Memory Analysis using Volatility - printkey
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
printkey – a volatility plugin that is used print a registry key, and its subkeys and values. This plugin will search all hives and print the key information(if found) for the requested key. Therefore, if the key is located in more than one hive, the information for the key will be printed for each hive that contains it.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
In this sample, we will use the Volatility printkey plugin to print a specific registry location from our captured memory dump. In our case, we list “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” registry key.
This plugin can help the analyst enumerate a registry key and check what its subkeys, and values, without extracting the registry hives.
Looking at the sample below, we can see the value, and subkeys inside this registry key.
If the information of interest is found, we can then dump the registry hives for further analysis.
Our syntax will be like: vol.exe -f <mem_dump> –profile=<OS_version> printkey -K <registry_key>
In this sample, we will use the printkey plugin to investigate the registry hive of our system infected with Zeus Banking malware.
The image below, we list the registry key “Software\Microsoft\Windows\CurrentVersion\Run” to see its values and subkeys. This registry key is commonly used by malware to persist on the system and survive the reboot.
We can see by listing the Run registry key using the plugin a value named GoogleUpdate.exe is found and we can see that it is residing inside AppData\Local which is not a normal location for Google Update.
