The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
Volatility is no longer packaged with Kali in the 2020 releases, but it can be installed manually. In this tutorial I will show you how to install Volatility 2.6 on Kali 2020.4. Unfortunately it relies on Python 2 dependencies, and if you simply clone the repository and run vol.py you will see errors similar to the ones below:
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
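The "Failed to import" lines are the quickest inventory of what is missing, and which plugins the analyst has silently lost (the timeliner, registry and malware plugins in the output above). The helper below is an added example, not part of this tutorial or of Volatility itself: it parses that startup output, reduces each error to a top-level module name, and builds the pip install line. The module-to-package table is an assumption based on Volatility 2.6's dependency list (pycrypto, distorm3, yara-python, openpyxl, ujson); the sample error text is constructed to match the shape of the output above.

```python
import re

# Constructed sample of vol.py's startup errors (same shape as the real output).
SAMPLE_STDERR = """Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
"""

# Top-level module -> PyPI package (assumption: taken from Volatility 2.6's dependency list;
# these must be the last Python 2 compatible releases of each package).
PACKAGE_FOR_MODULE = {
    "Crypto": "pycrypto",
    "distorm3": "distorm3",
    "yara": "yara-python",
    "openpyxl": "openpyxl",
    "ujson": "ujson",
}

IMPORT_ERR = re.compile(r"ImportError: No module named ([\w.]+)")
NAME_ERR = re.compile(r"NameError: name '(\w+)' is not defined")


def failed_lines(stderr_text):
    """Yield only the '*** Failed to import ...' lines, ignoring the banner."""
    for line in stderr_text.splitlines():
        if line.startswith("*** Failed to import"):
            yield line


def missing_modules(stderr_text):
    """Sorted list of top-level modules Volatility could not import.

    'Crypto.Hash' is reduced to 'Crypto'; a NameError for a name that is normally
    bound by an import (distorm3 in the malware plugins) is treated the same way.
    """
    found = set()
    for line in failed_lines(stderr_text):
        m = IMPORT_ERR.search(line) or NAME_ERR.search(line)
        if m:
            found.add(m.group(1).split(".")[0])
    return sorted(found)


def broken_plugins(stderr_text):
    """Plugin module paths that did not load; the analyst cannot run these until fixed."""
    return sorted({line.split()[4] for line in failed_lines(stderr_text)})


def pip2_command(modules):
    """Build the Python 2 pip line for known modules; unknown ones are returned separately
    so they are not silently dropped."""
    packages = [PACKAGE_FOR_MODULE[m] for m in modules if m in PACKAGE_FOR_MODULE]
    unknown = [m for m in modules if m not in PACKAGE_FOR_MODULE]
    cmd = "python2 -m pip install " + " ".join(packages) if packages else ""
    return cmd, unknown


if __name__ == "__main__":
    mods = missing_modules(SAMPLE_STDERR)
    print("missing modules:", mods)
    print("plugins lost:", broken_plugins(SAMPLE_STDERR))
    print(pip2_command(mods))
```

In practice you would run `python2 vol.py --info 2>&1` on the installed copy and feed that text to `missing_modules`; repeat after installing until the list is empty, because a plugin that fails to import simply disappears from the plugin list rather than raising an error at analysis time.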
As Volatility relies on certain Python 2 dependencies, we will need to install Python 2 Pip:
What is the IPv4 address that myaccount.google.com resolves to?
To answer this question I decided to try bulk_extractor. I had not used this tool before and only learned about it from BakerStreetForensics’ Week 10 writeup. It is a powerful tool that can extract a great deal of information from an image; in this case I was interested in the PCAP file it generates, in order to find DNS queries. For more information on bulk_extractor see the Kali Tools page.
At the time of the RAM collection (20-Apr-20 23:23:26, per imageinfo) there was an established connection to a Google server. What was the remote IP address and port number? Format: “xxx.xxx.xx.xxx:xxx”
The netscan module in Volatility shows output similar to netstat: local and remote addresses along with their state. The connection shown below is in the ESTABLISHED state, and a whois lookup on its remote IP comes back as owned by Google. Therefore the IP and port we’re after is 126.96.36.199:443.
$ volatility -f memdump.mem --profile=Win7SP0x64 netscan
Volatility Foundation Volatility Framework 2.4
--- SNIPPED ---
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x13ec87cd0 TCPv4 192.168.10.146:54282 188.8.131.52:443 ESTABLISHED -------- --------------
--- SNIPPED ---
$ whois 184.108.40.206
available at: https://www.arin.net/resources/registry/whois/tou/
If you see inaccuracies in the results, please report at
Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
NetRange: 220.127.116.11 - 18.104.22.168
Parent: NET172 (NET-172-0-0-0-0)
NetType: Direct Allocation
Organization: Google LLC (GOGL)
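Reading netscan by eye works for one question, but on a real image there are hundreds of rows. The parser below is an added example (not the writeup's own code and not part of Volatility): it parses Volatility 2's netscan layout, keeps only ESTABLISHED connections, and flags those whose remote end lies outside the private, loopback and link-local ranges, which is the set an analyst would then hand to whois. The sample output is constructed; offsets, PIDs and addresses are made up, and 203.0.113.0/24 (the RFC 5737 documentation range) stands in for the real remote host.

```python
import ipaddress
import re

# Constructed netscan output in the column layout Volatility 2 prints (values are made up).
SAMPLE_NETSCAN = """Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13e8a1010        UDPv4    0.0.0.0:5355                   *:*                                   1024     svchost.exe    2020-04-20 22:58:11 UTC+0000
0x13ec3c3e0        TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x13ec87cd0        TCPv4    192.168.10.146:54282           203.0.113.10:443     ESTABLISHED      -------- --------------
0x13ecb1a90        TCPv4    192.168.10.146:49201           192.168.10.1:445     ESTABLISHED      4        System
0x13ed02bd0        TCPv4    192.168.10.146:49160           203.0.113.22:80      CLOSE_WAIT       2544     chrome.exe
"""

# One row: offset, protocol, local, foreign, optional TCP state, then pid / owner / created.
# UDP rows carry no state, so the state group is optional.
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>\S+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*(?P<rest>.*)$"
)

# Ranges treated as "inside" for this triage; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" network
    "::1/128", "fe80::/10", "fc00::/7",                  # IPv6 loopback, link-local, ULA
)]


def parse_netscan(text):
    """Return one dict per connection row; banner, header and '--- SNIPPED ---' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        rest = row.pop("rest").split()
        row["pid"] = rest[0] if rest else ""
        row["owner"] = rest[1] if len(rest) > 1 else ""
        rows.append(row)
    return rows


def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); wildcards such as '*:*' or '0.0.0.0:0' -> (None, None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")          # IPv6 endpoints are printed as [addr]:port
    if host in ("", "*", "0.0.0.0", "::") or not port.isdigit():
        return None, None
    return host, int(port)


def is_external(ip):
    """True for any routable address outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def established_external(text):
    """ESTABLISHED connections whose remote side is external: the rows worth a whois lookup."""
    hits = []
    for row in parse_netscan(text):
        if row["state"] != "ESTABLISHED":
            continue
        host, port = split_endpoint(row["foreign"])
        if host is not None and is_external(host):
            hits.append({"remote": row["foreign"], "local": row["local"],
                         "pid": row["pid"], "owner": row["owner"]})
    return hits


if __name__ == "__main__":
    for hit in established_external(SAMPLE_NETSCAN):
        print("{remote:<22} <- {local:<22} pid={pid} owner={owner}".format(**hit))
```

Note that netscan prints dashes for the PID and owner when the owning process is no longer resolvable (the page's own row shows this), so the parser keeps those fields as strings rather than failing on a non-numeric PID.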
This week was a dive into the world of memory forensics. It’s a long one with lots of good questions. Let’s take a look at how to solve them.
Challenge 9 (Nov 30 – Dec 7) Part 1 – 25pts
The user had a conversation with themselves about changing their password. What was the password they were contemplating changing to? Provide the answer as a text string.
Before we get too involved, let's find out more about the image and which profile we should be using:
$ volatility -f ./memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c2a120L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c2c000L
KPCR for CPU 1 : 0xfffff88002f00000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-04-20 23:23:26 UTC+0000
Image local date and time : 2020-04-20 19:23:26 -0400
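Every later command depends on the values in this block (the profile, the DTB and KDBG addresses, and the acquisition time that the challenge questions are phrased against), so it is worth reading it programmatically rather than retyping values by hand. The parser below is an added example, not the writeup's own code: it turns imageinfo's "Key : Value" lines into a dict, lists the suggested profiles in the order Volatility ranked them, strips the Python 2 "L" suffix from the hex fields, and checks that the UTC and local timestamps describe the same instant, which is the sanity check to do before building a timeline. The sample text reproduces the values shown above.

```python
from datetime import datetime, timezone

# imageinfo output as printed above (same values; reproduced here as test data).
SAMPLE_IMAGEINFO = """Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002c2a120L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002c2c000L
                KPCR for CPU 1 : 0xfffff88002f00000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-04-20 23:23:26 UTC+0000
     Image local date and time : 2020-04-20 19:23:26 -0400
"""


def parse_imageinfo(text):
    """'Key : Value' lines -> dict; the banner and INFO logging lines are skipped."""
    info = {}
    for line in text.splitlines():
        if line.startswith("INFO") or " : " not in line:
            continue
        key, _, value = line.partition(" : ")
        info[key.strip()] = value.strip()
    return info


def suggested_profiles(info):
    """Profiles in the order Volatility listed them (first is its best guess)."""
    raw = info.get("Suggested Profile(s)", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def profile_argument(info):
    """The --profile option for subsequent plugins, taken from the first suggestion."""
    profiles = suggested_profiles(info)
    if not profiles:
        raise ValueError("imageinfo suggested no profile; run kdbgscan instead")
    return "--profile=" + profiles[0]


def hex_field(info, key):
    """Volatility 2 prints Python 2 longs with a trailing 'L'; strip it before converting."""
    return int(info[key].rstrip("L"), 16)


def parse_utc(value):
    """'2020-04-20 23:23:26 UTC+0000' -> timezone-aware UTC datetime."""
    stamp, _, _tz = value.rpartition(" ")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_local(value):
    """'2020-04-20 19:23:26 -0400' -> aware datetime carrying the host's UTC offset."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z")


def timestamps_consistent(info):
    """(True, offset) when the UTC and local acquisition times are the same instant.

    A mismatch means the host's clock or time-zone metadata cannot be trusted and
    every timeline built from this image needs that caveat attached.
    """
    utc = parse_utc(info["Image date and time"])
    local = parse_local(info["Image local date and time"])
    return utc == local, local.utcoffset()


if __name__ == "__main__":
    info = parse_imageinfo(SAMPLE_IMAGEINFO)
    print(profile_argument(info))
    print("DTB=0x%x KDBG=0x%x" % (hex_field(info, "DTB"), hex_field(info, "KDBG")))
    print("timestamps consistent:", timestamps_consistent(info))
```

The first suggestion is only a starting point: when a plugin returns nothing or garbage under it, try the next profile in the list before assuming the image is bad.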