- Vol-users - volatilityfoundation.org

Issue interfacing with pyvmiaddressspace

by Michael Watson

Hello, I hope someone can help with this. I am attempting to perform live memory analysis on linux virtual machines using Xen, LibVMI and Volatility. The command I am attempting to run is: # python vol.py -l vmi://ubuntu-pvm-01 --profile=Linuxubuntux64 linux_psaux I created the profile Linuxubuntux64 using the instructions on the Volatility linux plugin page I have included the pyvmiaddressspace.py file below: # Volatility # # Copyright 2011 Sandia Corporation. Under the terms of Contract # DE-AC04-94AL85000 with Sandia Corporation, the U.S. Government # retains certain rights in this software. # # Authors: # bdpayne(a)acm.org (Bryan D. Payne) # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or (at # your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # import volatility.addrspace as addrspace import urllib import pyvmi #pylint: disable-msg=C0111 class PyVmiAddressSpace(addrspace.BaseAddressSpace): """ This address space can be used in conjunction with LibVMI and the Python bindings for LibVMI. The end result is that you can connect Volatility to view the memory of a running virtual machine from any virtualization platform that LibVMI supports. For this AS to be instantiated, we need the VM name to connect to. """ print "pyvmiaddressspace loaded" order = 90 def __init__(self, base, config, layered = False, **kwargs): print "__init__" addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs) self.as_assert(base == None or layered, "Must be first Address Space") self.as_assert(config.LOCATION.startswith("vmi://"), "Location doesn't start with vmi://") self.name = urllib.url2pathname(config.LOCATION[6:]) self.vmi = pyvmi.init(self.name, "partial") self.as_assert(not self.vmi is None, "VM not found") self.dtb = self.get_cr3() def read(self, addr, length): print "read" return self.zread(addr, length) # assert addr < self.vmi.get_memsize(), "addr too big" # # end = addr+length # # if end > self.vmi.get_memsize(): # memory = None # else: # try: # memory = self.vmi.read_pa(addr, length) # except: # memory = None # # return memory # account for holes in physical mem def zread(self, addr, length): print "zread" assert addr < self.vmi.get_memsize(), "addr too big" end = addr+length if end > self.vmi.get_memsize(): memory = None else: memory = self.vmi.zread_pa(addr, length) assert memory != None, "memory is None" print memory return memory def is_valid_address(self, addr): print "is_valid_address" if addr == None: return False return 4096 < addr < self.vmi.get_memsize() - 1 def write(self, addr, data): print "write" nbytes = self.vmi.write_pa(addr, data) if nbytes != len(data): return False return True def get_cr3(self): print "get_cr3" cr3 = self.vmi.get_vcpureg("cr3", 0); return cr3 def get_available_addresses(self): print "get_available_addresses" yield (4096, self.vmi.get_memsize() - 1) return I have added the print statements myself in order to help with debugging and the output is as follows: root@xenbox:~/downloads/volatility-2.2# python vol.py -l vmi://ubuntu-pvm-01 --profile=Linuxubuntux64 linux_psaux Volatile Systems Volatility Framework 2.2 pyvmiaddressspace loaded Pid Uid Arguments __init__ get_cr3 read zread read zread g�g�g02c�1c�c� g�gP� 'pH�'�H�g -g� g- read zread g� read zread g@� read zread read zread g� read zread g@� read zread __init__ read zread g- read zread root@xenbox:~/downloads/volatility-2.2# I added the print statements to see if the addressspace plugin was obtaining any information at all, because without them the only output was: Volatile Systems Volatility Framework 2.2 Pid Uid Arguments I am only just getting to grips with using Volatility so any advice as to how to debug this issue would be much appreciated. Thanks, Mike

12 years, 2 months

1
0
0 0

Android memory image

by Mike Lambert

I am looking for an Android memory image to use Volatility on. Does anyone have (or know where I and get) a memory image I can look at? If you are imaging Androids, can you reply offlist? Thanks! Have a good week!

