Best Telegram Programming Groups For Coders &Developers   It Wasn’t Me - Secure Your Account   Mr.Robot All Seasons 1,2,3 Full | Free Torrent Download   Mr.Robot All Seasons 1,2,3,4 Full | Watch Online [FREE]   5 Tips Will Keep You Safe During Christmas Holiday’s Online Shopping   You Can Get All Adobe Apps For $30 a Month Right Now   How To Wipe An iPhone Clean (ERASE) Before Selling?   Programming Languages To Learn To Be An Expert Hacker!   Cybercriminals exchange tips on underground forums about avoiding arrests   A comprehensive look into emerging Signal encrypted messaging application   A Detailed Comparison of WhatsApp, Telegram & Signal   How Telegram End-to-end Encryption Works To Provide Security ?   Flubot Malware is Spreading Quickly Through Android Devices   WhatsApp End-to-End Encryption and its Privacy Importance - Alternatives,Signal & Telegram   What is Credit Card Skimming And How To Protect Yourself From it ?   Where to hire react programmer and 3 essential skills to look for   Top 8 Basic Google Search Dorks [Live Examples]   [Penetration Testing] Top 70 Most Interview Questions   Why VPN Is Necessary ? [Detailed Guide]   Top 10 Dangerous Viruses Of All Times   List Of Common HTTP Error Status Codes   “Hello World!” Program In Different Programming Languages   100 Basic Computer Related G.K. Questions   Email Security - Tips And Tricks   Fonts Hub Collection (Free Design Resources)   Top 8 Softwares Free Download - No Credit Card Needed [2022 Update]   Shortcomings That Leads An Entrepreneur Towards Failure   5 Basic Steps To Protect Your Personal Data Online   What is Intel SGX and What are the Benefits ?   15 Things You Need to Know About Maintaining The Logs   How to think like a programmer - lessons in problem solving   How To Get Voice Like Anonymous Voice   Life Story of Microsoft Founder Bill Gates - Documentary   Own Private Search Engine in Linux Will Save Our Privacy   Best Etcher alternatives to Create Bootable USB   Music For Programming - Coding Music / Hacking Music   School Management Software v3.1 Premium + Crack   JavaFX Chat Client/Server + Source Code   Top 25 Keyword Research Tools [Search Engine Optimization]   A Quick SEO Checklist - 2023 Update   Online Domain Authority (DA) Rank Checker Websites   33 Things In SEO For Which Google Will Give Your Student Blog High Positions   How to Close the Site from indexing using robots.txt   10 SEO Tools all Small Businesses Need in 2023   Earth Rise Application + Code   Animation along a path + Code   Zen Pong Game in Java Language + Code   Simple Flying Bird Game + Code Files   Game Snake Simple + Code Files   The Space 'Sun & Earth' | HTML,CSS,JavaScript   File System in Web (Explorer in Windows and Finder in OSX)   Admin Dashboard Template built using Bootstrap + Code   Website Template For Admin Dashboard + Code   Youtube Playlist Downloader Script   How To Create A Stopwatch In Python   Python TicTacToe with Tk and minimax AI   Deskreen turns any device with a web browser into a secondary screen for your computer   Download Algorithms Book | Dummies Store   OSI Model And TCP/IP Model   How to Fix SSH Failed Permission Denied (publickey,gssapi-keyex,gssapi-with-mic)   What Is Load Balancing? Definition and How It Works   How to Setup FTP Server on Your Raspberry Pi   Download Windows 10 Lite Edition x64 | Direct Link   How To Recover Permanently Deleted Files In Windows 10 ?   How to make Fake Error Message Script in Windows   20 Essential Windows keyboard Shortcuts that will make you forget your mouse   How To Fix The DLL Missing Error In Windows 7 ?   Create Hotspot on Windows 10 in 6 steps   Download Microsoft Office Professional Plus 2016   Download DriverPack Solution Offline | Full   How To Create Simple And Password Protected ZIP File in Linux   2 Ways To Save Terminal Output of a Command in Linux   6 Best Tools to Monitor Disk IO Performance in Linux   Top 15 Best Websites (Blogs) to Learn Linux Online   How to Delete files older than 30 Days in Linux   What is the difference between apt and apt-get command   Fail2Ban Installation & Setup: Ubuntu, CentOS, Fedora & Debian   How to List Running Processes in Linux   How to Use the who Command in Linux with Examples   FOREMOST - Recover Permanently Deleted Files Easily in Kali Linux   Funny Linux Commands to Try   Command line interface guidelines, to help you write better command-line programs ...   