Chapter 7. Using Python for Memory Forensics

Now that you have performed investigations in the infrastructure (refer to Chapter 4, Using Python for Network Forensics), on common IT equipment (refer to Chapter 3, Using Python for Windows and Linux Forensics), and even in the virtualized (refer to Chapter 5, Using Python for Virtualization Forensics) and mobile worlds (refer to Chapter 6, Using Python for Mobile Forensics), in this chapter we will show you how to investigate volatile memory with the help of Volatility, a Python-based forensics framework, on the following platforms:

  • Android
  • Linux

After showing you some basic Volatility plugins for Android and Linux, and how to obtain the RAM dump required for analysis, we will go hunting for malware in RAM. To do so, we will use YARA rules, which are based on pattern matching, and combine them with the power of Volatility.

Understanding Volatility basics

In general, memory forensics follows the same pattern as other forensic investigations:

  1. Selecting the target of the investigation.
  2. Acquiring forensic data.
  3. Forensic analysis.

In the previous chapters, we already presented various techniques for selecting the target of an investigation, for example, starting from a system with unusual settings in the virtualization layer.

The acquisition of forensic data for memory analysis depends heavily on the environment, and we will discuss it in the Using Volatility on Linux and Using Volatility on Android sections of this chapter.

Tip

Always consider the virtualization layer as a data source

Acquiring memory from a running operating system always requires administrative access to that system, and it is an intrusive process: the act of acquisition itself changes the memory contents. Moreover, advanced malware is capable of manipulating the memory management of the operating system to prevent its acquisition. Therefore, always check whether the memory can be acquired at the hypervisor layer instead, as described in Chapter 5, Using Python for Virtualization Forensics.

By far the most prominent tool for the analysis of memory data is Volatility, which is available from the Volatility Foundation at http://www.volatilityfoundation.org/.

The tool is written in Python and can be used free of charge under the terms of the GNU General Public License (GPL) version 2. Volatility is able to read memory dumps in various file formats, for example, hibernation files, raw memory dumps, VMware memory snapshot files, and the Linux Memory Extractor (LiME) format produced by the LiME kernel module, which will be discussed later in this chapter.
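To make the LiME format concrete, the following parser is an added example written for this chapter; it is not code from the book, the LiME project, or Volatility. It relies only on the on-disk layout of the LiME file format (version 1): a sequence of segments, each consisting of a 32-byte little-endian header (magic 0x4C694D45, version, start address, inclusive end address, 8 reserved bytes) followed by the raw bytes of that physical memory range. The sample dump is constructed inline so that the code runs offline.

```python
"""Minimal parser for the LiME memory dump format (added example).

A LiME file is a sequence of segments. Each segment is a 32-byte header
followed by the raw contents of one physical memory range. Physical
memory is usually not contiguous (holes for MMIO, the legacy area below
1 MiB on x86, and so on), so the segment table is what lets an analysis
tool translate a physical address into a file offset.
"""
import struct

LIME_MAGIC = 0x4C694D45                   # appears as the bytes b"EMiL" in the file
LIME_HEADER = struct.Struct("<IIQQQ")     # magic, version, s_addr, e_addr, reserved[8]


def parse_lime(data):
    """Return [(s_addr, e_addr, file_offset_of_payload), ...] for every segment.

    e_addr is inclusive, so a segment holds e_addr - s_addr + 1 bytes.
    Raises ValueError on a malformed or truncated file instead of
    silently returning a partial table.
    """
    segments = []
    off = 0
    while off < len(data):
        if off + LIME_HEADER.size > len(data):
            raise ValueError("truncated LiME header at offset %d" % off)
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset %d" % (magic, off))
        if version != 1:
            raise ValueError("unsupported LiME version %d" % version)
        if e_addr < s_addr:
            raise ValueError("segment at offset %d has end < start" % off)
        length = e_addr - s_addr + 1
        body = off + LIME_HEADER.size
        if body + length > len(data):
            raise ValueError("segment at offset %d runs past end of file" % off)
        segments.append((s_addr, e_addr, body))
        off = body + length
    return segments


def read_physical(data, segments, paddr, size):
    """Read `size` bytes at physical address `paddr` via the segment table.

    Returns None when the requested range is not fully inside one segment,
    which is how a hole in physical memory shows up to the analyst.
    """
    for s_addr, e_addr, body in segments:
        if s_addr <= paddr and paddr + size - 1 <= e_addr:
            start = body + (paddr - s_addr)
            return data[start:start + size]
    return None


def make_segment(s_addr, payload):
    """Build one LiME segment around constructed payload bytes (for the sample)."""
    e_addr = s_addr + len(payload) - 1
    return LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, e_addr, 0) + payload


# Constructed sample dump (not a real capture): two ranges with a hole
# between 0x100 and 0x1000, plus a recognisable marker in the second range.
SAMPLE = (make_segment(0x0000, b"A" * 0x100) +
          make_segment(0x1000, b"B" * 0x40 + b"\xde\xad\xbe\xef"))

if __name__ == "__main__":
    segs = parse_lime(SAMPLE)
    for s_addr, e_addr, body in segs:
        print("range 0x%x-0x%x at file offset 0x%x" % (s_addr, e_addr, body))
    print(read_physical(SAMPLE, segs, 0x1040, 4))
```

Running the parser over a real LiME dump gives the same segment table that Volatility's address space layer builds internally; the important point for a practitioner is that a physical address which falls into a hole is not an error in the dump, it is simply memory that was never captured.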

The most important terms in the Volatility world are as follows:

  • Profile: A profile tells Volatility how to interpret the memory image: where the kernel's symbols are located and how its data structures are laid out (member offsets and sizes). The profile therefore depends on the operating system, especially the exact OS kernel build, the machine, and the CPU architecture; a profile for the wrong kernel build yields wrong or no results. Volatility ships with a variety of profiles for the most common use cases. In the Using Volatility on Linux section of this chapter, we will describe how to create your own profiles.
  • Plugin: Plugins perform the actual analysis of the memory dump. Every Volatility command that you use calls a plugin to perform the corresponding action. For example, to get a list of all the processes that were running when the memory dump of a Linux system was taken, the linux_pslist plugin is used.

Volatility provides comprehensive documentation, and we recommend that you get familiar with all the plugin descriptions to get the most out of Volatility.
