Memory forensics, also known as memory analysis, is the analysis of volatile data (temporary data held in RAM) taken from a memory dump of a computer. It is used mainly by IT security professionals to find the root cause of an attack, or any other evidence of it that can be recovered from the memory dump.
Memory forensics gives a new perspective on the investigation of an attack or of system activity. Most of what a system does leaves traces in memory: running programs, network connections, chat sessions and internet history can all be present in the RAM dump you are analyzing, which makes them easier to identify. During an attack, people usually clear their tracks on secondary storage such as an HDD or SSD, but not in RAM, because many are not aware of memory analysis. This skill is in high demand among security professionals.
Volatility - This is a well-known memory forensics tool among security professionals. Volatility is free and open source, and supports many third-party plugins. The project even organizes an event in which users develop innovative extensions to the framework; isn't that a fun fact?
┌──(sanlivey㉿LAPTOP-DUGID9EC)-[~]
└─$ git clone https://github.com/volatilityfoundation/volatility3.git
Cloning into 'volatility3'...
remote: Enumerating objects: 30339, done.
remote: Counting objects: 100% (1181/1181), done.
remote: Compressing objects: 100% (620/620), done.
remote: Total 30339 (delta 756), reused 924 (delta 554), pack-reused 29158
Receiving objects: 100% (30339/30339), 6.15 MiB | 1024.00 KiB/s, done.
Resolving deltas: 100% (22944/22944), done.
┌──(sanlivey㉿LAPTOP-DUGID9EC)-[~]
└─$ cd volatility3/
┌──(sanlivey㉿LAPTOP-DUGID9EC)-[~/volatility3]
└─$
┌──(sanlivey㉿kali)-[~/Downloads/volatility3]
└─$ sudo pip3 install -r requirements.txt
Requirement already satisfied: pefile>=2017.8.1 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2022.5.30)
Requirement already satisfied: yara-python>=3.8.0 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 8)) (4.2.0)
Collecting capstone>=3.0.5
Downloading capstone-4.0.2-py2.py3-none-manylinux1_x86_64.whl (2.1 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 616.6 kB/s eta 0:00:00
Collecting pycryptodome
Downloading pycryptodome-3.17-cp35-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.1 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 645.7 kB/s eta 0:00:00
Collecting leechcorepyc>=2.4.0
Downloading leechcorepyc-2.14.1-cp36-abi3-manylinux1_x86_64.whl (126 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 126.8/126.8 kB 1.2 MB/s eta 0:00:00
Installing collected packages: pycryptodome, leechcorepyc, capstone
Successfully installed capstone-4.0.2 leechcorepyc-2.14.1 pycryptodome-3.17
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
┌──(sanlivey㉿kali)-[~/Downloads/volatility3]
└─$ python3 vol.py -h
Volatility 3 Framework 2.4.2
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND]
[-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q]
[-r RENDERER] [-f FILE] [--write-config] [--save-config SAVE_CONFIG]
[--clear-cache] [--cache-path CACHE_PATH] [--offline]
[--single-location SINGLE_LOCATION] [--stackers [STACKERS ...]]
[--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
plugin ...
┌──(sanlivey㉿kali)-[~/Downloads/volatility3]
└─$ sudo python3 setup.py build 130 ⨯
┌──(sanlivey㉿kali)-[~/Downloads/volatility3]
└─$ sudo python3 setup.py install
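The same installation as an added example script (not part of the original post or of the Volatility project), done in a per-user virtual environment so that the pip WARNING above about running as root does not apply. It assumes git and python3 with the venv module are present; the repository URL and requirements.txt are those shown in the session, and the version check parses the banner line that `vol.py -h` prints.

```shell
#!/bin/sh
# Added example: install Volatility 3 into a virtual environment instead of
# with "sudo pip3", then verify the framework runs and report its version.
# Assumptions: git and python3 (with venv) are installed; network access is
# only needed by install_volatility3, not by the parsing helper.
set -eu

VOL3_URL="https://github.com/volatilityfoundation/volatility3.git"
VOL3_DIR="${VOL3_DIR:-$HOME/volatility3}"   # override with VOL3_DIR=/path

# Extract "MAJOR.MINOR.PATCH" from the banner line of "vol.py -h",
# e.g. "Volatility 3 Framework 2.4.2" -> "2.4.2". Returns non-zero when
# the banner is absent, which means vol.py did not start correctly.
vol3_version_from_help() {
    printf '%s\n' "$1" \
        | sed -n 's/^Volatility 3 Framework \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1 | grep .
}

install_volatility3() {
    if [ ! -d "$VOL3_DIR/.git" ]; then
        git clone "$VOL3_URL" "$VOL3_DIR"
    fi
    cd "$VOL3_DIR"
    python3 -m venv .venv                 # no root, no system-package conflicts
    .venv/bin/pip install --upgrade pip
    # pefile, yara-python, capstone, pycryptodome, leechcorepyc (see the session above)
    .venv/bin/pip install -r requirements.txt
    help_text="$(.venv/bin/python vol.py -h 2>&1 | head -n 1)"
    vol3_version_from_help "$help_text"   # prints the version or fails the script
}

# Only install when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "install" ]; then
    install_volatility3
fi
```

Run it as `sh install_vol3.sh install`; afterwards invoke the tool as `~/volatility3/.venv/bin/python ~/volatility3/vol.py -f <dump> <plugin>` without sudo.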