- Vol-users - volatilityfoundation.org

by Bridgey theGeek

(I definitely have the reply I sent hours ago in my 'Sent Items', but maybe the Internet ate it. Anyway...) Just to add to what MHL said, I notice your error concerns fileparam.py which is odd. It should be present: /path/to/volatility$ find -type f -name fileparam.py ./volatility/plugins/fileparam.py In case MHL's suggestion doesn't fix it, can you find the fileparam.py file? Where did you get your copy of 2.4 from? Might be worth grabbing it again from github. Bridgey

10 years, 7 months

1
0
0 0

zeusscan

by dnardoni

Is zeusscan depreciated in version 2.4? Volatility Foundation Volatility Framework 2.4 ERROR : volatility.plugins.fileparam: The requested file doesn't exist

10 years, 7 months

4
3
0 0

Facebook Doubles Volatility Contest Prizes

by AAron Walters

As mentioned earlier this week, we have extended the deadline for the 2014 Volatility Plugin Contest until October 1st because an organization wanted to augment the prizes. We are excited to share that due to an extremely generous donation from Facebook, the total cash prizes have been doubled from $2250 USD to $4500 USD! If you have already submitted to the contest, you can use this extra time to fine tune your submission or submit another entry to improve your chances. If you were considering submitting, you now have an extra month to demonstrate your creativity, become a memory analysis pioneer, win the admiration of your peers, and give back to the community! It’s great to see some of the largest companies in the world showing their support for and giving back to the memory forensics community! Thank you, Facebook, and good luck to all participants in the contest - the stakes have literally just doubled! AAron Walters The Volatility Foundation

10 years, 7 months

1
0
0 0

2014 Volatility Plugin Contest Deadline Extended

by AAron Walters

Despite the fact we have already surpassed the number of submissions to last year’s contest, we are excited to announce that we have extended the deadline for the 2014 Volatility Plugin Contest until October 1st, 2014. We received a number of inquiries from people who recently learned about the competition when they purchased “The Art of Memory Forensics” and an exciting new competition sponsor (more details next week) that wanted to further augment our prizes. If you have already submitted to the contest, you can use this extra time to fine-tune your submission. If you were considering submitting, you now have an extra month to demonstrate your creativity and implement an innovative, interesting, and useful Volatility extension! It’s great to see some of the largest companies in the world showing their support for and giving back to the memory forensics community! AW The Volatility Foundation

10 years, 7 months

1
0
0 0

New Volatility Video: Automatic Detection and Extraction of Rootkits

by Andrew Case

This is the 2nd of 3 videos that we showed at Black Hat Arsenal this year: http://volatility-labs.blogspot.com.au/2014/08/volatility-24-at-blackhat-ar… This video takes you through using Volatility to automatically find, extract, and analyze a rootkit with both kernel and userland components. -- Thanks, Andrew (@attrc)

10 years, 7 months

1
0
0 0

New Volatility video: Tracking Mac OS X User Activity

by Andrew Case

We (the Volatility team) recently released Volatility 2.4 at Black Hat Arsenal in Vegas. To drive the demonstrations, MHL made 3 videos showing off interesting features of the framework. The first of these, Tracking Mac OS X User Activity, is now publicly available: http://volatility-labs.blogspot.com/2014/08/volatility-24-at-blackhat-arsen… We will be releasing the rest over the next several weeks. Please send us any feedback you may have on the videos, and we hope you enjoy the new features of 2.4! -- Thanks, Andrew (@attrc)

10 years, 8 months

1
0
0 0

Decompressing Windows 8 hiberfil.sys files

by J U

The "imagecopy" plugin in Volatility 2.4 does not decompress hiberfil.sys files from Windows 8 machines, at least in the tests that I have tried. In most cases, I'm getting identical files out, which means that the hiberfil.sys wasn't translated into a native physical address space, which suggests it's not supported? I have also tried using the Moonsols Windows Memory Toolkit which claims to support Windows 8, but that software seems to fail as well. Has anybody had any luck with uncompressing a Windows 8 hiberfil.sys file? Is there any other tool I can use to accomplish this? TIA

10 years, 8 months

2
1
0 0

Official Volatility 2.4 Cheat Sheet released!

by Andrew Case

The 2.4 edition of our popular Volatility cheat sheet is released! It features an updated Windows page, all new Linux and Mac OS X pages, and an extremely handy RTFM-style insert for Windows memory forensics. http://volatility-labs.blogspot.com/2014/08/new-volatility-24-cheet-sheet-w… Please let us know if you have any questions with the new plugins, and we hope that you are putting 2.4 to good use ;) -- Thanks, Andrew (@attrc)

10 years, 8 months

1
0
0 0

Open Memory Forensics Workshop 2014

by AAron Walters

vol-users, Registration has officially opened for the 6th Annual Open Memory Forensics Workshop (OMFW) 2014. This half-day workshop will be held prior to the 2014 Open Source Digital Forensics Conference (OSDFC) in Herndon, VA, USA, on November 4, 2014. "OMFW is the only digital forensics workshop focused on providing a venue for the most advanced digital investigators. It is intended for those people who realize that the only real defense against a creative technical human adversary is a creative technical human analyst. No shady vendors trying to describe how they re-implemented open source tools or boisterous trainers attempting to discuss topics they only superficially understand. This is your opportunity to learn directly from an international cadre of pioneering researchers and practitioners who have been shaping the field of memory analysis since its inception. Through a series of invited talks you will have the opportunity to engage this exciting community." We are still accepting presentations from people who are performing innovative memory analysis research or from people who have interesting case studies where memory forensics provided a critical component of the investigation. If you are interested in participating, please contact us. Submissions are due no later than October 1, 2014. This year's workshop will also present the results of The 2nd Annual Volatility Framework Plugin Contest! If you are interested in presenting at the conference, submitting a contest entry is another option. Selected contestants may be asked to present their work at the workshop and have it featured on the Volatility Labs Blog. All contest submissions are due by September 1, 2014. To learn more about the workshop, read testimonials of previous attendees, and find out what makes OMFW so unique, please visit the workshop website: http://www.volatilityfoundation.org/#!2014/cwat Details about the location will be provided upon registration. Pre-registration is required and space is LIMITED, so register early. Please note that it will NOT be possible to register at the door. Registration closes on October 24, 2014. Reserve your seat by contacting: info [at] volatilityfoundation [dot] org. Thanks, AAron Walters The Volatility Foundation

10 years, 8 months

1
0
0 0

New Paper: In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux

by Andrew Case

The research paper that Dr. Golden Richard and I won "Best Paper" with at DFRWS 2014 is now available along with our slides: http://volatility-labs.blogspot.com/2014/08/new-paper-in-lieu-of-swap-analy… If you have any questions about the research then please let me know. -- Thanks, Andrew (@attrc)

10 years, 8 months

1
0
0 0

Volatility 2.4 released!

by Andrew Case

The Volatility Team is happy to announce that Volatility 2.4 is now publicly released. Volatility 2.4 adds support for Windows 8, 8.1, 2012, and 2012 R2 memory dumps, Mac OS X Mavericks (up to 10.9.4), and Linux kernels up to 3.16. It also contains a large number of new plugins and features. Full information can be found here: http://volatility-labs.blogspot.com/2014/08/presenting-volatility-foundatio… Please let me know if you have any issues or questions with the release. -- Thanks, Andrew (@attrc)

10 years, 8 months

2
3
0 0

can volatility analysis xl dump-core

by Tawfiq Shah

Hi all I am wanting to perform memory introspection in my xen setup. I have been using libvmi with volatility to analysis memory dumps of a domU. I have done and tested it in Dom0 and it works. I now want to create a similar setup in a pv domU but i am unable to get libVMI working,. Since i can use xl dump-core <domid> <filename> in my pv to extract any hvm dump. I am using xsm and i have added all the necessary rules for memory extraction. This is the command i use to analysis the dump extracted using xl dump-core note: i created the Linuxkbeastx86 profile to the kernel i have infecting kbeast and this profile worked in dom0 when i used libVMI dump memory but in the pv it does not, also tested xl dump with volatility in dom0 and it did not work. So can volatility process xl dump ? below is the example out put i get python /root/Volatility/vol.py -f /root/kbeastDump --profile=Linuxkbeastx86 linux_check_modules Volatility Foundation Volatility Framework 2.3.1 Module Name ----------- No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space PyVmiAddressSpace: Location doesn't start with vmi:// MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF error: did not find any PT_NOTE segment with VBCORE VMWareSnapshotFile: Invalid VMware signature: 0x464c457f WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile Linuxkbeastx86 selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check PyVmiAddressSpace: Must be first Address Space FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check if anyone could give me some advice on this Thank you

10 years, 8 months

3
3
0 0

Malware Memory Forensics Workshop in conjunction with ACSAC

by Andrew Case

I am writing to help spread the word of the first annual Malware Memory Forensics (MMF) workshop that will be held along side ACSAC later this year in New Orleans: http://www.acsac.org/2014/workshops/issues/ I am on the review committee and the conference is being organized by academics with deep experience related to malware and memory forensics (e.g. General Co-Chair Golden Richard was who we chose as tech editor for The Art of Memory Forensics). If you are working with Volatility and performing your research inside the framework then this is the perfect venue for a formal/academic publication of your research . If you are a student, it would be an ideal fit for Masters or PHD projects, and if you are in industry then this conference works well as a bridge between industry and academia. Any questions can be sent to myself or to Golden (CC'ed). -- Thanks, Andrew (@attrc)

10 years, 8 months

1
0
0 0

problem with mftparser

by dnardoni

Anyone have any idea what is causing this error with mftparser? I have tried this in volatility versions 2.3 and 2.4. Might be a config issue with my system but not sure what it might be, so I thought I would ask the group. Volatility Foundation Volatility Framework 2.4 Scanning for MFT entries and building directory, this can take a while Traceback (most recent call last): File "vol.py", line 192, in <module> main() File "vol.py", line 183, in main command.execute() File "/Users/dnardoni/volatility/volatility_24/volatility/commands.py", line 127, in execute func(outfd, data) File "/Users/dnardoni/volatility/volatility_24/volatility/plugins/mftparser.py", line 728, in render_body for offset, mft_entry, attributes in data: File "/Users/dnardoni/volatility/volatility_24/volatility/plugins/mftparser.py", line 706, in calculate mft_entry.add_path(temp.FileName) File "/Users/dnardoni/volatility/volatility_24/volatility/obj.py", line 747, in __getattr__ return self.m(attr) File "/Users/dnardoni/volatility/volatility_24/volatility/obj.py", line 721, in m return element(self) File "/Users/dnardoni/volatility/volatility_24/volatility/plugins/mftparser.py", line 497, in <lambda> 'FileName': lambda x : obj.Object("FILE_NAME", offset = x.obj_offset + x.ContentOffset, vm = x.obj_vm), File "/Users/dnardoni/volatility/volatility_24/volatility/obj.py", line 377, in method proxied = self.proxied(name) File "/Users/dnardoni/volatility/volatility_24/volatility/obj.py", line 433, in proxied return self.v() File "/Users/dnardoni/volatility/volatility_24/volatility/obj.py", line 443, in v (val,) = struct.unpack(self.format_string, data) struct.error: unpack requires a string argument of length 2 Dave

10 years, 8 months

2
1
0 0

Samsung GT-I9023 Google Nexus S memory acquisition and analysis

by masdif

Hi all, I pre-ordered “The Art of Memory Forensics” at March 22nd :-) and as of today delivery is estimated for September 1st :-(. I really hope there is a chapter about debugging the memory acquisition process. ;-) Meanwhile may I kindly ask for your advice/hints how to debug the following? I am not able to successfully acquire and analyze a Nexus S Android memory dump. Where could I start to look for errors? How can I assure that the dump is valid? How can I assure that the profile is valid? Any hint is highly appreciated! :-) Thank you, Philipp ************************************************************ 0 Where I failed :-( Google at [1] offers three “Factory Images ‘soju’ for Nexus S (worldwide version, i9020t and i9023)”: 2.3.6 (GRK39F) 4.0.4 (IMM76D) 4.1.2 (JZO54K) Up to now I tried the first two. Just in case the two memory dumps as well as the two Volatility profiles are available here: https://mega.co.nz/#F!CEczgBqR!ksYLENHXoMCU8qzSBn79WA ************************************************************ 1 Nexus S with Android 2.3.6 Gingerbread ________________________________________ 1.1 Prepare the phone 1.1.0 Boot loader is unlocked: $ adb reboot bootloader $ fastboot oem unlock 1.1.1 Get the factory image from [2] and flash it $ tar –zxvf soju-grk39f-factory-5ab09c98.tgz $ cd soju-grk39f $ adb reboot bootloader $ ./flash-all.sh 1.1.2 Start phone Click through the initial settings Enable USB debugging Get version info: $ adb shell $ cat /proc/version Linux version 2.6.35.7-gf5f63ef (android-build(a)apa28.mtv.corp.google.com) (gcc version 4.4.3 (GCC) ) #1 PREEMPT Tue Aug 2 13:57:05 PDT 2011 1.1.3 Root the phone Get custom recovery from [5] (…because otherwise ADB sideload SuperSU won’t work) and flash custom recovery $ adb reboot bootloader $ fastboot flash recovery openrecovery-twrp-2.7.1.0-crespo.img Get SuperSU from [6] Sideload SuperSU $ adb reboot bootloader Go to “Recovery” -> “Advanced” -> “ADB Sideload” -> “Swipe to start sideload” $ adb sideload UPDATE-SuperSU-v2.01.zip Reboot the phone ________________________________________ 1.2 Prepare LiME 1.2.1 Get the Samsung kernel source from AOSP [7] $ mkdir -p ~/android/kernel && cd $_ $ git clone https://android.googlesource.com/kernel/samsung.git $ cd samsung $ git checkout f5f63ef 1.2.2 Setting Up a Build Environment with AOSP from [8] $ mkdir -p ~/android/aosp && cd $_ $ repo init -u https://android.googlesource.com/platform/manifest -b android-2.3.6_r0.9 $ repo sync $ . build/envsetup.sh $ lunch full_crespo-user Check compiler: $ arm-eabi-gcc --version arm-eabi-gcc (GCC) 4.4.3 Set environment variables: $ cd ~/android/kernel/samsung $ export ARCH=arm $ export SUBARCH=arm $ export CROSS_COMPILE=arm-eabi- 1.2.3 Compile the Samsung kernel Configure the kernel: $ make herring_defconfig Build the Samsung kernel: $ make 1.2.4 Download LiME from [9] and Cross Compile $ mkdir -p ~/android && cd $_ $ svn checkout http://lime-forensics.googlecode.com/svn/trunk/ lime $ cd ~/android/lime/src Edit Makefile (I take CCPATH from printenv | grep arm-eabi ) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ obj-m := lime.o lime-objs := tcp.o disk.o main.o KDIR := ~/android/kernel/samsung CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin PWD := $(shell pwd) default: $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR) M=$(PWD) modules $(CCPATH)/arm-eabi-strip --strip-unneeded lime.ko $(MAKE) tidy tidy: rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d rm -rf \.tmp_versions clean: $(MAKE) tidy rm -f *.ko ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Build LiME module: $ make ________________________________________ 1.3 Dump volatile memory $ adb push ~/android/lime/src/lime.ko /sdcard/lime.ko Screen must be unlocked now in order to grant ADB shell root access $ adb shell $ su # insmod /sdcard/lime.ko "path=/sdcard/lime.dump format=lime" # exit $ exit $ adb pull /sdcard/lime.dump ~/android/dump/NexusS_2.3.6.dump ________________________________________ 1.4 Build a Volatility Profile Get Volatility from [10]: $ svn checkout https://volatility.googlecode.com/svn/trunk/ ~/android/volatility $ cd ~/android/volatility/tools/linux Edit Makefile: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ obj-m += module.o KDIR := ~/android/kernel/samsung CCPATH := ~/android/aosp/prebuilt/linux-x86/toolchain/arm-eabi-4.4.3/bin -include version.mk all: dwarf dwarf: module.c $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules dwarfdump -di module.ko > module.dwarf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Build module: $ make Zip profile: $ zip ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_2.3.6_GRK39F_.zip module.dwarf ~/android/kernel/samsung/System.map ________________________________________ 1.5 Examine the Memory Dump with Volatility $ cd ~/android/volatility/ $ $ python vol.py --info | grep Linux Volatility Foundation Volatility Framework 2.3.1 Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux _NexusS_2.3.6_GRK39F_ ARM linux_banner - Prints the Linux banner information linux_yarascan - A shell in the Linux memory image $ $ python vol.py --profile=Linux_NexusS_2_3_6_GRK39F_ARM -f ~/android/dump/NexusS_2.3.6.dump linux_pslist Volatility Foundation Volatility Framework 2.3.1 Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x1 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile Linux_NexusS_2_3_6_GRK39F_ARM selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check ________________________________________ 1.6 First attempt to debug $ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump 0000000: 454d 694c 0100 0000 0000 0040 0000 0000 EMiL.......@.... 0000010: ffff ff4f 0000 0000 0000 0000 0000 0000 ...O............ => magic: 0x4c69 4d45 -> LiME version: 0x0000 0001 -> 1 s_addr: 0x0000 0000 4000 0000 e_addr: 0x0000 0000 4fff ffff reserved: 0x0000 0000 0000 0000 => Address range is: $ python -c 'print int(0x4fffffff) - int(0x40000000) + 1' 268435456 But file size is much bigger: $ stat -c %s ~/android/dump/NexusS_2.3.6.dump 401604672 268.435.456 Bytes + 32 Bytes Header != 401.604.672 Bytes file size!!! ************************************************************ 2 Nexus S with Android 4.0.4 Ice Cream Sandwich ________________________________________ 2.1 Prepare the phone 2.1.0 Boot loader is unlocked 2.1.1 Get the factory image from [3] and flash it $ tar –zxvf soju-imm76d-factory-ca4ae9ee.tgz $ cd soju-imm76d $ adb reboot bootloader $ ./flash-all.sh 2.1.2 Start phone - as described before – $ cat /proc/version Linux version 3.0.8-g6656123 (android-build(a)vpbs1.mtv.corp.google.com) (gcc version 4.4.3 (GCC) ) #1 PREEMPT Thu Feb 2 16:56:02 PST 2012 2.1.3 Root the phone - as described before - ________________________________________ 2.2 Prepare LiME 2.2.1 Get the Samsung kernel source from AOSP [7] $ mkdir -p ~/android/kernel && cd $_ $ git clone https://android.googlesource.com/kernel/samsung.git $ cd samsung $ git checkout 6656123 2.2.2 Setting Up a Build Environment with AOSP from [8] $ mkdir -p ~/android/aosp && cd $_ $ repo init -u https://android.googlesource.com/platform/manifest -b android-4.0.4_r1.1 $ repo sync $ . build/envsetup.sh $ lunch full_crespo-user Check compiler: $ arm-eabi-gcc --version arm-eabi-gcc (GCC) 4.4.3 Set environment variables: $ cd ~/android/kernel/samsung $ export ARCH=arm $ export SUBARCH=arm $ export CROSS_COMPILE=arm-eabi- 2.2.3 Compile the Samsung kernel - as described before - 2.2.4 Download LiME from [9] and Cross Compile - as described before - ________________________________________ 2.3 Dump volatile memory - as described before – $ adb pull /sdcard/lime.dump ~/android/dump/NexusS_4.0.4.dump ________________________________________ 2.4 Build a Volatility Profile Get and build Volatility - as described before - $ zip ~/android/volatility/volatility/plugins/overlays/linux/_NexusS_4.0.4_IMM76D_.zip module.dwarf ~/android/kernel/samsung/System.map ________________________________________ 2.5 Examine the Memory Dump with Volatility $ cd ~/android/volatility/ $ $ python vol.py --info | grep Linux Volatility Foundation Volatility Framework 2.3.1 linux_banner - Prints the Linux banner information linux_yarascan - A shell in the Linux memory image Linux_NexusS_2_3_6_GRK39F_ARM - A Profile for Linux _NexusS_2.3.6_GRK39F_ ARM Linux_NexusS_4_0_4_IMM76D_ARM - A Profile for Linux _NexusS_4.0.4_IMM76D_ ARM $ $ python vol.py --profile=Linux_NexusS_4_0_4_IMM76D_ARM -f ~/android/dump/NexusS_4.0.4.dump linux_pslist Volatility Foundation Volatility Framework 2.3.1 Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- No suitable address space mapping found Tried to open image as: - the rest as described before – ________________________________________ 2.6 First attempt to debug $ xxd -l 32 ~/android/dump/NexusS_2.3.6.dump 0000000: 454d 694c 0100 0000 0000 0040 0000 0000 EMiL.......@.... 0000010: ffff ff4f 0000 0000 0000 0000 0000 0000 ...O............ => magic: 0x4c69 4d45 -> LiME version: 0x0000 0001 -> 1 s_addr: 0x0000 0000 4000 0000 e_addr: 0x0000 0000 4fff ffff reserved: 0x0000 0000 0000 0000 => Address range is: $ python -c 'print int(0x4fffffff) - int(0x40000000) + 1' 268435456 But file size is still bigger: $ stat -c %s ~/android/dump/NexusS_4.0.4.dump 325775424 268.435.456 Bytes + 32 Bytes Header != 325.775.424 Bytes file size!!! ************************************************************ 3 Links [1] https://developers.google.com/android/nexus/images\#soju [2] https://dl.google.com/dl/android/aosp/soju-grk39f-factory-5ab09c98.tgz [3] https://dl.google.com/dl/android/aosp/soju-imm76d-factory-ca4ae9ee.tgz [4] https://dl.google.com/dl/android/aosp/soju-jzo54k-factory-36602333.tgz [5] http://techerrata.com/file/twrp2/crespo/openrecovery-twrp-2.7.1.0-crespo.img [6] http://download.chainfire.eu/supersu [7] https://android.googlesource.com/kernel/samsung.git [8] https://android.googlesource.com/platform/manifest [9] http://lime-forensics.googlecode.com/svn/trunk/ [10] https://volatility.googlecode.com/svn/trunk/

10 years, 8 months

4
7
0 0

Announcing trainings in Austin, San Francisco, and Brazil!

by Andrew Case

Amidst the release of The Art of Memory Forensics and our upcoming events at Black Hat, we also have scheduled several training courses for the end of this year and early next year: http://volatility-labs.blogspot.com/2014/07/announcing-windows-malware-and-… Based on demand for trainings before the book's release and the amazing pace of sales of the book (currently #1084 on Amazon), we imagine that these classes will fill quickly. Please contact us ASAP if you would like to attend. Also, we reserve a small number of deeply discounted seats in each class for full time college students studying in related fields. We offer this to give students performing research access to the most advanced topics in the field and also to help prepare the next wave of investigators. If you are a college professor with students who may be interested or a student yourself then please contact us. -- Thanks, Andrew (@attrc)

10 years, 8 months

1
0
0 0

Security Weekly podcast on the Art of Memory Forensics

by Andrew Case

Tonight, myself, MHL, and Jamie will be on the Security Weekly (formerly PaulDotCom) podcast discussing the new book: http://securityweekly.com/2014/07/join-us-for-episode-380-with-andrew-case-… If you cannot catch it live then they always post the recording within a few days of the show. Also, we are hearing that many people are getting their pre-order shipping notifications for next week, and that the Kindle version is already being sent to people's devices! If you are going to be at Black Hat be sure to stop by on Thursday during the book signing! -- Thanks, Andrew (@attrc)

10 years, 9 months

3
2
0 0

Volatility at Black Hat USA & DFRWS!

by Andrew Case

It has been a busy year for the Volatility team, and we are inviting you to celebrate the success with us at Black Hat and DFRWS. We have a number of events happening across these conferences and have listed them all in the following blog post: http://volatility-labs.blogspot.com/2014/07/volatility-at-black-hat-usa-dfr… We hope to see you all in Vegas and be sure to check out Dr. Golden's talk if you will be at DFRWS! -- Thanks, Andrew (@attrc)

10 years, 9 months

1
0
0 0

The table of contents & preview for the Art of Memory Forensics is now online!

by Andrew Case

We are very happy to announce that you can now see the table of contents and search through the Art of Memory Forensics on Amazon! http://amzn.to/1o3ACn7 This book, written by the core Volatility developers, is over 900 pages of memory forensics and malware analysis across Windows, Mac, and Linux. It will be officially released at Blackhat and around this time it will also be available through Amazon and other retailers. It will be available in both hard copy and digital formats. If you have any questions about the book please let us know, and we will have more information about the release at Blackhat as it gets closer. -- Thanks, Andrew (@attrc)

10 years, 9 months

1
0
0 0

OSDFC submission, Blackhat Arsenal, & LinkedIn Group!

by Andrew Case

We wanted to give everyone a quick update on some recent events in the Volatility community. First, the submissions for the Open Source Digital Forensics Conference are available for voting. This conference's talk selection works by posting each CFP submission in anonymized form and choosing talks based on voting feedback from the community. All of the talks can be found here: http://www.basistech.com/osdfcon/osdfcon-vote-for-presentations The submission from the Volatility Team is 'Next Generation Memory Forensics'. If it sounds interesting to you then please give it a +1! Second, our submission to Blackhat Arsenal was accepted! https://www.blackhat.com/us-14/arsenal.html#Ligh At this event we will be releasing the highly anticipated Volatility 2.4 that includes support for Windows 8, 8.1, 2012, 2012 R2 as well as new plugins for Truecrypt, Linux, and Mac. As Blackhat gets closer we will have more information on other events there including a book signing and release party. Finally, we now have a LinkedIn group for the Volatility and memory forensics community: https://www.linkedin.com/groups?mostRecent=&gid=8128809 This group is meant to allow analysts and researchers to ask questions, learn from each other, and network. The group is open to all but marked private to (hopefully) avoid spam. -- Thanks, Andrew (@attrc)

10 years, 10 months

1
0
0 0

Process hollowing

by Carlos Angeles

Hello all, I'm analyzing a malware sample that is doing process hollowing. While doing dynamic analysis, with Process Explorer open, I can see the legitimate EXE (that appears to get hollowed) get started by the malware, and is then orphaned as the malware terminates itself. A few seconds later I see network communication starting. The malfind plugin identifies the process as malware but when I try to dump process from memory, the strings on the dumped process look the same as the strings of the legitimate file in the System32 folder. Using the yarascan plugin (following the example on the wiki) I'm able to locate some strings (domain name, IP address, file requested by GET) that are associated with the PID of the suspected hollowed process. Oh, and the malware is packed so I assume the unpacked code is being placed into the address space of the legitimate file in memory. The capture is a .vmem from a VM snapshot. Any thoughts on how I can locate the unpacked code in memory? Shouldn't dumping the PID with procexedump contain the unpacked code? I've dumped the process by PID and physical offset (from psscan). Thanks, Carlos

10 years, 10 months

2
6
0 0

LiME in real world Android forensics

by masdif

Hi all, Android Memory acquisition will be part of a paper I have to write. So far I have no problem to follow the description for an AVD on https://code.google.com/p/volatility/wiki/AndroidMemoryForensic Please excuse this noob question (and my bad English) but I'm going crazy figuring this out: Can LiME be used in real life Android forensics that is Android memory is acquired without having to reboot the Android device beforehand? Let's say: I get an running Android mobile phone and for some lucky reason it is both rooted and the user interface unlocked. (Are there any statistics available how often this is the case?) My task is to acquire its RAM. As far as I understood in order to use Lime for RAM acquisition I have to a) get the Android kernel's source code from the manufacturer, b) cross compile a new kernel with some settings for later being able to insmod the LiME kernel module, c) flash the compiled kernel onto the phone and d) reboot the phone to get the new kernel running, which e) destroys all the RAM I wanted to acquire, before I can f) insmod LiME. Please be patient and give me a hint where I'm going wrong?! All papers I found so far used prepared phones. Thanks a lot and have a nice weekend, Philipp

10 years, 10 months

4
6
0 0

Many exciting updates in the world of Volatility!

by Andrew Case

There are many new developments in the world of Volatility that we are now happy to announce. - The 2014 Volatility Plugin Contest has started - We will be hosting a public training in Austin in December - We have partnered with GMG Systems to provide our students access to what we consider to be the most accurate and reliable memory acquisition tool available - The Volatility Foundation website is now live For complete information on these and more, please see the following blog post: http://volatility-labs.blogspot.com/2014/05/volatility-update-all-things.ht… -- Thanks, Andrew (@attrc)

10 years, 11 months

1
0
0 0

CentOS 5.8 profile not working

by Toan. Pham Van

Dear sir, Currently we doing investigate an security breach, our server is CentOS 5.8. After dump memory raw, we can not processing with Volatility. We have read the topic : http://lists.volatilityfoundation.org/pipermail/vol-users/2013-February/000… After edit to that DTB we found it work on LIME profile but doesn't work on Raw memory dump. Can we have some instruction how to convert Raw memory to LIME? Or how to debug to find correct DTB in raw memory only? Btw, we trying to brute force like your advise but it very long since the range is from -0x200000 -> 0x200000. Regards,

10 years, 11 months

1
0
0 0

Is there a public github branch for the osx 9.2 compatibility layer?

by Shannon Freude

I'm looking for a patch-set that gets OSX 9.2 dumps from OSXPmem at least marginally working. I know it's supposed to be in the upcoming vol-2.4 release, but I'ld really like to see the progress/use volatility instead of having to beat volafox in to shape to get 9.2 dumps to work.

10 years, 11 months

2
1
0 0

VAD nodes: Private memory, but Prototype PTEs?!

by Bridgey

Hi all, I'm trying to understand what I've misunderstood. Consider this entry from a run of vadinfo: VAD node @ 0x84f1f3b0 Start 0x7ffde000 End 0x7ffdefff Tag Vadl Flags: CommitCharge: 1, MemCommit: 1, NoChange: 1, PrivateMemory: 1, Protection: 4 Protection: PAGE_READWRITE Vad Type: VadNone First prototype PTE: 94181720 Last contiguous PTE: 94181728 This node represents a range which is private (PrivateMemory: 1). If it's private, i.e. not shareable, why are there Prototype PTEs? I though prototype PTEs were only used when a range was shareable? I have a few Vadl nodes like this. The VadS nodes in the output with 'PrivateMemory: 1' don't show any prototype PTEs. Any pointers greatly appreciated.

10 years, 11 months

1
0
0 0

USN Parser for volatility

by Spencer, Tom

Hello all, Just wanted to let people know I have released a USN Journal record parser plugin for volatility. https://github.com/tomspencer/volatility/tree/master/usnparser For anyone who wants a refresher on the USN journal and its forensic significance, I recommend these <http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html> sites <http://securitybraindump.blogspot.com/2011/07/dear-diary-today-i-was-infect…> . The USN journal has been very useful to us in a variety of circumstances, so I highly recommend including it in your work/timelining flow if you dont already. Ive even seen situations where journal records from external NTFS volumes persist in memory even after the device is removed, but those results have been inconsistent. This plugin should work on any version of Windows that does USN journaling (Vista/2008 and up, XP SP3 if you specifically turn it on), and it should play well with Unicode file names including calling out special Unicode characters like directional changes. For an example of calling out direction changes: 2014-04-16 20:51:23.116,0x257L,0x3L,0x14de3L,0x3L,0x4806360L,"utf-canary.<RLO>txt.scr",RENAME_NEW_NAME & CLOSE,ARCHIVE The <RLO> indicates a Unicode Right-To-Left Override character. This means that although the actual filename extension was txt.scr, a screen saver filetype which is expected to be an executable, it would have appeared to the user as utf-canary.rcs.txt which most users would expect to be a text file they could safely click. This is my first volatility plugin so Id love any feedback/suggestions/questions. Based on some feedback from MHL I'll be doing some testing to see if I should turn on timestamp validation by default, but I'm open to other changes/additions people would like to see. Basic notes on the plugin are below. Enjoy! Thanks, Tom A note on USN record versions. The literature I can find seems to suggest that starting with Windows NT 6.2 families (8/2012) the OS should be using version 3 records, and this plugin does support these records. That said, testing has shown that at least in memory, these OSs still seem to use v2 records. As such, unless otherwise specified with the -R3 flag, this plugin will always assume v2 records. In my testing there has been a significant number of duplicates in memory, so piping to sort u can be effective. Invocation example: CSV output $ vol.py --profile Win7SP1x64 -f Windows7SP1x64.vmem usnparser --output=csv Volatility Foundation Volatility Framework 2.3.1 timestamp,MFTEntry,MFTEntryUSN,Parent,ParentUSN,usn#,"Filename",Reason,Attributes 2014-01-26 09:01:19.079,0x5056L,0x1L,0x7beL,0x1L,0x10f35c0L,"ngen_service.log",EXTEND & CLOSE,ARCHIVE 2014-01-26 09:01:19.079,0x7d8L,0x86L,0x7beL,0x1L,0x10f3620L,"ngen_service.lock",CREATE & DELETE & CLOSE,ARCHIVE 2014-01-26 09:01:19.142,0x7d8L,0x89L,0x28eL,0x1L,0x10f39d8L,"GACLock.dat",CREATE,ARCHIVE & TEMPORARY 2014-01-26 09:01:19.142,0x7d8L,0x89L,0x28eL,0x1L,0x10f3a30L,"GACLock.dat",CREATE & DELETE & CLOSE,ARCHIVE & TEMPORARY .... BODY output, suitable for using with mactime $ vol.py --profile Win7SP1x64 -f Windows7SP1x64.vmem usnparser --output=body | head Volatility Foundation Volatility Framework 2.3.1 0|[USN JOURNAL] ngen_service.log EXTEND & CLOSE/USN: 17774016/PARENT MFT: 1982|20566|---a-----------|0|0|0|1390726879|1390726879|1390726879|1390726879 0|[USN JOURNAL] ngen_service.lock CREATE & DELETE & CLOSE/USN: 17774112/PARENT MFT: 1982|2008|---a-----------|0|0|0|1390726879|1390726879|1390726879|1390726879 0|[USN JOURNAL] GACLock.dat CREATE/USN: 17775064/PARENT MFT: 654|2008|---a--t--------|0|0|0|1390726879|1390726879|1390726879|1390726879 0|[USN JOURNAL] GACLock.dat CREATE & DELETE & CLOSE/USN: 17775152/PARENT MFT: 654|2008|---a--t--------|0|0|0|1390726879|1390726879|1390726879|1390726879 The current version's help output (flags specific to usnparser start at "-T, --timestamp"): $ vol.py usnparser -h Volatility Foundation Volatility Framework 2.3.1 Usage: Volatility - A memory forensics analysis platform. Options: -h, --help list all available options and their default values. Default values may be set in the configuration file (/etc/volatilityrc) --conf-file=/home/vol/.volatilityrc User based configuration file -d, --debug Debug volatility --plugins=PLUGINS Additional plugin directories to use (colon separated) --info Print information about all registered objects --cache-directory=/home/vol/.cache/volatility Directory where cache files are stored --cache Use caching --tz=TZ Sets the timezone for displaying timestamps -f FILENAME, --filename=FILENAME Filename to use when opening an image --profile=WinXPSP2x86 Name of the profile to load -l LOCATION, --location=LOCATION A URN location from which to load an address space -w, --write Enable write support --dtb=DTB DTB Address --output=text Output in this format (format support is module specific) --output-file=OUTPUT_FILE write output in this file -v, --verbose Verbose information --shift=SHIFT Mac KASLR shift address -g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address -k KPCR, --kpcr=KPCR Specify a specific KPCR address -T, --timestamp Print timestamps instead of human-readable dates -E, --unixtime Use Unix Epoch 32-bit timestamps instead of native Windows 64-bit timestamps (loses subsecond accuracy). DOES NOT imply -T above. -C, --checktime Don't show entries with timestamps outside of unix epoch range to reduce corrupt entries -S, --strict Enable stricter checks on record integrity to further reduce corrupt entries -O, --offset Show the physical offset for each record -R RECORDTYPE, --recordtype=RECORDTYPE Force version of USN record (2 or 3) to search for. In testing so far all OS's seem to use version 2 records in memory (even 8.1/2012r2 which purport to use R3). As such, default is R2. -U, --unicode Show unicode (utf-8) filenames. Be aware that due to corrupted records there will likely be strange characters in some places. Using -C and -S can help cut this down. --------------------------------- Module USNParser --------------------------------- Scans for and parses USN journal records

10 years, 11 months

1
0
0 0

Volatility issue #383: Linux 'tmpfs' extraction on multiple CPU sytems

by Torres, Geoff (Global Cyber Security)

Hi, According to Volatility issue #383 'tmpfs' extraction doesn't work because Volatility doesn't support NUMA systems. Question 1 - Is it on the roadmap for future versions? I deal primarily with Multi-CPU cloud systems so this is definitely a desired feature. Question 2- Is it reasonably feasible to manually extract tmpfs from a system RAM dump? Following the 'linux_tmpfs' module through the debugger showed that it was able to locate the /dev/shm tmpfs file system (replicating 2 levels in my output directory), it just croaked when it came time to retrieve the actual file data. I figure that if I can manually determine whatever offset it needs then I can set the proper variable in a debug session. Any thoughts? Thanks, Geoff ============================== Geoff Torres HP Global Cyber Security 8000 Foothills Blvd. Roseville, CA. 95747 916-785-3323 ==============================

10 years, 11 months

1
0
0 0

TrueCrypt File Found in Handles extraction, but can't replicate results

by Robert Merriott

Hello I've been testing volatility and looking through the results. In particular, within the Handles extraction, I found the following line... 0xfffffa8009648800 3544 0x1a78 0x120089 File \Device\TrueCryptVolumeK\Test.txt This is a file that I had stored in a hidden volume. I attempted to re-create this type of entry with 3 further memory dumps with no such success (No files within TrueCrypt volume). Can anyone advise why this filename "Test.txt" was found? I see that a lot of files can be found in the Handles extraction, but haven't been able to find any documentation on how files are included in this section. I ran the following command on an 8GB Memory dump which was captured via FTK Imager... vol.exe -f memdump.mem --profile=Win7SP1x64 --output=text --output-file=handles-files.txt handles -t File This result was a total surprise to find. In further testing, I attempted to do the following within the hidden volume... - Create new files - Copy files into the volume - Leave files open while closing the volume within TrueCrypt Thanks, R

10 years, 12 months

2
2
0 0

Unexpected results

by Lay, James

Hey all, So...Win 7 SP1 64 bit..here's what I got: vol.py -f bleh-20140421-203458.raw imageinfo Volatility Foundation Volatility Framework 2.3.1 Determining profile based on KDBG search... Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 AS Layer1 : AMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/home/bleh/bleh-20140421-203458.raw) PAE type : No PAE DTB : 0x187000L vol.py --profile Win7SP1x64 -f bleh-20140421-203458.raw pslist Volatility Foundation Volatility Framework 2.3.1 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0xfffffa80066b8040 5??b 32...4 79...2 14...6 -------- ------ 1 3302-11-11 21:17:40 UTC+0000 And that's it. This was dumped using DumpIt. Is there something I'm missing? My process: wget latest volatility python setup.py build sudo python setup.py install then the above commands. Thanks for any assistance. James

