Additional memory forensics using Volatility

Now that we have dumped the memory, we need to perform forensics on it. The tool we will use is the Volatility Framework, which extracts digital artifacts from volatile memory (RAM) dumps. Volatility can analyze RAM dumps from 32-bit and 64-bit Windows, Linux, Mac OS, and Android systems.

  1. Download the latest Volatility available.
  2. After you finish downloading the file, you have to extract the files into a folder:
    $ tar -zxvf volatility-2.2.tar.gz
    

    Note

    Find the latest Volatility download link here: https://code.google.com/p/volatility/wiki/VolatilityIntroduction

  3. Change the directory to volatility-2.2:
    $ cd volatility-2.2/
    $ ls
    

    Our memory analysis will be using the vol.py file.

    Note

    For a detailed documentation ...
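To show what the setup above leads to, here is an added example (not from the book or from the Volatility project) of a small POSIX shell wrapper around vol.py. It assumes Volatility 2.x is invoked as `python vol.py` from the extracted volatility-2.2 directory, that the memory image path and the OS profile are passed as arguments, and it uses constructed `imageinfo` and `pslist` output as sample input so the parsing helpers can be exercised without a real dump. The plugin names (imageinfo, pslist, psscan, dlllist, malfind) are real Volatility 2 plugins; the function names are the example's own.

```shell
#!/bin/sh
# Added example: a triage wrapper around Volatility 2.x's vol.py (not code from the book).
# Assumptions: run from the volatility-2.2/ directory; "python vol.py" starts Volatility 2.
set -eu

VOL="${VOL:-python vol.py}"   # assumption: how Volatility 2 is invoked on this machine

# Pick the first OS profile that imageinfo suggests. Reads saved imageinfo output
# from a file, e.g. a line such as:
#   Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
first_profile() {
    awk -F': *' '/Suggested Profile/ { split($2, a, ","); print a[1]; exit }' "$1"
}

# Run one plugin against the image and keep its output under the case directory,
# so the analyst has a written record of what was queried.
run_plugin() {
    image="$1"; profile="$2"; plugin="$3"; outdir="$4"
    mkdir -p "$outdir"
    # shellcheck disable=SC2086   (VOL is intentionally word-split: "python vol.py")
    $VOL -f "$image" --profile="$profile" "$plugin" > "$outdir/$plugin.txt"
}

# From saved pslist output, list processes whose parent PID is not itself a PID
# in the listing. Skips the two header lines; PID/PPID are columns 3 and 4.
# This is a triage hint, not a verdict: explorer.exe is normally "orphaned"
# because its parent (userinit.exe) exits, while an unknown binary with a
# vanished parent deserves a closer look with dlllist/malfind.
orphan_pids() {
    awk 'NR > 2 && NF >= 4 { pid[$3] = $2; ppid[$3] = $4 }
         END {
             for (p in pid)
                 if (ppid[p] != 0 && !(ppid[p] in pid))
                     printf "%s %s ppid=%s\n", p, pid[p], ppid[p]
         }' "$1" | sort -n
}

# Full triage: identify profile (if not given), run a core plugin set, then
# flag parentless processes. Network plugins differ per OS (connscan for
# XP/2003, netscan for Vista and later), so they are left to the analyst.
triage() {
    image="$1"; profile="${2:-}"; outdir="${3:-case}"
    mkdir -p "$outdir"
    if [ -z "$profile" ]; then
        $VOL -f "$image" imageinfo > "$outdir/imageinfo.txt"
        profile=$(first_profile "$outdir/imageinfo.txt")
    fi
    for plugin in pslist psscan dlllist malfind; do
        run_plugin "$image" "$profile" "$plugin" "$outdir"
    done
    echo "Profile: $profile"
    echo "Processes whose parent is absent from pslist:"
    orphan_pids "$outdir/pslist.txt"
}

# Constructed sample pslist output (Volatility 2 column layout) for offline demo.
sample_pslist() {
    printf '%s\n' \
 'Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit' \
 '---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------' \
 '0x823c89c8 System                    4      0     53      240 ------      0' \
 '0x820df020 smss.exe                368      4      3       19 ------      0 2012-04-06 08:25:08 UTC+0000' \
 '0x821a2da0 csrss.exe               584    368      9      326      0      0 2012-04-06 08:25:10 UTC+0000' \
 '0x81f49d88 explorer.exe           1460   1420     18      479      0      0 2012-04-06 08:26:01 UTC+0000' \
 '0x81e7bda0 sample.exe             1968   1120      2       57      0      0 2012-04-06 08:30:45 UTC+0000'
}

if [ "$#" -ge 1 ]; then
    triage "$@"                       # usage: ./triage.sh memory.dmp [Profile] [casedir]
else
    tmp=$(mktemp)                     # no image given: demonstrate on the constructed sample
    sample_pslist > "$tmp"
    echo "Processes whose parent is absent from the sample pslist:"
    orphan_pids "$tmp"
    rm -f "$tmp"
fi
```

Run as `sh triage.sh /path/to/memory.dmp` to let imageinfo choose the profile, or pass the profile explicitly (`sh triage.sh memory.dmp WinXPSP2x86`) once you know it, since imageinfo is slow and sometimes guesses wrong. With no arguments the script only runs the parentless-process check against the constructed listing.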
