Memory Analysis using Volatility - symlinkscan

Volatility is a tool used for extracting digital artifacts from volatile memory (RAM) samples. It uses a set of plugins that extract these artifacts quickly and efficiently.

symlinkscan is a Volatility plugin that prints the symbolic link objects found in memory.

Symbolic Link – any file that contains a reference to another file or directory in the form of an absolute or relative path, and that affects path-name resolution.

MUP (Multiple UNC Provider) – a kernel-mode component responsible for channeling all remote file system accesses that use a Universal Naming Convention (UNC) name to a network redirector (the UNC provider) capable of handling the remote file system requests. MUP is involved whenever an application uses a UNC path.

From an incident response perspective, the volatile data residing in the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions and registry hives, which can be a valuable source of evidence and is typically not stored on the local hard disk. This is one of the investigator’s favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.

During an incident, after an attacker has successfully gained initial access (level 1), they may conduct reconnaissance against other systems in preparation for lateral movement (level 2). One way to do this is to enumerate all SMB shares mounted on the compromised endpoint, for which an attacker may use WMI, net use, and other commands.

The trick to finding evidence of remote mapped drives in memory is to look for file handles prefixed with \Device\Mup and \Device\LanmanRedirector.

The examples below are artifacts obtained with the Volatility handles plugin together with the symlinkscan plugin.

Typically, when lateral movement has been performed by the attacker, the MUP entries in the handles output will contain the local drive letter, the remote NetBIOS name, and the share and file system path.

The handles output for a MUP path has the form: \Device\Mup\<drive_letter>\<net_bios_name>\<file_system_path>

You may also want to note the process ID responsible for the SMB share access, which can also be found in the handles output.

We can then correlate the handles output with symlinkscan, which also gives us the local drive letter and the creation time of the link, if such a mapping was made on the system.

Our syntax will be: vol.exe -f <mem_dump> --profile=<OS_version> symlinkscan | findstr -i lanman

#note: You can correlate the results of the cmdscan, consoles, handles and symlinkscan plugins to follow the attacker's actions; this lets us build a timeline of the events during the incident.
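The correlation described above, as an added example that is not part of the original article or of Volatility itself: a small Python script that parses the text output of the Volatility 2 handles and symlinkscan plugins, keeps only entries pointing at \Device\Mup or \Device\LanmanRedirector, splits them into drive letter, remote NetBIOS name and share path, and joins the two plugin outputs on the drive letter so that each open remote file is paired with the creation time of its drive mapping. The two sample outputs embedded below are constructed in the plugins' column layout and are not from a real image; the tolerance for a ";Z:<hex>" session-style drive token after the device prefix is an assumption about the path form, not something the article states.

```python
"""Correlate Volatility 2 'handles' and 'symlinkscan' output to recover
remote mapped drives and the time they were created (added example;
not Volatility's own code). Sample plugin output below is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two redirector device prefixes the article tells us to hunt for.
REMOTE_PREFIXES = (r"\Device\Mup", r"\Device\LanmanRedirector")

# Drive token after the prefix. Assumption: accept both a bare 'Z:' and the
# ';Z:<hex session id>' form, so either spelling yields the drive letter.
_DRIVE_TOKEN = re.compile(r"^;?([A-Za-z]):")

# Constructed sample output in the 'handles' plugin layout (not a real image).
HANDLES_SAMPLE = r"""
Offset(V)          Pid      Handle     Access     Type             Details
------------------ -------- ---------- ---------- ---------------- -------
0xfffffa8001d3b070 1832     0x1c       0x100020   File             \Device\HarddiskVolume1\Windows\System32
0xfffffa8001e92f20 3104     0x4c       0x12019f   File             \Device\Mup\Z:\FILESRV01\Finance\budget.xlsx
0xfffffa8001ea1050 3104     0x58       0x100001   File             \Device\LanmanRedirector\;Y:0000000000010fb2\HR-DC01\Payroll
0xfffffa8001f00a10 4        0x6c       0x100080   Key              MACHINE\SYSTEM
"""

# Constructed sample output in the 'symlinkscan' plugin layout (not a real image).
SYMLINKSCAN_SAMPLE = r"""
Offset(P)          #Ptr #Hnd CreateTime                     From                 To
------------------ ---- ---- ------------------------------ -------------------- ----------
0x000000000f80dd50    1    0 2023-03-14 08:01:13 UTC+0000   CdRom0               \Device\CdRom0
0x0000000012a4c0b0    2    1 2023-03-14 09:12:44 UTC+0000   Z:                   \Device\LanmanRedirector\;Z:0000000000012345\FILESRV01\Finance
0x0000000012b7e120    1    0 2023-03-14 09:15:02 UTC+0000   Y:                   \Device\LanmanRedirector\;Y:0000000000010fb2\HR-DC01\Payroll
"""


@dataclass
class RemoteRef:
    drive: Optional[str]               # local drive letter, e.g. "Z:"
    host: Optional[str]                # remote NetBIOS name (or address)
    path: str                          # share and file system path on the remote host
    pid: Optional[int] = None          # only known from 'handles'
    create_time: Optional[str] = None  # only known from 'symlinkscan'


def parse_remote_path(path: str) -> Optional[Tuple[Optional[str], Optional[str], str]]:
    """Split a MUP/LanmanRedirector device path into (drive, host, share_path).
    Any other device path (local volumes, CD-ROM, ...) returns None."""
    lowered = path.lower()
    for prefix in REMOTE_PREFIXES:
        if lowered.startswith(prefix.lower()):
            rest = path[len(prefix):]
            break
    else:
        return None
    parts = [p for p in rest.split("\\") if p]
    drive = None
    if parts:
        m = _DRIVE_TOKEN.match(parts[0])
        if m:
            drive = m.group(1).upper() + ":"
            parts = parts[1:]
    host = parts[0] if parts else None
    return drive, host, "\\".join(parts[1:])


def _data_lines(text: str):
    """Yield plugin output rows, skipping the banner, header and separator lines."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith(("Offset", "---", "Volatility")):
            yield s


def parse_handles(text: str) -> List[RemoteRef]:
    """Keep only File handles whose Details point at a redirector device."""
    refs = []
    for line in _data_lines(text):
        cols = line.split(None, 5)  # Offset Pid Handle Access Type Details
        if len(cols) < 6 or cols[4] != "File":
            continue
        parsed = parse_remote_path(cols[5].strip())
        if parsed is not None:
            drive, host, path = parsed
            refs.append(RemoteRef(drive, host, path, pid=int(cols[1])))
    return refs


def parse_symlinkscan(text: str) -> List[RemoteRef]:
    """Keep only symlinks whose target is a redirector device; the local drive
    letter is the 'From' column and the creation time spans three columns."""
    refs = []
    for line in _data_lines(text):
        cols = line.split()  # Offset #Ptr #Hnd Date Time TZ From To
        if len(cols) < 8:
            continue
        parsed = parse_remote_path(cols[7])
        if parsed is None:
            continue
        drive = cols[6].upper() if re.fullmatch(r"[A-Za-z]:", cols[6]) else parsed[0]
        refs.append(RemoteRef(drive, parsed[1], parsed[2], create_time=" ".join(cols[3:6])))
    return refs


def build_timeline(handles_text: str, symlinkscan_text: str) -> List[dict]:
    """Join handles to symlinks on the drive letter so each open remote file is
    paired with the time its drive mapping was created, ordered by that time."""
    by_drive = {s.drive: s for s in parse_symlinkscan(symlinkscan_text) if s.drive}
    rows = []
    for h in parse_handles(handles_text):
        link = by_drive.get(h.drive)
        rows.append({"create_time": link.create_time if link else None,
                     "drive": h.drive, "host": h.host, "path": h.path, "pid": h.pid})
    rows.sort(key=lambda r: r["create_time"] or "9999")  # unknown times last
    return rows


if __name__ == "__main__":
    for row in build_timeline(HANDLES_SAMPLE, SYMLINKSCAN_SAMPLE):
        print(row)
```

To use it on a real case, save the output of `vol.exe -f <mem_dump> --profile=<OS_version> handles` and of the symlinkscan command above to two files and pass their contents to build_timeline(); the rows it returns (drive, remote host, path, owning PID, mapping creation time) are what you would then line up against cmdscan and consoles output to build the incident timeline.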