11 years

2
3
0 0

Issues reading Android memory dump using Volatility 2.3.1

by Tora, Hamidullah

I’ve followed the LiME documentation to cross compile the kernel and create a loadable kernel module to dump the volatile memory off a Google Glass XE12 running Linux version 3.0.31-23935-g01ccedd (android-build(a)vpba28.mtv.corp.google.com) (gcc version 4.4.3 (GCC)). Initial attempts to install the loadable kernel module for LiME would error with: dmesg output: … lime: disagrees about version of symbol sock_create_kern lime: Unkonwn symbol sock_create_kern (err –22) lime: disagrees about version of symbol sock_setsockopt lime: Unknown symbol sock_setsockopt (err –22) lime: disagrees about version of symbol sock_sendmsg lime: Unkonwn symbol sock_sendmsg (err –22) … Likely due to the version of symbols in the functions implemented in tcp.h in the LiME package. After modifying LiME source code (main.c) to ignore all tcp construct and to write directly to the /sdcard, we were able to get a ~1 GB (raw, padded, and lime formatted) memory dumps. Here is the command we issued to get the memory dump: insmod limed.ko "path=/sdcard/mem.lime format=lime” insmod limed.ko "path=/sdcard/mem.raw format=raw" insmod limed.ko "path=/sdcard/mem.padded format=padded" Next we followed the documentation on Volatility AndroidMemoryForensics Wiki to create a profile using the Google Glass source code (omap) and dwarfdump. Here is the Makefile we used: obj-m += module.o KDIR := /home/htora/Development/omap CCPATH := /home/htora/Development/adt-bundle-linux-x86_64-20140321/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin DWARFDUMP := /usr/bin/dwarfdump -include version.mk all: dwarf dwarf: module.c $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules $(DWARFDUMP) -di module.ko > module.dwarf Here are the results from running the make file: make ARCH=arm CROSS_COMPILE=/home/htora/Development/adt-bundle-linux-x86_64-20140321/ndk/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin/arm-linux-androideabi- -C /home/htora/Development/omap CONFIG_DEBUG_INFO=y M=/home/htora/install/volatility-2.3.1/tools/linux modules make[1]: Entering directory `/home/htora/Development/omap' CC [M] /home/htora/install/volatility-2.3.1/tools/linux/module.o Building modules, stage 2. MODPOST 1 modules CC /home/htora/install/volatility-2.3.1/tools/linux/module.mod.o LD [M] /home/htora/install/volatility-2.3.1/tools/linux/module.ko make[1]: Leaving directory `/home/htora/Development/omap' /usr/bin/dwarfdump -di module.ko > module.dwarf As documented, we copied over the created module.dwarf file and the System.map file to the Volatility plugins directory and confirmed the profile exists. root@ubuntu:/home/vol/Desktop/volatility/volatility_2.3.1.3543# ./vol.py --info | grep Linux Volatility Foundation Volatility Framework 2.3.1.3543(T) LinuxomapARM - A Profile for Linux omap ARM linux_banner - Prints the Linux banner information linux_yarascan - A shell in the Linux memory image However, using Volatility 2.3.1.3543 we are unable to parse the memory dump, here are the results from running volatility against the memory dump: root@ubuntu:/home/vol/Desktop/volatility/volatility_2.3.1.3543# ./vol.py --profile=LinuxomapARM -f /home/vol/Development/mem.lime linux_pslist Volatility Foundation Volatility Framework 2.3.1.3543(T) WARNING : volatility.obj : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes WARNING : volatility.obj : Overlay structure _POOL_TRACKER_TABLE not present in vtypes WARNING : volatility.obj : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes WARNING : volatility.obj : Overlay structure _POOL_TRACKER_TABLE not present in vtypes Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ————— Here is the debug output: root@ubuntu:/home/vol/Desktop/volatility/volatility_2.3.1.3543# ./vol.py -d --profile=LinuxomapARM -f /home/vol/Development/mem.lime linux_pstree Volatility Foundation Volatility Framework 2.3.1.3543(T) DEBUG : volatility.plugins.overlays.linux.linux: omap: Found dwarf file tmp/System.map with 458 symbols DEBUG : volatility.plugins.overlays.linux.linux: omap: Found system file tmp/System.map with 1 symbols DEBUG : volatility.obj : Applying modification from BashTypes DEBUG : volatility.obj : Applying modification from BasicObjectClasses DEBUG : volatility.obj : Applying modification from ELF64Modification DEBUG : volatility.obj : Applying modification from HPAKVTypes DEBUG : volatility.obj : Applying modification from LimeTypes DEBUG : volatility.obj : Applying modification from MachoTypes DEBUG : volatility.obj : Applying modification from MbrObjectTypes DEBUG : volatility.obj : Applying modification from PoolTrackTagOverlay WARNING : volatility.obj : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes WARNING : volatility.obj : Overlay structure _POOL_TRACKER_TABLE not present in vtypes DEBUG : volatility.obj : Applying modification from VMwareVTypesModification DEBUG : volatility.obj : Applying modification from VirtualBoxModification DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel DEBUG : volatility.obj : Applying modification from LinuxMountOverlay DEBUG : volatility.obj : Applying modification from LinuxObjectClasses DEBUG : volatility.obj : Applying modification from LinuxOverlay Name Pid Uid DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG : volatility.plugins.overlays.linux.linux: omap: Found dwarf file tmp/System.map with 458 symbols DEBUG : volatility.plugins.overlays.linux.linux: omap: Found system file tmp/System.map with 1 symbols DEBUG : volatility.obj : Applying modification from BashTypes DEBUG : volatility.obj : Applying modification from BasicObjectClasses DEBUG : volatility.obj : Applying modification from ELF64Modification DEBUG : volatility.obj : Applying modification from HPAKVTypes DEBUG : volatility.obj : Applying modification from LimeTypes DEBUG : volatility.obj : Applying modification from MachoTypes DEBUG : volatility.obj : Applying modification from MbrObjectTypes DEBUG : volatility.obj : Applying modification from PoolTrackTagOverlay WARNING : volatility.obj : Overlay structure _POOL_TRACKER_BIG_PAGES not present in vtypes WARNING : volatility.obj : Overlay structure _POOL_TRACKER_TABLE not present in vtypes DEBUG : volatility.obj : Applying modification from VMwareVTypesModification DEBUG : volatility.obj : Applying modification from VirtualBoxModification DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel DEBUG : volatility.obj : Applying modification from LinuxMountOverlay DEBUG : volatility.obj : Applying modification from LinuxObjectClasses DEBUG : volatility.obj : Applying modification from LinuxOverlay DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0xacf38ac> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0xacf38ec> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0xc4fb96c> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> Appreciate any guidance and help in this matter. Thanks -- Hamidullah Tora Neustar, Inc. / Sr. Security Engineer – NeuCIRT 46000 Center Oak Plaza Sterling, VA 20166 Office: +1.571.434.3410 Mobile: +1.571.527.7859 Pager: +1.571.247.1684 Fax: +1.571.434.5606 / hamidullah.tora(a)neustar.biz<mailto:hamidullah.tora@neustar.biz> / www.neustar.biz<http://www.neustar.biz/>

11 years

1
0
0 0

Extracting document files from hiberfil.sys

by Andy Bellman

Hello again, So, now that I am using the right profile, the plug ins seem to work. My goal is recovering unsaved notepad files from hibernation. I have a hiberfil.sys from a Win 7 SP1 64 bit system. My next step seemed to be using pslist to get the PIDs, and putting those into one of the built in plugins. I've tried dumpfiles, vaddump, memdump, and some others. It looks like I should be able to piece something together between the results of dumpfiles with a PID switch, and of vaddump with a PID switch. I haven't figured that out yet. I'm wondering if there is a more specific switch. They both seem to produce a lot more files than I need. Is there a better way to use volatility's built in tools to pull out files from notepad? Is there an add on that I can download which will pull out something more quickly and cleanly? Thanks, andybellman(a)outlook.com

11 years

3
4
0 0

Trouble using certain commands on Win7SP1x64 memory dump

by Jon Q

Good afternoon, I'm having a bit of trouble using Volatility for memory forensics with the goal of malware detection. I've captured a memory dump of a Windows 7 SP1 x64 machine using winpmem_1.5.5.exe and am using the 2.3.1 standalone variant of Volatility on a Windows 7 SP1 x64 machine. When i issue commands such as 'connections' , 'connscan' , 'sockets' i get the error "This command does not support the profile Win7SP1x64." I've also tried Volatility Standalone 2.3 and 2.2. Any explanation would be greatly appreciated. Thanks!

11 years

4
3
0 0

MFT Parser 64 Bit

by markus neis

Hi, is anybody else also running into issues when using mftparser on Win7 64 Bit? I get the following: WARNING : volatility.obj : Cant find object NullString in profile <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0xb4fc44c>? Which results in entries like: (FN) 0x184000|None\None\None\None\None\None\None|153380|---a-----------|0|0|480|1336379877|1336379877|1336379877|1336379877 Thanks, Markus

11 years

3
2
0 0

PSXView Problems.

by Michael Certini

I am having problems with my PSXView. On multiple occasions I have started this command and left it running overnight and by the next morning there has been no reported data. The command appears to be stalled. I am not sure where to look for the exact problem. I have looked into the Python address space with WinDbg and have noted, with !VAD, a segment of memory that is EXECUTE_READWRITE that is not listed as a process. It is identified as "Private". When peering into the segment of memory, I have noted a number of locations where there is an "MZ" prefix that designates a Windows PE. This is followed by "This program cannot......" so I know that this block contains executable code. When analyzing the code further there is a number of these programs, I have found headers designating that these are DLLs. Should this code block be present? With my limited training, I understand that all DLLs should be loaded by the loader and reflected in the address space with a VAD not burried in a segment of code. Has anyone else experienced this problem? Is my PSXView problem related to something else? Is there a way to isolate the issue further from here? I did a dump of Python using Procexedump but have not reviewed the IAT of the file or attempted to disassemble the file. I am new to reverse engineering so I am looking for the closest rope to grab onto.

11 years

2
1
0 0

Unable to parse memory on ARMv6.1 with linux 2.6.31.14 + grsec+pax

by Roberto Martelloni

Hi all, I've followed the documentation to first dump the memory device cross compiling lime and then creating the profile for a linux device on arm. Unfortunately I wasn't able to use volatility on the memory dump. I'm using volatility 2.3.1, the kernel is a linux vanilla 2.6.31.14 + a custom grsecurity+pax configuration. Below some output from the commands, any suggestion on next step to troubleshoot where is the problem ? boos@vnoise:~/Downloads/volatility-2.3.1$ python vol.py --info | grep Profile | grep Linux Volatility Foundation Volatility Framework 2.3.1 LinuxTESTARM - A Profile for Linux TEST ARM $ python vol.py -f /home/boos/arm-mem-image imageinfo Determining profile based on KDBG search... Suggested Profile(s) : No suggestion (Instantiated with LinuxUbuntu1204x64) AS Layer1 : LimeAddressSpace (Unnamed AS) AS Layer2 : FileAddressSpace (/home/boos/arm-mem-image) PAE type : No PAE DTB : 0x1c0d000L Traceback (most recent call last): File "vol.py", line 184, in <module> main() File "vol.py", line 175, in main command.execute() File "/home/boos/Downloads/volatility-2.3.1/volatility/commands.py", line 122, in execute func(outfd, data) File "/home/boos/Downloads/volatility-2.3.1/volatility/plugins/imageinfo.py", line 36, in render_text for k, v in data: File "/home/boos/Downloads/volatility-2.3.1/volatility/plugins/imageinfo.py", line 93, in calculate kdbgoffset = volmagic.KDBG.v() File "/home/boos/Downloads/volatility-2.3.1/volatility/obj.py", line 737, in __getattr__ return self.m(attr) File "/home/boos/Downloads/volatility-2.3.1/volatility/obj.py", line 719, in m raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr)) AttributeError: Struct VOLATILITY_MAGIC has no member KDBG boos@vnoise:~/Downloads/volatility-2.3.1$ python vol.py --profile LinuxTESTARM -f /home/boos/arm-mem-image linux_dmesg Volatility Foundation Volatility Framework 2.3.1 No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x0 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile LinuxTESTARM selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check -- Roberto Martelloni boos @ http://boos.core-dumped.info

11 years

4
5
0 0

Retrieving files from Linux page cache

by Sebastian Biedermann

Hi guys, I would like to extract the files which are temporary cached by the Linux page cache from an Ubuntu memory image. When I read a file in Linux for the first time, it gets read from the hard drive but gets also cached. A second read of the same file then goes faster. Same for writing. /proc/sys/vm/dirty_expire_centiseconds defines how long data remains in the page cache until it is written to disk. First I thought I could use Linux_find_file command of volatility, however this command is only targeting the tmpfs, right? Is there another way of extracting files from the Linux page cache? Thank you! Sebastian

11 years

2
1
0 0

Building a Decoder for the CVE-2014-0502 Shellcode

by Andrew Case

Hello All, I have published a new blog post analyzing the encrypted shellcode from the main CVE-2014-0502 attack: http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0… It goes through some functionality of the malicious Flash file followed by analysis of the shellcode used within the encrypted GIF. This attack's particular use of a malicious Flash file along with an "encrypted" GIF shows some of the complexity of modern attacks, and highlights the diverse set of skills needed to analyze the attacks (Flash reversing, binary shellcode reversing, and understanding exploitation techniques, such as ROP, ALSR bypass, etc.). This particular attack was also noticeable because of how many different companies published public research on it (I have references in the blog). I hope that you enjoy the blog post and potentially learn something from it. I am happy that my anonymous friend allowed me to publish the research. -- Thanks, Andrew (@attrc)

11 years

2
1
0 0

Re: [Vol-users] KDBG errors

by Michael Ligh

Ah, the good old “here’s a partial memory dump for you to analyze” Sadly, this happens quite often. Thanks for the update! Michael -------------------------------------------------- Michael Ligh (@iMHLv2) GPG: http://mnin.org/gpg.pubkey.txt Blog: http://volatility-labs.blogspot.com Training: http://memoryanalysis.net On Apr 7, 2014, at 4:45 PM, Carlos Angeles <cangeles(a)gmail.com> wrote: > Andrew, Michael, > > The person that captured the image hasn't been in the office for a > while and I was finally able to ask him about the capture. He used > FTK Imager, but he doesn't know the exact version but it's 3.1.x. I > now know what the problem was/is with image. He told me that he was > only able to capture 4GB because of a limitation of the tool. Kind of > wish that information was passed on to me before I started working on > it. ;-D > > Also, Michael, your suggestion to use psscan did reveal some > processes. It looked rather small, and now I know why. > > Thanks for your help! > Carlos > > > On Sun, Apr 6, 2014 at 1:18 PM, Michael Ligh <michael.ligh(a)mnin.org> wrote: >> Hi Carlos, >> >> There are a few things going on. First, there's a bug in imageinfo which causes Volatility to crash when parsing the CPU addresses - I'll send you a fix for that separately, but it won't affect the rest of your analysis. >> >> When a KDBG structure can be found, but there are 0 processes and 0 modules, it almost always indicates a corrupt memory dump. In particular, the acquisition tool probably didn't acquire *all* physical memory ranges (or it failed to align them in the output file properly). Recently, I looked at a similar case where the virtual address of PsActiveProcessHead translated to a physical offset that was higher than the number of bytes in the memory dump (thus the memory dump file was truncated and missing some data). >> >> I'd be interested if psscan shows you a partial list of processes. If so, you may be able to perform limited analysis, by passing the physical offsets of the _EPROCESS structures to plugins like handles, dlllist, vaddump, etc (the -o/--offset option). >> >> Talk to you soon, >> MHL >> >> -------------------------------------------------- >> Michael Ligh (@iMHLv2) >> GPG: http://mnin.org/gpg.pubkey.txt >> Blog: http://volatility-labs.blogspot.com >> Training: http://memoryanalysis.net >> >> On Apr 6, 2014, at 2:29 PM, Andrew Case <atcuno(a)gmail.com> wrote: >> >>> Hello, >>> >>> Do you know which tool was used to acquire memory? Also, how much RAM >>> does the system have? >>> >>> Thanks, >>> Andrew (@attrc) >>> >>> On 4/2/2014 4:45 PM, Carlos Angeles wrote: >>>> Hello, >>>> >>>> I'm getting some KDBG errors when examining a Windows Server 2008 R2 >>>> server memory image. I saw a similar post to this list back in August >>>> 2012 (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-August/00056…) >>>> >>>> Here's the output from a few plugins. It was captured by another >>>> person and I don't know what tool or version he used. >>>> >>>> Does it look like the memory image is corrupted? >>>> >>>> Thanks, >>>> Carlos >>>> >>>> >>>> $ vol.py -f memdump.mem imageinfo >>>> Volatility Foundation Volatility Framework 2.3.1 >>>> Determining profile based on KDBG search... >>>> >>>> Suggested Profile(s) : Win7SP0x64, Win7SP1x64, >>>> Win2008R2SP0x64, Win2008R2SP1x64 >>>> AS Layer1 : AMD64PagedMemory (Kernel AS) >>>> AS Layer2 : FileAddressSpace (memdump.mem) >>>> PAE type : No PAE >>>> DTB : 0x187000L >>>> KDBG : 0xf80001def0a0 >>>> Number of Processors : 8 >>>> Image Type (Service Pack) : 1 >>>> KPCR for CPU 0 : 0xfffff80001df0d00L >>>> Traceback (most recent call last): >>>> File "/usr/local/bin/vol.py", line 5, in <module> >>>> pkg_resources.run_script('volatility==2.3.1', 'vol.py') >>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script >>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", >>>> line 183, in <module> >>>> main() >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", >>>> line 174, in main >>>> command.execute() >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py", >>>> line 121, in execute >>>> func(outfd, data) >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py", >>>> line 35, in render_text >>>> for k, v in data: >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py", >>>> line 100, in calculate >>>> yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), >>>> hex(kpcr.obj_offset)) >>>> TypeError: hex() argument can't be converted to hex >>>> $ >>>> $ >>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 pslist >>>> Volatility Foundation Volatility Framework 2.3.1 >>>> Offset(V) Name PID PPID Thds Hnds >>>> Sess Wow64 Start Exit >>>> ------------------ -------------------- ------ ------ ------ -------- >>>> ------ ------ ------------------------------ >>>> ------------------------------ >>>> Traceback (most recent call last): >>>> File "/usr/local/bin/vol.py", line 5, in <module> >>>> pkg_resources.run_script('volatility==2.3.1', 'vol.py') >>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script >>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", >>>> line 183, in <module> >>>> main() >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", >>>> line 174, in main >>>> command.execute() >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py", >>>> line 121, in execute >>>> func(outfd, data) >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/taskmods.py", >>>> line 140, in render_text >>>> for task in data: >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py", >>>> line 70, in pslist >>>> for p in get_kdbg(addr_space).processes(): >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py", >>>> line 42, in processes >>>> raise AttributeError("Could not list tasks, please verify your >>>> --profile with kdbgscan") >>>> AttributeError: Could not list tasks, please verify your --profile with kdbgscan >>>> $ >>>> $ >>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 kdbgscan >>>> Volatility Foundation Volatility Framework 2.3.1 >>>> ************************************************** >>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit) >>>> Offset (V) : 0xf80001def0a0 >>>> Offset (P) : 0x1def0a0 >>>> KDBG owner tag check : True >>>> Profile suggestion (KDBGHeader): Win7SP1x64 >>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601) >>>> Service Pack (CmNtCSDVersion) : 1 >>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr. >>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes) >>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules) >>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True) >>>> Major (OptionalHeader) : 6 >>>> Minor (OptionalHeader) : 1 >>>> KPCR : 0xfffff80001df0d00 (CPU 0) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> >>>> ************************************************** >>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit) >>>> Offset (V) : 0xf80001def0a0 >>>> Offset (P) : 0x1def0a0 >>>> KDBG owner tag check : True >>>> Profile suggestion (KDBGHeader): Win2008R2SP1x64 >>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601) >>>> Service Pack (CmNtCSDVersion) : 1 >>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr. >>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes) >>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules) >>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True) >>>> Major (OptionalHeader) : 6 >>>> Minor (OptionalHeader) : 1 >>>> KPCR : 0xfffff80001df0d00 (CPU 0) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> >>>> ************************************************** >>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit) >>>> Offset (V) : 0xf80001def0a0 >>>> Offset (P) : 0x1def0a0 >>>> KDBG owner tag check : True >>>> Profile suggestion (KDBGHeader): Win2008R2SP0x64 >>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601) >>>> Service Pack (CmNtCSDVersion) : 1 >>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr. >>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes) >>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules) >>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True) >>>> Major (OptionalHeader) : 6 >>>> Minor (OptionalHeader) : 1 >>>> KPCR : 0xfffff80001df0d00 (CPU 0) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> >>>> ************************************************** >>>> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit) >>>> Offset (V) : 0xf80001def0a0 >>>> Offset (P) : 0x1def0a0 >>>> KDBG owner tag check : True >>>> Profile suggestion (KDBGHeader): Win7SP0x64 >>>> Version64 : 0xf80001def068 (Major: 15, Minor: 7601) >>>> Service Pack (CmNtCSDVersion) : 1 >>>> Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr. >>>> PsActiveProcessHead : 0xfffff80001e253d0 (0 processes) >>>> PsLoadedModuleList : 0xfffff80001e436d0 (0 modules) >>>> KernelBase : 0xfffff80001c00000 (Matches MZ: True) >>>> Major (OptionalHeader) : 6 >>>> Minor (OptionalHeader) : 1 >>>> KPCR : 0xfffff80001df0d00 (CPU 0) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> KPCR : - (CPU -) >>>> $ >>>> $ >>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 hivescan >>>> Volatility Foundation Volatility Framework 2.3.1 >>>> Offset(P) >>>> ------------------ >>>> 0x0000000000431010 >>>> 0x00000000051a4010 >>>> 0x000000000f1d7010 >>>> 0x0000000013e15410 >>>> 0x0000000015875410 >>>> 0x000000005a517410 >>>> 0x000000006e434410 >>>> 0x000000007ddce410 >>>> 0x00000000a143e410 >>>> 0x00000000a7f8c410 >>>> 0x00000000c3b83010 >>>> 0x00000000cbb17410 >>>> 0x00000000d0768410 >>>> $ >>>> $ >>>> $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 svcscan >>>> Volatility Foundation Volatility Framework 2.3.1 >>>> Traceback (most recent call last): >>>> File "/usr/local/bin/vol.py", line 5, in <module> >>>> pkg_resources.run_script('volatility==2.3.1', 'vol.py') >>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script >>>> File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", >>>> line 183, in <module> >>>> main() >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", >>>> line 174, in main >>>> command.execute() >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py", >>>> line 121, in execute >>>> func(outfd, data) >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py", >>>> line 360, in render_text >>>> for rec in data: >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py", >>>> line 275, in calculate >>>> for task in tasks.pslist(addr_space): >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py", >>>> line 70, in pslist >>>> for p in get_kdbg(addr_space).processes(): >>>> File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py", >>>> line 42, in processes >>>> raise AttributeError("Could not list tasks, please verify your >>>> --profile with kdbgscan") >>>> AttributeError: Could not list tasks, please verify your --profile with kdbgscan >>>> _______________________________________________ >>>> Vol-users mailing list >>>> Vol-users(a)volatilityfoundation.org >>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>>> >>> _______________________________________________ >>> Vol-users mailing list >>> Vol-users(a)volatilityfoundation.org >>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>

11 years

1
0
0 0

Linux Memory Grabber/Volatility Linux Profile Builder

by Gibson, Ryan

Sorry for the SPAM if you already knew about this. https://github.com/halpomeranz/lmg Ryan Gibson CISSP, GCFA, GCIH, Security + Office: 858-651-1689 Mobile: 619-804-8736 Senior IT Security Engineer

11 years

1
0
0 0

Syscan 2014 presentations are now out

by Andrew Case

Syscan 2014 was last week, and they have now released the slides and white papers from each speaker: http://syscan.org/index.php/download Reading through these presentations will be well worth your time no matter which role(s) you might play in security/forensics. -- Thanks, Andrew (@attrc)

11 years

1
0
0 0

aquire RAM from Mac OSX 10.9?

by Thomas

Hi, which tool can be used to aquire a RAM dump from Mac OSX 10.9.x Mavericks? OSXPmem doesn't work. Thanks. Thomas

11 years

2
1
0 0

KDBG errors

by Carlos Angeles

Hello, I'm getting some KDBG errors when examining a Windows Server 2008 R2 server memory image. I saw a similar post to this list back in August 2012 (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-August/00056…) Here's the output from a few plugins. It was captured by another person and I don't know what tool or version he used. Does it look like the memory image is corrupted? Thanks, Carlos $ vol.py -f memdump.mem imageinfo Volatility Foundation Volatility Framework 2.3.1 Determining profile based on KDBG search... Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64 AS Layer1 : AMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (memdump.mem) PAE type : No PAE DTB : 0x187000L KDBG : 0xf80001def0a0 Number of Processors : 8 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff80001df0d00L Traceback (most recent call last): File "/usr/local/bin/vol.py", line 5, in <module> pkg_resources.run_script('volatility==2.3.1', 'vol.py') File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in <module> main() File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 174, in main command.execute() File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py", line 121, in execute func(outfd, data) File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py", line 35, in render_text for k, v in data: File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/imageinfo.py", line 100, in calculate yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), hex(kpcr.obj_offset)) TypeError: hex() argument can't be converted to hex $ $ $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 pslist Volatility Foundation Volatility Framework 2.3.1 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ Traceback (most recent call last): File "/usr/local/bin/vol.py", line 5, in <module> pkg_resources.run_script('volatility==2.3.1', 'vol.py') File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in <module> main() File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 174, in main command.execute() File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py", line 121, in execute func(outfd, data) File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/taskmods.py", line 140, in render_text for task in data: File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py", line 70, in pslist for p in get_kdbg(addr_space).processes(): File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py", line 42, in processes raise AttributeError("Could not list tasks, please verify your --profile with kdbgscan") AttributeError: Could not list tasks, please verify your --profile with kdbgscan $ $ $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 kdbgscan Volatility Foundation Volatility Framework 2.3.1 ************************************************** Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80001def0a0 Offset (P) : 0x1def0a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP1x64 Version64 : 0xf80001def068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xfffff80001e253d0 (0 processes) PsLoadedModuleList : 0xfffff80001e436d0 (0 modules) KernelBase : 0xfffff80001c00000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xfffff80001df0d00 (CPU 0) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) ************************************************** Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80001def0a0 Offset (P) : 0x1def0a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008R2SP1x64 Version64 : 0xf80001def068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xfffff80001e253d0 (0 processes) PsLoadedModuleList : 0xfffff80001e436d0 (0 modules) KernelBase : 0xfffff80001c00000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xfffff80001df0d00 (CPU 0) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) ************************************************** Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80001def0a0 Offset (P) : 0x1def0a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008R2SP0x64 Version64 : 0xf80001def068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xfffff80001e253d0 (0 processes) PsLoadedModuleList : 0xfffff80001e436d0 (0 modules) KernelBase : 0xfffff80001c00000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xfffff80001df0d00 (CPU 0) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) ************************************************** Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80001def0a0 Offset (P) : 0x1def0a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP0x64 Version64 : 0xf80001def068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.18247.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xfffff80001e253d0 (0 processes) PsLoadedModuleList : 0xfffff80001e436d0 (0 modules) KernelBase : 0xfffff80001c00000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xfffff80001df0d00 (CPU 0) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) KPCR : - (CPU -) $ $ $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 hivescan Volatility Foundation Volatility Framework 2.3.1 Offset(P) ------------------ 0x0000000000431010 0x00000000051a4010 0x000000000f1d7010 0x0000000013e15410 0x0000000015875410 0x000000005a517410 0x000000006e434410 0x000000007ddce410 0x00000000a143e410 0x00000000a7f8c410 0x00000000c3b83010 0x00000000cbb17410 0x00000000d0768410 $ $ $ vol.py -f memdump.mem --profile=Win2008R2SP1x64 svcscan Volatility Foundation Volatility Framework 2.3.1 Traceback (most recent call last): File "/usr/local/bin/vol.py", line 5, in <module> pkg_resources.run_script('volatility==2.3.1', 'vol.py') File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 488, in run_script File "build/bdist.linux-x86_64/egg/pkg_resources.py", line 1354, in run_script File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in <module> main() File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 174, in main command.execute() File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/commands.py", line 121, in execute func(outfd, data) File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py", line 360, in render_text for rec in data: File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/malware/svcscan.py", line 275, in calculate for task in tasks.pslist(addr_space): File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/win32/tasks.py", line 70, in pslist for p in get_kdbg(addr_space).processes(): File "/usr/local/lib/python2.7/site-packages/volatility-2.3.1-py2.7.egg/volatility/plugins/overlays/windows/kdbg_vtypes.py", line 42, in processes raise AttributeError("Could not list tasks, please verify your --profile with kdbgscan") AttributeError: Could not list tasks, please verify your --profile with kdbgscan

11 years

3
2
0 0

Pid=1260 not founded through any plugin

by Nouman Zia

Hey, In images (tigger.vmem, sality.vmem and black energy) the connscan plugin gives an output which shows these images are making connection with some IP and also tells the PID of process which are making such connections but when I used PSLIST, PSSCAN and PSXVIEW plugins then none of them shows the process which is having such PID(which is making connection). P.S: In all the above mentioned images the process id is same i.e. PID=1260 So the problem is why its not showing any detail about PID=1260???

11 years

3
2
0 0

help to investigate

by mediomen27

Hi, gmer has found something of suspicious. I have a screenshot of partial logs, here: http://postimg.org/image/bgx0u5xt9/ Now the server looks mysteriously clean thus the only clues I have are that screenshot and the vmware snapshot. Anyone could help me to investigate more deeply ? The following is what I have done alone: # vol pslist|grep logon Volatility Foundation Volatility Framework 2.3.1 0x8967d158 winlogon.exe 412 332 18 535 0 0 2013-06-26 09:16:14 UTC+0000 0x88ea0918 winlogon.exe 9088 332 19 258 1 0 2013-10-30 14:33:34 UTC+0000 # vol dlllist -p 412|grep -i klogon 0x10000000 0x36000 0x1 C:\WINDOWS\system32\klogon.dll klogon looks a kaspersky logon module # vol dlldump -b 0x10000000 -D /root/dumpprocess/ and the dumped dll looks really something about kaspersky.. # vol filescan|grep VC80 Volatility Foundation Volatility Framework 2.3.1 0x08d295d8 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86 0x08e684f0 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86 0x08f0b920 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x0905a530 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86 0x090822d0 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x09175a90 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86 0x09181e50 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x09496250 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x09509cc8 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x09555808 1 0 R--r-d \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcr80.dll 0x0958f860 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86 0x095cd168 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x095f76a0 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86 0x0960b668 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x0961d9d8 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x0961e6c8 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x096cda10 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x096f1db0 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x096f2d10 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x097c52d0 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x097fbb10 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x09809e90 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x09836350 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x09843c68 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x0985aa50 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x09872738 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x0987b340 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x09a0fea8 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86 0x09a3ada8 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86 0x09a82f90 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86 0x09bf9ef8 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86 0x09d95428 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 0x09dadd18 1 1 R--rw- \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_449d3952 Thanks for any help.

11 years

2
3
0 0

Memory forensics training by the Volatility Team is going to Australia!

by Andrew Case

We are happy to announce that we will be bringing our memory forensics and malware analysis training to Australia in August: http://www.memoryanalysis.net/#!New-Event-in-Canberra-AU-August-24th---29th… For information on the course please see: http://www.memoryanalysis.net/#!memory-forensics-training/c1q3n You can also find a number of past reviews of the course here: http://www.memoryanalysis.net/#!testimonials/c1dos This is the only time we will be in Australia until at least 2015, and we have already received significant interest in this offering so please contact us as soon as possible if you would like to attend. Thanks, Andrew (@attrc)

11 years

1
0
0 0

windows 8 ?

by mediomen27

Hi, where can I download volatility 2.4 for windows 8 ? Thank you very much.

11 years

2
1
0 0

Volatility pleads ignorance (aka "Nope, that window's not there")

by Bridgey

Hi all, I have an interesting scenario where Volatility seems to be telling me a process isn't there. Using Volatility 2.3.1, memory sample is from Win7SP1x86 (in a virtualbox VM) with pagefile turned off and 512MB RAM. Win7SP1x86.png (attached) clearly shows the Win7 desktop with notepad open and DumpIt.exe running. Output from pslist shows: $ python volatility-read-only/vol.py -f memdumps/MEMTEST-PC-20140331-131312/*.raw --profile=Win7SP1x86 pslist Volatility Foundation Volatility Framework 2.3.1 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0x839afa20 System 4 0 79 437 ------ 0 2014-03-31 13:12:08 UTC+0000 0x84836278 smss.exe 268 4 2 29 ------ 0 2014-03-31 13:12:08 UTC+0000 0x84f1b5c0 csrss.exe 344 336 8 333 0 0 2014-03-31 13:12:12 UTC+0000 0x84ef7d40 wininit.exe 380 336 4 79 0 0 2014-03-31 13:12:12 UTC+0000 0x84ef67a0 csrss.exe 392 372 7 187 1 0 2014-03-31 13:12:12 UTC+0000 0x84f04030 winlogon.exe 432 372 5 115 1 0 2014-03-31 13:12:13 UTC+0000 0x84e5fa80 services.exe 460 380 15 183 0 0 2014-03-31 13:12:13 UTC+0000 0x84f4d818 lsass.exe 468 380 7 444 0 0 2014-03-31 13:12:13 UTC+0000 0x84f4e7f8 lsm.exe 476 380 10 142 0 0 2014-03-31 13:12:13 UTC+0000 0x84fd6bc0 svchost.exe 596 460 14 353 0 0 2014-03-31 13:12:15 UTC+0000 0x84fe2af0 VBoxService.ex 660 460 11 107 0 0 2014-03-31 13:12:16 UTC+0000 0x84ff7bb0 svchost.exe 712 460 11 229 0 0 2014-03-31 13:12:16 UTC+0000 0x85127858 svchost.exe 760 460 16 341 0 0 2014-03-31 13:12:17 UTC+0000 0x85197cc8 svchost.exe 888 460 21 433 0 0 2014-03-31 13:12:19 UTC+0000 0x851cf510 svchost.exe 936 460 45 796 0 0 2014-03-31 13:12:20 UTC+0000 0x847fe030 svchost.exe 1036 460 16 244 0 0 2014-03-31 13:12:21 UTC+0000 0x8511b388 svchost.exe 1128 460 17 350 0 0 2014-03-31 13:12:22 UTC+0000 0x851fe390 spoolsv.exe 1232 460 12 287 0 0 2014-03-31 13:12:23 UTC+0000 0x85212c30 svchost.exe 1268 460 24 316 0 0 2014-03-31 13:12:23 UTC+0000 0x852e3030 taskhost.exe 1744 460 10 173 1 0 2014-03-31 13:12:29 UTC+0000 0x852f2bc8 dwm.exe 1816 888 5 73 1 0 2014-03-31 13:12:30 UTC+0000 0x852f39d0 explorer.exe 1828 1788 34 876 1 0 2014-03-31 13:12:30 UTC+0000 0x84fe16d0 VBoxTray.exe 1940 1828 11 94 1 0 2014-03-31 13:12:32 UTC+0000 0x85335a48 GrooveMonitor. 1948 1828 4 96 1 0 2014-03-31 13:12:32 UTC+0000 0x84f34030 SearchIndexer. 1092 460 14 683 0 0 2014-03-31 13:12:40 UTC+0000 0x8537ad40 notepad.exe 1164 1828 1 64 1 0 2014-03-31 13:12:42 UTC+0000 0x8527fd40 SearchProtocol 1848 1092 8 275 0 0 2014-03-31 13:12:43 UTC+0000 0x853a08a0 SearchFilterHo 1780 1092 5 80 0 0 2014-03-31 13:12:43 UTC+0000 0x84eed030 DumpIt.exe 1844 1828 2 37 1 0 2014-03-31 13:13:12 UTC+0000 0x85104638 conhost.exe 540 392 2 58 1 0 2014-03-31 13:13:12 UTC+0000 notepad.exe can be seen: PID = 1164. Parent process is explorer and session is 1 - just as I'd expect. However, when I ran the windows plugin there was no sign of notepad in the output (windows.txt attached). Further, using the screenshot plugin it shows exactly what I'd expect except the notepad process is missing! (session_1.WinSta0.Default.png attached). If anybody has any ideas as to why this situation occurs I'd be really interested. A 7z'd version of the dump is only 82MB and it doesn't contain anything sensitive so I can make it available if needs be.

11 years

2
3
0 0

linux syscall table

by mediomen27

Hi, I am trying to make some check on a linux server with kernel 2.6.18. I am not a kernel developer so I don't know if what I am going to say is wrong...anyway. # ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_syscall Volatility Foundation Volatility Framework 2.3.1 Table Name Index Address Symbol ---------- ---------- ---------- ------------------------------ 32bit 0x0 0xc0430543 sys_restart_syscall 32bit 0x1 0xc0428888 sys_exit 32bit 0x2 0xc0403190 sys_fork 32bit 0x3 0xc0478826 sys_read ..... SNIP 32bit 0xe 0xc04872bf sys_mknod 32bit 0xf 0xc0476cb8 sys_chmod 32bit 0x10 0xc043cef7 sys_lchown16 32bit 0x11 0xc0437304 compat_sys_futex 32bit 0x12 0xc04808e0 sys_stat 32bit 0x13 0xc047873f sys_lseek 32bit 0x14 0xc042e69f sys_getpid ..... SNIP 32bit 0x13f 0xc0437304 compat_sys_futex 32bit 0x140 0xc0437304 compat_sys_futex 32bit 0x141 0xc0437304 compat_sys_futex 32bit 0x142 0xc0437304 compat_sys_futex 32bit 0x143 0xc049e91f sys_eventfd 32bit 0x144 0xc047691d sys_fallocate 32bit 0x145 0xc0437304 compat_sys_futex 32bit 0x146 0xc0437304 compat_sys_futex 32bit 0x147 0xc0437304 compat_sys_futex 32bit 0x148 0xc0437304 compat_sys_futex 32bit 0x149 0xc0437304 compat_sys_futex 32bit 0x14a 0xc0437304 compat_sys_futex 32bit 0x14b 0xc0437304 compat_sys_futex 32bit 0x14c 0xc0437304 compat_sys_futex 32bit 0x14d 0xc0437304 compat_sys_futex 32bit 0x14e 0xc0437304 compat_sys_futex 32bit 0x14f 0xc0437304 compat_sys_futex 32bit 0x150 0xc0437304 compat_sys_futex 32bit 0x151 0xc05be378 sys_recvmmsg What is this compat_sys_futex ??? I don't find anything like that on kernel source linux-2.6.18/arch/i386/kernelsyscall_table.S compat_sys_futex 32bit 0xf 0xc0476cb8 sys_chmod 32bit 0x10 0xc043cef7 sys_lchown16 32bit 0x11 0xc0437304 compat_sys_futex 32bit 0x12 0xc04808e0 sys_stat 32bit 0x13 0xc047873f sys_lseek should be sys_ni_syscallall .long sys_chmod /* 15 */ .long sys_lchown16 .long sys_ni_syscall /* old break syscall holder */ .long sys_stat .long sys_lseek but... # ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_syscall | grep compat_sys_futex | wc -l Volatility Foundation Volatility Framework 2.3.1 41 # and $ grep sys_ni_syscall syscall_table.S | wc -l 21 ?!?!? Anyone have enough patience to explain me this anomaly ? Or this is a syscall hijacking ? An other question... Is it normal that in the idt is missing "double fault" ?? # ./vol.py -f /root/image_mem/AAA.lime --profile=LinuxAAAx86 linux_check_idt Volatility Foundation Volatility Framework 2.3.1 Index Address Symbol ---------- ---------- ------------------------------ 0x0 0xc0405a7c divide_error 0x1 0xc0625498 debug 0x2 0xc0405b14 nmi 0x3 0xc06254dc int3 0x4 0xc0405c04 overflow 0x5 0xc0405c10 bounds 0x6 0xc0405c1c invalid_op 0x7 0xc0405adc device_not_available 0x9 0xc0405c28 coprocessor_segment_overrun 0xa 0xc0405c34 invalid_TSS 0xb 0xc0405c40 segment_not_present 0xc 0xc0405c4c stack_segment 0xd 0xc0625500 general_protection 0xe 0xc062550c page_fault 0xf 0xc0405c74 spurious_interrupt_bug 0x10 0xc0405ac4 coprocessor_error 0x11 0xc0405c58 alignment_check 0x12 0xc0405c64 machine_check 0x13 0xc0405ad0 simd_coprocessor_error 0x80 0xc0404f04 system_call where is 0x8 ? Thank you very much.

