Experiment-2 Digital Forensics AIM-Capture The Memory of Any OS System and Try To Analyse .Mem File On Kali Using Volatility Tool DATE: 06-02-2021

This document describes using the Volatility tool to analyze a memory dump captured using FTK Imager. It provides commands to view process listings, connections, loaded DLLs, hidden code, API hooks, drivers, and registry keys to detect malware and analyze a memory dump from a Windows system or one known to contain Stuxnet.

Uploaded by TANISHA PATHAK

EXPERIMENT-2

DIGITAL FORENSICS
AIM- Capture the Memory of any OS System and try to
analyse .mem file on Kali using Volatility tool
DATE: 06-02-2021
_______________________________________________
PART 1- To create Windows memory dump using FTK Imager
STEP 1- Open and run FTK Imager Tool.
STEP 2- Go to the File menu and select the Capture Memory option.
STEP 3- Set Destination Path to save the memory dump.

STEP 4- Start Memory Capture and observe the status/progress.

STEP 5- Memory Capture is completed successfully.

___________________________________________________________________________

PART 2- Analyze Stuxnet and Windows RAM Dump with Volatility


To get more information about the memory image (Volatility reports the suggested OS profile, which the later plugins rely on):
Command: volatility -f abc.vmem imageinfo
Output for stuxnet.vmem:
Output for the Windows memory dump:

To detect malicious process


To list all the processes that were running when the memory dump was created:
Command: volatility -f abc.vmem pslist
To view the process listing as a parent/child tree:
Command: volatility -f abc.vmem pstree
Output for stuxnet.vmem:
Output for the Windows memory dump:
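The process-listing step above gives the analyst raw pslist text; what marks a process as suspicious in it is a deviation from how the core system processes normally look (one instance each, started by a known parent). The following Python script is an added example, not part of this lab report or of Volatility: it parses the text that `volatility -f abc.vmem pslist` prints and checks a small Windows XP baseline (stuxnet.vmem is an XP image) for duplicate system processes and unexpected parents. The sample output, its offsets, PIDs and timestamps are constructed to match the pslist column layout; XP_BASELINE, parse_pslist and find_anomalies are names chosen here.

```python
"""Flag suspicious entries in Volatility 2 'pslist' output.

Added example (not from the lab report): parses the text that
``volatility -f abc.vmem pslist`` prints and applies a small baseline of
how core Windows XP system processes are expected to look (single
instance, known parent). Adjust XP_BASELINE for other Windows versions.
"""
from collections import Counter

# Constructed sample modelled on the pslist column layout; offsets, PIDs
# and timestamps are made up, not taken from a real image.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     59      403 ------      0
0x820df020 smss.exe                376      4      3       19 ------      0 2011-06-03 04:25:15 UTC+0000
0x821a2da0 csrss.exe               600    376     11      395      0      0 2011-06-03 04:25:16 UTC+0000
0x81da5650 winlogon.exe            624    376     19      570      0      0 2011-06-03 04:25:16 UTC+0000
0x82073020 services.exe            668    624     21      431      0      0 2011-06-03 04:25:16 UTC+0000
0x81e70020 lsass.exe               680    624     19      342      0      0 2011-06-03 04:25:16 UTC+0000
0x81c498c8 lsass.exe               868    668      2       23      0      0 2011-06-03 04:26:55 UTC+0000
0x81c47c00 lsass.exe              1928    668      4       65      0      0 2011-06-03 04:26:55 UTC+0000
0x81fe52d8 explorer.exe           1196   1148     16      582      0      0 2011-06-03 04:25:20 UTC+0000
"""

# Windows XP baseline (assumption for this example):
# process name -> (expected parent name, maximum number of instances).
XP_BASELINE = {
    "smss.exe": ("System", 1),
    "winlogon.exe": ("smss.exe", 1),
    "services.exe": ("winlogon.exe", 1),
    "lsass.exe": ("winlogon.exe", 1),
}


def parse_pslist(text):
    """Return a list of {offset, name, pid, ppid} dicts from pslist text.

    Assumes process names contain no spaces, which holds for pslist's
    20-character truncated Name column on system processes.
    """
    procs = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a hex offset; the header and separator do not.
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        procs.append({"offset": parts[0], "name": parts[1],
                      "pid": int(parts[2]), "ppid": int(parts[3])})
    return procs


def find_anomalies(procs):
    """Compare each baseline process against the listing and describe deviations."""
    by_pid = {p["pid"]: p["name"] for p in procs}
    counts = Counter(p["name"].lower() for p in procs)
    findings = []
    # Too many copies of a process that should exist exactly once.
    for name, (_parent, limit) in XP_BASELINE.items():
        if counts[name] > limit:
            findings.append(f"{name}: {counts[name]} instances, expected {limit}")
    # A baseline process whose parent is not the expected one.
    for p in procs:
        rule = XP_BASELINE.get(p["name"].lower())
        if rule is None:
            continue
        actual_parent = by_pid.get(p["ppid"], "<exited>")
        if actual_parent.lower() != rule[0].lower():
            findings.append(f"{p['name']} pid {p['pid']}: parent is {actual_parent} "
                            f"(pid {p['ppid']}), expected {rule[0]}")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_pslist(SAMPLE_PSLIST)):
        print(finding)
```

Run it against a saved listing with `volatility -f abc.vmem pslist > pslist.txt` and pass the file contents to parse_pslist; in the constructed sample the extra lsass.exe instances with services.exe as parent are the entries that get flagged.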
To detect malicious connections
To find out whether these suspicious processes had network connections open when the memory was dumped:
Command: volatility -f abc.vmem connections
To identify the ports that were listening on the computer:
Command: volatility -f abc.vmem sockets
(The connections and sockets plugins apply to Windows XP and 2003 images such as stuxnet.vmem; for Windows Vista and later images the netscan plugin gives the same view.)
To detect DLLs
To list the DLLs a process had loaded when the memory was dumped, and to compare the loader's module lists so that DLLs unlinked from one of them stand out:
Command: volatility -f abc.vmem dlllist -p pid | wc -l
volatility -f abc.vmem ldrmodules -p pid
To get more detail from ldrmodules (the full path of each mapped module):
Command: volatility -f abc.vmem ldrmodules -p pid -v
To detect Injected Code
To identify hidden or injected code/DLLs in user-mode memory. We then export these sections and check them on www.virustotal.com to see whether an anti-virus engine detects them.
Command: volatility -f abc.vmem malfind -p pid --dump-dir evidences/
Then upload these files to www.virustotal.com to find out whether some anti-virus vendor detects them as malicious. If the files should not be uploaded, obtain their sha256 checksums instead and search for the hashes on the VirusTotal website.
Results after checking the files on the www.virustotal.com website:
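Hashing the dumped sections instead of uploading them, as described above, is easy to script. The following Python script is an added example, not part of this lab report or of Volatility: it computes the SHA-256 of every file malfind wrote to the --dump-dir folder and writes a sha256sum-style list whose hashes can be searched on VirusTotal, marking any hash the analyst has already confirmed. The directory name evidences/ comes from the report; sha256_file, hash_directory, write_report and the KNOWN_BAD set (a placeholder hash, not a real indicator) are names and values chosen here.

```python
"""Hash files dumped by malfind so they can be looked up on VirusTotal
without uploading them.

Added example, not part of the lab report: walks the --dump-dir folder
(evidences/ in the report), computes the SHA-256 of every file and writes
one 'hash  filename' line per file, the form VirusTotal's search box and
sha256sum -c both accept. KNOWN_BAD is a constructed placeholder for
hashes the analyst has already confirmed, not a real indicator list.
"""
import hashlib
import os
import sys

# Constructed placeholder; replace with hashes confirmed by the analyst.
KNOWN_BAD = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, read in chunks so a large
    process dump never has to fit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_directory(directory):
    """Return {relative filename: sha256} for every regular file below
    directory, including subfolders malfind may create per process."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            results[os.path.relpath(path, directory)] = sha256_file(path)
    return results


def write_report(hashes, out_path):
    """Write 'hash  filename' lines sorted by filename (reproducible output)
    and return how many hashes were already in KNOWN_BAD."""
    hits = 0
    with open(out_path, "w", encoding="utf-8") as out:
        for name in sorted(hashes):
            digest = hashes[name]
            known = digest in KNOWN_BAD
            if known:
                hits += 1
            out.write(f"{digest}  {name}{'  KNOWN-BAD' if known else ''}\n")
    return hits


if __name__ == "__main__":
    dump_dir = sys.argv[1] if len(sys.argv) > 1 else "evidences"
    file_hashes = hash_directory(dump_dir)
    matched = write_report(file_hashes, "evidences_sha256.txt")
    print(f"{len(file_hashes)} files hashed, {matched} matched KNOWN_BAD")
```

Running `python3 hash_dumps.py evidences/` after the malfind command produces evidences_sha256.txt; each hash can then be pasted into the VirusTotal search box, so the dumped memory itself never leaves the analysis machine.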
To detect API Hooks
To find API hooks in this memory dump that are related to the suspicious processes (apihooks is a separate plugin from malfind, so it is run on its own):
Command: volatility -f abc.vmem apihooks -p pid
To detect Malicious Drivers
To find previously unloaded drivers, and drivers that have been unlinked or hidden by rootkits, by scanning memory for driver module objects instead of walking the loaded-module list:
Command: volatility -f abc.vmem modscan
To detect Registry Keys
To identify the registry keys that have been added to the computer (here, the service entry for the MrxNet driver):
Command: strings abc.vmem | grep -i mrx | grep -i Services
volatility -f abc.vmem printkey -K 'ControlSet001\Services\MrxNet' (example)
