For about a month now, a team of students led by Forensics Intern Catherine Stamm has been working on a Volatility project at the LCDI. Volatility is an open source memory forensics framework that is capable of performing memory dumps for malware analysis, registry hive scans, and searches for hidden processes, among other things. Team members include Computer and Digital Forensic majors Daniel Doonan and David Leberfinger and programmer Connor Hicks.
This project has several different components, making the possibilities for research extensive. Since Volatility is so complex, this project has been broken up into three parts: basic commands/summary of the tool, malware analysis, and running the tool on Android.
Dan and David have been researching the most commonly used Volatility plugins and providing in-depth explanations of each. We plan to provide all the essential commands for Volatility in an organized tutorial so law enforcement and those new to forensics can easily understand this program’s potential and benefits. If we have enough time, we will also give a detailed tutorial on how to install Volatility from the source code.
Once the basics of how to install and use Volatility are covered, we will create a virtual machine for malware analysis. It is possible to infect the machine with a virus and then use Volatility to find potential locations of the virus and search for hidden DLLs in memory. After playing around with Volatility’s malfind, devicetree, and other malware plugins, we will put the virtual machine in hibernation mode. We will then image the drive, find the hiberfil.sys hive, and convert it to a memory dump file using the MoonSols Windows Memory Toolkit. We will then look for suspicious DLLs and processes to determine the type of malware on the system.
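One of the checks we will be relying on when looking for suspicious processes is the cross-reference between Volatility's pslist output (which walks the kernel's linked process list) and its psscan output (which scans physical memory for process structures): a process that is unlinked from the list still shows up in psscan. The script below is an added example and not code from the LCDI project. It assumes the column layout of Volatility 2 text output (name in the second column, PID in the third), and the two listings embedded in it are constructed sample output, not a real capture.

```python
"""Cross-check two Volatility process listings for processes that one view
shows and the other does not.  Added example; the sample output below is
constructed to mimic the Volatility 2 column layout and is not a real dump."""

# Constructed pslist-style output (linked-list walk).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------
0x85f3c020 System                    4      0     52      540 ------      0 2013-09-10
0x86a1b8c8 smss.exe                272      4      2       29 ------      0 2013-09-10
0x86c0f030 explorer.exe           1404   1372     18      601      1      0 2013-09-10
0x86d2a7e0 notepad.exe            2096   1404      1       56      1      0 2013-09-10
"""

# Constructed psscan-style output (physical-memory scan); note the extra entry.
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created
------------------ ---------------- ------ ------ ---------- ------------
0x0000000005f3c020 System                4      0 0x00185000 2013-09-10
0x0000000006a1b8c8 smss.exe            272      4 0x1e3c0020 2013-09-10
0x0000000006c0f030 explorer.exe       1404   1372 0x1f7a0300 2013-09-10
0x0000000006d2a7e0 notepad.exe        2096   1404 0x1fb40180 2013-09-10
0x0000000006e81d40 svch0st.exe        2312   1404 0x1fd80240 2013-09-10
"""


def parse_processes(listing):
    """Map PID -> process name from a pslist/psscan-style text listing.

    Assumes the Volatility 2 layout: a header line, a dashed rule, then one
    process per line with the offset first, the name second and the PID third.
    Process names containing spaces are not handled (rare in practice).
    """
    procs = {}
    for line in listing.splitlines():
        fields = line.split()
        # Skip the header, the dashed rule and blank lines: data rows start
        # with a hex offset and carry at least offset, name and PID.
        if len(fields) < 3 or not fields[0].startswith("0x"):
            continue
        name, pid = fields[1], fields[2]
        if not pid.isdigit():
            continue
        procs[int(pid)] = name
    return procs


def find_hidden(pslist_text, psscan_text):
    """Return sorted (pid, name) pairs that psscan found but pslist did not.

    A process present in physical memory but absent from the linked list is
    either a terminated process whose structure has not been reused yet or
    one that was deliberately unlinked.  Treat each hit as a lead to confirm
    against the process's exit time and other views (threads, handles), not
    as proof of malware by itself.
    """
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    return sorted((pid, name) for pid, name in scanned.items() if pid not in listed)


def name_mismatches(pslist_text, psscan_text):
    """Return sorted (pid, pslist_name, psscan_name) where the two views disagree.

    Both views read the same process structure, so a disagreement on the name
    for one PID points at tampering with the in-memory process object.
    """
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    return sorted(
        (pid, listed[pid], scanned[pid])
        for pid in listed
        if pid in scanned and listed[pid] != scanned[pid]
    )


if __name__ == "__main__":
    for pid, name in find_hidden(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print("in psscan but not pslist: PID %d (%s)" % (pid, name))
    for pid, a, b in name_mismatches(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print("name mismatch for PID %d: pslist=%s psscan=%s" % (pid, a, b))
```

Run against real output, the script is fed the text of `vol.py -f <image> --profile=<profile> pslist` and the matching `psscan` run; the constructed sample flags PID 2312, which psscan sees but pslist does not, and reports no name mismatches.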
The last part of this project is getting Volatility to run on an Android device. We are currently experimenting with getting Volatility to work on an Android virtual machine with a working internet connection. The next step is to create a virtual SD card so we can download applications, specifically the SL4A app. This will allow us to create a Python egg within the Android VM and then install and run Volatility. Connor will take the lead on this part of the project, as he knows the most about Python programming.
More on this research project will follow at a later date. Subscribe to the blog to get the latest on this project.
If you have any comments, questions, and/or suggestions, please feel free to leave a comment here on the blog or feel free to email us at LCDI@champlain.edu, putting “Volatility” in the subject line.