I am analyzing a memory dump and looking at execution in a period of known
bad activity, and have been able to gather quite a bit of information using
volatility. For some reason though, shimcache and psscan return no results,
although all the other plugins I've run (and volshell) have worked fine. I
find it hard to believe that psscan for one can find no _EPROCESS
structures, so I'm not sure what's happening. Also, in the results from the
timeliner, I have several entries with blank shimcache entries like
"macb,---------------,0,0,0,"[SHIMCACHE] "" during times I can correlate
with shimcache entries on disk, so I know something is just not being
Any ideas on why shimcache/psscan would produce no results? I'm not sure
about the best way to track down the reason.
Thanks to your suggestion I have made great progress, but I still have not
reached the target: locating the master password of an Android app.
I run the app and set a password as "mypassword2016". With yarascan I
was able to see that this password is stored in memory in Unicode (I ran
"python vol.py linux_yarascan -W -A -Y "mypassword2016"").
Then I would like to see if there is some "signature" that helps me to
locate the password. So I decided to use volshell and look around the
password, but I had no luck (see the attachment, where I show what
there is before and after the two occurrences of the password
Of course I repeated the same workflow for two other passwords, but I
did not get anything that helps me to figure out if there is a way to
locate where the password is stored.
Do you have any suggestion, please?
Thanks in advance,
Not necessarily. You're assuming that everything once in memory stays in
memory...which isn't the case. If you have an IP and you pass it to
ws2_32.connect() and then free or overwrite the memory containing the
IP...the connection stays up and running just fine. It could also be
swapped to the page file.
On 5/17/16 5:14 AM, Laurent LF wrote:
> Thanks Michael,
> What I don't understand is that yarascan on the "IP to integer" value on
> the full mem dump gives a result in the svchost process only and not
> anywhere else. I should have at least two occurrences, one in the svchost
> process and one other in the System process, right ?
> On 2016-05-12 23:18, Michael Ligh wrote:
>> I can't speak to whether it's "normal" but it's not surprising. The System
>> process is the default home for threads that start in kernel mode. Thus
>> any kernel driver using the winsock APIs for networking will make it
>> appear as if the System process is responsible. Now combine that with a
>> DLL that's implementing a particular service (and running inside
>> svchost.exe process) who wants to communicate with its corresponding
>> driver...it could send an IOCTL and say "go connect to this x.x.x.x IP
>> address." In that case you could easily end up with a reference to the
>> IP in svchost.exe.
>> On 5/10/16 2:34 PM, Laurent LF wrote:
>>> I have progressed a bit on this.
>>> I was first limiting my IP addresses searches on the process returned by
>>> "netscan", which was "System" with pid=4. As I was convinced I should
>>> have got some results within "System", I supposed I was wrong with the
>>> syntax or the IP representation and made several other tries (IP as
>>> string, little-endian ordering as suggested by Andrew,...), still with
>>> pid=4. I also made a few tries on the whole memory dump but with no
>>> luck. It looks like I was doing something wrong because today I made
>>> some tries again on full memory dump and finally found the IPs (big-endian
>>> ordering) in ... a "svchost" process.
>>> I still need to go deeper in the analysis (as far as my little knowledge
>>> will allow me to go :-) ) but is it normal behavior to have netscan
>>> reporting some connections linked with "System" when IP search with
>>> yarascan on given IPs returns only a "svchost" process ?
>>> Also, I was expecting to find references to the IPs in several memory
>>> locations but only one occurrence in this case, in the given svchost
>>> Le 10/05/2016 17:14, Michael Ligh a écrit :
>>>> Also note yarascan only accesses available pages. The IP could be in a
>>>> page that's swapped to the pagefile or in a page that's been
>>>> freed/deallocated and is no longer referenced from any page
>>>> table(s). In
>>>> the later case, you could find it by extracting strings from the memory
>>>> dump or by scanning with yara signatures across the memory dump file
>>>> (i.e. not caring about virtual address spaces)...however if you find it
>>>> in either of two methods, there's no way to trace the page back to its
>>>> On 5/10/16 7:56 AM, Andrew Case wrote:
>>>>> Did you try the IP hex value in reverse? It is likely that the IP
>>>>> address is stored as little endian in memory.
>>>>> Andrew (@attrc)
>>>>> On 05/10/2016 05:15 AM, tech(a)nisteo.fr wrote:
>>>>>> I am starting to play with Volatility (2.5) and I am currently
>>>>>> on a Win2008R2 image (memory dump with winpmem). I would like to
>>>>>> understand what is causing some network connections initiated by the
>>>>>> "System" process.
>>>>>> netscan shows those connections and I would like to be able to find
>>>>>> references to the IP addresses in the memory dump. I have tried
>>>>>> "yarascan -Y" plugin with the IP string, with the IP to integer value
>>>>>> (converted to Hex) but no luck finding IPs that, however, I can
>>>>>> see in the netscan result...
>>>>>> Either I am wrong with the yarascan syntax or there is something I
>>>>>> don't know regarding how Win2008 stores IP...
>>>>>> Any hints ?
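The two threads above (the Android password found with yarascan -W, and the IP address that only turned up once the big-endian byte order was tried) both come down to one question: what bytes does the value actually occupy in memory? The script below is an added illustration, not code from the list posters or from the Volatility project. It builds the candidate byte patterns for an IPv4 address (network order as stored in in_addr/sockaddr_in, the same value as a little-endian DWORD, ASCII, and UTF-16LE), emits them as a YARA rule usable with yarascan, and runs a naive search over a constructed buffer that stands in for a raw dump. The IP, port and memory layout are made up for the example; the password is the one from the Android post.

```python
import ipaddress
import struct

# Constructed sample values for this illustration; they are not taken from the
# thread above (the original poster did not share the IPs they were looking for).
SAMPLE_IP = "192.168.56.101"
SAMPLE_PASSWORD = "mypassword2016"   # the password set in the Android post


def ipv4_patterns(ip):
    """Byte patterns an IPv4 address can take in memory.

    'network' is big-endian (network byte order), which is how in_addr /
    sockaddr_in store the address and what the poster eventually found.
    'host_le' is the same 32-bit value as a little-endian integer, which is
    what a DWORD holding the address looks like on x86/x64.
    """
    packed = ipaddress.IPv4Address(ip).packed          # 4 bytes, network order
    return {
        "network": packed,
        "host_le": struct.pack("<I", int.from_bytes(packed, "big")),
        "ascii": ip.encode("ascii"),
        "wide": ip.encode("utf-16-le"),
    }


def wide_string(s):
    """UTF-16LE, the encoding yarascan's -W option searches for."""
    return s.encode("utf-16-le")


def yara_hex(b):
    return "{ " + " ".join("%02x" % x for x in b) + " }"


def build_rule(name, patterns):
    """Emit a YARA rule with one hex string per pattern (feed it to yarascan -y)."""
    lines = ["rule %s" % name, "{", "    strings:"]
    for label, b in patterns.items():
        lines.append("        $%s = %s" % (label, yara_hex(b)))
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def scan(buf, patterns):
    """Report every (label, offset) hit in a raw buffer.

    This is the 'scan the dump file' approach from the reply above: no page
    tables are consulted, so freed pages are still seen, but a hit cannot be
    attributed to a process.
    """
    hits = []
    for label, pat in patterns.items():
        i = buf.find(pat)
        while i != -1:
            hits.append((label, i))
            i = buf.find(pat, i + 1)
    return sorted(hits, key=lambda h: h[1])


def all_patterns():
    pats = ipv4_patterns(SAMPLE_IP)
    pats["password_wide"] = wide_string(SAMPLE_PASSWORD)
    return pats


def constructed_memory():
    """A fake page: a sockaddr_in (family, port, IP in network order), padding,
    the same IP as a little-endian DWORD, then the password as UTF-16LE."""
    ip = ipaddress.IPv4Address(SAMPLE_IP).packed
    sockaddr_in = struct.pack("<H", 2) + struct.pack(">H", 443) + ip + b"\x00" * 8
    dword = struct.pack("<I", int.from_bytes(ip, "big"))
    return (b"\x90" * 16 + sockaddr_in + b"\x00" * 16 + dword + b"\x00" * 4
            + wide_string(SAMPLE_PASSWORD) + b"\x00\x00")


if __name__ == "__main__":
    print(build_rule("ip_and_password_in_memory", all_patterns()))
    for label, off in scan(constructed_memory(), all_patterns()):
        print("%-14s at offset 0x%x" % (label, off))
```

Running it prints the rule and three hits: the network-order IP inside the sockaddr_in, the little-endian DWORD, and the UTF-16LE password; the ASCII and wide forms of the IP are absent, which is exactly the situation in the thread where only one encoding matched. Searching for all encodings at once avoids the guesswork the poster went through.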
Wondering if anybody's come across this scenario...
I want to read an address from my_offset:
my_address = obj.Object('address', offset=my_offset, vm=task_vm)
However, for Wow64 the address should only be 4 bytes, but because we're
analysing with a 64-bit profile, 'address' will cause 8 bytes to be parsed
Do I need to replace it with something like:
    if profile_is_32bit or process_is_wow64:
        my_address = obj.Object('unsigned long', offset=my_offset, vm=task_vm)
    else:
        my_address = obj.Object('unsigned long long', offset=my_offset, vm=task_vm)
Or do I need to start manually unpacking structs?
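As an added illustration of the point in the question above (not code from the poster or from Volatility), here is the "manually unpacking structs" route written stand-alone with struct: the pointer width is chosen from the task's bitness rather than the profile's, and a singly linked list is walked under both layouts. The list layout, base addresses and values are constructed for the example; the deliberately wrong case shows what an 8-byte read over a Wow64 task's data produces.

```python
import struct

# Everything below is a constructed illustration: a fake region of process
# memory holding a singly linked list, laid out once with 4-byte and once with
# 8-byte pointers. It is not Volatility code.


def ptr_size(memory_model, is_wow64):
    """Pointer width for user-mode data of the task being read.

    A 64-bit profile describes the kernel; a Wow64 task's own structures
    still use 4-byte pointers, so the task, not the profile, decides.
    """
    return 4 if memory_model == "32bit" or is_wow64 else 8


def ptr_fmt(size):
    return "<I" if size == 4 else "<Q"


def read_pointer(mem, offset, size):
    return struct.unpack_from(ptr_fmt(size), mem, offset)[0]


def build_list(values, size, base):
    """Contiguous nodes starting at virtual address base; node = next ptr + uint32."""
    node_len = size + 4
    buf = bytearray()
    for i, v in enumerate(values):
        nxt = base + (i + 1) * node_len if i + 1 < len(values) else 0
        buf += struct.pack(ptr_fmt(size), nxt) + struct.pack("<I", v)
    return bytes(buf)


def walk_list(mem, base, head, size, limit=64):
    """Follow next pointers from head; stop at NULL, an address outside the
    buffer, a cycle, or limit nodes (all of which real dumps produce)."""
    values, seen, cur = [], set(), head
    while cur and cur not in seen and len(values) < limit:
        seen.add(cur)
        off = cur - base
        if off < 0 or off + size + 4 > len(mem):
            break
        values.append(struct.unpack_from("<I", mem, off + size)[0])
        cur = read_pointer(mem, off, size)
    return values


def demo():
    wow64_base, native_base = 0x00400000, 0x7FF600000000
    wow64_mem = build_list([1, 2, 3], 4, wow64_base)
    native_mem = build_list([1, 2, 3], 8, native_base)
    return {
        # correct width chosen from the task's bitness
        "wow64_ok": walk_list(wow64_mem, wow64_base, wow64_base, ptr_size("64bit", True)),
        "native_ok": walk_list(native_mem, native_base, native_base, ptr_size("64bit", False)),
        # the mistake in the question: 8-byte reads over a Wow64 task's data
        "wow64_wrong": walk_list(wow64_mem, wow64_base, wow64_base, 8),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the right width both lists come back as [1, 2, 3]; with 8-byte reads over the Wow64 layout the first "pointer" swallows the neighbouring value field, the walk reads a bogus value and then leaves the buffer after one node. The bounds and cycle checks in walk_list are what keeps a mis-sized read from turning into an endless or crashing traversal on a real image.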
The Call for Presentations for the Open Source Digital Forensics Conference (OSDFCon) ends on June 1 and we’ve just decided to have one presentation this year from someone who cannot physically attend the event. If you have a talk that you want to give about a tool you’ve developed or used, but don’t have the budget to travel to Virginia, then you can still submit. This is a test to see if we can open the event to more people.
All we need for the submission is an abstract about your software, use cases, or experiences. Feel free to submit topics that were submitted in past years, but not chosen from the crowd sourcing.
We’re also looking for more hands-on workshops. A lot of attendees last year requested more hands on sessions, so if you can give a 3-hour workshop the day before, it would be a great way to get awareness for your software.
Hello dear volatility community,
I am a ISE master student at Ben Gurion University in Israel.
And I need your help.
My research deals with extracting many features from a Windows memory dump
taken from vSphere snapshots. (Mostly Windows 2012 R2).
In order to extract as many features as possible I am using volatility
framework which helps me to receive the most basic features I need.
I want to leverage volatility framework even more so I can extract more
Here is the list of features I want to try to extract from the memory:
- Obtaining the stack of all processes, or anything that can be deduced from
it, for example call sequence or function parameters etc.
- Gathering information about reading or writing actions that were
happening while the snapshot was taken or before.
- Find / detect usages of cryptography keys in the memory, especially
- Find / detect changes in the registry.
I hope this post is not too abstract, and that maybe you can help me start.
I first want to know whether what I am trying to do is even possible. Is
Volatility the right tool?
If it is, where should I begin?
Appreciate your help!
That's great! Thank you so much :)
On 24 May 2016 at 16:06, wyatt roersma <wyattroersma(a)gmail.com> wrote:
> Yes I do. Here is the link to the exe and user guide.
> On May 24, 2016 7:13 AM, "Michael Ligh" <michael.ligh(a)mnin.org> wrote:
>> Wyatt - do you still have a copy of vm2dmp around?
>> On 5/24/16 5:55 AM, Bridgey theGeek wrote:
>> > Hi all,
>> > I've been given a .vsv and a .bin from a Server 2008R2 box.
>> > vm2dmp supposedly supported converting this into a raw image, but it
>> > seems to have disappeared off the face of the planet.
>> > Does anybody have:
>> > a) A copy of vm2dmp that they're allowed to share.
>> > and/or
>> > b) Recommendations for an alternative tool.
>> > Thanks!
>> > Adam
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users(a)volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
I am starting to play with Volatility (2.5) and I am currently working
on a Win2008R2 image (memory dump with winpmem). I would like to
understand what is causing some network connections initiated by the "System" process.
netscan shows those connections and I would like to be able to find
references to the IP addresses in the memory dump. I have tried
"yarascan -Y" plugin with the IP string, with the IP to integer value
(converted to Hex) but no luck finding IPs that, however, I can see in
the netscan result...
Either I am wrong with the yarascan syntax or there is something I don't
know regarding how Win2008 stores IP...
Any hints ?
I managed to get something that guesses the OS of a memory dump. I was
planning to call imageinfo from it in the case of a Windows dump or
get_mac_profile in the case of an OSX dump (I will figure out Linux later).
So my questions are:
- Does this kind of feature fit into Volatility, or do you prefer that
the plugins follow the Single Responsibility Principle?
- If not, what is the cleanest way to call a plugin from another one?
Thank you !
Stanislas 'P1kachu' Lejay
EPITA - LSE
If you're sleeping, you're doing it wrong.