Incident Response Using Volatility Framework

By Bryan Macario, Network Security Engineer at Tec-Refresh, Inc.

It’s 2021, and Cybersecurity has been a hot item on everybody’s list. Whether at home or in the corporate world, our technology is constantly evolving, and with the latest security patches and operating systems updated, our defenses have been getting better and better. That being said, hackers also endlessly test and experiment with new exploits and attack vectors to get a foothold on our systems.

So, what exactly can you do as an Incident Response Analyst when you are tasked to look at a computer that’s “running slow” and are responsible for finding out exactly what’s going on with it? There are many forensic tools out there that can be used for this job, such as FTK, Encase, Autopsy, etc.

However, in this article, I will highlight a tool that can be used to analyze live memory, and that tool is called Volatility. I will also demonstrate how this tool can be used in an actual Incident Response engagement with screenshots. I will also provide a link to a talk that I did at DerbyCon regarding this tool.

Volatility framework is an open-source collection of tools implemented in Python to analyze and extract forensic artifacts from live memory (RAM). RAM stands for random access memory, and it is more volatile than data on a disk. Hackers are not able to easily erase their tracks on RAM, as they do with the disk.

You can check out the GitHub at https://github.com/volatilityfoundation/volatility.

To get started using Volatility, you’re going to need to have the following:

And that is pretty much all you need to get started doing some forensics. Just the Volatility tool itself and a memory sample, plain and simple!

For this demonstration, I am going to use an infected memory sample that I found online on https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples.

Scenario

You get a call from a user experiencing issues with their computer running extremely sluggish as if something is taking up the computer resources. They believe it has been infected, and you are tasked to find out what’s going on with it.

Running pslist

Running pslist

Pslist is a tool within Volatility that will show you an output of all the different processes running on the machine when the memory dump was captured. This is useful in finding out if any processes seem suspicious right off the bat.

Running psscan

Running psscan

In this command, I run a psscan, which is similar to a pslist. However, I output the results to a visual graph using xdot. The xdot output is great because you can visually see the parent/child processes from the psscan results.

1_doc_RCData_61 invoked by ImmunityDebugger

As you can see, the process “1_doc_RCData_61” was invoked by the “ImmunityDebugger.” This process did not initially show with the psslist, but the psscan is great for digging deeper and locating any hidden processes.

Running connscan

Now that I have a suspicious process I want to further examine, we can run a connscan. Connscan is a tool that is used to show any active TCP connections with a matching process ID.

Running connscan

As you can see in the picture above, PID 1136 has created an active TCP connection from the host to remote address 67.208.216.86:80. A quick google search on that IP address shows that the IP belongs to a “TERENAP” domain. This is all valuable information you can collect and save for later.

Running cmdline

Another tool I like to use within volatility is called cmdline. Since I have a specific process I want to examine, I can use cmdline to show any cmdline executables running in the processes.

By running the cmdline tool on the process id “1136”, we were able to see that the process had the “1_doc_RCData_612.exe” running within the process.

Running procdump

Now that we know the process 1136 has an executable running, I can go ahead and procdump the process into an actual executable and run some tests.

Running procdump

At this point, I’ve turned the process into a full-fledged, live executable called “executable.1336.exe”.

I can now run this executable through VirusTotal and see what I get.

VirusTotal Screenshot

As you can see, VirusTotal has found 54 malicious hits on the executable file. The actual virus embedded inside the executable is called Prolaco. Prolaco is a popular internet worm that propagates and multiplies itself within a host, taking up system resources and causing the computer to run very slow.

As I said, I also did a talk on DerbyCom IE about Volatility and how it can be used for Incident Response.

Link to YouTube video for Volatility Demo: https://www.youtube.com/watch?t=3604&v=kz_SRcidetI (Starts at 1:00:04).

I hope this article has helped you learn more about computer forensics and memory forensics’ power using Volatility. Thanks for reading, and stay tuned for more content!


As a Managed Service Provider (MSP) and Managed Security Services Provider (MSSP), we manage your IT services, offer backup and disaster recovery, and provide network visibility and security. Our knowledgeable and customer-oriented staff engages to accelerate your network and simplify its security, visibility and automation. Questions? Contact Tec-Refresh, Inc.

Leave a Comment

Your email address will not be published. Required fields are marked *

What is digital transformation, and do you need it?