Parsing random-access memory (RAM) dumps is a vital process that allows us to preserve the contents of physical memory for its later use and examination.
A memory dump helps developers and analysts to view the last state of the applications and systems before they terminated abnormally. It consists of the recorded state of the working memory of a computer program at a specific time.
Parsing RAM dumps may be necessary for various reasons.
First of all, memory dumps can be used to diagnose a bug in the software, as applications create memory dumps when they halt unexpectedly.
The point is that the computer’s RAM contains an enormous amount of system information, uploaded branches of the registry, information about the open network connections, unpacked and decoded versions of the protected software, and more.
Analyzing memory dumps is a sure way to detect viruses. If a computer is virus-infected or it has a Trojan Horse software launched on it, malware will be easier to spot when examining the RAM image.
Also, the process of examining the RAM dumps is often used in digital forensics to help investigators uncover electronic data, reconstruct past events, and collect evidence.
Moreover, most of the physical memory is volatile, which means that it can potentially store sensitive data, such as cryptographic keys and passwords.
Analysts can use many tools to parse and examine the contents of the memory dump. However, choosing the right tool to examine collected dumps remains an issue. In this article, we take a look at several free utility functions, analyze them, and highlight the major pros and cons of each tool.
Volatility
Volatility was developed by Volatility Framework, a non-profit initiative that strives to spread the word about the memory analysis within the forensics community.
This tool is considered as one of the most popular collections of tools among all free software for physical memory analysis, which provides an opportunity to analyze RAM dumps, gathered from Windows, Linux, and Mac OS.
The Volatility functionality has been constantly advanced with every new release. The latest versions improved support for Windows, Mac OS Sierra 10.12, and Linux with KASLR kernels. Initially, the Volatility tool could only be installed on Linux and Windows.
Successful parsing requires profiles, and there are two ways to get them:
- GitHub has a repository for storing profiles for different operating systems
- Linux system allows for gathering profiles using a script
Volatility is based on a comprehensive research of its contributors, which makes it a decent tool for extracting digital artifacts from the RAM dumps. It can significantly simplify the memory analysis because of its benefits:
- Provides the list of running processes
- Shows the list of open network sockets
- Displays the list of uploaded DDL for each process
- Has a large repository that stores profiles for various operating systems
- Ensures that the profiles for new operating systems appear in the repository quite fast
- Works with addressable memory and loadable kernel module
- Shows the names of the open files for each process
The major Volatility downsides are:
- The absence of a graphic interface
- The inconvenience of working through the command line
Redline
Redline belongs to free Windows memory analysis tools that examine physical memory dumps and allow you to create data analysis reports conveniently.
Redline was developed by FireEye to help its users thoroughly examine and analyze RAM dumps to find signs of malicious activity.
The software developers assure that with Redline, users can:
- View, filter, and analyze imported audit data
- Streamline memory analysis
- Gather all the data from memory, services, event logs, web history, etc.
- Discover additional features when using Redline with other FireEye’s tools, for example, the ability to establish the timeline of an incident
Redline has one significant disadvantage: it only supports Windows and can’t be applied for other operating systems. The latest version supports Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10.
On the other hand, it’s easy to use thanks to its graphic interface. Moreover, you don’t need to collect profiles for different versions of the Windows operating system. Also, Redline allows for convenient formatting.
Rekall Forensics
Rekall Forensics is another free utility function for analyzing a physical memory dump with an open-source license. This software has started as a memory forensic framework, but then it managed to evolve into a complete platform.
The Rekall project also includes an alpha version of a forensic tool, called Rekall Agent, designed around the Google Cloud Platform.
The most important advantages of the Rekall framework are the following ones:
- A repository, which contains profiles for the majority of operating systems
- An opportunity to examine dumps gathered from Windows, Linux, and Mac OS
- An opportunity to automatically detect profiles for Windows operating systems
- An opportunity to gather all the profiles you need for Linux systems manually, using the script, stored on the official GitHub account
However, working with Rekall Forensics can be inconvenient for two reasons:
- You can launch this tool only on Linux and Windows through the command line
- Rekall’s repository can lack profiles for some new operating systems
MemGator
MemGator is a convenient utility function, created by Orion Forensics for analyzing physical memory dumps. This software allows for automated data extraction from a memory file. Also, it provides a feature of reports compiling for an investigation
MemGator creators claim that this software combines the best features of alternative frameworks like Volatility Framework, Scalpel File Carver, and AESKeyFinder. Basically, this utility function is the analog of Volatility, but with a graphic interfac
Just like Redline, MemGator only works with Windows systems and doesn’t require gathering profiles for different operating systems.
MemGator has lots of advantages:
- Automated data extraction from memory files and creates reports for investigators
- Automated execution of almost all the commands from the Volatility Framework
- Automatic selection of the right OS profile for all the Volatility commands
- Opportunity for users to manually pick the OS profile, if they wish not to let the tool do it automatically
- Opportunity to create reports in HTML
- Automated running of Scalpel, including carving for usernames and passwords for email and social media accounts, such as Gmail, Yahoo, and Facebook, and auto-filling form entries for the Chrome browser
However, the tool has several significant downsides:
- No updates in a long time
- No support for new Windows operating systems such as Windows 10 x86 and x64
- No support for other operating systems, except for Windows
Parsing tools comparative analysis
First of all, we should say that all of the utility functions, mentioned in this article, managed to analyze RAM dumps, gathered on Windows 7 x64 operating system.
Now, let’s create a table for a convenient and straightforward comparison of free parsing tools we have examined.
| Name | Has an interface | Can analyze dumps for Linux, Mac OS | An opportunity to gather profiles for new OS manually |
| Volatility | – | + | + |
| Redline | + | – | – |
| Rekall Forensics | – | + | + |
| MemGator | + | – | – |
As you can see, Redline and MemGator have interfaces, which is a crucial advantage, as it simplifies the working process. Unfortunately, they can only analyze dumps for Windows and don’t allow users to gather profiles for the new operating system manually.
Volatility and Rekall Forensics, on the contrary, can be used for all three operating systems most users are interested in Windows, Linux, and Mac OS. Although these tools don’t have graphic interfaces, they provide users with the opportunity to gather profiles for the new operating system manually.
Conclusion
To sum up, all the described free memory analysis tools for RAM dumps parsing like Volatility, Redline, Rekall Forensics, and MemGator decently cope with their physical memory analysis.
Surely, paid software such as WindowsSCOPE Cyber Forensics and PlainSight usually has a graphic interface that simplifies the memory dump analysis and offers features for Windows forensic analysis. Not to mention, these tools support new versions of various operating systems and provide immediate updates for better performance.
Obviously, the paid utility functions for physical memory dump parsing is more of an option for those who regularly need to analyze RAM dumps. The reason is that such tools can analyze data from new operating systems.
