Windows Memory Forensics Technical Guide Part 2

Introduction to Structured Analysis with Volatility.  Investigative Process Steps. Windows Processes.

Structured Analysis and Investigative Process
After a short introduction into unstructured memory analysis in Part I of the Windows Memory Forensics series, now it is time to get more… structured! Let us begin with parsing memory objects. We will discuss two major memory analysis frameworks later in this series: Volatility and Rekall. Rekall is Volatility’s fork, based on the development branch from 2011.  After two years, results still were not accepted into the Volatility trunk, so the branch turned into a new project – on December 13, 2013, Rekall was born.
Volatility is a framework written in Python. Memory analysis with Volatility consists of running various Python plugins against a memory dump. Each plugin has a specific use-case and can have specific command line options. Where to start an investigation? There are several options on how to approach memory forensics. In these articles, we will roughly follow guidelines published by SANS institute. SANS divides RAM analysis process into the following phases:

1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review network artifacts
4. Look for evidence of code injection
5. Check for signs of a rootkit
6. Dump suspicious processes and drivers

 

Download “Windows Memory Forensics Technical Guide Part 2” Technical Guide

Relevant resources:
Read Part 1 of Windows Memory Forensics Guide.