Examining Memory Dumps with Volatility
The operating system that you are using today is neither Windows or OSX (Apple). We are using a Linux based operating system called Kali Linux which is specifically designed for digital forensics and penetration testing. Linux is open source, which means that the computer code used to build it is publicly available. Kali Linux is preinstalled with over 300 penetration-testing programs.
Much of the software is command line based. There are a wide range of reasons why security testing software does not come with a point and click Graphical User Interface (GUI). These are:
- The software is often produced by programmers in their own time
- The ability search the output of one command, and feed it into another means that amazing things can be done
- A natural preference of people in this field
You can learn more about Kali Linux and download it for free here: https://www.kali.org/
Today we will use Volatility, an open source memory forensics framework which is included in the Kali Linux distribution. The software can be used to investigate memory dumps from a range of operating systems to respond to incidents. It comes packaged with the Kali Linux Operating System.
In this lab we are going to investigate a memory dump from a computer. You can download this image http://it.murdoch.edu.au/nsrg/memory_dump.img.zip but we have already provided the file for you on your computer in the Downloads directory. Lets take a look at how we get there on the command line.
After this you want to open the command line on Kali Linux. You should have a prompt that looks like:
root@kali:~#
Once you have this you should cd to your Downloads directory
root@kali:~#cd Downloads root@kali:~/Downloads#
List the files in the directory.
root@kali:~/Downloads# ls
Find the memory dump file.
See if you can answer the following questions.
What is the Operating System of the computer being investigated and what was the date that this image was made?______________________________________________
Try:
root@kali:~/Downloads#volatility -f memory_dump.img imageinfo
When and in what timezone was the memory dump taken?______________________________________________
Try:
root@kali:~/Downloads#volatility -f memory_dump.img --profile=WinXPSP2x86 psscan
What do you think is the name or username of the user using this computer?______________________________________________
Try:
root@kali:~/Downloads#volatility -f memory_dump.img --profile=WinXPSP2x86 hashdump
What are the IP addresses of the other computers that this computer was talking to?______________________________________________
Try:
root@kali:~/Downloads#volatility -f memory_dump.img --profile=WinXPSP2x86 connscan
As the memory dump is very old this information is potentially unhelpful, but you could lookup the owner and country of origin for these IP addresses here http://ip-lookup.net/. Your machine is not currently connected to the Internet.
What commands did this user recently type into the command line of their computer?______________________________________________
Try:
root@kali:~/Downloads#volatility -f memory_dump.img --profile=WinXPSP2x86 cmdscan
What websites was this user visiting?______________________________________________
Try:
root@kali:~/Downloads#volatility -f memory_dump.img --profile=WinXPSP2x86 yarascan -Y "/www/" | more
Try replacing www, which is a search string, with other search terms. The date of the capture was 2005 and the user was reading some news sites so you will have hits with "george" or "bush".