This article covers how to use Volatility memory forensics with Criminal IP threat intelligence data. Learn how to install and run the Criminalip-Volatility3 plugins integrated with threat intelligence data.

For an introduction to the Criminalip-Volatility3 plugins, please refer to the Criminal IP Volatility3 integration case and the official Criminal IP GitHub repository.

How to Install the Criminalip-Volatility3 Plugins

1. Download the plugins from the Criminal IP Integrations page for existing products and workflows

You can check out Volatility on the Criminal IP API Integrations page.

Criminal IP API Integrations page: the integration case with Volatility is introduced

On the Criminal IP API Integrations page, click on the Volatility logo to see how it was integrated with Criminal IP, as well as a brief introduction to the plugins and how to use them.

Integration case for Criminal IP API and Volatility

Next, head to GitHub to download the Criminalip-Volatility3 plugins. Click the “Go to GitHub” button located on the top right side of the integration page.

After accessing GitHub, click the Code button to download the ZIP file.

Download the Criminalip-Volatility3 plugins ZIP file from the official Criminal IP GitHub

2.  Install the downloaded plugin files into the Volatility3 folder

Download the ZIP file and extract the compressed file. After decompressing the folder, the Criminalip folder inside the Criminalip-Volatility3-Plugins-main file is the part that contains the code for the Criminallip-Volatility3 plugins.

Copy and paste this Criminalip file into the  /volatility3/volatility3/plugins directory located inside the volatility3 folder.

Criminalip folder copied and pasted into the /volatility3/volatility3/plugins folder directory

3. Complete the Criminalip-Volatility3 Plugin settings with DB configuration

If you have moved the Criminalip file to where the plugin code is, you can now start configuring the DB. Primarily, you must install alembic.

pip install alembic
alembic init practice

Once the installation for alembic is complete, locate sqlalchemy.url in the alembic.ini file and change it as shown in the image below.

  • Before the edit: sqlalchemy.url
  • After the edit: sqlalchemy.url = sqlite:///db_file.db
Find the contents of sqlalchemy.url and edit it to sqlalchemy.url = sqlite: ///db_file.db

Occasionally, if it says that the content does not exist in the DB even after configuring all settings correctly, check whether the name in line 3 of the alembic.ini file is set to alembic. If the name is not written, please enter in alembic as shown in the image below.

If the DB content does not exist after configuration, check the name in line 3 of the alembic.ini file

Once alembic has been installed and configured, you can see that the practice file and db_file.db exist in the volatility3 location. Now copy the practice files and db_file.db that exist inside Criminalip-Volatility3-Plugins-main file to volatility3.

Once the copying process is complete, run the following command. This command is used to upgrade the database’s current schema version to the latest version, and is executed to maintain consistency between the changed database schema and codebase.

alembic upgrade head

The Criminal IP-Volatility3 Plugins setup is now complete. Now, let’s put the plugin to work.

Generate a Volatility Memory Dump File

We will now try and create a memory dump file for the Windows OS. FTK Imager will be utilized to generate the dump file. Once you run FTK Imager, you will see the following screen. From this screen, click on the part marked in red.

You can see that a pop-up window for Capture Memory has been generated. On this screen, click Browse to select the segment you want to create as a dump file. During this process, you can change the destination filename of the dump file to whatever you desire. Once you have made all selections, click the Capture Memory button.

If a pop-up window like the image below appears after clicking Capture Memory, run FTK Imager as an administrator and follow the dump file creation procedure again.

If you see the screen below after clicking Capture Memory, the memory capture process is working correctly.

When the Status bar hits 100%, you will see the message “Memory capture finished successfully” displayed in the Status section. After this message, you can proceed to close the pop-up window.

Now, check to see the dump file created in the C:\<set path>\ directory. You will see that the dump file has been created as shown in the red box in the image below.

We will now try and run the Criminalip-Volatility3 Plugins based on the created dump file.

Run the Criminalip-Volatility3 Plugins

The Criminalip-Volatility3 Plugins are divided into the following two configurations: A “criminalipip” plugin that can check information related to an IP address and a “criminalipdomain” plugin used to easily distinguish malicious URLs.

If you want to identify only malicious information through these two plugins, you can use the “malIP” option in the “criminalipip” plugin, and the “malD” option in the “criminalipdomain” plugin to only detect malicious information.

1. Identify malicious IP addresses using the malicious criminalipip plugin

Within the memory dump file, you can see the risk level of the external IP addresses diagnosed by Criminal IP.

python vol.py -f "<dumpfile_name.mem>" Criminalip.criminalipip

Use the –malIP option to select and display only high-risk information.

python vol.py -f "<dumpfile_name.mem>" Criminalip.criminalipip --malIP

2.  Identify malicious URL information using the criminalipdomain plugin

The risk level of the URL present in the virtual memory of the process can be checked through phishing information diagnosed by Criminal IP.

Use the –malD option to select and display only high-risk information.

If you want to check malicious information more intuitively, you can add the ‘–Hardware’ option.

Today, we looked at how to install and run the Volatility integrated with Criminal IP API.  You can also check the video on the official Criminal IP YouTube channel for instructions on how to install the Criminalip-Volatility3 plugins.

In the next article, we will introduce a real-world example of using the Criminalip-Volatility3 plugins for memory forensics.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.  

Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence. You can refer to the Criminal IP Volatility Integration page and official Criminal IP GitHub for information on using the Criminalip-Volatility3 plugins for memory forensics.

Source: Criminal IP (https://www.criminalip.io)

Related Article(s):

STIX Vulnerability Analysis Using IP Intelligence: Analyzing Criminal IP Data With STIX (1)