Memory Analysis using Volatility - dumpfiles

Volatility is a tool used for extracting digital artifacts from volatile memory (RAM) samples. Volatility uses a set of plugins that extract these artifacts quickly and efficiently.

Dumpfiles – Files are cached in memory for system performance as they are accessed and used. This makes the cache a valuable source from a forensic perspective, since we can correctly retrieve files that were in use rather than relying on file carving, which ignores how items are mapped in memory. Dumpfiles iterates through the VAD and extracts all the files that are mapped as DataSectionObject, ImageSectionObject, or SharedCacheMap.

From an incident response perspective, the volatile data residing in the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.

Using the Volatility dumpfiles plugin, we can extract a file either with a targeted search that matches a regex pattern or by using the physical offset address of the file of interest.

In this demo, we will be using the physical offset address to dump the file.

First, we use the Volatility filescan plugin to get the file’s physical address.

In this case, we are hunting for the file named wuaumqr.exe inside our volatile memory.

Next, we run Volatility dumpfiles with the -Q option.

Finally, we can view the extracted file of interest and perform further analysis on it.

The syntax is:

On Windows: vol.exe -f <memorydump> --profile=<OS> dumpfiles -Q <physical_offset> -D <directory>

On Linux: python vol.py -f <memorydump> --profile=<OS> dumpfiles -Q <physical_offset> -D <directory>

#note: To get the physical address of the file, use the filescan plugin from Volatility.

In this demo, we will be using a regex pattern to dump the file of interest.

The syntax is:

On Windows: vol.exe -f <memdump> --profile=<OS> dumpfiles --regex .evtx$ --ignore-case -D <directory>
On Linux: python vol.py -f <memdump> --profile=<OS> dumpfiles --regex .evtx$ --ignore-case -D <directory>

What this command does is:

First, it uses the regex pattern “.evtx$” to search for matching file names inside our volatile memory.
Then, --ignore-case makes that search case-insensitive.

#note: This approach dumps the MFT-resident entries that match the .evtx$ regex pattern from volatile memory on Windows 7 and later.
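The following script is an added example, not code from the original post or from the Volatility project. It ties both workflows above together: it parses Volatility 2 filescan output (the physical-offset approach) and applies a case-insensitive regex to the same rows (the --regex/--ignore-case approach), then prints the dumpfiles -Q command for each hit so you can review what will be dumped before running it against a real image. The filescan rows, the image name memory.raw, the profile Win7SP1x64 and the output directory are constructed assumptions; real rows come from `python vol.py -f <memdump> --profile=<OS> filescan`. Note that the post’s pattern `.evtx$` has an unescaped dot, which matches any character; the example uses `\.evtx$` so only a literal “.evtx” extension matches.

```shell
#!/bin/sh
# Added example (not from the original post or Volatility). Parses Volatility 2
# "filescan" output and builds "dumpfiles -Q" commands for (1) one file by name
# and (2) every file matching a case-insensitive regex.
#
# CONSTRUCTED sample filescan output; a real run would be:
#   python vol.py -f <memdump> --profile=<OS> filescan > filescan.txt
SAMPLE_FILESCAN='Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0f6068      8      0 R--r-d \Device\HarddiskVolume1\Windows\System32\wuaumqr.exe
0x000000003e1a2f20     16      0 R--rwd \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
0x000000003e25d9a0     16      0 R--rwd \Device\HarddiskVolume1\Windows\System32\winevt\Logs\APPLICATION.EVTX
0x000000003e2b4c70      2      1 RW-rw- \Device\HarddiskVolume1\Users\Public\my notes.txt'

# filescan_rows: emit "offset<space>path" for every file-object row,
# skipping the banner, header and separator lines. Paths may contain spaces,
# so the first four fixed columns are stripped instead of taking $NF.
filescan_rows() {
    printf '%s\n' "$SAMPLE_FILESCAN" | awk '
        $1 ~ /^0x/ {
            path = $0
            for (i = 1; i <= 4; i++) sub(/^[^ ]+ +/, "", path)   # drop Offset, #Ptr, #Hnd, Access
            print $1, path
        }'
}

# find_by_name NAME: rows whose last path component equals NAME (case-insensitive).
find_by_name() {
    filescan_rows | awk -v name="$1" '
        { n = split($0, parts, "\\\\"); if (tolower(parts[n]) == tolower(name)) print }'
}

# find_offset NAME: just the physical offset(s) for NAME, i.e. the value for dumpfiles -Q.
find_offset() { find_by_name "$1" | awk '{ print $1 }'; }

# match_regex PATTERN: rows whose path matches PATTERN ignoring case, mirroring
# "--regex PATTERN --ignore-case". The pattern travels via the environment so that
# awk -v does not reprocess backslash escapes such as "\.".
match_regex() {
    filescan_rows | VOL_PATTERN="$1" awk '
        BEGIN { pat = tolower(ENVIRON["VOL_PATTERN"]) }
        { path = $0; sub(/^[^ ]+ /, "", path); if (tolower(path) ~ pat) print }'
}

# dumpfiles_cmds MEMDUMP PROFILE OUTDIR: read "offset path" rows on stdin and
# print one dumpfiles -Q command per row (-n keeps the original file name in the
# dumped file's name). Commands are printed, not executed, for review.
dumpfiles_cmds() {
    while read -r off path; do
        printf 'python vol.py -f %s --profile=%s dumpfiles -Q %s -n -D %s   # %s\n' \
            "$1" "$2" "$off" "$3" "$path"
    done
}

echo "# Approach 1: by exact name (the post's wuaumqr.exe example)"
find_by_name wuaumqr.exe | dumpfiles_cmds memory.raw Win7SP1x64 ./dumped

echo "# Approach 2: by regex, case-insensitive (the post's .evtx example, dot escaped)"
match_regex '\.evtx$' | dumpfiles_cmds memory.raw Win7SP1x64 ./dumped
```

Running the script prints one dumpfiles command for wuaumqr.exe and two for the .evtx rows (the uppercase APPLICATION.EVTX row is found only because the match is case-insensitive, which is what --ignore-case buys you). Replacing SAMPLE_FILESCAN with the saved output of a real filescan run turns this into a review step before dumping.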