Examining Memory Dumps with Volatility

From csn
Jump to navigation Jump to search

The operating system that you are using today is neither Windows or OSX (Apple). We are using a Linux based operating system called Kali Linux which is specifically designed for digital forensics and penetration testing. Linux is open source, which means that the computer code used to build it is publicly available. Kali Linux is preinstalled with over 300 penetration-testing programs.

Much of the software is command line based. There are a wide range of reasons why security testing software does not come with a point and click Graphical User Interface (GUI). These are:

Kali Linux CLI
Kali Linux CLI
  • The software is often produced by programmers in their own time
  • The ability search the output of one command, and feed it into another means that amazing things can be done
  • A natural preference of people in this field

You can learn more about Kali Linux and download it for free here: https://www.kali.org/

Today we will use Volatility, an open source memory forensics framework which is included in the Kali Linux distribution. The software can be used to investigate memory dumps from a range of operating systems to respond to incidents. It comes packaged with the Kali Linux Operating System.

In this lab we are going to investigate a memory dump from a computer. You can download this image http://it.murdoch.edu.au/nsrg/memory_dump.img.zip but we have already provided the file for you on your computer in the Downloads directory. Lets take a look at how we get there on the command line.

After this you want to open the command line on Kali Linux. You should have a prompt that looks like:

root@kali:~#

Once you have this you should cd to your Downloads directory

root@kali:~#cd Downloads
root@kali:~/Downloads# 

List the files in the directory.

root@kali:~/Downloads# ls

Find the memory dump file.

See if you can answer the following questions.

What is the Operating System of the computer being investigated and what was the date that this image was made?______________________________________________

Try:

root@kali:~/Downloads#volatility -f memory_dump.img imageinfo

When and in what timezone was the memory dump taken?______________________________________________

Try:

root@kali:~/Downloads#volatility -f memory_dump.img --profile=WinXPSP2x86 psscan

What do you think is the name or username of the user using this computer?______________________________________________

Try:

root@kali:~/Downloads#volatility -f memory_dump.img --profile=WinXPSP2x86 hashdump

What are the IP addresses of the other computers that this computer was talking to?______________________________________________

Try:

root@kali:~/Downloads#volatility -f memory_dump.img --profile=WinXPSP2x86 connscan

As the memory dump is very old this information is potentially unhelpful, but you could lookup the owner and country of origin for these IP addresses here http://ip-lookup.net/. Your machine is not currently connected to the Internet.

What commands did this user recently type into the command line of their computer?______________________________________________

Try:

root@kali:~/Downloads#volatility -f memory_dump.img --profile=WinXPSP2x86 cmdscan

What websites was this user visiting?______________________________________________

Try:

root@kali:~/Downloads#volatility -f memory_dump.img --profile=WinXPSP2x86 yarascan -Y "/www/" | more

Try replacing www, which is a search string, with other search terms. The date of the capture was 2005 and the user was reading some news sites so you will have hits with "george" or "bush".