Skip to content Skip to footer
Previously, we explored the versatility of Volatility3 and its application in analyzing Linux memory dumps, as discussed here. This page also tied into the CSI Linux Certified Computer Forensic Investigator (CSIL-CCFI).Now, let’s shift our focus to a different landscape: Windows memory dumps.
Delving into Windows Memory with Volatility3
Volatility3 is not just limited to Linux systems. It’s equally adept at dissecting Windows memory images, where it unveils hidden processes, uncovers potential malware traces, and much more.
The Craftsmanship Behind Volatility3
Crafted by the Volatility Foundation, this open-source framework is designed for deep analysis of volatile memory in systems. It’s the product of a dedicated team of forensic and security experts, evolving from Volatility2 to meet the challenges of modern digital forensics.
Revealing Windows Memory Secrets
  • Active and hidden processes, indicating possible system breaches.
  • Network activities and connections that could point to malware communication.
  • Command execution history, potentially exposing actions by malicious entities.
  • Loaded kernel modules, identifying anomalies or rootkits.
Applying Volatility3 in Real Scenarios
  • Incident Response: Swiftly identifying signs of compromise in Windows systems.
  • Malware Analysis: Dissecting and understanding malware behavior.
  • Digital Forensics: Gathering critical evidence for investigations and legal proceedings.
Volatility3 remains a guiding force in digital forensics, offering clarity and depth in the analysis of Windows memory images.
Windows Memory Analysis with Volatility3: Detailed Examples
Process and Thread Analysis
  • List Processes (windows.pslist):
    • Command: python vol.py -f memory.vmem windows.pslist – Lists all running processes in the memory dump.
  • Process Tree (windows.pstree):
    • Command: python vol.py -f memory.vmem windows.pstree – Displays process tree showing parent-child relationships.
  • Process Dump (windows.proc_dump):
    • Command: python vol.py -f memory.vmem windows.proc_dump --dump-dir /path/to/dump – Dumps the memory of all processes to the specified directory.
  • Thread Information (windows.threads):
    • Command: python vol.py -f memory.vmem windows.threads – Displays detailed thread information.
  • LDR Modules (windows.ldrmodules):
    • Command: python vol.py -f memory.vmem windows.ldrmodules – Identifies loaded, linked, and unloaded modules.
  • Malfind (windows.malfind):
    • Command: python vol.py -f memory.vmem windows.malfind – Searches for patterns that might indicate injected code or hidden processes.
  • Environment Variables (windows.envars):
    • Command: python vol.py -f memory.vmem windows.envars – Lists environment variables for each process.
  • DLL List (windows.dlllist):
    • Command: python vol.py -f memory.vmem windows.dlllist – Lists loaded DLLs for each process.
Network Analysis
  • Network Scan (windows.netscan):
    • Command: python vol.py -f memory.vmem windows.netscan – Scans for network connections and sockets.
  • Open Sockets (windows.sockets):
    • Command: python vol.py -f memory.vmem windows.sockets – Lists open sockets.
  • Network Routing Table (windows.netstat):
    • Command: python vol.py -f memory.vmem windows.netstat – Displays the network routing table.
Registry Analysis
  • Registry Print Key (windows.registry.printkey):
    • Command: python vol.py -f memory.vmem windows.registry.printkey – Prints a registry key and its subkeys.
