Tuesday, December 8, 2015

Analyze a RAM dump file

In forensic investigations it is very important to dump the contents of RAM to a file and to analyze the processes and tasks that were running at the time of the dump. So let's look at how we can dump the RAM's contents to a raw file and how we can analyze that file to get further details.

For this we are going to use the MoonSols Windows Memory Toolkit. The toolkit contains four or more related tools, but in this case we need only one of them: the acquisition tool, DumpIt.exe. We can build a raw file of the RAM's contents at a particular moment with this tool. Just run it (as an administrator) and it will ask the ordinary "Are you sure?" question; answer yes. Now you will see a .raw file has been created in the same directory, which is the dump of our RAM. It is named after the machine and the date and time of the dump, e.g. ADMIN-PC-20151207-061148.raw. Run DumpIt from a USB stick or a network share rather than copying it onto the suspect disk, so you overwrite as little evidence as possible. Now we need our second tool, which is going to analyze the dump file.



To analyze the dump file we are using Volatility. You can download the standalone Windows build (volatility-2.2.standalone.exe), but if you are using Kali don't bother downloading it: just open a terminal and run the same commands with volatility in place of the .exe name.

If you have downloaded the standalone .exe, go to the directory you downloaded it to and open cmd in that directory. Type
volatility-2.2.standalone.exe -f "filename.raw" imageinfo

This prints the image info. In the result, the "Suggested Profile(s)" line shows the OS versions (profiles) that Volatility guesses the image came from. Select the correct OS from those and copy that profile name,
ex : Win7SP1x64
The first suggestion is usually right; if the later plugins return nothing or garbage, try the next one in the list.

After you have copied it, type the following to go forward.
volatility-2.2.standalone.exe -f ADMIN-PC-20151207-061148.raw --profile=Win7SP1x64 kdbgscan
Replace --profile=________ with the relevant profile name.

Now it prints other information about this raw file. You will see something like the following in the result:
Offset (V)    : 0xXXXXXXXX

Copy the value after Offset (V). It looks like this

ex: 0xf80002c520a0

If kdbgscan reports more than one candidate KDBG, take the one whose PsActiveProcessHead line shows a non-zero number of processes; a candidate with "(0 processes)" is a stale or false-positive hit and pslist would come back empty with it.

Keep that value; we need it for the next command.
Now we are going to get the processes that were running when we took the dump of RAM. Here is how:

volatility-2.2.standalone.exe -f ADMIN-PC-20151207-061148.raw --profile=Win7SP1x64 --kdbg=0xf80002c520a0 pslist

Replace the value after --kdbg= with the offset you copied from kdbgscan.

With the pslist plugin it will display all the processes that were running, in the terminal. If you want these details in a txt file, type the following:

volatility-2.2.standalone.exe -f ADMIN-PC-20151207-061148.raw --profile=Win7SP1x64 --kdbg=0xf80002c520a0 pslist > filename.txt

That gives you all the processes that were running at the time of the dump.
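The whole imageinfo, kdbgscan, pslist sequence above can be scripted so you do not have to copy values by hand. The script below is an added example for this post, not part of MoonSols or Volatility. It assumes the Volatility 2.x command is in VOL (on Kali the package installs "volatility"; on Windows point VOL at volatility-2.2.standalone.exe), and the two sample outputs embedded in it are constructed, shortened copies of what imageinfo and kdbgscan print, used only to exercise the parsing functions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Volatility
# project. Automates: imageinfo -> pick profile -> kdbgscan -> pick KDBG
# -> pslist to a text file.
# Assumption: VOL is the Volatility 2.x command (Kali: "volatility";
# Windows: VOL=./volatility-2.2.standalone.exe).

VOL="${VOL:-volatility}"

# Take the first profile from imageinfo's "Suggested Profile(s)" line.
suggested_profile() {
    sed -n 's/.*Suggested Profile(s)[^:]*: *\([^,]*\).*/\1/p' | head -n 1
}

# kdbgscan may report several candidate KDBG structures. Pick the first
# one whose PsActiveProcessHead actually walks to processes: a hit with
# "(0 processes)" is a stale or false-positive signature and pslist
# would come back empty if you passed its offset.
kdbg_offset() {
    awk '
        /^Offset \(V\)/ { off = $NF }
        /^PsActiveProcessHead/ {
            n = $0
            sub(/.*\(/, "", n)            # keep "37 processes)"
            sub(/ processes\).*/, "", n)   # keep "37"
            if (n + 0 > 0) { print off; exit }
        }'
}

# Full pipeline: identify profile, locate KDBG, write the process list
# to <image>.pslist.txt next to the memory image.
run_pslist() {
    img="$1"
    profile="$("$VOL" -f "$img" imageinfo | suggested_profile)"
    [ -n "$profile" ] || { echo "imageinfo gave no profile" >&2; return 1; }
    kdbg="$("$VOL" -f "$img" --profile="$profile" kdbgscan | kdbg_offset)"
    [ -n "$kdbg" ] || { echo "kdbgscan found no usable KDBG" >&2; return 1; }
    echo "profile=$profile kdbg=$kdbg" >&2
    "$VOL" -f "$img" --profile="$profile" --kdbg="$kdbg" pslist > "$img.pslist.txt"
}

# Constructed sample outputs (shape follows Volatility 2.2's text output,
# trimmed to the lines the parsers above look at).
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.2
Determining profile based on KDBG search...

          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/ADMIN-PC-20151207-061148.raw)
                      PAE type : No PAE
                           DTB : 0x187000L'

SAMPLE_KDBGSCAN='Volatility Foundation Volatility Framework 2.2
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80002c3a0a0
Offset (P)                    : 0x2c3a0a0
KDBG owner tag check          : True
PsActiveProcessHead           : 0xfffff80002c70b90 (0 processes)
PsLoadedModuleList            : 0xfffff80002c8ee90 (0 modules)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80002c520a0
Offset (P)                    : 0x2c520a0
KDBG owner tag check          : True
PsActiveProcessHead           : 0xfffff80002c88b90 (37 processes)
PsLoadedModuleList            : 0xfffff80002ca6e90 (139 modules)'

# Only touch a real image when one is given on the command line:
#   VOL=./volatility-2.2.standalone.exe sh pslist.sh ADMIN-PC-20151207-061148.raw
if [ -n "${1:-}" ]; then
    run_pslist "$1"
fi
```

On the constructed sample the first KDBG hit is skipped because it owns no processes, and the script settles on 0xf80002c520a0, the same value used in the commands above. Everything else is plain POSIX sh, sed and awk, so it runs on Kali as-is.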

Note and remember:
Volatility can be used for many other forensic tasks as well, such as analyzing the Windows hibernation file (hiberfil.sys) and VMware virtual machine memory files (.vmem).