11 years, 1 month

2
2
0 0

Output from windows/wintree plugins - what does it mean?

by Bridgey

Hi all, In my continuing exploration of Windows memory and Volatility I'm current looking at Windows, literally, the GUI. Looking at a notepad process, wintree shows me: .Untitled - Notepad (visible) notepad.exe:100 Notepad ..#20128 notepad.exe:100 6.0.7601.17514!msctls_statusbar32 ..#20126 (visible) notepad.exe:100 6.0.7601.17514!Edit .Default IME notepad.exe:100 IME .MSCTFIME UI notepad.exe:100 MSCTFIME UI So, I'm assuming #20128 is the status bar at the bottom of the Notepad window, and #20126 is the edit control, that is, the textarea into which the user types. This is the corresponding output from the windows plugin for the edit control: Window Handle: #20126 at 0xfea0dc70, Name: ClassAtom: 0xc119, Class: 6.0.7601.17514!Edit SuperClassAtom: 0xc018, SuperClass: Edit pti: 0xfe2a4008, Tid: 1692 at 0x8550d368 ppi: 0xffa95550, Process: notepad.exe, Pid: 100 Visible: Yes Left: 10, Top: 52, Bottom: 485, Right: 701 Style Flags: WS_VSCROLL,WS_CHILD,WS_OVERLAPPED,WS_VISIBLE,WS_HSCROLL ExStyle Flags: WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT Window procedure: 0x744399d0 Question 1: Window Handle: #20126 at 0xfea0dc70 - what is the offset? Physical, virtual? Of what? The Edit control object? (I'm guessing: physical, yes, of the edit control object.) Question 2: I can see that it's Window-esque properties (X, Y, width, height, style flags, et al) are all clearly present., but where can I find information specific to this control (in this instance, an 'Edit'). For example, maybe the text it contains? (I'm guessing, take a look at 0xfea0dc70 and there'll be some kind of structure to parse.) As always, many thanks. (This is all going towards a plugin that I'm hoping to write!) Also as always, if I could've found this information on my own, please let me know where to look. I've read the Command Reference and the associated MoVP posts. Adam

11 years, 1 month

3
6
0 0

Can not use Volatility through Firewire

by Sebastian Biedermann

Hello guys, I'm trying to use Volatility through Firewire, but actually it's not working. My investigator PC runs Ubuntu Linux Ubuntu 12.04 I'm using the New (JuJu) Firewire stack compiled into kernel and I also installed forensic1394. My Firewire Bus is up and connected to a Firewire Bus on a target win7 system (4GB memory), I can successfully dump the memory with another tool called 'inception'. However, output only says: vol# python vol.py -l firewire://forensic1394/0 --profile=Win7SP1x64 modules Volatility Foundation Volatility Framework 2.3.1 No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space FileAddressSpace: Location is not of file scheme ArmAddressSpace: No base Address Space What I am doing wrong? Thank you! -- Sebastian

11 years, 1 month

2
3
0 0

dumping registry hives from memory images

by Roger

Hello Jamie, Apologies for delayed response. Had a short break with family. I tried using dumpfiles plugins as per your adviced. it turned out working against winxp, but seems not against win7sp1x86. is this a known limitation? Thanks again mate. Regards, Roger On Feb 18, 2014, at 5:00 AM, vol-users-request(a)volatilityfoundation.org wrote: > Send Vol-users mailing list submissions to > vol-users(a)volatilityfoundation.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > or, via email, send a message with subject or body 'help' to > vol-users-request(a)volatilityfoundation.org > > You can reach the person managing the list at > vol-users-owner(a)volatilityfoundation.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Vol-users digest..." > > > Today's Topics: > > 1. dumping registry hive(s) from memory image (Roger) > 2. Re: dumping registry hive(s) from memory image (Jamie Levy) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 17 Feb 2014 16:53:01 +1100 > From: Roger <roger.franklin67(a)gmail.com> > Subject: [Vol-users] dumping registry hive(s) from memory image > To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org> > Message-ID: <98444CAC-D5F0-473B-88EB-75CC983F2869(a)gmail.com> > Content-Type: text/plain; charset=us-ascii > > I've been trying to get/dump a copy of a certain registry hive from the memory. Managed to list down their offsets using hivelist plugin but unable to find ways of dumping them to files. My intention is to load it to other tools such as regripper as input/target registry files. > > Has any one found a way of doing it? > > Thank you very much in advance. > > Kind regards, > Roger > > ------------------------------ > > Message: 2 > Date: Mon, 17 Feb 2014 10:22:32 -0500 > From: Jamie Levy <jamie.levy(a)gmail.com> > Subject: Re: [Vol-users] dumping registry hive(s) from memory image > To: vol-users(a)volatilityfoundation.org > Message-ID: <53022938.4040302(a)gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > Hi Roger, > > Try using the dumpfiles plugin: > > http://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles > > You can use an example similar to the event logs one in order to dump > the registry file. Let me know if you need help. > > All the best, > > -Jamie > > > > On 2/17/2014 12:53 AM, Roger wrote: >> I've been trying to get/dump a copy of a certain registry hive from the memory. Managed to list down their offsets using hivelist plugin but unable to find ways of dumping them to files. My intention is to load it to other tools such as regripper as input/target registry files. >> >> Has any one found a way of doing it? >> >> Thank you very much in advance. >> >> Kind regards, >> Roger_______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > -- > Jamie Levy (@gleeda) > Blog: http://volatility-labs.blogspot.com/ > GPG: http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92 > Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 > > > ------------------------------ > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > End of Vol-users Digest, Vol 68, Issue 6 > ****************************************

11 years, 1 month

2
1
0 0

Are Volatility's Win7 profiles correct for Home Premium 32 bit?

by Andy Bellman

Michael and Jamie, Thanks. I've I found I made a couple of stupid mistakes. The second was sending the below message to the wrong email when I figured out the first late yesterday evening. My apologies, I've figured out that it was 64 bit, and I was completely mistaken about it being 32 bit. I assumed that it was 32 bit, because the the 64 bit profiles took much longer to run, and I'd assumed they were hanging. I think I used a slow computer, and suspect that having everything on usb also slowed things down. I decided I ought to check my work better, and let imageinfo run for the three hours it needed. In hindsight, I think I should have run hibinfo instead, as that seems to have indicated the right profile much faster. I think I can figure the rest out. Thank you, andybellman(a)outlook.com

11 years, 1 month

2
1
0 0

Issue with 'linux_pslist'

by Torres, Geoff (Global Cyber Security)

Hi All, This is an FYI to the maintainers of the Volatility code. I don't need immediate help on this issue but I thought somebody might be interested. I ran into a problem where the 'linux_pslist' command in volatility is hanging on an Ubuntu 13.04 memory dump. All the other 'ps' related commands seem to run just fine. I'm running Volatility 2.3.1 and I can supply any other details you need (including the memory dump). I've attached the debug output (I let it run for over 30 minutes on a 1GB dump). I'm happy to try any suggestions you may have. Thanks for a great product, Geoff ============================== Geoff Torres - HP ==============================

11 years, 1 month

2
1
0 0

Are Volatility's Win7 profiles correct for Home Premium 32 bit?

by Andy Bellman

Members of the list, I have been attempting to recover some unsaved files from a hiberfil.sys from a Windows 7 system. It is from a laptop, I'm pretty sure running Home Premium 32 bit. I use an XP system to run the standalone version of Volatility. Using 'volatility -f hiberfil.sys --profile=Win7SP0x86 imageinfo' I get: ' Suggested Profile(s) : No suggestion (Instantiated with Win7SP0x86) AS Layer1 : IA32PagedMemoryPae (Kernel AS) AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS) AS Layer3 : FileAddressSpace (I:\hfr\hiberfil.sys) PAE type : PAE DTB : 0x0L KUSER_SHARED_DATA : 0xffdf0000L' Using 'volatility -f hiberfil.sys --profile=Win7SP1x86 hibinfo' I get: 'Volatility Foundation Volatility Framework 2.3.1 PO_MEMORY_IMAGE: Signature: HIBR SystemTime: 1970-01-01 00:00:00 UTC+0000 Control registers flags CR0: 00000000 CR0[PAGING]: 0 CR3: 00000000 CR4: 00000000 CR4[PSE]: 0 CR4[PAE]: 0 Windows Version is -.- (-)' Other modules seem to hang, or produce no results. I thought I must have a bad file, but I got it from the right place, and changing the name or location doesn't seem easy enough that an OEM would do it. I thought I might be using the tool wrong, but it seems I can get it working better with four out of the five NIST samples linked from the code.google.com/p/volatility/wiki website. I'm wondering if trying to do something volatility doesn't support yet, or if I am simply making a mistake. Thanks, andybellman(a)outlook.com

11 years, 1 month

3
2
0 0

Recovering OpenVPN credentials

by Philip Huppert

Hi, as part of a university course I've developed a Volatility plugin to extract user credentials cached in an OpenVPN process. Currently the extraction is limited to OpenVPN 2.2.2 on Windows. Still, maybe this is useful to someone else. Code is here: https://github.com/Phaeilo/vol-openvpn Philip

11 years, 1 month

3
3
0 0

RE: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64

by Smelkovs, Konrads (London)

Hello Aaron and Michael, This is a machine with a very interesting file corruption case which is most likely malware. I used moonsol's DumpIt to acquire the image from a Win7 64bit SP1 machine with 8 gigs of ram. Here's the output of bin2dmp: bin2dmp - 1.0.20100405 - (Professional Edition - Single User Licence) Convert raw memory dump images into Microsoft crash dump files. Copyright (C) 2007 - 2010, Matthieu Suiche <http://www.msuiche.net> Copyright (C) 2009 - 2010, MoonSols <http://www.moonsols.com> User , () Initializing memory descriptors... Done. Looking for kernel variables... Done. Loading file... Done. Rewritting CONTEXT for Windbg... -> Context->SegCs at physical address 0x0000000006017F78 modified from 00 in o 10 -> Context->SegDs at physical address 0x0000000006017F7A modified from 00 in o 2b -> Context->SegEs at physical address 0x0000000006017F7C modified from 00 in o 2b -> Context->SegFs at physical address 0x0000000006017F7E modified from 00 in [0x000000021E600000 of 0x000000021E600000] MD5 = 2DF9C04AB34D820ACA56B201B1382A880x0000000006017F80 is already equal to 00 Total time for the conversion: 9 minutes 49 seconds.6017F82 modified from 00 in o 18 And here I tried loading the dump file in windbg 64 Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\ xxxx.dmp] Kernel Complete Dump File: Full address space is available Comment: 'Hibernation file converted with MoonSols Memory Toolkit' Symbol search path is: C:\windows\symbols;SRV*C:\windows\symbols*http://msdl.microsoft.com/downloa… Executable search path is: Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. *** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540 *** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_8b4820ec`83485540 Debugger can not determine kernel base address Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7601.18229.amd64fre.win7sp1_gdr.130801-1533 Machine Name: Kernel base = 0xfffff800`02e1b000 PsLoadedModuleList = 0xfffff800`0305e6d0 Debug session time: Sun Mar 2 21:08:59.275 2014 (UTC + 0:00) System Uptime: 0 days 7:22:16.509 Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. *** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540 *** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_8b4820ec`83485540 Debugger can not determine kernel base address Loading Kernel Symbols Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. .Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 Image path too long, possible corrupt data. Loading unloaded module list ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. ..Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. . WARNING: .reload failed, module list may be incomplete GetContextState failed, 0xD0000147 CS descriptor lookup failed GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get program counter GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 4D415454, {1, 2, 3, 4} GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 ***** Debugger could not find nt in module list, module list might be corrupt, error 0x80070057. Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 WARNING: .reload failed, module list may be incomplete GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 WARNING: .reload failed, module list may be incomplete Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 WARNING: .reload failed, module list may be incomplete Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE ) Followup: MachineOwner --------- GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 -----Original Message----- From: AAron Walters [mailto:awalters@4tphi.net] Sent: 02 March 2014 20:50 To: Smelkovs, Konrads (London) Cc: Michael Ligh Subject: RE: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64 Hi Konrads, Nice to meet you. Thank for joining the mailing list. Is the machine you are trying to analyze part of an investigation or a test machine? A physical machine or a virtual machine? Does it have any unusual devices connected to it? If you convert the sample to windbg format using the MoolSols tools, will it load in windows debugger? Thanks, AAron Walters The Volatility Foundation On Sun, 2 Mar 2014, Smelkovs, Konrads (London) wrote: > Hi, > > Hangs on both Linux and Windows. I used MoonSol's memory acquisition tools. What tools would you suggest to use instead? > > > -----Original Message----- > From: Michael Ligh [mailto:michael.ligh@mnin.org] > Sent: 02 March 2014 16:25 > To: Smelkovs, Konrads (London) > Cc: vol-users(a)volatilityfoundation.org > Subject: Re: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64 > > Hi Konrads, > > Thanks for the output. At the moment, its looks like the page table is corrupt (based on the errors trying to read physical addresses in the range 0xf8b4c0575d000, which is way outside the size of your file). Whether the acquisition tool or Volatility's address space parser is to blame, I'm not currently sure. Can you answer a few additional questions, please: > > * Does it also hang on Linux also, or does it complete sometime after printing those "None object instantiated: Unable to read_long_long_phys" messages? > * What tool did you acquire memory with? Is it possible to re-acquire in a different format, such as a Windows crash dump? > > Thanks, > Michael > > > This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it. > This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it. > Any communications made with KPMG may be monitored and a record may be kept of any communication. > Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter. > A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office. > KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL. > This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it. This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it. Any communications made with KPMG may be monitored and a record may be kept of any communication. Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter. A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office. KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL.

11 years, 1 month

3
3
0 0

Chasing evil or my tail?

by shorejsi2＠mmm.com

Working on a system that has been beaconing out to bad places and noticed this in the 'pstree' output (abbreviated): Name Pid PPid -------------------------------------------------- ------ ------ 0x894ca030:csrss.exe 580 484 ... 0x8f25b5b0:wininit.exe 632 484 ... . 0x8f379d40:services.exe 692 632 ... .. 0xb12484c0:FireSvc.exe 2064 692 ... .. 0xaecc6d40:svchost.exe 3332 692 ... ... .. 0xb3eeb030:svchost.exe 3780 692 ... .. 0x85e518e8:msdtc.exe 5332 692 ... ... 0x82651d40:explorer.exe 5400 5332 ... .... 0x85dcc3b0:pmcs.exe 1608 5400 ... .... 0x85dc9240:EpePcMonitor.e 6108 5400 ... .... 0x85c92030:BTTray.exe 4744 5400 ... .... 0x8652c928:iexplore.exe 7028 5400 ... ..... 0x86721030:iexplore.exe 7364 7028 ... ...... 0x866f2030:jp2launcher.ex 5356 7364 ... ....... 0x8678c408:java.exe 7700 5356 ... ... Is it just me or is msdtc.exe a very odd parent for explorer.exe? I would normally expect userinit.exe to start explorer and then exit, leaving it with no visible parent. Any input appreciated... -=[ Steve ]=-

11 years, 1 month

2
3
0 0

Volatility never finishes on 8 gig Win7SP1x64

by Smelkovs, Konrads (London)

Hello, C:\ >volatility-2.3.1.standalone.exe -f C:\image.raw kdbgscan --profile=Win7SP1x64 Volatility Foundation Volatility Framework 2.3.1 ..... Never finishes - analysing 8 gig dump, CPU max. Help? This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it. This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it. Any communications made with KPMG may be monitored and a record may be kept of any communication. Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter. A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office. KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL.

11 years, 1 month

3
5
0 0

FW: Memory-mapped file and shared pages

by Joshua Davies

Hi list, I'm currently doing some memory analysis, and I'm using Notepad on Windows 7 x64 as an example. My question is this: is there any way to link a _FILE_OBJECT back to the process that generated it, without a valid handle, or an entry in the VAD tree. This article discusses it: http://computer.forensikblog.de/en/2009/04/linking-file-objects-to-processe… - however, this approach only works if there is a valid handle for the open file. Here's an example: I open notepad, and open a simple text file that contains "This is the contents of the file". Performing a scan over the memory dump reveals this data in two locations: 1 - 0x1448f000 - This is the contents of the file found through the _FILE_OBJECT->SectionObjectPointers->DataSectionObject. This points to a control area, and through that I can locate the Subsection-BasePTE which shows that the page is in transition and has a PFN of 0x1448f. So this allows me to the find the data through the _FILE_OBJECT 2 - 0x39d336b0 - This address is currently part of Notepad's private heap, which is where the data has been mapped into. So examining the two pages through WinDbg gives me this information: lkd> !pfn 1448f PFN 0001448F at address FFFFFA80003CDAD0 flink 00015B8F blink / share count 00013ED5 pteaddress FFFFF8A0008AD010 reference count 0000 used entry count 0000 Cached color 0 Priority 5 restore pte FA800325553004C0 containing page 00ABBA Standby P Shared lkd> !pte FFFFF8A0008AD010 1 VA fffff8a0008ad010PXE at FFFFF8A0008AD010 PPE at FFFFF8A0008AD010 PDE at FFFFF8A0008AD010 PTE at FFFFF8A0008AD010contains 000000001448F8C0not valid Transition: 1448f Protect: 6 - ReadWriteExecute As can be seen, the page containing the original data is shared, is on the standby list, and points to a prototype PTE. lkd> !pfn 39d33 PFN 00039D33 at address FFFFFA8000AD7990 flink 00039D88 blink / share count 00039D1E pteaddress FFFFF6800001CAC8 reference count 0000 used entry count 0000 Cached color 0 Priority 3 restore pte 1635500000080 containing page 0274B8 Standby lkd> !pte FFFFF6800001CAC8 1 VA fffff6800001cac8PXE at FFFFF6800001CAC8 PPE at FFFFF6800001CAC8 PDE at FFFFF6800001CAC8 PTE at FFFFF6800001CAC8contains 0000000000000000not valid The PTE within Notepad's heap is marked as not valid, but also shows that the page is on the standby list. As the page located through the FILE_OBJECT is marked as shared, and points to a prototype PTE, is there anyway of locating this prototype PTE, and using it to track back to Notepad? So for instance, would it be possible to locate the PPTE by searching memory for the 'MmSt' tag, and then parse the PPTE to gain any information. Or does the PPTE not track backwards in that way? Essentially, if the page containing the data found through the _FILE_OBJECT is shared, what is it shared with, and is it possible to track this information, using either the PFN database, prototype PTE entries, or something else I haven't thought of. Any input or advice would be appreciated. Thanks Josh.

11 years, 1 month

1
0
0 0

Volatility & Mac Malware Analysis at RSA

by Andrew Case

Hello All, I was writing to let everyone know that I will be speaking Friday at RSA on investigating Mac malware with Volatility and Volatility's Mac support in general. If you are going to the conference you should check out the talk and come say 'hi' after: http://www.rsaconference.com/speakers/andrew-case -- Thanks, Andrew (@attrc)

11 years, 1 month

1
0
0 0

Broke something =:o(

by shorejsi2＠mmm.com

C:\Volatility>python vol.py timeliner -f \CSATLCL\W0137018\W0137018-RAM.dd4.001 --profile=Win7SP1x86 Volatility Foundation Volatility Framework 2.3.1 Traceback (most recent call last): File "vol.py", line 184, in <module> main() File "vol.py", line 175, in main command.execute() File "C:\Volatility\volatility\commands.py", line 122, in execute func(outfd, data) File "C:\Volatility\volatility\plugins\timeliner.py", line 88, in render_text for line in data: File "C:\Volatility\volatility\plugins\timeliner.py", line 312, in calculate o) UnicodeEncodeError: 'ascii' codec can't encode character u'\xae' in position 156: ordinal not in range(128) Looks like I may have a martian character in a string somewhere... -=[ Steve ]=-

11 years, 2 months

1
0
0 0

Volatility Memory Forensics & Malware Analysis training now available on three continents!

by Andrew Case

Hello All, We are writing to announce that we now have public trainings scheduled in Australia, London, New York, and Virginia! The New York and London trainings will be selling out soon so we suggest contacting us ASAP if you wish to attend either of those. We have also already received significant interest in the Australia course and have a large notification list for it. Please contact us if you would like to be added. Finally, the team is happy to announce that we now have a dedicated website for training at http://www.memoryanalysis.net. For full information on each training and the new website, please see our recent blog post: http://volatility-labs.blogspot.com/2014/02/training-by-volatility-project-… If you want to to learn memory forensics skills from the researchers and developers behind Volatility then you should consider signing up for one of our courses. Not only will you leave being an expert in Volatility and Windows internals, but you will also be able to perform malware analysis and incident response along side the best in the industry. -- Thanks, Andrew (@attrc)

11 years, 2 months

1
0
0 0

dumping registry hive(s) from memory image

by Roger

I've been trying to get/dump a copy of a certain registry hive from the memory. Managed to list down their offsets using hivelist plugin but unable to find ways of dumping them to files. My intention is to load it to other tools such as regripper as input/target registry files. Has any one found a way of doing it? Thank you very much in advance. Kind regards, Roger

11 years, 2 months

2
1
0 0

Duqu Image

by Gibson, Ryan

Does anyone have one? Is there a writeup somewhere like there was for Stuxnet? Ryan Gibson GCFA, GCIH, Security + Office: 858-651-1689 Mobile: 619-804-8736 Senior IT Security Engineer

11 years, 2 months

2
2
0 0

Re: [Vol-users] Difficulty creating CentOS profiles

by Andrew Case

So was the fix just to switch to lime format or did you also need the patch? This will help us keep better documentation for future bug reports. Also, is there a reason you need the raw sample? If you are looking for a sample without any metadata, the best version would be 'padded' since it zero fills the offsets between RAM sections, but note that you can get a HUGE file, especially on 64 bit systems. The raw version of LiME simply concatantes regions together (does not pad), which make offsets found from virtual address translation off. This is why Volatility (and other tools) cannot process most raw Lime dumps. On 2/6/2014 10:45 AM, Torres, Geoff (Global Cyber Security) wrote: > OK, we're making progress... > > Michael Ligh also suggested that article. I had dismissed it as not applicable because it was regarding CentOS 5.3 and the earliest I've been attempting is 5.8. My apologies for not trying it sooner. > > It did work for the Lime format, but not the Raw format which is ultimately what I need. Would different offsets work for the raw format? Is it possible to convert a raw format image into Lime format? > > Also, does this mean that I need different volatility code for different kernels? > > My role is to perform forensic analysis on compromised systems. I can conceivably get any type of system and I get them in large enough volume that I've been developing scripts to automate these sort of tasks. > > Thanks for all your help so far, > > Geoff > > > -----Original Message----- > From: Andrew Case [mailto:atcuno@gmail.com] > Sent: Thursday, February 06, 2014 7:32 AM > To: Torres, Geoff (Global Cyber Security); 'vol-users(a)volatilityfoundation.org' > Subject: Re: [Vol-users] Difficulty creating CentOS profiles > > Hello, > > I believe you are having the same issues that we diagnosed here: > > http://lists.volatilityfoundation.org/pipermail/vol-users/2013-February/000… > > Could you please edit your code as MHL explains to account for the shift? It only requires two small changes to the existing code. Note that the line numbers may be different since the code has been update since then but if you search for the 0xffffffff80000000 number in each file you will be able to find it. > > Also we would recommend acquiring in the lime format "format=lime" > instead of acquiring in the raw one. > > Let me know how it goes. > > Thanks, > Andrew (@attrc) > > > On 2/5/2014 5:26 PM, Torres, Geoff (Global Cyber Security) wrote: >> Hi, >> >> >> >> I've been unable to create a working Linux profile for any version of >> CentOS. It compiles fine but gives a 'No suitable address space >> mapping found' error when ran against the memory image. >> >> >> >> I've been successful creating various Debian and Ubuntu profiles, but >> CentOS has yet to work. I'm sure it's something simple but I can't >> figure it out. I'm certain that I'm matching kernel versions >> correctly and that the build process is the same as I use for the Ubuntu versions. >> >> >> >> I've attached the details of my most recent attempt. It's a vanilla >> CentOS 5.10 install on VmWare. The memory image is available (250Mb >> zip) if necessary. >> >> >> >> Any ideas? None of the solutions I found in Google seem to address my >> issue. >> >> >> >> Thanks, >> >> >> >> Geoff >> >> >> >> BTW - I'm not a kernel programmer so please be detailed if there's >> something you'd like me to try. >> >> >> >> _______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> >

11 years, 2 months

2
1
0 0

Difficulty creating CentOS profiles

by Torres, Geoff (Global Cyber Security)

Hi, I've been unable to create a working Linux profile for any version of CentOS. It compiles fine but gives a 'No suitable address space mapping found' error when ran against the memory image. I've been successful creating various Debian and Ubuntu profiles, but CentOS has yet to work. I'm sure it's something simple but I can't figure it out. I'm certain that I'm matching kernel versions correctly and that the build process is the same as I use for the Ubuntu versions. I've attached the details of my most recent attempt. It's a vanilla CentOS 5.10 install on VmWare. The memory image is available (250Mb zip) if necessary. Any ideas? None of the solutions I found in Google seem to address my issue. Thanks, Geoff BTW - I'm not a kernel programmer so please be detailed if there's something you'd like me to try.

11 years, 2 months

2
1
0 0

Windows 7 _FILE_OBJECT allocations

by Joshua Davies

Hello list! I'm currently looking into the way in which _FILE_OBJECTS are created and handled by Windows 7, and I'm a little bit confused over something I've observed. When using notepad.exe to open a file, a file handle to the opened file never seems to get added to the object table within the _EPROCESS structure (monitored using SystemInternal's ProcExplorer). I believe this is because notepad does not leave the handle open, it simply opens the file, reads in the data, and then closes the file, without adding the file object to the handle table. However, after opening the file, if I dump the memory of the system (this is being performed on a VM), and use Volaility's filescan to scan for all _FILE_OBJECTS, I see that there is indeed still a _FILE_OBJECT associated with the file I opened. However it's handle count is zero. This makes sense, as with a handle count of zero, it shouldn't be listed in any of the handle tables for any processes. However, it's pointer, or reference count is still valid, often having 16 pointers. My question is this, if the handle count is zero, but the pointer/reference count is still valid, where is this _FILE_OBJECT actually being stored? Is there some kind of kernel-based list/table that holds these open references? Or is this _FILE_OBJECT just floating around in some kind of cache, waiting to be destroyed? Any input or advice would be greatly appreciated. Thanks

11 years, 2 months

2
1
0 0

Red Hat snapshot

by Katarzyna Olejnik

Hi everyone, I've got a snapshot from a Red Hat VM that I'd like to analyze. I've noticed that imagecopy is in the Windows section of the documentation. Is imagecopy supported for Linux snapshots? Thanks, Kasia Olejnik

11 years, 2 months

2
1
0 0

http://blog.handlerdiaries.com/?p=363

by jack crook

I case anyone is interested I wrote a blog post of the memory analysis I did on Jake Williams ADD tool he presented at Shmoocon. It can be found here http://blog.handlerdiaries.com/?p=363 Thanks, Jack Crook

11 years, 2 months

2
1
0 0

New Subreddit for Memory Forensics

by Gibson, Ryan

Hello All, I was poking around the reddits the other day and to my shock and utter dismay, I found no memory forensics subreddit. Soooooooo, I took it upon myself to create one. Volatility all the thingz! http://www.reddit.com/r/memoryforensics/ Ryan Gibson GCFA, GCIH, Security + Office: 858-651-1689 Mobile: 619-804-8736 Senior IT Security Engineer

11 years, 2 months

3
2
0 0

zeusscan2

by shorejsi2＠mmm.com

I'm dealing with what appears to be a new Zeus variant and on a whim I tried to run zeusscan2 under a copy of Volatility 2.0 I still hang onto. Perhaps not surprisingly, it ends unhappily Volatile Systems Volatility Framework 2.0 Traceback (most recent call last): File "vol.py", line 135, in <module> main() File "vol.py", line 126, in main command.execute() File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/commands.py", line 101, in execute func(outfd, data) File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 330, in render_text for p, start, url, config_key, creds_key, decoded_config, decoded_magic in data: File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 221, in calculate data = malware.get_vad_data(ps_ad, start, end) File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/malware.py", line 856, in get_vad_data return ''.join(pages_one) OverflowError: join() result is too long for a Python string Now I strongly suspect that the new variant is just enough different that it messes with the parsing and results in a runaway, but I just wanted to make sure I'm not leaving something on the table here... Should this work? -=[ Steve ]=-

11 years, 2 months

3
6
0 0

Re: [Vol-users] zeusscan2

by shorejsi2＠mmm.com

Stefan; Soon as I get my hands on the disk image I will gladly do so. -=[ Steve ]=- >> Are you willing/able to share the md5 of that Zeus variant, please? >> Cheers, >> Stefan.

11 years, 2 months

1
0
0 0

Create Linux Profile

by Chris

All, in the wiki [1] is described howto build a Linux profile. Why is a machine with the corresponding kernel / distribution required? Why aren't the kernel headers enough? - Chris [1] https://code.google.com/p/volatility/wiki/LinuxMemoryForensics

11 years, 3 months

2
1
0 0

Malfind and impscan questions

by Kathy Simmons

I have a memory dump of a Windows XP box with a piece of malware running in it. In the course of running malfind on the image, there are eight responses, two of which are below (A and B). After the malfind command, I run the impscan command to look at the imports: python vol.py impscan -p 820 -b 0x1f00000 python vol.py impscan -p 820 -b 0x01f50010 The response to the first impscan command is what I expected (see C below). The response to the second impscan command (see D below) is not what I expected at all - no imports? I also ran impscan on the address 0x01f50012 based on the results from the malfind command (see D below) as I figured that I wanted to dump the dll starting on the beginning of the MZ header. But neither address produced any imports - I'm not sure where to go from here. I'm very new at this; any help would be greatly appreciated. My end goal is to take this piece of malware, which looks to have injected several dll's into a process, dump out each dll, then have them reverse engineered. Thanks- A. Process: xxxxxx.exe Pid: 820 Address: 0x1f00000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 9, PrivateMemory: 1, Protection: 6 0x01f00000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 0x01f00010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 0x01f00020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x01f00030 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 ................ 0x1f00000 4d DEC EBP 0x1f00001 5a POP EDX 0x1f00002 90 NOP 0x1f00003 0003 ADD [EBX], AL 0x1f00005 0000 ADD [EAX], AL 0x1f00007 000400 ADD [EAX+EAX], AL 0x1f0000a 0000 ADD [EAX], AL 0x1f0000c ff DB 0xff 0x1f0000d ff00 INC DWORD [EAX] 0x1f0000f 00b800000000 ADD [EAX+0x0], BH 0x1f00015 0000 ADD [EAX], AL 0x1f00017 004000 ADD [EAX+0x0], AL 0x1f0001a 0000 ADD [EAX], AL 0x1f0001c 0000 ADD [EAX], AL 0x1f0001e 0000 ADD [EAX], AL 0x1f00020 0000 ADD [EAX], AL 0x1f00022 0000 ADD [EAX], AL 0x1f00024 0000 ADD [EAX], AL 0x1f00026 0000 ADD [EAX], AL 0x1f00028 0000 ADD [EAX], AL 0x1f0002a 0000 ADD [EAX], AL 0x1f0002c 0000 ADD [EAX], AL 0x1f0002e 0000 ADD [EAX], AL 0x1f00030 0000 ADD [EAX], AL 0x1f00032 0000 ADD [EAX], AL 0x1f00034 0000 ADD [EAX], AL 0x1f00036 0000 ADD [EAX], AL 0x1f00038 0000 ADD [EAX], AL 0x1f0003a 0000 ADD [EAX], AL 0x1f0003c c8000000 ENTER 0x0, 0x0 B. Process: XXXXXX.exe Pid: 820 Address: 0x1f50000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 59, MemCommit: 1, PrivateMemory: 1, Protection: 6 0x01f50000 4c 1b cd 25 00 00 09 e8 16 4f 9e 7e cd 25 00 00 L..%.....O.~.%.. 0x01f50010 00 00 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff ..MZ............ 0x01f50020 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 ..........@..... 0x01f50030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x1f50000 4c DEC ESP 0x1f50001 1bcd SBB ECX, EBP 0x1f50003 25000009e8 AND EAX, 0xe8090000 0x1f50008 16 PUSH SS 0x1f50009 4f DEC EDI 0x1f5000a 9e SAHF 0x1f5000b 7ecd JLE 0x1f4ffda 0x1f5000d 2500000000 AND EAX, 0x0 *0x1f50012 4d DEC EBP0x1f50013 5a POP EDX* 0x1f50014 90 NOP 0x1f50015 0003 ADD [EBX], AL 0x1f50017 0000 ADD [EAX], AL 0x1f50019 000400 ADD [EAX+EAX], AL 0x1f5001c 0000 ADD [EAX], AL 0x1f5001e ff DB 0xff 0x1f5001f ff00 INC DWORD [EAX] 0x1f50021 00b800000000 ADD [EAX+0x0], BH 0x1f50027 0000 ADD [EAX], AL 0x1f50029 004000 ADD [EAX+0x0], AL 0x1f5002c 0000 ADD [EAX], AL ................. ................ C. python vol.py impscan -p 9820 -b 0x01f00000 Volatility Foundation Volatility Framework 2.3.1 IAT Call Module Function ------------------ ------------------ -------------------- -------- 0x0000000001f07d10 0x0000000076cf2c70 kernel32.dll HeapFree 0x0000000001f07d18 0x0000000076cf2d60 kernel32.dll GetProcessHeap 0x0000000001f07d20 0x0000000076e41b70 kernel32.dll HeapAlloc D. python vol.py impscan -p 820 -b 0x01f50010 Volatility Foundation Volatility Framework 2.3.1 IAT Call Module Function ------------------ ------------------ -------------------- -------- E. python vol.py impscan -p 820 -b 0x01f50012 Volatility Foundation Volatility Framework 2.3.1 IAT Call Module Function ------------------ ------------------ -------------------- --------

11 years, 3 months

2
1
0 0

Plugin ethscan problem

by Thomas

Hi, Happy New Year! :) I tried to explore the contest plugin ethscan (latest release) on a few different memory samples containing Mac OSX and Linux OS without success. Each time I got an error message like: ERROR : volatility.commands : This command does not support the profile MacMountainLion_10_8_3_AMDx64 I'm using the correct OS profile, downloaded from the Volatility site (MacProfilesAll.zip) and https://github.com/KDPryor/LinuxVolProfiles. Other Volatility commands like mac_dmesg or linux_netstat does work correctly, so the Profile should really match. Volatility: current SVN revision 3573. Memory samples from: Mac OSX 10.8.3 x64 from Volatility download page OSX 10.7.5 (not 10.7.3) from osxreverser, found on Twitter: https://twitter.com/osxreverser/status/344521006288891905 Ubuntu 10.04 http://files.sempersecurus.org/dumps/memory/pexit.zip found on this interesting blog: http://sempersecurus.blogspot.de/2013/12/a-forensic-overview-of-linux- perlbot.html ethscan does work correctly when using different Windows dumps. How can I fix this problem and get ethscan work also on OSX and Linux dumps? Thanks! Thomas

11 years, 3 months

1
0
0 0

Additional assist with hidden PID's

by James Lay

Hey all, Here's what I have: Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- 0x26004da0 UPS_Label_23052 396 False True False False False False False 0x260f7da0 UPS_Label_23052 396 False True False False False False False Offset(P) Name PID PPID PDB Time created Time exited ---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------ 0x27808020 explorer.exe 1480 1412 0x0a440200 2013-05-23 17:44:24 UTC+0000 0x26004da0 UPS_Label_23052 396 1480 0x0a4403c0 2013-05-23 17:46:09 UTC+0000 0x260f7da0 UPS_Label_23052 396 1480 0x0a4403c0 2013-05-23 17:46:09 UTC+0000 I'm attempting to find and extract the running UPS_Label_23052, but having difficulty extracting the exe from it. Procmemdump and procexedump fail to find the pid, so I'm kind of lost. Any info would help...thank you. James

11 years, 4 months

2
2
0 0

OSX 10.9 memory acquisition

by Sebastien Bourdon-Richard

Hey all, Is there any tools available to acquire OSX 10.9 memory? Mac memory reader does not work on 10.9. Thanks in advance, Sebastien

11 years, 4 months

3
4
0 0

Extracting a running dll from a process

by James Lay

So here's what I got...regsvr32.exe was run as soon below: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0x893614e0 regsvr32.exe 3100 2564 5 97 0 0 2013-12-06 18:28:51 UTC+0000 Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- 0x093614e0 regsvr32.exe 3100 True True False True True True False regsvr32.exe pid: 3100 Command line : regsvr32.exe "C:\Documents and Settings\user\Local Settings\Application Data\YrqdPack\normalPaddlg.dll" Service Pack 3 Base Size LoadCount Path ---------- ---------- ---------- ---- 0x10000000 0x9000 0x1 C:\Documents and Settings\user\Local Settings\Application Data\YrqdPack\normalPaddlg.dll I'm dumped pid 3100 to a dmp file with procmemdump. I strings 3100.dmp and I see what I'm looking for (domain names that match a packet capture). I'm trying to extract that running dll from the 3100.dmp file, which is around 200 megs. Any help would be awesome..thank you. James

11 years, 4 months

2
4
0 0

Re: [Vol-users] Help to add new plugin

by Jamie Levy

Oh, also if you copied the ethscan plugin to your volatility/plugins directory, don't use the --plugins option -----Original Message----- From: David <eterno.comandante(a)gmail.com> Date: Thu, 14 Nov 2013 13:53:05 To: Jamie Levy<jamie.levy(a)gmail.com> Cc: Volatility List<vol-users(a)volatilesystems.com> Subject: Re: [Vol-users] Help to add new plugin Hi Jamie Thanks again... I executed "sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan” And i have new errors, (i use vol.py 2.3.1 non instalable version volatility 2.3.1) Do you know if has anybody a similar problem with ethscan plugin? Traceback (most recent call last): File "/usr/local/bin/vol.py", line 186, in <module> main() File "/usr/local/bin/vol.py", line 143, in main registry.register_global_options(config, commands.Command) File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 157, in register_global_options for m in get_plugin_classes(cls, True).values(): File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 152, in get_plugin_classes raise Exception("Object {0} has already been defined by {1}".format(name, plugin)) Exception: Object EthScan has already been defined by <class 'volatility.plugins.ethscan_rc1.EthScan'> Best regards El 14/11/2013, a las 12:45, Jamie Levy <jamie.levy(a)gmail.com> escribió: > Try: > > sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan > > First: --plugins takes in either a directory or a zipfile, not a plugin > > Second: You didn't specify which plugin to run (ethscan) > From: David <eterno.comandante(a)gmail.com> > Date: Thu, 14 Nov 2013 10:41:47 +0100 > To: Jamie Levy<jamie.levy(a)gmail.com> > Cc: Volatility List<vol-users(a)volatilesystems.com> > Subject: Re: [Vol-users] Help to add new plugin > > > Sorry I had a typo i didn´t write --profile=Win7SP1x64 > > >> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 > > > > I have the same error of ever :( > >> Volatility Foundation Volatility Framework 2.3.1 >> ERROR : __main__ : You must specify something to do (try -h) > > > Thanks!! > > El 14/11/2013, a las 09:36, David <eterno.comandante(a)gmail.com> escribió: > >> Hi @Jamie and list >> >> Thanks very much for your support ;) >> >> I’ve same errors when i’m executing: :( >> >> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img >> >> The error: >> >> Volatility Foundation Volatility Framework 2.3.1 >> ERROR : __main__ : You must specify something to do (try -h) >> >> Maybe the cause of this error can be that the new plugin “ethscan" isn't compatible with non instalable version of volatility 2.3.1, what do you think about? >> >> On the other hand, i found a brief tutorial about ethscan: >> >> https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.t… >> >> vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S >> >> The execution of the vol.py command is different……. :( >> >> He does not the flag —-plugin= >> >> Thanks for all!! >> >> Ps: My apologies for my level of english >> >> >> El 13/11/2013, a las 16:43, Jamie Levy <jamie.levy(a)gmail.com> escribió: >> >>> Hi David, >>> >>> I think you might have also asked this on the channel. So yes, you should use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a folder that has that plugin. If you were the person on the channel, the issue that you were having is because you must specify `--plugins` first, BEFORE any other options to vol.py: >>> >>> http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Addit… >>> >>> Let me know if you have any other questions. >>> >>> All the best, >>> >>> -gleeda >>> >>> >>> >>> >>> On Tue, Nov 12, 2013 at 6:42 AM, David Martin <eterno.comandante(a)gmail.com> wrote: >>> Hello list, >>> >>> Please, I need some help about for add/use new plugins in volatility 2.3.1. >>> >>> Can I use the flag "--plugins=contrib/plugins"? o is there any method? >>> >>> The plugin that I want for add/use is: >>> >>> https://code.google.com/p/jamaal-re-tools/source/checkout >>> >>> Thanks for your support!! >>> >>> >>> >>> >>> >>> _______________________________________________ >>> Vol-users mailing list >>> Vol-users(a)volatilesystems.com >>> http://lists.volatilesystems.com/mailman/listinfo/vol-users >>> >>> >>> >>> >>> -- >>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 >> >

11 years, 4 months

2
6
0 0

How do I enable Mac profiles

by linux stuff

Hey Gang I'm a total noob with eForensics so I'm on the learning curve. I can get volitility to work on Windows memory images but not with Mac memory images. I've downloaded the Mac profiles, unzipped it and moves the files to the location indicated in the article, but when I run the info command the profiles aren't listed. Is there another step in the enable process? TIA Marty Sent from my iPad

