Mastering Memory Forensics with Volatility

Hello everyone, welcome back to the Blue Team training series sponsored or brought to you by Linode and Hackersploit. In this video we're going to be exploring the process of performing memory forensics with volatility, more specifically how to analyze memory dumps with volatility. So in the previous video, we essentially took a look at how we can essentially dump our memory or volatile memory, if you will, also known as RAM from an infected Linux system for the purpose of analysis. And in this video, we'll be taking a look at how to utilize pretty much, you know, one of the most powerful memory forensics tools, which is called volatility. So More specifically, we'll be focusing on how to analyze Windows memory dumps because those are the memory dumps that you're going to be frequently dealing with. But you can simply apply the same process to Linux memory dumps. I'll be explaining what volatility is and how it can be used because it really is very simple and very powerful. The only thing that you'll need in regards to prerequisites is, of course, as I'll explore shortly, you need to have an understanding of how to essentially dump memory from both Windows and Linux systems. In this case, we're really not going to be covering the process of dumping Windows memory, because, again, there's plenty of tools that can be used to do that. So what will we be covering in this video? I'll give you an introduction to volatility. We'll then take a look at how to install volatility and how to analyze memory dumps with volatility. So the prerequisites are going to be, you know. Fairly simple. So you can see that you need to have a basic familiarity with digital forensics, familiarity with Linux and various command line utilities, and a basic understanding of how the Linux kernel works, primarily because we're going to be working on Linux. So let's get an introduction to volatility. So what is volatility? Well, volatility is an open source memory forensics framework for incident response and malware analysis. It is written in Python. and supports Microsoft Windows, Mac OS and Linux. We can utilize volatility to analyze and extract important information from a memory dump. This information will help us identify running processes, files, user information, hashes, etc. This information is very important because it allows an incident responder to identify when an attack occurred, where it originated from, and much more. So, you know, by analyzing a memory dump, you pretty much get a good idea of what was running at the time what files were open what files were being modified etc etc and this you know can be used to to sort of get a holistic view of what happened with regards to the actual intrusion or the compromise of this system it's very important to note however that volatility has two versions namely volatility 2 and volatility 3 now these versions are based on the fact that you know volatility was written in Python so volatility 2 is written in Python 2 and volatility 3 is written in Python 3 in this case we'll be utilizing volatility 2 as it has a large number of useful plugins if you're not familiar with plugins don't worry this will make sense in a couple of seconds as for the learning resources you can take a look at the volatility github repository and we are going to be utilizing a few you know, intentionally created memory labs that have been structured in a CTF format. So our objective will be to find flags within the actual memory. And, you know, we'll be utilizing some of these labs to essentially learn how to extract useful information from a Windows memory dump. Now in regards to the actual infrastructure, we're going to be utilizing the same Ubuntu 18.04 server that we had set up for analysis. And the reason I'm using Ubuntu 18.04 is primarily because Ubuntu 18.04 repositories already have the volatility to package within them. And that means we can easily install volatility without any issues. So with that being said, we can actually get started with a practical demonstration. So I'll just switch over to my Ubuntu VM. All right, so I am back on my Ubuntu VM and I'm currently on the Volatility GitHub repository. This link will be added as a resource to this video and of course all the links used will also be added. So you can see this is the GitHub repo here. You can take a look at the brief description that it provides us. So this is a volatile memory extraction utility framework. The volatility framework is a completely open collection of tools implemented in Python under the GNU general public license. for the extraction of digital artifacts from volatile memory also known as RAM. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research. So again based on the documentation here, you can see that all utility supports investigations of the following memory images. So this is for Windows. So you can see it supports memory images taken or dumped from Windows XP all the way to Windows Server 2016. In the case of Windows 10 and Windows Server 2016, you can see it provides you with, you know, the requirements in terms of the build number for Windows 10. So including at least the following, the following build number there. As for Linux, you can see it supports 32-bit Linux kernels and 64-bit Linux kernels from version 2.6.11 to 5.5. And these are the supported distributions. So we have OpenSUSE, Ubuntu, Debian, CentOS, Fedora, Mandravia, etc. And you can also, again, extract information from macOS memory dumps right over here. So it's important to note. that volatility does not provide memory sample acquisition capabilities for acquisition they are both free and commercial solutions available one of them is lime and of course in the case of windows which we will not be covering in this series there's plenty of tools that can be used to dump windows memory one of which we'll actually see running you know within the actual memory dump of the windows system that we'll be analyzing or extracting information from so in terms of the usage it's fairly simple to use if you type in the info command with volatility you'll be provided with the address spaces here also the profiles this is very important and we'll get to that when we get there and then plug-in so this is arguably the most important aspect of volatility these are the plugins so plugins essentially allow you to extract or dump information from the actual memory dump so you know for example we can display the process command line arguments, we can extract history by scanning for command history, etc, etc. So as I said, I'm going to be, I'm going to be utilizing an Ubuntu 18.04 server set up on Linode. And what I'm going to do is I'm just going to change this to, we can just say DFIR, because we're not dealing with a compromised Linux system now. And we're going to be downloading the memory dump, you know, from another GitHub repo that I'll showcase in a couple of seconds. So I've already logged into that server via SSH, as you can see here. And if we take a look at the Memlabs GitHub repository, you can see this is a GitHub repository that essentially contains, as it says here, it essentially contains an introductory set of CTF style challenges, which is aimed to encourage students, security researchers, and also CTF players to get started with the field of memory forensics. So