Documenting some common usages (plugins) of Volatility 3 for memory forensics.
Since it provides plugins for three common operating systems (Linux, Mac, and Windows), adjust the command based on the operating system of the memory image you are given.
# Retrieve memory information
vol -f memory.dmp windows.info
# View process hierarchy
vol -f memory.dmp windows.pstree
# Search for file paths
vol -f memory.dmp filescan
# List network connections
vol -f memory.dmp netscan
# Dumping an executable file (by file object address, or by process)
vol -f memory.dmp windows.dumpfiles --virtaddr <address from filescan>
vol -f memdump.mem windows.pslist --pid <pid> --dump
# Identifying suspicious memory regions
vol -f MemoryDump.mem windows.malfind
# Listing process command lines
vol -f 192-Reveal.dmp windows.cmdline
# Usage statistics (the UserAssist explained below)
vol -f memdump.mem windows.registry.userassist
# List hollowed processes
vol -f memory.dmp windows.malware.hollowprocesses
# List the registry keys under a hive or a specific key
vol -f memory.dmp windows.registry.printkey
# Dumping Hive
vol -f memory.dmp hivelist
# Search for handles
vol -f memory.dmp windows.handles
# Print the SIDs owning each process
vol -f memory.dmp getsids
Better output
The command-line output can be hard to read, especially because most results from vol are very long. The -r or --renderer option can be used to format the output, and it can be combined with grep, awk, or sed.
vol -r pretty -f memdump.mem windows.netscan
# Using grep
vol -f MemoryDump.mem windows.pstree | grep --color=always -E "(oneetx\.exe|$)"
# Using awk
vol -f MemoryDump.mem windows.pstree | awk '/oneetx\.exe/ {print "\033[43m" $0 "\033[0m"; next} {print}'
# Using sed
vol -f MemoryDump.mem windows.pstree | sed 's/.*oneetx\.exe.*/\x1b[41m&\x1b[0m/'
Retrieving non-executable files
At some point, I forgot how to dump a non-executable file, so I want to note it down.
Start by examining potential threats: run the pslist, pstree, and cmdline plugins to get a good overview of the system. A malicious program tends to have a stand-out name, file path, or flags with sketchy parameters.
After that, if it is a non-executable file you are looking for, search for it with the filescan plugin plus grep. For example, I want to look for VS Code's extension files, because of the number of processes Code.exe had spawned when I checked the process list.
$ vol -r pretty -f memdump.dmp windows.filescan | grep -i 'extension'
# Result
* | 0x850cd2e704f0 | \Users\User2\.vscode\extensions\0xs1rx58d3v.chatgpt-b0t-0.0.1\extension.js
# Dumping the extension file
$ vol -r pretty -f memdump.dmp windows.dumpfiles --virtaddr 0x850cd2e704f0
Volatility 3 Framework 2.26.2
Formatting...0.00 PDB scanning finished
| Cache | FileObject | FileName | Result
* | DataSectionObject | 0x850cd2e704f0 | extension.js | Error dumping file
Determining running processes
To determine which processes were running when the image was acquired, use the pslist plugin, but pay attention to the timestamps:
$ vol -f IMAGE.raw windows.pslist
Volatility 3 Framework 2.26.2
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0x89c037f8 55 245 N/A False N/A N/A Disabled
368 4 smss.exe 0x89965020 3 19 N/A False 2023-02-14 04:54:15.000000 UTC N/A Disabled
592 368 csrss.exe 0x89a98da0 11 321 0 False 2023-02-14 04:54:15.000000 UTC N/A Disabled
616 368 winlogon.exe 0x89a88da0 18 508 0 False 2023-02-14 04:54:15.000000 UTC N/A Disabled
660 616 services.exe 0x89938998 15 240 0 False 2023-02-14 04:54:15.000000 UTC N/A Disabled
672 616 lsass.exe 0x89aa0020 21 335 0 False 2023-02-14 04:54:15.000000 UTC N/A Disabled
832 660 VBoxService.exe 0x89aaa3d8 9 115 0 False 2023-02-14 04:54:15.000000 UTC N/A Disabled
880 660 svchost.exe 0x89aab590 21 295 0 False 2023-02-13 17:54:16.000000 UTC N/A Disabled
968 660 svchost.exe 0x89a9f6f8 10 244 0 False 2023-02-13 17:54:17.000000 UTC N/A Disabled
1060 660 svchost.exe 0x89730da0 51 1072 0 False 2023-02-13 17:54:17.000000 UTC N/A Disabled
1108 660 svchost.exe 0x897289a8 5 78 0 False 2023-02-13 17:54:17.000000 UTC N/A Disabled
1156 660 svchost.exe 0x899adda0 13 192 0 False 2023-02-13 17:54:17.000000 UTC N/A Disabled
1484 1440 explorer.exe 0x89733938 14 489 0 False 2023-02-13 17:54:18.000000 UTC N/A Disabled
1608 660 spoolsv.exe 0x897075d0 10 106 0 False 2023-02-13 17:54:18.000000 UTC N/A Disabled
480 1060 wscntfy.exe 0x89694388 1 28 0 False 2023-02-13 17:54:30.000000 UTC N/A Disabled
540 660 alg.exe 0x8969d2a0 5 102 0 False 2023-02-13 17:54:30.000000 UTC N/A Disabled
376 1484 VBoxTray.exe 0x89982da0 13 125 0 False 2023-02-13 17:54:30.000000 UTC N/A Disabled
636 1484 msmsgs.exe 0x8994a020 2 157 0 False 2023-02-13 17:54:30.000000 UTC N/A Disabled
1880 1484 taskmgr.exe 0x89a0b2f0 0 - 0 False 2023-02-13 18:25:15.000000 UTC 2023-02-13 18:26:21.000000 UTC Disabled
964 1484 rootkit.exe 0x899dd740 0 - 0 False 2023-02-13 18:25:26.000000 UTC 2023-02-13 18:25:26.000000 UTC Disabled
1960 964 cmd.exe 0x89a18da0 0 - 0 False 2023-02-13 18:25:26.000000 UTC 2023-02-13 18:25:26.000000 UTC Disabled
528 1484 notepad.exe 0x896c5020 0 - 0 False 2023-02-13 18:26:55.000000 UTC 2023-02-13 18:27:46.000000 UTC Disabled
1432 1484 notepad.exe 0x89a0d180 0 - 0 False 2023-02-13 18:28:25.000000 UTC 2023-02-13 18:28:40.000000 UTC Disabled
1444 1484 notepad.exe 0x899e6da0 0 - 0 False 2023-02-13 18:28:42.000000 UTC 2023-02-13 18:28:47.000000 UTC Disabled
276 1484 DumpIt.exe 0x89a0fda0 1 25 0 False 2023-02-13 18:29:08.000000 UTC N/A Disabled
The highlighted lines (the rows with an ExitTime) show processes that terminated before the image was acquired; the remaining rows are the processes that were still active.
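As an added example (not part of the original notes), the shell script below applies the ExitTime rule mechanically: it splits the rows of windows.pslist output into processes that had already exited before acquisition and processes that were still running. The sample rows are constructed from the table above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: classify pslist rows by ExitTime.
# A row whose process has exited carries two timestamps (CreateTime and ExitTime),
# each ending in a "UTC" token; a running process carries one, and System carries
# none (its CreateTime is N/A). Counting "UTC" tokens is more robust than fixed
# column numbers, which shift whenever a timestamp is N/A.

# Prints "PID ImageFileName" for every process that exited before acquisition.
terminated_processes() {
    awk '$1 ~ /^[0-9]+$/ {
        utc = 0
        for (i = 1; i <= NF; i++) if ($i == "UTC") utc++
        if (utc == 2) print $1, $3
    }'
}

# Prints "PID ImageFileName" for every process still running at acquisition.
active_processes() {
    awk '$1 ~ /^[0-9]+$/ {
        utc = 0
        for (i = 1; i <= NF; i++) if ($i == "UTC") utc++
        if (utc < 2) print $1, $3
    }'
}

# Constructed sample in the layout of the pslist output above (banner lines included,
# because the functions must ignore them when fed a real "vol ... windows.pslist" pipe).
PSLIST_SAMPLE='Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0x89c037f8 55 245 N/A False N/A N/A Disabled
368 4 smss.exe 0x89965020 3 19 N/A False 2023-02-14 04:54:15.000000 UTC N/A Disabled
1880 1484 taskmgr.exe 0x89a0b2f0 0 - 0 False 2023-02-13 18:25:15.000000 UTC 2023-02-13 18:26:21.000000 UTC Disabled
964 1484 rootkit.exe 0x899dd740 0 - 0 False 2023-02-13 18:25:26.000000 UTC 2023-02-13 18:25:26.000000 UTC Disabled
276 1484 DumpIt.exe 0x89a0fda0 1 25 0 False 2023-02-13 18:29:08.000000 UTC N/A Disabled'

# Stand-alone run over the sample. On a real image replace the printf with:
#   vol -f IMAGE.raw windows.pslist | terminated_processes
echo "Exited before acquisition:"
printf '%s\n' "$PSLIST_SAMPLE" | terminated_processes
echo "Still running at acquisition:"
printf '%s\n' "$PSLIST_SAMPLE" | active_processes
```

The two functions take the plain (non-pretty) renderer's whitespace-separated rows on stdin, so they can be dropped straight after a vol pipe; the numeric-PID guard on column one is what skips the banner, progress, and header lines.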
What is the UserAssist artifact?
UserAssist is a feature in Windows that tracks the usage of executable files and applications launched by the user. It stores this information in the Windows Registry, which forensic analysts can read to reconstruct a timeline of application usage and user activity. Specifically, it lives in the NTUSER.DAT hive under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.
What is Process Hollowing?
Process hollowing, or Hollow Process Injection, is a code injection technique in which the executable section of a legitimate process in memory is replaced with a malicious executable. This technique allows an attacker to disguise malware as a legitimate process and execute malicious code. The advantage of this technique is that the path of the hollowed process still points to the legitimate path, and, by executing within the context of a legitimate process, the malware can bypass firewalls and host intrusion prevention systems. For example, if the svchost.exe process is hollowed out, the path will still point to the legitimate executable path (C:\Windows\system32\svchost.exe …
Mutex object
Mutex (a.k.a. mutant) objects, which are frequently used by legitimate software, can also help defenders discover the presence of malicious programs on the system. Incident responders can examine the infected host or reverse-engineer malware to identify mutex names used by the specimen, which will allow them to define the signs of the infection (a.k.a. indicators of compromise). Let’s take a look at how mutex objects are used and what tools are available to identify them on a system.
Retrieving hostname
Start by listing the hives to get the offset of the one in which the hostname is stored:
$ vol -f memory.vmem hivelist
Volatility 3 Framework 2.26.2
Progress: 100.00 PDB scanning finished
Offset FileFullPath File output
0x8a0d91490000 Disabled
0x8a0d9148a000 \REGISTRY\MACHINE\SYSTEM Disabled
0x8a0d91530000 \REGISTRY\MACHINE\HARDWARE Disabled
0x8a0d91dce000 \Device\HarddiskVolume1\EFI\Microsoft\Boot\BCD Disabled
0x8a0d9187b000 \SystemRoot\System32\Config\SOFTWARE Disabled
0x8a0d91b17000 \SystemRoot\System32\Config\DEFAULT Disabled
0x8a0d91e32000 \SystemRoot\System32\Config\SECURITY Disabled
0x8a0d94b29000 \SystemRoot\System32\Config\SAM Disabled
0x8a0d94bee000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Disabled
0x8a0d94d5a000 \SystemRoot\System32\Config\BBI Disabled
0x8a0d94d86000 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Disabled
0x8a0d95359000 \??\C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\dosvcState.dat Disabled
0x8a0d95caf000 \??\C:\Windows\AppCompat\Programs\Amcache.hve Disabled
0x8a0d91b10000 \??\C:\Users\John\ntuser.dat Disabled
0x8a0d95e95000 \??\C:\Users\John\AppData\Local\Microsoft\Windows\UsrClass.dat Disabled
0x8a0d966c0000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\MicrosoftWindows.Client.CBS_120.2212.3920.0_x64__cw5n1h2txyewy\ActivationStore.dat Disabled
0x8a0d966c2000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat Disabled
0x8a0d96709000 \??\C:\Users\John\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat Disabled
0x8a0d96d61000 \??\C:\Users\John\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat Disabled
0x8a0d967dc000 \??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat Disabled
0x8a0d96d94000 \??\C:\Users\John\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat Disabled
The current computer name of the Windows image can be found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName on Windows 7, 8, and 10. In an offline hive, CurrentControlSet is only a link to one of the numbered control sets, so query ControlSet001 and pass the SYSTEM hive's offset from hivelist:
$ vol -r pretty -f memory.vmem windows.registry.printkey --offset 0x8a0d9148a000 --key 'ControlSet001\Control\ComputerName\ComputerName'
Volatility 3 Framework 2.26.2
Formatting...0.00 PDB scanning finished
| Last Write Time | Hive Offset | Type | Key | Name | Data | Volatile
* | 2023-05-22 07:00:31.000000 UTC | 0x8a0d9148a000 | REG_SZ | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName | (Default) | mnmsrvc | False
* | 2023-05-22 07:00:31.000000 UTC | 0x8a0d9148a000 | REG_SZ | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName | ComputerName | DESKTOP-38NVPD0 | False
Chaining attack
Most of the time, a malicious program will chain different applications together to gain access, retrieve information, and so on. To identify it, examine the Process ID (PID) and Parent Process ID (PPID), as in the example below:
| PID | PPID | ImageFileName | Offset(V) | Threads | Handles | SessionId | Wow64 | CreateTime | ExitTime | Audit | Cmd | Path
**** | 8108 | 3128 | Code.exe | 0x850cd13c3080 | 42 | - | 1 | False | 2024-07-23 02:28:58.000000 UTC | N/A | \Device\HarddiskVolume3\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe | "C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe" | C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe
***** | 7904 | 8108 | Code.exe | 0x850cd27a3080 | 19 | - | 1 | False | 2024-07-23 02:29:03.000000 UTC | N/A | \Device\HarddiskVolume3\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe | "C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=utility --utility-sub-type=node.mojom.NodeService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\User2\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --mojo-platform-channel-handle=3508 --field-trial-handle=1692,i,16467833647474465927,11985723710901115035,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8 | C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe
***** | 4424 | 8108 | Code.exe | 0x850cd20fa080 | 20 | - | 1 | False | 2024-07-23 02:29:03.000000 UTC | N/A | \Device\HarddiskVolume3\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe | "C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=utility --utility-sub-type=node.mojom.NodeService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\User2\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --mojo-platform-channel-handle=3532 --field-trial-handle=1692,i,16467833647474465927,11985723710901115035,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8 | C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe
***** | 1612 | 8108 | Code.exe | 0x850cd21d5080 | 19 | - | 1 | False | 2024-07-23 02:29:03.000000 UTC | N/A | \Device\HarddiskVolume3\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe | "C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe" --type=utility --utility-sub-type=node.mojom.NodeService --lang=en-US --service-sandbox-type=none --dns-result-order=ipv4first --inspect-port=0 --user-data-dir="C:\Users\User2\AppData\Roaming\Code" --standard-schemes=vscode-webview,vscode-file --enable-sandbox --secure-schemes=vscode-webview,vscode-file --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --code-cache-schemes=vscode-webview,vscode-file --mojo-platform-channel-handle=3464 --field-trial-handle=1692,i,16467833647474465927,11985723710901115035,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8 | C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe
****** | 2816 | 1612 | Code.exe | 0x850cd2811080 | 11 | - | 1 | False | 2024-07-23 02:29:06.000000 UTC | N/A | \Device\HarddiskVolume3\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe | "C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe" --max-old-space-size=3072 "c:\Users\User2\AppData\Local\Programs\Microsoft VS Code\resources\app\extensions\node_modules\typescript\lib\tsserver.js" --useInferredProjectPerProjectRoot --enableTelemetry --cancellationPipeName C:\Users\User2\AppData\Local\Temp\vscode-typescript\9d249217e63ce7e06175\tscancellation-a07770651154e5cb65a6.tmp* --globalPlugins @vsintellicode/typescript-intellicode-plugin,ms-vsintellicode-typescript --pluginProbeLocations c:\Users\User2\.vscode\extensions\visualstudioexptteam.vscodeintellicode-1.3.1,c:\Users\User2\.vscode\extensions\visualstudioexptteam.vscodeintellicode-1.3.1 --locale en --noGetErrOnBackgroundUpdate --canUseWatchEvents --validateDefaultNpmLocation --useNodeIpc | C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe
******* | 7868 | 2816 | Code.exe | 0x850cd1ba6080 | 9 | - | 1 | False | 2024-07-23 02:29:07.000000 UTC | N/A | \Device\HarddiskVolume3\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe | "C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe" "c:/Users/User2/AppData/Local/Programs/Microsoft VS Code/resources/app/extensions/node_modules/typescript/lib/typingsInstaller.js" --globalTypingsCacheLocation C:/Users/User2/AppData/Local/Microsoft/TypeScript/5.5 --enableTelemetry --typesMapLocation "c:/Users/User2/AppData/Local/Programs/Microsoft VS Code/resources/app/extensions/node_modules/typescript/lib/typesMap.json" --validateDefaultNpmLocation | C:\Users\User2\AppData\Local\Programs\Microsoft VS Code\Code.exe
****** | 4196 | 1612 | cmd.exe | 0x850cd1d83080 | 1 | - | 1 | False | 2024-07-23 02:32:35.000000 UTC | N/A | \Device\HarddiskVolume3\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Public\RuntimeBroker.exe | C:\Windows\system32\cmd.exe
| | | | | | | | | | | | " |
******* | 7864 | 4196 | conhost.exe | 0x850cd1e6a080 | 2 | - | 1 | False | 2024-07-23 02:32:35.000000 UTC | N/A | \Device\HarddiskVolume3\Windows\System32\conhost.exe | \??\C:\Windows\system32\conhost.exe 0x4 | C:\Windows\system32\conhost.exe
******* | 1224 | 4196 | RuntimeBroker. | 0x850cd1cbf300 | 4 | - | 1 | False | 2024-07-23 02:32:35.000000 UTC | N/A | \Device\HarddiskVolume3\Users\Public\RuntimeBroker.exe | C:\Users\Public\RuntimeBroker.exe | C:\Users\Public\RuntimeBroker.exe
******** | 9008 | 1224 | cmd.exe | 0x850cd1bc7080 | 3 | - | 1 | False | 2024-07-23 02:35:37.000000 UTC | N/A | - | - | -
The first Code.exe, with PID 8108, spawned a few processes; one of them spawned a cmd.exe process with PID 7864, and that cmd.exe then created the RuntimeBroker.exe process with PID 1224.
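To make a chain like the one above easier to follow, here is an added example (not part of the original notes) that reconstructs a process's ancestry from windows.pstree output in -r pretty format: it records PID, PPID, and ImageFileName for every row, then walks from a chosen PID up through its parents until it reaches a PID that is not in the table. The sample rows are a constructed, shortened version of the table above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: walk the parent chain of a PID using
# the "|"-separated rows that "vol -r pretty ... windows.pstree" prints.
# Column layout of a data row:  <depth stars> | PID | PPID | ImageFileName | ...

# Usage: ancestry PID   (pstree rows on stdin). Prints "child <- parent <- ...".
ancestry() {
    awk -F'|' -v target="$1" '
        # Data rows have a purely numeric PID in column 2; the header row and the
        # continuation row produced by a multi-line command line do not.
        $2 ~ /^[[:space:]]*[0-9]+[[:space:]]*$/ {
            pid = $2 + 0
            name = $4
            gsub(/[[:space:]]/, "", name)
            parent[pid] = $3 + 0
            image[pid] = name
        }
        END {
            chain = ""
            for (p = target; (p in image); p = parent[p]) {
                chain = chain (chain == "" ? "" : " <- ") image[p] "(" p ")"
                if (parent[p] == p) break   # guard against a self-parented row
            }
            print (chain == "" ? "PID " target " not found" : chain)
        }'
}

# Constructed sample: PID, PPID, and ImageFileName taken from the pstree table above,
# with the long Cmd/Path columns dropped. "RuntimeBroker." is truncated just as
# pstree shows it, because ImageFileName holds only the first 15 characters;
# the Path column of the real output carries the full name.
PSTREE_SAMPLE='| PID | PPID | ImageFileName | Offset(V) | Threads
**** | 8108 | 3128 | Code.exe | 0x850cd13c3080 | 42
***** | 1612 | 8108 | Code.exe | 0x850cd21d5080 | 19
****** | 2816 | 1612 | Code.exe | 0x850cd2811080 | 11
****** | 4196 | 1612 | cmd.exe | 0x850cd1d83080 | 1
| | | | |
******* | 7864 | 4196 | conhost.exe | 0x850cd1e6a080 | 2
******* | 1224 | 4196 | RuntimeBroker. | 0x850cd1cbf300 | 4
******** | 9008 | 1224 | cmd.exe | 0x850cd1bc7080 | 3'

# Stand-alone run. On a real image:
#   vol -r pretty -f memdump.dmp windows.pstree | ancestry 9008
printf '%s\n' "$PSTREE_SAMPLE" | ancestry 9008
```

Reading the chain from right to left gives the same story as the paragraph above, with each hop verified against the PPID column rather than by eye: Code.exe(8108) to Code.exe(1612) to cmd.exe(4196) to RuntimeBroker.(1224) to the final cmd.exe(9008). The walk stops at 8108 because its parent, 3128, is not among the sampled rows.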