Memory Analysis using Volatility - auditpol

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

auditpol – a volatility plugin that is used to verify what types
of events to expect.By default, the Security event log is turned off in Windows XP.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

Using the Volatility auditpol plugin, we can see what are the logs to expect when extracting event logs on our captured memory.

Here are some things to note when using auditpol plugin:

      • Not logged – Disabled logging
      • SSuccessful operation is logged
      • F – Failed operation is logged

The syntax will be like:

In Windows: vol.exe -f <memdump> –profile=<OS> auditpol

In Linux: python -f <memdump> –profile=<OS> auditpol

#Note: For the sake of demo, we use Windows XP distro that is why all logs were disabled by default.