Memory Analysis using Volatility - filescan

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

filescan a volatility plugin that is used to print file objects.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

 

In an incident, we must know what files are being extracted from the compromised systems or what file object is responsible for infecting our system, if it involves a phishing document, .exe, .dll and etc.

Using the Volatility filescan plugin, we can be able to open and search our volatile memory for opened file handles. 

This file handles are in a form of .pf, .txt, .docs, .pdf, .rar, .dll and many other file objects.

In searching the volatile memory, it will print a lot of information, so the best is to dump it to disk and save it as a .txt file or if you want a quick view when using Windows OS, you can filter it by using findstr, and on Linux, you can use grep.

In this lab, we are using Windows platform and we can pipe our output to findstr to search for specific file(s).

Our syntax will be like: vol.exe -f –profile= filescan | findstr -i