12 years, 2 months

3
5
0 0

Profile (ZIP) for Android 4.0.3

by Mike Lambert

Has anyone made a profile for Android 4.0.3 yet? (per profile creation here, http://code.google.com/p/volatility/wiki/LinuxMemoryForensics) I think I am barking at the right tree, I just can't climb it yet. <g> Thanks, Mike

12 years, 2 months

1
0
0 0

RE: [Vol-users] IAT hook question

by Mike Lambert

I've put together a package for you, http://michael-lambert.us/Rocra_130115b.zip In it is the memory image, 130115b.w32. Infection time is approx 1637 CST on 15 Jan. svchost.exe PID is 464, parent is msmx21.exe PID 1404 Also included is the DOC file that drops and runs msmx21.exe which drops and runs svchost.exe Thanks for looking at it. Is anyone else looking at Red October? Mike Date: Fri, 18 Jan 2013 07:45:25 -0500 Subject: Re: [Vol-users] IAT hook question From: michael.hale(a)gmail.com To: dragonforen(a)hotmail.com I got the exe from your website, thanks. Do you happen to have the original malware sample, or an md5 of the sample. There are a few things I'd like to check out that may be easier if I had a full memory dump. Thanks, talk to you soon. MHL On Thu, Jan 17, 2013 at 3:49 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote: MHL, I've tried sending twice, 2nd time passworded. Rejected both times. I've not seen anything on the Vol-list either. May be a size problem. ---- Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com Received-From-MTA: dns;SNT118-W46 Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800 Final-Recipient: rfc822;michael.hale(a)gmail.com Action: failed Status: 5.5.0 Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment on your message. Please 552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590 to 552 5.7.0 review our attachment guidelines. m1si2744262obl.114 ---- I have put it here. PW is Rocra http://michael-lambert.us/Rocra_svchost-exe_464_exe-dump.zip Let me know when you receive the .exe successfully. Thanks, Mike From: postmaster(a)mail.hotmail.com To: dragonforen(a)hotmail.com Date: Thu, 17 Jan 2013 12:26:58 -0800 Subject: Delivery Status Notification (Failure) This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed. michael.hale(a)gmail.com --Forwarded Message Attachment-- From: dragonforen(a)hotmail.com To: michael.hale(a)gmail.com CC: vol-users(a)volatilityfoundation.org Subject: RE: [Vol-users] IAT hook question Date: Thu, 17 Jan 2013 14:26:31 -0600 First email was bounced by gmail. I've added a pw to the zip. PW is Rocra Let me know when you have the .exe ok. Thanks Date: Thu, 17 Jan 2013 14:48:06 -0500 Subject: Re: [Vol-users] IAT hook question From: michael.hale(a)gmail.com To: dragonforen(a)hotmail.com CC: vol-users(a)volatilityfoundation.org Hmm sorry, I must be reading the GMER log incorrectly: dragonforen(a)hotmail.com> wrote: MHL, Thank you very much. Attached is a ZIP. (Rocra is the short name) I used Volatility 2.1 C:\Python27\volatility-2.1>vol.py dlldump -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 -D E:\Tests\130115b\Vol\dlldump > E:\Tests\130115b\Vol\dlldump.txt Volatile Systems Volatility Framework 2.1 C:\Python27\volatility-2.1> Have a good day, Mike Date: Thu, 17 Jan 2013 12:47:54 -0500 Subject: Re: [Vol-users] IAT hook question From: michael.hale(a)gmail.com To: dragonforen(a)hotmail.com CC: vol-users(a)volatilityfoundation.org Mike, if you could use dlldump and extract kernel32.dll from pid 464 and send it to me, I'll take a look. The necessary pages of the PE file may just not be memory resident. MHL On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote: I am looking at a Red October infection. The malware is svchost PID 464, C:\Program Files\Windows NT\svchost.exe GMER tells me that the IAT is hooked. See attached. I wanted to see this with Volatility per the apihooks documentation here http://code.google.com/p/volatility/wiki/CommandReferenceMal22 "As of Volatility 2.1, apihooks also detects hooked winsock procedure tables, includes an easier to read output format, supports multiple hop disassembly, and can optionally scan quicker through memory by ignoring non-critical processes and DLLs. Here is an example of detecting IAT hooks installed by Coreflood. The hooking module is unknown because there is no module (DLL) associated with the memory in which the rootkit code exists. If you want to extract the code containing the hooks, you have a few options: " I tried apihooks in Volatility 2.1 and 2.2, below is the result C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 apihooks Volatile Systems Volatility Framework 2.1 C:\Python27\volatility-2.1> ------------------------- C:\Python27\volatility-2.2>vol.py apihooks -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 Volatile Systems Volatility Framework 2.2 C:\Python27\volatility-2.2> ========================= My question is, "what am I doing wrong?" It is probably something simple. Thanks for the help, Mike _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

