Memory Forensics With Volatility Framework

The document outlines a project focused on performing memory forensics using the Volatility Framework to identify malware artifacts in a memory dump. It details the setup process, including downloading necessary files and installing the Volatility framework, followed by specific commands to analyze the memory dump for active processes, network connections, and potential malware. The analysis reveals the presence of malware, identified as KB00207877.exe, which is set to run at system startup, indicating malicious activity.

Project Title: Memory Forensics with Volatility Framework.

Objective: Perform forensic analysis on a memory dump to identify malware artifacts.

Tools required: Volatility Framework.

Prerequisites: CSI Linux

Tasks to be Followed:

1. Setting up the Environment for Testing

2. Scanning the memory dump with Volatility to identify the malware

Task 1: Setting up the Environment for Testing

1.1 Download the required file from the link:
https://drive.google.com/file/d/1LzLIb1DBbWDYYeoy20u1aO7F6TJD_7gb/view?usp=sharing

1.2 After downloading the file, right-click on it and select the "Extract to"
option from the pop-up menu.

1.3 Go to the Desktop, create a folder named "memdumps," and extract the archive into
that folder; it contains the memory image cridex.vmem.

1.4 Open the "memdumps" folder where cridex.vmem now sits, right-click inside it, and
select "Open Terminal Here," so that the commands in Task 2 run in the same directory as the image.

1.5 Install the Volatility framework using the command:
sudo snap install volatility-phocean

Task 2: Scan the memory dump to identify the Malware

2.1 First, use the command volatility -f cridex.vmem imageinfo. This analyzes the memory
image and suggests the OS profile(s) that match it (e.g., WinXPSP2x86). imageinfo is a
heuristic, so when several profiles are listed the chosen one should be confirmed by checking
that a plugin such as pslist returns sensible output with it.

From the output, we can identify that the OS is most likely Windows XP SP2 (WinXPSP2x86),
which is the source of the memory dump.

2.2 Then use the command volatility -f cridex.vmem --profile=WinXPSP2x86 pslist to list the
processes in the active process list at the time the memory dump was created.
From the output, we can see explorer.exe and reader_sl.exe running. explorer.exe is the normal
Windows desktop shell and is expected on any logged-in XP system; reader_sl.exe (the Adobe
Reader Speed Launcher helper) is a small program that normally starts, does its job and exits,
so finding it still resident is the reason it is singled out in the following steps.

2.3 Then use the command volatility -f cridex.vmem --profile=WinXPSP2x86 pstree. This
command displays a hierarchical tree view of the same processes, indented by parent-child
relationship, at the time the memory dump was created.

From the output, we can verify that explorer.exe is running and that reader_sl.exe is its
child process.

2.4 Then, use the command volatility -f cridex.vmem --profile=WinXPSP2x86 cmdline to
display the command line used to launch each process in the memory image.
From the output, we identified the PID of reader_sl.exe as 1640 and that of explorer.exe as 1484.

2.5 Then, use the command volatility -f cridex.vmem --profile=WinXPSP2x86 connscan to
scan the memory dump for TCP connection objects, both active and already closed, including
ones that are no longer linked into the standard connection tables and therefore would not
be shown by the connections plugin. Because connscan carves these objects out of physical
memory, it can also return stale entries, so each hit should be tied back to a process before
it is acted on.

At this step we can identify that explorer.exe (PID 1484) has a connection to the remote address
41.168.5.140. The desktop shell has no normal reason to talk to an external host on its own,
so this is the first concrete indicator of compromise.
2.6 Then use the command volatility -f cridex.vmem --profile=WinXPSP2x86 procdump -p
1640 --dump-dir=. to extract the executable image of the process with PID 1640
(reader_sl.exe) from the memory image.

At this step, we have extracted the process executable and saved it as the file
executable.1640.exe in the current directory.

2.7 Then, use the command volatility -f cridex.vmem --profile=WinXPSP2x86 memdump -p
1640 --dump-dir=. to dump the entire addressable memory of the process, not just its
executable, into the file 1640.dmp.

2.8 Then, use the command strings 1640.dmp | grep -Fi "41.168.5.140" -C 5 to extract the
printable strings from the process memory dump and show five lines of context around each
occurrence of the IP address 41.168.5.140 from step 2.5.

The matching context contains an HTTP POST request to that host, which suggests that the
malware was exfiltrating data via HTTP POST.

2.9 After this, the extracted executable (executable.1640.exe) can be checked against VirusTotal
to determine whether it is a known malicious sample. Look up its SHA-256 hash first and upload
the file itself only if the hash is unknown, since an uploaded sample is shared beyond the
analyst who submitted it.
2.10 Then, use the command volatility -f cridex.vmem --profile=WinXPSP2x86 printkey -K
"Software\\Microsoft\\Windows\\CurrentVersion\\Run" to print the contents of a specific
Windows Registry key from every hive found in memory. In this case, it's the Run key, which is
commonly used by malware to maintain persistence on the system.

In this step, we aim to detect any unauthorized program registered to execute at logon.
The value KB00207877.exe was found in the Run key, which is not expected and indicates
potential malicious activity.
2.11 Now use the command strings 1640.dmp | grep -Fi "KB00207877.exe" to search for the
string KB00207877.exe in the process memory dump file 1640.dmp using the strings utility.

From this, we can see that KB00207877.exe is referenced inside the memory of reader_sl.exe
(PID 1640), the same dump that held the HTTP POST to 41.168.5.140, while the connection itself
was attributed to explorer.exe (PID 1484); this is consistent with the malware's code being
present in both processes. The same file is registered in the Run key, so it is set to run at
every logon. Based on this, we can conclude that we have found the malware.
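The cross-referencing that steps 2.2 to 2.11 do by hand (pstree parentage, connscan endpoints, Run-key values and grep context inside the process dump) can be scripted once and re-run on any image. The script below is an added example; it is not code from this write-up or from the Volatility project. Its regexes follow the column layout Volatility 2.6 prints for pslist, connscan and printkey; run_volatility assumes the volatility launcher from Task 1 is on PATH; and the sample outputs embedded at the bottom are constructed to mirror the findings above (PIDs 1484 and 1640, the remote host 41.168.5.140, the KB00207877.exe Run value), not real output captured from cridex.vmem.

```python
"""Triage helpers for the Volatility 2 output used in Task 2 (added example,
not code from the write-up or the Volatility project).  The regexes follow
the column layout Volatility 2.6 prints for pslist, connscan and printkey.
The samples at the bottom are CONSTRUCTED to mirror the write-up's findings."""
import re
import subprocess
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid")
Conn = namedtuple("Conn", "local remote pid")
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def run_volatility(image, profile, plugin, *args):
    """Run one Volatility 2 plugin and return its stdout (assumes the
    'volatility' launcher installed in Task 1 is on PATH)."""
    cmd = ["volatility", "-f", image, "--profile=" + profile, plugin, *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_pslist(text):
    """pslist rows begin with the EPROCESS offset: Offset Name PID PPID ..."""
    rows = re.findall(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s", text, re.M)
    return [Proc(n, int(p), int(pp)) for n, p, pp in rows]


def parse_connscan(text):
    """connscan rows: Offset  local ip:port  remote ip:port  Pid"""
    rows = re.findall(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$", text, re.M)
    return [Conn(l, r, int(p)) for l, r, p in rows]


def parse_run_values(text):
    """printkey prints each value as:  REG_SZ  <name>  : (S|V) <data>"""
    rows = re.findall(r"^REG_(?:EXPAND_)?SZ\s+(\S+)\s+:\s+\([SV]\)\s+(.*)$", text, re.M)
    return {name: data.strip().strip('"') for name, data in rows}


def children_of(procs, parent_name):
    """Processes whose parent is named parent_name (what pstree shows)."""
    names = {p.pid: p.name.lower() for p in procs}
    return [p for p in procs if names.get(p.ppid) == parent_name.lower()]


def pids_talking_to(conns, remote_ip):
    """PIDs with a connection (live or already closed) to remote_ip, any port."""
    return sorted({c.pid for c in conns if c.remote.rsplit(":", 1)[0] == remote_ip})


def user_writable_run_entries(values):
    """Run entries whose image sits in a per-user, user-writable folder (XP's
    'Application Data', Temp, AppData); legitimate installers rarely do that."""
    pat = re.compile(r"Application Data|\\Temp\\|\\AppData\\", re.I)
    return {n: d for n, d in values.items() if pat.search(d)}


def context_around(dump, needle, width=48):
    """grep -C for a raw process dump: printable text around every hit of
    needle (bytes), with runs of non-printable bytes collapsed to one space."""
    hits, start = [], 0
    while (i := dump.find(needle, start)) >= 0:
        chunk = dump[max(0, i - width):i + len(needle) + width]
        hits.append(re.sub(rb"[^\x20-\x7e]+", b" ", chunk).decode().strip())
        start = i + len(needle)
    return hits


def triage(pslist_txt, connscan_txt, printkey_txt, dump, remote_ip):
    """Cross-reference the three plugin outputs and the process dump the way
    the write-up does by hand; returns plain data that can be asserted on."""
    procs = parse_pslist(pslist_txt)
    by_pid = {p.pid: p.name for p in procs}
    talkers = pids_talking_to(parse_connscan(connscan_txt), remote_ip)
    return {
        "children_of_explorer": [p.name for p in children_of(procs, "explorer.exe")],
        "beaconing": {pid: by_pid.get(pid, "?") for pid in talkers},
        "suspicious_autoruns": user_writable_run_entries(parse_run_values(printkey_txt)),
        "dump_context": context_around(dump, remote_ip.encode()),
    }


# CONSTRUCTED samples in Volatility 2.6's column layout; not real tool output.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0x82301020 explorer.exe           1484   1464     17      415      0      0 2012-01-01 00:00:00 UTC+0000
0x821dea70 reader_sl.exe          1640   1484      5       39      0      0 2012-01-01 00:00:00 UTC+0000
"""
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
0x02087620 192.168.56.101:1038       41.168.5.140:8080         1484
"""
PRINTKEY_SAMPLE = """\
Key name: Run (S)
Values:
REG_SZ        KB00207877.exe  : (S) "C:\\Documents and Settings\\User\\Application Data\\KB00207877.exe"
"""
DUMP_SAMPLE = (b"\x00\x00\x00POST /upload HTTP/1.1\r\nHost: 41.168.5.140:8080\r\n"
               b"\x00\x00KB00207877.exe\x00\x00")
```

To run it against the real image from the memdumps folder, replace the three sample strings with run_volatility("cridex.vmem", "WinXPSP2x86", "pslist"), the same call with "connscan", and run_volatility("cridex.vmem", "WinXPSP2x86", "printkey", "-K", RUN_KEY), and pass the bytes of the 1640.dmp file written by memdump in step 2.7 as the dump argument. The path heuristic in user_writable_run_entries only ranks Run entries for attention; the hash lookup from step 2.9 is still what confirms the file is malicious.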