there's about six labs here and they're sorted based on their difficulty. So lab zero will essentially give you a write up as to what needs to be done and how to utilize volatility to essentially find the flags. And we're going to be using lab one. So if we click on lab one, which is called beginner's luck, that is also easy, we'll click on that there. And you will be provided with the actual challenge description, which is very important. So again, this sets the stage for you being a or for you essentially emulating the role of an incident responder. So my sister's computer crashed. We are very fortunate to recover this memory dump. Your job is to get all the important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. All right, so that looks like there's some form of malware here. When the crash happened, she was trying to draw something. Hmm, interesting. That's all we remember from the time of the crash because the memory dump was taken at that particular point in time Which is you know, very useful. So this challenge is composed of three flags. I'll not be going I'll not be getting all the flags. I'll only maybe get one or two and I can leave the rest to you guys So we have the MD5 hash for the memory dump so you can compare it when you actually download it and extract it. So the challenge file is available on Mega. It's about 155 megabytes and it is a 7-zip archive and once you extract it it's going to the memory dump is I think a couple of gigabytes. So I've already downloaded this within my downloads directory. And in terms of resources, we're going to be utilizing CyberChef, which I'll be explaining. It essentially allows you to encode and decode various types of hashes and a ton more. But yeah, so what we'll do firstly is we'll get a volatility installed. So make sure you update your repository. So sudo apt-get update and sudo apt-get install volatility. I already have volatility installed. And we'll give this a couple of seconds. All right, so volatility is running, or we're running the latest version of volatility, which is version 2.6. That's perfectly fine. And now we actually need to transfer the memlabs 1.7 zip file onto this analysis server or the system we're going to be using for the analysis. So that file is on my local system, so I can copy it over with SSH. So I'll use the SCP command. and say from my downloads directory I want you to transfer memlabs 1.7 zip to the following server so I'll just get my server ip here on linode there we are I'll just copy that there and I want to save it in the in the home directory of the root user so I'll hit enter that's going to prompt me to my to enter my password here which I will do and that's going to transfer that file so you can see it's about 150 megabytes or so and we're going to give this a couple of seconds so that's going to transfer over i'm just going to wait for this to complete all right so once the file is transferred i'm just going to close this particular window there and if i list out the contents of my home directory you can see we have memlabs there so to install or to extract this we're going to be using a utility called p7 zip which you can install using the aptitude package manager. And we're going to say decompress or unzip memlabs. This is going to take a while because the file is quite large, as you'll actually see in a couple of seconds. So there we are, it's going to extract memory dump lab one dot raw, which is a Windows memory dump. However, we don't know the actual operating system or the addition of Windows. So I'll say D U S H here. to display the size of the memory dump, it's about one gig. So that's perfectly fine there. Once that is done, what we need to do now is we can actually open up volatility, right. So I'll, I'll just run the volatility command, and we can open up the help menu, right. So there we are, you can see it's working perfectly fine. And the help command will essentially give you the various command line options to use. So You have the ability to debug volatility, specify the plugin you'd like to use, print information about all registered objects, that's very important, and then you can specify the file name. And of course, in a couple of seconds, this argument is pretty much going to be used to load in the memory dump itself. And we can also, there are a few other options here that we can use. These are the supported plugin commands that we can use. And if we actually display the info command here, just going to type that in there, that's going to give you an idea of all the plugins. So these are all the plugins available. So you can see they're sorted based on the operating system. So these are the Mac plugins. And then you have the Linux plugins here. And the reason why I ran the help command is because it displays the it actually displayed the active plugins, which are currently available to us. So these are all the Windows plugins here, which we'll be exploring, we'll actually be focusing on some of the most important ones. And then of course, if we take a look at the other options here, you can see we have the profiles, right. So the profile aspect of volatility is very important because this, you will need to specify the profile based on the type of memory dump you're dealing with. So for example, if the memory dump A file was taken from a Windows 10 system, which is a 64 bit, you'd need to specify that profile. Now we can easily identify the profile to use for our memory dump that we have right over here, which is just called memory dump lab one, by typing in the following the following command. So we can say volatility file, memory dump lab one dot raw. And we can then say image info, we can use the image info plugin. And that will tell us the version of Windows here. So let's go ahead and do that. We'll give this a couple of seconds and that should actually tell us what version of Windows is running or what version of Windows this memory dump was taken from. All right. So as you can see, it tells us right over here. So the suggested profiles, the first one is pretty much the best option here. So it looks like this dump was taken from. a system running Windows 7 Service Pack 1 x64. And you know, it then gives you information here regarding, you know, the actual AS layer one, which tells you right over here, the Windows AMD 64 page memory, and then the file address space. And then of course, you have the DTB address there, etc. Okay, so the image date and time, that's when it was taken. and the local time is set here so uh plus five hours and 30 minutes i think that's uh plus five hours 30 minutes gmt time but i could be wrong there all right so this information is very useful because what we can do now is we can perform a k a kdgb scan the kdgb the kdbg scan is used to essentially display the structure maintained by the Windows kernel for debugging processes or purposes. It essentially contains a list of the running processes and the loaded kernel modules and will essentially you know give us information regarding the actual operating system that it came from. So this is much more accurate and it'll tell us the architecture. So what we can do is again just specify that we want to in this case we'll just say profile We can just say KDGB scan, and we'll give that a couple of seconds. We must specify what we want to do. We've not specified a profile