In IT security, analysis of memory, or Random Access Memory (RAM), helps to identify malicious or illegal activity on a system. Redline is a free volatile memory analysis tool provided by Mandiant (a FireEye company). However, the well-known open source tool for volatile memory analysis is Volatility. It supports analysis of RAM from both 32-bit and 64-bit systems, and from Linux, Windows, Mac and Android systems. The Volatility framework consists of open source tools implemented in the Python scripting language, and it can easily be used on Windows and Linux operating systems. It can analyze raw dumps, crash dumps, VMware dumps (vmem), VirtualBox dumps, and many others. The extraction techniques are performed completely independently of the system being investigated and give complete visibility into the runtime state of the system.
Installation of Volatility tool
The Volatility memory analysis tool is already installed in SIFT (SANS Investigative Forensic Toolkit) and many other Linux security distributions.
However, Volatility can be installed on Ubuntu 16.04 using the following command.
apt-get install volatility
The following packages are dependencies of Volatility and are installed automatically by the apt-get command.
dwarfdump libdistorm3-3 libjansson4 libyara3 python-distorm3 python-jdcal python-openpyxl python-py python-pytest python-yara volatility volatility-tools
The following snapshot shows the successful installation of the Volatility framework on the Ubuntu platform.
Analysis of memory dump using Volatility
In this article, a detailed forensic analysis is performed on a memory dump (vmem file). It is common in a forensic investigation for the analyst to find several malicious programs on the hard disk image file. In such cases memory analysis becomes very important, because the malicious programs or malware may have been running on the compromised system.
The details of the vmem file are shown in the following figure. The imageinfo parameter gives the possible profiles (operating system and service pack information) for the memory file.
vol.py imageinfo -f vmem_file_name
As shown in the above output, three profiles are suggested with different service packs. The above figure also shows that the service pack is 1. Therefore, the image file will be analyzed with the profile Win2003SP1x86. The list of running processes in the memory file is enumerated using the pslist parameter, which lists the processes that were running in memory together with their status information.
vol.py --profile=Win2003SP1x86 pslist -f vmem_file_name
The linking of processes using the pstree parameter is given in the following snapshot. pstree shows the running processes as a tree built from each process's parent PID.
vol.py --profile=Win2003SP1x86 pstree -f vmem_file_name
Two processes, iexplorer.exe and tango.exe, are highlighted. The above output shows that tango.exe is a child process of cmd.exe, which is not common in Windows. Another malicious process, iexplorer.exe, is shown with pid 1220, which does not exist. Therefore, as per our analysis, both processes seem malicious.
In the next step, the connscan parameter is used to scan for all network connections between the victim and other hosts. The following figure shows all network connections of the victim (10.10.5.69) with the remote host (10.10.5.199).
vol.py --profile=Win2003SP1x86 connscan -f vmem_file_name
The Volatility command is then run with the connections parameter, which shows the following output.
vol.py --profile=Win2003SP1x86 connections -f vmem_file_name
This information is very important for further analysis because it shows that the victim machine established sessions only with the remote IP (10.10.5.199). The above output also shows the process IDs of the established sessions. Next, we will analyze only the processes listed above.
Before using the malfind plugin (which is used for the detection of malicious DLLs in a process) on the PIDs found above, check which program or service is running under each of them. The following figure shows the highlighted program or service for each suspected PID.
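The correlation described above can also be scripted. The following Python code is an added example, not part of the original article: it maps each PID that owns a connection back to its process name and notes unusual parentage. The pslist and connscan text is constructed in Volatility 2's column layout (offsets, ports and timestamps are made up), and PPID 1220 for iexplorer.exe is an assumption.

```python
import re
# Constructed samples in Volatility 2 pslist/connscan column layout, not the
# article's real output; PPID 1220 for iexplorer.exe is an assumption.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ -----
0x89c5c020 System                    4      0     60      250 ------      0
0x89a1a020 explorer.exe           1500   1400     12      300      0      0 2017-01-01 10:00:00
0x89b2b020 cmd.exe                2960   1500      1       30      0      0 2017-01-01 10:05:00
0x89c3c020 tango.exe              3632   2960      2       60      0      0 2017-01-01 10:06:00
0x89d4d020 iexplorer.exe          3280   1220      5      120      0      0 2017-01-01 10:07:00
"""
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x0a1b2c30 10.10.5.69:1045           10.10.5.199:4444          3632
0x0a1b2d40 10.10.5.69:1046           10.10.5.199:8080          3280
"""
PS_ROW = re.compile(r"^0x[0-9a-f]+\s+(.+?)\s+(\d+)\s+(\d+)\s+\d+\s", re.M)
CONN_ROW = re.compile(r"^0x[0-9a-f]+\s+\S+\s+(\S+)\s+(\d+)\s*$", re.M)

def parse_pslist(text):
    """Map PID -> (name, PPID); header and separator lines do not match."""
    return {int(pid): (name, int(ppid)) for name, pid, ppid in PS_ROW.findall(text)}

def parse_connscan(text):
    """Return (remote endpoint, owning PID) for every connscan row."""
    return [(remote, int(pid)) for remote, pid in CONN_ROW.findall(text)]

def triage(procs, conns):
    """For each PID owning a connection: process name, remote peers, parentage notes."""
    report = {}
    for remote, pid in conns:
        if pid not in report:
            name, ppid = procs.get(pid, ("<not in pslist>", None))
            notes = []
            if ppid is None:
                notes.append("owner missing from pslist")
            elif ppid in procs and procs[ppid][0].lower() == "cmd.exe":
                notes.append("child of cmd.exe")
            elif ppid not in procs and ppid != 0:
                notes.append("parent PID %d not in pslist" % ppid)
            report[pid] = {"name": name, "remotes": set(), "notes": notes}
        report[pid]["remotes"].add(remote)
    return report

if __name__ == "__main__":
    for pid, info in sorted(triage(parse_pslist(PSLIST), parse_connscan(CONNSCAN)).items()):
        print(pid, info["name"], sorted(info["remotes"]), info["notes"])
```

Only connection-owning PIDs are reported, so explorer.exe in the sample, whose parent has legitimately exited, does not appear even though its parent PID is also missing.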
The following snapshot shows the output of the malfind plugin, which is run against the PID of iexplorer.exe; the dump is stored in the iexplorer directory.
vol.py --profile=Win2003SP1x86 malfind -D iexplorer/ -p 3280 -f vmem_file_name
Using the following command on the dump, we found a DLL in the process, as shown in figure 29.
file iexplorer/*.dmp | less
Scan this DLL on the online site virustotal.com to get more detail about the malicious activity detected on the compromised machine.
The VirusTotal output for the above dump file shows that iexplorer.exe is a malicious program and that it was running on the compromised system. It also shows that the attacker's malicious program exists on the system for persistent access.
The same steps are performed again on the second process (tango.exe), and its dump is also scanned on VirusTotal. The following snapshot shows the complete process.
vol.py --profile=Win2003SP1x86 malfind -D tango/ -p 3632 -f vmem_file_name
Run the following command on the tango dump files.
file tango/*.dmp | less
The following figure shows the VirusTotal output for the dumps of the tango.exe process.
The Volatility analysis shows that malicious programs were running on the system when this live dump was taken. It also confirms that an insider hacked the system and installed a backdoor and Trojans.
In this article, the Volatility framework, an open source memory analysis tool, is comprehensively explored. It is primarily used for the detection and in-depth analysis of malicious programs running on a compromised system. It is already available in many Linux security distributions.