Determining what profile to use when analyzing Windows memory in Volatility

No need to guess or experiment with different profiles; let Volatility work it out for you. In testing this worked with every capture format Volatility supports. If you took the memory dump yourself, or the file is labeled with the OS version and service pack, you already know the profile and this step is unnecessary. To let the magic happen, follow the steps below.

This reads the capture's metadata (it searches the image for the kernel debugger block, KDBG) and prints which profile(s) Volatility suggests.

forensics@sift: vol.py -f /location/of/my/image.raw imageinfo

The output will be something similar to this:

    Volatility Foundation Volatility Framework 2.3.1
    Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/sansforensics/Desktop/WIN7-NO-PATCH-20150107-041118.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a470a0
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a48d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2015-01-07 04:11:26 UTC+0000
     Image local date and time : 2015-01-06 23:11:26 -0500

The example above suggests four profiles. The first one usually works, because the Win7 and Win2008R2 x64 profiles of the same service pack describe nearly identical kernels. Do not ignore the "Image Type (Service Pack) : 1" line, though: it says this image is SP1, so Win7SP1x64 is the exact match, and it is the one to switch to if a plugin errors out or returns odd results under the first suggestion. For a second opinion, kdbgscan tests each candidate profile against the KDBG signature and reports how many processes and loaded modules it can walk with each; the profile that enumerates them cleanly is the right one. If no profile is suggested at all, either the capture is truncated or corrupt so the KDBG cannot be found, or the Windows build is newer than your Volatility release knows about. Windows profiles ship with Volatility, so the fix in that case is to upgrade Volatility rather than to build a profile yourself; building profiles from a kernel is only needed for Linux and Mac captures.

Next, run plugins against the capture with the syntax below, passing the chosen profile with --profile. To list every plugin, address space and profile Volatility knows about, use the --info switch; it is a global option rather than a plugin, so it needs neither -f nor --profile. Adding -h next to --profile prints only the plugin commands that profile supports. The last line shows the form you will use for real work, with pslist as the plugin.

forensics@sift: vol.py --info
forensics@sift: vol.py --profile=Win7SP0x64 -h
forensics@sift: vol.py -f /location/of/my/image.raw --profile=Win7SP0x64 pslist
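Putting the two steps together, here is an added POSIX shell helper (example code written for this page, not part of the original post or of Volatility) that parses imageinfo output, picks the suggested profile whose name carries the detected service pack instead of blindly taking the first one, and then runs a plugin with it. The imageinfo text embedded in the block is a constructed sample trimmed to the lines the parser needs; run_plugin assumes vol.py is on PATH, as it is on SIFT.

```shell
#!/bin/sh
# Added example: choose a Volatility 2 profile from imageinfo output by
# matching the "Image Type (Service Pack)" line, then run a plugin with it.

# Constructed sample of imageinfo output (only the lines we parse).
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.3.1
Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
          Number of Processors : 1
     Image Type (Service Pack) : 1'

# pick_profile: read imageinfo output on stdin and print one profile name.
# Prefers the first suggestion whose name contains "SP<n>x" for the detected
# service pack n; falls back to the first suggestion when no service pack
# line is present; returns 1 when no profile was suggested at all.
pick_profile() {
    awk -F' : ' '
        /Suggested Profile\(s\)/ {
            profiles = $2
            sub(/[ \t\r]+$/, "", profiles)
        }
        /Image Type \(Service Pack\)/ {
            sp = $2
            sub(/[ \t\r]+$/, "", sp)
        }
        END {
            if (profiles == "") { exit 1 }
            n = split(profiles, p, /, */)
            if (sp != "") {
                for (i = 1; i <= n; i++) {
                    if (p[i] ~ ("SP" sp "x")) { print p[i]; exit 0 }
                }
            }
            print p[1]
        }'
}

# run_plugin IMAGE PLUGIN: resolve the profile with imageinfo, then run
# PLUGIN against IMAGE with that profile. Assumes vol.py is on PATH.
run_plugin() {
    image=$1
    plugin=$2
    profile=$(vol.py -f "$image" imageinfo 2>/dev/null | pick_profile) || {
        echo "imageinfo suggested no profile for $image; check the capture or upgrade Volatility" >&2
        return 1
    }
    echo "Using profile $profile" >&2
    vol.py -f "$image" --profile="$profile" "$plugin"
}

# Usage (uncomment on a box with vol.py and a real capture):
# run_plugin /location/of/my/image.raw pslist
```

The service-pack match is the part imageinfo does not do for you: its first suggestion in the sample is Win7SP0x64, while the parser returns Win7SP1x64 because the image reports service pack 1. When kdbgscan disagrees with the pick, trust kdbgscan.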