Volatools
AAron Walters and Nick L. Petroni Jr. released a new memory analysis tool at Black Hat DC 2007. Volatools basic, as the free version is called, is based upon the FATKit framework by the same authors.
Volatools basic can analyze memory dumps in raw (dd) format only; crash dumps are not supported. The free version is also limited to dumps of systems running Microsoft Windows XP Service Pack 2.
One of the first things you want to know about a memory dump of unknown origin is the operating system version, the time the image was taken and where the page directory of the System process (the Directory Table Base, DTB) is located, since every virtual-to-physical address translation starts from it. The ident command answers these questions:
>python volatools ident -f Terminated_nc.vmem
Image Name: Terminated_nc.vmem
Image Type: XP SP2
VM Type: nopae
DTB: 0x39000
Datetime: Tue Jul 18 00:35:04 2006
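What the DTB is actually used for, as an added example that is not part of the original post or of Volatools: a two-level (non-PAE) x86 page walk of the kind an analyzer must perform for an image that ident classifies as "nopae". The image, the DTB value and the mappings are constructed inline for the demonstration; the only real-world fact it relies on is the x86 paging format (present bit, PS bit for 4 MB pages, 10/10/12-bit index split).

```python
import struct

PAGE_MASK = 0xfffff000


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def virt_to_phys_nopae(img, dtb, vaddr):
    """Translate a 32-bit virtual address with two-level (non-PAE) x86 paging.
    `dtb` is the physical address of the page directory, i.e. the value ident
    prints as DTB. Returns None when the mapping is not present."""
    pde = u32(img, dtb + ((vaddr >> 22) & 0x3ff) * 4)
    if not pde & 1:
        return None                                  # PDE not present
    if pde & 0x80:                                   # PS bit: 4 MB large page
        return (pde & 0xffc00000) | (vaddr & 0x3fffff)
    pte = u32(img, (pde & PAGE_MASK) + ((vaddr >> 12) & 0x3ff) * 4)
    if not pte & 1:
        return None                                  # PTE not present (paged out)
    return (pte & PAGE_MASK) | (vaddr & 0xfff)


def build_sample_image():
    """Constructed raw image, not a real dump: a page directory at 0x39000 (the
    DTB ident reported above), one page table at 0x3a000 mapping virtual
    0x80001000 to physical 0x4000, and a 4 MB large page mapping
    0x80400000-0x807fffff to physical 0x800000."""
    img = bytearray(0x40000)
    dtb = 0x39000
    struct.pack_into("<I", img, dtb + (0x80001000 >> 22) * 4, 0x3a000 | 0x3)  # present, rw
    struct.pack_into("<I", img, 0x3a000 + ((0x80001000 >> 12) & 0x3ff) * 4, 0x4000 | 0x3)
    struct.pack_into("<I", img, dtb + (0x80400000 >> 22) * 4, 0x800000 | 0x83)  # PS set
    return bytes(img), dtb


if __name__ == "__main__":
    img, dtb = build_sample_image()
    for va in (0x80001234, 0x80400abc, 0x80002000):
        pa = virt_to_phys_nopae(img, dtb, va)
        print(f"{va:#010x} -> " + (f"{pa:#x}" if pa is not None else "not present"))
```

Every kernel structure an analyzer reads (process lists, handle tables, sockets) is reached through virtual pointers, so a wrong DTB or the wrong paging mode (PAE uses a three-level walk with 64-bit entries) makes all of them unreadable.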
pslist enumerates the running processes:
>python volatools pslist -f Terminated_nc.vmem
Name          Pid   PPid  Thds  Hnds  Time
Idle          0     0     0     217   Thu Jan 01 00:00:00 1970
System        4     0     47    217   Thu Jan 01 00:00:00 1970
smss.exe      428   4     3     21    Mon Jul 17 22:08:31 2006
csrss.exe     484   428   11    347   Mon Jul 17 22:08:33 2006
winlogon.exe  508   428   21    527   Mon Jul 17 22:08:34 2006
services.exe  552   508   15    252   Mon Jul 17 22:08:37 2006
lsass.exe     564   508   16    287   Mon Jul 17 22:08:37 2006
...
Terminated processes are not listed, even when their EPROCESS structures are still resident in memory, because pslist walks the kernel's active process list, from which a process is unlinked when it exits.
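The difference between walking the list and carving memory, as an added example that is not part of the original post or of Volatools: a pslist-style walk over ActiveProcessLinks beside a psscan-style scan for the process pool tag, run over a constructed image in which one process (nc.exe) has exited and been unlinked but is still resident. The EPROCESS field offsets are those of 32-bit Windows XP SP2; the allocation layout (pool header, then object header, then body, with no optional headers), the identity mapping of virtual addresses onto image offsets, the list head location and all process data are assumptions made for this example.

```python
import struct
from dataclasses import dataclass

# Field offsets in the 32-bit Windows XP SP2 _EPROCESS (from the public
# kernel symbols); these are the fields a pslist-style walk needs.
OFF_DTB = 0x18          # Pcb.DirectoryTableBase
OFF_EXIT_TIME = 0x78    # ExitTime, non-zero once the process has terminated
OFF_PID = 0x84          # UniqueProcessId
OFF_LINKS = 0x88        # ActiveProcessLinks (Flink at +0, Blink at +4)
OFF_PPID = 0x14c        # InheritedFromUniqueProcessId
OFF_NAME = 0x174        # ImageFileName[16]
EPROCESS_SIZE = 0x25c

# Layout assumed here: 8-byte _POOL_HEADER (tag at +4), 0x18-byte _OBJECT_HEADER,
# then the _EPROCESS body. Real allocations may carry optional headers between
# the two; those are omitted. Virtual addresses are taken as image offsets.
POOL_TAG = b"Pro\xe3"   # "Proc" with the protected-allocation bit set on 'c'
BODY_OFFSET = 8 + 0x18
HEAD = 0x100            # constructed location of the active-list head


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def read_process(img, body):
    raw = img[body + OFF_NAME:body + OFF_NAME + 16].split(b"\0", 1)[0]
    return {
        "offset": body,
        "pid": u32(img, body + OFF_PID),
        "ppid": u32(img, body + OFF_PPID),
        "name": raw.decode("ascii", "replace"),
        "dtb": u32(img, body + OFF_DTB),
        "exited": struct.unpack_from("<Q", img, body + OFF_EXIT_TIME)[0] != 0,
    }


def pslist(img, list_head=HEAD, max_procs=4096):
    """pslist-style: follow ActiveProcessLinks.Flink until the list wraps."""
    seen, procs = set(), []
    cur = u32(img, list_head)
    while cur != list_head and cur not in seen and len(procs) < max_procs:
        body = cur - OFF_LINKS
        if body < 0 or body + EPROCESS_SIZE > len(img):
            break                # pointer leaves the image: corrupt or unmapped
        seen.add(cur)
        procs.append(read_process(img, body))
        cur = u32(img, cur)
    return procs


def psscan(img):
    """psscan-style: carve every allocation tagged as a process object, linked
    or not, keeping only bodies that pass a sanity check."""
    procs, pos = [], img.find(POOL_TAG, 4)
    while pos != -1:
        body = pos - 4 + BODY_OFFSET
        if body + EPROCESS_SIZE <= len(img):
            p = read_process(img, body)
            if p["dtb"] and p["dtb"] % 0x1000 == 0:  # non-zero, page-aligned DTB
                procs.append(p)
        pos = img.find(POOL_TAG, pos + 1)
    return procs


@dataclass
class Proc:
    addr: int            # offset of the pool header
    pid: int
    ppid: int
    name: str
    dtb: int
    exited: bool = False


def build_image(procs, size=0x8000):
    """Constructed sample image: terminated processes are written to memory but
    not linked into the active list, as happens after process exit."""
    img = bytearray(size)
    for p in procs:
        body = p.addr + BODY_OFFSET
        img[p.addr + 4:p.addr + 8] = POOL_TAG
        struct.pack_into("<I", img, body + OFF_DTB, p.dtb)
        struct.pack_into("<I", img, body + OFF_PID, p.pid)
        struct.pack_into("<I", img, body + OFF_PPID, p.ppid)
        struct.pack_into("<16s", img, body + OFF_NAME, p.name.encode())
        if p.exited:
            struct.pack_into("<Q", img, body + OFF_EXIT_TIME, 0x01C6AA1EDEADBEEF)
    chain = [HEAD] + [p.addr + BODY_OFFSET + OFF_LINKS for p in procs if not p.exited]
    for i, entry in enumerate(chain):
        flink, blink = chain[(i + 1) % len(chain)], chain[(i - 1) % len(chain)]
        struct.pack_into("<II", img, entry, flink, blink)
    return bytes(img)


SAMPLE = build_image([
    Proc(0x1000, 4, 0, "System", 0x39000),
    Proc(0x2000, 428, 4, "smss.exe", 0x1a3c000),
    Proc(0x3000, 1240, 1100, "nc.exe", 0x2f1e000, exited=True),  # unlinked
])

if __name__ == "__main__":
    for label, procs in (("pslist", pslist(SAMPLE)), ("psscan", psscan(SAMPLE))):
        print(label, [(p["pid"], p["name"], p["exited"]) for p in procs])
```

The list walk returns only System and smss.exe; the scan also recovers nc.exe with its ExitTime set. The same asymmetry applies to a process a rootkit has unlinked from the list: it disappears from pslist but not from a scan, which is why an examiner wants both views.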
The dlllist and filelist commands show the Dynamic Link Libraries (DLLs) and the files opened by each running process. Likewise the modules command lists the loaded kernel modules.
The sockets and connections commands reveal network activity. As with the process listing, only current activity is shown.
To sum up, Volatools basic provides an easy and free way into Windows memory forensics. An experienced examiner would welcome support for more data structures and for traces of objects past the end of their lifetime. Supposedly that is what the commercial Volatools advanced will be for.
To learn more about Volatools and to download Volatools basic, check Komoku's website. Also don't miss the whitepaper and the Black Hat presentation by AAron Walters and Nick Petroni.
12/04/2007: Volatools has been discontinued. Please read From Volatools to Volatility for more information.