This is a tutorial on using the Volatility Framework on the REMnux Linux distro. – https://twitter.com/ro0ted/
What is Volatility Framework?
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License (GPL v2), for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system.
If you don’t want to use REMnux, you can install Volatility on Windows, Linux, and OS X. I would recommend you just get used to using REMnux for now, though, if you have been following my tutorials, so you are on the same page. If you jump ahead that’s cool too, but you may get lost.
The framework has been featured in the book The Art of Memory Forensics.
You can read it here: http://www.mediafire.com/view/wmaabxvnrtx53sf/The_Art_of_Memory_Forensics.pdf
Note: if you missed the last tutorial on the REMnux Linux VirtualBox setup, read it here: https://archive.cyberguerrilla.org/a/2015/ro0ted-opnewblood-what-the-blackhats-dont-want-you-to-know-remnux-a-distro-for-analyzing-malware/
Start REMnux in your VirtualBox VM and open a terminal.
(For this tutorial we will be analyzing a memory image of the infamous ZeuS bot.)
For a list of commands, type: volatility -h
Now you will see:
As you can see Volatility can do many things.
To get more detailed information (the available profiles, address spaces and plugins), type: volatility --info
Looks pretty rad, huh? Lots of platforms of all types use this framework, for example the website malwr.com, which is based on Cuckoo Sandbox (https://cuckoosandbox.org/).
For more commands, check out this cheat sheet for Volatility:
Before we begin, it should be noted that I don’t just have malware lying around, but the Volatility project provides sample memory images you can use to try out the Volatility Framework.
Make sure REMnux isn’t your main OS. When dealing with malware, always use some type of virtual machine, as you never know what the hell you are dealing with; besides, REMnux was made for analyzing malware.
Download the memory sample of your choice from the link above. For this analysis I will use a sample of the ZeuS bot.
Open a terminal at the location where you downloaded the memory sample and type:
volatility -f zeus.vmem imageinfo
When it’s finished you should see this:
Then type: volatility -f zeus.vmem callbacks
Type: volatility -f zeus.vmem connscan
Now google that IP Address:
We see the PID is 856, so type: volatility -f zeus.vmem psscan
Now show the process handles held by that PID; type: volatility -f zeus.vmem handles -p 856 -t Process
Now type: volatility -f zeus.vmem apihooks
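The pivot above (connscan gives a remote address and a PID, psscan names the process, handles and apihooks dig into it) is done by hand in this tutorial. The script below is an added example, not part of the original post or of the Volatility project, that automates the same pivot over plugin output: it parses the connscan and psscan text, lists the remote addresses worth looking up, ties each PID that talked to a chosen address back to its process name, and emits the follow-up commands. The plugin output embedded in it is constructed to match Volatility 2's column layout (the addresses are RFC 1918 / RFC 5737 documentation ranges, not real indicators), and a PID with no matching psscan entry is flagged rather than dropped, since a carved connection with no owning process is itself worth noting.

```python
"""Correlate Volatility 2 'connscan' and 'psscan' output to pivot from a
remote address to the owning process and the commands to run next.
Added example: the sample output below is constructed, not captured from
the zeus.vmem image used in the tutorial."""
import re

# Constructed connscan output (documentation address ranges, not real IoCs).
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02214988 172.16.176.143:1054       203.0.113.5:80            856
0x06015ab0 172.16.176.143:1056       203.0.113.5:80            856
0x0601a0c8 172.16.176.143:1060       198.51.100.22:443         1724
0x06024f40 172.16.176.143:1071       203.0.113.5:80            4242
"""

# Constructed psscan output; note PID 4242 from connscan is absent here.
PSSCAN_OUTPUT = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ------------------- ----- ---- ---------- ------------------------------ ------------------------------
0x02029ab8 svchost.exe           856  676 0x0a5801e0 2010-08-11 06:06:24 UTC+0000
0x0202c0f8 explorer.exe         1724 1708 0x0a5801a0 2010-08-11 06:06:24 UTC+0000
0x02170020 lsass.exe             688  632 0x0a5800a0 2010-08-11 06:06:21 UTC+0000
"""

# Data rows start with a physical offset; header and dashed-rule lines do not.
CONN_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$", re.I)
PROC_RE = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)", re.I)


def parse_connscan(text):
    """Return one dict per carved connection (offset, laddr, lport, raddr, rport, pid)."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:  # header, dashed rule or blank line
            continue
        off, laddr, lport, raddr, rport, pid = m.groups()
        conns.append({"offset": off, "laddr": laddr, "lport": int(lport),
                      "raddr": raddr, "rport": int(rport), "pid": int(pid)})
    return conns


def parse_psscan(text):
    """Return {pid: process name}. psscan carves _EPROCESS blocks from physical
    memory, so a PID listed here may belong to a process that had already exited."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m.group(3))] = m.group(2)
    return procs


def remote_addresses(conns):
    """Unique remote IPs, in the order they should be looked up / reputation-checked."""
    return sorted({c["raddr"] for c in conns})


def pids_for_remote(conns, remote_ip):
    """PIDs (connscan's Pid column) that had a connection to remote_ip."""
    return sorted({c["pid"] for c in conns if c["raddr"] == remote_ip})


def followup_commands(image, pid):
    """The per-PID pivot the tutorial performs by hand once a PID is known."""
    return [
        f"volatility -f {image} psscan",
        f"volatility -f {image} handles -p {pid} -t Process",
        f"volatility -f {image} apihooks -p {pid}",
    ]


def pivot(conns, procs, remote_ip, image):
    """Tie every PID that talked to remote_ip to a process name and next steps.
    A PID missing from psscan is kept and flagged, not silently dropped."""
    findings = []
    for pid in pids_for_remote(conns, remote_ip):
        findings.append({
            "pid": pid,
            "process": procs.get(pid, "<not in psscan>"),
            "next": followup_commands(image, pid),
        })
    return findings


if __name__ == "__main__":
    conns = parse_connscan(CONNSCAN_OUTPUT)
    procs = parse_psscan(PSSCAN_OUTPUT)
    print("remote addresses to look up:", remote_addresses(conns))
    for f in pivot(conns, procs, "203.0.113.5", "zeus.vmem"):
        print(f"PID {f['pid']} ({f['process']}):")
        for cmd in f["next"]:
            print("   ", cmd)
```

In real use, feed it the actual plugin output (`volatility -f zeus.vmem connscan > connscan.txt`, and likewise for psscan) and remember to pass the `--profile=` value that imageinfo suggested to every later plugin; the profile is what tells Volatility how to interpret the kernel structures it is carving. The `-p` switch on apihooks, like on handles, limits the scan to the process of interest.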
This is just a quick Volatility example. In the next tutorial we will use it in full action.
REMnux: Volatility Framework ~ Memory Forensics