12 years, 3 months

2
3
0 0

[OT} ZIPs (was: Re: [Vol-users] IAT hook question)

by Darren Spruell

On Thu, Jan 17, 2013 at 1:49 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote: > MHL, > > I've tried sending twice, 2nd time passworded. Rejected both times. I've not > seen anything on the Vol-list either. May be a size problem. > > ---- > Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com > Received-From-MTA: dns;SNT118-W46 > Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800 > Final-Recipient: rfc822;michael.hale(a)gmail.com > Action: failed > Status: 5.5.0 > Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment on > your message. Please > 552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590 to > 552 5.7.0 review our attachment guidelines. m1si2744262obl.114 Gmail does pretty deep inspection of attachments, in this case noticing a .exe file in the header of the ZIP archive: $ zipinfo Rocra_svchost-exe_464_exe-dump.zip Archive: Rocra_svchost-exe_464_exe-dump.zip 29582 bytes 2 files -rwxa-- 2.0 fat 60928 Bl defN 16-Jan-13 14:44 svchost_executable.464.exe -rw-a-- 2.0 fat 10543 Tl defN 16-Jan-13 14:46 130115b.w32_suspect_PID_464_volatility20_info.txt 2 files, 71471 bytes uncompressed, 29202 bytes compressed: 59.1% I tend to strip extensions and send in encrypted zips when dealing with Google services. Fantastic for everything except threat sharing. :) -- Darren Spruell phatbuckett(a)gmail.com

12 years, 3 months

4
5
0 0

Re: [Vol-users] IAT hook question

by Mike Lambert

MHL, I've tried sending twice, 2nd time passworded. Rejected both times. I've not seen anything on the Vol-list either. May be a size problem. ---- Reporting-MTA: dns;snt0-omc2-s18.snt0.hotmail.com Received-From-MTA: dns;SNT118-W46 Arrival-Date: Thu, 17 Jan 2013 12:18:41 -0800 Final-Recipient: rfc822;michael.hale(a)gmail.com Action: failed Status: 5.5.0 Diagnostic-Code: smtp;552-5.7.0 Our system detected an illegal attachment on your message. Please 552-5.7.0 visit http://support.google.com/mail/bin/answer.py?answer=6590 to 552 5.7.0 review our attachment guidelines. m1si2744262obl.114 ---- I have put it here. PW is Rocra http://michael-lambert.us/Rocra_svchost-exe_464_exe-dump.zip Let me know when you receive the .exe successfully. Thanks, Mike From: postmaster(a)mail.hotmail.com To: dragonforen(a)hotmail.com Date: Thu, 17 Jan 2013 12:26:58 -0800 Subject: Delivery Status Notification (Failure) This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed. michael.hale(a)gmail.com --Forwarded Message Attachment-- From: dragonforen(a)hotmail.com To: michael.hale(a)gmail.com CC: vol-users(a)volatilityfoundation.org Subject: RE: [Vol-users] IAT hook question Date: Thu, 17 Jan 2013 14:26:31 -0600 First email was bounced by gmail. I've added a pw to the zip. PW is Rocra Let me know when you have the .exe ok. Thanks Date: Thu, 17 Jan 2013 14:48:06 -0500 Subject: Re: [Vol-users] IAT hook question From: michael.hale(a)gmail.com To: dragonforen(a)hotmail.com CC: vol-users(a)volatilityfoundation.org Hmm sorry, I must be reading the GMER log incorrectly: dragonforen(a)hotmail.com> wrote: MHL, Thank you very much. Attached is a ZIP. (Rocra is the short name) I used Volatility 2.1 C:\Python27\volatility-2.1>vol.py dlldump -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 -D E:\Tests\130115b\Vol\dlldump > E:\Tests\130115b\Vol\dlldump.txt Volatile Systems Volatility Framework 2.1 C:\Python27\volatility-2.1> Have a good day, Mike Date: Thu, 17 Jan 2013 12:47:54 -0500 Subject: Re: [Vol-users] IAT hook question From: michael.hale(a)gmail.com To: dragonforen(a)hotmail.com CC: vol-users(a)volatilityfoundation.org Mike, if you could use dlldump and extract kernel32.dll from pid 464 and send it to me, I'll take a look. The necessary pages of the PE file may just not be memory resident. MHL On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote: I am looking at a Red October infection. The malware is svchost PID 464, C:\Program Files\Windows NT\svchost.exe GMER tells me that the IAT is hooked. See attached. I wanted to see this with Volatility per the apihooks documentation here http://code.google.com/p/volatility/wiki/CommandReferenceMal22 "As of Volatility 2.1, apihooks also detects hooked winsock procedure tables, includes an easier to read output format, supports multiple hop disassembly, and can optionally scan quicker through memory by ignoring non-critical processes and DLLs. Here is an example of detecting IAT hooks installed by Coreflood. The hooking module is unknown because there is no module (DLL) associated with the memory in which the rootkit code exists. If you want to extract the code containing the hooks, you have a few options: " I tried apihooks in Volatility 2.1 and 2.2, below is the result C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 apihooks Volatile Systems Volatility Framework 2.1 C:\Python27\volatility-2.1> ------------------------- C:\Python27\volatility-2.2>vol.py apihooks -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 Volatile Systems Volatility Framework 2.2 C:\Python27\volatility-2.2> ========================= My question is, "what am I doing wrong?" It is probably something simple. Thanks for the help, Mike _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

