Memory Analysis using Volatility - mftparser
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
mftparser – a volatility plugin that is used to scan for and parses potential MFT entries.
MFT – can be considered one of the most important files in the NTFS files system. It keeps records of all files in a volume, the file’s location in the directory, the physical location of the files in on the drive and the file metadata. There is at least on entry in the MFT for every file on an NTFS file system volume, including the MFT itself. All information about a file, including its size, time and data stamps, permissions, and data content is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must
Using Volatility mftparser plugin, it can help the investigator answer the following questions
- What time was the attack delivered?
- How long was the system compromised?
- What was the first sign of lateral movement?
- What data are exfiltrated?
Our syntax will be like: vol.exe -f <mem_dump> –profile=<OS_version> mftparser
#note: You can use filtering like findstr or grep for this plugin as it returns huge amount of data.
#note: mftparser plugin will return huge amount of information as it prints all the file in the MFT entries, the best use is to extract the output and dump to disk as a .txt file for better analysis.