Memory Forensics and Network Analysis Using Volatility and Xplico

Memory Analysis with the Volatility Framework

The Volatility framework is an open-source, cross-platform memory forensics tool whose plugins extract valuable artifacts from memory dumps. It supports Windows, Linux, and macOS on both 32-bit and 64-bit architectures.

Supported memory dump formats include raw physical memory, VMware snapshots, crash dumps, and EWF files. For demonstration purposes, we'll use a Windows XP sample image named cridex.vmem.

Profile Selection

Before analysis, Volatility requires a profile matching the target system's OS and service pack. The imageinfo plugin automatically detects candidate profiles:

volatility -f cridex.vmem imageinfo

Output typically suggests profiles like WinXPSP2x86 or WinXPSP3x86, indicating Windows XP with specific service packs on 32-bit architecture.

Process Investigation

Several plugins help identify running processes and their relationships:

  • pslist: Displays active processes with PID, PPID, and start times
  • pstree: Shows hierarchical process relationships
  • psscan: Reveals hidden or terminated processes
  • psxview: Cross-references multiple scanning techniques to find concealed processes

Example usage:

volatility --profile=WinXPSP3x86 -f cridex.vmem pslist
volatility --profile=WinXPSP3x86 -f cridex.vmem pstree
volatility --profile=WinXPSP3x86 -f cridex.vmem psscan
volatility --profile=WinXPSP3x86 -f cridex.vmem psxview

Network Connection Analysis

To examine network activity within memory:

  • connections: Lists active TCP connections (Windows XP/2003 only)
  • connscan: Discovers closed connections through pool scanning
  • sockets: Displays listening sockets and associated protocols

Usage examples:

volatility --profile=WinXPSP3x86 -f cridex.vmem connections
volatility --profile=WinXPSP3x86 -f cridex.vmem connscan
volatility --profile=WinXPSP3x86 -f cridex.vmem sockets
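The process and network plugins above are usually read side by side: a PID that psscan finds but pslist does not, or a connection owned by a PID missing from pslist, is what psxview and manual review are looking for. As an added example (not from the original post), this script performs that cross-check offline on constructed Volatility 2 output in the pslist, psscan and connections column layouts; the sample rows are constructed, not taken from cridex.vmem.

```python
import re
# Constructed pslist output (Volatility 2 layout), not from cridex.vmem.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ -----
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x821dea70 explorer.exe           1484    368     17      415      0      0 2012-07-22 02:42:36 UTC+0000
"""
# Constructed psscan output: the pool scan also finds unlinked or exited processes.
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created
------------------ ---------------- ------ ------ ---------- -----
0x000000000207bda0 smss.exe            368      4 0x0c2a0020 2012-07-22 02:42:31 UTC+0000
0x00000000021dea70 explorer.exe       1484    368 0x0c2a0120 2012-07-22 02:42:36 UTC+0000
0x0000000002341020 update.exe         1992   1484 0x0c2a03a0 2012-07-22 02:44:01 UTC+0000
"""
# Constructed connections output: the owning PID is the last column.
CONNECTIONS = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 192.0.2.10:1038           198.51.100.23:8080        1484
0x023a8008 192.0.2.10:1040           203.0.113.7:443           1992
"""
PROC_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)", re.I)
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.I)

def parse_processes(text):
    """Map PID -> name; pslist and psscan share their first four columns."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs

def parse_connections(text):
    """Return (local, remote, pid) tuples from connections/connscan output."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in map(CONN_RE.match, text.splitlines()) if m]

def hidden_processes(pslist_text, psscan_text):
    """PIDs the scanner sees but the linked list does not: unlinked or exited."""
    listed, scanned = parse_processes(pslist_text), parse_processes(psscan_text)
    return sorted((pid, n) for pid, n in scanned.items() if pid not in listed)

def attribute_connections(conn_text, pslist_text, psscan_text):
    """Name the owner of each connection; flag owners absent from pslist."""
    listed, scanned = parse_processes(pslist_text), parse_processes(psscan_text)
    return [{"local": loc, "remote": rem, "pid": pid,
             "name": listed.get(pid) or scanned.get(pid, "<unknown>"),
             "suspicious": pid not in listed}
            for loc, rem, pid in parse_connections(conn_text)]
```

A process reported by hidden_processes may simply have exited, so confirm with psxview and the psscan exit timestamp before treating it as concealed.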

DLL and User Analysis

Dynamic Link Libraries (DLLs) can provide insights into process behavior:

  • dlllist: Enumerates loaded DLLs per process
  • verinfo: Extracts version information from PE files
  • getsids: Maps security identifiers to user accounts

Commands:

volatility --profile=WinXPSP3x86 -f cridex.vmem dlllist
volatility --profile=WinXPSP3x86 -f cridex.vmem verinfo
volatility --profile=WinXPSP3x86 -f cridex.vmem getsids

Administrator privileges can be identified when a SID ends in the relative identifier 500 or when a process holds the Administrators group SID S-1-5-32-544.

Registry Examination

Registry hives contain critical system and user data:

  • hivescan: Locates registry hive signatures
  • hivelist: Provides virtual and physical addresses of hives

Execution:

volatility --profile=WinXPSP3x86 -f cridex.vmem hivescan
volatility --profile=WinXPSP3x86 -f cridex.vmem hivelist

These commands reveal hive paths such as Windows\system32\config\SAM, the SAM hive that stores hashed account passwords.

Timeline Reconstruction

Creating chronological events aids investigation:

volatility --profile=WinXPSP3x86 -f cridex.vmem timeliner

This generates time-stamped entries covering process creation, network activity, and registry changes.

Malware Detection

The malfind plugin identifies suspicious process injections:

volatility --profile=WinXPSP3x86 -f cridex.vmem malfind
volatility --profile=WinXPSP3x86 -f cridex.vmem malfind -p 608

It highlights memory regions with unusual protection attributes that may indicate malicious code injection.

Network Traffic Analysis with Xplico

Xplico decodes network captures to extract application-layer data from protocols like HTTP, FTP, VoIP, and email services.

Environment Setup

In Kali Linux, ensure updated repositories before installing:

apt-get update
apt-get install xplico
service apache2 start
service xplico start

Access via browser at localhost:9876 using default credentials (xplico:xplico).

HTTP Traffic Decoding

Create a new case and session for analyzing web traffic:

  1. Log in to the Xplico interface
  2. Create case named "HTTP-WEB"
  3. Add session titled "WebAnalysis"
  4. Upload .pcap file containing HTTP traffic

After decoding completes, explore categories like "Http" and "Undecoded" to view extracted URLs, images, and metadata.

VoIP Call Analysis

For SIP-based communications:

  1. Establish new case "SIP_Analysis" with session "Sip_File"
  2. Upload appropriate .pcap capture
  3. Navigate to "Calls" section post-decoding

This reveals caller details, timestamps, codecs used, and enables audio playback of conversations.

Both tools demonstrate powerful capabilities for extracting actionable intelligence from volatile digital evidence sources.

Tags: digital forensics memory analysis network forensics volatility xplico

Posted on Wed, 13 May 2026 10:46:03 +0000 by will