The Volatility Framework: Analyze Volatile Memory

by Black on July 1, 2009 · 0 comments

in Forensics, Open Source, Security tools, Windows

No fancy words. Just plain English. The Volatility Framework is THE application suite you need to analyze volatile memory. What is volatile memory? It is the RAM.

It is an open source, Python based extensible framework for conducting analysis on memory images. It supports flat file images, crash dump files, and hibernation files and will run on any operating system that supports Python. Officially, Linux, Cygwin, Windows and OSX 10.5 platforms are supported. It can extract digital artifacts from volatile memory samples captured from Windows XP Service Pack 2 and Service Pack 3. Currently it includes virtual address translation modules for Intel x86 32-bit Windows platforms (PAE and NOPAE). It also supports plugins.
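To show what the x86 32-bit (NOPAE) address translation module actually does, here is an added example, written for this post and not code from the Volatility project: a page-directory walk from virtual address to physical offset, plus the reverse lookup used to tie a string found at a physical offset back to a process. The memory image, the page tables and the marker string are constructed inline; the layout (directory at 0x1000, table at 0x2000) is an assumption for the sample only.

```python
import struct

PRESENT = 0x1       # bit 0 of a PDE/PTE
LARGE_PAGE = 0x80   # bit 7 (PS) of a PDE: entry maps a 4 MB page directly
PAGE_MASK = 0xFFFFF000

def read_u32(mem, paddr):
    """Little-endian 32-bit read at a physical offset; outside the image reads as 0 (not present)."""
    return struct.unpack_from("<I", mem, paddr)[0] if paddr + 4 <= len(mem) else 0

def v2p(mem, dtb, vaddr):
    """x86 non-PAE walk: 10-bit directory index, 10-bit table index, 12-bit offset.
    dtb is the page-directory base (CR3). Returns None if the page is not present."""
    pde = read_u32(mem, dtb + ((vaddr >> 22) & 0x3FF) * 4)
    if not pde & PRESENT:
        return None
    if pde & LARGE_PAGE:
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = read_u32(mem, (pde & PAGE_MASK) + ((vaddr >> 12) & 0x3FF) * 4)
    if not pte & PRESENT:
        return None
    return (pte & PAGE_MASK) | (vaddr & 0xFFF)

def p2v(mem, dtb, paddr):
    """Reverse direction: all virtual addresses in this address space that map the
    physical offset, e.g. to tie a string found by a raw scan back to a process."""
    hits = []
    for di in range(1024):
        pde = read_u32(mem, dtb + di * 4)
        if not pde & PRESENT:
            continue
        if pde & LARGE_PAGE:
            if (pde & 0xFFC00000) == (paddr & 0xFFC00000):
                hits.append((di << 22) | (paddr & 0x3FFFFF))
            continue
        for ti in range(1024):
            pte = read_u32(mem, (pde & PAGE_MASK) + ti * 4)
            if pte & PRESENT and (pte & PAGE_MASK) == (paddr & PAGE_MASK):
                hits.append((di << 22) | (ti << 12) | (paddr & 0xFFF))
    return hits

def build_sample_image():
    """Constructed 64 KB image (not a real dump): page directory at 0x1000,
    one page table at 0x2000, a data page at 0x3000 holding a marker string."""
    mem, dtb = bytearray(0x10000), 0x1000
    struct.pack_into("<I", mem, dtb + 1 * 4, 0x2000 | 0x3)     # PDE[1] -> table, present+rw
    struct.pack_into("<I", mem, 0x2000 + 1 * 4, 0x3000 | 0x3)  # PTE[1]: 0x00401000 -> phys 0x3000
    struct.pack_into("<I", mem, dtb + 2 * 4, 0x0 | 0x83)       # PDE[2]: 4 MB page at phys 0
    mem[0x3010:0x3022] = b"constructed-sample"
    return mem, dtb
```

With the sample image, `v2p(mem, dtb, 0x00401010)` lands on the marker string at physical 0x3010, and `p2v(mem, dtb, 0x3010)` reports both the 4 KB mapping and the 4 MB large-page alias.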

This is the feature list:

  • Image date and time
  • Running processes
  • Open network sockets
  • Open network connections
  • DLLs loaded for each process
  • Open files for each process
  • Open registry handles for each process
  • A process’ addressable memory
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (strings to process)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sockets, connections, modules
  • Extract executables from memory samples
  • Transparently supports a variety of sample formats (ie, Crash dump, Hibernation, DD)
  • Automated conversion between formats

We will be trying to list all of the known plugins here for your help:

    Command Shell

    • volshell (By Moyix) – Creates a Python shell that can be used with the framework.

    Malware Detection

    Data Recovery

    • cryptoscan (By Jesse Kornblum) – Finds TrueCrypt passphrases
    • moddump (By Moyix) – Dump out a kernel module (aka driver)
    • Registry tools (By Moyix) – A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
    • Modified Regripper & Glue Code (By Moyix) – Code to run a modified RegRipper against the registry hives embedded in a memory dump. Note that due to a dependency on Inline::Python, this only works on Linux.
    • getsids (By Moyix) – Get information about what user (SID) started a process.
    • ssdt (By Moyix) – List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
    • threadqueues (By Moyix) – Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
    • objtypescan (By Andreas Schuster) – Enumerates Windows kernel object types. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
    • keyboardbuffer (By Andreas Schuster) – Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
    • mutantscan (By Andreas Schuster) – Extracts mutexes from the Windows kernel. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
    • symlinkobjscan (By Andreas Schuster) – Extracts symbolic link objects from the Windows kernel. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
    • driverscan (By Andreas Schuster) – Scan for kernel _DRIVER_OBJECTs. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
    • fileobjscan (By Andreas Schuster) – File object -> process linkage, including hidden files. (Note: If running the SVN version of Volatility, just install the plugin file from this archive.)
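The ssdt entry above says the system call table can be used to spot rootkits that replace entries; here is an added example of that check, written for this post and not the plugin's own code. Module ranges, table indices and pointer values are constructed, and the module name "example.sys" is a placeholder; the rule is simply that every table entry should point into a kernel module that is expected to implement system calls.

```python
# Constructed sample, not output from a real dump: loaded kernel modules as
# (name, base, size) and a few native SSDT slots as (index -> function pointer).
MODULES = [
    ("ntoskrnl.exe", 0x804D7000, 0x1F6000),
    ("win32k.sys",   0xBF800000, 0x1C0000),
    ("example.sys",  0xF8A10000, 0x8000),   # placeholder third-party driver
]
SSDT = {
    0x00: 0x8058B3F6,   # inside ntoskrnl.exe
    0x25: 0x8056C1C2,   # inside ntoskrnl.exe
    0x91: 0xF8A12C40,   # points into example.sys: a replaced entry
    0xAD: 0x80580C8E,   # inside ntoskrnl.exe
}

def owning_module(addr, modules):
    """Name of the loaded module whose range covers addr, or None if no module does."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def find_hooked(ssdt, modules, allowed=("ntoskrnl.exe", "win32k.sys")):
    """Return (index, address, owner) for every SSDT entry whose target lies outside
    the modules expected to own system call handlers. An entry resolving to another
    driver, or to no module at all, is the classic sign of an SSDT hook."""
    hooked = []
    for idx, addr in sorted(ssdt.items()):
        owner = owning_module(addr, modules)
        if owner not in allowed:
            hooked.append((idx, addr, owner))
    return hooked

if __name__ == "__main__":
    for idx, addr, owner in find_hooked(SSDT, MODULES):
        print("SSDT[0x%02X] -> 0x%08X owned by %s" % (idx, addr, owner or "<no module>"))
```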

    Process Enumeration

    • suspicious (By Jesse Kornblum) – Identify “suspicious” processes. This version counts any command line running TrueCrypt or any command line that starts with a lower case drive letter as suspicious.

    Output Formatting

    All of these plugins make the framework fun to work with. You can view the homepage here. Additionally, you can download the following versions here:

    Volatility-1.3_Beta: tar.gz and zip, with md5, sha1, GPG signatures and the GPG key
    Volatility-1.1.2: tar.gz and zip, with md5, sha1, GPG signatures and the GPG key
    Volatility-1.1.1: tar.gz, with md5, sha1, GPG signature and the GPG key