11 years, 5 months

2
1
0 0

Re: [Vol-users] Help to add new plugin

by Jamie Levy

Type at the prompt: sudo make clean and try again -----Original Message----- From: David <eterno.comandante(a)gmail.com> Date: Thu, 14 Nov 2013 13:53:05 To: Jamie Levy<jamie.levy(a)gmail.com> Cc: Volatility List<vol-users(a)volatilesystems.com> Subject: Re: [Vol-users] Help to add new plugin Hi Jamie Thanks again... I executed "sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan” And i have new errors, (i use vol.py 2.3.1 non instalable version volatility 2.3.1) Do you know if has anybody a similar problem with ethscan plugin? Traceback (most recent call last): File "/usr/local/bin/vol.py", line 186, in <module> main() File "/usr/local/bin/vol.py", line 143, in main registry.register_global_options(config, commands.Command) File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 157, in register_global_options for m in get_plugin_classes(cls, True).values(): File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 152, in get_plugin_classes raise Exception("Object {0} has already been defined by {1}".format(name, plugin)) Exception: Object EthScan has already been defined by <class 'volatility.plugins.ethscan_rc1.EthScan'> Best regards El 14/11/2013, a las 12:45, Jamie Levy <jamie.levy(a)gmail.com> escribió: > Try: > > sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan > > First: --plugins takes in either a directory or a zipfile, not a plugin > > Second: You didn't specify which plugin to run (ethscan) > From: David <eterno.comandante(a)gmail.com> > Date: Thu, 14 Nov 2013 10:41:47 +0100 > To: Jamie Levy<jamie.levy(a)gmail.com> > Cc: Volatility List<vol-users(a)volatilesystems.com> > Subject: Re: [Vol-users] Help to add new plugin > > > Sorry I had a typo i didn´t write --profile=Win7SP1x64 > > >> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 > > > > I have the same error of ever :( > >> Volatility Foundation Volatility Framework 2.3.1 >> ERROR : __main__ : You must specify something to do (try -h) > > > Thanks!! > > El 14/11/2013, a las 09:36, David <eterno.comandante(a)gmail.com> escribió: > >> Hi @Jamie and list >> >> Thanks very much for your support ;) >> >> I’ve same errors when i’m executing: :( >> >> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img >> >> The error: >> >> Volatility Foundation Volatility Framework 2.3.1 >> ERROR : __main__ : You must specify something to do (try -h) >> >> Maybe the cause of this error can be that the new plugin “ethscan" isn't compatible with non instalable version of volatility 2.3.1, what do you think about? >> >> On the other hand, i found a brief tutorial about ethscan: >> >> https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.t… >> >> vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S >> >> The execution of the vol.py command is different……. :( >> >> He does not the flag —-plugin= >> >> Thanks for all!! >> >> Ps: My apologies for my level of english >> >> >> El 13/11/2013, a las 16:43, Jamie Levy <jamie.levy(a)gmail.com> escribió: >> >>> Hi David, >>> >>> I think you might have also asked this on the channel. So yes, you should use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a folder that has that plugin. If you were the person on the channel, the issue that you were having is because you must specify `--plugins` first, BEFORE any other options to vol.py: >>> >>> http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Addit… >>> >>> Let me know if you have any other questions. >>> >>> All the best, >>> >>> -gleeda >>> >>> >>> >>> >>> On Tue, Nov 12, 2013 at 6:42 AM, David Martin <eterno.comandante(a)gmail.com> wrote: >>> Hello list, >>> >>> Please, I need some help about for add/use new plugins in volatility 2.3.1. >>> >>> Can I use the flag "--plugins=contrib/plugins"? o is there any method? >>> >>> The plugin that I want for add/use is: >>> >>> https://code.google.com/p/jamaal-re-tools/source/checkout >>> >>> Thanks for your support!! >>> >>> >>> >>> >>> >>> _______________________________________________ >>> Vol-users mailing list >>> Vol-users(a)volatilesystems.com >>> http://lists.volatilesystems.com/mailman/listinfo/vol-users >>> >>> >>> >>> >>> -- >>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 >> >

11 years, 5 months

1
0
0 0

Re: [Vol-users] Help to add new plugin

by Jamie Levy

Try: sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan First: --plugins takes in either a directory or a zipfile, not a plugin Second: You didn't specify which plugin to run (ethscan) -----Original Message----- From: David <eterno.comandante(a)gmail.com> Date: Thu, 14 Nov 2013 10:41:47 To: Jamie Levy<jamie.levy(a)gmail.com> Cc: Volatility List<vol-users(a)volatilesystems.com> Subject: Re: [Vol-users] Help to add new plugin Sorry I had a typo i didn´t write --profile=Win7SP1x64 > sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 I have the same error of ever :( > Volatility Foundation Volatility Framework 2.3.1 > ERROR : __main__ : You must specify something to do (try -h) Thanks!! El 14/11/2013, a las 09:36, David <eterno.comandante(a)gmail.com> escribió: > Hi @Jamie and list > > Thanks very much for your support ;) > > I’ve same errors when i’m executing: :( > > sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img > > The error: > > Volatility Foundation Volatility Framework 2.3.1 > ERROR : __main__ : You must specify something to do (try -h) > > Maybe the cause of this error can be that the new plugin “ethscan" isn't compatible with non instalable version of volatility 2.3.1, what do you think about? > > On the other hand, i found a brief tutorial about ethscan: > > https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.t… > > vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S > > The execution of the vol.py command is different……. :( > > He does not the flag —-plugin= > > Thanks for all!! > > Ps: My apologies for my level of english > > > El 13/11/2013, a las 16:43, Jamie Levy <jamie.levy(a)gmail.com> escribió: > >> Hi David, >> >> I think you might have also asked this on the channel. So yes, you should use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a folder that has that plugin. If you were the person on the channel, the issue that you were having is because you must specify `--plugins` first, BEFORE any other options to vol.py: >> >> http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Addit… >> >> Let me know if you have any other questions. >> >> All the best, >> >> -gleeda >> >> >> >> >> On Tue, Nov 12, 2013 at 6:42 AM, David Martin <eterno.comandante(a)gmail.com> wrote: >> Hello list, >> >> Please, I need some help about for add/use new plugins in volatility 2.3.1. >> >> Can I use the flag "--plugins=contrib/plugins"? o is there any method? >> >> The plugin that I want for add/use is: >> >> https://code.google.com/p/jamaal-re-tools/source/checkout >> >> Thanks for your support!! >> >> >> >> >> >> _______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilesystems.com >> http://lists.volatilesystems.com/mailman/listinfo/vol-users >> >> >> >> >> -- >> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 >

11 years, 5 months

1
0
0 0

Lookup Process Name by Memory Address on Windows XP

by Matthew Wong

Hello All, I'm new to Volatility. Say I found the string "password=hello world" somewhere in the memory, is there anyway for me to know which process that memory block is currently allocated to? -- matt

11 years, 5 months

4
4
0 0

Help to add new plugin

by David Martin

Hello list, Please, I need some help about for add/use new plugins in volatility 2.3.1. Can I use the flag "--plugins=contrib/plugins"? o is there any method? The plugin that I want for add/use is: https://code.google.com/p/jamaal-re-tools/source/checkout Thanks for your support!!

11 years, 5 months

2
1
0 0

problem using winpmem tool

by Nouman Zia

Hi, I am using winpmem 1.3.1 for imaging in volatility but whenever I tried to use any of feature of winpmem it gives error: "Cannot open SCM? Are you administrator" Where as I don't have any administrative passwords... So how can I solve this issue...???

11 years, 5 months

3
2
0 0

diagnose problematic ram dump?

by Dewhirst, Rob

I have a Win7SP1x64 image with the following issues: imageinfo never completes (this is as far as it gets) Determining profile based on KDBG search... Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 AS Layer1 : AMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/data/8564/8564.raw) PAE type : No PAE DTB : 0x187000L pslist shows no processes netscan shows no connections. I am using Volatility 2.3.1 on linux, but I have tried the standalone windows exe with the same results. Image was collected with winpmem 1.4.1, and I watched the capture. I did not see any errors and it seemed to take about the right amount of time. What would be my next steps to troubleshoot?

11 years, 5 months

5
6
0 0

Three 2014 Volatility & Memory Forensics trainings are now scheduled

by Andrew Case

As we previously sent to the list, the Volatility team will be holding training sessions in San Diego in January and London in June: http://volatility-labs.blogspot.com/2013/09/2014-malware-and-memory-forensi… We have now also finalized plans for a training in NYC in May: http://volatility-labs.blogspot.com/2013/10/2014-malware-and-memory-forensi… These will be the only public trainings through August of next year, and we have already received substantial interest in each one. If you plan to attend do not wait until the last minute to contact us as for our last several trainings we have had to turn away people once the classroom fills. If your company is interested in a private training or hosting a public training in exchange for a few free seats then please let us know ASAP as these opportunities for 2014 will likely be taken by other companies over the next month or two. Finally, the Volatility team would like to thank everyone who came out to OMFW and to those of you who attended our OSDFC talk and showed support for the project. Over the next couple weeks we will be sending out slides and updates from OMFW, and please reach out to us if you have questions for any of the speakers that you did not get to ask in person. Thanks, Andrew (@attrc)

11 years, 5 months

1
0
0 0

timeliner and 64-bit image?

by Thomas

Hi, currently I'm preparing a Volatility Workshop ... and writing the docs I did run several plugins. My test case contains a Win7SP1x64 image. Everything is fine, except the contrib/malware plugins (poisonivy, zeus) did complain about: This command does not support the profile Win7SP1x64 No I get this error message also for timeliner!? But timeliner did work correctly past weekend, using the _same_ Win7SPx64 image! Using a different image containing WinXP timeliner does work correctly. I'm using Revision 3532. What did happen with timeliner? Regards, Thomas

11 years, 6 months

2
3
0 0

Volatility 2.3 Released! (Official Mac OS X and Android Support)

by AAron Walters

https://code.google.com/p/volatility/ The Volatility Foundation is thrilled to announce the official release of Volatility 2.3! While the main goal of this release was Mac OS X (x86, x64) and Android Arm support, we also included a number of other exciting new capabilities! Highlights of this release include: Mac OS X: * New MachO address space for 32-bit and 64-bit Mac memory samples * Over 30+ plugins for Mac memory forensics Linux/Android: * New ARM address space to support memory dumps from Linux and Android devices on ARM hardware * Plugins to scan Linux process and kernel memory with yara signatures, dump LKMs to disk, and check TTY devices for rootkit hooks * Plugins to check the ARM system call and exception vector tables for hooks Windows: * New plugins: - Parse IE history/index.dat URLs - Recover shellbags data - Dump cached files (exe/pdf/doc/etc) - Extract the MBR and MFT records - Explore recently unloaded kernel modules - Dump SSL private and public keys/certs - Display details on process privileges - Detect poison ivy infections - Find and decrypt configurations in memory for poison ivy, zeus v1, zeus v2 and citadelscan 1.3.4.5 * Plugin Enhancements: - Apihooks detects duqu style instruction modifications - Crashinfo displays uptime, systemtime, and dump type - Psxview plugin adds two new sources of process listings from the GUI APIs - Screenshots plugin shows text for window titles - Svcscan automatically queries the cached registry for service dlls - Dlllist shows load count to distinguish between static and dynamic loaded dlls New Address Spaces: * VirtualBox ELF64 core dumps * VMware saved state (vmss) * VMware snapshot (vmsn) files * FDPro's non-standard HPAK format * New plugins: vboxinfo, vmwareinfo, hpakinfo, hpakextract We also wanted to take this opportunity to recognize those on the development team who's continued dedication to open source forensics and the Volatility community has made this release possible: Mike Auty, Andrew Case, Michael Hale Ligh, Jamie Levy, and AAron Walters. These people volunteer their time and skills to bring you the most advanced and innovative memory forensics framework in the world! If you appreciate the hard work they put into Volatility, I encourage you help defend the rights of open source developers and support developer endorsed events! Finally, shoutz to the Volatility Community for their continued support and feedback! In particular, the following members of the Volatility community made significant contributions to this release: - Cem Gurkok for his work on the privileges plugin for Windows - Nir Izraeli for his work on the VMware snapshot address space (see also the vmsnparser project) - @osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit) - @osxreverser of reverse.put.as for his help with OSX memory analysis - Carl Pulley for numerous bug reports, example patches, and plugin testing - Andreas Schuster for his work on poison ivy plugins for Windows - Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities - Philippe Teuwen for his work on the virtual box address space - Santiago Vicente for his work on the citadel plugins for Windows If you want to learn more about Volatility 2.3 or just hang out with the Volatility development team, I encourage you to register for the Open Memory Forensics Workshop 2013. Please register quickly, we will be ending registration by COB Friday, October 25 (Today). There have been a couple last minute cancellations, so you may still have a chance to reserve a seat!

11 years, 6 months

1
0
0 0

Re: [Vol-users] (win7x64) : creating images for volatility

by Boudewijn Ector

On 23-10-13 17:28, david nardoni wrote: > Also I would try netscan instead of connscan for win7. But it sounds like a problem with the > memory dump > Yeah I suppose the memorydump is *****ed... but wanted to make sure since I heard some rumours about having problems with *large* dumps on x64. And indeed I meant netscan, instead of connscan. My bad. @MHL: Thanks. indeed, old svn version... I'm using too many machines I guess. Just updated and reinstalled from trunk. On 23-10-13 17:37, Jamie Levy wrote: > You must have admin in order to acquire memory... How did you manage > to get a sample without having admin? If you have a virtualized > environment then you can acquire the memory from outside the machine > without having admin privileges on the acquired machine, however > (vmsn/vmss on esx for example). Actually, I do not know. I wasn't involved in the actual incident until some other guys decided to ask me. It's a bare metal box, so no hypervisor involved. Furthermore, they might have had admin but I'll probably create some new memory samples tomorrow and getting admin in a timely manner is quite hard. Currently the box is next to me so I can take some time to create a good sample. On 23-10-13 17:30, Andrew Case wrote: > Nice to hear from someone from our class =) Nice to see all three teachers reply on-list. Hope you enjoyed teaching the class as much as I did attending it. > > A few things about your post... > > 8GB on x64 is where several acquisition tools seem to break, so it is > may be that and your output seems to indicate so. Since the box is actually idling, I might remove a DIMM and thereby create a nice 4GB environment. The reason for keeping the 8gigs in is that it will improve my chances of having trace still in memory instead of having those swapped/overwritten. Is there a fast way to tell the image is bad? (yup I think my current one is bad, but I'm going to need to test again by tomorrow) And, is the slowness being indicative of having a bad image? > Also, you are using Volatility 2.2 which is quite old at this point. I > would recommend using the latest through SVN. Not only is there many > bugfixes, but also new plugins, such as iehist Yup. That's the plugin I was looking for. Guess I downloaded the release version of volatility on this box, instead of getting it from SVN. Fixed it, thanks! > Also, we have full support for networking information on Windows 7 > x64, you just have to use the netscan plugin and not the others > (sockets, sockscan, etc.). Indeed. > Do you have any other acquisition tools you can use or are your > machines virtualized? I can use whatever free tools I like, and am probably allowed to spend a moderate amount of money in order to buy stuff. Buying tools will take time though (boss has to acknowledge the order etc etc etc) so getting free stuff is preferred. The infected machines are not virtualised and the malware is probably virtualisation-aware, so that's not an option I'm afraid. Anybody got some more useful stuff? I used volatility quite a couple of times but never created my own images on hardware (used either somebody else's samples or VMs). Cheers, Boudewijn Ector

11 years, 6 months

2
2
0 0

(win7x64) : creating images for volatility

by Boudewijn Ector

Hi guys, Currently I've got a sample of an infected win7 machine with enough memory (8gb) which is not being used by anything except for 'the malware' (no running office etc) so quite a lot of stuff should not have been swapped out of memory yet. Strangely, I can't dump the process: ; vol.py -f dump.raw --profile=Win7SP1x64 procexedump -p 4932 --dump-dir results/4932.bin Volatile Systems Volatility Framework 2.2 Process(V) ImageBase Name Result ------------------ ------------------ -------------------- ------ Okay so it might be not in memory anymore... fine. So let's scan for network activity using connscan. This does not yield any results either.... just like svcscan. Also the image is very very slow... on a regular machine (core i5 2400, 20gb mem) running imageinfo on the 8gb images takes about 10 minutes. Also malfind mentions : WARNING : volatility.obj : NoneObject as string: Invalid Address 0x05140000, instantiating _MMADDRESS_NODE WARNING : volatility.obj : NoneObject as string: Invalid Address 0x05140000, instantiating _MMADDRESS_NODE WARNING : volatility.obj : NoneObject as string: Invalid Address 0x21A4C320A, instantiating _MMADDRESS_NODE WARNING : volatility.obj : NoneObject as string: Invalid Address 0x21A4C320A, instantiating _MMADDRESS_NODE Psxview says al processes are like this: 0x000000021a841060 <PROCESSNAME> 6640 False True False False False Isn't that just weird? (yes it's because psscan is the only module being able to retrieve data from memory... but isn't that strange) This makes me presume my memory images are broken. My collaegue probably (!) used winpmem -f for doing this. What's the best way to create a memory image on a windows7 x64 box without having admin? (these boxes are remotely managed and it takes a looooot of time to make sure an admin will do something). Or is this just perfectly normal behaviour and is win7x64 just being badly supported by volatility? (I know the networkbased plugins don't work but that's okay... it's being mentioned in the docs) Furthermore: during our recent volatility training (in amsterdam), we used a plugin for getting data from internet explorer history. I had a look online and didn't find it, is it non-public? Cheers, Boudewijn Ector

11 years, 6 months

4
3
0 0

How to create Linux Profile?

by chris-2012＠arcor.de

Dear all, I tried to create a Linux profile according to [1]. Which packages are needed for an Ubuntu profile? I downloaded linux-headers-2.6.32-41_2.6.32-41.91_all.deb, extracted the file on a CentOS machine and pointed the Makefile to the header's path. The error message was: /tmp/header/usr/src/linux-headers-2.6.32-41/lib/modules/2.6.32-41/build was not found. 1. Do I have to download any other packages? 2. Is it possible to compile module.c on another distribution or do I need a running Ubuntu 10? Thank you in advance! Chris [1] http://code.google.com/p/volatility/wiki/LinuxMemoryForensics

11 years, 6 months

2
2
0 0

New plugins: Filelist and Virustotal

by Sebastien Bourdon-Richard

Hi, Based on the work AAron and the Volatility team have done for the dumpfiles plugin (thanks for the plugin btw), I have wrote two new plugins for Volatility. I have coded those plugins to learn more about the new dumpfiles plugin. I'm sharing them hoping they will be useful for someone else. The first plugin is filelist. It is used to list files that can be extracted by the dumpfiles plugin. The second plugin is virustotal and it is used to query/submit cached memory files to virustotal. Both plugins can be downloaded here [1]. Here's some examples on how to use the filelist plugin. Memory sample [2] was used for the examples. List exe files in the memory dump: C:\Volatility>python vol.py -f Bob.vmem filelist -r \.exe Volatility Foundation Volatility Framework 2.3 Offset PID Present Type File Name ------------ ----- ------- -------------------- ----------------------------------------------------------------------------------- 0x81dd28d0 548 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\smss.exe 0x822741c8 612 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\csrss.exe 0x82264028 644 Yes DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\sdra64.exe 0x81d45b00 644 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe 0x81d45b00 644 No DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe 0x822ec7f8 688 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\services.exe 0x81e5c028 700 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\lsass.exe 0x8226ba70 852 Yes ImageSectionObject \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmacthlp.exe 0x81d476d8 880 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe 0x81d476d8 880 No DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe 0x822dfbd0 1460 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe 0x82113220 1628 Yes ImageSectionObject \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmtoolsd.exe 0x81d163f8 1836 Yes ImageSectionObject \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe 0x81cf83a0 2024 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\alg.exe 0x81e584c0 1756 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\explorer.exe 0x81e584c0 1756 Yes DataSectionObject \Device\HarddiskVolume1\WINDOWS\explorer.exe 0x81ca9028 1108 Yes ImageSectionObject \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\VMwareTray.exe 0x81ca9028 1108 No DataSectionObject \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\VMwareTray.exe 0x820cdbd8 1116 Yes ImageSectionObject \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\VMwareUser.exe 0x820a83a8 1132 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\wscntfy.exe 0x81cbdd18 244 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\msiexec.exe 0x81cbdd18 244 Yes DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\msiexec.exe 0x820c3298 440 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\wuauclt.exe 0x820c3298 440 No DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\wuauclt.exe 0x81dc2e90 888 Yes ImageSectionObject \Device\HarddiskVolume1\Program Files\Mozilla Firefox\firefox.exe 0x81dc2e90 888 Yes DataSectionObject \Device\HarddiskVolume1\Program Files\Mozilla Firefox\firefox.exe 0x82077868 1752 Yes ImageSectionObject \Device\HarddiskVolume1\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe 0x82077868 1752 Yes DataSectionObject \Device\HarddiskVolume1\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe List all files opened by PID 644 (i.e: winlogon.exe with Zeus/Zbot injected): C:\Volatility>python vol.py -f Bob.vmem filelist -p 644 Volatility Foundation Volatility Framework 2.3 Offset PID Present Type File Name ------------ ----- ------- -------------------- ------------------------------------------------------------------------------------- 0x82264028 644 Yes DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\sdra64.exe 0x81ebe598 644 Yes DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\lowsec\user.ds 0x822e3ea0 644 Yes DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\lowsec\local.ds 0x81f14590 644 No DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\unicode.nls 0x81ebe028 644 No DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\sortkey.nls 0x81e4f4b0 644 No DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\locale.nls 0x822a4210 644 No DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\sorttbls.nls 0x822da598 644 No DataSectionObject \Device\HarddiskVolume1\WINDOWS\system32\ctype.nls 0x81d45b00 644 Yes ImageSectionObject \Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe […] List DataSectionObject files listed in the HandleTable for the AcroRd32.exe process (PID 1752): C:\Volatility>python vol.py -f Bob.vmem filelist -p 1752 -F DataSectionObject,HandleTable Volatility Foundation Volatility Framework 2.3 Offset PID Present Type File Name ------------ ----- ------- -------------------- ----------------------------------------------------------------------------------------------- 0x81c8c8e8 1752 Yes DataSectionObject \Device\HarddiskVolume1\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr107.tmp 0x8206f028 1752 Yes DataSectionObject \Device\HarddiskVolume1\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr106.tmp 0x81dfadf0 1752 Yes DataSectionObject \Device\HarddiskVolume1\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp\PDF.php 0x81ec1960 1752 Yes DataSectionObject \Device\HarddiskVolume1\Program Files\Adobe\Acrobat 6.0\Reader\Messages\ENU\RdrMsgENU.pdf 0x81ec8f90 1752 Yes DataSectionObject \Device\HarddiskVolume1\Documents and Settings...Temporary Internet Files\Content.IE5\index.dat 0x820da3d8 1752 Yes DataSectionObject \Device\HarddiskVolume1\Documents and Settings\Administrator\Cookies\index.dat 0x820da470 1752 Yes DataSectionObject \Device\HarddiskVolume1\Documents and Settings...r\Local Settings\History\History.IE5\index.dat Here's some examples on how to use the virustotal plugin. Please note that Virustotal plugin does not submit any files to VT by default. To use this plugin, edit virustotal.py and enter your VT API Key. By default, the plugin operate in public mode (i.e: maximum 4 requests per minute to VT). However, if you have a private key, it's possible to adjust the delay between queries with the --delay option. Query Virustotal for the file sdra64.exe present in memory: C:\Volatility>python vol.py -f Bob.vmem virustotal -r sdra64\.exe Volatility Foundation Volatility Framework 2.3 ************************************************************************ File: \Device\HarddiskVolume1\WINDOWS\system32\sdra64.exe Cache file type: DataSectionObject PID: 644 MD5: b3e40cb29a3125ac862570ed5b5212a5 Detection ratio: 38/41 Analysis date: 2010-05-23 00:22:26 Antivirus Result Update ------------------------- ---------------------------------------- ------------ nProtect Trojan.Generic.KD.387 20100522 CAT-QuickHeal Win32.Packed.Krap.ao.4 20100521 McAfee PWS-Zbot.gen.ak 20100523 TheHacker Trojan/Kryptik.cqz 20100522 VirusBuster Trojan.Kryptik.IBE 20100522 NOD32 a variant of Win32/Kryptik.CQZ 20100522 F-Prot W32/Agent.FG.gen!Eldorado 20100523 Symantec Packed.Generic.292 20100522 Norman W32/Zbot.PFX 20100522 TrendMicro-HouseCall TROJ_ZBOT.AZR 20100523 Avast Win32:Crypt-FWN 20100522 eSafe None 20100520 ClamAV Trojan.Zbot-8228 20100522 Kaspersky Packed.Win32.Krap.ao 20100522 BitDefender Trojan.Generic.KD.387 20100523 Comodo TrojWare.Win32.TrojanSpy.Zbot.Gen 20100522 F-Secure Trojan.Generic.KD.387 20100522 DrWeb Trojan.Winlock.1115 20100522 AntiVir TR/Agent.AO.177 20100521 TrendMicro TROJ_ZBOT.AZR 20100522 McAfee-GW-Edition PWS-Zbot.gen.ak 20100522 Sophos Mal/FakeAV-BW 20100522 eTrust-Vet Win32/FakeAV!generic 20100521 Authentium W32/Agent.FG.gen!Eldorado 20100522 Jiangmin Packed.Krap.cfls 20100522 Antiy-AVL Packed/Win32.Krap.gen 20100521 a-squared Packed.Win32.Krap!IK 20100510 Microsoft Trojan:Win32/Malagent 20100522 ViRobot None 20100522 Prevx Medium Risk Malware 20100523 GData Trojan.Generic.KD.387 20100522 AhnLab-V3 Win-Trojan/Burnix.Gen 20100522 VBA32 Trojan.Win32.Inject.anij 20100522 Sunbelt Trojan-Spy.Win32.Zbot.gen (v) 20100522 PCTools HeurEngine.MaliciousPacker 20100522 Rising Trojan.Win32.Generic.51FFF748 20100522 Ikarus Packed.Win32.Krap 20100522 Fortinet None 20100522 AVG Cryptic.BL 20100523 Panda Trj/Krap.Y 20100522 Avast5 Win32:Crypt-FWN 20100522 Query DataSectionObject files listed in the HandleTable for the AcroRd32.exe process (PID 1752): C:\Volatility>python vol.py -f Bob.vmem virustotal -p 1752 -F DataSectionObject,HandleTable Volatility Foundation Volatility Framework 2.3 ************************************************************************ File: \Device\HarddiskVolume1\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr107.tmp Cache file type: DataSectionObject PID: 1752 MD5: aeb2581f6c99b4434fb8ed96aeb3e43d Detection ratio: 0/42 Analysis date: 2010-04-04 15:04:31 ************************************************************************ File: \Device\HarddiskVolume1\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Acr106.tmp Cache file type: DataSectionObject PID: 1752 MD5: c6ea3ec108b4610831883617dc877f4b Detection ratio: 0/42 Analysis date: 2010-04-04 15:04:05 ************************************************************************ File: \Device\HarddiskVolume1\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp\PDF.php Cache file type: DataSectionObject PID: 1752 MD5: cb5bfbeaa27248ca8218414c61da9a56 Detection ratio: 13/41 Analysis date: 2010-05-13 13:08:49 Antivirus Result Update ------------------------- ---------------------------------------- ------------ nProtect Exploit.PDF-Name.Gen 20100513 CAT-QuickHeal None 20100513 McAfee None 20100513 TheHacker None 20100513 VirusBuster None 20100512 NOD32 None 20100513 F-Prot None 20100513 Symantec Bloodhound.PDF.8 20100513 Norman None 20100513 TrendMicro-HouseCall None 20100513 Avast JS:Pdfka-gen 20100513 eSafe None 20100511 ClamAV None 20100513 Kaspersky None 20100513 BitDefender Exploit.PDF-Name.Gen 20100513 Comodo UnclassifiedMalware 20100513 F-Secure Exploit.PDF-Name.Gen 20100513 DrWeb None 20100513 AntiVir None 20100512 TrendMicro None 20100513 McAfee-GW-Edition None 20100513 Sophos Mal/PDFEx-D 20100513 eTrust-Vet None 20100513 Authentium None 20100513 Jiangmin None 20100513 Antiy-AVL None 20100513 a-squared Exploit.Win32.Pdfjsc!IK 20100510 Microsoft Exploit:Win32/Pdfjsc.EF 20100513 ViRobot None 20100513 Prevx None 20100513 GData Exploit.PDF-Name.Gen 20100513 AhnLab-V3 None 20100513 VBA32 None 20100513 Sunbelt None 20100513 PCTools HeurEngine.PDF 20100513 Rising None 20100513 Ikarus Exploit.Win32.Pdfjsc 20100513 Fortinet None 20100513 AVG None 20100513 Panda None 201005 Avast5 JS:Pdfka-gen 20100513 ************************************************************************ File: \Device\HarddiskVolume1\Program Files\Adobe\Acrobat 6.0\Reader\Messages\ENU\RdrMsgENU.pdf Cache file type: DataSectionObject PID: 1752 MD5: cd3c38c9c0e910bf1fe722871039cf3d Detection ratio: 0/42 Analysis date: 2010-04-04 18:36:07 ************************************************************************ File: \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Cache file type: DataSectionObject PID: 1752 MD5: 1b6e92d96236f8d2307412283c7666cb File not present on VirusTotal ************************************************************************ File: \Device\HarddiskVolume1\Documents and Settings\Administrator\Cookies\index.dat Cache file type: DataSectionObject PID: 1752 MD5: 7b00dbeb59f8fc8e70f291731bd36811 File not present on VirusTotal ************************************************************************ File: \Device\HarddiskVolume1\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Cache file type: DataSectionObject PID: 1752 MD5: b995dc0123737ae13a70f71c88657daf File not present on VirusTotal * Query all pdf.php files in memory (ignore case) and upload any file that is unknown to VirusTotal:* C:\Volatility>python vol.py -f Bob.vmem virustotal -r pdf.php -i --submit Volatility Foundation Volatility Framework 2.3 *********************************************************************** File: \Device\HarddiskVolume1\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp\PDF.php Cache file type: DataSectionObject PID: 1752 MD5: cb5bfbeaa27248ca8218414c61da9a56 Detection ratio: 13/41 Analysis date: 2010-05-13 13:08:49 Antivirus Result Update ------------------------- ---------------------------------------- ------------ nProtect Exploit.PDF-Name.Gen 20100513 CAT-QuickHeal None 20100513 McAfee None 20100513 TheHacker None 20100513 VirusBuster None 20100512 NOD32 None 20100513 F-Prot None 20100513 Symantec Bloodhound.PDF.8 20100513 Norman None 20100513 TrendMicro-HouseCall None 20100513 Avast JS:Pdfka-gen 20100513 eSafe None 20100511 ClamAV None 20100513 Kaspersky None 20100513 BitDefender Exploit.PDF-Name.Gen 20100513 Comodo UnclassifiedMalware 20100513 F-Secure Exploit.PDF-Name.Gen 20100513 DrWeb None 20100513 AntiVir None 20100512 TrendMicro None 20100513 McAfee-GW-Edition None 20100513 Sophos Mal/PDFEx-D 20100513 eTrust-Vet None 20100513 Authentium None 20100513 Jiangmin None 20100513 Antiy-AVL None 20100513 a-squared Exploit.Win32.Pdfjsc!IK 20100510 Microsoft Exploit:Win32/Pdfjsc.EF 20100513 ViRobot None 20100513 Prevx None 20100513 GData Exploit.PDF-Name.Gen 20100513 AhnLab-V3 None 20100513 VBA32 None 20100513 Sunbelt None 20100513 PCTools HeurEngine.PDF 20100513 Rising None 20100513 Ikarus Exploit.Win32.Pdfjsc 20100513 Fortinet None 20100513 AVG None 20100513 Panda None 20100512 Avast5 JS:Pdfka-gen 20100513 ************************************************************************ File: \Device\HarddiskVolume1\DOCUME~1\ADMINI~1\LOCALS~1\Temp\plugtmp\PDF.php Cache file type: SharedCacheMap PID: 1752 MD5: ef6f0c1e573d6fbfa9c5b0d77cfbe2cd File not present on VirusTotal. Uploading file... Scan request successfully queued, come back later for the report Requested item is still queued for analysis...waiting 60 seconds Requested item is still queued for analysis...waiting 60 seconds Detection ratio: 17/40 Analysis date: 2013-10-14 19:35:44 Antivirus Result Update ------------------------- ---------------------------------------- ------------ MicroWorld-eScan Exploit.PDF-Name.Gen 20131014 nProtect Exploit.PDF-Name.Gen 20131014 CAT-QuickHeal None 20131014 McAfee None 20131014 Malwarebytes None 20131014 K7AntiVirus None 20131014 K7GW None 20131014 TheHacker None 20131014 NANO-Antivirus Exploit.Script.Pdfka.lcgj 20131014 F-Prot None 20131014 Symantec Bloodhound.PDF.8 20131014 Norman Obfuscated.JS 20131014 ByteHero None 20130923 Avast JS:Pdfka-gen [Expl] 20131014 ClamAV Heuristics.PDF.ObfuscatedNameObject 20131013 Kaspersky None 20131014 BitDefender Exploit.PDF-Name.Gen 20131012 Agnitum None 20131014 ViRobot None 20131014 Emsisoft Exploit.PDF-Name.Gen (B) 20131014 Comodo None 20131014 DrWeb SCRIPT.Virus 20131014 AntiVir EXP/Pidief.OR 20131014 McAfee-GW-Edition None 20131014 Sophos Mal/PdfEx-C 20131014 Jiangmin None 20131014 Panda None 20131014 Antiy-AVL None 20131014 Kingsoft None 20130829 Microsoft Exploit:Win32/Pdfjsc.EF 20131014 SUPERAntiSpyware None 20131014 GData Exploit.PDF-Name.Gen 20131014 Commtouch PDF/Obfusc.G!Camelot 20131014 TotalDefense None 20131011 VBA32 None 20131014 PCTools HeurEngine.PDF 20131002 ESET-NOD32 None 20131014 Ikarus Exploit.JS.Pdfka 20131014 Fortinet None 20131014 Baidu-International None 20131014 Hope this help! Regards, Sebastien [1]: https://github.com/sebastienbr/Volatility/tree/master/plugins [2]: https://www.honeynet.org/challenges/2010_3_banking_troubles

11 years, 6 months

2
1
0 0

yarascan failing to find libyara, I think

by David Kovar

Greetings, Vol 2.3 built from svn. Yara built from yara-project. OS is OS X 10.8.5. I tore out all the old copies of volatility while trying to get this to work. praha:mem kovar$ vol.py -f xp-base-44f9a302.vmem --profile WinXPSP3x86 yarascan -Y 'foo' Volatility Foundation Volatility Framework 2.3 ERROR : volatility.plugins.malware.malfind: Please install Yara from code.google.com/p/yara-project praha:mem kovar$ yara -v yara 2.0 (rev:223) bash-3.2# ls -l /usr/local/lib/libyara* lrwxr-xr-x 1 root admin 15 Oct 12 12:36 /usr/local/lib/libyara.0.0.0.dylib -> libyara.0.dylib -rwxr-xr-x 1 root admin 113736 Oct 12 12:36 /usr/local/lib/libyara.0.dylib -rw-r--r-- 1 root admin 393560 Oct 12 12:36 /usr/local/lib/libyara.a lrwxr-xr-x 1 root admin 15 Oct 12 12:36 /usr/local/lib/libyara.dylib -> libyara.0.dylib -rwxr-xr-x 1 root admin 938 Oct 12 12:36 /usr/local/lib/libyara.la -David

11 years, 6 months

1
1
0 0

Re: [Vol-users] yarascan failing to find libyara, I think

by David Kovar

Greetings, I had the 1.6 version installed. I tore it out and tried to build 1.7 but that is failing: bash-3.2# python setup.py build running build running build_ext building 'yara' extension cc -fno-strict-aliasing -fno-common -dynamic -I/usr/local/include -I/usr/local/opt/sqlite/include -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -I/usr/local/include -I/usr/local/Cellar/python/2.7.3/Frameworks/Python.framework/Versions/2.7/include/python2.7 -c yara-python.c -o build/temp.macosx-10.8-x86_64-2.7/yara-python.o yara-python.c:259: error: expected specifier-qualifier-list before ‘YARA_CONTEXT’ yara-python.c:321: error: expected declaration specifiers or ‘...’ before ‘YARA_CONTEXT’ yara-python.c: In function ‘process_externals’: yara-python.c:338: warning: implicit declaration of function ‘yr_define_integer_variable’ yara-python.c:338: error: ‘context’ undeclared (first use in this function) yara-python.c:338: error: (Each undeclared identifier is reported only once yara-python.c:338: error: for each function it appears in.) yara-python.c:342: warning: implicit declaration of function ‘yr_define_boolean_variable’ yara-python.c:346: warning: implicit declaration of function ‘yr_define_string_variable’ yara-python.c: At top level: yara-python.c:358: error: expected declaration specifiers or ‘...’ before ‘YARA_CONTEXT’ yara-python.c: In function ‘Rules_new_from_file’: Shall see if I can figure that out and then come back to Volatility. -David On Oct 12, 2013, at 12:43 PM, Lorenzo Cantoni <lorenzo.cantoni86(a)gmail.com> wrote: > Did you installed also the python bindings? (yarapython) > > Il 12/ott/2013 19:37 "David Kovar" <dkovar(a)gmail.com> ha scritto: > Greetings, > > Vol 2.3 built from svn. Yara built from yara-project. OS is OS X 10.8.5. I tore out all the old copies of volatility while trying to get this to work. > > praha:mem kovar$ vol.py -f xp-base-44f9a302.vmem --profile WinXPSP3x86 yarascan -Y 'foo' > Volatility Foundation Volatility Framework 2.3 > ERROR : volatility.plugins.malware.malfind: Please install Yara from code.google.com/p/yara-project > > praha:mem kovar$ yara -v > yara 2.0 (rev:223) > > bash-3.2# ls -l /usr/local/lib/libyara* > lrwxr-xr-x 1 root admin 15 Oct 12 12:36 /usr/local/lib/libyara.0.0.0.dylib -> libyara.0.dylib > -rwxr-xr-x 1 root admin 113736 Oct 12 12:36 /usr/local/lib/libyara.0.dylib > -rw-r--r-- 1 root admin 393560 Oct 12 12:36 /usr/local/lib/libyara.a > lrwxr-xr-x 1 root admin 15 Oct 12 12:36 /usr/local/lib/libyara.dylib -> libyara.0.dylib > -rwxr-xr-x 1 root admin 938 Oct 12 12:36 /usr/local/lib/libyara.la > > -David > > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

11 years, 6 months

1
0
0 0

How long should it take to run 'wndscan' on 32+G Win7 64bit memory dump?

by Todd A

Hi List, Running volatility-2.2.standalone.exe on Win7 Pro 64bit AMD with 32GB of RAM. I'm new to volatility and I'm attempting to use it to troubleshoot apps that don't play nice with the Windows clipboard. I'm using the steps here: http://www.infosecisland.com/blogview/22429-Detecting-Window-Stations-and-C… I changed my registry to force a complete memory dump by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled to be 1. (http://support.microsoft.com/kb/969028) I used System Internal's NotMyFault tool with the /crash switch to create the dump. (https://code.google.com/p/volatility/wiki/CrashAddressSpace) The resulting c:\windows\memory.dmp file is about 34GB in size. When I launch volatility, this is as far as it gets: C:\Users\taa\Downloads>volatility-2.2.standalone.exe -f c:\windows\memory.dmp --profile=Win7SP1x64 wndscan Volatile Systems Volatility Framework 2.2 It has been showing this for close to 3.75 hours. Task Manager shows two instances of volatility-2.2.standalone.exe running, one at a constant 1,144K RAM usage, and the other instance with RAM usage constantly changing in the range of 58MB to 73MB, averaging 13% CPU utilization. To mean this indicates it is doing /something/ even if it is caught in an infinite loop. If it's reasonable for volatility to run this long and longer, I'll just be patient, though it would be helpful if someone could give me an idea of how long it might take. If this is taking too long, what can I do to troubleshoot what it's doing? Kind regards, Todd

11 years, 6 months

2
2
0 0

Aw: Re: [Vol-users] KVM and Memory Dump

by chris-2012＠arcor.de

Hi Guanglin, thank you for your reply! I'm absolutely newbie, so my questions are probably a bit tedious. > > Libvmi seems a bit complicated to install, at least compared to the > > vboxmanage debugvm command. Is libvmi required for KVM or is it possible > to > > use virsh dump? > > > You should use LibVMI just for "online live" forensics over a virtual > machine. > > If you merely need an offline memory dump of a KVM virtual machine, feel > free to use virsh dump without LibVMI. I'm not sure, if I understand the difference. When I run the victim in a VM, I can hit virsh dump in another host terminal window and get a snapshot of the VM at this point in time? When I tried this a little while ago with an Windows 7 x64 SP0 image, it didn't work. So I thought this method is not suitable... The image format respective profile was recognized with imageinfo correctly. The host is CentOS 6.4. With libvmi I would get continuous updates? Chris

11 years, 6 months

5
6
0 0

Android Memory Forensics without System.map

by Quentin Chaki Cha

Hi guys, i'm working on a project to analyze memory dumps of Android devices with Volatility. But it seems that it isn't possible to do so if the source code does not provide me with the System.map file. I can't compile my own System.map file using commands like "make ARCH=arm CROSS_COMPILE=$CCOMPILER" (this would give me inaccurate addresses) nor can i use the /proc/kallsyms (this does not have symbols required for volatility to prepare) file from the Android device itself. I just wanna verify, is it actually still possible for me to use volatility to analyze this memory dump if the System.map file wasn't distributed with the headers/source? Thanks.

