Memory Analysis using Volatility - yarascan
Volatility is a tool used for extraction of digital artifacts from volatile memory(RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time efficient and quick manner.
yarascan – a volatility plugin that is used to scan process or kernel memory with Yara signatures.
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.
Using the Volatility yarascan plugin, we can be able to speed up the process to look for interesting information by using -y option and feed it with the signature we want to find.
In the sample below, we will attempt to use “notepad.pdb” that is found inside notepad.exe process to see if yarascan able to find it inside our volatile memory.
We can see that using yarascan, it able to find the owner process and the process ID.
Our syntax will be like: vol.exe -f <mem_dump> –profile=<OS_version> yarascan -Y “<signature”
In this sample, we will investigate a volatile memory that is infected with Sinowal malware using Volatility yarascan plugin.
First, we run netscan to list for connection and retrieve network related IOCs.
Next, if valuable information is retrieved using netscan plugin we can then use it as a signature for yarascan.
In this case we have detected that our local system is connecting to outbound ip address: 18.104.22.168
Now, we can see the processes that contains this signature.
In this case both these processes has the signature:
Process name: Sinowal.exe PID: 4016
Process name: regsvr32.exe PID: 3020
We can then use the information to investigate further.