## Introduction

Most cases in the past were solved by analysing artifacts, and the basic techniques of artifact forensics have developed slowly; research on extracting data from volatile sources, such as memory forensics, is a hot topic. "How do we analyse memory dumps?" is one of the most common questions, and it is a real blockage. When you open a memory dump file it just looks random, without any visible structure. For people who are used to file-formatted data and structures, memory is one of the first barriers.

The most popular method is to use commands such as `strings`, or a regex, to pull out "readable" data and filter the strings that might help you. The limitation of this method is that it is consequential: knowing the target string in advance can only prove that the string is present in the memory dump. It gives no explanation of why these strings were made, when they were generated, or what other information could be related to them. It is important to note, though, that these methods are not worthless; they have their own uses.

Volatility is a tool that, through various plugins, structures the memory data so you can find which process left which data and which kinds of processes were used. Let's take a deep look.

## Installation

There are two versions. Volatility 2 works in a Python 2 environment, and Volatility 3 works in a Python 3 environment. Since the program is written in Python, install it by following the official install guide linked below. This article focuses on Volatility 3 rather than Volatility 2.

[Volatility 3 Github](https://github.com/volatilityfoundation/volatility3/tree/develop)

First, install Python. Volatility 3 supports Python 3 versions from 3.7.0 upwards, which is the minimum requirement, so on exactly 3.7.0 some plugins may have limitations.
```
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements-minimal.txt
python3 setup.py build
python3 setup.py install
```

Copy and paste these commands; if there are no errors it will work fine. If you have trouble installing, there is also the option of using a standalone version.

> [!NOTE] What is a standalone version?
> Literally, standalone versions are executables that need nothing else for their execution. They are compiled with every dependency, that is, Python itself and the imported libraries.
>
> You will easily find them by googling.

## Prerequisites

There is something you must understand before using Volatility. It is called the Image Symbol File (ISF). Some of you might know this term and some might not; the reason you have to know it is explained here.

Memory structures differ by operating system. Even on the same OS, they differ by version. There is almost nothing in common when analysing memory, so every single version would require a new tool. Volatility 2 used an option named profile to solve this problem: it scans the memory file for the operating system version, or the profile can be written manually if you know the version in advance. (~~Looks quite simple, but it takes hours to find the exact profile, so it was a pain in the …~~)

ISF is the improvement introduced in Volatility 3. If you have symbol information files, Volatility finds the right symbols for your memory dump file and runs the tool. It looks like there is no difference, but the time saving is massive. If you install it via GitHub it already has symbols for well-known versions, and additional symbols are provided at this [link](https://github.com/volatilityfoundation/volatility3/tree/develop#symbol-tables). Just put them under the symbol directory and it works nice and simple.

> [!Question] Still there are no images that I want to use!!
>
> Linux-based images, which update frequently and change dynamically, have a high chance of missing an ISF.
> But there is no need for frustration. ISF files can be created manually. (Make up your mind, since it will be tough.)
>
> The basic commands are written below. If you need comments for each line, see
> [Volatility Readthedocs - Creating New Symbol Tables](https://volatility3.readthedocs.io/en/latest/symbol-tables.html) for reference.
>
> ```shell
> git clone https://github.com/volatilityfoundation/dwarf2json.git
> apt install golang-go
> cd dwarf2json
> go mod download github.com/spf13/pflag
> go build
>
> uname -r   # e.g. 5.15.0-XXXX-aws, your kernel version
>
> # Add the Ubuntu debug-symbol (ddebs) repositories, one entry per line
> printf '%s\n' \
>   "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse" \
>   "deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse" \
>   "deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | \
>   sudo tee -a /etc/apt/sources.list.d/ddebs.list
>
> apt install ubuntu-dbgsym-keyring
> apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F2EDC64DC5AEE1F6B9C621F0C8CAB6595FDFF622
>
> apt update
>
> apt install linux-image-5.15.0-XXXX-aws-dbgsym   # your kernel version
>
> # Generate the ISF JSON from the debug kernel image and its System.map
> cd /dwarf2json
> ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-5.15.0-XXXX-aws --system-map /boot/System.map-5.15.0-XXXX-aws > Ubuntu22.04-5.15.0-XXXX-aws.json
>
> # Put the ISF where Volatility 3 looks for Linux symbols
> mkdir -p /volatility3/volatility3/symbols/linux
> mv ./Ubuntu22.04-5.15.0-XXXX-aws.json /volatility3/volatility3/symbols/linux
> ```

## Functions

As well as the wide range of symbol images it provides, Volatility supports a comparably wide range of functions. Each function varies by operating system (some commands differ even when they provide an identical feature). In this article the default plugins are explained; third-party plugins are explained in their developers' communities, or you might just email the person who developed them.

Every command is simple to use: just type its name. For example, the `Bash` command is used like this.

```
python3 vol.py -f output.raw linux.bash.Bash
```

And every command will be explained.
Sorry to disappoint high expectations: there will only be comments about the commands that are used frequently. If you want the specifics, go to the official documentation!

### Linux

- `isfinfo.IsfInfo` Prints information about the ISF file currently in use.
- `linux.bash.Bash` Recovers Bash command history from memory. A similar topic was covered in [[(EN) Bash History]].
- `linux.check_afinfo.Check_afinfo` Verifies the operation function pointers of network protocols.
- `linux.check_creds.Check_creds` Checks whether any processes are sharing credential structures.
- `linux.check_idt.Check_idt` Verifies the Interrupt Descriptor Table (IDT) for forgery. Some malware modifies the IDT to redirect execution, so this plugin helps you decide whether the IDT has been tampered with.
- `linux.check_modules.Check_modules` Compares the module list with sysfs.
- `linux.check_syscall.Check_syscall` Checks the system call table, so you can find out whether anything is hooked. This is similar to the IDT check, so keep an eye on it.
- `linux.elfs.Elfs` Lists every ELF file of each process.
- `linux.lsmod.Lsmod` Lists loaded kernel modules.
- `linux.lsof.Lsof` Prints the memory map of processes in use.
- `linux.malfind.Malfind` A very interesting function: shows every possible area where suspicious (injected) code could be placed.
- `linux.proc.Maps` Prints every process with its memory map. The difference from Lsof is that this prints everything while Lsof prints only processes in use; proc.Maps is the one that emphasises memory mapping.
- `linux.pslist.PsList` The most commonly used command; used to list processes.
- `linux.pstree.PsTree` Besides the flat list, there are situations where you want the process hierarchy. For these cases PsTree is used to find parent and child processes.

### Windows

- `windows.bigpools.BigPools` Lists big page pools.
- `windows.cachedump.Cachedump` Dumps LSA secrets from memory.
- `windows.cmdline.CmdLine` Lists process command line arguments.
- `windows.dlllist.DllList` Lists the loaded modules in a particular Windows memory image.
- `windows.driverirp.DriverIrp` Lists IRPs for drivers in a particular Windows memory image.
- `windows.driverscan.DriverScan` Scans for drivers present in a particular Windows memory image.
- `windows.dumpfiles.DumpFiles` Dumps cached file contents from Windows memory samples.
- `windows.envars.Envars` Displays process environment variables.
- `windows.filescan.FileScan` Scans for file objects present in a particular Windows memory image.
- `windows.getservicesids.GetServiceSIDs` Lists process token SIDs.
- `windows.getsids.GetSIDs` Prints the SIDs owning each process.
- `windows.handles.Handles` Lists process open handles.
- `windows.hashdump.Hashdump` Dumps user hashes from memory.
- `windows.info.Info` Shows OS and kernel details of the memory sample being analysed.
- `windows.lsadump.Lsadump` Dumps LSA secrets from memory.
- `windows.malfind.Malfind` Lists process memory ranges that potentially contain injected code.
- `windows.memmap.Memmap` Prints the memory map.
- `windows.modscan.ModScan` Scans for modules present in a particular Windows memory image.
- `windows.modules.Modules` Lists the loaded kernel modules.
- `windows.mutantscan.MutantScan` Scans for mutexes present in a particular Windows memory image.
- `windows.netscan.NetScan` Scans for network objects present in a particular Windows memory image.
- `windows.netstat.NetStat` Traverses network tracking structures present in a particular Windows memory image.
- `windows.poolscanner.PoolScanner` A generic pool scanner plugin.
- `windows.privileges.Privs` Lists process token privileges.
- `windows.pslist.PsList` Lists the processes present in a particular Windows memory image.
- `windows.psscan.PsScan` Scans for processes present in a particular Windows memory image.
- `windows.pstree.PsTree` Plugin for listing processes in a tree based on their parent process ID.
- `windows.registry.certificates.Certificates` Lists the certificates in the registry's Certificate Store.
- `windows.registry.hivelist.HiveList` Lists the registry hives present in a particular memory image.
- `windows.registry.hivescan.HiveScan` Scans for registry hives present in a particular Windows memory image.
- `windows.registry.printkey.PrintKey` Lists the registry keys under a hive or a specific key value.
- `windows.registry.userassist.UserAssist` Prints UserAssist registry keys and information.
- `windows.ssdt.SSDT` Lists the system call table.
- `windows.statistics.Statistics`
- `windows.strings.Strings` Reads output from the strings command and indicates which process(es) each string belongs to.
- `windows.symlinkscan.SymlinkScan` Scans for links present in a particular Windows memory image.
- `windows.vadinfo.VadInfo` Lists process memory ranges.
- `windows.virtmap.VirtMap` Lists virtual mapped sections.

### macOS

- `mac.bash.Bash` Recovers bash command history from memory.
- `mac.check_syscall.Check_syscall` Checks the system call table for hooks.
- `mac.check_sysctl.Check_sysctl` Checks sysctl handlers for hooks.
- `mac.check_trap_table.Check_trap_table` Checks the mach trap table for hooks.
- `mac.ifconfig.Ifconfig` Lists loaded kernel modules.
- `mac.kauth_listeners.Kauth_listeners` Lists kauth listeners and their status.
- `mac.kauth_scopes.Kauth_scopes` Lists kauth scopes and their status.
- `mac.kevents.Kevents` Lists event handlers registered by processes.
- `mac.list_files.List_Files` Lists all open file descriptors for all processes.
- `mac.lsmod.Lsmod` Lists loaded kernel modules.
- `mac.lsof.Lsof` Lists all open file descriptors for all processes.
- `mac.malfind.Malfind` Lists process memory ranges that potentially contain injected code.
- `mac.mount.Mount` A module containing a collection of plugins that produce data typically found in the Mac `mount` command.
- `mac.netstat.Netstat` Lists all network connections for all processes.
- `mac.proc_maps.Maps` Lists process memory ranges that potentially contain injected code.
- `mac.psaux.Psaux` Recovers program command line arguments.
- `mac.pslist.PsList` Lists the processes present in a particular Mac memory image.
- `mac.pstree.PsTree` Plugin for listing processes in a tree based on their parent process ID.
- `mac.socket_filters.Socket_filters` Enumerates kernel socket filters.
- `mac.timers.Timers` Checks for malicious kernel timers.
- `mac.trustedbsd.Trustedbsd` Checks for malicious TrustedBSD modules.
- `mac.vfsevents.VFSevents` Lists processes that are filtering file system events.

## Conclusion

Today we covered the basics of the memory forensics tool Volatility; every explanation here is aimed at people who want to try Volatility. Once you get used to it and use it to the full, it will give you an amazing boost in your digital forensics ability. When you need more reliable results than `strings` and regex can give, Volatility is the first tool you should use. You can also write your own plugins, so you can add functions for your own needs.
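As an added example of post-processing plugin output (not code from this page or from the Volatility project), the script below cross-checks the `windows.pslist.PsList` and `windows.psscan.PsScan` listings described above and renders a `PsTree`-style hierarchy. It assumes each plugin's rows were exported with `vol.py -r json` and that the record keys match the plugins' `PID`, `PPID`, `ImageFileName`, `Offset(V)` and `ExitTime` columns; the sample records are constructed, not real output.

```python
"""Cross-check Volatility 3 process listings (added example; not code from the
page or from the Volatility project). Record keys are assumed to match the
PID / PPID / ImageFileName / Offset(V) / ExitTime columns that windows.pslist
and windows.psscan print, as emitted by `vol.py -r json`."""
from collections import defaultdict


def rec(pid, ppid, name, offset, exit_time=None):
    """Build one record in the assumed column layout."""
    return {"PID": pid, "PPID": ppid, "ImageFileName": name,
            "Offset(V)": offset, "ExitTime": exit_time}


# Constructed sample, not real output: PID 4812 is reachable only by pool
# scanning and never exited; PID 3100 is a normally terminated process.
PSLIST = [rec(4, 0, "System", 0x1000), rec(600, 4, "smss.exe", 0x2000),
          rec(700, 600, "csrss.exe", 0x3000), rec(900, 600, "wininit.exe", 0x4000),
          rec(1200, 900, "services.exe", 0x5000), rec(2500, 1200, "svchost.exe", 0x6000)]
PSSCAN = PSLIST + [rec(4812, 2500, "svchost.exe", 0x7000),
                   rec(3100, 1200, "notepad.exe", 0x8000, "2024-01-01 10:00:00")]


def hidden_processes(pslist, psscan):
    """Split psscan-only hits into (hidden, exited): a hit with no ExitTime is a
    candidate for a process unlinked from the active list, one with an ExitTime
    merely terminated. PID and offset are compared so PID reuse cannot mask a hit."""
    listed = {(p["PID"], p["Offset(V)"]) for p in pslist}
    hidden, exited = [], []
    for p in psscan:
        if (p["PID"], p["Offset(V)"]) not in listed:
            (exited if p["ExitTime"] else hidden).append(p)
    return hidden, exited


def process_tree(records):
    """Render a PsTree-style view. Returns (lines, orphans): indented
    'name (pid)' lines, plus the PIDs whose parent is missing from the listing
    (parent exited or hidden), which the tree shows at top level."""
    by_pid = {p["PID"]: p for p in records}
    children = defaultdict(list)
    for p in records:
        children[p["PPID"]].append(p["PID"])
    orphans = sorted(p["PID"] for p in records
                     if p["PPID"] not in by_pid and p["PPID"] != 0)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{by_pid[pid]['ImageFileName']} ({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(pid for pid in by_pid if by_pid[pid]["PPID"] not in by_pid):
        walk(root, 0)
    return lines, orphans
```

A psscan-only hit without an ExitTime deserves a look with `windows.malfind.Malfind` and `windows.cmdline.CmdLine` before drawing conclusions, since the pool scan can also pick up stale objects.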