Volatility and Memory forensics

My latest endeavor has been to figure out memory forensics using Volatility or any other tool currently available.  We have a copy of EnCase Forensics so I’m comparing and contrasting which is better.  It’s most likely that we will end up using both, but I am trying them out.  Currently the biggest problem I have noticed in the latest version of Volatility is that it does not meet current Python standards.  It makes use of the sha module, where sha has been replaced by the hashlib module.

So far the use of Volatility has not impressed me much.  Most of what I have encountered can be accomplished with Sysinternals tools.  There are a few things that I would find useful.  Sysinternals does rely on the internal libraries of the system that it is being run against, while Volatility will actually search the memory for items that are running.  This will give a forensic examiner the ability to check for hidden rootkits etc.  While I find this useful, it appears to be ‘flaky’.  I’m planning on running some test comparisons with some malware that is somewhat hidden within the system.  If I can compare what I see to what Volatility sees, it may yet prove useful enough to make Volatility a standard in my forensic investigations.
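The comparison described above (a live, API-based process list against what a memory carve finds) is the cross-view check examiners use to surface unlinked processes. This is an added illustration, not code from the original post or from Volatility; the process records and the `exited` flag are constructed sample data, and the names `Proc` and `cross_view` are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    exited: bool = False  # memory carving also recovers processes that already exited


# Constructed sample data, not taken from a real memory image.
# What a live, API-based listing (Process Explorer / tasklist style) reported:
API_VIEW = [
    Proc(4, 0, "System"),
    Proc(372, 4, "smss.exe"),
    Proc(556, 540, "csrss.exe"),
    Proc(1124, 1080, "explorer.exe"),
    Proc(1900, 1124, "notepad.exe"),
]
# What a carve of process structures out of the memory image (psscan style) found:
SCAN_VIEW = [
    Proc(4, 0, "System"),
    Proc(372, 4, "smss.exe"),
    Proc(556, 540, "csrss.exe"),
    Proc(1124, 1080, "explorer.exe"),
    Proc(1900, 1124, "notepad.exe"),
    Proc(2044, 1124, "unknown.exe"),            # live, but absent from the API view
    Proc(1508, 1124, "cmd.exe", exited=True),   # stale: exited before the capture
]


def cross_view(api_view, scan_view):
    """Return the discrepancies between an API listing and a memory scan."""
    api = {(p.pid, p.name.lower()) for p in api_view}
    scan_live = {(p.pid, p.name.lower()) for p in scan_view if not p.exited}
    scan_stale = {(p.pid, p.name.lower()) for p in scan_view if p.exited}
    return {
        # carved, not exited, yet invisible to the API: candidate for an unlinked/hidden process
        "hidden": sorted(scan_live - api),
        # listed by the API but missed by the carve: a gap in the scan, a tool-reliability issue
        "missed_by_scan": sorted(api - scan_live - scan_stale),
        # carved but already exited: normal pool residue, not evidence of hiding
        "stale": sorted(scan_stale),
    }


if __name__ == "__main__":
    for kind, procs in cross_view(API_VIEW, SCAN_VIEW).items():
        print(kind, procs)
```

A "hidden" hit is a lead to verify against the process's exit time and its parent, not a verdict, since PID reuse and exited processes left in pool memory both produce scan-only entries.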

Another interesting tool that I have found is PyFlag.  While this tool has not yet reached its 1.0 version, it looks like it may be very useful.  Seeing as both these tools are written in Python, I am more interested in them than in some of the other tools that are currently available out there.

I prefer Python over other tools out there.  I have used multiple tools in Perl (there is a very good suite of tools available for Forensics as part of the book Windows Forensic Analysis Toolkit) and a handful of tools within the Ruby scripting language.

I’ll update this blog entry as I research more information.  I have been working on my personal blog lately and neglecting the Archlinux blog.  I should be able to focus on both more frequently, however.
