How to process recent Windows 10 memory dumps in Volatility 2

Today I want to briefly take up a topic already addressed in a previous post: analysis of Windows 10 memory dumps using Volatility 2.

In my previous article, I’ve recommended to use a FireEye‘s custom version of Volatility [1], with additional profiles specific to Windows 10 memory dumps.

However, this version is now little updated, and also the official version on Volatility 2 has been updated with profiles for latest Windows 10 version.

In a recent commit [2], has been added a profile for Windows 10 19041:

Volatility supports investigations of the following memory images:

Windows:
* 32-bit Windows XP Service Pack 2 and 3
* 32-bit Windows 2003 Server Service Pack 0, 1, 2
* 32-bit Windows Vista Service Pack 0, 1, 2
* 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
* 32-bit Windows 7 Service Pack 0, 1
* 32-bit Windows 8, 8.1, and 8.1 Update 1
* 32-bit Windows 10 (initial support)
* 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows Vista Service Pack 0, 1, 2
* 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2008 R2 Server Service Pack 0 and 1
* 64-bit Windows 7 Service Pack 0 and 1
* 64-bit Windows 8, 8.1, and 8.1 Update 1
* 64-bit Windows Server 2012 and 2012 R2 
* 64-bit Windows 10 (including at least 10.0.19041)
* 64-bit Windows Server 2016 (including at least 10.0.19041)

So, my suggestion in now to use directly the official release of Volatility available on GitHub [3].


How to install Volatility

from Official Wiki:

Getting Volatility

You can get the source code by either downloading a stable release or cloning from github. To do the latter, type:

$ git clone https://github.com/volatilityfoundation/volatility.git

This will create a volatility folder that contains the source code and you can run Volatility directory from there.


Installing Volatility

If you’re using the standalone Windows, Linux, or Mac executable, no installation is necessary – just run it from a command prompt. No dependencies are required, because they’re already packaged inside the exe.

If you’re using the Pyinstaller (Windows-only) executable, double click and follow through with the installation instructions (which basically consists of clicking Next a few times and then Finish). You must already have a working Python 2.7. Also see below for the dependency libraries.

If you downloaded the zip or tar source code archive (Windows, Linux, OSX) there are two ways to “install” the code:

  1. Extract the archive and run setup.py. This will take care of copying files to the right locations on your disk. Running setup.py is only necessary if you want to have access to the Volatility namespace from other Python scripts, for example if you plan on importing Volatility as a library. Pros: easy use as a library. Cons: more difficult to upgrade or uninstall.
  2. Extract the archive to a directory of your choice. When you want to use Volatility just do python /path/to/directory/vol.py. This is a cleaner method since no files are ever moved outside of your chosen directory, which makes it easier to upgrade to new versions when they’re released. Also, you can easily have multiple versions of Volatility installed at the same time, by just keeping them in separate directories (like /home/me/vol2.0 and /home/me/vol2.1). Pros: clean, easy to run multiple versions, easy to upgrade or uninstall. Cons: more difficult to use as a library.

Dependencies

This section does not apply to the standalone Windows executable, because the dependent libraries are already included in the exe. Also please note the majority of core Volatility functionality will work without any additional dependencies as well. You will only need to install packages if you plan on using specific plugins that leverage those packages (see recommended dependencies), or if you want to enhance your experience (see optional dependencies). Note: for Linux you may have to install a few other packages/libraries as prerequisites for the following recommended packages (Example: apt-get install pcregrep libpcre++-dev python-dev -y)

Recommended packages

For the most comprehensive plugin support, you should install the following libraries. If you do not install these libraries, you may see a warning message to raise your awareness, but all plugins that do not rely on the missing libraries will still work properly.

  • Distorm3 – Powerful Disassembler Library For x86/AMD64
    • Dependent plugins
      • apihooks
      • callbacks
      • impscan
      • kdbgscan, pslist, modules etc for Windows 8/2012 machines
      • the disassemble command in volshell, linux_volshell, and mac_volshell
  • Yara – A malware identification and classification tool
    • Dependent plugins
      • yarascan, linux_yarascan, mac_yarascan
    • Note: get yara from the project’s main website, do not install it with pip.
    • Note: if you are on Linux, you may have to issue the following command: echo "/usr/local/lib" >> /etc/ld.so.conf && ldconfig
  • PyCrypto – The Python Cryptography Toolkit
    • Dependent plugins
      • lsadump
      • hashdump
    • Note: this requires python-dev to build (unless you get pre-built binaries)
  • PIL – Python Imaging Library
    • Dependent plugins
      • screenshots
  • OpenPyxl – Python library to read/write Excel 2007 xlsx/xlsm files
    • Dependent plugins
      • Any plugin that has been converted to unified format (with --output=xlsx option)
  • ujson – Ultra fast JSON parsing library
    • Dependent plugins: anything using --output=html

References

  1. https://github.com/fireeye/win10_volatility
  2. https://github.com/volatilityfoundation/volatility/commit/bdb2b4d1c7474932d6be9fc2d83ad7aae6fc2f17
  3. https://github.com/volatilityfoundation/volatility/

Related posts

  1. Some thoughts about Stuxnet
  2. dfir_ntfs: a forensic parser for NTFS filesystems
  3. iLEAPP: an iOS logs, events, and plists parser
  4. iOS Forensics: how to perform a logical acquisition with libimobiledevice
  5. How to sort and organize files recovered by PhotoRec