
Volatility Is an Essential DFIR Tool—Here’s Why

Written by Remi Olatona


Open-source software has robust forensics capabilities

Digital forensics and incident response (DFIR) analysts constantly face the challenge of quickly acquiring and extracting value from raw digital evidence. Investigators must make sense of unfiltered records of all attacker activity captured during an incident. They need to analyze that activity against data at rest, data in motion, and data in use. And they must do all of this within resource constraints. That’s why DFIR analysts should have open-source software (OSS) in their toolkits.

Volatility is a command-line tool that lets DFIR teams acquire and analyze the volatile data that is temporarily stored in random access memory (RAM). Such data often contains critical clues for investigators. Volatility’s extraction techniques run completely independently of the system being investigated, yet still offer visibility into that system’s runtime state. What’s more, Volatility’s source code is freely available for inspection, modification, and enhancement—and that brings organizations financial advantages along with improved security.

Memory Acquisition

Memory acquisition is the process of dumping the memory of the physical device of interest (Windows, Linux, or Unix). Volatility can also work from hibernation files, crash dumps, pagefiles, and swap files. For the acquisition itself, DFIR analysts can use tools such as Win32dd/Win64dd, Memoryze, DumpIt, and FastDump.

On a virtual machine (VM), analysts can easily acquire a memory image for Volatility by suspending the VM and grabbing the “.vmem” file.


Memory Forensics

Analysts can use Volatility for memory forensics by leveraging its plug-ins to identify rogue processes, analyze process dynamic link libraries (DLLs) and handles, review network artifacts, and look for evidence of code injection. Volatility has plug-ins for analyzing RAM from both 32-bit and 64-bit systems. These plug-ins also let DFIR analysts extract processes, drivers, and objects, and check for signs of rootkits running on the device of interest at the time of infection.

Once the memory image has been acquired, the next step is to analyze the memory dump file for forensic artifacts. Memory image analysis can reveal the processes that were running, the files that were created, the users’ activities, and the overall state of the device of interest at the time of the incident.

The Device Operating System (OS)

Volatility is written in Python and supports Microsoft Windows, Mac OS X, and Linux operating systems. Volatility requires the OS profile that matches the memory dump file. The “imageinfo” plug-in command lets Volatility suggest a suitable profile and identify the dump file’s OS, version, and architecture.

The Process Identifier

A process identifier (PID) is automatically assigned to each process when it is created on Windows, Linux, and Unix. Each running process has a unique decimal “process ID.”

A PID identifies a process only during that process’s lifetime, and PIDs are reused over time, so a PID does not reliably identify a process that is no longer running. The PID helps the analyst single out specific processes of interest using the “pslist” plug-in command.
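As an added illustration (not code from the original post or from the Volatility project), the script below parses constructed sample text output from Volatility 2’s “pslist” plug-in and its “psscan” plug-in, which carves process objects from memory rather than walking the active process list, and cross-checks them for two things discussed above: processes that psscan finds but pslist does not show (a rootkit sign), and processes whose parent PID is no longer running (where PID reuse means the parent cannot be trusted). The sample output and the process names in it are constructed for the example.

```python
import re

# Constructed sample of Volatility 2 "pslist" output (columns trimmed).
PSLIST = """\
Offset(V)  Name          PID  PPID  Thds  Hnds  Start
0x8200b100 System           4     0    52   252  2021-03-01 10:00:00 UTC+0000
0x8200c200 smss.exe       356     4     3    19  2021-03-01 10:00:01 UTC+0000
0x8200d300 csrss.exe      432   356    10   410  2021-03-01 10:00:02 UTC+0000
0x8200e400 explorer.exe  1208  1180    22   640  2021-03-01 10:00:09 UTC+0000
0x8200f500 cmd.exe       2288  1208     1    21  2021-03-01 10:12:40 UTC+0000
"""

# Constructed sample of "psscan" output for the same image. PID 3100 is absent
# from pslist, i.e. it was unlinked from the active list (a rootkit sign).
PSSCAN = """\
Offset(P)  Name          PID  PPID  PDB        Time created
0x0200b100 System           4     0  0x00185000 2021-03-01 10:00:00 UTC+0000
0x0200c200 smss.exe       356     4  0x1a2b3000 2021-03-01 10:00:01 UTC+0000
0x0200d300 csrss.exe      432   356  0x1b2c4000 2021-03-01 10:00:02 UTC+0000
0x0200e400 explorer.exe  1208  1180  0x1c3d5000 2021-03-01 10:00:09 UTC+0000
0x0200f500 cmd.exe       2288  1208  0x1d4e6000 2021-03-01 10:12:40 UTC+0000
0x02010600 svch0st.exe   3100  1208  0x1e5f7000 2021-03-01 10:13:05 UTC+0000
"""

# A data row starts with the object offset, then name, PID and PPID.
ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")

def parse_processes(text):
    """Return {pid: (name, ppid)} from pslist- or psscan-style text output."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs

def hidden_processes(pslist_text, psscan_text):
    """PIDs that psscan carved from memory but pslist does not show."""
    # psscan also finds terminated process objects, so each hit is a lead to
    # verify against threads, handles and exit time, not a verdict by itself.
    listed = parse_processes(pslist_text)
    return sorted(pid for pid in parse_processes(psscan_text) if pid not in listed)

def orphan_processes(pslist_text):
    """PIDs whose parent is not in pslist (PID 0 is the idle pseudo-parent)."""
    # Normal for explorer.exe (its parent userinit.exe exits at logon), but the
    # PPID may have been reused since, so a parent name must not be trusted.
    listed = parse_processes(pslist_text)
    return sorted(pid for pid, (_, ppid) in listed.items()
                  if ppid != 0 and ppid not in listed)
```

On the constructed input, `hidden_processes` reports PID 3100 and `orphan_processes` reports PID 1208; against a real image, feed it the saved text output of both plug-ins.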

The User's Activities

ShellBags is a popular Windows forensic artifact used to identify the existence of directories on local, network, and removable storage devices. DFIR teams can use Volatility’s “ShellBags” plug-in command to identify the files and folders accessed by the user, including the most recently accessed item.

In Windows 7 through Windows 10, these artifacts are stored as a highly nested, hierarchical set of registry subkeys in both the NTUSER.DAT and USRCLASS.DAT hives. Their locations are:

  • NTUser.Dat: HKCU\Software\Microsoft\Windows\Shell
  • USRClass.Dat: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell

Volatility’s plug-in parses and prints a file named “that will identify files, folders, zip files, and any installers that existed at one point in this system even if the file was already deleted. The plug-in will identify the file metadata that includes, for instance, the file path, timestamp, and size.


During an investigation, Volatility can be used to link artifacts from the device, network, file system, and registry, and to ascertain the list of all running processes, active and closed network connections, Windows command prompts that ran within the timeframe of the incident, screenshots, and clipboard contents.

DFIR analysts not already using Volatility should seize the opportunity to learn more about how this very powerful open-source tool enables analysts to interact with the memory artifacts and files on a compromised device. See the reference links below for further guidance.


External References

  • Forensics; 2021; Unclassified
  • Volatility Integration in AXIOM; 2020; Unclassified
  • 2014; Unclassified
  • 2020; Unclassified
  • 2020; Unclassified
  • 2021; Unclassified
  • 2020; Unclassified
  • 2018; Unclassified
  • 2019; Unclassified

This blog series is brought to you by Booz Allen DarkLabs. Our DarkLabs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur.

This article is for informational purposes only; its content may be based on employees’ independent research and does not represent the position or opinion of Booz Allen. Furthermore, Booz Allen disclaims all warranties in the article’s content, does not recommend/endorse any third-party products referenced therein, and any reliance and use of the article is at the reader’s sole discretion and risk.
