Installing and Using Volatility 2 on Windows

Overview

Volatility 2 is powerful memory forensics tool that allows for the extraction of digital artifacts from volatile memory (RAM).

Installation

Volatility was initially built on Python 2.7, however it is possible to download and use the standalone executable version directly from the .

In the , download the win64 standalone file.

Extract the ZIP file to desired location and verify if the standalone executable works by running the executable with -h option to display help page and list all available options:

cd "\path\to\volatility"\volatility_2.6_win64_standalone
.\volatility_2.6_win64_standalone.exe -h

Usage

Volatility 2 works on the basis of profiles where profile must be specified for the give memory dump file in order to use some of the processing options and extract the artifacts. Another requirement is specifying the memory image file which can be achieved with -f option. And finally, plugin commands are in charge of the actual processing of the memory image and retrieving the artifacts. The final syntax looks like the following:

.\volatility_2.6_win64_standalone.exe -f "\path\to\image" --profile=<profile_name> <plugin_command>

imageinfo

As first, it is important to find out what profile should be used for the given memory dump file. This can be achieved by using imageinfo plugin:

.\volatility_2.6_win64_standalone.exe -f "\path\to\image" imageinfo

Plugin imageinfo retrieves multiple information about the memory image file like data and time when image was taken, number of processors, etc. However the most important information is the Suggested Profile(s) section, where usually the first on the list is the correct profile to be used with the given memory image file.

pstree

Plugin pstree extracts running processes from the memory and displays the list of these processes in tree-like structure. Information about the processes include name, PID, Parent PID, number of threads and handles, and time when the process was started.

memdump

Plugin memdump dumps the whole addressable memory for the specified process. This plugin needs to point to specific process either via process name (-n) or PID (-p). Additionally, -D option specifies the directory to which the memory (.dmp file) should be dumped. The final syntax looks like the following:

.\volatility_2.6_win64_standalone.exe -f "\path\to\image" --profile=<profile_name> memdump -p <PID> -D <output_directory>

The dumped memory (.dmp file) can be further analyzed with tools like strings to find malicious indicators and other artifacts within the memory of the dumped process.

filescan

This plugin finds file objects in physical memory and outputs physical offset address, number of pointers, number of handles, file permissions and file path.

This plugin can be used to look for specific file names within the memory when used together with grep or Select-String outlet when using PowerShell. For example, if looking for file called malicious.exe, the following syntax can be used:

.\volatility_2.6_win64_standalone.exe -f "\path\to\image" --profile=<profile_name> filescan | Select-String -Pattern 'malicious.exe'

dumpfiles

.\volatility_2.6_win64_standalone.exe -f "\path\to\image" --profile=<profile_name> dumpfiles -Q <physical_offset> -D <output_directory>

printkey

Displays subkeys, values, data and data types of specified registry key. This plugin looks up the information for the specified key in all hives and displays what was found. The key is specified with -K option and full syntax is:

.\volatility_2.6_win64_standalone.exe -f "\path\to\image" --profile=<profile_name> printkey -K <key_path>

handles

Used for displaying the open handles in running processes. The handles include files, registry keys, mutexes, named pipes, events, window stations, desktops, threads, etc.

.\volatility_2.6_win64_standalone.exe -f "\path\to\image" --profile=<profile_name> handles -p <PID> -t mutant

hashdump

This plugin can be used to extract and decrypt cached credentials from the registry. For this to happen, two options are required:

• -y to specify virtual address of the SYSTEM hive

• -s to specify virtual address of the SAM hive

.\volatility_2.6_win64_standalone.exe -f "\path\to\image" --profile=<profile_name> hashdump -y <SYSTEM_virtual_address> -s <SAM_virtual_address>

hivelist

Used for finding the physical and virtual addresses of registry hives in memory. This plugin displays virtual and physical address together with the full path to the corresponding hive.

mftparser

Used for scanning the MFT entries in memory and displaying the information like file name, file path and mac timestamps. Two options are especially important:

• --output= can be used to specify the type of output, for example text

• --output-file= can be used to specify the output file

netscan

This plugin is used to scan for network artifacts within the memory. It displays both TCP and UDP connections and listeners as well as the process owner of the connection and corresponding PID.

consoles

Finds commands executed on the system via cmd.exe. This plugin displays both input and output of the command that was executed on the system as well as additional information like console window title, name of the process and PID, and aliases associated with the executed commands.

iehistory

This plugin recovers artifacts from Internet Explorer history cache files. It displays accessed links and redirected links, together with information like related process name and its PID.

malfind

Finds hidden and injected code and DLLs within the memory. This can be used to identify malware that uses process injection to inject commands in the other running processes. Identified memory segments can be extracted with -D option which specifies the output directory while -p is used to specify the PID.