TryHackMe — Profiles Write-Up

lukewago
7 min read, May 19, 2024


VOLATILITY 101

What Is Volatile Data:

In computer forensics, volatile data refers to information that is temporarily stored in a computer’s memory (RAM) and can be easily lost or altered when the computer is powered off or restarted.

Volatile data is crucial for digital investigators because it provides a snapshot of the computer’s state at the time of an incident.

Any incident responder should be aware of what volatile data is.

The reason is that when looking into a compromised device, an initial reaction might be to turn it off to contain the threat.

Some examples of volatile data are running processes, network connections, and RAM contents.

“Volatile data is not written to disk and is constantly changing in memory.”

The issue here is that the malware will have been running in memory, so powering the device off destroys the network connections and running processes it spawned, along with any other evidence that existed only in RAM.

What Is Memory Forensics:

Memory forensics, also known as volatile memory analysis or random access memory (RAM) forensics, is a branch of digital forensics.

It involves the examination and analysis of a computer’s volatile memory (RAM) to uncover digital evidence and artefacts related to computer security incidents, cybercrimes, and other forensic investigations.

This differs from hard disk forensics, where all files on the disk can be recovered and then studied.

Memory forensics focuses on the programs that were running when the memory dump was created.

This type of data is valuable evidence, and it is volatile because it is destroyed when the computer is turned off.

What Is a Memory Dump:

A memory dump is a snapshot of memory that has been captured to perform memory analysis.

It will contain data relating to running processes captured when the memory dump was created.

Benefits of Memory Forensics:

  1. Memory forensics offers valuable benefits in digital investigations by capturing real-time data from a computer’s volatile memory.
  2. It provides rapid insight into ongoing activities, detects stealthy threats, captures volatile data like passwords, and allows investigators to understand user actions and system states during incidents — all without altering the target system.
  3. Memory forensics helps confirm malicious actors’ activities by analysing a computer system’s volatile memory to uncover evidence of unauthorised or malicious actions.
  4. It provides crucial insights into the attacker’s tactics, techniques, and potential indicators of compromise (IOCs).

Another thing to keep in mind is that capturing a hard disk image of a device can be time-consuming.

“Then, you have to consider the problem of transferring the image, which could be hundreds of gigabytes in size, and that’s before you even consider how long the analysis will take the incident response (IR) team.”

This is where memory analysis really helps the IR team: capturing a memory dump from a device is much faster, and the resulting image is far smaller, roughly the size of the device’s RAM.

Suppose we prioritise RAM over a hard disk image.

In that case, the IR team can start analysing the memory dump for IOCs while the hard drive is still being imaged.

What Are Processes:

A process is an independent, self-contained unit of execution within an operating system that consists of its own program code, data, memory space, and system resources.

“Imagine your computer as a busy chef in a kitchen.

The chef can cook multiple dishes simultaneously, but to keep things organised, they use separate cooking stations for different tasks.

Let them cook!

Each cooking station has its own ingredients, pots, and pans.

These cooking stations represent what we call “processes” in a computer.

This is crucial in memory forensics because knowing the processes that were running during the capture of the memory dump will tell us what programs were also running at that time.”

Volatility:

Volatility is a command-line tool that lets digital forensics and incident response teams analyse a memory dump in order to perform memory analysis.

Volatility is written in Python, and it can analyse memory snapshots taken from Linux, macOS, and Windows.

Volatility has a wide range of use cases, including the following:

  • Listing any active and closed network connections.
  • Listing a device’s running processes at the time of capture.
  • Listing possible command line history values.
  • Extracting possible malicious processes for further analysis.
  • And the list keeps on going.

Installing Volatility (the easy way):

Head over to hadrian3689 on GitHub and git clone the Volatility install repository, then run bash install.sh. Afterwards, check Volatility 2 with vol.py -h and Volatility 3 with vol -h.

The install script has been written to pull in all the requirements for a successful Volatility install. You can (and should) read through it before running it!

It saves us the manual dependency installation steps.

Give it some time to install the dependencies…

Next, let’s learn how to build Volatility Linux profiles:

First, let’s get the kernel version of the system our memory dump came from. The profile must match that kernel exactly, not the kernel of the machine we build on; for this room it is 5.4.0-166-generic.

git clone https://github.com/volatilityfoundation/volatility

cd volatility/tools/linux/

Now, 💡 replace the automatic kernel detection in the Makefile (it runs uname -r, which would pick up the build machine’s kernel) with a static value, which is your target Linux kernel, in this case 5.4.0-166-generic…

sed -i 's/$(shell uname -r)/5.4.0-166-generic/g' Makefile

Now here is where everyone… no… mostly I got stuck: doing an in-place substitution with sed in the file named Makefile.

The problem is in the substitution expression, mainly the delimiter between its different parts….

If we use the command above as written:

Notice that the action (substitute ‘$(shell uname -r)’ with our kernel) did not seem to work!

This is where everyone is going crazy: https://tryhackme.com/r/room/profilesroom

THE RIGHT WAY!

To include a literal dollar sign in the search pattern, you need to escape it with a backslash (\$); that removes any ambiguity about whether sed treats the $ as an end-of-line anchor rather than the literal character in the Makefile. The working command is:

sed -i 's/\$(shell uname -r)/5.4.0-166-generic/g' Makefile

Therefore, make sure the kernel version has actually been imprinted onto the Makefile before building, and that the command was typed with straight ASCII quotes and hyphens: smart quotes (‘ ’) copied from a web page break the shell quoting, and an en dash in 5.4.0–166-generic looks right but names a kernel that does not exist, so make will not find its headers.

Next, start an Ubuntu 20.04 container with the current directory mounted into it:

docker run -it --rm -v $PWD:/volatility ubuntu:20.04 /bin/bash

  1. The clone and the Makefile edit have already been done on the host.
  2. The Linux kernel version is the target’s (5.4.0-166-generic), not the build machine’s.
  3. The Ubuntu version in the docker command is the target operating system’s (20.04), because the container has to install that release’s kernel packages.
  4. This is where number (3) is needed: the ubuntu:20.04 image tag, while -v mounts our tools/linux directory at /volatility inside the container.
  5. Inside the container, update the package lists and install the required packages.

Next, inside the container, cd to /volatility and run make. Ensure module.dwarf is there, then bundle it with the target kernel’s System.map:

zip Ubuntu2004.zip module.dwarf /boot/System.map-5.4.0-166-generic

Exit the container, then copy the profile zip into the volatility/plugins/overlays/linux path and ensure it is there.

Test it to verify that Volatility indeed picks it up.
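To make the profile-building procedure above repeatable, here is an added shell example (my own, not part of the original write-up or the Volatility project). pin_kernel_version performs the Makefile edit with the escaped dollar sign, rejects a kernel release string containing anything other than ASCII letters, digits, dots, underscores and hyphens (so a copied en dash fails loudly instead of producing a bogus Makefile), and confirms the substitution landed. build_profile then chains the Docker build, zip and copy steps; it needs Docker and network access, and the package names it installs (build-essential, dwarfdump, zip, and the linux-headers and linux-image packages for the target release) are my assumptions, as is running vol.py with python2. The sample Makefile is constructed for testing and only mirrors the two dynamic lines of the real one.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up or the Volatility project:
# pin the target kernel release in tools/linux/Makefile the way the steps
# above describe, verify the edit, and (given Docker) build the profile zip.
set -eu

# Constructed stand-in for the two lines of Volatility 2's tools/linux/Makefile
# that detect the kernel dynamically. A sample for testing, not the real file.
# Usage: write_sample_makefile <path>
write_sample_makefile() {
    printf 'obj-m += module.o\nKDIR ?= /lib/modules/$(shell uname -r)\nKVER ?= $(shell uname -r)\n\nall: dwarf\n' > "$1"
}

# Replace every "$(shell uname -r)" in a Makefile with a fixed kernel release.
# Usage: pin_kernel_version <Makefile> <kernel-release>
pin_kernel_version() {
    local makefile="$1" kver="$2"

    # Kernel release strings are plain ASCII. A copied en dash in
    # "5.4.0–166-generic" looks right but names a kernel that does not exist,
    # so refuse anything outside [A-Za-z0-9._-] before touching the file.
    case "$kver" in
        *[!A-Za-z0-9._-]*)
            echo "pin_kernel_version: unexpected character in '$kver'" >&2
            return 2 ;;
    esac

    # Single quotes keep the shell from expanding $(shell uname -r) itself;
    # the backslash makes the $ an ordinary character to sed rather than an
    # anchor. Parentheses are literal in basic regex, so they stay unescaped.
    # The validated release is spliced in outside the single quotes.
    sed -i 's/\$(shell uname -r)/'"$kver"'/g' "$makefile"

    # "Make sure the kernel version has been imprinted on the Makefile":
    # no dynamic detection left, and the target release present.
    if grep -qF '$(shell uname -r)' "$makefile"; then
        echo "pin_kernel_version: dynamic kernel detection still present" >&2
        return 1
    fi
    grep -qF -- "$kver" "$makefile"
}

# Build the profile inside an Ubuntu 20.04 container and install it. Needs
# Docker and network access, so it is documented here rather than exercised.
# Usage: build_profile <volatility-checkout-dir> <kernel-release> <zip-name>
build_profile() {
    local vol_dir="$1" kver="$2" zip_name="$3" abs
    abs=$(cd "$vol_dir" && pwd)   # Docker bind mounts need an absolute path

    pin_kernel_version "$abs/tools/linux/Makefile" "$kver"

    # Assumed package set: linux-headers-<kver> provides the build tree that
    # make needs; linux-image-<kver> (with its modules) provides
    # /boot/System.map-<kver>. Adjust if your distribution names them differently.
    docker run --rm -v "$abs/tools/linux:/volatility" ubuntu:20.04 /bin/bash -c "
        set -e
        apt-get update
        DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential dwarfdump zip \
            linux-headers-$kver linux-image-$kver
        cd /volatility
        make
        test -s module.dwarf
        zip $zip_name module.dwarf /boot/System.map-$kver"

    # Volatility 2 picks up Linux profiles from zips in this overlays directory
    # (volatility/ here is the Python package inside the checkout).
    cp "$abs/tools/linux/$zip_name" "$abs/volatility/plugins/overlays/linux/"

    # vol.py is Python 2; the profile is named Linux<zip basename>x64.
    python2 "$abs/vol.py" --info | grep -i "${zip_name%.zip}"
}
```

The sed -i form used here is GNU sed (BSD sed wants -i ''). From the directory containing the checkout, the whole procedure is build_profile ./volatility 5.4.0-166-generic Ubuntu2004.zip; pin_kernel_version can be run on its own first to check the Makefile edit before spending time on the container build.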

ANALYSIS:

If we run vol.py --info | grep Ubuntu, we get our newly created profile (Volatility names it after the zip file) for analysis…

Then we can run this profile against the memory dump, passing it with --profile and the dump file with -f…

Let’s try linux_bash. It answers Question 1, Question 2 and (half of) Question 3:

We get some credentials!

The root password is exposed in the bash history.

The bash history also shows roughly when the users.db file was accessed.

We discovered a suspicious entry; let’s enumerate it, because when we tried to list it with linux_pslist it was missing…

We use linux_enumerate_files.

QUESTION 3:

We use linux_find_files to locate the suspicious file and dump it out of the memory image.

*** We can now get the MD5 hash of the malicious file we recovered…

QUESTION 4:

IP address and port of the malicious actor? Format is IP:Port:

We can run strings against the malicious file to get the IP.

*** Then we use linux_netstat to confirm that IP and find the port it was talking to….
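The hash-and-strings steps for Questions 3 and 4, as an added shell example (mine, not from the write-up): file_md5 produces the hash asked for in Question 3, and embedded_ipv4 extracts candidate IPv4 and IPv4:port strings from a file dumped with linux_find_files, limiting each octet to 0 to 255 so that random bytes are less likely to look like an address. It assumes GNU grep and coreutils md5sum; the sample file it writes is constructed, not taken from the room. Anything it reports is a lead to confirm against linux_netstat, not an answer on its own.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: triage a file recovered with
# linux_find_files. Hash it for the answer field, then list the IPv4 (and
# IPv4:port) strings it embeds, which is the manual `strings | grep` step
# made repeatable. Assumes GNU grep and coreutils md5sum.
set -eu

# Constructed sample (not a real artefact): ELF-like junk bytes around a
# C2-style address, plus a decoy with an out-of-range octet.
# Usage: write_sample_file <path>
write_sample_file() {
    printf 'ELF\000\000connect to 203.0.113.45:4444\000\377\376 999.1.2.3\000' > "$1"
}

# MD5 of a recovered file, hash only (no filename), for the room's answer field.
# Usage: file_md5 <path>
file_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# Unique IPv4 or IPv4:port strings in a file. Each octet is limited to 0-255,
# so a run of digits such as 999.1.2.3 from random bytes is not reported.
# -a makes grep treat the binary as text, -o prints only the match; the
# leading separator captured by (^|[^0-9.]) is trimmed by sed. Dotted version
# strings such as 5.4.0.166 still pass, so treat hits as leads, not answers.
# Usage: embedded_ipv4 <path>
embedded_ipv4() {
    local octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    grep -aoE "(^|[^0-9.])${octet}(\\.${octet}){3}(:[0-9]{1,5})?" "$1" \
        | sed 's/^[^0-9]//' \
        | sort -u
}
```

Run embedded_ipv4 on the dumped file, then look for each reported address in the linux_netstat output; the connection that matches gives the port for the IP:Port answer.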

QUESTION 5 AND QUESTION 6:

  1. The full path of the cronjob file and its inode number? Format is filename:inode number:
  2. The command found inside the cronjob file.

Well, that’s all folks… till next time…