11 years, 6 months

2
1
0 0

KVM and Memory Dump

by chris-2012＠arcor.de

Dear all, sorry, I'm using webmail only and couldn't set an in reply-to header to my last message. Libvmi seems a bit complicated to install, at least compared to the vboxmanage debugvm command. Is libvmi required for KVM or is it possible to use virsh dump? Thank you in advance. - Chris

11 years, 6 months

2
1
0 0

Help building a volatility profile for android

by Tareq Hanaysha

Hi,I am trying to build a volatility 2.3p profile using a mac os host 10.8.5 and a 4.3 android goldfish guest custom kernel.edited my make file under tools/linux/ to: "obj-m += module.oKDIR := ~/goldfish-ksemulator/ CCPATH := ~/android-ndk/toolchains/arm-linux-androideabi-4.7/prebuilt/darwin-x86_64/bin/DWARFDUMP := /Users/Hanaysha/dwarf/dwarfdump/dwarfdump-include version.mkall: dwarfdwarf: module.c $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules$(DWARFDUMP) -di module.ko > module.dwarf "I am awarded with the follwing errors :"Hanayshas-MacBook-Pro:linux Hanaysha$ makemake -C ~/goldfish-ksemulator//lib/modules/12.5.0/build CONFIG_DEBUG_INFO=y M=/Users/Hanaysha/android-volatility/tools/linux modulesmake: *** /Users/Hanaysha/goldfish-ksemulator//lib/modules/12.5.0/build: No such file or directory. Stop.make: *** [dwarf] Error 2Hanayshas-MacBook-Pro:linux Hanaysha$ makemake ARCH=arm CROSS_COMPILE=~/android-ndk/toolchains/arm-linux-androideabi-4.7/prebuilt/darwin-x86_64/bin//arm-linux-androideabi- -C ~/goldfish-ksemulator/ CONFIG_DEBUG_INFO=y M=/Users/Hanaysha/android-volatility/tools/linux modulesBuilding modules, stage 2.MODPOST 1 modulesCC /Users/Hanaysha/android-volatility/tools/linux/module.mod.o/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:8:1: error: variable '__this_module' has initializer but incomplete type/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: error: unknown field 'name' specified in initializer/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: warning: excess elements in struct initializer [enabled by default]/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: warning: (near initialization for '__this_module') [enabled by default]/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: error: unknown field 'arch' specified in initializer/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:10: error: 'MODULE_ARCH_INIT' undeclared here (not in a function)/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: warning: excess elements in struct initializer [enabled by default]/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: warning: (near initialization for '__this_module') [enabled by default]make[2]: *** [/Users/Hanaysha/android-volatility/tools/linux/module.mod.o] Error 1make[1]: *** [modules] Error 2make: *** [dwarf] Error 2"Any ideas !? your help is appreciated

11 years, 6 months

2
1
0 0

stack & heap

by Sebastian Biedermann

Hi guys, I'm trying to find out the addresses of the memory pages of a target process that are used as stack and heap on Linux. (Precisely, I would like to have the output which can be seen in /proc/<pid>/maps for a target process) Unfortunately, the command linux_proc_maps is not working, I always get a segmentation fault, although I tried different kernels as well as Linux setups (Ubuntu) - it's just not working. Can anyone tell me a setup (Linux & Kernel) in which the linux_proc_maps command works? Or give me a hint how I could figure out these addresses on another way? Thank you!

11 years, 6 months

3
5
0 0

Locating performance overhead of apihooks

by Guanglin Xu

Hi everyone, I ran apihook command in Volatility with the very fast pyvmi address space. However, I didn't see significant performance improvement in terms of the total runtime as it still ran for 5 mins - 6 mins. Although I have got profiling report of apihooks by cProfile and have been aware that __read_bytes(), the acquisittion of memory content, just consumed a very small part, which is 7 secs, of the total 5~6 mins, and that the overhead may be categorized in apihook algorithm, memory acquisition as well as Python runtime, I can hardly go further in figuring out which part of the apihook cost the most. I attach the profiling report here, and hope anyone help analysis. Thank you so much. Guanglin

11 years, 6 months

1
0
0 0

Volatility Installation

by Sajawal Ghani

We are working volatility. Firstly we installed python, then its dependencies i.e. pycrpto, yara, distorm Min gw. After installing all this to our system, out volatility 2.1 software is not working, or we are not able to use it. Need help in this regard.

11 years, 6 months

1
0
0 0

First two 2014 Volatility & Memory Forensics trainings announced

by Andrew Case

We wrote a blog post today that announced our first two trainings of 2014: http://volatility-labs.blogspot.com/2013/09/2014-malware-and-memory-forensi… We will be in San Diego, CA in January as well as London in June. Once we confirm our other trainings that are currently in the works we will post them as well. At least one of these trainings will be on the east coast. Also, as a reminder, we still have a few spots left in our November training in Reston, so please contact us ASAP if you would like to attend. Thanks, Andrew (@attrc)

11 years, 6 months

1
0
0 0

Linux Virtualization KVM or VirtualBox?

by chris-2012＠arcor.de

Hi, what's the preferred virtualization method to create memory dumps? Is it possible to acquire the guest memory without guest modifications? Linux and Windows guests are used. Regards, Chris

11 years, 6 months

4
3
0 0

Samsung Galaxy Nexus RAM Analysis Issue

by Quentin Chaki Cha

Hi People, so over here i have used LiME to extract RAM information out of my Samsung Galaxy Nexus, but I'm currently facing some issues in terms of analyzing as shown below: root@akicha-VirtualBox:~/majorProject/trunk# python vol.py -f /root/majorProject/Nexus.lime --profile LinuxNexusARM linux_pslist Volatile Systems Volatility Framework 2.3_beta Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- Regardless of the volatility plugin i use (linux_pslist, linux_lsof), im always getting empty data. I ran the same command with the -dd flag as shown below. Any advice/help in this area would be greatly appreciated thank you :) root@akicha-VirtualBox:~/majorProject/trunk# python vol.py -f /root/majorProject/Nexus.lime --profile LinuxNexusARM -dd linux_pslist Volatile Systems Volatility Framework 2.3_beta DEBUG : volatility.plugins.overlays.linux.linux: Nexus: Found dwarf file root/majorProject/omap/System.map with 453 symbols DEBUG : volatility.plugins.overlays.linux.linux: Nexus: Found system file root/majorProject/omap/System.map with 1 symbols DEBUG : volatility.obj : Applying modification from BashTypes DEBUG : volatility.obj : Applying modification from BasicObjectClasses DEBUG : volatility.obj : Applying modification from ELF64Modification DEBUG : volatility.obj : Applying modification from HPAKVTypes DEBUG : volatility.obj : Applying modification from LimeTypes DEBUG : volatility.obj : Applying modification from MachoTypes DEBUG : volatility.obj : Applying modification from MbrObjectTypes DEBUG : volatility.obj : Applying modification from VMwareVTypesModification DEBUG : volatility.obj : Applying modification from VirtualBoxModification DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel DEBUG : volatility.obj : Applying modification from LinuxMountOverlay DEBUG : volatility.obj : Applying modification from LinuxObjectClasses DEBUG : volatility.obj : Applying modification from LinuxOverlay Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x605bad0> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x2C800040, instantiating lime_header DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x605ba90> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0x81ed DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxNexusARM selected DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Failed valid Address Space check DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x605be50> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x00000000, instantiating HPAK_HEADER DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x00000000, instantiating _VMWARE_HEADER DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: - DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxNexusARM selected DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Can not stack over another paging address space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Can not stack over another paging address space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Can not stack over another paging address space DEBUG1 : volatility.obj : None object instantiated: Pointer next invalid

11 years, 7 months

2
2
0 0

Re: [Vol-users] Experimenting with notepad.exe

by Adam Bridge

HaHa! Thanks Jesse! Thank you for the hints - I'm just trying to get my head around walking the VAD tree at the moment. I'll be sure to ask you if I need some more assistance. Hopefully down the line I'll write a mini-tutorial around this to share with the list. Adam On 21/09/13 19:25, Jesse Kornblum wrote: > Hi Adam, > > Two hints, in progressive levels of practicality: > > 1. I when I tried to do this, I ended up falling down in a Heap. > > 2. Memory allocated by a program is stored in the VADs. > > If you're stuck, write back and I'll show you exactly how to do it! > > Good luck, -- Have you sent me your PGP Public Key yet?

11 years, 7 months

2
2
0 0

Experimenting with notepad.exe

by Adam Bridge

Hi all, I'm hoping for some suggestions around how to find the answer for myself, rather than the actual answer. I'm experimenting with notepad to try and learn more about Windows memory management. Currently I'm trying to see if I can reliably locate what has been typed into a notepad window from a memory capture taken when the notepad window was still open. I can prove my text is present like so: $ python vol.py -f ~/memtest/win7.raw --profile=Win7SP1x86 pslist | grep notepad Volatile Systems Volatility Framework 2.3_beta 0x84f08030 notepad.exe 292 1664 2 59 1 0 2013-08-28 20:50:36 UTC+0000 $ python vol.py -f ~/memtest/win7.raw --profile=Win7SP1x86 memdump --dump-dir=~/memtest/ -p 292 Volatile Systems Volatility Framework 2.3_beta ************************************************************************ Writing notepad.exe [ 292] to 292.dmp $ strings -e l ~/memtest/292.dmp | grep "i-typed-" i-typed-this-into-notepad (The "-e l" switch is because notepad stores its text in 16-bit little-endian.) Combining the output of memdump and memmap I can see where in physical and virtual memory my string is located. Of course this relies on me knowing the string ahead of time. Do I need to go down the route of disassembling/debugging notepad.exe in order to determine how/when it writes the contents to memory? Or is there another approach that I simply haven't though of? Comments greatly appreciated! Thanks, Adam -- Have you sent me your PGP Public Key yet?

11 years, 7 months

1
0
0 0

Volatility Cannot Analyze Samsung Galaxy Nexus RAM (LiME)

by Quentin Chaki Cha

Hi people, Currently I'm trying to use Volatility to analyze a memory image that i have acquired from my Samsung Galaxy Nexus using LiME. I saw somewhere on this forum(?) that the System.map file pulled out from /proc/kallsyms is unusable due to those lines that contain "[lime]" but can be addressed by removing those lines. I managed to built the profile and verified it against the following command: # python vol.py --info | grep ProfileVolatile Systems Volatility Framework 2.3_beta Profiles Linuxsamsungx86 - A Profile for Linux samsung x86 VistaSP0x64 - A Profile for Windows Vista SP0 x64 VistaSP0x86 - A Profile for Windows Vista SP0 x86 VistaSP1x64 - A Profile for Windows Vista SP1 x64 VistaSP1x86 - A Profile for Windows Vista SP1 x86 VistaSP2x64 - A Profile for Windows Vista SP2 x64 VistaSP2x86 - A Profile for Windows Vista SP2 x86 Win2003SP0x86 - A Profile for Windows 2003 SP0 x86 Win2003SP1x64 - A Profile for Windows 2003 SP1 x64 Win2003SP1x86 - A Profile for Windows 2003 SP1 x86 Win2003SP2x64 - A Profile for Windows 2003 SP2 x64 Win2003SP2x86 - A Profile for Windows 2003 SP2 x86 Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64 Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64 Win2008SP1x64 - A Profile for Windows 2008 SP1 x64 Win2008SP1x86 - A Profile for Windows 2008 SP1 x86 Win2008SP2x64 - A Profile for Windows 2008 SP2 x64 Win2008SP2x86 - A Profile for Windows 2008 SP2 x86 Win7SP0x64 - A Profile for Windows 7 SP0 x64 Win7SP0x86 - A Profile for Windows 7 SP0 x86 Win7SP1x64 - A Profile for Windows 7 SP1 x64 Win7SP1x86 - A Profile for Windows 7 SP1 x86 WinXPSP1x64 - A Profile for Windows XP SP1 x64 WinXPSP2x64 - A Profile for Windows XP SP2 x64 WinXPSP2x86 - A Profile for Windows XP SP2 x86 WinXPSP3x86 - A Profile for Windows XP SP3 x86 However, when i run the command: #python vol.py --profile=Linuxsamsungx86 -f /root/majorProject/ram.lime linux_pslist I get the following error: Volatile Systems Volatility Framework 2.3_beta WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x81ed WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile Linuxsamsungx86 selected IA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int' IA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int' FileAddressSpace: Must be first Address Space ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int' It's the same regardless of the volatility plugin i'm using. Any idea where i'm wrong over here? Anyway attached is zip folder that contains the System.map file as well as my module.dwarf file. Any help or advise in this area would be greatly appreciated thank you very much :) Oh yes, do let me know if there's any other information required that might help solve this issue, i'm quite desperate over here =P

11 years, 7 months

2
1
0 0

custom Android profile: No suitable address space mapping found

by Antonios Broumas

Good day, As the title suggests I am working with a custom Android installation and I have encountered the "No suitable address space mapping found". I have not cross-compiled lime.ko and module.ko with exactly the same compiler that I used to build the rest of my installation but I have carried out the build pointing to the same kernel directories and lime.ko can successfully be used to get a memory dump. Can this be the reason for the inconsistency? Here is what I did: 1. I have downloaded lime from svn: URL: http://lime-forensics.googlecode.com/svn/trunk/src Repository Root: http://lime-forensics.googlecode.com/svn Repository UUID: e105e084-e930-c66b-6cfa-9f740464420f Revision: 17 Node Kind: directory Schedule: normal Last Changed Author: Joe.Sylve(a)gmail.com Last Changed Rev: 15 Last Changed Date: 2013-03-19 08:10:00 -0700 (Tue, 19 Mar 2013) 2. I have downloaded volatility from svn: URL: https://volatility.googlecode.com/svn/trunk Repository Root: https://volatility.googlecode.com/svn Repository UUID: 8d5d6628-2090-11de-9909-f37ff7dbbc12 Revision: 3444 Node Kind: directory Schedule: normal Last Changed Author: michael.hale(a)gmail.com Last Changed Rev: 3440 Last Changed Date: 2013-06-18 10:08:37 -0700 (Tue, 18 Jun 2013) 3. I have cross-compiled lime for a custom android installation and produced a kernel module and with it I have successfully retrieved a memory dump of size a little less than 2GB. 1951400096 Jun 25 14:50 mem.dump 4. I have also created a profile pointing to the same custom android installatin: *** note that pmem is not visited and pmem.c is not compiled *** cd volatility/tools/linux edit Makefile and cross-compile module.c and produce module.ko dwarfdump -di module.ko > module.dwarf head module.dwarf .debug_info <0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C 4.6.x-google 20120106 (prerelease)"> DW_AT_language<DW_LANG_C89> DW_AT_name<"/home/antonios/dev/tools/volatility/tools/linux/module.c"> DW_AT_comp_dir<"/media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/out/target/product/jflteatt/obj/KERNEL_OBJ"> DW_AT_low_pc<0x00000000> DW_AT_high_pc<0x00000000> DW_AT_stmt_list<0x00000000> <Unknown AT value 0x2134><0> <Unknown AT value 0x2135><0> <1><0x2d><DW_TAG_typedef> DW_AT_name<"__s8"> DW_AT_decl_file<0x00000001 /media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/kernel/include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000013> DW_AT_type<<0x00000038>> <1><0x38><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_signed_char> DW_AT_name<"signed char"> <1><0x3f><DW_TAG_typedef> DW_AT_name<"__u8"> DW_AT_decl_file<0x00000001 /media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/kernel/include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000014> DW_AT_type<<0x0000004a>> <1><0x4a><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_unsigned_char> DW_AT_name<"unsigned char"> <1><0x51><DW_TAG_typedef> DW_AT_name<"__s16"> DW_AT_decl_file<0x00000001 /media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/kernel/include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000016> DW_AT_type<<0x0000005c>> <1><0x5c><DW_TAG_base_type> DW_AT_byte_size<0x00000002> DW_AT_encoding<DW_ATE_signed> DW_AT_name<"short int"> zip volatility/volatility/plugins/overlays/linux/mylinux.zip module.dwarf System.map adding: home/antonios/dev/tools/volatility/tools/linux/module.dwarf (deflated 92%) adding: media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/out/target/product/jflteatt/obj/KERNEL_OBJ/System.map (deflated 74%) 5. python vol.py --info LinuxmylinuxARM - A Profile for Linux mylinux ARM 6. however python vol.py --profile=LinuxmylinuxARM -f mem.dump linux_pslist results in: Volatile Systems Volatility Framework 2.3_beta Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x0 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile LinuxmylinuxARM selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check I have not cross-compiled lime.ko and module.ko with exactly the same compiler that I used to build the rest of my installation but I have carried out the build pointing to the same kernel directories and lime.ko can successfully be used to get a memory dump. Can this be the reason for the inconsistency? Antonios

11 years, 7 months

3
3
0 0

Linux process DTB

by Sebastian Biedermann

Hi guys, I found out that version 2.3 of volatility shows an additional DTB address value for each process in the linux_pslist command. Can anyone tell me what this address exactly is and how it can be useful? Thank you! -- Sebastian

11 years, 7 months

2
1
0 0

OMFW 2013

by AAron Walters

vol-users, The official registration invitations for OMFW 2013 went out this week. If you are still planning to attend, I recommend sending a request soon. There are less than 10 spots remaining! https://www.volatilityfoundation.org/default/omfw Reserve your seat by contacting: info [at] volatilesystems [dot] com. Thanks, The Volatility Foundation

11 years, 7 months

1
0
0 0

Problems with Server 2003 vmss image

by David Kovar

Good evening, I have what purports to be a Windows Server 2003 vmss file from an ESXi server. Volatile Systems Volatility Framework 2.2 Determining profile based on KDBG search... Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86 AS Layer1 : FileAddressSpace (E:\memory.vmss) PAE type : No PAE DTB : 0xe02000L KDBG : 0x89e3e0 Number of Processors : 32 Image Type (Service Pack) : 8388479 KPCR for CPU 1 : 0xb4428734L KPCR for CPU 105 : 0x6ab88836 KPCR for CPU 187 : 0xbbb081feL KPCR for CPU 217 : 0xd26666cfL KPCR for CPU 244 : 0xf6396926L KPCR for CPU 43 : 0xdb784fe4L KPCR for CPU 0 : 0xbfcc7b14L KPCR for CPU 144 : 0xfdce5831L KPCR for CPU 163 : 0xe645d2edL KPCR for CPU 240 : 0xe641b395L KPCR for CPU 0 : 0x54430b95 KPCR for CPU 121 : 0xe647cb92L KPCR for CPU 156 : 0x11fcab95 KPCR for CPU 88 : 0x7e5a9411 KPCR for CPU 0 : 0x3a144ddb KPCR for CPU 0 : 0xad8d25f2L KPCR for CPU 167 : 0x6a05fdd2 KPCR for CPU 149 : 0x9623d84aL KPCR for CPU 116 : 0x4d5a811c KPCR for CPU 0 : 0x770a23f1 KPCR for CPU 0 : 0x62485716 KPCR for CPU 47 : 0xb52572fcL KPCR for CPU 0 : 0x1449293a KPCR for CPU 46 : 0x4997edb2 KPCR for CPU 0 : 0x95971adeL KPCR for CPU 0 : 0x95bcc716L KPCR for CPU 53 : 0x55851105 KPCR for CPU 0 : 0x55bcc700 KPCR for CPU 0 : 0xd5893716L KPCR for CPU 169 : 0x4a21113d KPCR for CPU 1 : 0x88f33d8dL KPCR for CPU 0 : 0xa3d2de22L KUSER_SHARED_DATA : 0xffdf0000L Image date and time : 1970-01-01 00:00:00 UTC+0000 Traceback (most recent call last): File "vol.py", line 186, in <module> main() File "vol.py", line 177, in main command.execute() File "E:\Tools\volatility-2.2\volatility\commands.py", line 111, in execute func(outfd, data) File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 34, in re nder_text for k, v in data: File "E:\Tools\volatility-2.2\volatility\plugins\imageinfo.py", line 109, in c alculate yield ('Image local date and time', timefmt.display_datetime(data['ImageDate time'].as_datetime(), data['ImageTz'])) File "E:\Tools\volatility-2.2\volatility\timefmt.py", line 82, in display_date time dt = dt.astimezone(custom_tz) ValueError: tzinfo.utcoffset() returned 1440; must be in -1439 .. 1439 Or, maybe it isn't. Anyhow, I converted it with imagecopy and while imageinfo returns the same information, none of the other commands will work: E:\Tools\volatility-2.2>python vol.py -f E:\RAM\memory.raw --profile=Win2003SP2x86 connections Volatile Systems Volatility Framework 2.2 No suitable address space mapping found Tried to open image as: LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space JKIA32PagedMemory: No base Address Space JKIA32PagedMemoryPae: No base Address Space IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: No xpress signature found WindowsCrashDumpSpace64: Header signature invalid WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile Win2003SP2x86 selected JKIA32PagedMemory: Failed valid Address Space check JKIA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled FileAddressSpace: Must be first Address Space Any thoughts on how to work with this image would be most welcome. -David

11 years, 7 months

2
2
0 0

Volatility and BAP

by Carl Pulley

As part of some recent work, I was looking at integrating CMU's Binary Analysis Platform (BAP)[1] with the Volatility framework. The (partly hacky) result of this work can be found at: https://bitbucket.org/carlpulley/libbap If nothing else, it provides some idea as to what can be done with such integrations. Hopefully, it will be of interest to others within the RE/Memory forensics communities? All the best, Carl. [1] http://bap.ece.cmu.edu/

11 years, 7 months

1
0
0 0

Re: [Vol-users] custom Android profile: No suitable address space

by Andrew Case

1) There are missing symbols required for plugins to run that kallsyms does not have. I suspect you can get a partial listing of these if you run Volatility with -dd and look for errors about symbol resolution errors. 2) It seems you built a kernel using the sources of the phone, but that it is not actually the kernel running on the phone? If you are going to use the System.map from the kernel then the phone needs to actually run that kernel. Otherwise, you need the System.map from when the vendor compiled the kernel. Did the distributed sources you use have a System.map file with them and/or a debug kernel (vmlinux)? On Wed, Aug 28, 2013 at 5:52 AM, Winston Siauw (DT) <winston(a)holmes.nl>wrote: > Hi Andrew,**** > > ** ** > > Thanks again for your reply.**** > > I have manage to build the kernel, retrieve the System.map file and build > a profile with it.**** > > However, volatility does not give any output nor error as can be seen > below:**** > > ** ** > > $ python vol.py --profile=LinuxprofileHtcOneV-IcsARM -f /dump.lime > linux_pslist**** > > Volatile Systems Volatility Framework 2.3_beta**** > > WARNING : volatility.obj : Overlay structure tty_struct not present > in vtypes**** > > Offset Name Pid Uid Gid > DTB Start Time**** > > ---------- -------------------- --------------- --------------- ------ > ---------- ----------**** > > ( empty )**** > > ** ** > > As indicated in your last mail, the build System.map and the device > Kallsyms are not equal. **** > > However, besides not having the same symbols as System.map the memory > addresses also differ. **** > > Is this expected or is this because I have done something wrong?**** > > I.e.:**** > > ** ** > > System.map (builded kernel):**** > > c0008200 t set_reset_devices**** > > c0008224 t debug_kernel**** > > c000824c t quiet_kernel**** > > ** ** > > Kallsyms (from device):**** > > c0008200 t set_reset_devices**** > > c0008218 t debug_kernel**** > > c0008230 t quiet_kernel**** > > ** ** > > ** ** > > Moreover, is it known which symbols are exactly missing in the Kallsyms > file that are noted in the System.map and can I implement a work around for > this? **** > > Furthermore, in another post ( > http://lists.volatilityfoundation.org/pipermail/vol-users/2013-February/000…) > Michael Hale Ligh* *indicated: **** > > “Only as a last resort use /proc/kallsyms and even in that case, delete > the lines related to lime so**** > > it doesn't raise ValueError”. Thus if I delete all lime related lines in > the kallsyms then it would work?**** > > ** ** > > ** ** > > Best regards,**** > > ** ** > > Winston**** > > ** ** > > ** ** > > ** ** > > ** ** > > *From:* Andrew Case [mailto:atcuno@gmail.com] > *Sent:* Wednesday, August 14, 2013 7:58 PM > *To:* Winston Siauw (DT) > *Cc:* vol-users(a)volatilityfoundation.org > *Subject:* Re: [Vol-users] custom Android profile: No suitable address > space**** > > ** ** > > Hello, > > We are working on new documentation for this issue and actually hope to > develop a workaround if at all possible. The issue is that kallsyms, while > having a different file format as you noticed, does not contain all of the > same symbols as System.map and because of this Volatility cannot use a > profile that has kallsyms output. There are symbols in System.map that are > currently required for Volatility to operate and these symbols are not > contained in kallsyms. **** > > If you can obtain the System.map file for the kernel you wish to analyze > then please use that and incorporate it into the profile. > > Thanks, > Andrew**** > > ** ** > > On Wed, Aug 14, 2013 at 3:28 AM, Winston Siauw (DT) <winston(a)holmes.nl> > wrote:**** > > Hi All,**** > > **** > > Currently, I am using Volatility to analyze a lime dump of an Android > device and I have the same error message as the post of the ”no suitable > address space mapping found” ( > http://lists.volatilityfoundation.org/pipermail/vol-users/2013-July/000942.… > ).**** > > **** > > I have followed the steps as indicated in the Volatility Android memory > forensic instructions ( > https://code.google.com/p/volatility/wiki/AndroidMemoryForensics) and > listed them below the dotted line in this mail. **** > > However, the error “No suitable address space mapping found ” is showing. > **** > > **** > > Anybody have any idea what is going / I am doing wrong ? (please see the > steps I have performed below)**** > > **** > > **** > > Winston **** > > **** > > ********************************************* > > Steps I followed:**** > > **** > > Memory research of Device : HTC One V**** > > kernel device primou-ics-crc-3.0.16-133e482**** > > Android : 4.0.3**** > > Host system for Volatility: Ubuntu 13.04**** > > Python 2.7.4 (default, Apr 19 2013, 18:32:33) **** > > [GCC 4.7.3] on linux2**** > > **** > > **** > > Steps as followed from > https://code.google.com/p/volatility/wiki/AndroidMemoryForensics except > for the emulator steps:**** > > **** > > 1. Downloaded lime, cross compiled lime and build a *.ko file and > created a lime.dump (format=lime) file**** > > 2. Downloaded Volatility, created a zip profile **** > > a. System.map retrieved from the device at /proc/kallsyms**** > > b. Module.dwarf **** > > $ head module.dwarf **** > > **** > > .debug_info**** > > **** > > <0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C 4.7"> > DW_AT_language<DW_LANG_C89> > DW_AT_name<"/android/volatility-2.2/tools/linux/module.c"> > DW_AT_comp_dir<"/home/winston/htc/primou-ics-crc-3.0.16-133e482"> > DW_AT_stmt_list<0x00000000>**** > > <1><0x1d><DW_TAG_typedef> DW_AT_name<"__s8"> DW_AT_decl_file<0x00000001 > include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000013> > DW_AT_type<<0x00000028>>**** > > <1><0x28><DW_TAG_base_type> DW_AT_byte_size<0x00000001> > DW_AT_encoding<DW_ATE_signed_char> DW_AT_name<"signed char">**** > > <1><0x2f><DW_TAG_typedef> DW_AT_name<"__u8"> DW_AT_decl_file<0x00000001 > include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000014> > DW_AT_type<<0x0000003a>>**** > > <1><0x3a><DW_TAG_base_type> DW_AT_byte_size<0x00000001> > DW_AT_encoding<DW_ATE_unsigned_char> DW_AT_name<"unsigned char">**** > > <1><0x41><DW_TAG_typedef> DW_AT_name<"__s16"> DW_AT_decl_file<0x00000001 > include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000016> > DW_AT_type<<0x0000004c>>**** > > <1><0x4c><DW_TAG_base_type> DW_AT_byte_size<0x00000002> > DW_AT_encoding<DW_ATE_signed> DW_AT_name<"short int">**** > > **** > > 3. Using Volatility 2.2 and I have tried volatility > 2.3-development and the latest volatility from svn co > https://volatility.googlecode.com/svn/trunk (latest check out at 9th of > august 2013)**** > > a. $ python vol.py –info **** > > LinuxprofileHTCOneV2x86 - A Profile for Linux profileHTCOneV2 x86**** > > b. Note, I implemented a work around since my system.map / > proc/kallsyms sometimes contained four columns instead of 3. **** > > Part of my system.map file:**** > > c0682d70 A _etext**** > > bf005000 t dhd_sleep_pm_callback [bcmdhd]**** > > Error: **** > > File > "/android/volatility-2.2/volatility/plugins/overlays/linux/linux.py", line > 86, in parse_system_map**** > > (str_addr, symbol_type, symbol) = line.strip().split()**** > > ValueError: too many values to unpack**** > > Work around :**** > > Added in > /android/volatility-2.2/volatility/plugins/overlays/linux/linux.py, line 87: > **** > > (str_addr, symbol_type, symbol) = line.strip().split()[0:3] > //added work around **** > > #(str_addr, symbol_type, symbol) = line.strip().split() > // original**** > > c. $ python vol.py --profile=LinuxprofileHTCOneV2x86 -f > /android/resultfiles/HTVOneV/lime7-31-13_1317.lime linux_pslist**** > > Volatile Systems Volatility Framework 2.3_alpha**** > > WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present > in vtypes**** > > Offset Name Pid Uid Start Time > **** > > ---------- -------------------- --------------- --------------- ---------- > **** > > No suitable address space mapping found**** > > Tried to open image as:**** > > MachOAddressSpace: mac: need base**** > > LimeAddressSpace: lime: need base**** > > WindowsHiberFileSpace32: No base Address Space**** > > WindowsCrashDumpSpace64: No base Address Space**** > > WindowsCrashDumpSpace32: No base Address Space**** > > JKIA32PagedMemoryPae: No base Address Space**** > > AMD64PagedMemory: No base Address Space**** > > JKIA32PagedMemory: No base Address Space**** > > IA32PagedMemoryPae: Module disabled**** > > IA32PagedMemory: Module disabled**** > > MachOAddressSpace: MachO Header signature invalid**** > > MachOAddressSpace: MachO Header signature invalid**** > > LimeAddressSpace: Invalid Lime header signature**** > > WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile**** > > WindowsCrashDumpSpace64: Header signature invalid**** > > WindowsCrashDumpSpace32: Header signature invalid**** > > JKIA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: > 'NoneType' and 'long'**** > > AMD64PagedMemory: Incompatible profile LinuxprofileHTCOneV2x86 selected*** > * > > JKIA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: > 'NoneType' and 'long'**** > > IA32PagedMemoryPae: Module disabled**** > > IA32PagedMemory: Module disabled**** > > FileAddressSpace: Must be first Address Space**** > > ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' > and 'long'**** > > **** > > **** > > **** > > **** > > **** > > **** > > **** > > **** > > **** > > **** > > **** > > **** > > **** > > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users**** > > ** ** >

11 years, 7 months

1
0
0 0

Re: [Vol-users] Understanding memmap output

by Adam Bridge

Thanks again Michael. I shall take some time to digest the links you've sent me. I'm much happier with virtual memory now. Thank you, Adam On 31/08/13 00:32, Michael Cohen wrote: > Hi Adam, > "Where is this virtual memory being stored" does not really make > sense - the virtual memory is virtualized - meaning it does not exist > in reality and hence needs no storage. As the process accesses > addresses in the virtual memory space, the kernel pages this memory in > on demand from either the pagefile, or regular files on disk. Whilst > you may disable page files, the OS will always be able to use the > files on disk. Therefore, it is very possible (in fact likely) that > not all the addressable memory for a process will be available in the > memory image. > > The most common effect of this is when you try to dump out a process > executable, e.g. with pedump, dlldump, etc. You may find pages which > are not resident and hence can not be dumped from the memory image > alone. > > Some references to help explain this: > https://volatility.googlecode.com/svn/branches/scudette/docs/references.html > http://www.youtube.com/watch?v=9aC7yIYwvAY > > And more information about memory layout: > http://dfrws.org/2013/proceedings/DFRWS2013-13.pdf > > Michael. > > On 31 August 2013 00:33, Adam Bridge <adam.bridge(a)yahoo.com> wrote: >> Hi Michael, >> >> Thank you again - I really can't thank you enough for your willingness >> to help! >> So, I shall definitely make this my last clarifying questions... :) >> >> Given "Any process running under 32 bit Windows versions gets a set of >> virtual memory addresses going from 0 to 4 GB, no matter how much RAM is >> actually installed on the computer."[1], if, as in my example, the >> pagefile has been disabled, "where" is this virtual memory being stored? >> Or is it that if the pagefile.sys is turned off, it can only commit to >> 512MB, so after 512MB of allocation the system will basically fall over? >> The virtual 4GB becomes irrelevant and unobtainable? >> >> [1] >> http://members.shaw.ca/bsanders/WindowsGeneralWeb/RAMVirtualMemoryPageFileE… >> (I kinda put this in to demonstrate that I am trying to find the answers >> myself - I'm not just relying on your kindness!) >> >> Adam >> >> On 30/08/13 22:55, Michael Cohen wrote: >>> Hi Adam, >>> that depends by what you mean by "all the memory the process is >>> using". If you mean "All addressable virtual memory" then the answer >>> is no. Processes usually map files into memory in such a way that if >>> the process accesses the mapped region of memory, a page fault occurs >>> and the page is read from disk into memory - so the process thinks >>> that the file is all mapped into memory at the same time. But since >>> the file does not exist in the physical memory until its needed, then >>> you wont see that in the capture. This process is kind of similar to >>> paging to the page file, except that when mapping files from disk, the >>> kernel does not need to write the data into the pagefile since it can >>> just re-read it from the filesystem if it is needed again. >>> >>> Michael. >>> >>> >>> >>> On 30 August 2013 23:47, Adam Bridge <adam.bridge(a)yahoo.com> wrote: >>>> Michael, >>>> >>>> Thanks again - that really helps, and makes sense! >>>> >>>> For clarity, given this is a Win7SP1x86 machine where I have disabled >>>> PAE and disabled pagefile, is it correct to conclude that ALL of the >>>> memory that this process is using is in the capture? (I gave it 512MB >>>> RAM and captured all the RAM.) >>>> >>>> Adam >>>> >>>> On 30/08/13 22:27, Michael Cohen wrote: >>>>> Adam, >>>>> Virtual memory is not contiguous. memmap will show you the regions >>>>> which are mapped to physical memory and the offset in the virtual >>>>> address space where they are mapped into. The simple answer is that >>>>> the process's virtual address range from 0x00000000-0x00010000 does >>>>> not exist - all this means is that if the process was to reference >>>>> addresses in that range, the processor will issue a page fault, and be >>>>> killed. >>>>> >>>>> Note also that for 64 bit processes, the address space is much larger >>>>> than 4GB (2^^48 actually). >>>>> >>>>> Michael. >>>>> >>>>> On 30 August 2013 22:50, Adam Bridge <adam.bridge(a)yahoo.com> wrote: >>>>>> Hi all, >>>>>> >>>>>> Hoping for some more newbie assistance! >>>>>> >>>>>> I have a sample from Win7SP1x86. >>>>>> When I took the capture I had notepad.exe running. >>>>>> >>>>>> Using pslist(1) I identified the pid and used this with memmap(2). >>>>>> (1) python vol.py -f win7.raw --profile=Win7SP1x86 pslist >>>>>> (2) python vol.py -f win7.raw --profile=Win7SP1x86 memmap -p 1260 >>>>>> >>>>>> So really two questions: >>>>>> >>>>>> 1> Why does the first entry show a virtual offset of 0x00010000? Why >>>>>> isn't it 0x00000000? Where are the first 0x00010000 bytes of this >>>>>> process's virtual memory? >>>>>> >>>>>> 2> (and I know this is gonna be a face palm moment) Why aren't the >>>>>> virtual memory offsets contiguous? If this is a dump of the process's >>>>>> virtual memory shouldn't it be one big lump of 4GB? What's the obvious >>>>>> thing I'm missing? (Is it simply that notepad.exe isn't using all 4GB so >>>>>> the empty pages have been ignored?) >>>>>> >>>>>> Thank you! >>>>>> >>>>>> Adam >>>>>> >>>>>> -- >>>>>> Have you sent me your PGP Public Key yet? >>>>>> >>>>>> _______________________________________________ >>>>>> Vol-users mailing list >>>>>> Vol-users(a)volatilityfoundation.org >>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>>> -- >>>> Have you sent me your PGP Public Key yet? >>>> >> -- >> Have you sent me your PGP Public Key yet? >> -- Have you sent me your PGP Public Key yet?

11 years, 7 months

1
0
0 0

Re: [Vol-users] Understanding memmap output

by Adam Bridge

Hi Michael, Thank you again - I really can't thank you enough for your willingness to help! So, I shall definitely make this my last clarifying questions... :) Given "Any process running under 32 bit Windows versions gets a set of virtual memory addresses going from 0 to 4 GB, no matter how much RAM is actually installed on the computer."[1], if, as in my example, the pagefile has been disabled, "where" is this virtual memory being stored? Or is it that if the pagefile.sys is turned off, it can only commit to 512MB, so after 512MB of allocation the system will basically fall over? The virtual 4GB becomes irrelevant and unobtainable? [1] http://members.shaw.ca/bsanders/WindowsGeneralWeb/RAMVirtualMemoryPageFileE… (I kinda put this in to demonstrate that I am trying to find the answers myself - I'm not just relying on your kindness!) Adam On 30/08/13 22:55, Michael Cohen wrote: > Hi Adam, > that depends by what you mean by "all the memory the process is > using". If you mean "All addressable virtual memory" then the answer > is no. Processes usually map files into memory in such a way that if > the process accesses the mapped region of memory, a page fault occurs > and the page is read from disk into memory - so the process thinks > that the file is all mapped into memory at the same time. But since > the file does not exist in the physical memory until its needed, then > you wont see that in the capture. This process is kind of similar to > paging to the page file, except that when mapping files from disk, the > kernel does not need to write the data into the pagefile since it can > just re-read it from the filesystem if it is needed again. > > Michael. > > > > On 30 August 2013 23:47, Adam Bridge <adam.bridge(a)yahoo.com> wrote: >> Michael, >> >> Thanks again - that really helps, and makes sense! >> >> For clarity, given this is a Win7SP1x86 machine where I have disabled >> PAE and disabled pagefile, is it correct to conclude that ALL of the >> memory that this process is using is in the capture? (I gave it 512MB >> RAM and captured all the RAM.) >> >> Adam >> >> On 30/08/13 22:27, Michael Cohen wrote: >>> Adam, >>> Virtual memory is not contiguous. memmap will show you the regions >>> which are mapped to physical memory and the offset in the virtual >>> address space where they are mapped into. The simple answer is that >>> the process's virtual address range from 0x00000000-0x00010000 does >>> not exist - all this means is that if the process was to reference >>> addresses in that range, the processor will issue a page fault, and be >>> killed. >>> >>> Note also that for 64 bit processes, the address space is much larger >>> than 4GB (2^^48 actually). >>> >>> Michael. >>> >>> On 30 August 2013 22:50, Adam Bridge <adam.bridge(a)yahoo.com> wrote: >>>> Hi all, >>>> >>>> Hoping for some more newbie assistance! >>>> >>>> I have a sample from Win7SP1x86. >>>> When I took the capture I had notepad.exe running. >>>> >>>> Using pslist(1) I identified the pid and used this with memmap(2). >>>> (1) python vol.py -f win7.raw --profile=Win7SP1x86 pslist >>>> (2) python vol.py -f win7.raw --profile=Win7SP1x86 memmap -p 1260 >>>> >>>> So really two questions: >>>> >>>> 1> Why does the first entry show a virtual offset of 0x00010000? Why >>>> isn't it 0x00000000? Where are the first 0x00010000 bytes of this >>>> process's virtual memory? >>>> >>>> 2> (and I know this is gonna be a face palm moment) Why aren't the >>>> virtual memory offsets contiguous? If this is a dump of the process's >>>> virtual memory shouldn't it be one big lump of 4GB? What's the obvious >>>> thing I'm missing? (Is it simply that notepad.exe isn't using all 4GB so >>>> the empty pages have been ignored?) >>>> >>>> Thank you! >>>> >>>> Adam >>>> >>>> -- >>>> Have you sent me your PGP Public Key yet? >>>> >>>> _______________________________________________ >>>> Vol-users mailing list >>>> Vol-users(a)volatilityfoundation.org >>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> -- >> Have you sent me your PGP Public Key yet? >> -- Have you sent me your PGP Public Key yet?