How to Install Google Chrome Web Browser on Ubuntu 20.04   Learn Adobe Photoshop | 33 Episode Course   Window Privilege Escalation: Automated Script   Linux Privilege Escalation: Automated Script   How To Retrieve & Decrypt Stored Passwords in Firefox & Chrome Remotely   ACLight: An Advanced Privileged Account Discovery Tool   How to change Lock Screen Background on Kali Linux XFCE   Best 20 Kali Linux Tools For Hacking And Penetration Testing   How to Run Windows Application and Games on Kali Linux   How to run C and C++ programs in Kali Linux   Control Kali Linux PC From any Mobile or Tablet   How to Enable root User Account in Kali Linux   How to Configure Static IP address in Kali Linux   Bash vs ZSH in Kali Linux   [Solved] E: Unable to locate package in Kali Linux   Hosting a Local Website with Domain Name on Kali Linux over WiFi   Install Docker in Kali Linux and Run Other OS   How to Install Kali Linux | A Total Guide to Install Kali Linux   NetHunter Rootless - Official Kali NetHunter for non rooted phones   How to set up own VPN server in 10 minutes on Kali Linux using OpenVPN   Configuring The ProxyChains   Install Python3 in Kali Linux   TempoMail - Command Line Temporary Email in Linux   NIPE - Fully Anonymize Total Kali Linux System   How to Install Google Chrome & Chromium on Kali Linux [Official Method]   15 Best Laptops For Kali Linux & Cyber Security - Check This Before Buy   Volatolity - Digial Forensic Testing of RAM on Kali Linux   Limit the Internet Speed of LAN Users [Evil Limiter]   Find Virtual Machine IP Through Kali Linux - 3 Methods   Privilege Escalation with PowerShell Empire and SETOOLKIT [Kali Linux]   How to use kill, pkill and killall Commands to Kill any Linux Process   20 Useful Tar Commands For Extraction and Compression   Create a Fake AP with DNSMASQ and HOSTAPD [Kali Linux]   How to Fully Anonymize Your Linux System with Tor using Nipe   Hack Windows/Linux using ARCANUS Framework – 100% FUD   Simple and Target Mac Flooding - Kali Linux   Get Free Kali Linux on AWS with Public IP - Real Time Penetration Testing   What’s the difference Between Tails and Tor browser?   Does Tor Hide you From Your ISP? Should I surf internet using Tor ?   Wireshark for Pentester: Decrypting RDP Traffic   Exploit Wi-Fi Vulnerabilities with Routersploit on Termux and Linux   Man in The Middle Attack & How To Prevent it   Masscan - 1000 Times Faster Than NMAP   Wireshark - Shark in Wires | Network Protocol Analyzer in Kali Linux   Wifite - Easy Automated Wireless Attack   WiFi-Pumpkin 3 - Dangerous Access Point   Evil Twin Attack with DNSMASQ - Wireless WPA2-PSK Cracking   Sniffing with Rogue Access Point [DNSMASQ and TCPFLOW]   Hack Wi-Fi Settings of Windows Machine Remotely [After Meterpreter]   Wi-Fi deauthentication attack against 802.11 protocol   Bypass Hidden SSID in a Wireless Network [Full Proof Method]   Crack WPA/WPA2-PSK using Aircrack-ng and Hashcat   Crack WPA2-PSK Wi-Fi with automated python script - FLUXION PART 1   Set Default Version of Python : [SOLVED] update-alternatives: error: no alternatives for p   Python Scripting: Information Gathering and Automating Ethical Hacking   15 Essential Meterpreter Commands Everyone Should Know   Find Vulnerable Webcams with Shodan [Metasploit Framework]   TCP & SYN Scanning with Metasploit Framework without NMAP   Meterpreter Useful Top 60 Commands List   The Web Application Hacker's Handbook 2   Hacking GPS Book   MadCam - Termux Hack Front camera by Sending link   How to Download Files In Termux   IPdrone Termux - Find Location of Person it IP in Termux   ReconDog Termux - Best Reconnaissance Tool For Termux   Termux SSH: Use Termux in Windows Using SSH Server   How to Install and Use Fsociety-Tool In Termux   Termux-YTD : Download Youtube Videos with Termux   Use CMatrix Package Like a Pro   L3MON - Access Android Devices Remotely   Hack Android using Metasploit over LAN/WAN   Ghost Framework - Control Android Devices Remotely   Top 10 Vulnerable Android Applications [Penetration Testing]   Find Hidden Subdomains on Any Website with Subfinder   Blind Sql Injection with Regular Expressions Attack   Useful Google Dorks For Bug Bounty Hunters   HTML5 Security CheatSheet - What your browser does when you look away...   30,000 Sites Is In RISK, The Plus Addons For Elementor WordPress Plugin Hacked   WPScan - Find Vulnerabilities in WordPress Websites on Kali Linux   Wapiti - Automated Vulnerability Scanner   Generate 100% FUD Backdoor with TheFatRat - Windows 10 Exploitation   TheFatRat hacking tool to create undetectable backdoors   How to Make a Keylogger in Python + Code   How to create a keylogger in PowerShell ?   Backdoor Program using Python (Remote Access Explain)   Man in the Middle Attack with Websploit Framework   Hack Windows 10 Remotely over WAN with Metasploit [No Port Forwarding]   15 Powerful Gadgets For Ethical Hackers | Hardware Tools for Hackers   Find Vulnerabilities using NMAP Scripts (NSE)   Free Vulnerability Database And Resources   Firefox Browser Vulnerable to (MITM) Man-in-the-Middle Attack   Find Vulnerabilities in Military Networks By Participating Hack The Army Bug Bounty Progr. 


