Memory Analysis using Volatility - moddump
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
moddump – a volatility plugin that is used dump a kernel driver to an executable file sample to disk.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
After listing all the loaded modules using modules plugin, we can then use the Volatility moddump to dump it to disk for further analysis. We will use -b option and feed it with the base address of the kernel driver of choice.
In the sample below, we will dump srv.sys to disk.
First, Run modules plugin and copy the base address.
Next, use the syntax below.
Our syntax will be: vol.exe -f <mem_dump> –profile=<OS_version> moddump -b <base_address> -D <dest>
Then, a kernel driver will be dumped to the specified location.
#note: These steps can help if the system is infected with low level operating malware specially rootkits which operates below the system level, most rootkit implement and use a service to install itself as a kernel driver which gives the malware a full access to the system. Dumping the said malicious driver can aid the analyst to analyze the driver to create and IOCs.