yet. In that case, we can specify the profile that was recommended. So we can say profile is equals to Windows 7 SP1. x64 and then specify KDGB scan so I'll hit enter and in this case it looks like we're still getting an error let me see that here so KDBG scan not GB so KDBG scan and I'll hit enter and this should work now and we'll give this a couple of seconds so remember our objective is to find the flags you know hidden and of course this is just used for training purposes so again there we are you can see that it's going to display quite a lot of output but it actually tells us right over here so in instantiating kdbg using the following kernel and we get the actual kdbg owner tag check which is set to true the profile suggestion in this case is windows 7 service pack 1 x64 and the version is 64-bit all right so that means we're using the correct profile and we can essentially get started with extracting important information so the first bit of information that we can try and extract is the list of running processes that was or the processes that were running during the actual capture or the actual dump so now that we have the profile specified we're just going to say ps list to display the list of running processes there we are and we'll give this a couple of seconds and there we go so from that memory dump volatility allows us to see what windows processes were running at the time of this particular at the time when that memory dump was taken and you can actually see we have the offset here we then have the name of the process the process id which is going to be very important and then you have the ppid the threads handles and then of course the actual start time which is really, really cool. And if we take a look at the brief here, we can see that this individual's sister's computer crashed and what she was doing, there wasn't any mention of her name, but she saw a black window pop up with something being executed and she was trying to draw something. So let's see if we can identify any of those processes here. If we take a look at all the processes, we can see that the dump it utility here was actually used to make the dump, which is again, that's a tool you can use to make a Windows memory dump. We don't see anything interesting here. So maybe those processes were hidden. So how do we identify hidden processes? Well, we can do that by essentially running the following command. So instead of saying PS list, we can essentially type in PS. A tree. All right, so we'll give that a couple of seconds. And there we are. Okay, so we can now start to see that we have cmd.exe and MsPaint. So it looks like the individual sister was actually utilizing MsPaint to draw something that makes sense. And then she actually saw a black screen, which, you know, would be cmd.exe. So this, we actually need to investigate these processes. However, let's take a close look at some of the other processes here. We can actually see at the time of this memory dump, we have WinRAR also running at the time. And yeah, that pretty much looks like the most important ones here. So we know that we have, you know, MS Paint and cmd.exe. So what we can do is let's explore the WinRAR process. And let's see what it was doing. Alright, so we're going to check the commands that launched that specific program. And in order to do that, we're just going to copy the process ID for WinRAR, which is 1512. And we can use the previous command here. And instead of saying PS tree, we can say command line. And you know, we can specify the process ID, which is 1512. And hit enter. And in this case, it tells us that this is what was done. So command line C program files, WinRAR, WinRAR.exe. And it looks like WinRAR was pressing or extracting the following file. So important dot raw, very, very interesting there. Okay, so important or raw. And we know that the sister's name is Elisa Simpson, and this was under documents. Okay, so that is very, very important information. So we've identified that now one thing I want to do is actually want to utilize the console plugin. So what I'll do here is I'll just say volatility. just to explain what it does info and i'll just grep and say consoles there we are we'll give this a couple of seconds and you can see con the consoles plugin is used to extract command history all right so let's see what uh what commands were being executed in cmd.exe so what we could do is we could specify the process id for that uh using the command line uh plugin or we can also use the consoles plugin but let's say 1984 just to see what what was going on here all right so yeah that makes sense cmd was executed with system or administrative privileges so we can now say consoles and hit enter and let's see what this displays here so command history okay i think i saw a flag there but uh let's go back here. So we can see that the console process connection host.exe. Let's see. Nothing there command history. If we take a look at this here, we can see that see users smartnet ran the following process. And we then get the following base 64 encoded string of text. So I'm guessing this is a flag here. And yeah, it is a flag. So because it's encoded in base 64, we can essentially just echo the content of the flag here. So I'll just say echo, and we can then pipe this to base 64. And say, you know, we can actually just decrypt that. And there we are. So we get the first flag. So flag, this is the first flag. Excellent. So hopefully, this is giving you an insight as to how to utilize volatility to identify impetus. important bits of information. Now, again, in this case, you know, this is just being used to find flags, but it's giving you an idea of the various plugins to use and where to use them. All right, so we found the first flag, which is great. I think I'll find one more and then I'll leave the final one to you guys. Okay, so that's flag one down. One thing I realized, if we actually take a look at, if we take a look at the WinRAR, process because we had there we are so command line process 1512 we actually saw this very interesting file here right so that file is uh under c uses alyssa simpson documents important dot rar so i'm guessing that that was actually the output file so something was compressed within that and saved under the following path as important of raw so how can we actually uh you know perform a file scan on this particular file to learn more about it well we can save volatility and again we're just going to get rid of command line and we're going to use the file scan plugin and we're then going to say grip I and we're looking for an we're looking for a specific file. In this case, it's important dot RAR. And let's get the information for that particular file. So we would need the actual there we are. So it actually displays that there. Now if you want to learn more about this, I can say volatility. And you know, I can say info. and let me just cancel that there and I'm going to pipe and say grep and file scan just to learn what it does. You can see that this is a pool scanner for file objects so we've identified the offset for that particular file and what we can do now to actually dump the file from the actual memory dump onto our local system is we can utilize volatility again with the previous command here And in this case, we can get rid of that there. And I'm just going to say, sorry, let