Enhance Investigations with Memory Artifacts through Volatility in AXIOM 2.0

Whether you seize computers in the field for criminal investigations, or responding to cyber incidents for a corporation, forensic memory analysis gives you access to evidence you can’t obtain through “dead-box” forensics alone. In many cases, memory analysis may be the only way to obtain evidence critical to solving your investigation.

If memory analysis is an important part of your forensic examinations, then you’re probably familiar with Volatility, the open-source framework that is already known, trusted, and popular among both law enforcement and corporate investigators.

As we wrote previously, we’re very excited to integrate some of the most popular core plugins from the Volatility Framework into the AXIOM 2.0 Computer module. This integration, along with AXIOM’s easy-to-use artifacts-oriented approach, has four main benefits:

  • The user interface and ability to run multiple instances of Volatility at one time will make memory analysis faster.
  • The interface will also make memory analysis more accessible to a broader range of investigators.
  • By combining Volatility parsing along with AXIOM-carved pictures, URLs, and operating system artifacts from memory, you can see a more complete picture of activity that has taken place on a device.
  • With the ability to correlate memory and disk data, AXIOM further enhances the ability to prove attribution or intent in an investigation, as well as to develop more complete timelines of the.

AAron Walters, President of the Volatility Foundation, had this to say about the integration:

“We developed Volatility to encourage collaboration, innovation, and accessibility within the exciting field of memory analysis. Volatility’s integration into Magnet AXIOM emphasizes the vital role that memory analysis plays in modern investigations and the importance of open source contributions to the forensics community. We appreciate Magnet’s support and their desire to make these skills more accessible to a broader mix of forensics examiners.”

From Command Line to GUI

For many years, memory analysis has been the province of experienced forensic examiners. Traditional command-line memory analysis requires examiners to jump back and forth between programs, create custom scripts, and recall complex command line prompts to recover and analyze memory.  Just one wrong character can cause the command to fail.

To address this issue, we focused on simplifying memory analysis by integrating a number of Volatility’s core plugins into AXIOM’s artifacts-oriented approach to investigations. In fact, AXIOM’s time-saving integration starts with the very first command you’d need to run when recovering memory:

  • Instead of manually searching for the correct memory profile in the command line, AXIOM automatically runs the command (with the proper parameters) and returns the recommended profiles.
  • You can either use the AXIOM-recommended profile, or select a known profile from the dropdown interface.
  • Afterwards, you can select the memory artifacts that you want to include, along with any web-related, email, and/or operating system artifacts you want to carve for and build connections to.

AXIOM then uses the artifact output from this profile to automatically formulate all future commands. This capability saves significant time, as you no longer need to manually look up the correct profile and repeatedly insert it in the command line. In addition, AXIOM provides full filtering, keyword searching (and highlighting!), and sorting on all the returned artifact data.

You can even run multiple commands simultaneously, as AXIOM runs multiple instances of Volatility at the same time. This way, you can conduct your memory analysis significantly faster than the traditional method that only permits one command at a time.

Further Enhancing Memory Analysis with Connections in AXIOM

Connections in AXIOM enables examiners to learn where key digital evidence came from, where it is currently located, who it was shared with, and when (or if) it was opened.

In AXIOM 2.0, Connections incorporates artifacts from conventional disk images, Windows OS, and some of the most popular Volatility core commands as artifacts in AXIOM. These new artifacts include active and historical loaded drivers and running processes; hidden processes; loaded, unlinked, hidden and injected DLLs; open files, handles, active and historical connections and sockets, and timeline.

By reviewing memory, disk and Windows OS artifacts in Connections, you can now visualize the relationships between files and user actions to prove attribution and/or intent:

  • For example, memory evidence can help prove or disprove the “some other dude did it” defense in child exploitation investigations, by showing who was logged into the computer at a given time, what programs were open, what connections were active, when key files—such as pictures or videos—were created, and when they were moved. System artifacts, meanwhile, can show recently or frequently viewed files.
  • Likewise, artifacts like $LogFile can help corporate investigators trace user activities in IP theft and fraud investigations. Cyber security incident responders can also conduct a root cause analysis. By using Connections to identify and track malware on an endpoint, they can better understand how it got there, what it did, and where else it went.

The Strategic Benefits of Memory Analysis

Whether your business outsources to a managed security services provider, or your law enforcement agency outsources to the state police or federal task force forensic lab, you may find that memory analysis allows you to reduce your reliance on outside sources. By expanding your capabilities to include memory analysis, you may be able to bring some services in-house, saving both time and money.

Corporate investigators, for example, can perform the basic analysis needed to assess whether a data breach has occurred and requires a more thorough incident response—or was simply a false positive. Law enforcement investigators, meanwhile, may start to be empowered to act quickly to address smaller-scale data breaches that affect small local business owners, while reducing reliance (and the potential for backlog) on state or federal task forces.

While integration of the Volatility Framework into the AXIOM platform allows you to run built-in Volatility commands on a memory dump image, we also encourage you to view our Volatility integration as a starting point towards deeper forensic analysis.

By making it possible to access some memory analysis fundamentals, AXIOM enables you to see the power of memory analysis. You can then eventually take your forensic skills further, learning to use the Volatility command-line interface to validate the results from the integration. Learn more about Volatility training here.

If there are additional plugins you’d like us to consider adding, please get in touch with Customer Support or your sales representative, or email me at christa.miller@magnetforensics.com. To see our integration in action, contact us here for a free demo.