Lead Image © Bruce Rolff, 123RF.com

Lead Image © Bruce Rolff, 123RF.com

Forensic main memory analysis with Volatility

Fingerprints

Article from ADMIN 49/2019

By Prof. Dr. Tobias Eggendorfer

When you examine the memory of a computer after a break-in, take advantage of active support from the Volatility framework to analyze important memory structures and read the volatile traces of an attack.

When you think of IT forensics, you usually have the analysis of non-volatile data carriers, such as hard disks or SSDs, in mind. But volatile RAM is also worth a look. It usually contains important traces (e.g., of processes or network connections) and thus provides indications of a successful attack.

The detective work is preceded by the task of creating a RAM image. This memory dump must then be analyzed. With Linux onboard tools, users already can find out and learn a lot, but it's also quite a time-consuming process. Luckily, you can find support in Volatility [1], a framework written in Python that identifies the most important memory structures of an operating system and presents the content in a human-readable form. Its big advantage is the many plugins that support a wide variety of analysis activities (Table 1).

Table 1

Volatility Enhancements

Plugin	Function
Processes
`linux_apihooks`	Checks for userland API hooks
`linux_bash`	Extracts the Bash history from the process memory
`linux_check_creds`	Checks whether processes share credential structures

...

Use one of the options below to read the full article

Buy this article as PDF

Download Article PDF now with Express Checkout

Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES

SUBSCRIPTIONS

Print Subscriptions

Digital Subscriptions

Related content

Forensic Analysis on Linux

In computer forensics, memory analysis is becoming increasingly important as a means for investigating security incidents. In this article, we provide an overview of the various memory dumping options on Linux and introduce the support in Linux for the Volatility Analysis Framework.

more »
Malware Analysis
We show you how to dig deep to find hidden and covert processes, clandestine communications, and signs of misconduct on your network.

more »
Maintaining Android in the enterprise
No matter how insecure Android might appear, you can't escape the "bring your own device" philosophy in today's corporate environment. In this article, we show how admins can use on-board tools in Android phones to regain a little control.

more »
Acquiring a Memory Image
Be ready before disaster strikes. In this article we describe some tools you should have on hand to obtain a memory image of an infected system.

more »
NVDIMM and the Linux kernel
Non-volatile dual in-line memory modules will provide storage as fast as RAM and keep its content through a reboot. The Linux kernel is already geared to handle the new technology and can even serve the modules up as block devices.

more »

comments powered by Disqus

Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Most Popular

Self-Hosting

Self-Hosted PaaS with Coolify

Build and Host Docker Images

Self-Hosted Pritunl VPN Server with MFA

Self-Hosted Chat Servers

Self-Hosted Remote Support with RustDesk

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>
</a>

<hr>
</div>
</div>

<div class=