DEV Community

Noah Mugaya

forensics volatility
volatilitynotes.md
**TOOLS SET UP**

Setup here is very simple, since we will be focusing on one tool, Volatility (GitHub). Volatility supports Linux, macOS and Windows. Volatility is a terminal (CMD) based application, meaning you run it from the terminal (the GUI version, Volatility Workbench, can also be used but is not covered here since it is a Windows-only GUI).

**INSTALLING VOLATILITY**

Volatility can be installed from the official repository on Ubuntu 18.

Note: The following command is for reference purposes only and should not be executed in this scenario as the VM lacks internet access by design. Volatility has already been installed.

```bash
apt install volatility -y
```

The above command also installs the additional packages that the Volatility tool depends on:

```
... The following additional packages will be installed:
  dwarfdump libdistorm3-3 libjansson4 libjbig0 libjpeg-turbo8 libjpeg8 liblcms2-2 libtiff5 libwebp6 libwebpdemux2 libwebpmux3 libyara3 python-attr python-bs4 python-chardet python-crypto python-distorm3 python-et-xmlfile python-funcsigs python-html5lib python-jdcal python-lxml python-olefile python-openpyxl python-pil python-pkg-resources python-pluggy python-py python-pytest python-six python-tz python-webencodings python-yara volatility-tools
Suggested packages:
  liblcms2-utils python-attr-doc python-crypto-doc python-funcsigs-doc python-genshi python-lxml-dbg python-lxml-doc python-pil-doc python-pil-dbg python-setuptools subversion python-pytest-xdist python-mock libraw1394-11 lime-forensics-dkms gcc make zip
The following NEW packages will be installed:
  dwarfdump libdistorm3-3 libjansson4 libjbig0 libjpeg-turbo8 libjpeg8 liblcms2-2 libtiff5 libwebp6 libwebpdemux2 libwebpmux3 libyara3 python-attr python-bs4 python-chardet python-crypto python-distorm3 python-et-xmlfile python-funcsigs python-html5lib python-jdcal python-lxml python-olefile python-openpyxl python-pil python-pkg-resources python-pluggy python-py python-pytest python-six python-tz python-webencodings python-yara volatility volatility-tools
0 upgraded, 35 newly installed, 0 to remove and 289 not upgraded.
```

Validate the Volatility installation by running the following command, which prints the tool's usage and command options:

```bash
volatility --help
```

Sample output:

```
Volatility Foundation Volatility Framework 2.6
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/root/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/root/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  --physical_shift=PHYSICAL_SHIFT
                        Linux kernel physical shift address
  --virtual_shift=VIRTUAL_SHIFT
                        Linux kernel virtual shift address
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  ...
```

**LABS SET UP**

This scenario uses MemLabs, cloned from https://github.com/stuxnet999/MemLabs. The labs contain the CTF memory images referenced earlier.

Note: The following command is for reference purposes only and should not be executed in this scenario, as the VM lacks internet access by design. The labs have already been cloned and are located at /home/admin/labs/MemLab.

```bash
git clone https://github.com/stuxnet999/MemLabs.git
```

The scenario starts with the first lab, Lab 1:

According to the README this is the easiest of them all, and it is where I would urge all beginners to start: it shows a clear path through how memory forensics works and offers an easier approach to what can otherwise be a steep learning curve. Note also that we will be learning about the tool more than about the CTF itself, which is what matters.

**VOLATILITY INTRODUCTION**

Let's start with a short introduction to the tool, what exactly it does and why we need it:

Memory forensics (of volatile memory) is performed on a system that was live, where the investigator managed to grab a snapshot of its memory at that moment. That snapshot lets us investigate many things, including processes, files, IP addresses (network information), user information and even dumped passwords; the list is huge.

This helps an investigator find patterns showing how and by whom the system was attacked and how the attacker moved around, and also how a piece of malware infected a system, and so on. The possibilities are so many that we cannot cover them here; take a look at Volatility's wiki and read more.

**MEMORY FORENSICS STEPS**

**STEP 1**

Change directory to the first lab:

```bash
cd /home/ubuntu/labs/MemLabs/Lab\ 1
```

Check the contents of README.md for the challenge description and instructions.

```bash
cat README.md
```

The README indicates where the image is hosted and where to download it.

Note: The image file has been downloaded and located in the Lab 1 directory.

```
root@labs:/home/ubuntu/labs/MemLabs/Lab 1# ls
MemoryDump_Lab1.raw  README.md
```

The Lab 1 README gives the MD5 hash of the memory dump as b9fec1a443907d870cb32b048bda9380. Validate the hash of the downloaded image before proceeding:

```bash
md5sum MemoryDump_Lab1.raw
```

```
b9fec1a443907d870cb32b048bda9380  MemoryDump_Lab1.raw
```

**STEP 2: IDENTIFY WHICH PROFILE TO USE**

We use the plugins available in Volatility to interact with and manage the image. Our first interaction is to identify which profile to use, by first identifying the image type and which system it came from:

```bash
volatility -f MemoryDump_Lab1.raw imageinfo
```
Output:

```
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/ubuntu/labs/MemLabs/Lab 1/MemoryDump_Lab1.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028100a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002811d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-12-11 14:38:00 UTC+0000
     Image local date and time : 2019-12-11 20:08:00 +0530
```

**STEP 3: KDBG SCAN**

The KDBG is a structure maintained by the Windows kernel for debugging purposes. It contains a list of the running processes and loaded kernel modules. It also contains some version information that allows you to determine whether a memory dump came from a Windows XP system or from Windows 7, what Service Pack was installed, and the memory model (32-bit vs 64-bit).

Say you have a raw image whose suggested profile is Windows 7 SP2 (or similar), but pslist (another plugin) does not show any processes: kdbgscan helps you confirm the right profile, after which you proceed with the first profile it suggests. In our case we do not need kdbgscan, but here is how to run it anyway:

```bash
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 kdbgscan
```
Output:

```
Volatility Foundation Volatility Framework 2.6

Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800028100a0
Offset (P)                    : 0x28100a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
Version64                     : 0xf80002810068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.17514.amd64fre.win7sp1_rtm.
PsActiveProcessHead           : 0xfffff80002846b90 (48 processes)
PsLoadedModuleList            : 0xfffff80002864e90 (140 modules)
KernelBase                    : 0xfffff8000261f000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff80002811d00 (CPU 0)

Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800028100a0
Offset (P)                    : 0x28100a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP0x64
Version64                     : 0xf80002810068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.17514.amd64fre.win7sp1_rtm.
PsActiveProcessHead           : 0xfffff80002846b90 (48 processes)
PsLoadedModuleList            : 0xfffff80002864e90 (140 modules)
KernelBase                    : 0xfffff8000261f000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff80002811d00 (CPU 0)

Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800028100a0
Offset (P)                    : 0x28100a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
Version64                     : 0xf80002810068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.17514.amd64fre.win7sp1_rtm.
PsActiveProcessHead           : 0xfffff80002846b90 (48 processes)
PsLoadedModuleList            : 0xfffff80002864e90 (140 modules)
KernelBase                    : 0xfffff8000261f000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff80002811d00 (CPU 0)

Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800028100a0
Offset (P)                    : 0x28100a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64_23418
Version64                     : 0xf80002810068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.17514.amd64fre.win7sp1_rtm.
PsActiveProcessHead           : 0xfffff80002846b90 (48 processes)
PsLoadedModuleList            : 0xfffff80002864e90 (140 modules)
KernelBase                    : 0xfffff8000261f000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff80002811d00 (CPU 0)

Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800028100a0
Offset (P)                    : 0x28100a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP0x64
Version64                     : 0xf80002810068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.17514.amd64fre.win7sp1_rtm.
PsActiveProcessHead           : 0xfffff80002846b90 (48 processes)
PsLoadedModuleList            : 0xfffff80002864e90 (140 modules)
KernelBase                    : 0xfffff8000261f000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff80002811d00 (CPU 0)

Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800028100a0
Offset (P)                    : 0x28100a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64_23418
Version64                     : 0xf80002810068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.17514.amd64fre.win7sp1_rtm.
PsActiveProcessHead           : 0xfffff80002846b90 (48 processes)
PsLoadedModuleList            : 0xfffff80002864e90 (140 modules)
KernelBase                    : 0xfffff8000261f000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff80002811d00 (CPU 0)
```

**STEP 4: LIST PROCESSES CAPTURED**

As noted, pslist shows the processes (applications) that were running on the system at the time the memory image was collected:

```bash
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist
```

Output:

```
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
0xfffffa8000ca0040 System 4 0 80 570 ------ 0 2019-12-11 13:41:25 UTC+0000
0xfffffa800148f040 smss.exe 248 4 3 37 ------ 0 2019-12-11 13:41:25 UTC+0000
0xfffffa800154f740 csrss.exe 320 312 9 457 0 0 2019-12-11 13:41:32 UTC+0000
0xfffffa8000ca81e0 csrss.exe 368 360 7 199 1 0 2019-12-11 13:41:33 UTC+0000
0xfffffa8001c45060 psxss.exe 376 248 18 786 0 0 2019-12-11 13:41:33 UTC+0000
0xfffffa8001c5f060 winlogon.exe 416 360 4 118 1 0 2019-12-11 13:41:34 UTC+0000
0xfffffa8001c5f630 wininit.exe 424 312 3 75 0 0 2019-12-11 13:41:34 UTC+0000
0xfffffa8001c98530 services.exe 484 424 13 219 0 0 2019-12-11 13:41:35 UTC+0000
0xfffffa8001ca0580 lsass.exe 492 424 9 764 0 0 2019-12-11 13:41:35 UTC+0000
0xfffffa8001ca4b30 lsm.exe 500 424 11 185 0 0 2019-12-11 13:41:35 UTC+0000
0xfffffa8001cf4b30 svchost.exe 588 484 11 358 0 0 2019-12-11 13:41:39 UTC+0000
0xfffffa8001d327c0 VBoxService.ex 652 484 13 137 0 0 2019-12-11 13:41:40 UTC+0000
0xfffffa8001d49b30 svchost.exe 720 484 8 279 0 0 2019-12-11 13:41:41 UTC+0000
0xfffffa8001d8c420 svchost.exe 816 484 23 569 0 0 2019-12-11 13:41:42 UTC+0000
0xfffffa8001da5b30 svchost.exe 852 484 28 542 0 0 2019-12-11 13:41:43 UTC+0000
0xfffffa8001da96c0 svchost.exe 876 484 32 941 0 0 2019-12-11 13:41:43 UTC+0000
0xfffffa8001e1bb30 svchost.exe 472 484 19 476 0 0 2019-12-11 13:41:47 UTC+0000
0xfffffa8001e50b30 svchost.exe 1044 484 14 366 0 0 2019-12-11 13:41:48 UTC+0000
0xfffffa8001eba230 spoolsv.exe 1208 484 13 282 0 0 2019-12-11 13:41:51 UTC+0000
0xfffffa8001eda060 svchost.exe 1248 484 19 313 0 0 2019-12-11 13:41:52 UTC+0000
0xfffffa8001f58890 svchost.exe 1372 484 22 295 0 0 2019-12-11 13:41:54 UTC+0000
0xfffffa8001f91b30 TCPSVCS.EXE 1416 484 4 97 0 0 2019-12-11 13:41:55 UTC+0000
0xfffffa8000d3c400 sppsvc.exe 1508 484 4 141 0 0 2019-12-11 14:16:06 UTC+0000
0xfffffa8001c38580 svchost.exe 948 484 13 322 0 0 2019-12-11 14:16:07 UTC+0000
0xfffffa8002170630 wmpnetwk.exe 1856 484 16 451 0 0 2019-12-11 14:16:08 UTC+0000
0xfffffa8001d376f0 SearchIndexer. 480 484 14 701 0 0 2019-12-11 14:16:09 UTC+0000
0xfffffa8001eb47f0 taskhost.exe 296 484 8 151 1 0 2019-12-11 14:32:24 UTC+0000
0xfffffa8001dfa910 dwm.exe 1988 852 5 72 1 0 2019-12-11 14:32:25 UTC+0000
0xfffffa8002046960 explorer.exe 604 2016 33 927 1 0 2019-12-11 14:32:25 UTC+0000
0xfffffa80021c75d0 VBoxTray.exe 1844 604 11 140 1 0 2019-12-11 14:32:35 UTC+0000
0xfffffa80021da060 audiodg.exe 2064 816 6 131 0 0 2019-12-11 14:32:37 UTC+0000
0xfffffa80022199e0 svchost.exe 2368 484 9 365 0 0 2019-12-11 14:32:51 UTC+0000
0xfffffa8002222780 cmd.exe 1984 604 1 21 1 0 2019-12-11 14:34:54 UTC+0000
0xfffffa8002227140 conhost.exe 2692 368 2 50 1 0 2019-12-11 14:34:54 UTC+0000
0xfffffa80022bab30 mspaint.exe 2424 604 6 128 1 0 2019-12-11 14:35:14 UTC+0000
0xfffffa8000eac770 svchost.exe 2660 484 6 100 0 0 2019-12-11 14:35:14 UTC+0000
0xfffffa8001e68060 csrss.exe 2760 2680 7 172 2 0 2019-12-11 14:37:05 UTC+0000
0xfffffa8000ecbb30 winlogon.exe 2808 2680 4 119 2 0 2019-12-11 14:37:05 UTC+0000
0xfffffa8000f3aab0 taskhost.exe 2908 484 9 158 2 0 2019-12-11 14:37:13 UTC+0000
0xfffffa8000f4db30 dwm.exe 3004 852 5 72 2 0 2019-12-11 14:37:14 UTC+0000
0xfffffa8000f4c670 explorer.exe 2504 3000 34 825 2 0 2019-12-11 14:37:14 UTC+0000
0xfffffa8000f9a4e0 VBoxTray.exe 2304 2504 14 144 2 0 2019-12-11 14:37:14 UTC+0000
0xfffffa8000fff630 SearchProtocol 2524 480 7 226 2 0 2019-12-11 14:37:21 UTC+0000
0xfffffa8000ecea60 SearchFilterHo 1720 480 5 90 0 0 2019-12-11 14:37:21 UTC+0000
0xfffffa8001010b30 WinRAR.exe 1512 2504 6 207 2 0 2019-12-11 14:37:23 UTC+0000
0xfffffa8001020b30 SearchProtocol 2868 480 8 279 0 0 2019-12-11 14:37:23 UTC+0000
0xfffffa8001048060 DumpIt.exe 796 604 2 45 1 1 2019-12-11 14:37:54 UTC+0000
0xfffffa800104a780 conhost.exe 2260 368 2 50 1 0 2019-12-11 14:37:54 UTC+0000
```

**STEP 5: SHOW HIDDEN AND/OR UNLINKED PROCESSES**

Show hidden (injected) and/or unlinked processes; here is an example on our CTF:

```bash
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pstree
```

Output:

```
Name                                                  Pid   PPid   Thds   Hnds Time
0xfffffa8000f4c670:explorer.exe 2504 3000 34 825 2019-12-11 14:37:14 UTC+0000
. 0xfffffa8000f9a4e0:VBoxTray.exe 2304 2504 14 144 2019-12-11 14:37:14 UTC+0000
. 0xfffffa8001010b30:WinRAR.exe 1512 2504 6 207 2019-12-11 14:37:23 UTC+0000
0xfffffa8001c5f630:wininit.exe 424 312 3 75 2019-12-11 13:41:34 UTC+0000
. 0xfffffa8001c98530:services.exe 484 424 13 219 2019-12-11 13:41:35 UTC+0000
.. 0xfffffa8002170630:wmpnetwk.exe 1856 484 16 451 2019-12-11 14:16:08 UTC+0000
.. 0xfffffa8001f91b30:TCPSVCS.EXE 1416 484 4 97 2019-12-11 13:41:55 UTC+0000
.. 0xfffffa8001da96c0:svchost.exe 876 484 32 941 2019-12-11 13:41:43 UTC+0000
.. 0xfffffa8001d327c0:VBoxService.ex 652 484 13 137 2019-12-11 13:41:40 UTC+0000
.. 0xfffffa8000eac770:svchost.exe 2660 484 6 100 2019-12-11 14:35:14 UTC+0000
.. 0xfffffa80022199e0:svchost.exe 2368 484 9 365 2019-12-11 14:32:51 UTC+0000
.. 0xfffffa8001e50b30:svchost.exe 1044 484 14 366 2019-12-11 13:41:48 UTC+0000
.. 0xfffffa8001d8c420:svchost.exe 816 484 23 569 2019-12-11 13:41:42 UTC+0000
... 0xfffffa80021da060:audiodg.exe 2064 816 6 131 2019-12-11 14:32:37 UTC+0000
.. 0xfffffa8001c38580:svchost.exe 948 484 13 322 2019-12-11 14:16:07 UTC+0000
.. 0xfffffa8001eba230:spoolsv.exe 1208 484 13 282 2019-12-11 13:41:51 UTC+0000
.. 0xfffffa8001d376f0:SearchIndexer. 480 484 14 701 2019-12-11 14:16:09 UTC+0000
... 0xfffffa8000fff630:SearchProtocol 2524 480 7 226 2019-12-11 14:37:21 UTC+0000
... 0xfffffa8001020b30:SearchProtocol 2868 480 8 279 2019-12-11 14:37:23 UTC+0000
... 0xfffffa8000ecea60:SearchFilterHo 1720 480 5 90 2019-12-11 14:37:21 UTC+0000
.. 0xfffffa8000f3aab0:taskhost.exe 2908 484 9 158 2019-12-11 14:37:13 UTC+0000
.. 0xfffffa8001cf4b30:svchost.exe 588 484 11 358 2019-12-11 13:41:39 UTC+0000
.. 0xfffffa8001d49b30:svchost.exe 720 484 8 279 2019-12-11 13:41:41 UTC+0000
.. 0xfffffa8001da5b30:svchost.exe 852 484 28 542 2019-12-11 13:41:43 UTC+0000
... 0xfffffa8000f4db30:dwm.exe 3004 852 5 72 2019-12-11 14:37:14 UTC+0000
... 0xfffffa8001dfa910:dwm.exe 1988 852 5 72 2019-12-11 14:32:25 UTC+0000
.. 0xfffffa8001e1bb30:svchost.exe 472 484 19 476 2019-12-11 13:41:47 UTC+0000
.. 0xfffffa8000d3c400:sppsvc.exe 1508 484 4 141 2019-12-11 14:16:06 UTC+0000
.. 0xfffffa8001f58890:svchost.exe 1372 484 22 295 2019-12-11 13:41:54 UTC+0000
.. 0xfffffa8001eda060:svchost.exe 1248 484 19 313 2019-12-11 13:41:52 UTC+0000
.. 0xfffffa8001eb47f0:taskhost.exe 296 484 8 151 2019-12-11 14:32:24 UTC+0000
. 0xfffffa8001ca0580:lsass.exe 492 424 9 764 2019-12-11 13:41:35 UTC+0000
. 0xfffffa8001ca4b30:lsm.exe 500 424 11 185 2019-12-11 13:41:35 UTC+0000
0xfffffa800154f740:csrss.exe 320 312 9 457 2019-12-11 13:41:32 UTC+0000
0xfffffa8000ca0040:System 4 0 80 570 2019-12-11 13:41:25 UTC+0000
. 0xfffffa800148f040:smss.exe 248 4 3 37 2019-12-11 13:41:25 UTC+0000
.. 0xfffffa8001c45060:psxss.exe 376 248 18 786 2019-12-11 13:41:33 UTC+0000
0xfffffa8001c5f060:winlogon.exe 416 360 4 118 2019-12-11 13:41:34 UTC+0000
0xfffffa8000ca81e0:csrss.exe 368 360 7 199 2019-12-11 13:41:33 UTC+0000
. 0xfffffa8002227140:conhost.exe 2692 368 2 50 2019-12-11 14:34:54 UTC+0000
. 0xfffffa800104a780:conhost.exe 2260 368 2 50 2019-12-11 14:37:54 UTC+0000
0xfffffa8002046960:explorer.exe 604 2016 33 927 2019-12-11 14:32:25 UTC+0000
. 0xfffffa80021c75d0:VBoxTray.exe 1844 604 11 140 2019-12-11 14:32:35 UTC+0000
. 0xfffffa8002222780:cmd.exe 1984 604 1 21 2019-12-11 14:34:54 UTC+0000
. 0xfffffa80022bab30:mspaint.exe 2424 604 6 128 2019-12-11 14:35:14 UTC+0000
. 0xfffffa8001048060:DumpIt.exe 796 604 2 45 2019-12-11 14:37:54 UTC+0000
0xfffffa8001e68060:csrss.exe 2760 2680 7 172 2019-12-11 14:37:05 UTC+0000
0xfffffa8000ecbb30:winlogon.exe 2808 2680 4 119 2019-12-11 14:37:05 UTC+0000
```

So what stands out? Most entries are system apps and services, so we ignore them. I suspect DumpIt.exe is not relevant for now (it is probably the tool that dumped the memory), so it will be the last one I run down and check. That leaves:

cmd.exe PID 1984

mspaint.exe PID 2424

WinRAR.exe PID 1512

Now let's see what command launched these apps.
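As an added example (not from the write-up or from the Volatility project), the following Python 3 script turns the triage in this step into code: it parses the text table that pslist prints, reports processes whose parent is missing from the list (unlinked or orphaned), and lists everything launched from an explorer.exe shell, which reproduces the short list above. The sample rows are a constructed subset copied from the pslist output above.

```python
"""Triage helper for Volatility 2 `pslist` text output: parse the table,
report processes whose parent is missing from the list (unlinked/orphaned)
and list what was launched from an interactive explorer.exe shell."""
import re

# Constructed sample: a subset of rows copied from the pslist output above.
PSLIST_SAMPLE = """\
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
0xfffffa8000ca0040 System 4 0 80 570 ------ 0 2019-12-11 13:41:25 UTC+0000
0xfffffa800148f040 smss.exe 248 4 3 37 ------ 0 2019-12-11 13:41:25 UTC+0000
0xfffffa800154f740 csrss.exe 320 312 9 457 0 0 2019-12-11 13:41:32 UTC+0000
0xfffffa8001c5f630 wininit.exe 424 312 3 75 0 0 2019-12-11 13:41:34 UTC+0000
0xfffffa8001c98530 services.exe 484 424 13 219 0 0 2019-12-11 13:41:35 UTC+0000
0xfffffa8001ca0580 lsass.exe 492 424 9 764 0 0 2019-12-11 13:41:35 UTC+0000
0xfffffa8002046960 explorer.exe 604 2016 33 927 1 0 2019-12-11 14:32:25 UTC+0000
0xfffffa8002222780 cmd.exe 1984 604 1 21 1 0 2019-12-11 14:34:54 UTC+0000
0xfffffa80022bab30 mspaint.exe 2424 604 6 128 1 0 2019-12-11 14:35:14 UTC+0000
0xfffffa8000f4c670 explorer.exe 2504 3000 34 825 2 0 2019-12-11 14:37:14 UTC+0000
0xfffffa8001010b30 WinRAR.exe 1512 2504 6 207 2 0 2019-12-11 14:37:23 UTC+0000
0xfffffa8001048060 DumpIt.exe 796 604 2 45 1 1 2019-12-11 14:37:54 UTC+0000
"""

# One pslist row: offset, name, PID, PPID, threads, handles, session, Wow64, start.
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\S+)\s+(?P<wow64>\d)"
    r"\s+(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_pslist(text):
    """Return one dict per process row; the header and other lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("pid", "ppid", "thds", "hnds", "wow64"):
                d[key] = int(d[key])
            procs.append(d)
    return procs


def find_orphans(procs):
    """(name, pid, ppid) for processes whose parent is not a live PID.
    Some are normal on Windows (csrss/wininit whose smss instance exited,
    explorer whose userinit exited); anything else deserves a closer look."""
    live = {p["pid"] for p in procs}
    return [(p["name"], p["pid"], p["ppid"]) for p in procs
            if p["ppid"] not in live and p["pid"] != 4]


def user_launched(procs):
    """Children of any explorer.exe, i.e. what the logged-in user actually ran,
    ordered by start time. This reproduces the 'what stands out' list above."""
    shells = {p["pid"] for p in procs if p["name"] == "explorer.exe"}
    kids = [p for p in procs if p["ppid"] in shells]
    return [(p["name"], p["pid"], p["start"])
            for p in sorted(kids, key=lambda p: p["start"])]


if __name__ == "__main__":
    ps = parse_pslist(PSLIST_SAMPLE)
    print("orphans:", find_orphans(ps))
    print("user launched:", user_launched(ps))
```

To run it against a real dump, pipe the full pslist output into `parse_pslist` instead of the embedded sample.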
**STEP 6: INVESTIGATE COMMANDS THAT LAUNCHED APPLICATIONS**

We pass the PIDs of the processes we suspect were started by the user:

```bash
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdline -p 1984,2424,1512
```

Output:

```
Volatility Foundation Volatility Framework 2.6
cmd.exe pid:   1984
Command line : "C:\Windows\system32\cmd.exe"

mspaint.exe pid:   2424
Command line : "C:\Windows\system32\mspaint.exe"

WinRAR.exe pid:   1512
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Alissa Simpson\Documents\Important.rar"
```

Now try the consoles plugin:

```bash
volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles
```

Output:

```
Volatility Foundation Volatility Framework 2.6
ConsoleProcess: conhost.exe Pid: 2692
Console: 0xff756200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe - St4G3$1
AttachedProcess: cmd.exe Pid: 1984 Handle: 0x60
CommandHistory: 0x1fe9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x1de3c0: St4G3$1
Screen 0x1e0f70 X:80 Y:300
Dump:
Microsoft Windows [Version 6
```

Follow me on Twitter: https://twitter.com/noahparagon