Memory Extraction and Analysis Lab: Acquiring Volatile Memory


Time: 4 hours
Difficulty: Beginner
CEU/CPE: 4
Video Transcription
00:00
Hi, and welcome to Everyday Digital Forensics. I'm your host, and today we're going to go over image acquisition using Volatility on volatile memory.
00:09
In this episode, we're going to discuss the Analyze Malicious Activity in Memory Using Volatility lab available in Cybrary IT,
00:16
discuss the Volatility tool itself, the initial steps for that lab, and a demo showing how to acquire data in memory using Volatility.
00:25
So I do recommend that you go through this lab yourself. As you can see, it's an hour long. You will not get the full details of the lab itself or the full experience of it from myself in this episode, as I've focused solely on the acquisition process being performed in this lab and leave the rest for you to go explore.
00:46
So Volatility is an open-source tool, implemented mainly in Python.
00:50
The framework itself is used for extracting digital artifacts from volatile memory
00:55
such as RAM.
00:57
It is supported across all major OSes, from Windows to Linux to Mac, and can be used either as a standalone tool or in your Kali Linux.
01:06
I've provided the GitHub link for those that wish to look more into the source code and understand what the tool itself does. And, of course, the tool comes in various formats, such as [unclear],
01:15
VirtualBox, VMware, or [unclear].
01:19
Volatility itself is a command-line tool.
01:22
If you search for the help, you can see that there are multiple functions that can be called. You can attach additional plugins,
01:30
get some cache information based on the directory file itself,
01:33
set the time zones for what the information means,
01:37
and understand the profile being used when opening the image, and so on.
01:42
From the Kali Linux site, I pulled this Volatility example just so you can understand the information that it will provide.
01:51
On top is an example of an image, and it displays the processes that were running
01:56
from the pslist at the time of that image.
02:00
There's no major set up for this lab.
02:04
You'll be primarily working with a .vmem file, which is an extension that can be found as a paging file from the VMware Workstation virtualization application.
02:15
A .vmem file stores a backup of the guest's main memory on the host file system.
02:21
So here we are within the Analyze Malicious Activity in Memory Using Volatility lab. As you can see, the terminal's open. I started the pre-setup and I'm going to move forward into
02:32
following the instructions. Each lab contains its own instructions, so I definitely advise you to go through the lab and explore on your own.
02:39
I moved to the test directory.
02:44
Check the files, and you can see that I have the virtual memory file called Zeus.
02:53
Do note that the lab itself contains a file. So here I go: I start using volatility -f and call the file.
03:01
I'll ask for the image info, and the tool itself will begin to work.
03:07
Once the command completes running, you'll be presented with the following information. You have your suggested profile, so where this image actually was taken from,
03:17
which kind of layers in particular it is in, such as your paged memory from the file address space.
03:24
Then it breaks down into further information, such as number of processors, your image type,
03:30
such as your service pack, your image date, and your image local date.
03:36
Cool. So we used Volatility to tell us information about the virtual memory alone. Let's see if we can break it down a little bit further and analyze the file itself. So I call
03:47
pslist, which shows the types of processes that were running at that time.
03:57
Starting from the top of the list, you can see that we have a full list of some executable objects that were running. You have your svchost, your winlogon, your [unclear] MSs
04:09
and so on. It also tells you what PID it is, the number of threads.
04:15
Moving down the list, you see your VMUpgradeHelper, your TPAutoConnect service, your Explorer, your VMwareTray, your VMwareUser, and your command that's been executed.
04:28
Let's try another command.
04:29
See what connections were available.
04:31
Running connscan shows the network address information for this virtual memory. So this is the network information that was available during the time that this virtual memory was pulled.
04:47
So now let's try a new command.
04:49
What happens when I do the pstree
04:53
and search for the process 856? You can see that we're looking at the
04:59
svchost executable, and it gives you the same information, just a breakdown
05:03
instead of a full list of all the processes that were given at the time.
05:08
The grep command searches for that particular string and parses that line from your output.
05:19
Now we'll try the mutantscan.
05:23
So in order to scan the physical memory, you'll run the mutantscan
05:27
for KMUTANT objects with pool tag scanning.
05:30
By default, it displays all the objects, but if you pass an -s or a --silent, it'll only show you the name of the mutexes.
05:40
The CID column, which is that blank column in between the zeros and the AVIR, contains a process ID and thread of the mutex owner, if one exists. AVIR is the name of the object itself. This gives you a quick show of the different commands that you can run using Volatility.
06:00
You have your connscan, your mutantscan, your pslist, your pstree; using grep you can parse and grab a particular line. And there are so many more commands that you could also be using with the Volatility command-line tool.
06:16
This is just to kind of open your eyes so that you see how this works.
06:21
Now I just recommend that you go in and you participate in these labs
06:26
and see for yourself the information that you can pull.
06:29
I hope you enjoyed this lecture, where we went over the Analyze Malicious Activity in Memory Using Volatility lab available in Cybrary.
06:36
We went over the Volatility tool, the initial steps for this particular lab, and showed a demo of acquiring memory using Volatility.
06:46
In future courses, we're going to be exploring mobile forensics techniques, technology, and the Android operating system. We're going to be examining the images acquired during the acquisition process,
06:57
perform data carving and steganographic techniques. We're going to see how to properly track and execute malicious files, and explore professional tools both at a beginner and advanced level.
07:09
So I hope you enjoyed today's video and I'll catch you on the next module.