me just terminate that there, we're just going to use the previous command. And instead of using the file scan plugin, what we're going to say is we're going to utilize the dump files, the dump files plugin, and then specify the offset. So again, if I just open up the actual volatility help menu here, you should be able to see, sorry, that's on my own system, my bad. So let me let me just explain what we're going to be doing so volatility help and we used utilizing the Q The Q command here and we're going to use a couple of others that are very important So I just wanted to explain them with the official nomenclature So we are going to be utilizing the D the D option which is really not being displayed here So I'm guessing I'm going to be I'm going to have to utilize the actual info command so let me just open that up and I'll show you how to dump that particular file to our local system so these are all the plugins here we're then going to have the profiles and that should be displayed here it's not being displayed there that's very interesting but yeah I'll just give you the command that needs to be run so we're going to dump that But we're getting rid of the file scan plugin and we're going to be utilizing the dump files The dump files plugin we're going to specify the offset, but in order to do that we're going to need the offset So I'm just going to run the previous command again just to get the offset for that particular file there and There we are. Okay, so I can run the previous command and we can say dump files And then we use hyphen uppercase Q specify the actual offset here. And let's just copy that there. And what we're going to do then is we're going to specify where we want this saved, right, so I'm going to say D and in the current working directory, so D and we then specify file. And then we can say file dot data or file dot that hit enter, you can see that we should have that file there. So file dot data here. And if I say D, u, s, h, there we are, we can see we have dumped it. And we know that this is a tar file. So I'm just going to, you know, change the extension from file dot non dot data to important dot RAR. That is what the file was called, you know, on the system when the memory dump was taken. And if we say tar x z vf important dot tar, let's see that doesn't exist. That's very weird. ch mod plus x important dot tar. Let me just change that command accordingly. And if we say important.tar, that doesn't look like it's working. That's very interesting. Can we use unrar? Let's see if that works there. So important.rar, we need to get that. So yeah, that's we're not really dealing with a tar ball, we're actually dealing with a file that is in format. So apt-get install unrar. Let me just type that in here. So apt-get install unrar. and we're going to extract it so under our x important dot rar Okay, so it's saying we need a password and then it tells us the password is the NTLM hash in uppercase of Elisa's account password. Okay, so in order to get flag three, that's interesting. We actually got flag three. So in order to extract this, we are going to need to dump the hashes, the NTLM hashes. And, you know, we need the actual NTLM hash in uppercase for the for Elisa's account. In order to do this, we're going to need to utilize volatility again. So let me just select the previous command here. So instead of using the file scan plugin, we can utilize a plugin called hash dump. Absolutely insane. So I'll hit enter. And that should give us the hashes. Let's see if we actually get that. There we are. Fantastic. All right, so we need the actual hash. in uppercase for Elisa. So this is an NTLM system. So we know that, you know, this is going to be the hash here, because the first value really doesn't change. So we're going to need to copy that there. And that's where CyberChef comes into play. That'll just, you know, change it to uppercase. So we can say to uppercase, put our input and it changes it to uppercase there. And we can now try and extract. or unrar the file here. So there we are, I'll paste that in there. And we get flag three dot PNG. Alright, so it is a PNG flag, which is, which means we actually have to transfer it to our own system, or to my local Ubuntu system to actually view it. So the way we're going to do this is I'm going to open up my previous SCP command. So what we want to do here is we want to get the file called flag three dot PNG. So we're copying this from the remote server to our current working directory. And it's going to ask me for my server password, which I will gladly provide. There we are. So we've got flag three within my home directory. And if we open up like three, there we are. So there's the third flag. So flag three, there we are. So that was easy. Fair enough. That was easy. So That is how to utilize volatility for memory forensics. Now, of course, I haven't covered all the plugins you can utilize, you know, in order to extract important information. But as I said, everything is available to you, you know, with a click of a particular command. So, you know, you can just run the volatility info command and you can get access to the plugins you can use based on the operating system memory dump that you're trying to extract information from. Another interesting one that we can take a look at is dump registry and the environment variables, right? So we can say dump registry. And the other one that we wanted to use was, let's see if I can find it here. I believe the one that I wanted to showcase, let's see. So the one I wanted to showcase really was going to be the environment variable option. we can dump the registry with dumped files. So environment variables and dump registry. Alright, so we'll just say environment variables. And we can then say dump registry. So these are all the environment variables there, a lot of data is going to be produced. And then we can say dump registry. The most important thing to take into consideration is going to be the actual profile you use. In this case, we'll need to specify the dump directory or where we want to dump it to. And that's we had done previously with the dump files option. So, you know, if I say D and specify my current working directory, you can see it's going to write out the registry to the following registry files, which we can then analyze on a Windows system. So. If I list out the contents of my current working directory, you can see all of the registries there. So these are the registries for security, default software, etc. And you can go ahead and analyze them. So that is going to conclude the practical demonstration side of this video. So thank you very much for watching. If you have any questions, please feel to ask them on my Twitter, the link to that is going to be added as a resource. Furthermore, all the links highlighted in this video demonstration will also be added as a resource to this video. So you can actually go ahead or actually follow along with the challenge itself and take a look at some of the other challenges that you can actually play through or go through to learn more about how to utilize volatility. With that being said, in the next video, we're going to be continuing our journey into digital forensics by taking a look at how to perform disk analysis with autopsy. So... With that being said, I'll be seeing you in the next video.

