Memory Analysis using Volatility - consoles
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
consoles – a volatility plugin that is used to extract command history by scanning for _CONSOLE_INFORMATION structure.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
During an incident, an attacker may perform lateral movement to gain full access to the whole organization.
For us, responders/analyst/investigator, when investigating patient zero we must know what commands are executed by the attacker to perform such attacks and what tools the attacker uses to perform lateral movement.
After running the Volatility cmdscan plugin and identifying that certain commands that are used for lateral movement is used by the attacker to compromise the system, we can then use the Volatility consoles plugin to view the command history and its output.
In this sample, we run the Volatility consoles plugin to our dumped volatile memory.
We can then see that certain commands are being executed and we can also see the output of that commands.
Our syntax will be like: vol.exe -f <mem_dump> –profile=<OS_version> consoles
#note: The result of this plugin may vary depending on the command history on the system itself. It may print a huge amount of information in which case we can extract the result and dump it to disk as a .txt file to give us a good view.