Volatility is able to read suspended states of virtual machines. The advantage of such tools is that malware, such as rootkits, that try to hide themselves from user domains can be extracted using memory forensic tools.
Extracting a memory dump can be done in several ways, depending on the requirements of the investigation:
win32dd.exe / win64dd.exe
Most tools will output a
.raw file, with some exceptions like Redline using its own agent and session structure.
For virtual machines, gathering a memory file can be done by collecting the virtual memory file from the host machine’s drive. The file extension depends on the hypervisor used:
VMWare - .vmem
Hyper-V - .bin
Parallels - .mem
VirtualBox - .sav file *this is only a partial memory file
Identifying image info and profiles
By default, Volatility comes with all existing Windows profiles from Windows XP to Windows 10.
Image profiles can be hard to determine if you don’t know exactly what version and build the machine you extracted
a memory dump from was. In some cases, a memory file with no other context can be a given. In that case, use
imageinfo plugin. It will take the provided memory dump and assign it a list of the best possible
OS profiles. OS profiles have been deprecated with Volatility3.
imageinfo is not always correct and can have varied results depending on the provided dump; use with caution
and test multiple profiles from the provided list.
To get information about what the host is running from the memory dump, use
python3 vol.py -f <file> <os>.info
Listing processes and connections
Five different plugins within Volatility allow for dumping processes and network connections.
pslist will get the list of processes from the doubly-linked list that keeps track of processes in memory. The
output from this plugin will include all current processes and terminated processes with their exit times.
python3 vol.py -f <file> windows.pslist
Some malware (rootkits), will try to hide their processes by unlinking itself from the list. By
unlinking rom the list, their processes will not be visible when using
To combat this evasion technique, we can use
psscan. This technique of listing processes will locate processes
by finding data structures that match
_EPROCESS. But, it can also cause false positives.
python3 vol.py -f <file> windows.psscan
pstree does not offer any other kind of special techniques to help identify evasion like the last two plugins.
This plugin will list all processes based on parent process ID, using the same methods as
pslist. This can be
useful for an analyst to get a full story of the processes and what may have been occurring at the time of extraction.
python3 vol.py -f <file> windows.pstree
netstat will attempt to identify all memory structures with a network connection.
python3 vol.py -f <file> windows.netstat
This volatility3 command can be unstable, particularly for old Windows builds. Use other tools like
bulk_extractor to extract a
PCAP file from the memory file.
In some cases, this is preferred in network connections that cannot be identified from Volatility alone.
dlllist will list all
DLLs associated with processes at the time of extraction. This can be useful when having
done further analysis: filter output to a specific DLL that might be an indicator for a specific type of malware
believed to be present on the system.
python3 vol.py -f <file> windows.dlllist
Hunting and detection capabilities
Although Volatility offers many commands useful for hunting for malware or other anomalies within a system’s memory, a few are designed specifically for hunting rootkits and malicious code. The most comprehensive documentation for these commands can be found in the Malware Analyst’s Cookbook and DVD: Tools and Techniques For Fighting Malicious Code.
Real world memory forensics
When dealing with an advanced adversary, you may encounter malware, most of the time rootkits that will employ very nasty evasion measures that will require you as an analyst to dive into the drivers, mutexes, and hooked functions. A number of modules can help us in this journey to further uncover malware hiding within memory.
The first evasion technique we will be hunting is hooking; there are five methods of hooking employed by adversaries:
Focusing on hunting
SSDT hooking (for now) as this one of the most common techniques when dealing with malware
evasion and the easiest plugin to use with the base volatility plugins.
SSDT stands for System Service Descriptor Table. The Windows kernel uses this table to look up system functions.
An adversary can hook into this table and modify pointers to point to a location the rootkit controls.
There can be hundreds of table entries: analyse the output further or compare against a baseline. A suggestion is to use this plugin after investigating the initial compromise and working off it as part of your lead investigation.
Syntax: python3 vol.py -f <file> windows.ssdt
Adversaries will also use malicious driver files as part of their evasion. Volatility offers two plugins to list drivers.
modules plugin will dump a list of loaded kernel modules; this can be useful in identifying active malware.
If a malicious file is idly waiting or hidden, this plugin may miss it.
This plugin is best used once you have further investigated and found potential indicators to use as input for searching and filtering.
python3 vol.py -f <file> windows.modules
driverscan plugin will scan for drivers present on the system at the time of extraction. This plugin can help
identify driver files in the kernel that the modules plugin might have missed or which were hidden.
It is recommended to have a prior investigation before moving on to this plugin. It is also recommended to look
modules plugin before
python3 vol.py -f <file> windows.driverscan
In most cases,
driverscan will come up with nothing.
Other plugins which can be helpful when attempting to hunt for advanced malware in memory:
Some of these are only present on Volatility2 or are part of third-party plugins.