Memory Analysis using Volatility - cmdscan

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

cmdscan a volatility plugin that is used to extract command history by scanning for _COMMAND_HISTORY structure.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

 

During an incident, an attacker may perform lateral movement to gain full access to the whole organization. 

For us, responders/analyst/investigator, when investigating patient zero we must know what commands are executed by the attacker to perform such attacks and what tools the attacker uses to perform lateral movement.

Using the Volatility cmdscan plugin, we can extract the command line history that can be used as breadcrumbs to follow the 2nd stage of lateral movement the attack has made.

In this sample, we execute the sample command line arguments and then dump the volatile memory and run the Volatility cmdscan plugin.

Our syntax will be like: vol.exe -f <mem_dump> –profile=<OS_version> cmdscan

#note: The result of this plugin may vary depending on the command history on the system itself. It may print a huge amount of information, in which case we can extract the result and dump it to disk as a .txt file to give us a good view.