3.2 Using Volatility

Volatility consists of various plugins that can extract different information from the memory image. The python vol.py -h option displays the supported plugins. For instance, if you wish to list the running processes from the memory image, you can use a plugin such as pslist, or if you wish to list the network connections, you can use a different plugin. Irrespective of the plugin that you use, you will use the following command syntax. Using -f, you specify the path to the memory image file, and --profile tells Volatility which system and architecture the memory image was acquired from. The plugin can vary depending on what type of information you would like to extract from the memory image:

$ python vol.py -f <memory image file> --profile=<PROFILE> <PLUGIN> [ARGS]

The following command uses the pslist plugin to list the running processes from the memory image acquired from Windows 7 (32-bit) running Service Pack 1:

$ python vol.py -f mem_image.raw --profile=Win7SP1x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
---------- ---------- ---- ---- ---- ---- ---- ----- ---------------------
0x84f4a958 System 4 0 86 448 ---- 0 2016-08-13 05:54:20
0x864284e0 smss.exe 272 4 2 29 ---- 0 2016-08-13 05:54:20
0x86266030 csrss.exe 356 340 9 504 0 0 2016-08-13 05:54:22
0x86e0a1a0 wininit.exe 396 340 3 75 0 0 2016-08-13 05:54:22
0x86260bd0 csrss.exe 404 388 10 213 1 0 2016-08-13 05:54:22
0x86e78030 winlogon.exe 460 388 3 108 1 0 2016-08-13 05:54:22

[....REMOVED....]
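
As an added example (not code from the book or from the Volatility project), the following Python parser reads pslist text output such as the listing above and applies a parent-process sanity check of the kind an analyst runs over the process list first. It assumes the whitespace-collapsed column layout shown above and uses the well-known expected parents of the core Windows boot processes.

```python
import re
from collections import namedtuple

# Constructed sample input: the pslist rows shown above, with whitespace collapsed.
SAMPLE_PSLIST = """\
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
0x84f4a958 System 4 0 86 448 ---- 0 2016-08-13 05:54:20
0x864284e0 smss.exe 272 4 2 29 ---- 0 2016-08-13 05:54:20
0x86266030 csrss.exe 356 340 9 504 0 0 2016-08-13 05:54:22
0x86e0a1a0 wininit.exe 396 340 3 75 0 0 2016-08-13 05:54:22
0x86260bd0 csrss.exe 404 388 10 213 1 0 2016-08-13 05:54:22
0x86e78030 winlogon.exe 460 388 3 108 1 0 2016-08-13 05:54:22
"""

Proc = namedtuple("Proc", "offset name pid ppid threads handles session wow64 start")
# One data row; Thds/Hnds/Sess may be dashes ("----" for a process with no session).
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+|-+)\s+(\d+|-+)\s+"
                 r"(\d+|-+)\s+(\d)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", re.I)

def _num(tok):
    # Integer column, or None where pslist printed dashes.
    return None if set(tok) == {"-"} else int(tok)

def parse_pslist(text):
    """Turn pslist text output into Proc records; banner and header lines do not match."""
    procs = []
    for m in (ROW.match(line.strip()) for line in text.splitlines()):
        if m:
            f = m.groups()
            procs.append(Proc(int(f[0], 16), f[1], int(f[2]), int(f[3]), _num(f[4]),
                              _num(f[5]), _num(f[6]), int(f[7]), f[8]))
    return procs

# Expected parent (lower-cased) for the core Windows boot processes.
EXPECTED_PARENT = {"smss.exe": "system", "csrss.exe": "smss.exe",
                   "wininit.exe": "smss.exe", "winlogon.exe": "smss.exe",
                   "services.exe": "wininit.exe", "lsass.exe": "wininit.exe"}

def check_parents(procs):
    """Map PID -> verdict for the core processes. 'parent-exited' is normal for the
    children of smss.exe: the per-session smss instance exits after spawning them."""
    by_pid = {p.pid: p for p in procs}
    verdicts = {}
    for p in (q for q in procs if q.name.lower() in EXPECTED_PARENT):
        parent = by_pid.get(p.ppid)
        verdicts[p.pid] = ("parent-exited" if parent is None else
                           "ok" if parent.name.lower() == EXPECTED_PARENT[p.name.lower()]
                           else "unexpected-parent:" + parent.name)
    return verdicts
```

Anything other than "ok" or "parent-exited" for these processes is worth a closer look with the other plugins covered later in this chapter.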

Sometimes, you might not know what profile to supply to Volatility. In that case, you can use the imageinfo plugin, which will determine the correct profile. The following command displays multiple profiles that are suggested by the imageinfo plugin; you can use any of the suggested profiles:

$ python vol.py -f mem_image.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s): Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (Users/Test/Desktop/mem_image.raw)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x82974be8L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0x82975c00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2016-08-13 06:00:43 UTC+0000
Image local date and time : 2016-08-13 11:30:43 +0530

Most of the Volatility plugins, such as pslist, rely on extracting the information from the Windows operating system structures. These structures vary across different versions of Windows; the profile (--profile) tells Volatility which data structures, symbols, and algorithms to use.

The help option, -h (--help), which you saw previously, displays help that applies to all of the Volatility plugins. You can use the same -h (--help) option to determine the various options and arguments supported by a particular plugin. To do that, just type -h (--help) after the plugin name. The following command displays the help options for the pslist plugin:

$ python vol.py -f mem_image.raw --profile=Win7SP1x86 pslist -h

At this point, you should have an understanding of how to run Volatility plugins on an acquired memory image and how to determine various options supported by a plugin. In the following sections, you will learn about the different plugins and how to use them to extract forensic artifacts from the memory image.
