Hack Like a Pro: Digital Forensics for the Aspiring Hacker, Part 15 (Parsing Out Key Info from Memory)

Welcome back, my budding hackers!

Digital forensics is one of IT's fastest-growing disciplines. All hackers should be familiar with digital forensics if for no other reason than to protect themselves. More than one hacker has been apprehended because they were unaware of the evidence trail they left behind.

In my previous tutorial in this series, we looked at how to grab a forensic image of the RAM and pagefile.sys of a Windows system. We then used the open-source tool Volatility on our Kali OS to parse the type of image and the registry hives.

In this tutorial, we will look for other information in that image that we can parse out and that may have forensic significance. As we know, there is a voluminous amount of information in the RAM of a running system that can reveal what the suspect was doing at the time of the system capture. This includes, of course, much of the same information we can get from Sysinternals on a running system, but here we are working with a memory image and not a running system. In most forensic investigations of a suspect's computer, we are working with a forensic image of the RAM and not the running system.

Before we start here, I am assuming that you have captured the memory image with one of the many memory-capturing tools such as FTK Imager and have parsed out the profile from the image with Volatility.

Parsing out the image profile is crucial, as each operating system stores information in different places in RAM. Volatility needs to know the profile (OS, service pack, and architecture) to know where to look in the memory image for the necessary information. If you put in the wrong profile information, Volatility will throw errors telling you it can't parse the information properly. In that case, try another image profile. Unfortunately, the image profile that this tool provides is not always correct.

Step 1: Getting the List of Processes

As our first step, let's see if we can find the processes that the suspect had running when we captured the RAM image. We can do this by typing:

kali > python vol.py --profile Win7SP1x64 pslist -f /root/Desktop/memdump.mem

Let's break that down:

  • python is the interpreter.
  • vol.py is the name of the Volatility script.
  • --profile Win7SP1x64 is the profile of the system the memory image was captured from.
  • pslist is the plugin to parse out the running processes.
  • -f /root/Desktop/memdump.mem is the location of the image file.

As you can see, Volatility has parsed out all the running processes. To gather even more information from the RAM image, we can use exactly the same command as above with the exception of changing the name of the plugin.

To get a list of available plugins you could use, type:

kali > python vol.py -h

Step 2: Getting the Running DLLs

To view the DLLs loaded by the running processes on the system, we simply use the dlllist plugin like below:

kali > python vol.py --profile Win7SP1x64 dlllist -f /root/Desktop/memdump.mem

As you can see, Volatility parsed out a list of all the DLLs loaded by the running processes.

Step 3: Getting the Contents of the System's Clipboard

Sometimes, what the suspect had in their clipboard can be incriminating. We can retrieve the information from the suspect's RAM by using the clipboard plugin like below.

kali > python vol.py --profile Win7SP1x64 clipboard -f /root/Desktop/memdump.mem

Unfortunately, all this information is in hexadecimal and must be translated to ASCII.
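
The hex-to-text conversion mentioned above, as an added example that is not part of the original tutorial. It assumes the hex dump has been saved in an "offset, hex bytes, ascii" layout and that the data is Windows clipboard text (UTF-16LE for CF_UNICODETEXT, single-byte ANSI for CF_TEXT); the sample dump, its addresses, and the function names are constructed for illustration.

```python
import re

# Constructed sample: a hex dump in an assumed "offset  hex bytes  ascii" layout.
# Addresses and contents are made up for this example.
SAMPLE_DUMP = """\
0xfffff900c1a2b3c0  6e 00 6f 00 74 00 65 00 73 00 20 00 66 00 6f 00   n.o.t.e.s. .f.o.
0xfffff900c1a2b3d0  72 00 20 00 6d 00 6f 00 6e 00 64 00 61 00 79 00   r. .m.o.n.d.a.y.
0xfffff900c1a2b3e0  00 00                                             ..
"""

# Offset, whitespace, then hex pairs separated by single spaces. The match
# stops at the wider gap before the ASCII column, so that column is ignored.
HEX_LINE = re.compile(r"^\s*(?:0x)?[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} ?)+)")


def hexdump_to_bytes(dump):
    """Collect the raw bytes from every hex-dump line; skip all other lines."""
    out = bytearray()
    for line in dump.splitlines():
        match = HEX_LINE.match(line)
        if match:
            out += bytes.fromhex(match.group(1))
    return bytes(out)


def decode_clipboard_text(data):
    """Decode Windows clipboard text: CF_UNICODETEXT (UTF-16LE) or CF_TEXT."""
    # Heuristic: Latin-script UTF-16LE has a zero high byte in most code units.
    high_bytes = data[1::2]
    looks_utf16 = len(data) >= 2 and high_bytes.count(0) >= 0.8 * len(high_bytes)
    if looks_utf16:
        even_len = len(data) - (len(data) % 2)
        text = data[:even_len].decode("utf-16-le", errors="replace")
    else:
        # CF_TEXT uses the system ANSI code page; latin-1 decodes every byte
        # without error and serves as a stand-in here.
        text = data.decode("latin-1")
    # Both formats are NUL-terminated; drop the terminator and anything after.
    return text.split("\x00", 1)[0]


if __name__ == "__main__":
    raw = hexdump_to_bytes(SAMPLE_DUMP)
    print(len(raw), "bytes ->", repr(decode_clipboard_text(raw)))
```

Header and table rows from the plugin output are skipped because they do not match the offset-plus-hex-pairs pattern, so the whole saved output can be passed in as one string.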

Step 4: Getting a Timeline of Events

Often, to prove that a suspect actually committed the action they are accused of, we may need a timeline of events that took place on that system. We can retrieve this timeline information from the memory image by using the timeliner plugin like below.

kali > python vol.py --profile Win7SP1x64 timeliner -f /root/Desktop/memdump.mem

Note that each process is time stamped.

Step 5: Looking for Malware in the Memory

Lastly, let's look for any malware running in the memory of the suspect system. Volatility has a plugin especially designed for this purpose, appropriately named malfind. We can use it like any other Volatility plugin. Simply type the same command as above but replace the name of the plugin with malfind.

kali > python vol.py --profile Win7SP1x64 malfind -f /root/Desktop/memdump.mem

As you can see, this suspect had numerous pieces of malware running on their system. This information may actually be exculpatory, as the presence of malware would indicate that someone else had control of the system and may have committed the actions the suspect is accused of.

Keep coming back, my budding hackers, as we explore the world of digital forensics. Be safe!

8 Comments

This forensics thing really has me intrigued. Keep up the good work OTW!

P.S. can you recommend me a book or something as additional study material for digital forensics? I'm really intrigued by it!

-Phoenix750

Glad you like it, Phoenix750. Probably the best book is "The Handbook for Digital Forensics and Investigations".

I agree with Phoenix, this forensics thing really really and I mean really marvels me. How investigators can know everything you do, and I believe with this knowledge as a hacker, you are going to be very difficult to catch. I have some tasks I would like to start on after my final examinations and forensics is third. In the movies, how they collect the victim's phone and analyze it and tell all sorts of things really wonders me. Thanks for laying the foundation OTW, I don't know about them but I really appreciate you especially for this part of your series.

( Perhaps you could list some aspects of the field and assign books to them for those who are interested in your future article. )

# Sergeant

Thanks Sploit! I'm glad you and Phoenix like this series. I'll keep it going!

Love this series too :D
Thanks mate!!!

Thanks a lot for your post. As an investigator on LEA, your post series really, really helps me out. Today, I decided to make an account on WTH to say thanks a lot to you, and I really, really appreciate your kindness in sharing with us.

So glad to hear you like this series. I'll keep it going if enough people like it.

Yes, keep it going, I'm loving it. I have gone through all your forensic guides. Looking at the limited number of kudos, not many people have made it this far. So those who have, good job :-). Also a big thank you OTW for such great guides, I feel very privileged to be learning from you.

Forensics should be a mandatory step before even proceeding to anything security and hacker related. I think this should be a module included in anything IT related or a prerequisite. I used to think I could build a secure network before, but after going through this, now I can really see the bigger picture. Obviously nothing is ever perfectly secure, merely in a temporary state of being secure.