And in this video, we'll be taking a look at how to utilize pretty much, you know, one of the most powerful memory forensics tools, which is called volatility. So More specifically, we'll be focusing on how to analyze Windows memory dumps because those are the memory dumps that you're going to be frequently dealing with. But you can simply apply the same process to Linux memory dumps. I'll be explaining what volatility is and how it can be used because it really is very simple and very powerful.

The only thing that you'll need in regards to prerequisites is, of course, as I'll explore shortly, you need to have an understanding of how to essentially dump memory from both Windows and Linux systems. In this case, we're really not going to be covering the process of dumping Windows memory, because, again, there's plenty of tools that can be used to do that. So what will we be covering in this video? I'll give you an introduction to volatility.

We'll then take a look at how to install volatility and how to analyze memory dumps with volatility. So the prerequisites are going to be, you know. Fairly simple. So you can see that you need to have a basic familiarity with digital forensics, familiarity with Linux and various command line utilities, and a basic understanding of how the Linux kernel works, primarily because we're going to be working on Linux.

So let's get an introduction to volatility. So what is volatility? Well, volatility is an open source memory forensics framework for incident response and malware analysis.

It is written in Python. and supports Microsoft Windows, Mac OS and Linux. We can utilize volatility to analyze and extract important information from a memory dump.

This information will help us identify running processes, files, user information, hashes, etc. This information is very important because it allows an incident responder to identify when an attack occurred, where it originated from, and much more. So, you know, by analyzing a memory dump, you pretty much get a good idea of what was running at the time what files were open what files were being modified etc etc and this you know can be used to to sort of get a holistic view of what happened with regards to the actual intrusion or the compromise of this system it's very important to note however that volatility has two versions namely volatility 2 and volatility 3 now these versions are based on the fact that you know volatility was written in Python so volatility 2 is written in Python 2 and volatility 3 is written in Python 3 in this case we'll be utilizing volatility 2 as it has a large number of useful plugins if you're not familiar with plugins don't worry this will make sense in a couple of seconds as for the learning resources you can take a look at the volatility github repository and we are going to be utilizing a few you know, intentionally created memory labs that have been structured in a CTF format. So our objective will be to find flags within the actual memory. And, you know, we'll be utilizing some of these labs to essentially learn how to extract useful information from a Windows memory dump.

Now in regards to the actual infrastructure, we're going to be utilizing the same Ubuntu 18.04 server that we had set up for analysis. And the reason I'm using Ubuntu 18.04 is primarily because Ubuntu 18.04 repositories already have the volatility to package within them. And that means we can easily install volatility without any issues. So with that being said, we can actually get started with a practical demonstration. So I'll just switch over to my Ubuntu VM.

All right, so I am back on my Ubuntu VM and I'm currently on the Volatility GitHub repository. This link will be added as a resource to this video and of course all the links used will also be added. So you can see this is the GitHub repo here.

You can take a look at the brief description that it provides us. So this is a volatile memory extraction utility framework. The volatility framework is a completely open collection of tools implemented in Python under the GNU general public license. for the extraction of digital artifacts from volatile memory also known as RAM. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system.

The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research. So again based on the documentation here, you can see that all utility supports investigations of the following memory images. So this is for Windows. So you can see it supports memory images taken or dumped from Windows XP all the way to Windows Server 2016. In the case of Windows 10 and Windows Server 2016, you can see it provides you with, you know, the requirements in terms of the build number for Windows 10. So including at least the following, the following build number there.

As for Linux, you can see it supports 32-bit Linux kernels and 64-bit Linux kernels from version 2.6.11 to 5.5. And these are the supported distributions. So we have OpenSUSE, Ubuntu, Debian, CentOS, Fedora, Mandravia, etc.

And you can also, again, extract information from macOS memory dumps right over here. So it's important to note. that volatility does not provide memory sample acquisition capabilities for acquisition they are both free and commercial solutions available one of them is lime and of course in the case of windows which we will not be covering in this series there's plenty of tools that can be used to dump windows memory one of which we'll actually see running you know within the actual memory dump of the windows system that we'll be analyzing or extracting information from so in terms of the usage it's fairly simple to use if you type in the info command with volatility you'll be provided with the address spaces here also the profiles this is very important and we'll get to that when we get there and then plug-in so this is arguably the most important aspect of volatility these are the plugins so plugins essentially allow you to extract or dump information from the actual memory dump so you know for example we can display the process command line arguments, we can extract history by scanning for command history, etc, etc. So as I said, I'm going to be, I'm going to be utilizing an Ubuntu 18.04 server set up on Linode.

And what I'm going to do is I'm just going to change this to, we can just say DFIR, because we're not dealing with a compromised Linux system now. And we're going to be downloading the memory dump, you know, from another GitHub repo that I'll showcase in a couple of seconds. So I've already logged into that server via SSH, as you can see here. And if we take a look at the Memlabs GitHub repository, you can see this is a GitHub repository that essentially contains, as it says here, it essentially contains an introductory set of CTF style challenges, which is aimed to encourage students, security researchers, and also CTF players to get started with the field of memory forensics. So there's about six labs here and they're sorted based on their difficulty.

So lab zero will essentially give you a write up as to what needs to be done and how to utilize volatility to essentially find the flags. And we're going to be using lab one. So if we click on lab one, which is called beginner's luck, that is also easy, we'll click on that there. And you will be provided with the actual challenge description, which is very important.

