October 2008 - Vol-users - volatilityfoundation.org

by Jesse Kornblum

Hi everybody, Jun asked me about a paper I wrote and which Harlan's tools were based. Although I can't send out the full paper, I can show you a slide from my talk at the 2007 DoD Cyber Crime Conference athttp://jessekornblum.com/tmp/determine-os.pdf . The slide shows how you can use the spaces between known values, in this case between the Eprocess header and the name of the process, to identify what OS you're working with. For the record, Volatility looks at each process' Peb, IIRC, which in turn contains a string naming the Service Pack number. The framework records how many processes indicate which string (e.g. 7 say "Service Pack 2" and 2 say (null)). The string encountered the most times is displayed. cheers, -- Jesse jessek(a)speakeasy.net

16 years, 6 months

2
1
0 0

Determine Windows version from raw image?

by Jun Koi

Hi, Suppose that I have a raw memory image of a particular Windows machine. Is there any way to determine its version? It can be W2k, WinXP SP2 or SP3 or Vista. Perhaps we can look into some places into the image to get those information out? Thanks, J

16 years, 6 months

2
4
0 0

Linux-PyFlag version

by Samuel Michael Eastman

Hi, I am interested in working with the experimental version that supports Linux memory images and integrates with PyFlag. I would greatly appreciate a copy of the source code with those features (e.g. the version used in the DRFWS 2008 challenge). Thanks, Sam

16 years, 7 months

2
1
0 0

Plugin to detect suspicious command lines

by Jesse Kornblum

Hi everybody, Here's a Volatility plugin to first recover the command line for each process and then find any suspicious ones. I wrote it to get a feel for the framework's Object model. Please note that the current version of the framework has a (soon to be corrected) bug that can result in a crash. Don't panic! The plugin considers a command line to be suspicious if it contains the word "TrueCrypt" or if it starts with a lower case drive letter. The latter is indicative of a manually typed command line. I've found it handy to examine TrueCrypt command lines because they can contain the filename of a mounted protected volume. cheers, -- Jesse jessek(a)speakeasy.net

16 years, 7 months

1
0
0 0

Plugin to find TrueCrypt passphrases

by Jesse Kornblum

Attached please find a Volatility plugin to scan for TrueCrypt passphrases using the method described in Brian Kaplan's thesis, 'RAM is Key, Extracting Disk Encryption Keys From Volatile Memory', pages 22-23. You can downlaod the thesis at http://www.andrew.cmu.edu/user/bfkaplan/. Usage: python volatility cryptoscan -f [FILE] The output will look like: Found TrueCrypt passphrase "8964h khI@*TGUIG!!" at offset 0x65f8094 cheers, -- Jesse jessek(a)speakeasy.net

16 years, 7 months

1
0
0 0

sample XP image?

by Jun Koi

Hi, Anybody know where we can get the sample image mentioned xp-laptop-2005-07-04-1430.img in README.txt? I got http://www.cfreds.nist.gov/mem/memory-images.rar, but inside I found only an Win2003 image, and it doesnt work with 1.3-beta. If it is not there anymore, can anybody upload the XP image somewhere for us to try? Thanks, J

16 years, 7 months

2
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users October 2008