Now that you have performed investigations in the infrastructure (refer to Chapter 4, Using Python for Network Forensics), on common IT equipment (refer to Chapter 3, Using Python for Windows and Linux Forensics), and even in the virtualized (refer to Chapter 5, Using Python for Virtualization Forensics) and mobile worlds (refer to Chapter 6, Using Python for Mobile Forensics), in this chapter we will show you how to investigate volatile memory with the help of Volatility, a Python-based forensics framework, on the following platforms:
After introducing some basic Volatility plugins for Android and Linux and showing how to obtain the RAM dump required for analysis, we will go hunting for malware in RAM. To do so, we will use YARA rules, which are based on pattern matching, and combine them with the power of Volatility.
In general, memory forensics follows the same pattern as other forensic investigations:
In the previous chapters, we already presented various techniques for selecting the target of an investigation, for example, starting from a system with unusual settings in the virtualization layer.
The acquisition of forensic data for memory analysis depends heavily on the environment; we will discuss it in the Using Volatility on Linux and Using Volatility on Android sections of this chapter.
Always consider the virtualization layer as a data source
Acquiring memory from a running operating system always requires administrative access to that system, and it is an intrusive process: the act of acquisition itself changes the memory contents. Moreover, advanced malware is capable of manipulating the memory management of the operating system to prevent its acquisition. Therefore, always check whether the memory can be acquired at the hypervisor layer instead, as described in Chapter 5, Using Python for Virtualization Forensics, and prefer that route when it is available.
By far the most prominent tool for the analysis of memory data is Volatility. Volatility is available from the Volatility Foundation at http://www.volatilityfoundation.org/.
The tool is written in Python and can be used free of charge under the terms of the GNU General Public License (GPL) version 2. Volatility can read memory dumps in various file formats, for example hibernation files, raw memory dumps, VMware memory snapshot files, and the Linux Memory Extractor (LiME) format, which is produced by the LiME kernel module discussed later in this chapter.
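To make the LiME format and the "hunting with patterns" idea concrete, here is an added example that is not code from the book or from the Volatility project. It parses the segment headers of a LiME dump, maps physical addresses to file offsets (the translation Volatility's LiME address space performs), and then runs a byte-pattern scan over the mapped memory, which is the same address-space walk a YARA scan over a dump has to do. The header layout it relies on (a 32-byte header per segment: magic 0x4C694D45, version 1, start and end physical address, 8 reserved bytes, followed by the segment data) is the documented LiME format; the two-segment dump is constructed inline, and the function names and the sample strings are the example's own.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

LIME_MAGIC = 0x4C694D45      # the bytes "EMiL" read as a little-endian u32
LIME_VERSION = 1
HEADER_FMT = "<IIQQ8s"       # magic, version, start addr, end addr, reserved
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 32 bytes


@dataclass
class LimeSegment:
    start: int        # first physical address covered by the segment
    end: int          # last physical address covered (inclusive)
    file_offset: int  # offset in the dump where the segment's data begins

    @property
    def size(self) -> int:
        return self.end - self.start + 1

    def contains(self, paddr: int) -> bool:
        return self.start <= paddr <= self.end


def parse_lime(dump: bytes) -> List[LimeSegment]:
    """Walk all segment headers in a LiME dump and return the segment table.

    A bad magic, unknown version, inverted or overlapping range, or a segment
    that runs past the end of the file raises ValueError: these are the
    acquisition failures you want to catch before trusting any analysis result.
    """
    segments: List[LimeSegment] = []
    pos = 0
    while pos < len(dump):
        if len(dump) - pos < HEADER_SIZE:
            raise ValueError(f"truncated header at offset {pos:#x}")
        magic, version, s_addr, e_addr, _ = struct.unpack_from(HEADER_FMT, dump, pos)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {pos:#x}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"inverted range {s_addr:#x}-{e_addr:#x}")
        if segments and s_addr <= segments[-1].end:
            raise ValueError(f"segment {s_addr:#x} overlaps or precedes the previous one")
        data_off = pos + HEADER_SIZE
        size = e_addr - s_addr + 1
        if data_off + size > len(dump):
            raise ValueError(f"segment {s_addr:#x}-{e_addr:#x} runs past end of file")
        segments.append(LimeSegment(s_addr, e_addr, data_off))
        pos = data_off + size
    return segments


def paddr_to_offset(segments: List[LimeSegment], paddr: int) -> Optional[int]:
    """Translate a physical address to a file offset; None if it lies in a hole."""
    for seg in segments:
        if seg.contains(paddr):
            return seg.file_offset + (paddr - seg.start)
    return None


def scan(dump: bytes, segments: List[LimeSegment], pattern: bytes) -> List[int]:
    """Search every segment for a regex byte pattern; report physical addresses.

    Scanning segment by segment (rather than the raw file) keeps the 32-byte
    headers out of the search and lets each hit be reported as a physical address.
    """
    rx = re.compile(pattern)
    hits = []
    for seg in segments:
        data = dump[seg.file_offset:seg.file_offset + seg.size]
        hits.extend(seg.start + m.start() for m in rx.finditer(data))
    return hits


def build_sample_dump() -> bytes:
    """Constructed sample: segment 0x1000-0x1fff, a hole, then segment 0x3000-0x30ff."""
    seg1 = bytearray(0x1000)
    seg1[0x200:0x209] = b"/bin/bash"      # planted string at physical 0x1200
    seg2 = bytearray(0x100)
    seg2[0x40:0x47] = b"/bin/sh"          # planted string at physical 0x3040
    out = b""
    for start, data in ((0x1000, seg1), (0x3000, seg2)):
        out += struct.pack(HEADER_FMT, LIME_MAGIC, LIME_VERSION,
                           start, start + len(data) - 1, b"\0" * 8)
        out += bytes(data)
    return out


if __name__ == "__main__":
    dump = build_sample_dump()
    segs = parse_lime(dump)
    for s in segs:
        print(f"segment {s.start:#x}-{s.end:#x} at file offset {s.file_offset:#x}")
    for hit in scan(dump, segs, rb"/bin/\w+"):
        print(f"pattern hit at physical {hit:#x}, file offset {paddr_to_offset(segs, hit):#x}")
```

Run it against a real dump by replacing `build_sample_dump()` with `open(path, "rb").read()` (or an `mmap` for large files). The hole between the two segments is deliberate: physical memory on real machines is not contiguous, and any address falling in such a gap must be reported as unmapped rather than silently read from the wrong offset, which is exactly what a naive `file.seek(paddr)` on a raw dump would get wrong.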
The most important terms in the Volatility world are as follows:
linux_pslist
plugin is used. Volatility provides comprehensive documentation, and we recommend that you familiarize yourself with all the module descriptions to get the most out of Volatility.