Over the past couple of years the Guidance Software EnCase consultants and trainers have provided advice and assistance concerning how to manage the digital artifacts from RAM or memory analysis when using Volatility as their tool of choice. The two blog posts below provide insight into the progress.
Using Volatility with EnCase
June 8, 2012
Volatility Reporting Plugin for EnCase Forensic v7
August 7, 2013
In the latter blog post from August 2013, John Lukach, a Guidance Software trainer, introduced an EnScript or app on EnCase App Central that eliminated the monotonous and time-consuming task of cutting and pasting Volatile data in order to bring the data into an EnCase report. This process is now handled by simply bookmarking the data through a plugin that completely automates the importing process.
As the Volatility Reporting Plugin has grown in popularity, now reaching the top spot in App Central’s most downloaded apps, the demand for additional functionality has grown as well.
Let’s walk through the functionality in the new and improved Volatility Reporting Plugin. In an Incident Response scenario, you receive an alert from the security monitoring tool of your choice that identifies an open network connection that may be of risk to your organization. The EnCase Enterprise or Forensic Snapshot feature will be used first to examine the memory due to the speed and performance of the feature.
Once the alert is confirmed, your triage process begins. It requires a memory image from the system in question, acquired using the EnCase servlet for efficiency and compression during the acquisition to help limit business impact. Once the data has been preserved, you can proceed with an in-depth analysis of the memory artifacts. The plugin allows investigators to seamlessly use Volatility to perform analysis while using EnCase for centralized reporting through the use of bookmarks.
We added three new features due to the high number of requests to improve the plugin for our students. First, the Executable Location, Profile Selection, Check for Updates, Remove Plugin, and Help choices have all been consolidated into the Open Plugin Tab option. This provides additional space for the Last Command option, which displays the previous call to Volatility for review and changes to assist with using the advanced Command Ninja option. Second, the Ninja Apprentice was added to quickly allow for the use of other Volatility plugins that are not part of the preset options. Third, the memory path and profile are appended to the right of the command behind the scenes.
Download the Volatility Reporting Plugin from the EnCase App Central Store.
Download the Volatility Standalone Executable from The Volatility Framework project hosted on the Google Code site.
Launch the Volatility Reporting Plugin by choosing Run in the EnScript menu and browsing to the app’s location. You may have to delete the previous EnPack from one of the paths shown below if you’re performing an update of an earlier version.
The plugin needs to be configured with the location of the Volatility program. Right-click the memory image to display a tool menu called Volatility Reporting Plugin, then choose the Open Plugin Tab option, which displays the settings that can be configured.
Click Executable Location and browse to select the location of the Volatility Standalone Executable program. Volatility uses an XP profile by default, so if you’re conducting memory forensics on a different operating system, make sure to set the profile appropriately using the Profile Selection choice. Settings are stored in configuration files shown below.
EnCase will export the acquired PhysicalMemory to DD format in the case-specific temporary folder, using the unique GUID to identify each image in cases containing multiple memory images. Volatility will run the requested commands against the memory and return the completed analysis to the Console View, and a Note Bookmark is created for centralized reporting.
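The workflow described above (analyst command, with the memory path and profile appended on the right, output kept as a note) can be sketched in Python as an added example; this is not the plugin's EnScript code. The function names, the `<GUID>.dd` file naming and the note structure are assumptions; `-f`/`--filename` and `--profile` are Volatility 2 options.

```python
import shlex
import subprocess
from pathlib import Path

DEFAULT_PROFILE = "WinXPSP2x86"  # Volatility 2 falls back to this XP profile

def image_path(temp_dir, guid):
    """Exported raw (DD) image in the case temp folder, named by GUID (assumed layout)."""
    return Path(temp_dir) / f"{guid}.dd"

def build_command(exe, analyst_cmd, image, profile=DEFAULT_PROFILE):
    """Return argv with the memory path and profile appended after the analyst's command."""
    args = shlex.split(analyst_cmd)
    if not args:
        raise ValueError("empty Volatility command")
    for arg in args:
        # The wrapper owns these options; a second copy could silently
        # point the analysis at a different image or profile.
        if arg in ("-f", "--filename", "--profile") or \
                arg.startswith(("--filename=", "--profile=")):
            raise ValueError(f"{arg!r} is appended automatically")
    return [str(exe), *args, "-f", str(image), f"--profile={profile}"]

def run_to_note(argv, runner=subprocess.run):
    """Run Volatility and return a note record that keeps the exact command with its output."""
    proc = runner(argv, capture_output=True, text=True, check=False)
    return {
        "last_command": subprocess.list2cmdline(argv),  # what was actually executed
        "returncode": proc.returncode,
        "output": proc.stdout if proc.returncode == 0 else proc.stderr,
    }

if __name__ == "__main__":
    # Constructed sample values; nothing is executed here, only the command is shown.
    img = image_path("C:/Cases/Demo/Temp", "00000000-0000-0000-0000-000000000000")
    print(build_command("volatility.exe", "dlllist -p 1234", img, "Win7SP1x64"))
```

Storing the full command line next to the output lets a reviewer confirm which image and profile produced a given bookmark.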
This app was developed by instructors in support of the Professional Development and Training Course offerings.
For more information about its use and investigative context, attend the Advanced Computer Forensics course.