How to Setup Volatility Tool for Memory Analysis

In the IT security field, memory or Random Access Memory (RAM) analysis  helps to identify the malicious or illegal activities in the system. RedLine is a free for volatile memory analysis tool which is provided by Mandiant (FireEye company). However, well-known open source security tool for volatile memory analysis is  volatility. It supports analysis of RAM for both 32/64 bit systems. It also supports analysis of  Linux, Windows, Mac and Android systems.  The Volatility framework is consist of  open source tools and implemented in Python scripting language. It  can be easily used on Windows and  Linux operating systems. It can analyze raw dumps, crash dumps, VMware dumps (vmem), virtual box dumps, and many others.  The extraction techniques are performed completely independent of the system being investigated and  gives complete visibility into the run time state of the system.

Installation of Volatility tool

Volatility memory analysis tool is already installed in SIFT (SANS Investigative Forensic Toolkit) and many other Linux security distributions.


However, volatility tool can be installed on the Ubuntu 16.04 using following command.

apt-get install volatility

Following packages are dependencies of Volatility tool which will be installed automatically with apt-get command.

dwarfdump libdistorm3-3 libjansson4 libyara3 python-distorm3 python-jdcal python-openpyxl python-py python-pytest python-yara volatility volatility-tools
installation of volatility

Following snapshot shows the volatility framework successful  installation on the Ubuntu platform.

volatility working

Analysis of memory dump using Volatility

In this article, detailed forensic analysis will be performed on memory dump (vmem file).  It is common in forensic investigation that the analyst found several malicious program on the hard disk image file. Therefore, in such cases memory analysis becomes very important because may be malicious program or malware were running in the compromise system.

Volatility Analysis

The details of vmem file is shown in following figure. imageinfo parameter gives possible profiles (operating system and service pack information) about the memory file. imageinfo -f vmem_file_name

As shown in the above output, three profiles are suggested with different service packs. It is also shown in the above figure that service pack is 1. Therefore,  image file will  be analyzed with profile Win2003SP1x86List of running  processes in the memory file is enumerated using pslist parameter. Pslist parameter is used to show process status, list information about processes running in memory. --profile=Win2003SP1x89 pslist -f vmem_file_name

Linking of process using pstree  parameter is given in following snapshot. Pstree shows running processes as a tree and tree is rooted at either pid or init if pid is omitted. --profile=Win2003SP1x89 pstree -f vmem_file_name

Two processes iexplorer.exe and tango.exe are highlighted . About output shows that tango.exe process is child process of cmd.exe which is not common in Windows OS. Another  malicious process  iexplorer.exe with has pid 1220 does not exist. Therefore, as per our analysis  both processes seems malicious.

In the next step, connscan parameter is used to scan  all network connections of victim with other hosts. Following figure shows the all network connection of victim ( with remote host ( --profile=Win2003SP1x89 connscan -f vmem_file_name

Volatility command is run with connections parameter which shows the  following output. --profile=Win2003SP1x89 connections -f vmem_file_name

This information is very important for further analysis because it shows that victim machine only established session with remote ip ( . Above output also shows the process id’s of the established sessions. Next we will analyze above listed processes only.

Before using malfind (which is used for the detection of malicious dll’s in the process) plugin on above  found pid’s, check which program or service is running against the above processes. Following figure  shows the highlighted  program or service against suspected pid’s.

pslist specific pid

Following snapshot shows the output of  malfind plugin which is run against the pid of iexplorer.exe and dump is stored in the iexplorer directory. --profile=Win2003SP1x89 malfind -D iexplorer/ -p 3280 -f vmem_file_name

Using following command on dump we have found dll in the process which is shown in figure 29.

file iexplorer/*.dmp | less
dll with malaicious

Scan this dll on online site to get more detail about the detected malicious activity on the compromised machine.

Virus total output against above dump file shows that iexplorer.exe is malicious program and it was running on the compromised system. It also shows that attacker malicious program exists on the system for persistent access.


Again same steps are performed on the 2nd process (tango.exe) and also scanned it virustotal.  Following snapshot shows the above complete process. --profile=Win2003SP1x89 malfind -D tango/ -p 3632 -f vmem_file_name

Run following command on the tango dump files.

file tango/*.dmp | less
tango dump

Following figure shows the output of virus total against dumps of tango.exe process.


Volatility analysis shows that malicious program were running on the system while this live dump was taken . It also ensure that an insider hacked the system and install backdoor and Trojans.


In this article, volatility framework an open source memory analysis tool is comprehensively explored. It is primarily used for the detection and in-depth analysis of  malicious program running in the compromised system.  It is already available in many security distributions of Linux.

Leave a Comment