Volatility, the memory forensics framework, ships with an abundance of powerful plugins, and their number keeps growing. It is important for law enforcement to understand which plugins to use and when, as well as how to get them to function properly. Testing and running the different commands within Volatility was the first part of our project.
Dan Doonan spent a significant amount of time generating data, capturing RAM, and then running the most essential commands Volatility provides. Our report outlines the basics of installing Volatility, as well as the preliminary steps one would need to follow in order to successfully analyze a RAM image.
Because Volatility is full of plugins, we chose the ones we thought were most important and would be most used in the field. We then broke them up into the following categories: images, processes, memory and kernel objects, networking, registry, malware analysis, GUI analysis, and other plugins. We came up with close to 40 plugins that we deemed necessary for law enforcement to learn, be aware of, and use during investigations.
In our report, we provided each command for the 40 plugins and gave a brief description of what the plugin would achieve and why it is useful. Along with a description, we added screenshots for most of the plugins to give a sense of what the output would look like.
Once we had worked through the frequently used plugins and understood how to navigate Volatility, we could continue with the remaining aspects of this project: malware analysis and remotely capturing RAM for further analysis with Volatility.
More on this research project will follow at a later date. Subscribe to the blog to get the latest on this project.
If you have any comments, questions, and/or suggestions, please feel free to leave a comment here on the blog or feel free to email us at LCDI@champlain.edu, putting “Volatility-Plugins” in the subject line.