So again, this sets the stage for you being a or for you essentially emulating the role of an incident responder. So my sister's computer crashed. We are very fortunate to recover this memory dump.

Your job is to get all the important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. All right, so that looks like there's some form of malware here.

When the crash happened, she was trying to draw something. Hmm, interesting. That's all we remember from the time of the crash because the memory dump was taken at that particular point in time Which is you know, very useful. So this challenge is composed of three flags. I'll not be going I'll not be getting all the flags.

I'll only maybe get one or two and I can leave the rest to you guys So we have the MD5 hash for the memory dump so you can compare it when you actually download it and extract it. So the challenge file is available on Mega. It's about 155 megabytes and it is a 7-zip archive and once you extract it it's going to the memory dump is I think a couple of gigabytes.

So I've already downloaded this within my downloads directory. And in terms of resources, we're going to be utilizing CyberChef, which I'll be explaining. It essentially allows you to encode and decode various types of hashes and a ton more.

But yeah, so what we'll do firstly is we'll get a volatility installed. So make sure you update your repository. So sudo apt-get update and sudo apt-get install volatility. I already have volatility installed. And we'll give this a couple of seconds.

All right, so volatility is running, or we're running the latest version of volatility, which is version 2.6. That's perfectly fine. And now we actually need to transfer the memlabs 1.7 zip file onto this analysis server or the system we're going to be using for the analysis.

So that file is on my local system, so I can copy it over with SSH. So I'll use the SCP command. and say from my downloads directory I want you to transfer memlabs 1.7 zip to the following server so I'll just get my server ip here on linode there we are I'll just copy that there and I want to save it in the in the home directory of the root user so I'll hit enter that's going to prompt me to my to enter my password here which I will do and that's going to transfer that file so you can see it's about 150 megabytes or so and we're going to give this a couple of seconds so that's going to transfer over i'm just going to wait for this to complete all right so once the file is transferred i'm just going to close this particular window there and if i list out the contents of my home directory you can see we have memlabs there so to install or to extract this we're going to be using a utility called p7 zip which you can install using the aptitude package manager. And we're going to say decompress or unzip memlabs.

This is going to take a while because the file is quite large, as you'll actually see in a couple of seconds. So there we are, it's going to extract memory dump lab one dot raw, which is a Windows memory dump. However, we don't know the actual operating system or the addition of Windows.

So I'll say D U S H here. to display the size of the memory dump, it's about one gig. So that's perfectly fine there.

Once that is done, what we need to do now is we can actually open up volatility, right. So I'll, I'll just run the volatility command, and we can open up the help menu, right. So there we are, you can see it's working perfectly fine. And the help command will essentially give you the various command line options to use.

So You have the ability to debug volatility, specify the plugin you'd like to use, print information about all registered objects, that's very important, and then you can specify the file name. And of course, in a couple of seconds, this argument is pretty much going to be used to load in the memory dump itself. And we can also, there are a few other options here that we can use.

These are the supported plugin commands that we can use. And if we actually display the info command here, just going to type that in there, that's going to give you an idea of all the plugins. So these are all the plugins available. So you can see they're sorted based on the operating system.

So these are the Mac plugins. And then you have the Linux plugins here. And the reason why I ran the help command is because it displays the it actually displayed the active plugins, which are currently available to us.

So these are all the Windows plugins here, which we'll be exploring, we'll actually be focusing on some of the most important ones. And then of course, if we take a look at the other options here, you can see we have the profiles, right. So the profile aspect of volatility is very important because this, you will need to specify the profile based on the type of memory dump you're dealing with.

So for example, if the memory dump A file was taken from a Windows 10 system, which is a 64 bit, you'd need to specify that profile. Now we can easily identify the profile to use for our memory dump that we have right over here, which is just called memory dump lab one, by typing in the following the following command. So we can say volatility file, memory dump lab one dot raw. And we can then say image info, we can use the image info plugin.

And that will tell us the version of Windows here. So let's go ahead and do that. We'll give this a couple of seconds and that should actually tell us what version of Windows is running or what version of Windows this memory dump was taken from. All right. So as you can see, it tells us right over here.

So the suggested profiles, the first one is pretty much the best option here. So it looks like this dump was taken from. a system running Windows 7 Service Pack 1 x64. And you know, it then gives you information here regarding, you know, the actual AS layer one, which tells you right over here, the Windows AMD 64 page memory, and then the file address space. And then of course, you have the DTB address there, etc.

Okay, so the image date and time, that's when it was taken. and the local time is set here so uh plus five hours and 30 minutes i think that's uh plus five hours 30 minutes gmt time but i could be wrong there all right so this information is very useful because what we can do now is we can perform a k a kdgb scan the kdgb the kdbg scan is used to essentially display the structure maintained by the Windows kernel for debugging processes or purposes. It essentially contains a list of the running processes and the loaded kernel modules and will essentially you know give us information regarding the actual operating system that it came from. So this is much more accurate and it'll tell us the architecture. So what we can do is again just specify that we want to in this case we'll just say profile We can just say KDGB scan, and we'll give that a couple of seconds.

We must specify what we want to do. We've not specified a profile yet. In that case, we can specify the profile that was recommended.