In our some previous articles (Scalpel, Foremost etc) we have discussed how to can run digital forensics on hard disk drives. But data is not only stores there this included RAM and the swap partition, or paging, file, which is an area of the hard disk drive.

Now the issue is RAM's data is very volatile, means the data in the RAM easily lost, when there are no electrical charge or current in the RAM chip. With the data on RAM being the most volatile, it ranks high in the order of volatility and must be forensically acquired and preserved as a matter of high priority.

volatility thumbnail.jpg

Many types of data & forensics artifacts reside in Random Access Memory (RAM) and the paging file. They are might be login passwords, user information, running and hidden processes or even encrypted passwords are just some of the many types of interesting data that can be found when we run digital forensics test of RAM.

In our this article we use Volatility Framework to perform memory forensics on our Kali Linux system.

Volatility Framework is an open-source, cross-platform framework that comes with many useful plugins that provide us very good information from the snapshot of memory. This also known as memory dump.

The concept of Volatility is very old but it's works like magic. Not only analyzing running and hidden processes, is also a very popular choice for malware analysis.

As we said Volatility Framework is a cross platform framework. It can be run on any OS (32 and 64 bit) that supports Python including:
  • Windows XP, 7, 8,8.1, and Windows 10.
  • Windows Server 2003, 2008, 2012/R2, and 2016.
  • Linux 2.6.11 - 4.2.3 (including Kali, Debian, Ubuntu, CentOS, and more).
  • macOS Leopard (10.5.x) and Snow Leopard (10.12.x) and newer.
Volatility supports several memory dump formats (both 32- and 64-bit), including:
  • Windows crash and hibernation dumps (even Windows 7 and earlier).
  • VirtualBox.
  • VMWare .vmem dump.
  • VMware saved state and suspended dumps—.vmss/.vmsn.
  • Raw physical memory—.dd.
  • Direct physical memory dump over IEEE 1394 FireWire.
  • Expert Witness Format (EWF)—.E01.
  • QEMU (Quick Emulator).
Even we can convert between these formats and boosts of being able use Volatility with other tools.