11 years, 7 months

1
0
0 0

Re: [Vol-users] Understanding memmap output

by Adam Bridge

Michael, Thanks again - that really helps, and makes sense! For clarity, given this is a Win7SP1x86 machine where I have disabled PAE and disabled pagefile, is it correct to conclude that ALL of the memory that this process is using is in the capture? (I gave it 512MB RAM and captured all the RAM.) Adam On 30/08/13 22:27, Michael Cohen wrote: > Adam, > Virtual memory is not contiguous. memmap will show you the regions > which are mapped to physical memory and the offset in the virtual > address space where they are mapped into. The simple answer is that > the process's virtual address range from 0x00000000-0x00010000 does > not exist - all this means is that if the process was to reference > addresses in that range, the processor will issue a page fault, and be > killed. > > Note also that for 64 bit processes, the address space is much larger > than 4GB (2^^48 actually). > > Michael. > > On 30 August 2013 22:50, Adam Bridge <adam.bridge(a)yahoo.com> wrote: >> Hi all, >> >> Hoping for some more newbie assistance! >> >> I have a sample from Win7SP1x86. >> When I took the capture I had notepad.exe running. >> >> Using pslist(1) I identified the pid and used this with memmap(2). >> (1) python vol.py -f win7.raw --profile=Win7SP1x86 pslist >> (2) python vol.py -f win7.raw --profile=Win7SP1x86 memmap -p 1260 >> >> So really two questions: >> >> 1> Why does the first entry show a virtual offset of 0x00010000? Why >> isn't it 0x00000000? Where are the first 0x00010000 bytes of this >> process's virtual memory? >> >> 2> (and I know this is gonna be a face palm moment) Why aren't the >> virtual memory offsets contiguous? If this is a dump of the process's >> virtual memory shouldn't it be one big lump of 4GB? What's the obvious >> thing I'm missing? (Is it simply that notepad.exe isn't using all 4GB so >> the empty pages have been ignored?) >> >> Thank you! >> >> Adam >> >> -- >> Have you sent me your PGP Public Key yet? >> >> _______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users -- Have you sent me your PGP Public Key yet?

11 years, 7 months

1
0
0 0

Understanding memmap output

by Adam Bridge

Hi all, Hoping for some more newbie assistance! I have a sample from Win7SP1x86. When I took the capture I had notepad.exe running. Using pslist(1) I identified the pid and used this with memmap(2). (1) python vol.py -f win7.raw --profile=Win7SP1x86 pslist (2) python vol.py -f win7.raw --profile=Win7SP1x86 memmap -p 1260 So really two questions: 1> Why does the first entry show a virtual offset of 0x00010000? Why isn't it 0x00000000? Where are the first 0x00010000 bytes of this process's virtual memory? 2> (and I know this is gonna be a face palm moment) Why aren't the virtual memory offsets contiguous? If this is a dump of the process's virtual memory shouldn't it be one big lump of 4GB? What's the obvious thing I'm missing? (Is it simply that notepad.exe isn't using all 4GB so the empty pages have been ignored?) Thank you! Adam -- Have you sent me your PGP Public Key yet?

11 years, 7 months

1
0
0 0

[Vol-users] Newbie Question: How did 512MB become 4GB? (no pagefile, no pae)

by Adam Bridge

Hi all, I'm definitely still learning with memory forensics, but I can't get my head around this one. I created a Virtualbox VM of Win7SP1x86 with 512MB RAM. I disabled the pagefile - confirmed with reboot that pagefile.sys disappeared. I disabled pae - confirmed with reboot followed by: wcim os get PAEEnabled, returned FALSE. I then used: vboxmanage debugvm "Win7" dumpguestcore --filename test.elf to grab the ELF64 dump. This file is: 569.5MB I then used: python vol.py -f test.elf --profile=Win7SP1x86 imagecopy -O test.raw test.raw is: 4.0GB Given that pae is off and pagefile.sys is off, where has the extra data come from?! I get that in 32-bit, we can represent up to 0xFFFFFFFF (2^32) = 4GB, but where has the extra data come from? Is it all going to be 0-padded or have I done something wrong somewhere?! Any clues, tips, links to read, and flames welcome. Adam -- If you like, we could go PGP..?

11 years, 7 months

2
3
0 0

custom Android profile: No suitable address space

by Winston Siauw (DT)

Hi All, Currently, I am using Volatility to analyze a lime dump of an Android device and I have the same error message as the post of the no suitable address space mapping found (http://lists.volatilityfoundation.org/pipermail/vol-users/2013-July/000942.…) I have followed the steps as indicated in the Volatility Android memory forensic instructions (https://code.google.com/p/volatility/wiki/AndroidMemoryForensics) and listed them below the dotted line in this mail. However, the error No suitable address space mapping found is showing. Anybody have any idea what is going / I am doing wrong ? (please see the steps I have performed below) Winston ***************************************** Steps I followed: Memory research of Device : HTC One V kernel device primou-ics-crc-3.0.16-133e482 Android : 4.0.3 Host system for Volatility: Ubuntu 13.04 Python 2.7.4 (default, Apr 19 2013, 18:32:33) [GCC 4.7.3] on linux2 Steps as followed from https://code.google.com/p/volatility/wiki/AndroidMemoryForensics except for the emulator steps: 1. Downloaded lime, cross compiled lime and build a *.ko file and created a lime.dump (format=lime) file 2. Downloaded Volatility, created a zip profile a. System.map retrieved from the device at /proc/kallsyms b. Module.dwarf $ head module.dwarf .debug_info <0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C 4.7"> DW_AT_language<DW_LANG_C89> DW_AT_name<"/android/volatility-2.2/tools/linux/module.c"> DW_AT_comp_dir<"/home/winston/htc/primou-ics-crc-3.0.16-133e482"> DW_AT_stmt_list<0x00000000> <1><0x1d><DW_TAG_typedef> DW_AT_name<"__s8"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000013> DW_AT_type<<0x00000028>> <1><0x28><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_signed_char> DW_AT_name<"signed char"> <1><0x2f><DW_TAG_typedef> DW_AT_name<"__u8"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000014> DW_AT_type<<0x0000003a>> <1><0x3a><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_unsigned_char> DW_AT_name<"unsigned char"> <1><0x41><DW_TAG_typedef> DW_AT_name<"__s16"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000016> DW_AT_type<<0x0000004c>> <1><0x4c><DW_TAG_base_type> DW_AT_byte_size<0x00000002> DW_AT_encoding<DW_ATE_signed> DW_AT_name<"short int"> 3. Using Volatility 2.2 and I have tried volatility 2.3-development and the latest volatility from svn co https://volatility.googlecode.com/svn/trunk (latest check out at 9th of august 2013) a. $ python vol.py info LinuxprofileHTCOneV2x86 - A Profile for Linux profileHTCOneV2 x86 b. Note, I implemented a work around since my system.map / proc/kallsyms sometimes contained four columns instead of 3. Part of my system.map file: c0682d70 A _etext bf005000 t dhd_sleep_pm_callback [bcmdhd] Error: File "/android/volatility-2.2/volatility/plugins/overlays/linux/linux.py", line 86, in parse_system_map (str_addr, symbol_type, symbol) = line.strip().split() ValueError: too many values to unpack Work around : Added in /android/volatility-2.2/volatility/plugins/overlays/linux/linux.py, line 87: (str_addr, symbol_type, symbol) = line.strip().split()[0:3] //added work around #(str_addr, symbol_type, symbol) = line.strip().split() // original c. $ python vol.py --profile=LinuxprofileHTCOneV2x86 -f /android/resultfiles/HTVOneV/lime7-31-13_1317.lime linux_pslist Volatile Systems Volatility Framework 2.3_alpha WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes Offset Name Pid Uid Start Time ---------- -------------------- --------------- --------------- ---------- No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space WindowsCrashDumpSpace32: No base Address Space JKIA32PagedMemoryPae: No base Address Space AMD64PagedMemory: No base Address Space JKIA32PagedMemory: No base Address Space IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid WindowsCrashDumpSpace32: Header signature invalid JKIA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long' AMD64PagedMemory: Incompatible profile LinuxprofileHTCOneV2x86 selected JKIA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long' IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled FileAddressSpace: Must be first Address Space ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'

11 years, 7 months

2
2
0 0

linux swap structs

by Edwin Smulders

Hey all, A while ago I did some experiments with finding the swap_info_structs for linux swap files/devices. Since I don't have time to finish any work on that (this was the easy part) I've uploaded it to my github: https://github.com/Dutchy-/volatility-plugins/blob/master/linux/swap.py Do with it as you wish :D note that a proper swap implementation would likely need modification in volatility itself, not just a plugin. Cheers, Edwin PS. I've also added all the plugins from my submission to the plugin contest.

11 years, 8 months

1
0
0 0

An evaluation platform for forensic memory acquisition software.

by George M. Garner Jr.

This post is not specifically about Volatility; however, I know that the topic will be of interest to many list members. Reliable memory analysis depends on reliable memory acquisition. No matter how good an analysis tool is, it can only analyze what is in the memory "dump." If the memory acquisition tool produces an incomplete or erroneous memory dump the analysis will also fail or be misleading. It is thus with pleasure that I note the progress that is being made toward developing a critical framework for evaluating and testing memory acquisition tools. The latest contribution is by Stefan Vömel and Johannes Stüttgen whose paper, "An evaluation platform for forensic memory acquisition software" was presented at the recent DFRWS conference and may be downloaded from the following link: http://www.dfrws.org/2013/proceedings/DFRWS2013-11.pdf. The authors adopt an approach which they call "white-box testing" whereby the authors modify the source code for various open source tools (win32dd, mdd, winpmem) to insert hypercalls at various locations in the acquisition process. The hypercalls inform the test platform of various important system events and operations and inspect the state of the subject system at the moment of the hypercall. The state as recorded by the hypercalls is then used as a metric to evaluate the reliability (i.e. "correctness") of the tool which is under test. The approach has a number of significant limitations which the authors acknowledge, the most significant of which is that they require the source code which must be modified in order to perform the test. Most commercial tool vendors do not provide the source code to their memory acquisition tools. Even one of the open source tools tested by Vömel and Stüttgen, win32dd, is an old version of the current closed-source Moonsols tool which contains many bug fixes which are not in the open source precursor. As far as I am aware the MDD tool is no longer supported or under active development. Michael Cohen's winpmem is the only currently supported tool that the authors were able to test. Another significant limitation is that the test platform is tied to a highly customized version of the Bochs x86 PC emulator. The test platform is restricted to 32-bit versions of Windows with not more than 2 GiB of memory. The acquisition of physical memory from systems equipped with more than 4 GiB of memory and from 64-bit versions of Microsoft Windows are areas where memory acquisition tool vendors have stumbled in the past. Possibly all contemporary memory acquisition tools handle 64-bit systems and systems with more than 4 GiB of memory correctly; however, we would like to be able to test this and not rely solely on faith. One limitation which the authors do not discuss is the impact of restricting the test platform to a particular VM (i.e. Bochs). In our experience VMs provide a much more highly predictable and stable environment than real hardware and may not be a good indication of how a memory acquisition tool will perform on real hardware. In addition, as was mentioned previously on this list, different VM manufacturers have chosen to emulate very different PC designs. How a tool performs on VMWare may not be a good indicator of how the same tool will perform on Microsoft Hyper-V or VirtualBox or KVM. Also, the authors do not acknowledge the possibility that memory acquisition tools may perform differently on different versions of the Microsoft operating system. Each new version of the Microsoft operating system has brought changes to the Windows memory manager, in some cases significant changes. Currently, we are (out of necessity) using acquisition methods that differ in varying degrees on Microsoft Windows XP, Windows 2003 SP1 and later, Windows Vista, Windows 7 and Windows 8. For Windows 8.1 Preview we have found it necessary to invent new methods that are different from all of the methods which we previously employed. Finally, the authors do not articulate the theoretical framework for forensic volatile memory acquisition which serves as the basis for their notion of "correctness." Historically, computer forensic experts have evaluated the acquisition of volatile memory as an "imaging" process. Most computer forensic experts were familiar with the imaging of "dead" hard drives. It was natural to assume memory acquisition was doing much the same thing. The problem is that a running computer system is by nature a stochastic process (more precisely, it is a "continuous time stochastic process") which cannot be "imaged." It can only be sampled. Sampling is a common technique in forensic science, other than in computer forensics. Computer forensics is somewhat unique among forensic "sciences" in its almost exclusive reliance upon "imaging" as a standard of reliability. It is difficult not to note the severe tension which exists between this theoretic framework and the reality of modern computer design. Not only is "live" imaging of hard drives now commonplace for practical reasons (which equally aren't true images) but also, as we now know, a hard drive is an embedded computer system which may alter the physical layout of data on the disks any time power is applied to the drive. The theoretical approach which we have advocated (see, e.g. Garner, Maut Design Document (unpublished manuscript, 2011), is to view volatile memory acquisition as a process of sampling the state of a continuous-time stochastic process. We further propose to use the structural elements created by the operating system and the hardware as a metric to evaluate the reliability of the sampling process. We believe that these structural elements may be used for this purpose because they possess the Markhov property. Their future state is predictable, depending entirely on their present state and is conditionally independent of the past. A sample is said to be reliable when it is "representative" of the entire population. In other words, a sample is reliable with respect to a specific issue of material fact if an inference drawn upon the basis of the sample will arrive at the same conclusion as if the inference were drawn upon the basis of the entire population. The authors appear to assume the tradition "imaging" framework for volatile computer memory acquisition, however, this assumption should be stated since the entire rest of the paper depends on it. In conclusion, this paper makes an important contribution to a topic that is important for the future of computer forensics. However, the authors need to better articulate their assumptions. Development of a professional memory forensic tool testing platform will require the development of a test enviroment which overcomes the current limitations. Regards, George M. Garner Jr. President GMG Systems, Inc.

11 years, 8 months

5
9
0 0

Analyzing large KVM/libvrt dumps

by Juerg Haefliger

Hi all, I wrote a little tool to convert a KVM/libvirt dump to a raw memory file (https://github.com/juergh/lqs2mem) Volatility seems to be able to handle the resulting file just fine for small dumps but not so much the larger they get. Specifically, things start to break when the memory size of the VM approaches 4 GB. I double and triple checked my code and can't find anything obviously wrong (like using a 32bit variable for a 64bit address or pointer). I also don't think that Volatility has a problem with larger dumps since it can handle a 8 GB memory dump that I obtained using some other means. I'm just running out of ideas and am looking for some help or suggestions on how to debug this further. In my testing with Win 2008 R2 SP1 x64 I found that (see full outputs below): 1) imageinfo and pslist return the correct output for VMs with less than 3588 MB 2) pslist only returns a single task (System) for VMs larger than 3587 MB 3) imageinfo shows only 1 processor (when there are actually two) for VMs larger than 3712 MB (give or take) Any help is greatly appreciated. Thanks ...Juerg VM memory size: 3584 MB: Determining profile based on KDBG search... Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 AS Layer1 : AMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/var/lib/libvirt/qemu/save/win-3584.ram) PAE type : PAE DTB : 0x187000L KDBG : 0xf800017fb0a0 Number of Processors : 2 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff800017fcd00L KPCR for CPU 1 : 0xfffff880009b8000L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2013-07-16 12:24:50 UTC+0000 Image local date and time : 2013-07-16 12:24:50 +0000 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0xfffffa8002a7cb30 System 4 0 70 396 ------ 0 2013-07-16 12:24:33 UTC+0000 0xfffffa80030f09d0 smss.exe 220 4 4 31 ------ 0 2013-07-16 12:24:33 UTC+0000 0xfffffa80034574d0 csrss.exe 300 292 9 339 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa8003465b30 wininit.exe 352 292 7 93 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa8003469b30 csrss.exe 368 344 8 76 1 0 2013-07-16 12:24:34 UTC+0000 0xfffffa800349c280 winlogon.exe 412 344 5 83 1 0 2013-07-16 12:24:34 UTC+0000 0xfffffa80034a7160 services.exe 448 352 17 215 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa80034b4b30 lsass.exe 464 352 9 458 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa80034b64f0 lsm.exe 472 352 12 194 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa800350cb30 svchost.exe 584 448 17 355 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa8003522060 svchost.exe 664 448 13 221 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa8003547060 svchost.exe 724 448 16 312 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa8003552b30 LogonUI.exe 744 412 8 157 1 0 2013-07-16 12:24:34 UTC+0000 0xfffffa8003572b30 svchost.exe 812 448 43 782 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa8003594b30 svchost.exe 856 448 14 234 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa800359b9b0 svchost.exe 900 448 8 128 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa80035b3060 svchost.exe 940 448 19 361 0 0 2013-07-16 12:24:34 UTC+0000 0xfffffa80035fcb30 svchost.exe 372 448 16 259 0 0 2013-07-16 12:24:35 UTC+0000 0xfffffa80035f6b30 spoolsv.exe 1048 448 8 89 0 0 2013-07-16 12:24:35 UTC+0000 0xfffffa8003679650 blnsvr.exe 1076 448 7 100 0 0 2013-07-16 12:24:35 UTC+0000 0xfffffa80035e5450 svchost.exe 1116 448 4 50 0 0 2013-07-16 12:24:35 UTC+0000 0xfffffa8003732b30 WmiPrvSE.exe 1364 584 15 294 0 0 2013-07-16 12:24:35 UTC+0000 0xfffffa8003767250 svchost.exe 1484 448 12 241 0 0 2013-07-16 12:24:35 UTC+0000 0xfffffa80037df620 WmiApSrv.exe 1684 448 7 112 0 0 2013-07-16 12:24:36 UTC+0000 0xfffffa80037a56c0 WmiPrvSE.exe 1716 584 7 105 0 0 2013-07-16 12:24:36 UTC+0000 0xfffffa8003763270 WmiPrvSE.exe 1764 584 7 175 0 0 2013-07-16 12:24:38 UTC+0000 VM memory size: 3588 MB Determining profile based on KDBG search... Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 AS Layer1 : AMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/var/lib/libvirt/qemu/save/win-3588.ram) PAE type : PAE DTB : 0x187000L KDBG : 0xf8000180e0a0 Number of Processors : 2 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff8000180fd00L KPCR for CPU 1 : 0xfffff880009b8000L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2013-07-16 12:50:59 UTC+0000 Image local date and time : 2013-07-16 12:50:59 +0000 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0xfffffa800308d9e0 System 4 0 68 275 ------ 0 2013-07-16 12:50:55 UTC+0000 VM memory size: 3840 MB Determining profile based on KDBG search... Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 AS Layer1 : AMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/var/lib/libvirt/qemu/save/win-3840.ram) PAE type : PAE DTB : 0x187000L KDBG : 0xf800018400a0 Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xfffff80001841d00L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2013-07-16 12:28:55 UTC+0000 Image local date and time : 2013-07-16 12:28:55 +0000 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0xfffffa80033849e0 System 4 0 72 -------- ------ 0 2013-07-16 12:28:47 UTC+0000

11 years, 8 months

5
8
0 0

Extracting Memory Mapped/Cached Files

by AAron Walters

vol-users, During last year's OMFW, I gave a presentation on a new Volatility plugin called dumpfiles[1]. This plugin automates the process of extracting both memory mapped and cached files. While we have distributed early versions of the plugin in the Volatility training classes, we are in the final stages of testing for its inclusion in the upcoming 2.3 release. If you have some cycles and interest in helping us test, please send me a note off-list. Thanks, AW PS: Special thanks to Ikelos, MHL, Gleeda, attc, and Carl Pulley for their help with earlier versions! [1] http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-…

11 years, 8 months

1
0
0 0

Amsterdam class sold out, next public training is in Reston, VA in November

by Andrew Case

We are writing to announce that our upcoming Amsterdam class is completely sold out and that our next public training will be in Reston, VA in November. We have a blog post on the Reston training here: http://volatility-labs.blogspot.com/2013/06/memory-forensics-training-resto… This will be our last public training of 2013 and we are actively planning 2014 trainings. These will be announced when they are ready. Our last Reston class sold out a full month in advance so please contact us ASAP if you would like to attend.

11 years, 8 months

1
0
0 0

Reminder: OMFW 2013

by AAron Walters

Volatility Community, If you are planning to attend the Open Memory Forensics Workshop 2013, I would suggest registering soon. We only have a limited number of seats remaining: https://www.volatilityfoundation.org/default/omfw PS: The only way to reserve a seat is by emailing: info [at] volatilesystems [dot] com Thanks, AAron Walters The Volatility Foundation

11 years, 8 months

1
0
0 0

Re: [Vol-users] Analyzing large KVM/libvrt dumps

by Sebastien Bourdon-Richard

Juerg, *Or are you saying that I need to shift everything resulting in a file that is bigger than the actual physical RAM size of the VM?* Yes. Physical address space is always bigger than physical RAM because it contains device memory ( http://blogs.technet.com/blogfiles/markrussinovich/WindowsLiveWriter/Pushin… ). *In my testing with Win 2008 R2 SP1 x64 I found that (see full outputs below):* *1) imageinfo and pslist return the correct output for VMs with less than 3588 MB 2) pslist only returns a single task (System) for VMs larger than 3587 MB* I think important structure used by pslist are usually map over 0x100000000 on Windows 7/2008 with more that 3.5GB (approximately, depending on the hardware installed). During my (limited) tests, I was not able to run pslist on those OS without the proper padding of my vmem files: https://volatility.googlecode.com/issues/attachment?aid=2720017001&name=Vme… Sebastien On Wed, Aug 7, 2013 at 12:06 PM, Juerg Haefliger <juergh(a)gmail.com> wrote: > Hi Sebastien, > > > > Hello Juerg, > > > > Your issues seems to be similar to the one I had with VmWare > Workstation. To > > solve the problem, I have wrote a vmem address space that use vmss > metadata > > to pad the hardware range: > > > > https://code.google.com/p/volatility/issues/detail?id=272#c17 > > I read through that email chain but don't claim to understand it all. > > > > Maybe you need to do something similar with KVM. > > > > It depends on the hardware installed on your PC, but most of the time > (on my > > PCs), the range to pad was between 0xC0000000 - 0x100000000 > > Hmm... The KVM file contains page addresses that I use to seek in the > output file. If there are no pages for the 0xc000000 - 0x10000000 > range than that part of the output file will just contain garbage. Or > are you saying that I need to shift everything resulting in a file > that is bigger than the actual physical RAM size of the VM? > > ...Juerg > > > > Sebastien > > > > On Wed, Aug 7, 2013 at 7:20 AM, Juerg Haefliger <juergh(a)gmail.com> > wrote: > >> > >> Hi all, > >> > >> I wrote a little tool to convert a KVM/libvirt dump to a raw memory > >> file (https://github.com/juergh/lqs2mem) Volatility seems to be able > >> to handle the resulting file just fine for small dumps but not so much > >> the larger they get. Specifically, things start to break when the > >> memory size of the VM approaches 4 GB. I double and triple checked my > >> code and can't find anything obviously wrong (like using a 32bit > >> variable for a 64bit address or pointer). I also don't think that > >> Volatility has a problem with larger dumps since it can handle a 8 GB > >> memory dump that I obtained using some other means. I'm just running > >> out of ideas and am looking for some help or suggestions on how to > >> debug this further. > >> > >> In my testing with Win 2008 R2 SP1 x64 I found that (see full outputs > >> below): > >> > >> 1) imageinfo and pslist return the correct output for VMs with less than > >> 3588 MB > >> 2) pslist only returns a single task (System) for VMs larger than 3587 > MB > >> 3) imageinfo shows only 1 processor (when there are actually two) for > >> VMs larger than 3712 MB (give or take) > >> > >> Any help is greatly appreciated. > >> > >> Thanks > >> ...Juerg > >> > >> > >> > >> > >> VM memory size: 3584 MB: > >> > >> Determining profile based on KDBG search... > >> > >> Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, > >> Win7SP0x64, Win2008R2SP1x64 > >> AS Layer1 : AMD64PagedMemory (Kernel AS) > >> AS Layer2 : FileAddressSpace > >> (/var/lib/libvirt/qemu/save/win-3584.ram) > >> PAE type : PAE > >> DTB : 0x187000L > >> KDBG : 0xf800017fb0a0 > >> Number of Processors : 2 > >> Image Type (Service Pack) : 1 > >> KPCR for CPU 0 : 0xfffff800017fcd00L > >> KPCR for CPU 1 : 0xfffff880009b8000L > >> KUSER_SHARED_DATA : 0xfffff78000000000L > >> Image date and time : 2013-07-16 12:24:50 UTC+0000 > >> Image local date and time : 2013-07-16 12:24:50 +0000 > >> > >> Offset(V) Name PID PPID Thds Hnds > >> Sess Wow64 Start Exit > >> ------------------ -------------------- ------ ------ ------ -------- > >> ------ ------ ------------------------------ > >> ------------------------------ > >> 0xfffffa8002a7cb30 System 4 0 70 396 > >> ------ 0 2013-07-16 12:24:33 UTC+0000 > >> 0xfffffa80030f09d0 smss.exe 220 4 4 31 > >> ------ 0 2013-07-16 12:24:33 UTC+0000 > >> 0xfffffa80034574d0 csrss.exe 300 292 9 339 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa8003465b30 wininit.exe 352 292 7 93 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa8003469b30 csrss.exe 368 344 8 76 > >> 1 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa800349c280 winlogon.exe 412 344 5 83 > >> 1 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa80034a7160 services.exe 448 352 17 215 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa80034b4b30 lsass.exe 464 352 9 458 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa80034b64f0 lsm.exe 472 352 12 194 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa800350cb30 svchost.exe 584 448 17 355 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa8003522060 svchost.exe 664 448 13 221 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa8003547060 svchost.exe 724 448 16 312 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa8003552b30 LogonUI.exe 744 412 8 157 > >> 1 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa8003572b30 svchost.exe 812 448 43 782 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa8003594b30 svchost.exe 856 448 14 234 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa800359b9b0 svchost.exe 900 448 8 128 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa80035b3060 svchost.exe 940 448 19 361 > >> 0 0 2013-07-16 12:24:34 UTC+0000 > >> 0xfffffa80035fcb30 svchost.exe 372 448 16 259 > >> 0 0 2013-07-16 12:24:35 UTC+0000 > >> 0xfffffa80035f6b30 spoolsv.exe 1048 448 8 89 > >> 0 0 2013-07-16 12:24:35 UTC+0000 > >> 0xfffffa8003679650 blnsvr.exe 1076 448 7 100 > >> 0 0 2013-07-16 12:24:35 UTC+0000 > >> 0xfffffa80035e5450 svchost.exe 1116 448 4 50 > >> 0 0 2013-07-16 12:24:35 UTC+0000 > >> 0xfffffa8003732b30 WmiPrvSE.exe 1364 584 15 294 > >> 0 0 2013-07-16 12:24:35 UTC+0000 > >> 0xfffffa8003767250 svchost.exe 1484 448 12 241 > >> 0 0 2013-07-16 12:24:35 UTC+0000 > >> 0xfffffa80037df620 WmiApSrv.exe 1684 448 7 112 > >> 0 0 2013-07-16 12:24:36 UTC+0000 > >> 0xfffffa80037a56c0 WmiPrvSE.exe 1716 584 7 105 > >> 0 0 2013-07-16 12:24:36 UTC+0000 > >> 0xfffffa8003763270 WmiPrvSE.exe 1764 584 7 175 > >> 0 0 2013-07-16 12:24:38 UTC+0000 > >> > >> > >> VM memory size: 3588 MB > >> > >> Determining profile based on KDBG search... > >> > >> Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, > >> Win7SP0x64, Win2008R2SP1x64 > >> AS Layer1 : AMD64PagedMemory (Kernel AS) > >> AS Layer2 : FileAddressSpace > >> (/var/lib/libvirt/qemu/save/win-3588.ram) > >> PAE type : PAE > >> DTB : 0x187000L > >> KDBG : 0xf8000180e0a0 > >> Number of Processors : 2 > >> Image Type (Service Pack) : 1 > >> KPCR for CPU 0 : 0xfffff8000180fd00L > >> KPCR for CPU 1 : 0xfffff880009b8000L > >> KUSER_SHARED_DATA : 0xfffff78000000000L > >> Image date and time : 2013-07-16 12:50:59 UTC+0000 > >> Image local date and time : 2013-07-16 12:50:59 +0000 > >> > >> Offset(V) Name PID PPID Thds Hnds > >> Sess Wow64 Start Exit > >> ------------------ -------------------- ------ ------ ------ -------- > >> ------ ------ ------------------------------ > >> ------------------------------ > >> 0xfffffa800308d9e0 System 4 0 68 275 > >> ------ 0 2013-07-16 12:50:55 UTC+0000 > >> > >> > >> VM memory size: 3840 MB > >> > >> Determining profile based on KDBG search... > >> > >> Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, > >> Win7SP0x64, Win2008R2SP1x64 > >> AS Layer1 : AMD64PagedMemory (Kernel AS) > >> AS Layer2 : FileAddressSpace > >> (/var/lib/libvirt/qemu/save/win-3840.ram) > >> PAE type : PAE > >> DTB : 0x187000L > >> KDBG : 0xf800018400a0 > >> Number of Processors : 1 > >> Image Type (Service Pack) : 1 > >> KPCR for CPU 0 : 0xfffff80001841d00L > >> KUSER_SHARED_DATA : 0xfffff78000000000L > >> Image date and time : 2013-07-16 12:28:55 UTC+0000 > >> Image local date and time : 2013-07-16 12:28:55 +0000 > >> > >> Offset(V) Name PID PPID Thds Hnds > >> Sess Wow64 Start Exit > >> ------------------ -------------------- ------ ------ ------ -------- > >> ------ ------ ------------------------------ > >> ------------------------------ > >> 0xfffffa80033849e0 System 4 0 72 -------- > >> ------ 0 2013-07-16 12:28:47 UTC+0000 > >> _______________________________________________ > >> Vol-users mailing list > >> Vol-users(a)volatilityfoundation.org > >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > > >

11 years, 8 months

1
0
0 0

Verify image signatures or similar functionality

by sockify

Hi All Apologies if this has been addressed already but can't find it in the archives. Is volatility able to verify image signatures similar to how process monitor can? Suspect the answer is no as it's not a live system and may not be running under windows. None of the plugins seem to be able to do this from what I can see, just want to check I'm not missing something. Cheers Ben

11 years, 8 months

2
3
0 0

Alternate Data Stream and Volatility

by FRANCIS PROVENCHER

Hi all, I'v have a memory dump has an evidence for a case. Volatility can help me to discover "Alternate data stream" file on the system? Thanks for your help!

11 years, 9 months

3
4
0 0

Linux profiles for pikewerks images

by Edwin Smulders

Hey all, Has anyone already made profiles for the memory dumps at http://secondlookforensics.com/linux-memory-images/ ? I'm interested in both the new ones (june 2013) and the old ones. I know how to make profiles, but you'd save me quite a lot of time if you already have some <3 Cheers, Edwin

11 years, 9 months

1
0
0 0

determining a system's ip address

by Don Raikes

Hello, As part of an assignment for a security and privacy class I am taking I need to determine the ip address of a windowsXP system whose memory dump I have. Actually, it is the zeus.vmem dump from the volatility dump images download page. I have done a lot of searching in google, but haven't been able to find much about hwo to get this information. I tried the technique outlined at: http://code.google.com/p/volatility/wiki/CommandReference in the area concerning strings. When I use the perl script provided the only obvious ip address is 172.16.176.143 which is a private network address. My assignment is to determine the country of origin of the ip address, but so far I see no addresses which are not private addresses. Does anyone have any suggestions on how to proceed with finding the system's ip address? -- Best Regards, Donald HYPERLINK "http://www.oracle.com/" \nOracle Donald raikes | Accessibility Specialist/ QA Engineer Phone: HYPERLINK "tel:+15202717608"+15202717608 | Mobile: HYPERLINK "tel:+15202717608"+15202717608 Oracle Quality Assurance | Tucson, Arizona HYPERLINK "http://www.oracle.com/commitment" \nGreen Oracle Oracle is committed to developing practices and products that help protect the environment

11 years, 9 months

3
2
0 0

Virtual Machine - RedHat

by Robert Miller

Is there a Linux profile for RedHat for the latest version of volatility? I am attempting to run pslist against a VM running Redhat. However, I am having no luck. I used imagecopy to convert a .vmss and a .vmsn file to a memory dump file. Neither file works with pslist. I used the CentOS profile and the results are below. If I don't specify a profile, you don't see the "invalid pde_value" lines. Any ideas? > python vol.py --profile=LinuxCentOS63x64 -f serverName_vmsn.raw linux_pslist Volatile Systems Volatility Framework 2.3_beta *** Failed to import volatility.plugins.addrspaces.legacyintel (AttributeError: 'module' object has no attribute 'AbstractWritablePagedMemory') WARNING : volatility.obj : Overlay structure tty_struct not present in vtypes Offset Name Pid Uid Gid DTB Start Time ------------------ -------------------- --------------- --------------- ------ ------------------ ---------- WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100 WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100 WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 65d70100 No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Failed valid Address Space check IA32PagedMemoryPae: Incompatible profile LinuxCentOS63x64 selected IA32PagedMemory: Incompatible profile LinuxCentOS63x64 selected FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check

11 years, 9 months

2
3
0 0

Registration for the Open Memory Forensics Workshop 2013

by AAron Walters

We are excited to announce that the registration for the 4th annual OMFW is officially open. The workshop will be held on November 4, 2013 and will coincide with the Open Source Digital Forensics Conference. OMFW is the single most important event for those who are interested in pushing the state of the art of digital forensics and incident response. If you are interested in getting involved or have an exciting memory related topic that you would like to share with the digital forensics community, please let the team know. For those interested in attending, please see the official website for details: https://www.volatilityfoundation.org/default/omfw Due to the overwhelming response in previous year, we were not able to fulfill all the registration requests, so please be sure to register early! Check out what previous attendees of OMFW have said: "The OMFW was well mind blowing for the most part. The amount of knowledge the Volatility guys (and girl) have is insane." Glenn P. Edwards Jr. "For the last four years the Open Source Memory Forensics Workshop (OMFW) has hosted a collective whos who of memory forensics and provided a forum in which to discuss the latest advances and tools." Mike Webber "AAron was able to bring together an outstanding group of folks interested in memory forensics" and there was some spirited discussion among the participants along with some really outstanding talks/demos. It was also great to be able to put faces to folks who until then had only been handles in IRC or names on e-mail/blog posts in the past." Jim Clausing "My first impression of the event was that the underground could have set digital forensics back 3-5 years if they had attacked our small conference room. Where else do you have Eoghan Casey, Brian Carrier, Harlan Carvey, Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr., Andreas Schuster, Aaron Walters, et al, in the same room? I thought Brian Dykstra framed the situation properly when asking the following: I know this is an easy question for all you beautiful minds, but"" Richard Bejtlich REMINDER: If you are planning to submit to the Volatility Framework Plugin Contest, please make sure your entry is submitted before August 1, 2013. It is a great platform for getting visibility and other people interested in your exciting memory analysis projects. AAron Walters Volatility Foundation

11 years, 9 months

1
0
0 0

Problem reading mapped ranges in linux address spaces

by Edwin Smulders

Hi all, I am having a problem reading certain values in an address space. I know for certain that the range I am trying to read is mapped, i.e. there is a vma for it. The specific range in this case is shown in the vma list as this: 1206 0x00007faf9d98f000 0x00007faf9db4d000 r-x 0x0 8 1 241 /lib/x86_64-linux-gnu/libc-2.17.so The offset in this range that I am trying to read is 0x21e9b = 0x7faf9d9b0e9b the call may look like this: proc_as.read(0x7faf9d9b0e9b, 10) and it will return None, meaning it could not read that address. Using the linux_dump_map I exported the whole range and there's a pretty big empty (inaccessible) chunk in the middle, which appears as 0-bytes in the export. I know for a fact that my libc does not have a big area of 0-bytes, so this is pretty weird. It also works just fine for other processes in the same dump (so using the same libc). For research purposes I make my memory dumps with virtualbox, so I don't think it's an issue with memory corruption; as far as i can tell, virtualbox makes complete snapshots. Does anyone know what might cause this problem? Cheers, Edwin

11 years, 9 months

4
7
0 0

the problem about create a profile for my android

by yutruth

Dear Everyone: I have a problem about analysing an android memory these days. I am new to android memory forensic,and i analyse the windows memory before.But i think analysing an android memory may more interesting and valuable. I have followed the url "https://code.google.com/p/volatility/wiki/AndroidMemoryForensics#Build_a_Vo…" ,and i have done successfully. Now, by useing lime i can get my android memory, my android is samsung9001, and the memory file is ram.lime (almost 400M size). But the problem is that: when i use volatility2.3_beta to analyse the android memory , volatility can't identify the profle that i created. The output is below： Volatile Systems Volatility Framework 2.3_beta Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x0 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile LinuxGolfishARM selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check and i use -dd option the output is: yutruth@ubuntu:~/yutruth-android/volatility$ python vol.py --profile=Linuxsamsung9001ARM -f ~/yutruth-android/ram.lime linux_pslist -dd Volatile Systems Volatility Framework 2.3_beta DEBUG : volatility.plugins.overlays.linux.linux: samsung9001: Found dwarf file home/yutruth/yutruth-android/samsung9001-source/kernel/System.map with 407 symbols DEBUG : volatility.plugins.overlays.linux.linux: samsung9001: Found system file home/yutruth/yutruth-android/samsung9001-source/kernel/System.map with 1 symbols DEBUG : volatility.obj : Applying modification from BashTypes DEBUG : volatility.obj : Applying modification from BasicObjectClasses DEBUG : volatility.obj : Applying modification from ELF64Modification DEBUG : volatility.obj : Applying modification from HPAKVTypes DEBUG : volatility.obj : Applying modification from LimeTypes DEBUG : volatility.obj : Applying modification from MachoTypes DEBUG : volatility.obj : Applying modification from MbrObjectTypes DEBUG : volatility.obj : Applying modification from VMwareVTypesModification DEBUG : volatility.obj : Applying modification from VirtualBoxModification DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay DEBUG : volatility.obj : Applying modification from LinuxMountOverlay DEBUG : volatility.obj : Applying modification from LinuxObjectClasses DEBUG : volatility.obj : Applying modification from LinuxOverlay Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x6949190> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x18600040, instantiating lime_header DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x6949150> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0x0 DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible profile Linuxsamsung9001ARM selected DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Failed valid Address Space check DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> DEBUG1 : volatility.obj : None object instantiated: No suggestions available DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Failed valid Address Space check No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x0 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile Linuxsamsung9001ARM selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check Search the problem by google and i find some others have the same problem,but i can't find the solution. By the way, i know few people submit the problem last September and a week ago, and i know volatility can't support many Linux/android profile now, but i have create the profile for my android and just volatility can't identify:-( I do these things under the ubuntu10.04 on the vmware, and i don't download the newest dwarfdump, i just use " apt-get install dwarfdump" on the ubuntu10.04, and i am sure the CC_PATH and some PATH Variable is true. I may think the dwarf execute file is wrong. Thanks for your attention and sorry for my english. The attachment are my profile zip and dwarfdump execute file. Hope to get your apply soon ^_^( I may be mad for the problem) ------------------ best wishes yutruth

11 years, 9 months

1
0
0 0

the problem about create a profile for my android

by fan zhou

Dear everyone: I have a problem about analysing an android memory these days. I am new to android memory forensic,and i analyse the windows memory before.But i think analysing an android memory may more interesting and valuable. I have followed the url "https://code.google.com/p/volatility/wiki/ AndroidMemoryForensics#Build_a_Volatility_Profile" ,and i have done successfully. Now, by useing lime i can get my android memory, my android is samsung9001, and the memory file is ram.lime (almost 400M size). But the problem is that: when i use volatility2.3_beta to analyse the android memory , volatility can't identify the profle that i created. The output is below： Volatile Systems Volatility Framework 2.3_beta Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x0 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile LinuxGolfishARM selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check and i use -dd option the output is: yutruth@ubuntu:~/yutruth-android/volatility$ python vol.py --profile=Linuxsamsung9001ARM -f ~/yutruth-android/ram.lime linux_pslist -dd Volatile Systems Volatility Framework 2.3_beta DEBUG : volatility.plugins.overlays.linux.linux: samsung9001: Found dwarf file home/yutruth/yutruth-android/samsung9001-source/kernel/System.map with 407 symbols DEBUG : volatility.plugins.overlays.linux.linux: samsung9001: Found system file home/yutruth/yutruth-android/samsung9001-source/kernel/System.map with 1 symbols DEBUG : volatility.obj : Applying modification from BashTypes DEBUG : volatility.obj : Applying modification from BasicObjectClasses DEBUG : volatility.obj : Applying modification from ELF64Modification DEBUG : volatility.obj : Applying modification from HPAKVTypes DEBUG : volatility.obj : Applying modification from LimeTypes DEBUG : volatility.obj : Applying modification from MachoTypes DEBUG : volatility.obj : Applying modification from MbrObjectTypes DEBUG : volatility.obj : Applying modification from VMwareVTypesModification DEBUG : volatility.obj : Applying modification from VirtualBoxModification DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay DEBUG : volatility.obj : Applying modification from LinuxMountOverlay DEBUG : volatility.obj : Applying modification from LinuxObjectClasses DEBUG : volatility.obj : Applying modification from LinuxOverlay Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x6949190> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x18600040, instantiating lime_header DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x6949150> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0x0 DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible profile Linuxsamsung9001ARM selected DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Failed valid Address Space check DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> DEBUG1 : volatility.obj : None object instantiated: No suggestions available DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Failed valid Address Space check No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x0 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile Linuxsamsung9001ARM selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check Search the problem by google and i find some others have the same problem,but i can't find the solution. By the way, i know few people submit the problem last September and a week ago, and i know volatility can't support many Linux/android profile now, but i have create the profile for my android and just volatility can't identify:-( I do these things under the ubuntu10.04 on the vmware, and i don't download the newest dwarfdump, i just use " apt-get install dwarfdump" on the ubuntu10.04, and i am sure the CC_PATH and some PATH Variable is true. I may think the dwarf execute file is wrong. Thinks for your attention and sorry for my english. The attachment are my profile zip and dwarfdump execute file. Hope to get your apply soon ^_^( I may be mad for the problem)

11 years, 9 months

1
0
0 0

DFIR interview on healthy paranoia

by Andrew Case

I was recently on the Healthy Paranoia podcast talking about memory forensics during DFIR and other related topics: http://packetpushers.net/healthy-paranoia-show-14-digital-forensics-and-inc… Would appreciate any feedback or comments! Thanks, Andrew (@attrc)

11 years, 9 months

1
0
0 0

Virtual Machine / Linux memory

by Lou LaRocca

Maybe a stupid question here but does Volatility currently support the analysis of linux memory from a Virtual Machine? I see that it supports VM's and Linux separately but not together? Thanks in advance Lou

11 years, 9 months

3
3
0 0

Memory Forensics Training by Volatility Developers is headed back to Reston!

by Andrew Case

After quickly selling out our recent course in Reston, we have now scheduled another training there in November: http://volatility-labs.blogspot.com/2013/06/memory-forensics-training-resto… This course is taught directly by Volatility developers, and provides intense training in memory forensics for incident response, malware analysis, and digital forensic investigation. We already have quite a few people signed up and had to turn away people last time, so please contact us ASAP if you are interested in taking it. Thanks, Andrew (@attrc)

11 years, 10 months

1
0
0 0

OT: Using netsh to set ip address of an interface on winfe/winpe 4.0.

by George M. Garner Jr.