So we can say profile is equals to Windows 7 SP1. x64 and then specify KDGB scan so I'll hit enter and in this case it looks like we're still getting an error let me see that here so KDBG scan not GB so KDBG scan and I'll hit enter and this should work now and we'll give this a couple of seconds so remember our objective is to find the flags you know hidden and of course this is just used for training purposes so again there we are you can see that it's going to display quite a lot of output but it actually tells us right over here so in instantiating kdbg using the following kernel and we get the actual kdbg owner tag check which is set to true the profile suggestion in this case is windows 7 service pack 1 x64 and the version is 64-bit all right so that means we're using the correct profile and we can essentially get started with extracting important information so the first bit of information that we can try and extract is the list of running processes that was or the processes that were running during the actual capture or the actual dump so now that we have the profile specified we're just going to say ps list to display the list of running processes there we are and we'll give this a couple of seconds and there we go so from that memory dump volatility allows us to see what windows processes were running at the time of this particular at the time when that memory dump was taken and you can actually see we have the offset here we then have the name of the process the process id which is going to be very important and then you have the ppid the threads handles and then of course the actual start time which is really, really cool. And if we take a look at the brief here, we can see that this individual's sister's computer crashed and what she was doing, there wasn't any mention of her name, but she saw a black window pop up with something being executed and she was trying to draw something. So let's see if we can identify any of those processes here.

If we take a look at all the processes, we can see that the dump it utility here was actually used to make the dump, which is again, that's a tool you can use to make a Windows memory dump. We don't see anything interesting here. So maybe those processes were hidden. So how do we identify hidden processes? Well, we can do that by essentially running the following command.

So instead of saying PS list, we can essentially type in PS. A tree. All right, so we'll give that a couple of seconds.

And there we are. Okay, so we can now start to see that we have cmd.exe and MsPaint. So it looks like the individual sister was actually utilizing MsPaint to draw something that makes sense.

And then she actually saw a black screen, which, you know, would be cmd.exe. So this, we actually need to investigate these processes. However, let's take a close look at some of the other processes here. We can actually see at the time of this memory dump, we have WinRAR also running at the time. And yeah, that pretty much looks like the most important ones here.

So we know that we have, you know, MS Paint and cmd.exe. So what we can do is let's explore the WinRAR process. And let's see what it was doing. Alright, so we're going to check the commands that launched that specific program.

And in order to do that, we're just going to copy the process ID for WinRAR, which is 1512. And we can use the previous command here. And instead of saying PS tree, we can say command line. And you know, we can specify the process ID, which is 1512. And hit enter. And in this case, it tells us that this is what was done.

So command line C program files, WinRAR, WinRAR.exe. And it looks like WinRAR was pressing or extracting the following file. So important dot raw, very, very interesting there. Okay, so important or raw. And we know that the sister's name is Elisa Simpson, and this was under documents.

Okay, so that is very, very important information. So we've identified that now one thing I want to do is actually want to utilize the console plugin. So what I'll do here is I'll just say volatility. just to explain what it does info and i'll just grep and say consoles there we are we'll give this a couple of seconds and you can see con the consoles plugin is used to extract command history all right so let's see what uh what commands were being executed in cmd.exe so what we could do is we could specify the process id for that uh using the command line uh plugin or we can also use the consoles plugin but let's say 1984 just to see what what was going on here all right so yeah that makes sense cmd was executed with system or administrative privileges so we can now say consoles and hit enter and let's see what this displays here so command history okay i think i saw a flag there but uh let's go back here.

So we can see that the console process connection host.exe. Let's see. Nothing there command history.

If we take a look at this here, we can see that see users smartnet ran the following process. And we then get the following base 64 encoded string of text. So I'm guessing this is a flag here.

And yeah, it is a flag. So because it's encoded in base 64, we can essentially just echo the content of the flag here. So I'll just say echo, and we can then pipe this to base 64. And say, you know, we can actually just decrypt that.

And there we are. So we get the first flag. So flag, this is the first flag. Excellent.

So hopefully, this is giving you an insight as to how to utilize volatility to identify impetus. important bits of information. Now, again, in this case, you know, this is just being used to find flags, but it's giving you an idea of the various plugins to use and where to use them. All right, so we found the first flag, which is great.

I think I'll find one more and then I'll leave the final one to you guys. Okay, so that's flag one down. One thing I realized, if we actually take a look at, if we take a look at the WinRAR, process because we had there we are so command line process 1512 we actually saw this very interesting file here right so that file is uh under c uses alyssa simpson documents important dot rar so i'm guessing that that was actually the output file so something was compressed within that and saved under the following path as important of raw so how can we actually uh you know perform a file scan on this particular file to learn more about it well we can save volatility and again we're just going to get rid of command line and we're going to use the file scan plugin and we're then going to say grip I and we're looking for an we're looking for a specific file.

In this case, it's important dot RAR. And let's get the information for that particular file. So we would need the actual there we are.

So it actually displays that there. Now if you want to learn more about this, I can say volatility. And you know, I can say info. and let me just cancel that there and I'm going to pipe and say grep and file scan just to learn what it does.

You can see that this is a pool scanner for file objects so we've identified the offset for that particular file and what we can do now to actually dump the file from the actual memory dump onto our local system is we can utilize volatility again with the previous command here And in this case, we can get rid of that there. And I'm just going to say, sorry, let me just terminate that there, we're just going to use the previous command. And instead of using the file scan plugin, what we're going to say is we're going to utilize the dump files, the dump files plugin, and then specify the offset. So again, if I just open up the actual volatility help menu here, you should be able to see, sorry, that's on my own system, my bad.