Before use Volatility Framework we need to create a memory dump for testing. We can use several tools such as FTK imager, Helix, LiME can be used to acquire the memory image or memory dump. Then it can be investigated and analyzed by the Volatility Framework.

For this tutorial we are going to use a Windows XP image (named cridex.vmem) which is downloaded from here. Volatility have uploaded lots of memory samples publicly available for testing there. We can use them for our practice with the Volatility Framework and enhance our skills. We can download as many as we like and we can use various plugins available in Volatility. In the following screenshot we can see that our dump image is saved on our Desktop for easy access.

volatility memory dumb file.png

Using Volatility in Kali Linux
Volatility Framework comes pre-installed with full Kali Linux image. We can see the help menu of this by running following command:
volatility -h

Then we got the help of Volatility Framework as we can see in the following screenshot:

volatility help.png

If we scroll down a little bit on the help menu we can find the list of all plugins within Volatility Framework.

volatility plugins.png

This list comes in handy when performing analysis as each plugin comes with it's own short description. In the following screenshot we can see a plugin with it's description.
volatility plugin descriptions.png

Gaining Information using Volatility
This imageinfo plugin will tell us about the image. The format for using plugins in Volatility is:
volatility -f [filename] [plugin] [options_if_required]

Now we have stored our image file on Desktop so first we change our working directory by using cd Desktop command. Then we run imageinfo plugin to check information of the image by applying following command:
volatility -f cridex.vmem imageinfo

In the following screenshot we can see the information about our image file.

volatility imageinfo run.png

In the above screenshot we can see some information about the image used, including the suggested operating system and Image Type (Service Pack), the Numbers of Processor used and the date and time of the image. Some valuable information we got from this image is listed:
  • WinXP: Windows XP.
  • SP3: Service Pack 3.
  • x86: 32 bit architecture.
We also can see the suggested profiles WinXPSP2x86 (Windows XP Service Pack 2x86), WinXPSP3x86 (Windows XP Service Pack 3x86) but in the image type section we can see that service pack is 3 so we can use "WinXPSP3x86" profile for our analysis.

Process Analysis using Volatility on Kali
To identify & link connected processes, their ID's, running time and offset locations within the RAM image, we need these four plugins to get started:
  1. pslist
  2. pstree
  3. psscan
  4. psxview
1. Pslist Plugin on Volatility
This plugin or tool shows a list of all running processes, also it gives very crucial information like, Process ID (PID) and the Parent PID (PPID). Not only that it also shows the time when the processes started.

Let we run the pslist first then we explain the things. We use following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem pslist

The following screenshot shows the output of the preceding command:

volatility pslist run.png

In the above screenshot we can see the System, winlogon.exe, services.exe, svchost.exe, and explorer.exe services are all started first and then followed by reader_sl.exe, alg.exe, and finally wuauclt.exe.

The PID identifies the process and the PPID identifies the parent of the process. Looking at the pslist output, we can see that the winlogon.exe process has a PID of 608 and a PPID of 368. The PPID’s of the services.exe and the lsass.exe processes (directly after the winlogon.exe process) are both 608, indicating that winlogon.exe is in fact the PPID for both services.exe and lsass.exe.

For those new to process IDs and processes themselves, a quick Google search can assist with identification and description information. It is also useful to become familiar with many of the startup processes in order to readily point out processes that may be unusual or suspect.

The timing and order of the processes should also be noted as these may assist us in investigations. In the above screenshot, we can see that several processes, including explorer.exe, spoolsv.exe, and reader_sl.exe, all started at the same time of 02:42:36 UTC+0000. We can also tell that explorer.exe is the PPID of reader_sl.exe.

In this analysis, we can see that there are two instance of wuauclt.exe with svchost.exe as the PPID.

2. Pstree Plugin on Voltility
pstree is another process identification command that can be used to list processes. pstree shows output the same list of processes as the pslist command did in previous, but identification is also used to know which one child process and which one is parent process.

To run pstree we use following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem pstree

Following screenshot shows the output of the preceding command:

volatility pstree command.png

In the above screenshot, the last two processor listed are explorer.exe and reader_sl.exe. The explorer.exe is not indented, while reader_sl is indented, indicating that sl_reader is the child process and explorer.exe is the parent process. This is how we can identify the parent process and child process.

