I recently came across Volatility, an advanced memory forensics framework implemented in Python. It is an effective tool for extracting digital artifacts from volatile memory (RAM). Volatility can analyze raw dumps, crash dumps, hibernation files, VMware .vmem files, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor) captures, Expert Witness Format (EWF) images, and direct physical memory over FireWire.
What makes Volatility really special is its set of plugins. These are some of the plugins that I found really interesting:
- dlldump: Extracts a specified DLL from memory.
- pslist: Prints all processes by walking the EPROCESS linked list.
- psscan: Finds processes that were previously terminated or unlinked by a rootkit, so it can list hidden/unlinked processes.
- dlllist: Displays every DLL loaded by a process.
- filescan: Lists FILE_OBJECT structures found in physical memory.
- malfind: Finds hidden or injected code and injected DLLs, which is useful in malware analysis. It also displays the owning process, VAD flags, memory segments, etc.
- svcscan: Scans for Windows services.
- apihooks: Detects API hooks in process and kernel memory.
- callbacks: Displays kernel callbacks and notification routines.
- iehistory: Reconstructs Internet Explorer cache/history.
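A common triage step that combines two of the plugins above is to diff the process lists: pslist walks the EPROCESS linked list, while psscan carves process objects from physical memory, so a process present in psscan but absent from pslist is a candidate for an unlinked (hidden) or recently exited process. The following is an added example, not code from the original post or from the Volatility project; the plugin output embedded in it is constructed to mimic the Volatility 2 text format and is not from a real memory image.

```python
import re
from typing import Dict

# Constructed sample output in the style of Volatility 2's pslist and psscan
# plugins (not real dumps). In practice you would capture these with, e.g.,
#   vol.py -f mem.raw --profile=<Profile> pslist > pslist.txt
#   vol.py -f mem.raw --profile=<Profile> psscan > psscan.txt
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess
0x8a2b1020 System                    4      0     52      256 ------
0x8a1c3da0 explorer.exe           1524   1480     14      351      0
"""

PSSCAN_OUTPUT = """\
Offset(P)  Name                PID   PPID PDB        Time created
0x02231020 System                4      0 0x00319000 2023-01-02 10:00:01 UTC+0000
0x021c3da0 explorer.exe       1524   1480 0x1a2b3000 2023-01-02 10:05:12 UTC+0000
0x02ab4f10 svch0st.exe        2288   1524 0x0c4d5000 2023-01-02 10:07:44 UTC+0000
"""

# Each data row starts with a hex offset, then the process name, then the PID.
# Header lines do not start with 0x and are skipped by the regex.
_ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\b")


def parse_processes(plugin_output: str) -> Dict[int, str]:
    """Map PID -> process name from pslist/psscan style text output."""
    processes: Dict[int, str] = {}
    for line in plugin_output.splitlines():
        match = _ROW_RE.match(line.strip())
        if match:
            name, pid = match.group(1), int(match.group(2))
            processes[pid] = name
    return processes


def find_hidden_processes(pslist_output: str, psscan_output: str) -> Dict[int, str]:
    """Return processes seen by psscan (pool-tag carving) but not by pslist
    (EPROCESS list walk). Note: exited processes whose objects are still in
    memory also show up here, so each hit still needs manual triage."""
    listed = parse_processes(pslist_output)
    scanned = parse_processes(psscan_output)
    return {pid: name for pid, name in scanned.items() if pid not in listed}


if __name__ == "__main__":
    for pid, name in find_hidden_processes(PSLIST_OUTPUT, PSSCAN_OUTPUT).items():
        print(f"candidate hidden/exited process: pid={pid} name={name}")
```

Every hit should be confirmed with the other plugins on the list (dlllist and malfind on that PID, and svcscan if the name looks like a service) before calling it a rootkit artifact.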
If you are interested in exploring Volatility further, these are some good tutorials that helped me get started: