exe 404 4 2 0 2021-04-01 05:04:58 UTC+0000
0xffffac81928ce080:mstsc.exe 4104 6236 0 ------ 2021-04-05 22:31:42 UTC+0000
0xffffac81959b9080:mstsc.exe 3392 6236 0 ------ 2021-04-05 22:41:38 UTC+0000
0xffffac8192b8c080:mstsc.exe 3508 6236 0 ------ 2021-04-05 22:54:17 UTC+0000
0xffffac81918eb080:csrss.exe 1136 2140 10 0 2021-04-01 05:48:16 UTC+0000
0xffffac819108b080:winlogon.exe 1532 2140 4 0 2021-04-01 05:48:16 UTC+0000
. 0xffffac818d52a080:fontdrvhost.ex 1636 1532 5 0 2021-04-01 05:48:16 UTC+0000
. 0xffffac8190e56080:dwm.exe 2660 1532 14 0 2021-04-01 05:48:17 UTC+0000
. 0xffffac81927b2080:userinit.exe 4604 1532 0 ------ 2021-04-01 05:48:25 UTC+0000
.. 0xffffac8192759080:explorer.exe 4636 4604 55 0 2021-04-01 05:48:25 UTC+0000
... 0xffffac8192b60080:powershell.exe 2844 4636 19 0 2021-04-06 01:56:26 UTC+0000
.... 0xffffac8191fb9580:winpmem_mini_x 6580 2844 3 0 2021-04-06 01:56:57 UTC+0000
.... 0xffffac8191950080:conhost.exe 1736 2844 12 0 2021-04-06 01:56:26 UTC+0000
0xffffac81937e72c0:mstsc.exe 5208 4276 0 ------ 2021-04-05 22:00:49 UTC+0000
0xffffac8192f7a080:mstsc.exe 6404 6276 0 ------ 2021-04-06 00:26:25 UTC+0000
0xffffac81960ac080:mstsc.exe 2344 6276 0 ------ 2021-04-06 01:30:53 UTC+0000
0xffffac819605d400:mstsc.exe 876 3624 0 ------ 2021-04-06 00:03:04 UTC+0000
0xffffac81947ef080:mstsc.exe 5704 6012 0 ------ 2021-04-06 00:25:22 UTC+0000
What are the items of interest here? Below are some of the processes I find interesting and would be looking to explore further.
  • amazon-ssm-age
    • The AWS Systems Manager agent, indicating this is a virtual machine running on Amazon Web Services (AWS)
  • powershell.exe
    • PowerShell was running.
  • winpmem_mini_x
    • A memory acquisition tool used in Velociraptor by Velocidex
  • Several mstsc.exe processes
    • The Remote Desktop Connection client, used for Windows Remote Desktop Protocol (RDP) sessions
Based on what we have seen in the process tree and the items of interest identified, we can start to follow the trail of information to our next port of call.
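To follow that trail programmatically, here is an added Python example (not part of the original article or of Volatility) that parses an excerpt of the pstree output above, walks the PPid links from winpmem_mini_x back to winlogon.exe, and flags rows whose parent is missing from the capture or that have no threads and no handle table, the usual sign of a process that has exited but whose EPROCESS block was still resident when memory was captured.

```python
import re
from collections import namedtuple

# Excerpt of the pstree output shown above (Volatility 2.6.1 text format).
PSTREE_EXCERPT = """\
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xffffac818d45d080:System 4 0 158 0 2021-04-01 05:04:58 UTC+0000
. 0xffffac818dea7040:smss.exe 404 4 2 0 2021-04-01 05:04:58 UTC+0000
0xffffac81928ce080:mstsc.exe 4104 6236 0 ------ 2021-04-05 22:31:42 UTC+0000
0xffffac819108b080:winlogon.exe 1532 2140 4 0 2021-04-01 05:48:16 UTC+0000
. 0xffffac81927b2080:userinit.exe 4604 1532 0 ------ 2021-04-01 05:48:25 UTC+0000
.. 0xffffac8192759080:explorer.exe 4636 4604 55 0 2021-04-01 05:48:25 UTC+0000
... 0xffffac8192b60080:powershell.exe 2844 4636 19 0 2021-04-06 01:56:26 UTC+0000
.... 0xffffac8191fb9580:winpmem_mini_x 6580 2844 3 0 2021-04-06 01:56:57 UTC+0000
.... 0xffffac8191950080:conhost.exe 1736 2844 12 0 2021-04-06 01:56:26 UTC+0000
"""

Process = namedtuple("Process", "name pid ppid threads handles created")

# One pstree row: optional depth dots, offset:name, Pid, PPid, Thds, Hnds (a
# number, or '------' when the handle table is gone), then the creation time.
ROW = re.compile(
    r"^\.*\s*0x[0-9a-f]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+|-+)\s+(?P<time>\S+ \S+ \S+)\s*$"
)


def parse_pstree(text):
    """Return {pid: Process} for every line that matches the pstree row format."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or banner line
        handles = None if m.group("hnds").startswith("-") else int(m.group("hnds"))
        p = Process(m.group("name"), int(m.group("pid")), int(m.group("ppid")),
                    int(m.group("thds")), handles, m.group("time"))
        procs[p.pid] = p
    return procs


def lineage(procs, pid):
    """Walk PPid links upward: [child, parent, grandparent, ...] by name.

    Stops when the parent is not in the table (it exited, or was never in the
    capture) or when a PPid cycle is detected in corrupted data.
    """
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def exited_pids(procs):
    """PIDs with no threads and no handle table: terminated processes whose
    EPROCESS block was still in memory at capture time."""
    return sorted(p.pid for p in procs.values()
                  if p.threads == 0 and p.handles is None)


def orphan_pids(procs):
    """PIDs whose parent is absent from the capture (PPid 0 is the idle
    process and is not counted): the parent has exited or was not captured."""
    return sorted(p.pid for p in procs.values()
                  if p.ppid != 0 and p.ppid not in procs)


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_EXCERPT)
    print("winpmem lineage:", " <- ".join(lineage(procs, 6580)))
    print("exited:", [procs[i].name for i in exited_pids(procs)])
    print("orphans:", [procs[i].name for i in orphan_pids(procs)])
```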

Networking Plugins

Let's have a look at what sort of network connections have been captured using the 'netscan' plugin.
vol.py -f ~/Volatility-Sleuthifer/memory.raw --profile=Win10x64_17134 netscan
Volatility Foundation Volatility Framework 2.6.1

Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0xac818d494050 UDPv4 0.0.0.0:0 *:* 776 lsass.exe 2021-04-01 05:05:03 UTC+0000
0xac818d494050 UDPv6 :::0 *:* 776 lsass.exe 2021-04-01 05:05:03 UTC+0000
0xac818db93980 UDPv4 0.0.0.0:0 *:* 1180 svchost.exe 2021-04-01 05:05:02 UTC+0000
0xac818db93ad0 UDPv4 0.0.0.0:0 *:* 1180 svchost.exe 2021-04-01 05:05:02 UTC+0000
0xac818db93ad0 UDPv6 :::0 *:* 1180 svchost.exe 2021-04-01 05:05:02 UTC+0000
0xac818db932f0 TCPv4 0.0.0.0:49664 0.0.0.0:0 LISTENING 632 wininit.exe 2021-04-01 05:05:02 UTC+0000
0xac818db94d30 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 496 svchost.exe 2021-04-01 05:05:02 UTC+0000
0xac81910fa440 UDPv4 10.1.1.182:138 *:* 4 System 2021-04-01 05:05:03 UTC+0000
0xac81910fa980 UDPv4 127.0.0.1:55467 *:* 1612 svchost.exe 2021-04-01 05:05:03 UTC+0000
0xac81910fb550 UDPv4 0.0.0.0:0 *:* 2992 MsMpEng.exe 2021-04-06 01:56:51 UTC+0000
0xac81910fb550 UDPv6 :::0 *:* 2992 MsMpEng.exe 2021-04-06 01:56:51 UTC+0000
0xac819144ed30 UDPv4 0.0.0.0:3389 *:* 1092 svchost.exe 2021-04-01 05:05:03 UTC+0000
0xac8191729830 UDPv4 127.0.0.1:63783 *:* 1660 svchost.exe 2021-04-01 05:05:04 UTC+0000
0xac81910fa830 TCPv4 10.1.1.182:139 0.0.0.0:0 LISTENING 4 System 2021-04-01 05:05:03 UTC+0000
0xac81910faad0 TCPv4 0.0.0.0:49667 0.0.0.0:0 LISTENING 1888 svchost.exe 2021-04-01 05:05:03 UTC+0000
0xac81910faad0 TCPv6 :::49667 :::0 LISTENING 1888 svchost.exe 2021-04-01 05:05:03 UTC+0000
0xac81910fac20 TCPv4 0.0.0.0:3389 0.0.0.0:0 LISTENING 1092 svchost.exe 2021-04-01 05:05:03 UTC+0000
0xac81910fac20 TCPv6 :::3389 :::0 LISTENING 1092 svchost.exe 2021-04-01 05:05:03 UTC+0000
0xac81910fad70 TCPv4 0.0.0.0:3389 0.0.0.0:0 LISTENING 1092 svchost.exe 2021-04-01 05:05:03 UTC+0000
0xac81910faec0 TCPv4 0.0.0.0:49668 0.0.0.0:0 LISTENING 776 lsass.exe 2021-04-01 05:05:03 UTC+0000
0xac819144e7f0 TCPv4 0.0.0.0:49701 0.0.0.0:0 LISTENING 768 services.exe 2021-04-01 05:05:04 UTC+0000
0xac819144ee80 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System 2021-04-01 05:05:04 UTC+0000
0xac819144ee80 TCPv6 :::445 :::0 LISTENING 4 System 2021-04-01 05:05:04 UTC+0000
0xac81917292f0 TCPv4 0.0.0.0:47001 0.0.0.0:0 LISTENING 4 System 2021-04-01 05:05:04 UTC+0000
0xac81917292f0 TCPv6 :::47001 :::0 LISTENING 4 System 2021-04-01 05:05:04 UTC+0000
0xac81919fec20 UDPv4 0.0.0.0:123 *:* 1180 svchost.exe 2021-04-01 05:05:13 UTC+0000
0xac81919ff550 UDPv4 0.0.0.0:5355 *:* 1312 svchost.exe 2021-04-06 01:50:24 UTC+0000
0xac81919ff550 UDPv6 :::5355 *:* 1312 svchost.exe 2021-04-06 01:50:24 UTC+0000
0xac81919ff940 UDPv4 0.0.0.0:0 *:* 652 svchost.exe 2021-04-06 01:56:38 UTC+0000
0xac81919ff940 UDPv6 :::0 *:* 652 svchost.exe 2021-04-06 01:56:38 UTC+0000
0xac81918791a0 TCPv4 0.0.0.0:49713 0.0.0.0:0 LISTENING 776 lsass.exe 2021-04-01 05:05:11 UTC+0000
0xac81918796e0 TCPv4 0.0.0.0:49713 0.0.0.0:0 LISTENING 776 lsass.exe 2021-04-01 05:05:11 UTC+0000
0xac81918796e0 TCPv6 :::49713 :::0 LISTENING 776 lsass.exe 2021-04-01 05:05:11 UTC+0000
0xac8192d4c910 TCPv4 10.1.1.182:52871 13.75.160.154:443 SYN_SENT -1
0xac81949e9930 TCPv4 10.1.1.182:52763 13.54.35.87:5555 ESTABLISHED -1
0xac81959954a0 TCPv4 10.1.1.182:3389 10.2.0.196:56343 ESTABLISHED -1
Looking through the information provided to us, we can identify the IP address of the device by looking at the 'Local Address' column. 127.0.0.1 is the loopback address and 0.0.0.0 is the non-routable wildcard address (a socket bound to all interfaces), but the address 10.1.1.182 is unique to this host and gives us the IPv4 address of the device, another key piece of information.
Next, looking at the 'Foreign Address' column we notice two addresses with established connections. I will leave any further analysis so as not to spoil the challenge.
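As an added example (not from the article or from Volatility), the same reasoning applied to an excerpt of the netscan output above: find the local address that is neither wildcard nor loopback, list the listening ports, and classify each ESTABLISHED connection as inbound (the peer connected to one of our listening ports, here the RDP session on 3389) or outbound. A Pid of -1 means netscan could not resolve the owning process, so the Owner and Created columns are absent on those rows.

```python
from collections import namedtuple

# Excerpt of the netscan output shown above (Volatility 2.6.1 text format).
NETSCAN_EXCERPT = """\
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0xac818d494050 UDPv4 0.0.0.0:0 *:* 776 lsass.exe 2021-04-01 05:05:03 UTC+0000
0xac818d494050 UDPv6 :::0 *:* 776 lsass.exe 2021-04-01 05:05:03 UTC+0000
0xac818db94d30 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 496 svchost.exe 2021-04-01 05:05:02 UTC+0000
0xac81910fa440 UDPv4 10.1.1.182:138 *:* 4 System 2021-04-01 05:05:03 UTC+0000
0xac81910fa980 UDPv4 127.0.0.1:55467 *:* 1612 svchost.exe 2021-04-01 05:05:03 UTC+0000
0xac81910fa830 TCPv4 10.1.1.182:139 0.0.0.0:0 LISTENING 4 System 2021-04-01 05:05:03 UTC+0000
0xac81910fac20 TCPv4 0.0.0.0:3389 0.0.0.0:0 LISTENING 1092 svchost.exe 2021-04-01 05:05:03 UTC+0000
0xac81910fac20 TCPv6 :::3389 :::0 LISTENING 1092 svchost.exe 2021-04-01 05:05:03 UTC+0000
0xac819144ee80 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System 2021-04-01 05:05:04 UTC+0000
0xac8192d4c910 TCPv4 10.1.1.182:52871 13.75.160.154:443 SYN_SENT -1
0xac81949e9930 TCPv4 10.1.1.182:52763 13.54.35.87:5555 ESTABLISHED -1
0xac81959954a0 TCPv4 10.1.1.182:3389 10.2.0.196:56343 ESTABLISHED -1
"""

Conn = namedtuple("Conn", "proto local_host local_port foreign_host foreign_port state pid owner")

# Addresses that never identify the host itself.
WILDCARD = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1", "::1"}


def split_endpoint(endpoint):
    """'10.1.1.182:3389' -> ('10.1.1.182', '3389'); ':::0' -> ('::', '0'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netscan(text):
    """Parse netscan rows. UDP rows carry no State column, and rows with
    Pid -1 carry no Owner or Created columns."""
    conns = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or not t[0].startswith("0x"):
            continue  # header or banner line
        proto = t[1]
        lhost, lport = split_endpoint(t[2])
        fhost, fport = split_endpoint(t[3])
        state, i = (t[4], 5) if proto.startswith("TCP") else (None, 4)
        pid = int(t[i])
        owner = t[i + 1] if len(t) > i + 1 else None
        conns.append(Conn(proto, lhost, lport, fhost, fport, state, pid, owner))
    return conns


def host_addresses(conns):
    """Local addresses that are neither wildcard nor loopback: the host's own IPs."""
    return sorted({c.local_host for c in conns
                   if c.local_host not in WILDCARD and c.local_host not in LOOPBACK})


def listening_ports(conns):
    return sorted({int(c.local_port) for c in conns if c.state == "LISTENING"})


def established(conns):
    """ESTABLISHED TCP connections tagged inbound (peer connected to one of
    our listening ports) or outbound (we connected out from an ephemeral port)."""
    listening = set(listening_ports(conns))
    result = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        direction = "inbound" if int(c.local_port) in listening else "outbound"
        result.append((direction, "%s:%s" % (c.local_host, c.local_port),
                       "%s:%s" % (c.foreign_host, c.foreign_port), c.pid, c.owner))
    return result


if __name__ == "__main__":
    conns = parse_netscan(NETSCAN_EXCERPT)
    print("host address(es):", host_addresses(conns))
    print("listening ports:", listening_ports(conns))
    for entry in established(conns):
        print("established:", entry)
```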

Registry Plugins

UserAssist

The UserAssist artifact tracks executed GUI programs and is an incredibly useful piece in building a picture of what has occurred on a system. If you are completing disk forensics, it is found on Windows systems at the registry location below.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Coun
The output, in this case, is far too long to show here so we will take a look at some of the key findings instead.
I know I said we would look at the total output earlier but trust me there was a lot and you can go have a go at doing it yourself :)
Two items of interest stand out, 'WF.msc' and 'powershell.exe', as shown below.
vol.py -f ~/Volatility-Sleuthifer/memory.raw --profile=Win10x64_17134 userassist
Volatility Foundation Volatility Framework 2.6.1

REG_BINARY %windir%\system32\WF.msc :
Count: 1
Focus Count: 2
Time Focused: 0:02:42.766000
Last updated: 2021-04-01 05:49:10 UTC+0000
Raw Data:
0x00000000 00 00 00 00 01 00 00 00 02 00 00 00 da 79 02 00 .............y..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 40 20 9c bc ............@ ..
0x00000040 ba 26 d7 01 00 00 00 00 .&......

REG_BINARY %windir%\system32\WindowsPowerShell\v1.0\powershell.exe :
Count: 2
Focus Count: 1
Time Focused: 0:00:02.047000
Last updated: 2021-04-06 01:56:24 UTC+0000
Raw Data:
0x00000000 00 00 00 00 02 00 00 00 01 00 00 00 0b 06 00 00 ................
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff e0 e6 b4 0c ................
0x00000040 88 2a d7 01 00 00 00 00 .*......
WF.msc is used to view 'Windows Defender Firewall with Advanced Security' and PowerShell is used for executing commands or scripts on a Windows device. This could be normal but seeing as it is an incident response case, I'd be curious to explore further.
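To show what the 'Raw Data' block actually encodes, here is an added decoder (not from the article or from Volatility) for the Windows 7 and later UserAssist value layout, fed the two hex dumps above. It also reproduces the half-second rounding that Volatility 2's userassist plugin applies when it formats 'Time Focused', which is why the plugin prints 0:02:42.766 for a raw focus time of 162266 ms.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# 'Raw Data' hex dumps copied from the userassist output above.
WF_MSC_RAW = """\
0x00000000 00 00 00 00 01 00 00 00 02 00 00 00 da 79 02 00 .............y..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 40 20 9c bc ............@ ..
0x00000040 ba 26 d7 01 00 00 00 00 .&......
"""
POWERSHELL_RAW = """\
0x00000000 00 00 00 00 02 00 00 00 01 00 00 00 0b 06 00 00 ................
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff e0 e6 b4 0c ................
0x00000040 88 2a d7 01 00 00 00 00 .*......
"""

# A dump line: offset, then up to 16 hex byte pairs, then the ASCII column.
# The lookahead stops a two-character ASCII fragment being read as a byte.
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+((?:\s[0-9a-fA-F]{2}(?=\s|$)){1,16})")

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hexdump_to_bytes(dump):
    """Rebuild the raw value from Volatility's hexdump text."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def filetime_to_datetime(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist(raw):
    """Decode the 72-byte Windows 7+ UserAssist value.

    Offsets: 0x04 run count, 0x08 focus count, 0x0C focus time in ms (uint32
    each), 0x3C last-execution FILETIME (uint64). Bytes 0x10-0x3B are ten
    float32 slots that hold -1.0 (00 00 80 bf) when unused.
    """
    if len(raw) < 0x44:
        raise ValueError("UserAssist value too short: %d bytes" % len(raw))
    count, focus_count, focus_ms = struct.unpack_from("<III", raw, 0x04)
    (filetime,) = struct.unpack_from("<Q", raw, 0x3C)
    return {
        "count": count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # Volatility 2 computes (FocusTime + 500) / 1000.0 before formatting,
        # so its 'Time Focused' line is this value, not the exact one.
        "focus_time_as_printed": timedelta(milliseconds=focus_ms + 500),
        "last_updated": filetime_to_datetime(filetime),
    }


if __name__ == "__main__":
    for label, dump in (("WF.msc", WF_MSC_RAW), ("powershell.exe", POWERSHELL_RAW)):
        fields = decode_userassist(hexdump_to_bytes(dump))
        print(label, {k: str(v) for k, v in fields.items()})
```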

Conclusion

We have looked at how to identify the correct profile for the RAM dump you would like to examine, a plugin to view running processes in memory, a networking plugin to view what connections were present, and a registry plugin using the UserAssist artifact to identify what programs have been executed on the device.
Hopefully, you can now have a go at doing some memory analysis using Volatility or start to make use of it in your incident response engagements. Volatility is very powerful, as we have seen, and I plan to do a couple more posts regarding other plugins and what information we can gather using them.
Finally, a reminder that memory analysis and disk forensics should complement each other and not be used on their own. Circumstances will dictate what is possible, but hopefully you have the opportunity to capture both on your next engagement.