    • Wi-Fi IP Address: python vol.py -f memory.vmem windows.registry.printkey --key "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    • MAC Address: python vol.py -f memory.vmem windows.registry.printkey --key "SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}"
    • USB Storage Devices: python vol.py -f memory.vmem windows.registry.printkey --key "SYSTEM\CurrentControlSet\Enum\USBSTOR"
    • Programs set to run at startup: python vol.py -f memory.vmem windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    • Prefetch settings: python vol.py -f memory.vmem windows.registry.printkey --key "SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters"
    • User’s shell folders: python vol.py -f memory.vmem windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    • Networks connected to the system: python vol.py -f memory.vmem windows.registry.printkey --key "SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged"
    • User profile information: python vol.py -f memory.vmem windows.registry.printkey --key "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
    • Mounted devices: Command: python vol.py -f memory.vmem windows.registry.printkey --key "SYSTEM\MountedDevices"
    • Recently opened documents: python vol.py -f memory.vmem windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
    • Recently typed URLs in Internet Explorer: python vol.py -f memory.vmem windows.registry.printkey --key "SOFTWARE\Microsoft\Internet Explorer\TypedURLs"
    • Windows settings and configurations: python vol.py -f memory.vmem windows.registry.printkey --key "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    • Windows Search feature settings: python vol.py -f memory.vmem windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Search"
  • Hash Dump (windows.hashdump):
    • Command: python vol.py -f memory.vmem windows.hashdump > hashes.txt
    • Hashcat:
      • Command: hashcat hashes.txt [wordlist]
    • John the Ripper:
      • Command: john hashes.txt --wordlist=[wordlist]
File and Service Analysis
  • File Scan (windows.filescan):
    • Command: python vol.py -f memory.vmem windows.filescan – Scans for file objects present in memory.
  • Service Scan (windows.svcscan):
    • Command: python vol.py -f memory.vmem windows.svcscan – Scans for services and drivers.
  • Shellbags (windows.shellbags):
    • Command: python vol.py -f memory.vmem windows.shellbags – Extracts information about folder viewing preferences.
  • File Download History (windows.filehistory):
    • Command: python vol.py -f memory.vmem windows.filehistory – Extracts file download history.
  • Scheduled Tasks (windows.schtasks):
    • Command: python vol.py -f memory.vmem windows.schtasks – Lists scheduled tasks.
  • Crash Dump Analysis (windows.crashinfo):
    • Command: python vol.py -f memory.vmem windows.crashinfo – Extracts information from crash dumps.
Tracing the Steps of ‘yougotpwned.exe’ Malware
In a digital forensics investigation, we target a suspicious malware, ‘yougotpwned.exe’, suspected to be a Remote Access Trojan (RAT). Our mission is to understand its behavior and network communication using Volatility3.
Uncovering Network Communications
We start by examining the network connections with Volatility3’s windows.netscan command. This leads us to a connection with the IP address 192.168.13.13, likely the malware’s remote command and control server.
Linking Network Activity to the Process
Upon discovering the suspicious IP address, we correlate it with running processes. Using windows.pslist, we identify ‘yougotpwned.exe’ as the process responsible for this connection, confirming its malicious nature.
Analyzing Process Permissions and Behavior
Further investigation into the process’s privileges with windows.privs and its disguise as a legitimate service using windows.services, reveals the depth of its infiltration into the system.
Isolating and Examining the Malicious Process
Next, we dump the process memory using windows.proc_dump for an in-depth analysis, preparing to unearth the secrets hidden within ‘yougotpwned.exe’.
Uploading to VirusTotal via Curl
For sending the process dump to VirusTotal, we use the `curl` command. This powerful tool allows for uploading files directly from the command line.
  • For the memory dump file: curl --request POST --url 'https://www.virustotal.com/api/v3/files' --header 'x-apikey: YOUR_API_KEY' --form file=@'/path/to/your/dumpfile'
  • For the IP address analysis: curl --request GET --url 'https://www.virustotal.com/api/v3/ip_addresses/192.168.13.13' --header 'x-apikey: YOUR_API_KEY'
This method enables us to efficiently validate our findings about the malware and its associated network activity.
Validating Findings with VirusTotal
The memory dump is then uploaded to VirusTotal. The comprehensive analysis there confirms the malicious characteristics of ‘yougotpwned.exe’, tying together our findings from the network and process investigations. This case study highlights the crucial role of digital forensic tools like Volatility3 and VirusTotal in unraveling the activities of sophisticated malware, paving the way for effective cybersecurity measures.