memory-forensics

Purpose

When to Use

Key Capabilities

• Parse memory dumps to extract processes, network connections, and injected code using Volatility's plugins.
• Detect hidden processes and rootkits via checks for process hollowing or DKOM (Direct Kernel Object Manipulation).
• Analyze hibernation files or pagefiles for artifacts like command history or encryption keys.
• Support for multiple dump formats, including raw, VMware, and crash dumps, with automated profile detection.

Usage Patterns

import subprocess
dump_file = 'memory.dmp'
subprocess.run(['volatility', '-f', dump_file, 'pslist'])

Common Commands/API

$VOLATILITY_PROFILE=Win7SP1x64

• Command:

  volatility -f memory.dmp imageinfo

  — Identifies the OS profile from the dump.
  • Flags:

    -f

    for file path,

    --profile=Win10x64

    to override auto-detection.
• Command:

  volatility -f memory.dmp malfind

  — Scans for injected code or malware hooks.
  • Example: Pipe output:

    volatility -f memory.dmp malfind > malware_output.txt

• API Endpoint: If using Volatility3 via Python API, import as

  from volatility3.framework import interfaces

  , then call

  interfaces.configuration.ConfObject()

  for configurations.
  • Snippet:
    python

    from volatility3 import framework
    config = framework.require_plugin('windows').build_configuration()
    config['primary'] = 'memory.dmp'

• Config Format: JSON-based, e.g.,

  {"plugin": "pslist", "dumpfile": "memory.dmp"}

  for custom runs.

Integration Notes

pip install volatility

$AWS_ACCESS_KEY_ID

$AWS_SECRET_ACCESS_KEY

volatility -f memory.dmp strings | grep suspicious

Error Handling

imageinfo

try:
    result = subprocess.run(['volatility', '-f', 'memory.dmp', 'pslist'], capture_output=True, check=True)
except subprocess.CalledProcessError as e:
    print(f"Error: {e.returncode} - {e.stderr.decode()}")

$VOLATILITY_DEBUG=1

Concrete Usage Examples

1. Detect Malware in a Windows Dump: Load a memory dump from a suspected infected machine and scan for anomalies.
   • Command:

     volatility -f infected.dmp --profile=Win10x64 malfind

   • Steps: First run

     volatility -f infected.dmp imageinfo

     to confirm profile, then analyze output for PID and virtual address of suspicious processes.
2. Investigate Rootkit Presence: Analyze a Linux memory dump for hidden kernel modules.
   • Command:

     volatility -f linux.dmp linux_pslist

   • Steps: Cross-reference with

     linux_modules

     to spot discrepancies, then use

     strings

     on flagged addresses for further inspection.

Graph Relationships

• Related to: blue-team cluster skills like "incident-response" (depends on outputs) and "threat-intelligence" (provides input data).
• Connected via: tags such as "forensics" and "security", linking to skills like "network-forensics" for comprehensive breach analysis.