Jun asked me about a paper I wrote and which Harlan's tools were
based. Although I can't send out the full paper, I can show you a
slide from my talk at the 2007 DoD Cyber Crime Conference at
http://jessekornblum.com/tmp/determine-os.pdf
The slide shows how you can use the spaces between known values, in
this case between the Eprocess header and the name of the process, to
identify what OS you're working with.
For the record, Volatility looks at each process' Peb, IIRC, which in
turn contains a string naming the Service Pack number. The framework
records how many processes indicate which string (e.g. 7 say "Service
Pack 2" and 2 say (null)). The string encountered the most times is
Suppose that I have a raw memory image of a particular Windows
machine. Is there any way to determine its version? It can be W2k,
WinXP SP2 or SP3 or Vista.
Perhaps we can look into some places in the image to get those
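As an added example (not code from this thread or from Volatility itself), the two approaches described in the reply above, side by side: measuring the gap between a process header and the process name, and Volatility's vote over each process's PEB service-pack string. The structure offsets, the dispatcher-header bytes and the sample image are assumptions for illustration only and must be checked against the profile you actually work with.

```python
from collections import Counter

# Assumed distance from the start of _EPROCESS (its dispatcher header) to
# ImageFileName, per OS. Illustrative values; verify against your profile.
IMAGE_NAME_OFFSETS = {
    0x1fc: "Windows 2000",
    0x174: "Windows XP",
    0x154: "Windows Server 2003",
    0x14c: "Windows Vista",
}
# Assumed _DISPATCHER_HEADER prefix of a process object (Type=3, Size=0x1b).
PROC_HEADER = b"\x03\x00\x1b\x00"

def guess_os_by_spacing(image, name=b"System\x00"):
    """Find each copy of the process name and test whether a process header
    sits at one of the known distances before it. A name without a header
    at a known gap (a stray string) produces no hit."""
    hits = set()
    pos = image.find(name)
    while pos != -1:
        for gap, os_name in IMAGE_NAME_OFFSETS.items():
            start = pos - gap
            if start >= 0 and image[start:start + len(PROC_HEADER)] == PROC_HEADER:
                hits.add(os_name)
        pos = image.find(name, pos + 1)
    return sorted(hits)

def guess_sp_by_vote(csd_versions):
    """Vote over the CSDVersion string read from each process's PEB.
    None stands for a null/unreadable string. Returns (winner, tally);
    winner is None when the list is empty or the top two are tied."""
    tally = Counter(csd_versions)
    ranked = tally.most_common(2)
    if not ranked or (len(ranked) == 2 and ranked[0][1] == ranked[1][1]):
        return None, dict(tally)
    return ranked[0][0], dict(tally)

def build_sample_image():
    """Constructed stand-in for a raw image: one XP-layout _EPROCESS for
    'System' at 0x1000, plus a decoy 'System' string with no header."""
    img = bytearray(0x4000)
    base = 0x1000
    img[base:base + 4] = PROC_HEADER
    img[base + 0x174:base + 0x174 + 7] = b"System\x00"
    img[0x3000:0x3007] = b"System\x00"  # decoy, no header in front of it
    return bytes(img)

if __name__ == "__main__":
    print(guess_os_by_spacing(build_sample_image()))
    print(guess_sp_by_vote(["Service Pack 2"] * 7 + [None] * 2))
```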
I am interested in working with the experimental version that supports Linux memory images and integrates with PyFlag. I would greatly appreciate a copy of the source code with those features (e.g. the version used in the DRFWS 2008 challenge).
Here's a Volatility plugin to first recover the command line for each process and
then find any suspicious ones. I wrote it to get a feel for the framework's
Object model. Please note that the current version of the framework has a (soon
to be corrected) bug that can result in a crash. Don't panic!
The plugin considers a command line to be suspicious if it contains the word
"TrueCrypt" or if it starts with a lower case drive letter. The latter is
indicative of a manually typed command line. I've found it handy to examine
TrueCrypt command lines because they can contain the filename of a mounted
Attached please find a Volatility plugin to scan for TrueCrypt passphrases using
the method described in Brian Kaplan's thesis, 'RAM is Key, Extracting Disk
Encryption Keys From Volatile Memory', pages 22-23. You can download the thesis
python volatility cryptoscan -f [FILE]
The output will look like:
Found TrueCrypt passphrase "8964h khI@*TGUIG!!" at offset 0x65f8094
Anybody know where we can get the sample image mentioned
xp-laptop-2005-07-04-1430.img in README.txt?
I got http://www.cfreds.nist.gov/mem/memory-images.rar, but inside I
found only a Win2003 image, and it doesn't work with 1.3-beta.
If it is not there anymore, can anybody upload the XP image somewhere
for us to try?