So the group I am working with is more fledgling than we would like to be. Granted, I work with some really brilliant folks. They honestly make me feel stupid with the amount of knowledge they have, but one thing we are lacking is a good memory analysis technique. We spend countless hours poring through the process dumps off of a box, and then I'm not sure that it does any good. Let's face it, after multiple hours of looking at useless lines of code/commands/garbage you may miss the important stuff. Fortunately we always have an idea of what we are looking for. When will our luck run out?
So I have been looking at Volatility. I'm impressed and I'm disappointed.
The first disappointment that I have is with the connections command. I've dealt with numerous pieces of malware that beacon, establish a connection as needed and then drop off, only to connect again if the beacon returns a specific reply. It doesn't establish a connection, nor does it listen on a port. I've found no way for Volatility to give me information on any connection attempts or IPs that the malware is trying to talk to on an irregular basis.
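One way to surface those transient beacon targets when no socket is open at capture time is to carve IPv4 literals out of the process memory itself, since the malware has to hold the address somewhere even between beacons. The following is an added example (not code from the post or from Volatility) that scans a constructed dump for IPv4 strings in both ASCII and UTF-16LE (the form Windows APIs usually hold strings in), rejects impossible octets, and reports each hit's byte offset so the surrounding bytes can be reviewed by hand.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "process memory" for demonstration, not a real dump:
# an ASCII beacon URL, a UTF-16LE address, an impossible address (octet > 255)
# and a repeat of the first address, padded with nulls and junk bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"http://203.0.113.45:8080/beacon.php?id=7"   # ASCII, IP at offset 23
    + b"\x00\xff" * 8
    + "198.51.100.9".encode("utf-16-le")            # wide string at offset 72
    + b"\x00" * 8
    + b"999.1.1.1"                                  # rejected: 999 is not an octet
    + b"\x00" * 4
    + b"203.0.113.45"                               # ASCII again at offset 117
)

# ASCII dotted quad; the lookarounds stop "999.1.1.1" being read as "99.1.1.1".
_IPV4_ASCII = re.compile(rb"(?<![0-9.])([0-9]{1,3}(?:\.[0-9]{1,3}){3})(?![0-9.])")
# Same shape in UTF-16LE: every character is followed by a null byte.
_IPV4_WIDE = re.compile(
    rb"(?<![0-9.]\x00)((?:[0-9]\x00){1,3}(?:\.\x00(?:[0-9]\x00){1,3}){3})(?![0-9.]\x00)"
)


def _valid_ipv4(text: str) -> bool:
    """True when every octet is in 0..255 (the regex only checks digit count)."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def find_ipv4_strings(dump: bytes) -> Dict[str, List[Tuple[int, str]]]:
    """Map each plausible IPv4 literal in the dump to its (offset, encoding) hits."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for match in _IPV4_ASCII.finditer(dump):
        address = match.group(1).decode("ascii")
        if _valid_ipv4(address):
            hits.setdefault(address, []).append((match.start(1), "ascii"))
    for match in _IPV4_WIDE.finditer(dump):
        address = match.group(1).decode("utf-16-le")
        if _valid_ipv4(address):
            hits.setdefault(address, []).append((match.start(1), "utf-16le"))
    return hits


if __name__ == "__main__":
    for address, locations in find_ipv4_strings(SAMPLE_DUMP).items():
        print(address, locations)
```

The output is a list of candidates to triage against known-good addresses, not proof of a connection; a repeated address near URL-like text is the kind of thing worth a closer look.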
The second disappointment is that I haven't found a way to find any commands issued to a program. Many times memory will retain the list of commands, and at times the passwords for specific encryption that were typed at a terminal and executed on the software. It would be very helpful if there were a way for Volatility to gather this information and show which commands were executed on which pieces of malware. Now, this becomes an issue with privacy. Not sure how to get around that.
Now, what impresses me is the amount of information that you can recover from memory by issuing a few commands. Many of the items that you would usually need SysInternals for, you can now get from memory. Many times, if there is a rootkit or a hidden piece of malware, then you won't get any return from the SysInternals tools.
Example: there are ways to configure a secondary route, possibly VPN subversion or just a forced route to a malicious site. SysInternals does not always show this. Using Volatility, you have a chance of pulling this information back. Does it always? No. This is why it's not always best to just rely on this tool to do the work for you.
It definitely has potential and I'll continue to watch, but I can't rely on it just yet.