Forensic IT How-To: Using Volatility to examine your RAM dump
In the previous forensic how-to, we made a dump of your computer's active RAM (Random Access Memory). This is the memory that holds everything you are working on and with while the computer is on. Viruses and other malware can run exclusively in RAM, and you may also find cryptographic keys there, for example the key for whole-disk encryption while the encrypted volume is mounted.
As you can imagine, whether you're a forensic IT investigator (working for the police or a private company) or a home user, you can get some very interesting information from your RAM dump. So, let's start!
Required software
Before we can actually start, we need two pieces of software. Well, we actually only need one, but to run it we need the other.
You may or may not be familiar with Python. Python is a general-purpose scripting language that anyone can learn to script in, and it is used for everything from entire programs to small, dedicated data-processing scripts.
"So, where can I find this Python?" you ask? Well, we'll go to python.org. Please make sure you download a 2.x version of Python (I am using version 2.6.4)! The newer 3.x versions will not work with the next piece of software we need.
Install Python and go to the directory where you installed it.
The second piece of software we need is actually written in Python. It is called the Volatility Memory Forensics Framework. This software can analyze the RAM dump we made earlier. You can find it on volatilesystems.com. Download the newest version (I am using version 1.3 beta in this post). Download it, unpack it and remember where you've unpacked it.
So, to sum up, we need the following two pieces of software, in this order: first Python 2.x, then the Volatility Memory Forensics Framework.
Download and install these two components according to the instructions above.
Step One: the command prompt and setting it up
Yes, a young person's nightmare: the command prompt. For the older (or crazier) people among you, you are most likely quite familiar with the command prompt.
To open one, click the Start button. On Windows XP, click "Run...", type the command cmd and press Enter. On a newer Windows with a search field in the Start menu, there is no need to click "Run..."; just type cmd into the search field and press Enter. This opens a command prompt for you.
Now we only need to set it up: we have to add Python's install directory to the PATH environment variable of the command prompt. For this, you need the directory you installed Python in. For me, this is D:\Program Files\Python 2.6.4. Type in the following (change the path to Python with your own path):
This adds your Python install path to the paths the command prompt searches for programs. Note that the change only lasts as long as this command prompt window is open; if you open a new one later, you have to set it again. For experienced cmd/DOS people, you can of course do this in your sleep.
Now, go to the folder you unpacked Volatility in. For me, this is C:\Users\Michiel\Desktop\Volatility-1.3_Beta. I do this with the following command:
Now, you are in the folder you unpacked Volatility to. We are now ready to start for real.
Step Two: Dissect that dump!
Now you are ready to start for real. Yes - this time I mean it. If you've been smart enough to read the Readme.txt file that came along with Volatility, you know what is possible.
For now, we'll just print out a list of processes that were running when the RAM dump was made. My dump is located at D:\ram.dmp. I type in the following:
This gives me a list of all running processes, as demonstrated in this image (note that it may take a while - depending on the size of your RAM dump - before any results show up):
These processes were running when I made the dump. You can, for example, compare this list with the process list in your Task Manager (or the output of the tasklist command), captured on the live machine at about the same time, to find 'hidden' processes: a process that is present in the dump but missing from the live listing means something is tampering with process enumeration on the running system, which is typical of malware. Keep two limits of this check in mind. First, the live list changes constantly, so processes that started or exited between the two snapshots show up as differences without being suspicious. Second, pslist walks the kernel's linked list of processes, so a rootkit that has unlinked its own process from that list hides it from both pslist and Task Manager; Volatility's psscan command, which scans the dump for process structures instead of walking the list, is the tool for that case.
Of course the Volatility Memory Forensics Framework can do lots and lots more. You can find a list of all its options in the readme file that accompanied it. For this example's sake, we'll show off one more:
This produces a list of all network connections that were active when the dump was made (this, also, may take a while):
Final words
And then some final words. The Volatility Framework is of course (almost) infinitely more feature-rich than shown in this how-to. I encourage you to read through the readme file; it lists all the features.
I wish you much excitement when scavenging through your own memory dumps with Volatility. In the next how-to - I have no idea when it will come, though - I will write a piece about scanning for viruses within your dump.
Hope to see you later and don't forget to leave a comment if you liked it! See ya!