Using OSForensics with Volatility
While OSForensics can integrate with older versions of Volatility (the procedure described below), note that it also has the built-in ability to extract digital artefacts from memory dumps through the bundled Volatility Workbench.
Volatility Workbench is a graphical user interface (GUI) for the Volatility tool. Volatility is a command-line memory analysis and forensics tool for extracting artifacts from memory dumps. Volatility Workbench is free, open source and runs on Windows.
The bundled build is based on the Volatility 3 Framework. The steps below, by contrast, use Volatility 2.6, which needs the target system's profile passed on the command line.
To Use OSForensics with Volatility:
The System Information function in OSForensics allows external tools, such as Volatility, to be called to retrieve information and save it to the case or export the information as a file. Volatility is a well-known collection of tools used to extract digital artifacts from volatile memory (RAM). The physical memory dump obtained by OSForensics is compatible with Volatility.
In this tutorial, we are using the standalone EXE version of Volatility 2.6 to:
- Get a list of running processes
- Run several commands from a batch (.bat) file
After you have downloaded Volatility, copy the Volatility executable into:
- Windows 10 - C:\ProgramData\PassMark\OSForensics\SysInfoTools\
The most basic Volatility commands are constructed as shown below. Replace plugin with the name of the plug-in to use, image with the file path to your memory image and profile with the name of the profile. The executable name must match the exact file name you copied into SysInfoTools.
volatility_2.6_win64_standalone.exe [plugin] -f [image] --profile=[profile]
For a full list of plug-ins supported by Volatility and their usage, see their documentation section. Volatility needs to know what type of system, identified by the profile parameter, your memory dump came from, so it knows which data structures, algorithms, and symbols to use. To see a list of supported profile names and available plug-ins you can run the "volatility_2.6_win64_standalone.exe --info" command. If you are not sure which profile matches a dump, the imageinfo plug-in (run without --profile) will suggest candidates; a wrong profile typically produces empty or nonsensical output rather than an error, so confirm the profile before trusting plug-in results.
Obtaining a Memory Sample
You can obtain a memory dump from within OSForensics Memory Viewer Module. You will need to choose "Dump Physical Memory Contents" and then click the "Dump" button.
Getting Acquainted with the System Information Function (Get a list of running processes)
To add a new command in the System Information tab in OSForensics, click the Edit button. A list management window will appear showing a list of available commands on the left and a list of commands in the currently loaded list on the right. Click on the "Add..." button to open the "New Command" dialog. In this example we are going to get a list of running processes from the Sample Memory Dumps available for Volatility Workbench.
Our memory sample is named WinDump.mem, was collected from a 64-bit Windows 10 system and is located on our Desktop. In the command section we would enter:
volatility_2.6_win64_standalone.exe pslist -f C:\Users\Rachel\Desktop\WinDump\WinDump.mem --profile=Win10x64
We'll leave "Architecture" at the default 32/64 but check the button for "Drive Letter Acquisition". Now click the Save button.
Highlight the newly added command and select the preferred list, you can add the command to one of the existing lists or create a new one to hold this and other Volatility commands. Now with our new command selected click the "Add Selected" button to add the command to the list. Use the ok button to save the changes and close the dialog. You should now see the command listed in the System Information tab when you select the list.
After running with the "Go" button (this may take some time depending on the size of the memory sample) the results will be displayed on the results tab and can be saved or exported as required. Note that pslist walks the kernel's linked list of active processes, so a process that has been unlinked from that list will not appear; compare against the psscan plug-in where that matters. Sample output from the command is below.
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0xfffffa8006ce46f0 System                    4      0    164     1071 ------      0 2012-10-01 16:38:23
0xfffffa800aa9a590 smss.exe                368      4      3       36 ------      0 2012-10-01 16:38:23
0xfffffa800b3a3b30 smss.exe                440    368      0 --------      0      0 2012-10-01 16:38:28  2012-10-01 16:38:32
0xfffffa800b315b30 csrss.exe               504    440      9      642      0      0 2012-10-01 16:38:31
0xfffffa800b818b30 wininit.exe             576    440      3       86      0      0 2012-10-01 16:38:32
0xfffffa800b80eb30 smss.exe                584    368      0 --------      1      0 2012-10-01 16:38:32  2012-10-01 16:38:33
0xfffffa800b81e9e0 csrss.exe               600    584     15      943      1      0 2012-10-01 16:38:32
<snip>
0xfffffa800c55e790 chrome.exe              5088   3440     38     1049      1      1 2012-10-01 16:39:01
0xfffffa8006f23b30 OUTLOOK.EXE             2944   3440     17     2298      1      1 2012-10-01 16:55:31
0xfffffa8007452620 splwow64.exe            4320   5276      6      103      1      0 2012-10-01 17:36:55
...
Run several commands from a batch (.bat) file
Starting in OSForensics 1.2 Build 100X, the ability to run simple batch files from within the System Information tool was added. In this example we are going to write a batch script that runs several Volatility plug-ins on a memory sample. Suppose we would like a list of running processes, a list of open handles, and any environment variables that are set. Our batch script looks like the following:
volatility_2.6_win64_standalone.exe pslist -f %1 --profile=%2
volatility_2.6_win64_standalone.exe handles -f %1 --profile=%2
volatility_2.6_win64_standalone.exe envars -f %1 --profile=%2
The batch file should be placed in the "SysInfoTools" folder, the same location where you placed the Volatility executable (again, use the exact file name of the executable you copied). We will call our batch file "volatility.bat". The %1 and %2 variables in the batch script will be replaced by the first and second arguments (the image path and the profile) when we run the command. As in the previous example, we will create a new command that runs our batch script.
Like before, to add a new command in the System Information tab in OSForensics, click the Edit button to open the list management window. Click on the "Add..." button to open the "New Command" dialog.
Our memory sample is named dump.bin and is located on our Desktop. In the command section we would enter:
volatility.bat C:\Users\Passmark01\Desktop\dump.bin Win7SP1x64
We'll leave "Architecture" at the default 32/64 but select No for "Live system capable". Now click the Save button.
You can now add the command to one of the existing lists or create a new list. After running with the "Go" button (this may take some time depending on which plug-in is used) the results will be displayed on the results tab and can be saved or exported as required.
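As an added example (not PassMark's or the Volatility Foundation's code), the batch script below combines the two procedures above, building a command with an explicit profile and running several plug-ins from one .bat file, into a single wrapper that checks its inputs before calling Volatility. It assumes the executable is named volatility_2.6_win64_standalone.exe and sits in SysInfoTools, that the script is saved beside it as volatility_run.bat (a name chosen here), and that it is entered in the "New Command" dialog the same way as volatility.bat, e.g. volatility_run.bat C:\Users\Passmark01\Desktop\dump.bin Win7SP1x64. It goes slightly beyond the page by also running psscan, so the pool-scanned process list can be compared against pslist for processes that have been unlinked from the active process list.

```batch
@echo off
REM volatility_run.bat - added example wrapper for the OSForensics System Information tool.
REM Usage (as the OSForensics command):  volatility_run.bat <memory image> [profile]
REM Assumes volatility_2.6_win64_standalone.exe is in the same folder as this script (SysInfoTools).
setlocal
set "VOL=%~dp0volatility_2.6_win64_standalone.exe"
set "IMAGE=%~1"
set "PROFILE=%~2"

if not exist "%VOL%" (
    echo ERROR: %VOL% not found. Copy the Volatility standalone EXE into SysInfoTools.
    exit /b 2
)
if "%IMAGE%"=="" (
    echo Usage: %~nx0 ^<memory image^> [profile]
    exit /b 2
)
if not exist "%IMAGE%" (
    echo ERROR: memory image "%IMAGE%" not found.
    exit /b 2
)

REM With no profile supplied, ask Volatility for candidates and stop. The analyst should
REM pick one (cross-check against --info) before trusting any plug-in output.
if not "%PROFILE%"=="" goto run
echo No profile given; running imageinfo to identify candidate profiles...
"%VOL%" imageinfo -f "%IMAGE%"
exit /b %ERRORLEVEL%

:run
REM Run each plug-in in turn with a separator line so the combined results stay readable.
REM A plug-in that exits non-zero is reported but the remaining plug-ins still run.
set FAILED=0
for %%P in (pslist psscan handles envars) do (
    echo ===== %%P =====
    "%VOL%" %%P -f "%IMAGE%" --profile=%PROFILE%
    if errorlevel 1 (
        echo WARNING: plug-in %%P exited with a non-zero status
        set FAILED=1
    )
)
exit /b %FAILED%
```

Because the image path is expanded through %~1 and quoted wherever it is used, a path containing spaces can be entered in the OSForensics command as "C:\path with spaces\dump.bin" and still reach Volatility intact, which the bare %1 in the three-line script cannot guarantee.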