Hello, everyone, and welcome to memory analysis. In this session, we're gonna learn about how we can analyze the memory we dumped from our machine in the last session, using Volatility. Memory analysis occurs after we've acquired a memory dump from the target system.

To perform our memory analysis, we can use a tool called Volatility. Volatility is an open-source command-line tool written in Python that can be run on 32-bit and 64-bit versions of Windows, Linux and macOS. This will allow us to extract digital artifacts from our memory image.

Now there's two ways that you can install and use Volatility. You could download the source code and dependencies, but probably the easiest way is to download the Volatility standalone executable. The advantage here is that you don't need to install Python or any of the Volatility dependencies, as it comes packaged with the executable. Then all you need to do is run it from the command line.

Volatility works by extracting different information from the memory image by using a series of plugins. Using plugins, you can enumerate running processes, look at virtual memory, understand what handles a piece of malware is using, and many, many more. The plugins, however, are dependent on the OS you've acquired, so a necessary first step is to pass Volatility the imageinfo target. Using this option, Volatility will extract information from the various Windows operating system structures and output the proper profile so that you can use the various plugins for the correct system architecture.

To use Volatility and obtain the proper image info is fairly straightforward. The first command-line switch that we want to use is -f. This tells Volatility to use the file that we supply after the switch and run imageinfo on that target. This is going to be the memory file that you captured. Now, this could take a few minutes, depending on how big of a memory file you have.

Once Volatility completes its scan on the target memory file, it outputs a list of suggested profiles to use as you further conduct your research. These suggestions are made based on the Windows structures and the process list. Now, in my list, I've got a few suggested profiles, and I typically begin by using the first one, so to specify that I want to use the Win7SP1x64 profile, I can use it in my command line by using the --profile command-line switch. To use it, I replace the imageinfo command with --profile= and the one that I want to use. So in this case, I want to use Win7SP1x64.

Now, before we press enter, we need to do something with this memory file. Volatility supports a myriad of commands. To see which commands Volatility supports, you can always use the -h flag, and this output will help you. To begin our analysis, we can start by enumerating processes using the pslist plugin. To enable the pslist plugin, you simply type pslist after the profile and press enter. pslist will then give you a list of running processes from when you took the memory snapshot.

Okay, so at this point, you should be pretty comfortable with using Volatility at the command line. It's pretty simple to use, and remember, if you need additional assistance, you can always use the -h flag. In the next session, let's look at some additional memory analysis features that we can use with Volatility.
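The workflow the lecture walks through (run imageinfo, take the first suggested profile, run pslist with it) as a small shell wrapper. This is an added example, not code from the lecture or from the Volatility project; it assumes the Volatility 2 standalone executable is reachable as "volatility" (override with VOL=...), and the imageinfo output it parses is a constructed sample, not output from a real image.

```bash
#!/usr/bin/env bash
# Added example (not from the lecture): wraps the Volatility 2 workflow
# described above: run imageinfo, take the first suggested profile, then
# run pslist with that profile.
# Assumption: the standalone executable is reachable as "volatility"; the real
# file name differs by release, so override with VOL=/path/to/volatility.exe.
VOL="${VOL:-volatility}"

# Constructed sample of the relevant part of imageinfo output, used only to
# exercise the parsing below offline (not captured from a real image).
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/memory.raw)'

# list_profiles: read imageinfo output on stdin, print one suggested profile per line
list_profiles() {
  sed -n 's/^ *Suggested Profile(s) *: *//p' | tr -d ' ' | tr ',' '\n'
}

# first_profile: the profile the lecture picks by default (the first suggestion)
first_profile() {
  list_profiles | head -n 1
}

# run_imageinfo FILE: the "-f FILE imageinfo" step (can take a few minutes)
run_imageinfo() {
  "$VOL" -f "$1" imageinfo
}

# run_plugin FILE PROFILE PLUGIN: "-f FILE --profile=PROFILE PLUGIN"
run_plugin() {
  "$VOL" -f "$1" --profile="$2" "$3"
}

# analyze FILE: full workflow; fails loudly if imageinfo suggested nothing,
# which usually means a damaged dump or an OS the installed profiles don't cover
analyze() {
  img="$1"
  profile="$(run_imageinfo "$img" | first_profile)"
  if [ -z "$profile" ]; then
    echo "imageinfo suggested no profile for $img" >&2
    return 1
  fi
  echo "using profile $profile" >&2
  run_plugin "$img" "$profile" pslist
}

# Stand-alone use: ./vol_pslist.sh /path/to/memory.raw
if [ -n "${1:-}" ]; then
  analyze "$1"
fi
```

The profile step is specific to Volatility 2; Volatility 3 resolves symbol tables from the image itself and has no --profile switch, so this wrapper targets the version the lecture uses. When imageinfo lists several profiles, the first is only a starting point: if pslist returns garbage or nothing, retry with the next suggestion before concluding the dump is bad.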
Advanced Malware Analysis: Redux
In this course, we introduce new techniques to help speed up analysis and transition students from malware analyst to reverse engineer. We skip the malware analysis lab setup and put participants hands-on with malware analysis.