3. Psscan Plugin on Volatility
With the help of pslist and pstree we have checked the running processes, now it's time look for inactive and even hidden processes using psscan. Now this hidden processes may be caused by malwares (like rootkits), and they are well known for doing just that to evade discovery by users & antivirus programs.

To check the inactive process using psscan we can use following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem psscan

The output of the command shows in the following screenshot:
psscan command in volatility.png

Now we can compare the outputs of both paslist and psscan to find any anomalies.

3. Psxview Plugin on Volatility
As with psscan, the psxview plugin is used to find and list hidden processes. With psxview however, a variety of scans are run, including pslist and psscan.

To run the psxview we apply following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem psxview

The output of the command shows in the following screenshot:

psxview in volatility.png

Analyzing Network Services & Connections using Volatility
Volatility can be used to find and analyze active, terminated, and hidden connections along with ports and processes. All the protocols are supported and Volatility also reveals details of ports used by the processes including the times the processes were started.

To do this we are going to use the following three commands:
  1. connections
  2. connscan
  3. sockets
1. Connection Plugin on Volatility
The connections command lists active connections at that time. It also displays local and remote IP with the ports and PID. The connection command can be used only for Windows XP and Microsoft 2003 server (both 32 bit and 64 bit).

To use the connections command in Volatility we can use following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem connections

The following screenshot shows the output of the connections command and we can see the IP address (both local and remote) along with the port numbers and PID.

connections in volatility.png

2. Connscan Plugin on Volatility
The connections command displayed only on connection as active at that time. To see a list of connections that have been terminated, we can use the connscan command. This connscan command is also only for Windows XP and 2003 Server (both 32 bit and 64 bit) systems.

To use connscan we run the following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem connscan

The screenshot of this command is following:

connscan volatility.png

In the above screenshot we can see that same local address was previously connected to another Remote Address with the IP address on port 8080. The PID of 1484 is proof that connection was made by the explorer.exe (tested on pslist earlier).

Here we got the Remote IP address. Now for more information we can search the IP address on some IP Look up web services like or We got some additional information from there as we can see in the following screenshot.

ip look up.png

We can get IP details like, ISP (Internet Service Provider) name, Continent, Country and City. We also got a map co-ordinate of the city.

3. Sockets Plugin on Volatility
We use the sockets plugin to give additional connectivity information listening sockets.

To use sockets plugin we can use following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem sockets

We can see the output of the command in the following screenshot:

sockets in volatility.png

We can see in the above that only UDP and TCP protocols are showing in this case. But sockets plugin supports all types of protocols.

Dynamic Link Libraries Analysis using Volatility
DDL a.k.a. Dynamic Link Libraries are only for Microfost (Windows & Servers). It contains code that can be used by multiple programs simultaneously.

Inspection of a process's running DDLs and the version information of files and products may assist in correlating processes. Processes and DLL information should also be analyzed as they relate to the user accounts. For these tests we can use the following plugins:
  1. verinfo
  2. dlllist
  3. getsids
1. Verinfo plugin on Volatility
This plugin lists version information as we can see in the plugin name (verinfo) about PE (portable executable) files. The output of this file is usually quite lengthy and so can be run in a separate terminal, if we not wish to continuously scrool through the current terminal to review past plugin command lists and output.

We can use verinfo plugin by running following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem verinfo

The screenshot of the command is following:

verinfo in volatility.png

2. Dlllist plugin on Volatility
This dlllist plugin lists all running DLLs at that time in memory. DLLs are composed of code that can be used by multiple programs concurrently.

We can use the dlllist plugin by running the following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem dlllist

The following screenshot shows the output of the command:

dlllist on volatility.png

3. Getsids plugin on Volatility
To identify all users we can use Security Identifier (SID). The getsids command has four very useful items in the order in which the processes were started (refer to pslist and pstree command screenshots).

