This article shows how to combine Volatility 3 memory forensics with Criminal IP threat intelligence: how to install the Criminalip-Volatility3 plugins and how to run them against a memory dump.
For an introduction to the Criminalip-Volatility3 plugins, please refer to the Criminal IP Volatility3 integration case and the official Criminal IP GitHub repository.
How to Install the Criminalip-Volatility3 Plugins
1. Download the plugins via the Criminal IP API Integrations page
You can check out Volatility on the Criminal IP API Integrations page.
On the Criminal IP API Integrations page, click on the Volatility logo to see how it was integrated with Criminal IP, as well as a brief introduction to the plugins and how to use them.
Next, head to GitHub to download the Criminalip-Volatility3 plugins. Click the “Go to GitHub” button located on the top right side of the integration page.
After accessing GitHub, click the Code button to download the ZIP file.
2. Install the downloaded plugin files into the Volatility3 folder
Download the ZIP file and extract it. Inside the extracted Criminalip-Volatility3-Plugins-main folder, the Criminalip folder is the one that contains the code for the Criminalip-Volatility3 plugins.
Copy this Criminalip folder into the volatility3/volatility3/plugins directory inside your volatility3 checkout.
3. Complete the Criminalip-Volatility3 plugin setup with the DB configuration
Once the Criminalip folder is in place alongside the other plugin code, you can configure the DB. First, install alembic and initialize an alembic environment named practice:
pip install alembic
alembic init practice
Once alembic is installed, locate sqlalchemy.url in the generated alembic.ini file and change it as follows.
- Before the edit: sqlalchemy.url
- After the edit: sqlalchemy.url = sqlite:///db_file.db
If the plugin later reports that the content does not exist in the DB even though everything was configured correctly, check that the section name on line 3 of alembic.ini is alembic, i.e. that the header reads [alembic]. If the name is missing, enter alembic there as shown in the image below.
Once alembic has been installed and configured, the practice directory and db_file.db are present in the volatility3 location. Now copy the practice directory and db_file.db from the extracted Criminalip-Volatility3-Plugins-main folder into volatility3, replacing the ones generated by alembic init.
Once the copying process is complete, run the following command. This command is used to upgrade the database’s current schema version to the latest version, and is executed to maintain consistency between the changed database schema and codebase.
alembic upgrade head
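The following script, added here as an illustration and not code from the Criminal IP repository, automates the checks behind steps 2 and 3: it rewrites sqlalchemy.url in alembic.ini to sqlite:///db_file.db while preserving the rest of the file, adds the [alembic] section header if it is missing (the cause of the "content does not exist in the DB" symptom described above), lists anything still missing from the volatility3 directory (vol.py, volatility3/plugins/Criminalip, practice, db_file.db), and only then runs alembic upgrade head. The file and directory names are the ones used in this article; the path of the volatility3 checkout is an argument you supply.

```python
"""Verify and finish the Criminalip-Volatility3 plugin setup (alembic part).

Added example for this article; not code from the Criminal IP repository.
Usage:  python check_criminalip_setup.py /path/to/volatility3
"""
from __future__ import annotations

import re
import subprocess
import sys
from pathlib import Path

DB_URL = "sqlite:///db_file.db"  # value from step 3 of the article
# A bare `sqlalchemy.url` line (the "before" state) or one with any value.
_URL_LINE = re.compile(r"^\s*sqlalchemy\.url\s*(=.*)?$")
_URL_OK = re.compile(rf"^\s*sqlalchemy\.url\s*=\s*{re.escape(DB_URL)}\s*$", re.M)


def configure_alembic_ini(text: str, db_url: str = DB_URL) -> str:
    """Return alembic.ini text with sqlalchemy.url set and an [alembic] header present.

    Edits the raw text instead of going through configparser so comments and
    the logging sections survive the rewrite. Idempotent.
    """
    out: list[str] = []
    replaced = False
    for line in text.splitlines():
        if not replaced and _URL_LINE.match(line):
            out.append(f"sqlalchemy.url = {db_url}")
            replaced = True
        else:
            out.append(line)

    header = next((i for i, l in enumerate(out) if l.strip() == "[alembic]"), None)
    if header is None:
        # Without a section literally named [alembic], alembic never reads
        # script_location or sqlalchemy.url and the DB appears empty. Put the
        # header in front of the first key so the existing keys fall under it.
        header = next(
            (i for i, l in enumerate(out)
             if "=" in l and not l.lstrip().startswith(("#", ";", "["))),
            len(out),
        )
        out.insert(header, "[alembic]")
    if not replaced:
        out.insert(header + 1, f"sqlalchemy.url = {db_url}")
    return "\n".join(out) + "\n"


def check_layout(vol_root: str | Path) -> list[str]:
    """Return the setup problems under a volatility3 checkout ([] when ready)."""
    root = Path(vol_root)
    problems: list[str] = []
    if not (root / "vol.py").is_file():
        problems.append("vol.py not found: pass the volatility3 checkout root")
    if not (root / "volatility3" / "plugins" / "Criminalip").is_dir():
        problems.append("Criminalip folder is not under volatility3/volatility3/plugins")
    ini = root / "alembic.ini"
    if not ini.is_file():
        problems.append("alembic.ini missing: run `alembic init practice` in the checkout root")
    else:
        text = ini.read_text(encoding="utf-8")
        if "[alembic]" not in text or not _URL_OK.search(text):
            problems.append(f"alembic.ini needs the [alembic] header and sqlalchemy.url = {DB_URL}")
    if not (root / "practice").is_dir():
        problems.append("practice directory missing: copy it from Criminalip-Volatility3-Plugins-main")
    if not (root / "db_file.db").is_file():
        problems.append("db_file.db missing: copy it from Criminalip-Volatility3-Plugins-main")
    return problems


def upgrade_schema(vol_root: str | Path) -> int:
    """Run `alembic upgrade head` in the checkout root; returns its exit status."""
    return subprocess.run(["alembic", "upgrade", "head"], cwd=str(vol_root)).returncode


def main(argv: list[str]) -> int:
    root = Path(argv[1]) if len(argv) > 1 else Path.cwd()
    ini = root / "alembic.ini"
    if ini.is_file():
        ini.write_text(configure_alembic_ini(ini.read_text(encoding="utf-8")), encoding="utf-8")
    problems = check_layout(root)
    for p in problems:
        print("missing:", p)
    return 1 if problems else upgrade_schema(root)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the volatility3 checkout (or pass the path) after copying the plugin folder; it refuses to run the schema upgrade until every item from the steps above is in place, so a half-finished setup fails here rather than with an empty-DB error at plugin run time.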
The Criminalip-Volatility3 plugin setup is now complete. Next, let's put the plugins to work.
Generate a Volatility Memory Dump File
We will now create a memory dump of a Windows system using FTK Imager. When you start FTK Imager, you will see the following screen. Select Capture Memory (the toolbar button marked in red in the screenshot; it is also available from the File menu).
A Capture Memory pop-up window appears. Click Browse to choose the folder where the dump file will be written; you can also change the destination filename to whatever you prefer. Once everything is set, click the Capture Memory button.
If a pop-up window like the image below appears after clicking Capture Memory, run FTK Imager as an administrator and follow the dump file creation procedure again.
If you see the screen below after clicking Capture Memory, the memory capture process is working correctly.
When the Status bar hits 100%, you will see the message “Memory capture finished successfully” displayed in the Status section. After this message, you can proceed to close the pop-up window.
Now, check to see the dump file created in the C:\<set path>\ directory. You will see that the dump file has been created as shown in the red box in the image below.
We will now try and run the Criminalip-Volatility3 Plugins based on the created dump file.
Run the Criminalip-Volatility3 Plugins
The Criminalip-Volatility3 plugins consist of two plugins: criminalipip, which checks information related to IP addresses, and criminalipdomain, which helps distinguish malicious URLs.
If you only want to see malicious results, use the --malIP option of the criminalipip plugin and the --malD option of the criminalipdomain plugin.
1. Identify malicious IP addresses using the criminalipip plugin
The plugin lists the external IP addresses found in the memory dump together with the risk level Criminal IP assigns to each.
python vol.py -f "<dumpfile_name.mem>" Criminalip.criminalipip
Use the --malIP option to select and display only high-risk information.
python vol.py -f "<dumpfile_name.mem>" Criminalip.criminalipip --malIP
2. Identify malicious URL information using the criminalipdomain plugin
The risk level of URLs present in the virtual memory of the processes can be checked against the phishing information diagnosed by Criminal IP.
Run the criminalipdomain plugin in the same way as criminalipip and add the --malD option to select and display only high-risk information.
If you want to review the malicious information more intuitively, you can add the --Hardware option.
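Both plugins grade indicators carved from the dump, and the criminalipip output is limited to external IP addresses. The script below, added here as an example and not the plugins' own code (their extraction logic is not described on this page), shows what that filter has to exclude and how to carve candidates from a raw image yourself for a quick triage or to estimate how many Criminal IP lookups a dump will need: RFC 1918, loopback, link-local, shared address space, multicast and the documentation TEST-NET ranges are dropped, and UTF-16LE strings are decoded because that is how Windows keeps most of its in-memory text. The sample image bytes and the example.test hostnames are constructed for the demonstration.

```python
"""Carve IP/URL candidates from a raw memory image and keep only external ones.

Added example for this article; not the Criminalip-Volatility3 plugin code.
Usage:  python triage_candidates.py <dumpfile_name.mem>
"""
from __future__ import annotations

import ipaddress
import mmap
import re
import sys
from dataclasses import dataclass, field
from typing import Iterator
from urllib.parse import urlsplit

# Dotted quad not glued to further digits/dots (so 1.2.3.4.5 is not an address).
_IPV4 = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# http(s) URL up to whitespace, a quote, an angle bracket or a NUL byte.
_URL = re.compile(rb"https?://[^\s\"'<>\x00]+")
# Run of 4+ printable UTF-16LE code units, i.e. a Windows wide string.
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


@dataclass
class Candidates:
    external_ips: set[str] = field(default_factory=set)  # worth a criminalipip lookup
    excluded_ips: set[str] = field(default_factory=set)  # private/reserved/multicast/invalid
    hostnames: set[str] = field(default_factory=set)     # worth a criminalipdomain lookup


def is_external(ip: str) -> bool:
    """True only for globally routable unicast addresses worth a reputation lookup."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. an octet above 255 that the regex let through
        return False
    # is_global already rejects RFC 1918, loopback, link-local, 100.64/10, the
    # TEST-NET documentation ranges and 240/4; multicast (224/4) is not in that
    # list, so it is excluded explicitly.
    return addr.is_global and not addr.is_multicast


def _text_views(image: bytes) -> Iterator[bytes]:
    """Yield the image as-is, then every wide (UTF-16LE) string re-encoded as ASCII."""
    yield image
    for m in _WIDE.finditer(image):
        yield m.group(0).decode("utf-16-le").encode("ascii")


def carve(image: bytes) -> Candidates:
    """Carve candidates from raw image bytes and sort IPs into external/excluded."""
    found = Candidates()
    for view in _text_views(image):
        for m in _IPV4.finditer(view):
            ip = m.group(1).decode("ascii")
            (found.external_ips if is_external(ip) else found.excluded_ips).add(ip)
        for m in _URL.finditer(view):
            try:
                host = urlsplit(m.group(0).decode("ascii", "ignore")).hostname
            except ValueError:  # malformed netloc, e.g. a stray '['
                continue
            if not host:
                continue
            try:
                ipaddress.ip_address(host)  # IP-literal hosts are already in the IP sets
            except ValueError:
                found.hostnames.add(host.lower())
    return found


# Constructed sample image (not a real dump): narrow strings, one UTF-16LE URL,
# and documentation-range addresses that look public but must not be queried.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"GET / HTTP/1.1\r\nHost: 203.0.113.7\r\n"           # TEST-NET-3
    + b"connect 8.8.8.8:53 ok\x00"                         # the only real external IP
    + b"peer=10.0.0.5 gw=192.168.1.1 lo=127.0.0.1 ll=169.254.1.1\x00"
    + b"mdns 224.0.0.251\x00"                              # multicast
    + b"version 1.2.3.4.5\x00"                             # five octets: not an address
    + "http://update.example.test/payload.bin".encode("utf-16-le")
    + b"\x00https://198.51.100.23/c2\x00"                  # TEST-NET-2 as URL host
    + b"noise https://cdn.example.test:443/a?b=c'\x00"
)


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            found = carve(mm)  # re scans the mapped file; the dump is never read whole into RAM
    else:
        found = carve(SAMPLE_IMAGE)
    print(f"external IPs for criminalipip ({len(found.external_ips)}):", *sorted(found.external_ips))
    print(f"hostnames for criminalipdomain ({len(found.hostnames)}):", *sorted(found.hostnames))
    print(f"excluded (private/reserved/multicast): {len(found.excluded_ips)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample only 8.8.8.8 survives as an external address while seven addresses are excluded, including 203.0.113.7 and 198.51.100.23, which look public but are documentation ranges; the UTF-16LE URL is recovered as update.example.test, which a plain ASCII scan would have missed entirely.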
Today, we looked at how to install and run the Criminalip-Volatility3 plugins, which integrate Volatility 3 with the Criminal IP API. A video walkthrough of the installation is also available on the official Criminal IP YouTube channel.
In the next article, we will introduce a real-world example of using the Criminalip-Volatility3 plugins for memory forensics.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.
Create a free Criminal IP account today to access the search results cited in this article and to search for more extensive threat intelligence. For more on using the Criminalip-Volatility3 plugins for memory forensics, refer to the Criminal IP Volatility Integration page and the official Criminal IP GitHub repository.
Source: Criminal IP (https://www.criminalip.io)