Using OSForensics with Volatility

The System Information function in OSForensics allows external tools, such as Volatility, to be called to retrieve information and save it to the case or export the information as a file. Volatility is a well-known collection of tools used to extract digital artifacts from volatile memory (RAM). The physical memory dump obtained by OSForensics is compatible with Volatility.

In this tutorial, we are using the standalone EXE version of Volatility-2.1 (volatility-2.1.standalone.exe) to:

  • Get a list of running processes
  • Run several commands from a batch (.bat) file

After you have downloaded Volatility, copy the Volatility executable into:

  • Windows Vista/7 - C:\ProgramData\PassMark\OSForensics\SysInfoTools\
  • Windows XP - C:\Documents and Settings\All Users\Application Data\PassMark\OSForensics\SysInfoTools\

The most basic Volatility commands are constructed as shown below. Replace plugin with the name of the plug-in to use, image with the file path to your memory image and profile with the name of the profile.

volatility-2.1.standalone.exe [plugin] -f [image] --profile=[profile]

For a full list of plug-ins supported by Volatility and their usage, see the Volatility documentation. Volatility needs to know what type of system your memory dump came from, identified by the profile parameter, so that it knows which data structures, algorithms, and symbols to use. A default profile of WinXPSP2x86 is set internally. To see a list of supported profile names and available plug-ins, run the "volatility-2.1.standalone.exe --info" command.

Obtaining a Memory Sample

You can obtain a memory dump from within OSForensics Memory Viewer Module. You will need to choose "Dump Physical Memory Contents" and then click the "Dump" button. Save the file and remember the location as we will use this sample in our tutorial.

Getting Acquainted with the System Information Function (Get a list of running processes)

To add a new command in the System Information tab in OSForensics, click the Edit button. A list management window will appear showing a list of available commands on the left and a list of commands in the currently loaded list on the right. Click on the "Add..." button to open the "New Command" dialog. In this example we are going to get a list of the processes that were running when our memory sample was obtained.

Our memory sample, named dump.bin, was collected from a 64-bit system running Windows 7 with Service Pack 1 and is located on our Desktop. In the command section we would enter:

volatility-2.1.standalone.exe pslist -f C:\Users\Passmark01\Desktop\dump.bin --profile=Win7SP1x64

We'll leave "Architecture" at the default 32/64 but check No for "Live system capable". Now click the Save button.

Adding the Volatility command

Highlight the newly added command and select the preferred list. You can add the command to one of the existing lists or create a new one to hold this and other Volatility commands. With our new command selected, click the "Add Selected" button to add the command to the list. Use the OK button to save the changes and close the dialog. You should now see the command listed in the System Information tab when you select the list.

After adding the Volatility command

After running with the "Go" button (this may take some time depending on the size of the memory sample), the results will be displayed on the Results tab and can be saved or exported as required. Sample output from the command is below.

Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0xfffffa8006ce46f0 System                    4      0    164     1071 ------      0 2012-10-01 16:38:23
0xfffffa800aa9a590 smss.exe                368      4      3       36 ------      0 2012-10-01 16:38:23
0xfffffa800b3a3b30 smss.exe                440    368      0 --------      0      0 2012-10-01 16:38:28  2012-10-01 16:38:32
0xfffffa800b315b30 csrss.exe               504    440      9      642      0      0 2012-10-01 16:38:31
0xfffffa800b818b30 wininit.exe             576    440      3       86      0      0 2012-10-01 16:38:32
0xfffffa800b80eb30 smss.exe                584    368      0 --------      1      0 2012-10-01 16:38:32  2012-10-01 16:38:33
0xfffffa800b81e9e0 csrss.exe               600    584     15      943      1      0 2012-10-01 16:38:32
<snip>
0xfffffa800c55e790 chrome.exe             5088   3440     38     1049      1      1 2012-10-01 16:39:01
0xfffffa8006f23b30 OUTLOOK.EXE            2944   3440     17     2298      1      1 2012-10-01 16:55:31
0xfffffa8007452620 splwow64.exe           4320   5276      6      103      1      0 2012-10-01 17:36:55
...
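Once exported from the Results tab, the pslist output above is plain text that can be post-processed. The following Python script, added here as an example and not part of the OSForensics tutorial or of Volatility itself, parses pslist rows into records, flags processes that carry an exit time, flags processes whose parent PID is absent from the listing, and prints a parent/child tree; the sample rows are constructed from the output shown above.

```python
from typing import Dict, List, Optional

# Constructed sample built from rows of the pslist output shown above.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0xfffffa8006ce46f0 System                    4      0    164     1071 ------      0 2012-10-01 16:38:23
0xfffffa800aa9a590 smss.exe                368      4      3       36 ------      0 2012-10-01 16:38:23
0xfffffa800b3a3b30 smss.exe                440    368      0 --------      0      0 2012-10-01 16:38:28  2012-10-01 16:38:32
0xfffffa800b315b30 csrss.exe               504    440      9      642      0      0 2012-10-01 16:38:31
0xfffffa800c55e790 chrome.exe             5088   3440     38     1049      1      1 2012-10-01 16:39:01
"""

def _num(field: str) -> Optional[int]:
    """Numeric column; Volatility prints a run of dashes when the value is unavailable."""
    return None if set(field) == {"-"} else int(field)

def parse_pslist(text: str) -> Dict[int, dict]:
    """Parse pslist text into {pid: record}. Exit is present only for terminated processes."""
    procs: Dict[int, dict] = {}
    for line in text.splitlines():
        f = line.split()
        # Data rows start with a virtual offset; header, separator and "<snip>" lines do not.
        if len(f) < 10 or not f[0].startswith("0x"):
            continue
        rec = {
            "offset": f[0], "name": f[1], "pid": int(f[2]), "ppid": int(f[3]),
            "threads": _num(f[4]), "handles": _num(f[5]), "session": _num(f[6]),
            "wow64": f[7] == "1", "start": f"{f[8]} {f[9]}",
            "exit": f"{f[10]} {f[11]}" if len(f) >= 12 else None,
        }
        procs[rec["pid"]] = rec
    return procs

def exited(procs: Dict[int, dict]) -> List[int]:
    """PIDs that still appear in the list but carry an exit time."""
    return sorted(p for p, r in procs.items() if r["exit"])

def unknown_parents(procs: Dict[int, dict]) -> List[int]:
    """PIDs whose parent is not in the listing (PPID 0 is the idle process and is expected)."""
    return sorted(p for p, r in procs.items() if r["ppid"] != 0 and r["ppid"] not in procs)

def tree(procs: Dict[int, dict], root: int, depth: int = 0) -> List[str]:
    """Indented parent/child view of the listing under the given PID."""
    lines = [f"{'  ' * depth}{procs[root]['name']} ({root})"]
    for pid in sorted(p for p, r in procs.items() if r["ppid"] == root and p != root):
        lines.extend(tree(procs, pid, depth + 1))
    return lines
```

Run it against a full exported listing rather than the constructed sample to see which parents are genuinely missing; in the short sample only chrome.exe's parent (PID 3440) is absent because its row was not included.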

Run several commands from a batch (.bat) file

Starting in OSForensics 1.2 Build 100X, the ability to run simple batch files from within the System Information tool was added. In this example we are going to write a batch script to run several Volatility plug-ins on a memory sample. Suppose we would like to get a list of running processes, a list of open handles, and any environment variables that are set. Our batch script looks like the following:

volatility-2.1.standalone.exe pslist -f %1 --profile=%2
volatility-2.1.standalone.exe handles -f %1 --profile=%2
volatility-2.1.standalone.exe envars -f %1 --profile=%2

The batch file should be placed in the "SysInfoTools" folder, the same location where you placed the Volatility executable. We will call our batch file "volatility.bat". The %1 and %2 variables in the batch script will be replaced by the appropriate values when we run the command. As in the previous example, we will create a new command that will run our batch script.

Like before, to add a new command in the System Information tab in OSForensics, click the Edit button to open the list management window. Click on the "Add..." button to open the "New Command" dialog.
Our memory sample is named dump.bin and is located on our Desktop. In the command section we would enter:

volatility.bat C:\Users\Passmark01\Desktop\dump.bin Win7SP1x64

We'll leave "Architecture" at the default 32/64 but check No for "Live system capable". Now click the Save button.

Adding the Volatility command

You can now add the command to one of the existing lists or create a new list. After running with the "Go" button (this may take some time depending on which plug-ins are used), the results will be displayed on the Results tab and can be saved or exported as required.