To run the getsids we can use following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem getsids

The screenshot of the command is following:

getsids on volatility.png

The format for the getsids plugin output is like following:
[Process] (PID) [SID] (User)

On the first line of the output we can see follwoing:
System (4): S-1-5-18 (Local System)

Here we explained in following bullets:
  • Process : System
  • PID : 4
  • SID : S-1-5-18
  • User : Local System
If the last number if SID is in a range of 500, that indicates the user with adminstratative privileges. For an example:
S-1-5-32-544 (Administrators)

Here we got something when we are scrolling down the getsids output, we can see that a user called Robert with an SID of S-1-5-21-789336058 (non-admin) has used started or accessed explorer.exe PID 1484.

Resgistry Analysis
Information about every users, settings, programs and the Windows operating system itself can be found within the registry. Even encrypted passwords can be found in the registry.

In the Windows registry analysis, we will be using the following two plugins.
  1. hivescan
  2. hivelist
1. Hivescan plugin on Volatility
This hivesan plugin display the physical locations of available registry hives.

To use this plugin we need to run following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem hivescan

We can see the physical locations of available registry hives in the following screenshot:

hivescan on volatility.png

2. Hivelist plugin on Volatility
Hivelist plugin is used for more details (and helpful) information on registry hives and locations with RAM. This plugin shows the details of Virtual and Physical address along with the easier readable plaintext names and locations.

We use following command to run hivelist plugin on Volatility
volatility --profile=WinXPSP3x86 -f cridex.vmem hivelist

The output shows in the following screenshot:

hivelist on volatility.png

In the above screenshot we can see information about vitual and physical address.

Password Dumping using Volatility
We know that Windows password stored on the SAM (Security Accounts Manager) file on Windows. This SAM file stores hashd passwords for usernames in Windows system. This file can't be accessed by any user when the Windows system is on.

When we have used the hivelist command (previous screenshot) we have seen the SAM file if we carefully checked the output.

sam file on volatility.png

Timeline Investigation using Volatility
We can check timeline of all the events that took place when the image was acquired by using timeliner plugin on Volatility.

Although we have an idea of what took place within this scenario, many other dumps may be quite large and far more detailed and complex. The timeliner plugin will groups details by time and includes process, PID, process offser, DDLs used, registry details and other useful information.

To run timeliner command, we type the following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem timeliner

The output shows in the following screenshot:

timeliner command on volatility.png

This may produce long ouput and we need to scrool to see the full output.

Malware analysis
One of most important feature of Voatility is malfind plugin. This plugin is used to find, or at least direct us toward hints of malware that may have been injected into various processes.

The output of malfind plugin may be very lenghty so we should be run it in a separate terminal to avoid constant scrolling when reviewing the other plugin's output.

The command used to run malfind pluin will be following:
volatility --profile=WinXPSP3x86 -f cridex.vmem malfind

We can see the output on the following screenshot:

volatility malfind.png

We can see a very long output here. To be more specific we can use -p flag to analyse a specific PID. As we have discovered previously (pslist plugin), winlogon.exe is assigned to PID 608. To analyze this specific PID in malfind we use following command:
volatility --profile=WinXPSP3x86 -f cridex.vmem malfind -p 608

The output of the command shown in the following screenshot:

malfind volatility PID specific.png

Final Thoughts
In this article, we looked at memory forensics and analysis using some of the many plugins available within the Volatility Framework on our Kali Linux system.

One of the first, and most important, steps in working with Volatility is choosing the profile that Volatility will use throughout the analysis. This profile tells Volatility Framework what type of operating system is being used. Once the profile was chosen, we were able to successfully perform process, network, registry, DLL, and even malware analysis using this versatile framework.

As we've seen, Volatility can perform several important functions in digital forensics and should be used together with other tools we've used previously to perform in-depth and detailed forensic analysis and investigations.

Be sure to download more publicly available memory images and samples to test our skills in this area. Experiment with as many plugins as we can and of course, be sure to document our findings and consider sharing them online.

This is how we can perform Digital forensics on RAM and the swap partition etc using our Kali Linux system with the help of Volatility Framework.

Liked our article then make sure to follow our subscription to get all our articles directly on inbox. We are also available on Twitter and GitHub, we post article updates there.
For anything we always happy to help everyone on our Telegram Group. We also read every comment and we always reply.