This post is off-topic; however, there are a lot of bright people on this list so maybe someone will be able to help. I need to set a static ipv4 address on an interface in WinPE4.0/WinFE4.0. For example the following command works on Windows 8: netsh.exe interface ip set address Ethernet static 192.168.0.5 255.255.255.0 On WinPE 4.0 I am getting an error that the interface is not found which is odd since the interface appears in the list of interfaces. For example: netsh.exe interface ip show interfaces and netsh.exe interface ip show interface Ethernet both work as expected. I can also add a route on the interface in WinPE, e.g.: netsh.exe interface ip add route 192.168.0.0/24 Ethernet works. It is just adding the static ip address that doesn't work. I have also tried using the IF index instead of the interface name; still no joy. Unfortunately I can't use dhcp in some applications because the client broadcasts an announcement that I am present, which wouldn't be prudent. I am wondering if there isn't maybe some dependency that is missing from my winpe installation? Anyone have any thoughts? Regards, George.

11 years, 10 months

2
4
0 0

Problem using bitmaps in overlays

by Carl Pulley

Hi all, I'm currently attempting to code up a bitmap (within an overlay) that consists of an array of 4 ulongs. With (say) a single ulong, the following works great: profile.merge_overlay({ 'XXX': [ None, ['Flags', {'target': 'unsigned long', 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]] }) However, the obvious generalisation to 4 ulongs: profile.merge_overlay({ 'XXX': [ None, ['Flags', {'target': ['array', 4, ['unsigned long']], 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]] }) fails. Looking at the source, the profile.merge_overlay calls: obj.Object(['array', 4, ['unsigned long']], offset=0, ..) and this function in turn raises an exception (i.e. TypeError: unhashable type: 'list') when it calls: vm.profile.has_type(['array', 4, ['unsigned long']]) Attempts at using obj.Array instead also flounder. Does anyone have any hints or tips as to how best to deal with bitmaps that are arrays of bytes, ulongs or similar? Is it a case of having to extend the obj.Flags class so that such things can be handled? Many thanks, Carl.

11 years, 10 months

2
2
0 0

No shimcache data found

by Brian Keefer

I look at mostly Win7/64 systems and have always found shimcache data in memory images before. In the last several weeks only about 50% of the images I looked at had it. I'm running a 2.3 alpha build from a month or two ago (have been all this time). While not strictly a Volatility issue, could someone explain under what circumstances the data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1 and part 2 on my bookshelf, waiting...) Thanks! -- chort

11 years, 10 months

3
5
0 0

Final Week of Month of Volatility Plugins II is posted

by Andrew Case

We are writing as the final week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new and updated plugins used to analyze Mac systems. The first post demonstrated leveraging process cross-view analysis for Mac rootkit detection: http://volatility-labs.blogspot.com/2013/06/movp-ii-41-leveraging-process-c… The second post covered dumping, scanning, and searching process memory: http://volatility-labs.blogspot.com/2013/06/movp-ii-42-dumping-scanning-and… The third post discussed how to recover networking information: http://volatility-labs.blogspot.com/2013/06/movp-ii-43-recovering-mac-os-x-… The fourth post showed a number of artifacts in Mac kernel memory: http://volatility-labs.blogspot.com/2013/06/movp-ii-44-whats-in-your-mac-os… The fifth post analyzed the Rubilyn kernel rootkit and detected it in a number of ways: http://volatility-labs.blogspot.com/2013/06/movp-ii-45-mac-volatility-vs-ru… We hope you have enjoyed this month's posts and will be trying 2.3 when its released! If you have any questions or comments please comment on an individual blog post or reply to this email. Thanks, Andrew (@attrc)

11 years, 10 months

1
0
0 0

Mucho processes

by Glenn Edwards

Background: The user logged off (I know, I know) of the system (WinXP) and the first responder logged back in under a different user and took the memory dump. When running pslist against the memory dump there're 2,423 entries. I'm seeing a lot of entries where the process starts and exits - sometimes in a row: 0x89b3f868 userinit.exe 3808 548 0 -------- 0 0 2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000 0x89b89ad0 userinit.exe 3156 548 0 -------- 0 0 2013-05-26 10:00:28 UTC+0000 2013-05-26 10:00:28 UTC+0000 0x89b2a868 userinit.exe 3672 548 0 -------- 0 0 2013-05-26 11:30:11 UTC+0000 2013-05-26 11:30:11 UTC+0000 0x89afc020 userinit.exe 3388 548 0 -------- 0 0 2013-05-26 12:41:44 UTC+0000 2013-05-26 12:41:44 UTC+0000 0x89b49da0 userinit.exe 1336 548 0 -------- 0 0 2013-05-26 13:22:13 UTC+0000 2013-05-26 13:22:13 UTC+0000 and sometimes more spread out: 0x89c1da98 java.exe 4536 1368 0 -------- 0 0 2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000 0x89141020 cscript.exe 8608 4536 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000 0x89142da0 wmiprvse.exe 3152 832 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:25:42 UTC+0000 0x89144ac0 minituner.exe 1120 1368 0 -------- 0 0 2013-06-01 01:26:15 UTC+0000 2013-06-01 01:37:41 UTC+0000 0x8934d520 java.exe 9148 1368 0 -------- 0 0 2013-06-01 01:37:41 UTC+0000 2013-06-01 01:43:54 UTC+0000 0x8934e020 cscript.exe 7620 9148 0 -------- 0 0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:42:53 UTC+0000 0x895423b8 wmiprvse.exe 3664 832 0 -------- 0 0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:44:21 UTC+0000 0x895ce8a0 minituner.exe 9940 1368 0 -------- 0 0 2013-06-01 01:43:54 UTC+0000 2013-06-01 01:51:47 UTC+0000 0x893a3838 java.exe 4572 1368 0 -------- 0 0 2013-06-01 01:51:47 UTC+0000 2013-06-01 01:59:58 UTC+0000 Example of top processes by overall count of occurrence: $ cat pslist.txt | awk '{print $2}' | sort | uniq -c | sort -nr 364 java.exe 362 minituner.exe 335 userinit.exe 301 wmiprvse.exe 219 cscript.exe 192 verclsid.exe 91 wuauclt.exe 37 regsvr32.exe 34 winlogon.exe 34 csrss.exe [snip] I've never come across this before so I'm wondering if this could be attributed to the first responder not letting the system fully log them on prior to taking the memory dump and therefore there was a lot of still loading processes observed? -- Glenn Edwards @hiddenillusion

11 years, 10 months

3
4
0 0

hive file dump

by Jaroslav Brtan

Hi everyone, I would like to ask you if it is possible to dump the hive file from a memory image. For some reason the printkey cmd does not return expected values. In my virtualbox Windows xp sp3 image contains vboxtray.exe in the RUN key, but I dont see it in the printkey -K "Software\Microsoft\Windows\CurrentVersion\Run" cmd output I am using volatility version 2.3 beta. I want to use Windows registry recovery tool to check if it is able to get the info I need. Thank you Jaro

11 years, 10 months

1
0
0 0

coldboot - usb, iso or distro - using LiME

by Filipe Bernardo

Hello all, First congrats on a great tool :) I'm looking for some iso/distro to be able to do some "coldboot" testing, and i was thinking on using LiME module. Does anyone have done anything related to this, like a really small kernel booting to usb, and dump the mem? What do you guys use to do memory dumps? (on "real" systems not vm's ?) Thanks

11 years, 10 months

4
5
0 0

Third Week of Month of Volatility Plugins II is posted

by Andrew Case

We are writing as the third week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new and updated plugins used to analyze Linux and Android systems. The first post covered two new methods to detect kernel-level keyloggers: http://volatility-labs.blogspot.com/2013/05/movp-ii-31-linux-checktty.html The second post covered using Python and Yara to help with Linux & Android memory analysis: http://volatility-labs.blogspot.com/2013/05/movp-ii-32-linuxandroid-memory.… The third post discussed the updated and now automated bash history scanner: http://volatility-labs.blogspot.com/2013/05/movp-ii-33-automated-linuxandro… The fourth post discussed checking the ARM (Android) system call table and exception vector table for signs of rootkits: http://volatility-labs.blogspot.com/2013/06/movp-ii-34-checking-arm-android… The fifth post discussed utilizing the kmem_cache on Android systems: http://volatility-labs.blogspot.com/2013/06/movp-ii-35-utilizing-kmemcache-… We hope you enjoy the posts, and the fourth and final week of posts will begin tomorrow and cover a number of new plugins to help analyze Mac samples. If you have any questions or comments please comment on an individual blog post or reply to this email. Thanks, Andrew (@attrc)

11 years, 10 months

1
0
0 0

RE: [Vol-users] DPC procedure localization

by BRTAN Jaroslav

Thanks both of you for your help and advice. I will try to verify if the memory is allocated. I have to convert the memory image to the crash dmp. The --base switch works very well. I overlooked it in the help. Thanks Jaro Od: "Michael Hale Ligh" <michael.hale(a)gmail.com<mailto:michael.hale@gmail.com>> Datum: po, 6. 3, 2013 16:48 Předmět: [Vol-users] DPC procedure localization Komu: "George M. Garner Jr." <ggarner_online(a)gmgsystemsinc.com<mailto:ggarner_online@gmgsystemsinc.com>> Kopie: "vol-users" <vol-users(a)volatilesystems.com<mailto:vol-users@volatilesystems.com>> Thanks for the explanation George! Jaroslav - to answer your other question "how can I dump this using the offset 0x80013000?" you can use the moddump plugin with --base= 0x80013000. MHL On Mon, Jun 3, 2013 at 10:43 AM, George M. Garner Jr. < ggarner_online(a)gmgsystemsinc.com<mailto:ggarner_online@gmgsystemsinc.com>> wrote: > Jaroslav, > > Kernel timers come and go at a very high rate which leads to a significant > number of invalid or spurious timer artifacts which result from the fact > that the memory dump was acquired from the system while it was running. > Not that the last two timers are signaled and the periods are not > coherent. It is possible that the last two "timer" objects reside in > memory that once was a kernel timer object and has since been freed and > that some of the timer fields (e.g. the routine address) have been > overwritten with incoherent data. Try running the !pool command on the > last two timer addresses (0x863ead10 and 0x85e451e8) and see if that memory > is currently allocated. (I am assuming that you either have or can convert > your memory dump to MS crashdump format.) > > Regards, > > George. > > > On 6/3/2013 9:15 AM, BRTAN Jaroslav wrote: > >> Hi all, >> >> I'd like to ask you for your help with analysis. The timers module shows >> that there is a strange DPC at 0x8647e4e0. >> >> >> Timers module output: >> >> Offset(V) DueTime Period(ms) Signaled Routine >> Module >> ---------- ------------------------ ---------- ---------- ---------- >> ------ >> 0x873097d0 0x0000002f:0x2db9d0c3 0 - 0xa7386d8e >> arp1394.sys >> 0x85b9a2c8 0x8000002d:0x6d7d7c8e 0 - 0x80538a98 >> ntoskrnl.exe >> 0x8a332b20 0x0000002f:0x2ea5d991 0 - 0xb9ddef1a >> NDIS.sys >> 0x863ead10 0x00010014:0x863ead28 -205...072 Yes 0x8647e4e0 >> UNKNOWN >> 0x85e451e8 0x00010014:0x85e45200 -205...072 Yes 0x8647e4e0 >> UNKNOWN >> >> > ______________________________**_________________ > Vol-users mailing list > Vol-users(a)volatilesystems.com<mailto:Vol-users@volatilesystems.com> > http://lists.volatilesystems.**com/mailman/listinfo/vol-users<http://lists.volatilesystems.com/mailman/listinfo/vol-users> > The information in this message may be proprietary and/or confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify First Data immediately by replying to this message and deleting it from your computer.

11 years, 10 months

1
0
0 0

DPC procedure localization

by BRTAN Jaroslav

Hi all, I'd like to ask you for your help with analysis. The timers module shows that there is a strange DPC at 0x8647e4e0. Timers module output: Offset(V) DueTime Period(ms) Signaled Routine Module ---------- ------------------------ ---------- ---------- ---------- ------ 0x873097d0 0x0000002f:0x2db9d0c3 0 - 0xa7386d8e arp1394.sys 0x85b9a2c8 0x8000002d:0x6d7d7c8e 0 - 0x80538a98 ntoskrnl.exe 0x8a332b20 0x0000002f:0x2ea5d991 0 - 0xb9ddef1a NDIS.sys 0x863ead10 0x00010014:0x863ead28 -205...072 Yes 0x8647e4e0 UNKNOWN 0x85e451e8 0x00010014:0x85e45200 -205...072 Yes 0x8647e4e0 UNKNOWN I am not able to identify where this procedure belongs to. I've been searching through Volatility documentation project for a hint, but with no luck so far. Volshell show me that: >>> dis(0x8647e4e0, length=32) 0x8647e4e0 e0e4 LOOPNZ 0x8647e4c6 0x8647e4e2 47 INC EDI 0x8647e4e3 86e0 XCHG AL, AH 0x8647e4e5 e447 IN AL, 0x47 0x8647e4e7 86e8 XCHG AL, CH 0x8647e4e9 e447 IN AL, 0x47 0x8647e4eb 86e8 XCHG AL, CH 0x8647e4ed e447 IN AL, 0x47 0x8647e4ef 8600 XCHG [EAX], AL 0x8647e4f1 803b99 CMP BYTE [EBX], 0x99 0x8647e4f4 00403b ADD [EAX+0x3b], AL 0x8647e4f7 99 CDQ 0x8647e4f8 00b0fd7f0000 ADD [EAX+0x7ffd], DH 0x8647e4fe 0000 ADD [EAX], AL ... ... 0x8647e4c6 0000 ADD [EAX], AL 0x8647e4c8 d00a ROR BYTE [EDX], 0x1 0x8647e4ca 93 XCHG EBX, EAX 0x8647e4cb 8a00 MOV AL, [EAX] 0x8647e4cd 0000 ADD [EAX], AL 0x8647e4cf 20c8 AND AL, CL 0x8647e4d1 db12 FIST DWORD [EDX] 0x8647e4d3 8726 XCHG [ESI], ESP 0x8647e4d5 ad LODSD 0x8647e4d6 74e1 JZ 0x8647e4b9 0x8647e4d8 06 PUSH ES 0x8647e4d9 007000 ADD [EAX+0x0], DH 0x8647e4dc 0000 ADD [EAX], AL 0x8647e4de 0000 ADD [EAX], AL 0x8647e4e0 e0e4 LOOPNZ 0x8647e4c6 0x8647e4e2 47 INC EDI 0x8647e4e3 86e0 XCHG AL, AH 0x8647e4e5 e447 IN AL, 0x47 0x8647e4e7 86e8 XCHG AL, CH 0x8647e4e9 e447 IN AL, 0x47 0x8647e4eb 86e8 XCHG AL, CH 0x8647e4ed e447 IN AL, 0x47 0x8647e4ef 8600 XCHG [EAX], AL 0x8647e4f1 803b99 CMP BYTE [EBX], 0x99 0x8647e4f4 00403b ADD [EAX+0x3b], AL 0x8647e4f7 99 CDQ 0x8647e4f8 00b0fd7f0000 ADD [EAX+0x7ffd], DH 0x8647e4fe 0000 ADD [EAX], AL 0x8647e500 60 PUSHA 0x8647e501 793b JNS 0x8647e53e >>> dis(0x8647e53e) 0x8647e53e 3e869ec7130008 XCHG [ESI+0x80013c7], BL 0x8647e545 1000 ADC [EAX], AL 0x8647e547 0410 ADD AL, 0x10 0x8647e549 b268 MOV DL, 0x68 0x8647e54b 8a10 MOV DL, [EAX] 0x8647e54d b268 MOV DL, 0x68 0x8647e54f 8ad8 MOV BL, AL So I looked around and found that at offset 0x80013000 is a executable file >>> db(0x80013000, length=512) 0x80013000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 0x80013010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 0x80013020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x80013030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................ 0x80013040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th 0x80013050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is.program.canno 0x80013060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t.be.run.in.DOS. 0x80013070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$....... 0x80013080 5d ed 0b 95 19 8c 65 c6 19 8c 65 c6 19 8c 65 c6 ].....e...e...e. 0x80013090 19 8c 64 c6 30 8c 65 c6 da 83 38 c6 1e 8c 65 c6 ..d.0.e...8...e. 0x800130a0 da 83 6a c6 1b 8c 65 c6 da 83 3b c6 18 8c 65 c6 ..j...e...;...e. 0x800130b0 da 83 3a c6 1c 8c 65 c6 da 83 3f c6 18 8c 65 c6 ..:...e...?...e. 0x800130c0 52 69 63 68 19 8c 65 c6 00 00 00 00 00 00 00 00 Rich..e......... 0x800130d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x800130e0 50 45 00 00 4c 01 07 00 b4 52 02 48 00 00 00 00 PE..L....R.H.... 0x800130f0 00 00 00 00 e0 00 0e 01 0b 01 07 0a 00 1d 00 00 ................ 0x80013100 00 08 00 00 00 00 00 00 d3 1c 00 00 00 03 00 00 ................ 0x80013110 00 0e 00 00 00 30 01 80 80 00 00 00 80 00 00 00 .....0.......... 0x80013120 05 00 01 00 05 00 01 00 01 00 0a 00 00 00 00 00 ................ 0x80013130 00 28 00 00 00 03 00 00 e6 f1 00 00 01 00 00 24 .(.............$ 0x80013140 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 ................ 0x80013150 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................ 0x80013160 1c 1d 00 00 50 00 00 00 00 22 00 00 f8 03 00 00 ....P...."...... 0x80013170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x80013180 00 26 00 00 1c 01 00 00 b0 0e 00 00 1c 00 00 00 .&.............. 0x80013190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x800131a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x800131b0 00 00 00 00 00 00 00 00 00 0e 00 00 ac 00 00 00 ................ 0x800131c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x800131d0 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 .........text... 0x800131e0 84 0a 00 00 00 03 00 00 00 0b 00 00 00 03 00 00 ................ 0x800131f0 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68 ...............h , but this one seems to be battc.sys driver (how can I dump this using the offset 0x80013000?) 0x80015180 7a 65 44 65 76 69 63 65 00 00 42 41 54 54 43 2e zeDevice..BATTC. 0x80015190 53 59 53 00 46 ec 25 ff 00 3d 00 00 74 03 e9 03 SYS.F.%..=..t... I also tried to look around the offset 0x8647e4e0 for some strings 0x864716a0 00 00 00 00 00 00 00 00 00 00 00 00 43 3a 5c 50 ............C:\P 0x864716b0 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 57 61 76 rogram.Files\Wav 0x864716c0 65 20 53 79 73 74 65 6d 73 20 43 6f 72 70 5c 53 e.Systems.Corp\S 0x864716d0 65 72 76 69 63 65 73 20 4d 61 6e 61 67 65 72 5c ervices.Manager\ 0x864716e0 44 6f 63 4d 67 72 5c 62 69 6e 5c 64 6f 63 6d 67 DocMgr\bin\docmg 0x864716f0 72 2e 65 78 65 00 00 00 00 00 00 00 00 00 00 00 r.exe........... google: DocMgr from Wave Systems Corp. 0x86471890 00 00 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 73 ....C:\WINDOWS\s 0x864718a0 74 73 79 73 74 72 61 2e 65 78 65 00 00 00 00 00 tsystra.exe..... google: Sigmatel Audio system tray application 0x86474ce0 00 00 00 00 00 00 00 00 00 f0 c1 9c 53 62 54 72 ............SbTr 0x86474cf0 61 79 4d 61 6e 61 67 65 72 2e 65 00 00 00 00 00 ayManager.e..... google: known as the Safe Boot Tray Manager software 0x8647db30 0d 00 04 0a 56 69 47 63 65 00 78 00 70 00 6c 00 ....ViGce.x.p.l. 0x8647db40 6f 00 72 00 65 00 72 00 2e 00 65 00 78 00 65 00 o.r.e.r...e.x.e. Could it be that the unknown timer was registered by the battc.sys? If anybody can push me the right direction, I'll be more than thankful. Thank you Jaro The information in this message may be proprietary and/or confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify First Data immediately by replying to this message and deleting it from your computer.

11 years, 10 months

4
3
0 0

Second Week of Month of Volatility Plugins II is posted

by Andrew Case

We are writing as the second week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new and updated plugins used to analyze Windows systems. The first post discussed recovering RSA Private Keys and SSL Certificates from memory: http://volatility-labs.blogspot.com/2013/05/movp-ii-21-rsa-private-keys-and… The second post discussed recovering information about unloaded kernel modules from memory: http://volatility-labs.blogspot.com/2013/05/movp-ii-22-unloaded-windows-ker… The third post showed how to create timelines with in-memory data using Volatility: http://volatility-labs.blogspot.com/2013/05/movp-ii-23-creating-timelines-w… The fourth post demonstrated how to recover MFT entries and utilize them during investigations: http://volatility-labs.blogspot.com/2013/05/movp-ii-24-reconstructing-maste… The last post highlighted a number of new and updated plugins that are very useful during investigations: http://volatility-labs.blogspot.com/2013/05/movp-ii-25-new-and-improved-win… We hope you enjoy the posts, and the third week of posts will begin tomorrow and cover a number of new plugins to help analyze Linux and Android samples. If you have any questions or comments please comment on an individual blog post or reply to this email. Thanks, Andrew (@attrc)

11 years, 11 months

1
0
0 0

Automated Volatility Plugin Generation with Dalvik Inspector

by Joe Sylve

Hello, We wanted to take the opportunity to point you to a blog post which gives a preview of some of the research we've been working on at 504ENSICS Labs in the area of Android memory analysis. This time we are demoing a feature that will allow automatted volatility plugin generation with our Dalvik Inspector tool. We think our results will be of great interest to the DFIR community and look forward to your feed back. We plan on releasing the tool this year at Black Hat. The blog post can be found here: http://www.504ensics.com/automated-volatility-plugin-generation-with-dalvik… --- *Joe T. Sylve, M.S.* Co-Founder 504ENSICS Labs (504) 210-8270 (Office) http://www.504ensics.com PGP Key: http://www.504ensics.com/pgp_keys/joesylve.asc

11 years, 11 months

1
0
0 0

First week of Month of Volatility Plugins II is posted

by Andrew Case

Hello, We are writing as the first week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new address spaces we have added to support new hardware architectures and file formats. The first one is the MachO address space used to support Mac Memory Reader: http://volatility-labs.blogspot.com/2013/05/movp-ii-11-mach-o-address-space… The second is an address space used to support VirtualBox: http://volatility-labs.blogspot.com/2013/05/movp-ii-12-virtualbox-elf64-cor… The third address space allows for analysis of VMware snapshot files (.vmss and .vmsn): http://volatility-labs.blogspot.com/2013/05/movp-ii-13-vmware-snapshot-and-… The fourth address space supports the hpak format of the HBGary Fast Dump acquisition tool: http://volatility-labs.blogspot.com/2013/05/movp-ii-14-new-hpak-address-spa… The final address space discussed adds support for the ARM architecture. This is leveraged by Volatility's Android support: http://volatility-labs.blogspot.com/2013/05/movp-ii-15-arm-address-space-vo… We hope you enjoy the posts, and the second installment of posts will begin tomorrow and cover a number of new plugins to help analyzing Windows samples. If you have any questions or comments please comment on an individual blog post or reply to this email. Thanks, Andrew (@attrc)

11 years, 11 months

1
0
0 0

netscan plugin question

by Lou LaRocca

Greetings I am looking at Win 7 x86 SP1 memory and I dont understand why I am seeing "established connections" but no PID or Process with it. 0x2d07480 TCPv4 10.22.41.40:58767 38.126.225.229:43405ESTABLISHED -------- -------------- 0x1367da70 TCPv4 10.22.41.40:59302 151.213.50.211:22031ESTABLISHED -------- -------------- In addition I am seeing stuff "listening" and it contains the PID and Process. 0xdb838178 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 996 svchost.exe 0xdb850ab0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1440 spoolsv.exe 0xdb855e78 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1440 spoolsv.exe So my question is why can I see the listening processes but im not getting the Process that are established? Thanks for the help Lou

11 years, 11 months

2
1
0 0

Nice semi-old writeup

by James Lay

Might help someone on this list out: http://blog.solutionary.com/blog/bid/92402/Hunting-Malware-with-Memory-Anal… James

11 years, 11 months

1
0
0 0

Volatility News

by Jamie Levy

For those of you interested in applying memory forensics to your malware analysis and rootkit detection efforts, we've just posted a new blog with some exciting news and updates: http://volatility-labs.blogspot.com/2013/05/whats-happening-in-world-of-vol… * Volatility 2.3 will enter beta this week and we'll introduce the new features over the next four weeks (Month of Volatility Plugins II). * There are three training courses open for registration (Reston in June, Netherlands in September, Vermont in November). Email voltraining(a)memoryanalysis.net for details. * The plugin contest submissions are starting to trickle in. Enter to win over $2250 in cash or a free seat at an upcoming training. * This year's Open Memory Forensics Workshop will be in Chantilly VA on November 4th, alongside OSDFC (Open Source Digital Forensics Conference). CFP to be announced soon. All the best, Jamie / @gleeda The Volatility Project -- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

11 years, 11 months

1
0
0 0

Memory Forensics Training by Volatility Developers is coming to the Netherlands!

by Andrew Case

We are happy to announce that our memory forensics training course will be going to the Netherlands in September: http://volatility-labs.blogspot.com/2013/04/memory-forensics-training-nethe… This course is taught directly by Volatility developers, and will provide intense training in memory forensics for incident response, malware analysis, and digital forensic investigation. This will be our only course outside of the USA in 2013, and we have already had a number of people inquire about attending, so please contact us ASAP if you are interested in taking it. Thanks, Andrew (@attrc)

11 years, 12 months

1
0
0 0

Incorrect addresses in linux_proc_maps

by Edwin Smulders

Hi all, I've just created a profile for my Ubuntu 12.04 (3.5.0-25) and I've dumped the memory using virtualbox guestcoredump. Using the linux_proc_maps plugin I get the following output: http://paste.ubuntu.com/5576450/ I was expecting similar output to "cat /proc/<pid>/maps". As you can see, these "-0x4...000" addresses are obviously wrong. Is this I am doing wrong myself, or is this a bug? It happens for other processes as well. If this is a bug I'll make a new issue in the tracker with the steps I've followed to produce this. Cheers, Edwin

12 years

4
31
0 0

using vtop()

by kongo sec

HI, There was some talk on the #volatility irc channel.. Won't go into details, Basically, wondering how one can use vtop from volshell as it is not a plugin. thanks

12 years

2
1
0 0

NX/DEP Settings in Windows Memory

by Carl Pulley

Dear all, I was hoping that someone might be able to clear up a query I have wrt Windows memory and how it handles memory pages (specifically information regarding the pages executable permissions). I'm assuming that PAE is in use here. The idea is that we have some page (holding virtual address addr) within a processes address space and wish to know if that page is executable. Within user space, we can use the VADs and obtain executable information via vad.u.VadFlags.Protection - vadinfo.PROTECT_FLAGS allows the returned value (as an int) to be converted into a string representation. Within kernel space, we can use the PTE to determine information regarding the pages exec status - for example: def get_page_nx_bit(addrspace, addr): pdpte = addrspace.get_pdpte(addr) pde = addrspace.get_pde(addr, pdpte) pte = addrspace.get_pte(addr, pde) return pte >> 63 gets the NX bit for the PTE associated with a given page address. Now, in comparing bit 63 of the PTE entries against the VAD protection permissions in user space, I'm noticing the occasional difference. Naively, I'd expected the PTEs to agree with the protection information on the VADs (within user space). Any help or pointers to information resolving the above is very much appreciated. Many thanks, Carl.

12 years

2
1
0 0

Re: [Vol-users] Winpmem 1.4.1

by Ken Pryor

Thanks Michael. My whole purpose in this instance was to test the nbdserver project for my blog post. That's why I used this particular method. I'll follow up with Jeff and let him know what you came up with. Thanks! Ken On Mon, Apr 15, 2013 at 3:51 PM, Michael Cohen <scudette(a)gmail.com> wrote: > Ah that explains the crash then.... > > You can not read the entire physical address space from start to finish > because you will hit DMA regions which will cause your reads to activate > PCI devices and blue screen the box. You must skip the regions which are > reserved to PCI devices. > > The winpmem device driver allows you to read where ever you want (i.e. it > does not protect you from shooting yourself in the foot :-). The user space > application is supposed to figure out where its safe to read. From quickly > looking at the code for nbdserve > > https://github.com/jeffbryner/NBDServer/blob/master/main.cpp > > it does not seem to implement the correct algorithm for skipping the > reserved memory regions (it should make an IO control to the pmem driver > and ask it). There seems to be some code there to do it but it does not > seem complete to me. Maybe best ask the author? > > Anyway for the purpose of experimenting you could just manually write a > short bash script with dd involving the skip and seek parameters to skip > over the reserved regions and only image the available regions. This should > not crash. > > If you goal is just to obtain the image over the network, why not use > netcat like the example demonstrates? > > Thanks, > Michael. > > > > > > On 15 April 2013 22:34, Ken Pryor <kdpryor(a)gmail.com> wrote: > >> Hi Michael, >> >> Yes, I ran winpmem on the subject machine and allowed it to save an image >> file to that machine successfully. In my nbdserver test, I ran winpmem -l >> and verified the service was running. I went to the nbd Linux client and >> began the process of imaging pmem from the subject computer via the >> network. Running nbd-client on the Linux workstation, I assigned the pmem >> output coming over the network to /dev/nbd0. I used the following command >> line then to image: >> >> dd if=/dev/nbd0 of=./ramoutput.dd >> >> This has been successful on 32 bit XP machines, but it dies on the 64 bit >> machine. If this description doesn't make sense, I'll try to do a better >> description later this evening. >> >> Ken >> >> >> >> On Mon, Apr 15, 2013 at 12:16 PM, Michael Cohen <scudette(a)gmail.com>wrote: >> >>> Hi Ken, >>> I have not had a chance to play with nbdserver. Are you saying that >>> winpmem acquisition to the local disk completed ok? >>> >>> Did you manage to image with winpmem over a socket and netcat? Or are >>> you trying to image to a network share? >>> >>> Thanks, >>> Michael. >>> >>> >>> On 15 April 2013 18:25, Ken Pryor <kdpryor(a)gmail.com> wrote: >>> >>>> I recently used the latest version of winpmem in conjunction with Jeff >>>> Bryner's nbdserver to acquire ram for a couple different systems in support >>>> of a blog post I was writing. Acquisition of 1 gb memory from an XP 32 bit >>>> vm via the network worked perfectly. >>>> >>>> However, acquiring memory from a 64 bit Win 7 physical system with 12 >>>> GB ram failed. It would start okay, but would freeze up and reboot the Win >>>> 7 system at 3.5 GB every time when being acquired using nbdserver via the >>>> network. Using winpmem directly on the machine works successfully, but >>>> fails on the network. >>>> >>>> Any suggestions as to the problem? I can provide any data or follow up >>>> testing if needed. >>>> >>>> Ken >>>> >>>> _______________________________________________ >>>> Vol-users mailing list >>>> Vol-users(a)volatilityfoundation.org >>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>>> >>>> >>> >> >

12 years

1
0
0 0

Re: [Vol-users] Winpmem 1.4.1

by Ken Pryor

Hi Michael, Yes, I ran winpmem on the subject machine and allowed it to save an image file to that machine successfully. In my nbdserver test, I ran winpmem -l and verified the service was running. I went to the nbd Linux client and began the process of imaging pmem from the subject computer via the network. Running nbd-client on the Linux workstation, I assigned the pmem output coming over the network to /dev/nbd0. I used the following command line then to image: dd if=/dev/nbd0 of=./ramoutput.dd This has been successful on 32 bit XP machines, but it dies on the 64 bit machine. If this description doesn't make sense, I'll try to do a better description later this evening. Ken On Mon, Apr 15, 2013 at 12:16 PM, Michael Cohen <scudette(a)gmail.com> wrote: > Hi Ken, > I have not had a chance to play with nbdserver. Are you saying that > winpmem acquisition to the local disk completed ok? > > Did you manage to image with winpmem over a socket and netcat? Or are you > trying to image to a network share? > > Thanks, > Michael. > > > On 15 April 2013 18:25, Ken Pryor <kdpryor(a)gmail.com> wrote: > >> I recently used the latest version of winpmem in conjunction with Jeff >> Bryner's nbdserver to acquire ram for a couple different systems in support >> of a blog post I was writing. Acquisition of 1 gb memory from an XP 32 bit >> vm via the network worked perfectly. >> >> However, acquiring memory from a 64 bit Win 7 physical system with 12 GB >> ram failed. It would start okay, but would freeze up and reboot the Win 7 >> system at 3.5 GB every time when being acquired using nbdserver via the >> network. Using winpmem directly on the machine works successfully, but >> fails on the network. >> >> Any suggestions as to the problem? I can provide any data or follow up >> testing if needed. >> >> Ken >> >> _______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> >> >

12 years

1
0
0 0

Technology Preview hivedump question

by James Lay

Hey all, So far I am unable to get hivedump to work specifying an offset in either interactive or non-interactive mode: Offset(V) Offset(P) Name 0xe1036b60 0x4948ab60 \Device\HarddiskVolume1\Windows\system32\config\SYSTEM @ 0xe1036b60 ./vol.py --profile=WinXPSP3x86 -f ../20130412-194645.raw hivedump -o 0xe1036b60 ************************************************** Hive - Last Written Key ------------------------ --- ERROR:root:Error: invalid literal for int() with base 10: 'x' ERROR:root:invalid literal for int() with base 10: 'x'. Try --debug for more information. Not specifying an offset works however: ./vol.py --profile=WinXPSP3x86 -f ../20130412-194645.raw hivedump ************************************************** Hive \Device\HarddiskVolume1\Documents and Settings\ACS\NTUSER.DAT @ 0xe1452b60 Last Written Key ------------------------ --- 2013-04-10 18:32:35+0000 CMILoadedHive-{D6ED518C-64C9-49F9-A016-8B8A7E2C051E}/AppEvents ... Any hints on what I could be doing wrong? Thank you. James

12 years

3
3
0 0

Winpmem 1.4.1

by Ken Pryor

I recently used the latest version of winpmem in conjunction with Jeff Bryner's nbdserver to acquire ram for a couple different systems in support of a blog post I was writing. Acquisition of 1 gb memory from an XP 32 bit vm via the network worked perfectly. However, acquiring memory from a 64 bit Win 7 physical system with 12 GB ram failed. It would start okay, but would freeze up and reboot the Win 7 system at 3.5 GB every time when being acquired using nbdserver via the network. Using winpmem directly on the machine works successfully, but fails on the network. Any suggestions as to the problem? I can provide any data or follow up testing if needed. Ken

12 years

1
0
0 0

Re: [Vol-users] Dump hives to diesk

by James Lay

On 2013-04-12 15:24, Carl Pulley wrote: > Hi James, > you'll be able to do this using the dumpfiles plugin (it > reconstructs the memory view of the on disk file system using the > shared cache). I understand that this will be released with the > Volatility 2.3 release. > > All the best, > > Carl. Ah...guess I am out of luck until then...thank you! James

12 years

2
2
0 0

Re: [Vol-users] Dump hives to diesk

by James Lay

On 2013-04-12 15:59, Michael Cohen wrote: > you can try to install pytz :-) > > for example on ubuntu the package is called python-tz: > > apt-get install python-tz > > on windows you need to get pip or easy install then > > pip install pytz > > Or you can try the windows binary from the downloads section because > it has no required dependencies. > > Michael. Heh..always so easy :) Thanks...it's flying now. Last thing I think I need is plugins...here's what the TP responds with: subcommands: The following plugins can be selected. Plugin dis Disassemble the given address space. dt Print a symbol. dump Hexdump an object or memory location. grep Search an address space for keywords. guess_profile Guess the exact windows profile using heuristics. imagecopy Copies a physical address space out as a raw DD image info Print information about various subsystems. load_as Load address spaces into the session if its not already loaded. null This plugin does absolutely nothing. peinfo Print information about a PE binary. is there a different spot do snag the plugins, or am I barking up the wrong tree? Thanks again for all your help on this. James