So let me let me just explain what we're going to be doing so volatility help and we used utilizing the Q The Q command here and we're going to use a couple of others that are very important So I just wanted to explain them with the official nomenclature So we are going to be utilizing the D the D option which is really not being displayed here So I'm guessing I'm going to be I'm going to have to utilize the actual info command so let me just open that up and I'll show you how to dump that particular file to our local system so these are all the plugins here we're then going to have the profiles and that should be displayed here it's not being displayed there that's very interesting but yeah I'll just give you the command that needs to be run so we're going to dump that But we're getting rid of the file scan plugin and we're going to be utilizing the dump files The dump files plugin we're going to specify the offset, but in order to do that we're going to need the offset So I'm just going to run the previous command again just to get the offset for that particular file there and There we are. Okay, so I can run the previous command and we can say dump files And then we use hyphen uppercase Q specify the actual offset here. And let's just copy that there.

And what we're going to do then is we're going to specify where we want this saved, right, so I'm going to say D and in the current working directory, so D and we then specify file. And then we can say file dot data or file dot that hit enter, you can see that we should have that file there. So file dot data here. And if I say D, u, s, h, there we are, we can see we have dumped it. And we know that this is a tar file.

So I'm just going to, you know, change the extension from file dot non dot data to important dot RAR. That is what the file was called, you know, on the system when the memory dump was taken. And if we say tar x z vf important dot tar, let's see that doesn't exist.

That's very weird. ch mod plus x important dot tar. Let me just change that command accordingly.

And if we say important.tar, that doesn't look like it's working. That's very interesting. Can we use unrar?

Let's see if that works there. So important.rar, we need to get that. So yeah, that's we're not really dealing with a tar ball, we're actually dealing with a file that is in format. So apt-get install unrar.

Let me just type that in here. So apt-get install unrar. and we're going to extract it so under our x important dot rar Okay, so it's saying we need a password and then it tells us the password is the NTLM hash in uppercase of Elisa's account password. Okay, so in order to get flag three, that's interesting.

We actually got flag three. So in order to extract this, we are going to need to dump the hashes, the NTLM hashes. And, you know, we need the actual NTLM hash in uppercase for the for Elisa's account. In order to do this, we're going to need to utilize volatility again.

So let me just select the previous command here. So instead of using the file scan plugin, we can utilize a plugin called hash dump. Absolutely insane. So I'll hit enter. And that should give us the hashes.

Let's see if we actually get that. There we are. Fantastic. All right, so we need the actual hash. in uppercase for Elisa.

So this is an NTLM system. So we know that, you know, this is going to be the hash here, because the first value really doesn't change. So we're going to need to copy that there. And that's where CyberChef comes into play. That'll just, you know, change it to uppercase.

So we can say to uppercase, put our input and it changes it to uppercase there. And we can now try and extract. or unrar the file here. So there we are, I'll paste that in there. And we get flag three dot PNG.

Alright, so it is a PNG flag, which is, which means we actually have to transfer it to our own system, or to my local Ubuntu system to actually view it. So the way we're going to do this is I'm going to open up my previous SCP command. So what we want to do here is we want to get the file called flag three dot PNG. So we're copying this from the remote server to our current working directory.

And it's going to ask me for my server password, which I will gladly provide. There we are. So we've got flag three within my home directory. And if we open up like three, there we are.

So there's the third flag. So flag three, there we are. So that was easy. Fair enough. That was easy.

So That is how to utilize volatility for memory forensics. Now, of course, I haven't covered all the plugins you can utilize, you know, in order to extract important information. But as I said, everything is available to you, you know, with a click of a particular command. So, you know, you can just run the volatility info command and you can get access to the plugins you can use based on the operating system memory dump that you're trying to extract information from.

Another interesting one that we can take a look at is dump registry and the environment variables, right? So we can say dump registry. And the other one that we wanted to use was, let's see if I can find it here. I believe the one that I wanted to showcase, let's see.

So the one I wanted to showcase really was going to be the environment variable option. we can dump the registry with dumped files. So environment variables and dump registry. Alright, so we'll just say environment variables.

And we can then say dump registry. So these are all the environment variables there, a lot of data is going to be produced. And then we can say dump registry. The most important thing to take into consideration is going to be the actual profile you use. In this case, we'll need to specify the dump directory or where we want to dump it to.

And that's we had done previously with the dump files option. So, you know, if I say D and specify my current working directory, you can see it's going to write out the registry to the following registry files, which we can then analyze on a Windows system. So. If I list out the contents of my current working directory, you can see all of the registries there. So these are the registries for security, default software, etc.

And you can go ahead and analyze them. So that is going to conclude the practical demonstration side of this video. So thank you very much for watching. If you have any questions, please feel to ask them on my Twitter, the link to that is going to be added as a resource.

Furthermore, all the links highlighted in this video demonstration will also be added as a resource to this video. So you can actually go ahead or actually follow along with the challenge itself and take a look at some of the other challenges that you can actually play through or go through to learn more about how to utilize volatility. With that being said, in the next video, we're going to be continuing our journey into digital forensics by taking a look at how to perform disk analysis with autopsy. So... With that being said, I'll be seeing you in the next video.

Transcript for:Mastering Memory Forensics with Volatility

Transcript for:
Mastering Memory Forensics with Volatility