
Memory Forensics Cheat Sheet v2.0
POCKET REFERENCE GUIDE
SANS Institute, by Chad Tilbury
http://computer-forensics.sans.org
http://forensicmethods.com

Purpose

This cheat sheet supports the SANS FOR508 Advanced Forensics and Incident Response and SANS FOR526 Memory Analysis courses. It is not intended to be an exhaustive resource for Volatility™ or other highlighted tools. Volatility™ is a trademark of Verizon. The SANS Institute is not sponsored or approved by, or affiliated with Verizon.

How To Use This Document

Memory analysis is one of the most powerful tools available to forensic examiners. This guide hopes to simplify the overwhelming number of available options. Analysis can generally be accomplished in six steps:

1. Identify Rogue Processes
2. Analyze Process DLLs and Handles
3. Review Network Artifacts
4. Look for Evidence of Code Injection
5. Check for Signs of a Rootkit
6. Extract Processes, Drivers, and Objects

We outline the most useful Volatility™ plugins supporting these six steps here. Further information is provided for:

➢ Memory Acquisition
➢ Alternate Memory Locations
➢ Converting Hibernation Files and Crash Dumps
➢ Memory Artifact Timelining
➢ Registry Analysis Plugins

Memory Acquisition

Remember to open the command prompt as Administrator.

winpmem
-o Output file location
-p <path to pagefile.sys> Include page file
-e Extract raw image from AFF4 file
-l Load driver for live memory analysis

C:\> winpmem_<version>.exe -o F:\mem.aff4
C:\> winpmem_<version>.exe F:\mem.aff4 -e PhysicalMemory -o F:\mem.raw

DumpIt
/f Output file location
/s <value> Hash function to use
/t <addr> Send to remote host (set up listener with /l)

C:\> DumpIt.exe /f F:\mem.raw /s 1

Alternate Memory Locations

Hibernation File
Compressed RAM image; available in Volume Shadow Copies
%SystemDrive%\hiberfil.sys

Page and Swap Files
%SystemDrive%\pagefile.sys
%SystemDrive%\swapfile.sys (Win8+ / 2012+)

Memory Dump
%WINDIR%\MEMORY.DMP

Converting Hibernation Files and Crash Dumps

imagecopy - Convert alternate memory sources to raw
-f Name of source file
-O Output file name
--profile Source OS from imageinfo

# vol.py imagecopy -f hiberfil.sys -O hiber.raw --profile=Win7SP1x64
# vol.py imagecopy -f MEMORY.DMP -O crashdump.raw --profile=Win2016x64_14393

Memory Artifact Timelining

The timeliner plugin parses time-stamped objects found in memory images. Output is sorted by:

➢ Process creation time
➢ Thread creation time
➢ Driver compile time
➢ DLL / EXE compile time
➢ Network socket creation time
➢ Memory resident registry key last write time
➢ Memory resident event log entry creation time

timeliner
--output-file Optional file to write output
--output=body Bodyfile format (also text, xlsx)
--type=Registry Extract registry key last write times

# vol.py -f mem.img timeliner --output-file out.body --output=body --profile=Win10x64

Registry Analysis Plugins

hivelist - Find and list available registry hives
# vol.py hivelist

hivedump - Print all keys and subkeys in a hive
-o Offset of registry hive to dump (virtual offset)
# vol.py hivedump -o 0xe1a14b60

printkey - Output a registry key, subkeys, and values
-K "Registry key path"
# vol.py printkey -K "Microsoft\Windows\CurrentVersion\Run"

dumpregistry - Extract all available registry hives
-o Extract using virtual offset of registry hive
--dump-dir Directory to save extracted files
# vol.py dumpregistry --dump-dir ./output

userassist - Find and parse userassist key values
# vol.py userassist

hashdump - Dump user NTLM and Lanman hashes
# vol.py hashdump

autoruns - Map ASEPs to running processes
-v Show everything
# vol.py autoruns -v

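The bodyfile that `timeliner --output=body` writes is the TSK 3.x "body" layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), with the artifact's single timestamp repeated in the four time slots. The script below is an added example, not part of the cheat sheet and not Volatility's own code: it parses such a bodyfile, orders the events, and pivots to a time window around one artifact (for instance a process creation), which is the usual way an examiner turns the sorted output into a narrative. The five sample lines, their PIDs, offsets, paths and epoch values are constructed for illustration; real timeliner output will carry many more entry types.

```python
"""Parse a Volatility 2 timeliner bodyfile and pivot around one artifact.

Added example; the sample lines below are constructed, not real output.
"""
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

# Constructed sample in TSK body layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime).
# Categories in square brackets follow the style timeliner uses; everything else is made up.
SAMPLE_BODY = """\
0|[PROCESS] explorer.exe PID: 1024/PPID: 980/POffset: 0x0000000005a1b2c0|0|---------------|0|0|0|1500000000|1500000000|1500000000|1500000000
0|[PROCESS] svchost.exe PID: 2200/PPID: 1024/POffset: 0x000000000abcd000|0|---------------|0|0|0|1500000300|1500000300|1500000300|1500000300
0|[PE HEADER (dll)] svchost.exe PID: 2200/PPID: 1024 c:\\users\\public\\update.dll|0|---------------|0|0|0|1499990000|1499990000|1499990000|1499990000
0|[NETWORK CONNECTION] 10.0.0.5:49152 -> 203.0.113.9:443 svchost.exe PID: 2200|0|---------------|0|0|0|1500000312|1500000312|1500000312|1500000312
0|[REGISTRY] Microsoft\\Windows\\CurrentVersion\\Run "Updater"|0|---------------|0|0|0|1500000305|1500000305|1500000305|1500000305
"""


class Event(NamedTuple):
    when: datetime      # UTC timestamp of the artifact
    category: str       # bracketed type, e.g. "PROCESS" or "REGISTRY"
    description: str    # the full name field as written by timeliner


def parse_body(text: str) -> List[Event]:
    """Parse body-format lines into Events sorted by time (oldest first)."""
    events: List[Event] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        # Split from the right so a '|' inside the free-text name field
        # (possible in registry value names) does not shift the numeric fields.
        parts = line.rsplit("|", 9)
        if len(parts) != 10:
            raise ValueError(f"line {lineno}: expected 11 fields in body format")
        head, *rest = parts
        _md5, name = head.split("|", 1)
        crtime = int(rest[-1])          # timeliner fills all four slots with the same value
        if name.startswith("[") and "]" in name:
            category = name[1:name.index("]")]
        else:
            category = "UNKNOWN"
        events.append(Event(datetime.fromtimestamp(crtime, tz=timezone.utc), category, name))
    return sorted(events, key=lambda e: e.when)


def pivot(events: List[Event], anchor_category: str, anchor_text: str,
          before: timedelta = timedelta(minutes=5),
          after: timedelta = timedelta(minutes=5)) -> List[Event]:
    """Return every event within [anchor - before, anchor + after].

    The anchor is the first event of anchor_category whose description
    contains anchor_text (e.g. a PID). Raises if no such event exists.
    """
    anchor: Optional[Event] = next(
        (e for e in events if e.category == anchor_category and anchor_text in e.description),
        None,
    )
    if anchor is None:
        raise ValueError(f"no {anchor_category} event matching {anchor_text!r}")
    lo, hi = anchor.when - before, anchor.when + after
    return [e for e in events if lo <= e.when <= hi]


def main() -> None:
    events = parse_body(SAMPLE_BODY)
    # Pivot around the creation of the svchost.exe instance with PID 2200.
    for e in pivot(events, "PROCESS", "PID: 2200"):
        print(f"{e.when.isoformat()}  {e.category:<20} {e.description}")


if __name__ == "__main__":
    main()
```

Splitting from the right with a fixed count keeps the nine trailing numeric fields aligned even when the free-text name contains a pipe, which `line.split("|")` would silently break. The window defaults (five minutes either side) are a starting point; widen them when the anchor is a DLL compile time, which can predate execution by days.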
FOR508HANDOUT_MemForensCheatSheetv2_E02_03
Getting Started with Volatility™

Getting Help
# vol.py -h (show options and supported plugins)
# vol.py plugin -h (show plugin usage)
# vol.py plugin --info (show available OS profiles)

Sample Command Line
# vol.py -f image --profile=profile plugin

Identify System Profile
imageinfo - Display memory image metadata
# vol.py -f mem.img imageinfo

Using Environment Variables
Set name of memory image (takes the place of -f)
# export VOLATILITY_LOCATION=file:///images/mem.img
Set profile type (takes the place of --profile=)
# export VOLATILITY_PROFILE=Win10x64_14393

Identify Rogue Processes

pslist - High level view of running processes
# vol.py pslist

psscan - Scan memory for EPROCESS blocks
# vol.py psscan

pstree - Display parent-process relationships
# vol.py pstree

Analyze Process DLLs and Handles

dlllist - List of loaded DLLs by process
-p Operate only on specific PIDs
# vol.py dlllist -p 1022,868

getsids - Print process security identifiers
-p Show information only for specific PIDs
# vol.py getsids -p 868

handles - List of open handles for each process
-p Show information only for specific PIDs
-t Display only handles of a certain type
   {Process, Thread, Key, Event, File, Mutant, Token, Port}
# vol.py handles -p 868 -t File,Key

Review Network Artifacts

netscan - Scan for TCP connections and sockets
# vol.py netscan
Note: Use connscan and sockscan for XP systems

Look for Evidence of Code Injection

malfind - Find injected code and dump sections
-p Show information only for specific PIDs
-o Provide physical offset of single process to scan
--dump-dir Directory to save suspicious memory sections
# vol.py malfind --dump-dir ./output_dir

ldrmodules - Detect unlinked DLLs
-p Show information only for specific PIDs
-v Verbose: show full paths from three DLL lists
# vol.py ldrmodules -p 868 -v

hollowfind - Detect process hollowing techniques
-p Show information only for specific PIDs
-D Directory to save suspicious memory sections
# vol.py hollowfind -D ./output_dir

Check for Signs of a Rootkit

psxview - Find hidden processes using cross-view
# vol.py psxview

modscan - Scan memory for loaded, unloaded, and unlinked drivers
# vol.py modscan

apihooks - Find API/DLL function hooks
-p Show information only for specific processes (PIDs)
-Q Only scan critical processes and DLLs
# vol.py apihooks

ssdt - Hooks in System Service Descriptor Table
# vol.py ssdt | egrep -v '(ntoskrnl|win32k)'

driverirp - Identify I/O Request Packet (IRP) hooks
-r Analyze drivers matching REGEX name pattern
# vol.py driverirp -r tcpip

idt - Display Interrupt Descriptor Table
# vol.py idt

Extract Processes, Drivers, and Objects

dlldump - Extract DLLs from specific processes
-p Dump DLLs only for specific PIDs
-b Dump DLL using base offset
-r Dump DLLs matching REGEX name
--dump-dir Directory to save extracted files
# vol.py dlldump --dump-dir ./output -r metsrv

moddump - Extract kernel drivers
-o Dump driver using offset address (from modscan)
-r Dump drivers matching REGEX name
--dump-dir Directory to save extracted files
# vol.py moddump --dump-dir ./output -r gaopdx

procdump - Dump process to executable sample
-p Dump only specific PIDs
-o Specify process by physical memory offset
--dump-dir Directory to save extracted files
# vol.py procdump --dump-dir ./output -p 868

memdump - Extract every memory section into one file
-p Dump memory sections from these PIDs
--dump-dir Directory to save extracted files
# vol.py memdump --dump-dir ./output -p 868

filescan - Scan memory for FILE_OBJECT handles
# vol.py filescan

dumpfiles - Extract FILE_OBJECTs from memory
-Q Dump using physical offset of FILE_OBJECT
-r Extract using a REGEX (add -i for case insensitive)
-n Add original file name to output name
--dump-dir Directory to save extracted files
# vol.py dumpfiles -n -i -r \\.exe --dump-dir=./

svcscan - Scan for Windows Service record structures
-v Show service DLL for svchost instances
# vol.py svcscan -v

cmdscan - Scan for COMMAND_HISTORY buffers
# vol.py cmdscan

consoles - Scan for CONSOLE_INFORMATION output
# vol.py consoles

