Memory Analysis using Volatility - timeliner

Download Volatility Standalone 2.6 for Windows
Install Volatility in Linux

Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.

timeliner – a volatility plugin that is used to create timeline for various artifacts found in the memory.

From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.

 

Plugins
It is essential for any digital investigator to know when the incident initially happened and which files are to responsible for the system’s unusual modifications.
 
Referring to the image below, we can see that the timeliner plugin provides the timestamp, process name, file name, and path for every artifacts volatility found in the memory.