Volatility Reporting Plugin for EnCase Forensic v7

Guidance Software

As most investigators know, volatile memory contains valuable information about the runtime state of the system, registry keys, network connections in memory and much more. One of the most popular tools to handle memory analysis is Volatility, an open source tool created by Volatile Systems.

Prior to the introduction of the new “Volatility Reporting Plugin,” any analysis of memory had to be handled outside of EnCase Forensic v7, and the results from Volatility typically required cutting and pasting data into your report. The plugin allows investigators to bring analysis results in from Volatility seamlessly so that they can be efficiently bookmarked and thus added to the EnCase report.

VOLATILITY REPORTING PLUGIN SETUP

Download the Volatility Reporting Plugin from the EnCase App Central Store. From within EnCase, open the EnScript drop-down menu and select the Run option, then browse to and select the downloaded EnPack file to execute it. The EnCase V7 Plugin Installer will prompt you to choose the type of installation to perform.



Download the Volatility 2.2 Standalone executable from The Volatility Framework project hosted on the Google Code site: http://code.google.com/p/volatility/. The plugin needs to be configured with the location of the Volatility program: right-click the memory image to display a tool menu called Volatility 2.2 Standalone, then choose the Executable Location option to browse to and select the program. The identified location will be stored in a configuration file that the plugin will reference.



VOLATILITY REPORTING PLUGIN USAGE

EnCase will export the acquired PhysicalMemory to DD format in the case-specific temporary folder, using the unique GUID to identify each image in cases that contain multiple memory images. Volatility will run the requested commands against the memory image, return the completed analysis to the Console View, and create a Note Bookmark for centralized reporting. Examiners can run their own Volatility analysis with the Command Ninja option, which provides a command line with the -f argument already completed for the memory image location to get them started. The Volatility Framework site should be referenced for additional details on using the tool for memory forensics, as it contains a wealth of information!
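For examiners who want to reproduce outside EnCase what a run against the exported image looks like, the following Python sketch is an added example, not code from the plugin or from Guidance Software. It builds the `-f` command line for each Volatility plugin, keeps the output for the report, and hashes the DD image before and after to confirm analysis did not alter it; the function names, file paths and the `WinXPSP2x86` profile are assumptions.

```python
import hashlib
import subprocess

def sha256_file(path, chunk=1 << 20):
    """Hash the exported image in chunks so large memory dumps fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_command(vol_exe, image, plugin, profile=None):
    """Return the argv list: executable, -f <image>, optional profile, plugin."""
    cmd = [str(vol_exe), "-f", str(image)]
    if profile:
        cmd.append("--profile=" + profile)
    cmd.append(plugin)
    return cmd

def run_plugins(vol_exe, image, plugins, profile=None, runner=subprocess.run):
    """Run each plugin, keep its output, and confirm the image is unchanged."""
    before = sha256_file(image)
    results = {}
    for plugin in plugins:
        proc = runner(build_command(vol_exe, image, plugin, profile),
                      capture_output=True, text=True)
        if proc.returncode != 0:
            # Keep the failure in the record instead of silently dropping it.
            results[plugin] = "ERROR: " + proc.stderr.strip()
        else:
            results[plugin] = proc.stdout
    if sha256_file(image) != before:
        raise RuntimeError("memory image changed during analysis")
    return before, results

if __name__ == "__main__":
    # Assumed paths; substitute the configured executable and exported image.
    digest, out = run_plugins(r"C:\Tools\volatility-2.2.standalone.exe",
                              r"C:\Temp\memory.dd",
                              ["imageinfo", "pslist", "connscan"],
                              profile="WinXPSP2x86")
    print("SHA-256:", digest)
    for name, text in out.items():
        print("=====", name, "=====")
        print(text)
```

Recording the SHA-256 alongside the pasted or bookmarked output lets a reviewer tie each result to the exact image that produced it.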