12 years

1
1
0 0

Re: [Vol-users] Dump hives to diesk

by James Lay

On 2013-04-12 15:44, Michael Cohen wrote: > Note that this actually is already available in the tech preview > edition using a slightly different mechanism (Its specific to > registry > hives instead of for generally cached files): > > > https://volatility.googlecode.com/svn/branches/scudette/docs/user_manual.ht… > [3] > > YMMV > Michael. Thanks Michael...I did give that a go but got: ImportError: No module named pytz Betting I'm missing something. Thanks again. James

12 years

1
0
0 0

Re: Fwd: [Vol-users] Dump hives to diesk

by James Lay

On 2013-04-12 15:43, david nardoni wrote: > Here is a blog post that may suit your needs > > http://mikemachnik.com/2013/02/16/memdumpcracking/ [3] > > Dave Nardoni > dnardoni(a)gmail.com [4] > > On Fri, Apr 12, 2013 at 2:18 PM, James Lay <jlay(a)slave-tothe-box.net > [5]> wrote: > >> Hey all, >> >> Topic says it...any way to dump a full registry hive to disk? My >> plan is to import the SYSTEM and SECURITY into Cain ;) Thank you. >> >> James Thank you for the info...very useful! James

12 years

1
0
0 0

Dump hives to diesk

by James Lay

Hey all, Topic says it...any way to dump a full registry hive to disk? My plan is to import the SYSTEM and SECURITY into Cain ;) Thank you. James

12 years

1
0
0 0

Yarascan error

by James Lay

Topic says it...here's what I'm looking at: Volatile Systems Volatility Framework 2.2 Traceback (most recent call last): File "/usr/local/bin/vol.py", line 186, in <module> main() File "/usr/local/bin/vol.py", line 168, in main command = cmds[module](config) File "/opt/volatility-2.2/volatility/plugins/malware/malfind.py", line 347, in __init__ help = 'Match wide (unicode) strings') File "/opt/volatility-2.2/volatility/conf.py", line 364, in add_option self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args) File "/usr/lib/python2.7/optparse.py", line 1020, in add_option self._check_conflict(option) File "/usr/lib/python2.7/optparse.py", line 995, in _check_conflict option) optparse.OptionConflictError: option -W/--wide: conflicting option string(s): -W Any hints on how to get yarascan to run? Thank you. James

12 years

2
5
0 0

Re: [Vol-users] Troubleshooting vmsn image

by nir izraeli

Thanks, looking forward for your reply :) On Wed, Mar 20, 2013 at 3:18 PM, david nardoni <dnardoni(a)gmail.com> wrote: > I will get you all those details today, except the full snapshot. I can > not share that > > Happy to run whatever you need and provide output > > Sent from my iPhone > > On Mar 20, 2013, at 3:31 AM, nir izraeli <nirizr(a)gmail.com> wrote: > > Hi Dave, > > a few questions if you don't mind, > what's the VM version (vmware has numbered versions for their file > formats, you can usually look it up in the VM's properties)? > could you share the output of psscan? > what other plugins you've tried running? could you share the output? > will it be possible to upload the VMware snapshot somewhere so i could > look into it? > > Thanks, > - Nir. > > > > On Tue, Mar 19, 2013 at 2:31 AM, david nardoni <dnardoni(a)gmail.com> wrote: > >> I think I have some issues with a 8+gb VMware snapshot. I can get >> psscan and thrdscan output but no other output from other plugins. >> >> Any suggestions from the group on troubleshooting the image. >> >> Fyi I can see all the data when I view it in hbgary responder pro. >> >> Thanks >> >> Dave >> >> Sent from my iPhone >> _______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> > >

12 years

3
5
0 0

Android Application (Dalvik) Memory Analysis & the Chuli Malware

by Joe Sylve

Hello, We wanted to take the opportunity to point you to a blog post which gives a preview of some of the research we've been working on at 504ENSICS Labs in the area of Android memory analysis. We think our results will be of great interest to the DFIR community and look forward to your feed back. The blog post can be found here: http://www.504ensics.com/android-application-dalvik-memory-analysis-the-chu… --- Joe T. Sylve, M.S. Co-Founder 504ENSICS Labs www.504ensics.com | (504) 210-8270

12 years

1
0
0 0

Any actual LiME and Android Memory analysis on REAL devices?

by Pasquale Stirparo

Hi, I was wondering: did anyone ever managed to do an analysis with a real device? I know the answer is Yes. The thing is that I've seen around many nice examples and tutorials working... but all of them with the emulator. The only real device sample "in the wild" seems to be the Evo4GRodeo samples from DFWRS Challenge. This time I'm pretty sure I did (almost?) everything right. Although if it doesn't work, probably it's not. I've tried also with another smartphone other than the HTC One X, the Galaxy Nexus, getting the correct kernel version. No compilation errors, no module errors, no lime module crashing on the phone, no volatility profiles error, nothing. Everything (looks) right. But still, when trying to run volatility I still keep getting empty results like this: hydra:volatility-read-only paco$ python vol.py --profile=LinuxGalaxyNexus-3_0_1x86 -f ~/memdump/test-lime-4.7.lime linux_pslist Volatile Systems Volatility Framework 2.3_alpha WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- Now I start wondering two things: - Is it my lime dump the issue? the header looks fine, if I look inside with hexdump it seems reasonable, if I strings it I find my data. - Is it the volatility profile? Maybe, because I've event tried to dump the memory of my Galaxy Nexus with FROST (which uses LiME) and the result looks the same. So I started believing my problem is in the profile, although I cannot seem to find any other way to understand where the problem could be. So if anyone who successfully analyzed Android memory dumps from any real life device is willing to share his experience and/or Volatility profile, it would be great. Thanks P. -- Pasquale Stirparo, MEng GCFA, OPST, OWSE, ECCE

12 years

2
1
0 0

Re: [Vol-users] moddump Error: e_magic 8D4C is not a valid DOS signature.

by Michael Hale Ligh

Brian, You must be talking about Jesse's rawmoddump plugin. Its interesting to see how people go about solving problems. Rather than typing 3 lines into the existing volshell plugin, he re-implemented the same functionality into a 70 line file and then blogged about it as if it was some ground breaking new capability...lol. Anyway, there are a few possible explanations for finding a legitimate driver at an offset from the base address reported by modscan. One is that modscan found an _LDR_DATA_TABLE_ENTRY structure in physical memory that represents a driver that was once loaded at address XXXXXXXX but has since moved or unloaded. In that case, the kernel would be allowed to map another driver into that available space (starting at either the exact same or a nearby address). Another plausible scenario is that modscan found an _LDR_DATA_TABLE_ENTRY for a module that is still loaded at its original address (check with modlist which will show currently loaded modules). The driver has another driver embedded in its resources section that it installed or planned to install. In that case you would expect to find another PE file somewhere near the base of the first one. Hope this helps, MHL On Fri, Mar 22, 2013 at 12:28 AM, Brian Keefer <chort(a)effu.se> wrote: > Michael, > > Yes, modscan showed the file as being > from C:\Users\Bob\ApplicationData\dumpme.sys -like path. It's great to > learn this can be done via volshell, which is not something I've explored > yet. Someone else sent me a plugin off-list that essentially wraps that > functionality. > > It looks like the legitimate driver is at an offset from the base address > reported by modscan (is it typical for drivers to load from a user > directory?). I'm not sure what the padding is before it. Could it perhaps > be instructions, or maybe an XOR'd PE header? Not sure exactly. > > -- > chort > > > > On Mar 21, 2013, at 8:53 PM, Michael Hale Ligh wrote: > > Hey Brian, > > You can use volshell to extract an arbitrary region of memory from any > address space (in this case kernel memory if you're trying to acquire a > kernel module). However, what do you mean "reference a file in user's > AppData"? Is that the driver's path on disk (i.e. > C:\Users\Bob\ApplicationData\dumpme.sys)? > > You would use volshell like this: > > >>> data = self.addrspace.zread(assumed_base_address, assumed_module_size) > >>> with open('file.dmp', 'wb') as f: > ...... f.write(data) > >>> > > Cheers, > MHL > > > On Thu, Mar 21, 2013 at 5:32 PM, Brian Keefer <chort(a)effu.se> wrote: > >> Working with a ransomware infection, trying to dump one of the modules >> that looks suspicious (the only one to reference a file in user's AppData). >> I'm trying to dump it via the base address found through modscan, but >> getting: >> moddump Error: e_magic 8D4C is not a valid DOS signature. >> >> I tried -u. Is there any other way to dump it? >> >> -- >> chort >> >> >> >> _______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> > > >

12 years, 1 month

2
2
0 0

Whither fixiat.py?

by shorejsi2＠mmm.com

My Malware Analysts Cookbook refers to this module and I found a couple of videos on how to use it; I just can't seem to locate the module itself. Has it perhaps been deprecated by some other plugin or process? Thanks! -=[ Steve ]=-

12 years, 1 month

2
1
0 0

Re: [Vol-users] problems with centos

by bellissimopython＠email.it

> Hello,It seems you have identified some issues while the rest of the output is explainable. 1) linux_check_afinfoBeing empty means that > nothing is hooked (this is good)2) linux_check_creds, linux_pidhashtable, linux_psxview > These are missing support for your kernel version. Can you please paste the output of uname -a on your machine along with the specific > version of centos that you are using? > 3) linux_check_evt_arm & linux_check_syscall_arm > These only support ARM based computers (e.g. Android) and I assume your memory sample is from an Intel based computer. We will soon > have a patch that allows plugins to check what architecture they are being run against and then these plugins will report they are ARM only instead of having exceptions. > 4) linux_check_ttyThis seems like a bug we will have to fix.Thank you for your report and please get us the kernel & centos version so > we can attempt to fix some of them.Thanks,Andrew (@attrc) > Hi Andrew, I am sorry but it's my mistake because the os is not real centos but a derived. The os is clearos (infact centos based) distro for firewalls. Anyway: # uname -a Linux fw2.mycompany.local 2.6.18-308.1.1.v5 #1 SMP Sun Mar 11 18:15:19 MDT 2012 i686 i686 i386 GNU/Linux # cat /etc/issue ClearOS Enterprise Edition release 5.2 # cat /etc/redhat-release CentOS release 5.4 (Final) Thanks very much and I am sorry for the mistake. -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it: http://www.email.it/f Sponsor: Trascorri la Pasqua all'Hotel Maestri di Riccione a due passi dal mare, da Viale Ceccarini e dal nuovo lungomare pedonale. 2 giorni pensione completa a Euro 170 in doppia a persona, un bambino fino ai 6 anni in camera con due adulti gratuito Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12790&d=20130325 -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: Last minute giugno in all inclusive all'Hotel Fior di Loto di Rimini per due persone, una settimana, Euro 686 a coppia, pensione completa, bevande ai pasti, servizio spiaggia Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12774&d=25-3

12 years, 1 month

1
0
0 0

Re: [Vol-users] problems with centos

by bellissimopython＠email.it

> Hello,It seems you have identified some issues while the rest of the output is explainable. 1) linux_check_afinfoBeing empty means that > nothing is hooked (this is good)2) linux_check_creds, linux_pidhashtable, linux_psxview > These are missing support for your kernel version. Can you please paste the output of uname -a on your machine along with the specific > version of centos that you are using? > 3) linux_check_evt_arm & linux_check_syscall_arm > These only support ARM based computers (e.g. Android) and I assume your memory sample is from an Intel based computer. We will soon > have a patch that allows plugins to check what architecture they are being run against and then these plugins will report they are ARM only instead of having exceptions. > 4) linux_check_ttyThis seems like a bug we will have to fix.Thank you for your report and please get us the kernel & centos version so > we can attempt to fix some of them.Thanks,Andrew (@attrc) > Hi Andrew, I am sorry but it's my mistake because the os is not real centos but a derived. The os is clearos (infact centos based) distro for firewalls. Anyway: # uname -a Linux fw2.mycompany.local 2.6.18-308.1.1.v5 #1 SMP Sun Mar 11 18:15:19 MDT 2012 i686 i686 i386 GNU/Linux # cat /etc/issue ClearOS Enterprise Edition release 5.2 # cat /etc/redhat-release CentOS release 5.4 (Final) Thanks very much and I am sorry for the mistake. -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it: http://www.email.it/f Sponsor: Pasqua all'hotel Stella di Riccione, pernottamento e colazione, 2 gg Euro 106 a persona in doppia, bimbo fino a 3 anni GRATIS. Biglietti per i parchi Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12791&d=20130325 -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: Riduzione del 10% sulle tariffe di pensione per le prenotazioni pervenute entro il 30 aprile 2013 all'Hotel Embassy di Pesaro Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12769&d=25-3

12 years, 1 month

1
0
0 0

problems with centos

by bellissimopython＠email.it

Hi, I am trying to analyze a memory dump from a Centos server but I have got some problems. ------ Plugin linux_check_afinfo ------ --------------------------------- Volatile Systems Volatility Framework 2.3_alpha Symbol Name Member Address ------------------------------------------ ------------------------------ ---------- ------ Plugin linux_check_creds ------ --------------------------------- Volatile Systems Volatility Framework 2.3_alpha PIDs -------- ERROR : volatility.plugins.linux.check_creds: This command is not supported in this profile. ------ Plugin linux_check_evt_arm ------ --------------------------------- Volatile Systems Volatility Framework 2.3_alpha Check PASS/FAIL Info ------------------------------ --------- ------------------------------ SWI Offset Instruction FAIL - ------ Plugin linux_check_syscall_arm ------ --------------------------------- Volatile Systems Volatility Framework 2.3_alpha Index Address Symbol ---------- ---------- ------------------------------ Traceback (most recent call last): File "vol.py", line 186, in <module> main() File "vol.py", line 177, in main command.execute() File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute commands.Command.execute(self, *args, **kwargs) File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute func(outfd, data) File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 88, in render_text for (i, call_addr, hooked) in data: File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 66, in calculate num_syscalls = self._get_syscall_table_size() File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 38, in _get_syscall_table_size opcode = obj.Object("unsigned int", offset = vector_swi_addr, vm = self.addr_space) File "/root/vltlt/volatility-read-only/volatility/obj.py", line 169, in Object offset = int(offset) TypeError: int() argument must be a string or a number, not 'NoneType' ------ Plugin linux_check_tty ------ --------------------------------- Volatile Systems Volatility Framework 2.3_alpha Name Address Symbol ---------------- ---------- ------------------------------ Traceback (most recent call last): File "vol.py", line 186, in <module> main() File "vol.py", line 177, in main command.execute() File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute commands.Command.execute(self, *args, **kwargs) File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute func(outfd, data) File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 59, in render_text for name, call_addr in data: File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 52, in calculate recv_buf = tty_dev.ldisc.ops.receive_buf File "/root/vltlt/volatility-read-only/volatility/obj.py", line 735, in __getattr__ return self.m(attr) File "/root/vltlt/volatility-read-only/volatility/obj.py", line 717, in m raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr)) AttributeError: Struct ldisc has no member ops ------ Plugin linux_pidhashtable ------ --------------------------------- Volatile Systems Volatility Framework 2.3_alpha ERROR : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added. Offset Name Pid Uid Gid DTB Start Time ---------- -------------------- --------------- --------------- ------ ---------- ---------- ------ Plugin linux_psxview ------ --------------------------------- Volatile Systems Volatility Framework 2.3_alpha ERROR : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added. Offset(V) Name PID pslist pid_hash kmem_cache ---------- -------------------- ------ ------ -------- ---------- The others plugins work fine. Bye. -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it: http://www.email.it/f Sponsor: Una PASQUA in famiglia, in un hotel sul mare. L'Hotel Adelphi Riccione propone un'offerta con ingresso ai parchi inclusi e i bimbi gratis fino a tre anni. Piano famiglia a partire da 3 notti in mezza o pensione completa Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12777&d=20130322 -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: Last minute giugno in all inclusive all'Hotel Fior di Loto di Rimini per due persone, una settimana, Euro 686 a coppia, pensione completa, bevande ai pasti, servizio spiaggia Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12774&d=22-3

12 years, 1 month

2
1
0 0

moddump Error: e_magic 8D4C is not a valid DOS signature.

by Brian Keefer

Working with a ransomware infection, trying to dump one of the modules that looks suspicious (the only one to reference a file in user's AppData). I'm trying to dump it via the base address found through modscan, but getting: moddump Error: e_magic 8D4C is not a valid DOS signature. I tried -u. Is there any other way to dump it? -- chort

12 years, 1 month

2
1
0 0

Troubleshooting vmsn image

by david nardoni

I think I have some issues with a 8+gb VMware snapshot. I can get psscan and thrdscan output but no other output from other plugins. Any suggestions from the group on troubleshooting the image. Fyi I can see all the data when I view it in hbgary responder pro. Thanks Dave Sent from my iPhone

12 years, 1 month

2
1
0 0

Official Training by Volatility - Reston/VA, June 2013

by Jamie Levy

We are pleased to announce the next public Volatility training opportunity: the Windows Malware and Memory Forensics Training by The Volatility Project. This course will take place in Reston, VA from Monday, June 10th through Friday, June 14th 2013. For details, please see our blog: http://volatility-labs.blogspot.com/2013/03/official-training-by-volatility… or email us at: voltraining(a)memoryanalysis.net All the best, -gleeda -- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

12 years, 1 month

1
0
0 0

Huge PID in psxview

by shorejsi2＠mmm.com

I'm digging through a memory image of a pretty thoroughly compromised system using Volatility and I've run across something new (to me anyway...). There's a rogue process in the image that lists a PID which exceeds the width allocated by Volatility: 0xdba0f9a8 cmd.exe 5004 True True False True False True False 0xda247250 chrome.exe 4764 True True False True False True False 0x6da39918 ☼ 42...2 False False False False False False True 0xdcd97610 SearchFilterHo 6956 False True False False False False False 0xdace4568 PrintIsolation 6312 False True False False False False False I'd dearly love to get my hands on that executable, but I don't see an easy way to get the PID. Any easy way forward on this? -=[ Steve ]=-

12 years, 1 month

3
3
0 0

Getting volatility to analyse a memory dump of an old ubuntu system

by Boudewijn Ector

Hi Guys, I've been messing around for about a week trying to get volatility to analyse a memory dump of some system. Since this is part of a puzzle I know I should be able to analyse it (although I'm not sure volatility can , but it seems to be my best option). The actual question is this: I assume that I have a dump of a box running kernel version 2.6.32-45.104-generic-pae . How should I correctly create a profile in volatility to analyse this dump? I can create a profile but I don't think it's correct... Because I do make some assumptions, I'd like to share my workflow below. Please feel free to comment! My current setup is: - Recent ubuntu box - On which KVM resides - A "memory.raw" image of the memory of this machine. No other information was provided. First I wanted to determine what OS the image is from, and I had a look by grepping the image like this: strings memory.raw | grep -i <keyword> I scanned for keywords like: - Windows - Ubuntu - Debian - Fedora - RHEL Looks like it's actually ubuntu: boudewijn@ubuntu:~$ strings memory.raw | grep -i ubuntu | wc -l 1668 Okay for determining the kernel version, I started having a look at the output of grepping ubuntu, and I found: Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26) Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26 <5>[ 0.000000] Linux version 2.6.32-45-generic-pae (buildd@lamiak) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5.1) ) #104-Ubuntu SMP Tue Feb 19 21:36:53 UTC 2013 (Ubuntu 2.6.32-45.104-generic-pae 2.6.32.60+drm33.26) So I installed this kernel version 2.6.32-45.104-generic-pae, and rebooted (which is less work than changing the makefile etc.... I'm a lazy sod). Okay, make the profile: boudewijn@ubuntu:~/volatility/tools/linux$ make make -C //lib/modules/2.6.32-45-generic-pae/build CONFIG_DEBUG_INFO=y M=/home/boudewijn/volatility/tools/linux modules make[1]: Entering directory `/usr/src/linux-headers-2.6.32-45-generic-pae' CC [M] /home/boudewijn/volatility/tools/linux/module.o /home/boudewijn/volatility/tools/linux/module.c:70:33: error: linux/net_namespace.h: No such file or directory make[2]: *** [/home/boudewijn/volatility/tools/linux/module.o] Error 1 make[1]: *** [_module_/home/boudewijn/volatility/tools/linux] Error 2 make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-45-generic-pae' make: *** [dwarf] Error 2 Fix the include statement , to include /usr/src/linux-headers-2.6.32-45/include/net/net_namespace.h . make clean ;make followed... Created the overlay: boudewijn@ubuntu:~$ sudo zip volatility/volatility/plugins/overlays/linux/Ubuntu1004.zip volatility/tools/linux/module.dwarf /boot/System.map-2.6.32-45-generic-pae adding: volatility/tools/linux/module.dwarf (deflated 89%) adding: boot/System.map-2.6.32-45-generic-pae (deflated 74%) boudewijn@ubuntu:~$ Then I ran volatility with the newly created profile, and it crashed: boudewijn@ubuntu:~$ python volatility/vol.py -f memory.raw --profile LinuxUbuntu1004x86 imageinfo Volatile Systems Volatility Framework 2.2 Determining profile based on KDBG search... Suggested Profile(s) : No suggestion (Instantiated with LinuxUbuntu1004x86) AS Layer1 : JKIA32PagedMemoryPae (Kernel AS) AS Layer2 : FileAddressSpace (/home/boudewijn/memory.raw) PAE type : PAE DTB : 0x79b000L Traceback (most recent call last): File "volatility/vol.py", line 186, in <module> main() File "volatility/vol.py", line 177, in main command.execute() File "/home/boudewijn/volatility-2.2/volatility/commands.py", line 111, in execute func(outfd, data) File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py", line 34, in render_text for k, v in data: File "/home/boudewijn/volatility-2.2/volatility/plugins/imageinfo.py", line 91, in calculate kdbgoffset = volmagic.KDBG.v() File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 746, in __getattr__ return self.m(attr) File "/home/boudewijn/volatility-2.2/volatility/obj.py", line 728, in m raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr)) AttributeError: Struct VOLATILITY_MAGIC has no member KDBG I thought it might a an amd64 box, but grepping the output of strings memory.raw just renders +- 10 results. Way to few to be an amd64 box. Can anyone tell me what I'm actually doing wrong? Or is volatility just not the right tool for the job. Cheers, Boudewijn Ector

12 years, 1 month

2
3
0 0

Volatility Cheat Sheet

by Jamie Levy

Hello all, I thought I'd let you know that we've put together a cheat sheet that you might find useful when using Volatility in your investigations: http://volatility-labs.blogspot.com/2013/03/if-youre-going-to-cheat_15.html Also we plan to announce the next training opportunity for our Windows Malware and Memory Forensics Training Course on Monday, March 18th 2013 so stay tuned! All the best, -gleeda -- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

12 years, 1 month

2
1
0 0

moddump related

by Corey Harrell

I apologize in advanced if I'm overlooking something. I'm using the Windows binary of Volatility 2.2 on a Windows 7 platform. Could someone tell me how I can extract a certain driver using the offset? I looked at the moddump help and the offset option is not listed. I tried to use -o anyway and got an error saying there is no such option (--offset=offset didn't work either). The Volatility command wiki doesn't show the moddump help but it does link to this post which shows the offset as an option: http://moyix.blogspot.com/2008/10/plugin-post-moddump.html I'm not that familiar with Python so looking at the plugin code wasn't that helpful for me. What I am trying to do is to extract a specific driver from a memory image. The moddump command works for extracting all drivers but it would be nice to extract only the one I need. Thanks for any help Corey Harrell "Journey into Incident Response" http://journeyintoir.blogspot.com

12 years, 1 month

2
2
0 0

Bug or documentation error - linux_dump_map

by Edwin Smulders

Hi, Yesterday during a challenge we had to use the linux_dump_map plugin to dump a process stack, and the documentation at https://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_pro… says it has the -p option to select a process. However, as far as I can tell looking in the svn history, this plugin never had the -p option. And it's definitely not working currently. I've heard a confirmation that the option was working in version 2.2-rc1, so maybe it was a global option? The reason I'm mailing this is because, if the -s is virtual memory, would you not get possible overlap in areas? How do you know it dumped the correct VMA? Note that every time I tried, I got the correct area. Cheers, Edwin

12 years, 1 month

2
3
0 0

Question

by Ayers, Robert

Anyone ever seen anything like this? It came out of a WinXPSP3x86 ram capture. PCSXView results; Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- 0x0a074da0 X???E?P??(O'? 23...6 False True False False False False False PSSCan results; Offset(P) Name PID PPID PDB Time created Time exited ---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------ 0x0a074da0 X???E?P??(O'? 23...6 23...4 0x8a274dc0 Thanks, Robert Ayers,

12 years, 1 month

2
1
0 0

hibernation file - imagecopy

by kongo sec

Hi I am running - revision 3164 I get the following error when running: Ignore the import errors # python2.7 vol.py -f /opt/hiberfil.sys --profile=WinXPSP3x86 imagecopy -O /opt/winxp_sp3_2nd.raw Volatile Systems Volatility Framework 2.3_alpha *** Failed to import volatility.plugins.zeusscan1 (AttributeError: 'module' object has no attribute 'ImpScan') *** Failed to import volatility.plugins.zeusscan2 (AttributeError: 'module' object has no attribute 'ApiHooks') Writing data (5.00 MB chunks): |......................................................................................................................................................................................................................................................ERROR : volatility.plugins.imagecopy: Error when reading from address space I have tried coping over the .sys file twice. I generated a new .sys file and same error. It worked wonderfully on lastweek. I tried reverting back to revision 3159 and no dice. Also Oddly enough it works with an old version of volatility running on remnux. Not sure whats up. Also here is the output from imageinfo: Determining profile based on KDBG search... Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86) AS Layer1 : JKIA32PagedMemoryPae (Kernel AS) AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS) AS Layer3 : FileAddressSpace (/opt/hiberfil.sys) PAE type : PAE DTB : 0x9300060L KDBG : 0x80545be0L Number of Processors : 1 Image Type (Service Pack) : 3 KPCR for CPU 0 : 0xffdff000L KUSER_SHARED_DATA : 0xffdf0000L Image date and time : 2013-03-05 06:26:20 UTC+0000 Image local date and time : 2013-03-05 00:26:20 -0600 thanks in advance

12 years, 1 month

2
1
0 0

Arch Linux (3.7.9-2) profile building error

by Edwin Smulders

Hi, I am trying to build a profile for the Arch Linux kernel (3.7.9-2), but I am getting this error: http://paste.ubuntu.com/5584634/ Is this a problem with newer kernels or am I doing something wrong? Cheers, Edwin

12 years, 1 month

4
4
0 0

Creating profile for android

by Pasquale Stirparo

Hi All, I'm trying to make a profile for android device. I did a memory dump with LiME of an HTC One X (Android 4.0.3, HTC Sense 4.0, kernel 2.6.39.4-g6b459dc). Now, following the instruction here https://code.google.com/p/volatility/wiki/LinuxMemoryForensics , I was trying to understand how to modify the makefile under volatility/tools/linux/ , in order to point to my kernel source. The thing is that in from my kernel source folder I couldn't find a proper value for KDIR and KVER (although they should be pretty straightforward according to their name) that would fit with the path for make command as from the following source code: pmem: pmem.c $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) modules dwarf: module.c $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y M=$(PWD) modules dwarfdump -di module.ko > module.dwarf $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) clean Did anyone ever created an android profile? Any hint? I've seen in the mailing list archive a thread "Profile (ZIP) for Android 4.0.3" from Mike (in Cc), any news about that? Thank you P. -- Pasquale Stirparo, MEng GCFA, OPST, OWSE, ECCE European Commission - JRC Joint Research Centre Institute for the Protection and Security of the Citizen (IPSC) Digital Citizen Security Unit Via E. Fermi, 2749 - TP 361 21027 Ispra (VA) - Italy PGP Key: 0x4C589FB2 Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2 Disclaimer: The views expressed are purely those of the writer and may not in any circumstance be regarded as stating an official position of the European Commission.

12 years, 1 month

3
10
0 0

RE: [Vol-users] Finding injected code

by James Lay

On 2013-02-27 13:51, Ayers, Robert wrote: > By name alone I'd bet a beer that this is a malicious executable > > 0x89152020 qegyas.exe 2364 2236 0 -------- 0 > 0 2013-02-27 15:08:35 2013-02-27 15:08:44 Thanks for the quick response. I believe that qegyas.exe is the injector (according to my procmon at least). Also, that process has exited, so I'm out of luck for taking a peak at it (in memory at least...happily the malware left the file on the drive :)) James

12 years, 1 month

3
3
0 0

Finding injected code

by James Lay

Hey all. Got a naughty email sent with malicious links, so I ran it in my sendbox and got an image. I'm trying to locate the injected code: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- -------------------- 0x89e23830 System 4 0 76 206 ------ 0 0x89c207e8 smss.exe 640 4 3 19 ------ 0 2013-02-27 22:05:55 0x89c093e0 csrss.exe 712 640 11 369 0 0 2013-02-27 22:05:59 0x89c0ab10 winlogon.exe 748 640 18 516 0 0 2013-02-27 22:06:04 0x89b72020 services.exe 792 748 16 277 0 0 2013-02-27 22:06:05 0x89bc9980 lsass.exe 804 748 18 370 0 0 2013-02-27 22:06:05 0x89d74da0 nvsvc32.exe 996 792 4 200 0 0 2013-02-27 22:06:05 0x89c067e8 svchost.exe 1056 792 19 199 0 0 2013-02-27 22:06:05 0x894dbda0 svchost.exe 1124 792 11 243 0 0 2013-02-27 22:06:05 0x894e8638 svchost.exe 1260 792 69 1188 0 0 2013-02-27 22:06:06 0x89d7a360 svchost.exe 1308 792 6 77 0 0 2013-02-27 22:06:06 0x894fa3e0 svchost.exe 1392 792 4 81 0 0 2013-02-27 22:06:06 0x89cd4c08 explorer.exe 1676 1632 23 529 0 0 2013-02-27 22:06:06 0x89af39e0 rundll32.exe 1760 1676 4 116 0 0 2013-02-27 22:06:06 0x89bdb1d0 Bootcamp.exe 1768 1676 5 246 0 0 2013-02-27 22:06:06 0x89ba7558 RTHDCPL.EXE 1788 1676 4 197 0 0 2013-02-27 22:06:06 0x89bf8c10 rundll32.exe 1800 1676 1 88 0 0 2013-02-27 22:06:06 0x89b78da0 ctfmon.exe 1828 1676 3 145 0 0 2013-02-27 22:06:06 0x89b8e620 svchost.exe 668 792 4 107 0 0 2013-02-27 22:06:17 0x89c0dc10 AppleOSSMgr.exe 716 792 3 39 0 0 2013-02-27 22:06:17 0x89ac32c8 AppleTimeSrv.ex 872 792 1 44 0 0 2013-02-27 22:06:17 0x89aca958 svchost.exe 1088 792 4 86 0 0 2013-02-27 22:06:17 0x89ad7c18 svchost.exe 1304 792 8 141 0 0 2013-02-27 22:06:17 0x89397918 wmiprvse.exe 1896 1056 6 140 0 0 2013-02-27 15:06:42 0x89152020 qegyas.exe 2364 2236 0 -------- 0 0 2013-02-27 15:08:35 2013-02-27 15:08:44 0x89160558 rundll32.exe 3032 1260 0 -------- 0 0 2013-02-27 15:08:49 2013-02-27 15:08:49 0x89399638 ntvdm.exe 3992 1676 0 -------- 0 0 2013-02-27 15:09:42 2013-02-27 15:09:43 0x8951f020 rundll32.exe 4016 1260 0 -------- 0 0 2013-02-27 15:13:51 2013-02-27 15:13:51 0x890fb648 DumpIt.exe 3720 1676 0 -------- 0 0 2013-02-27 15:13:59 2013-02-27 15:14:01 0x89124da0 DumpIt.exe 368 1676 2 68 0 0 2013-02-27 15:14:22 malfind shows the following: Process: csrss.exe Pid: 712 Address: 0x7f6f0000 Process: explorer.exe Pid: 1676 Address: 0x3d920000 Process: explorer.exe Pid: 1676 Address: 0x23f0000 Process: rundll32.exe Pid: 1760 Address: 0xb30000 Process: rundll32.exe Pid: 1760 Address: 0x3d920000 Process: Bootcamp.exe Pid: 1768 Address: 0x10c0000 Process: Bootcamp.exe Pid: 1768 Address: 0x3d920000 Process: RTHDCPL.EXE Pid: 1788 Address: 0x1bd0000 Process: RTHDCPL.EXE Pid: 1788 Address: 0x4af0000 Process: RTHDCPL.EXE Pid: 1788 Address: 0x3d920000 Process: rundll32.exe Pid: 1800 Address: 0xda0000 Process: rundll32.exe Pid: 1800 Address: 0x3d920000 Process: ctfmon.exe Pid: 1828 Address: 0xeb0000 Process: ctfmon.exe Pid: 1828 Address: 0x3d920000 Process: DumpIt.exe Pid: 368 Address: 0x130000 Process: DumpIt.exe Pid: 368 Address: 0x6fff0000 Just how would I go about seeing the injected code? Thanks for the assist. James

12 years, 1 month

1
0
0 0

Mac support vanished in latest alpha?

by David Kovar

Greetings, I was adding OS X support to my copy of Volatility per the instructions on https://code.google.com/p/volatility/wiki/MacMemoryForensics. It went well but I thought I'd pull the most recent version while I was at it. Mac support went away when I did so. setup.py is now missing: "volatility.plugins.overlays.mac", Even when I add that back, vol.py --info doesn't show the OS X profiles. Is this intentional? Is there a different version that I should be using? Thanks! -David

12 years, 1 month

3
9
0 0

Memory Collection on Windows NT

by Myerchin, Terrie A

Hi there We are looking to collect memory on an old Windows NT box. Of course, the tools we utilize are too recent to be compatible with Windows NT. Does anyone have any workaround suggestions or tools that may assist with this memory collection? Regards, Terrie

12 years, 2 months

2
1
0 0

Linux Profiles

by Kevin Marker

Group, I have a memory image file for a Red Hat 6.3 box with 2.6.32-279.el6.x86_x64 kernel. Is it ok to use the CentOS 6.3 x64 (2.6.32-279.el6.x86_x64) example profile, given it's for the same kernel, or do I need to build a new profile? Thanks for the help. Kevin Marker ACE, CCE, CISSP, EnCE

12 years, 2 months

2
1
0 0

Profile or kdbg incorrect

by David Kovar

Greetings, I'm unable to run scan tasks against a memory image and get "AttributeError: Could not list tasks, please verify your --profile with kdbgscan". I'm using 2.3_alpha updated just a moment ago. imageinfo: Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64 AS Layer1 : AMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/usr/local/malware/XXXXXXX/XXXX-memdump.mem) PAE type : PAE DTB : 0x187000L KDBG : 0xf80002ff70a0 Number of Processors : 1 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0xf80002ff8d00 KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2013-02-01 17:40:54 UTC+0000 Image local date and time : 2013-02-01 09:40:54 -0800 kdbgscan: Praha:Memory Image kovar$ vol.py --profile=Win7SP1x64 kdbgscan -f *.mem Volatile Systems Volatility Framework 2.3_alpha ************************************************** Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80002ff70a0 Offset (P) : 0x2ff70a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP1x64 Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xf8000302d370 (0 processes) PsLoadedModuleList : 0xf8000304b670 (0 modules) KernelBase : 0xfffff80002e07000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xf80002ff8d00 (CPU 0) ************************************************** Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80002ff70a0 Offset (P) : 0x2ff70a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win7SP0x64 Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xf8000302d370 (0 processes) PsLoadedModuleList : 0xf8000304b670 (0 modules) KernelBase : 0xfffff80002e07000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xf80002ff8d00 (CPU 0) ************************************************** Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80002ff70a0 Offset (P) : 0x2ff70a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008R2SP1x64 Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xf8000302d370 (0 processes) PsLoadedModuleList : 0xf8000304b670 (0 modules) KernelBase : 0xfffff80002e07000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xf80002ff8d00 (CPU 0) ************************************************** Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit) Offset (V) : 0xf80002ff70a0 Offset (P) : 0x2ff70a0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008R2SP0x64 Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr. PsActiveProcessHead : 0xf8000302d370 (0 processes) PsLoadedModuleList : 0xf8000304b670 (0 modules) KernelBase : 0xfffff80002e07000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 1 KPCR : 0xf80002ff8d00 (CPU 0) Thanks for any help you might be able to offer. -David

12 years, 2 months

3
6
0 0

Re: Lime Forensics Question

by Sebastien Bourdon-Richard

Johnny, I will try to answer your question to the best of my knowledge. I have also put the volatility user's mailing list in CC to share your problem with other users and in case somebody have a better answer than mine ;-) *Do you know how to send the memory using a netcat session from machine A to machine B? I tied to do the below, but it did not work. * *Machine B (Start Netcat on BackTrack Server) ------------------------------------------------- root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd listening on [any] 4444 ... Machine A (On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107]) ------------------------------------------------- root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=raw" | nc 192.168.1.107 4444* Unlike dd, LiME operates in kernel mode so you can't pipe it to netcat in user mode. I think LiME was created to listen on the target OS (Machine A in your case) and memory acquisition needs to be started with netcat on the acquisition PC (Machine B in your case). I have not try it, but here's how I think it works: 1) insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=lime" 2) nc 192.168.1.107 -p 4444 > mem.lime Also, I suggest you to use the padded format or the lime format to dump memory because I think volatility will not be able to convert virtual to physical addresses with a raw dump and analysis will fail (unless you pad the dump manually). Hope this helps! Sebastien On Mon, Feb 18, 2013 at 5:41 PM, Johnny Shaieb <johnny.shaieb(a)gmail.com>wrote: > Sebastien, > > My name is Johnny. I am trying to figure out how to use Lime with > Volatility. > > My end goal it to take and analyze the memory of a Vulnerable 8.04 VM made > available by the Metasploitable Project. > + Reference Link: > http://sourceforge.net/projects/metasploitable/files/Metasploitable2/ > > I have been able to dump the memory (See Below) > > root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=/var/tmp/memory.dd format=raw" > > root@metasploitable:/var/tmp/LIME/src# ls -l /var/tmp/memory.dd > -r--r--r-- 1 root root 536410112 2013-02-18 14:53 /var/tmp/memory.dd > > > Do you know how to send the memory using a netcat session from machine A > to machine B? I tied to do the below, but it did not work. > > *Machine B* (Start Netcat on BackTrack Server) > ------------------------------------------------- > root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd > listening on [any] 4444 ... > *Machine A *(On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107]) > ------------------------------------------------- > root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=raw" | nc 192.168.1.107 4444 > > > Thank you for any guidance, > > Johnny > > -- > Johnny A. Shaieb > > http://www.computersecuritystudent.com > http://www.studentJD.com <http://www.studentjd.com/> > Education > BS: Management Information Systems (Oklahoma State University) > MS: Telecommunications (Oklahoma State University) > MS: Computer Science / Computer Security (University of Tulsa) > > NSTISSI Certified > 4011: Information Security Professional > 4012: Designated Approving Authority > 4013: Administration in Information Systems Security > 4014: Information Systems Security Officer >

12 years, 2 months

2
2
0 0

Memory Forensics / Volatility talk at RSA

by Andrew Case

On Wednesday of RSA I will be giving a talk titled: "Memory Forensics: Defeating Disk Encryption, Skilled Attackers and Malware" This talk will focus on three key points: 1) Showcasing the power and usefulness of memory forensics 2) Distinguishing memory forensics from disk forensics 3) Highlighting why live forensics should not be used and instead analysts should switch to using offline memory forensics Throughout the talk there will be many examples of powerful rootkits, techniques of advanced attackers, looking at Android, and defeating software-based disk encryption. If you are interested in the talk and plan on attending, please add it to your conference calendar: https://ae.rsaconference.com/US13/connect/sessionDetail.ww?SESSION_ID=1885 If you have any questions about the talk or or want to meet up at RSA then please contact me.

12 years, 2 months

2
1
0 0

Any word on Volatitily 2.3?

by Mahesh Maddury

Hi, I'm interested in parsing through the .vmsn files from VMware. Vol 2.3 is slated to have the support. Any word on release date? Has anyone tried using the plugins w/ vol 2.2? Any tips are greatly appreciated. TIA, Mahesh

12 years, 2 months

3
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users