Memory Analysis using Volatility - volshell
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
volshell – a volatility plugin that is used to interactively explore a memory image. This gives you an interface similar to WinDbg into the memory dump. For example, you can:
- List Process
- Switch into a process’s context
- Displays types of structure/objects
- Overlay a type over a given address
- Walk linked lists
- Disassemble code at a given address.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
Using Volatility volshell plugin, we can peak inside the memory address.
We can choose to use -p(PID) supplied with PID of the process to investigate to interact directly inside the memory.
Here are the few commands we can use to view content inside the volatile memory:
- dis – Disassemble.
- dd – Display as double word.
- db – Display as Hex Dump.
- dt – Display structure then followed by like “_EPROCESS”.
In this sample, we take the address 0x1000000 of PID 1560 and disassemble using dis command.
The syntax will be like:
In Windows: vol.exe -f <memdump> –profile=<OS> volshell -p 1560
In Linux: python vol.py -f <memdump> –profile=<OS> volshell -p 1560