12 years, 3 months

1
0
0 0

Re: [Vol-users] IAT hook question

by Michael Hale Ligh

Hmm sorry, I must be reading the GMER log incorrectly: IAT C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetFileType] E80C244C I thought that was saying functions in kernel32.dll's IAT were hooked, but I think its saying the IAT entries in svchost.exe for kernel32 APIs are hooked. So in that case I'd need you to use procexedump -p 464 and send the extracted svchost.exe. Also if that number at the end (E80C244C) is the address of the hook, something is seriously wrong because that's an address in kernel space. Hooray for log files with no meaningful labels ;-) MHL On Thu, Jan 17, 2013 at 1:09 PM, Mike Lambert <dragonforen(a)hotmail.com>wrote: > MHL, > > Thank you very much. Attached is a ZIP. (Rocra is the short name) I used > Volatility 2.1 > > C:\Python27\volatility-2.1>vol.py dlldump -f > E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 -D > E:\Tests\130115b\Vol\dlldump > E:\Tests\130115b\Vol\dlldump.txt > > Volatile Systems Volatility Framework 2.1 > > C:\Python27\volatility-2.1> > > Have a good day, > Mike > > ------------------------------ > Date: Thu, 17 Jan 2013 12:47:54 -0500 > Subject: Re: [Vol-users] IAT hook question > From: michael.hale(a)gmail.com > To: dragonforen(a)hotmail.com > CC: vol-users(a)volatilityfoundation.org > > > Mike, if you could use dlldump and extract kernel32.dll from pid 464 and > send it to me, I'll take a look. The necessary pages of the PE file may > just not be memory resident. > > MHL > > > On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen(a)hotmail.com>wrote: > > I am looking at a Red October infection. The malware is svchost PID 464, > C:\Program Files\Windows NT\svchost.exe > > GMER tells me that the IAT is hooked. See attached. > > I wanted to see this with Volatility per the apihooks documentation here > http://code.google.com/p/volatility/wiki/CommandReferenceMal22 > > "As of Volatility 2.1, apihooks also detects hooked winsock procedure > tables, includes an easier to read output format, supports multiple hop > disassembly, and can optionally scan quicker through memory by ignoring > non-critical processes and DLLs. > > Here is an example of detecting IAT hooks installed by Coreflood. The > hooking module is unknown because there is no module (DLL) associated with > the memory in which the rootkit code exists. If you want to extract the > code containing the hooks, you have a few options: " > > > I tried apihooks in Volatility 2.1 and 2.2, below is the result > > C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32 > --profile=WinXPSP3x86 -p 464 apihooks > Volatile Systems Volatility Framework 2.1 > > C:\Python27\volatility-2.1> > > ------------------------- > > C:\Python27\volatility-2.2>vol.py apihooks -f > E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 > Volatile Systems Volatility Framework 2.2 > > C:\Python27\volatility-2.2> > > ========================= > > My question is, "what am I doing wrong?" It is probably something simple. > > Thanks for the help, > Mike > > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > >

12 years, 3 months

2
1
0 0

IAT hook question

by Mike Lambert

I am looking at a Red October infection. The malware is svchost PID 464, C:\Program Files\Windows NT\svchost.exe GMER tells me that the IAT is hooked. See attached. I wanted to see this with Volatility per the apihooks documentation here http://code.google.com/p/volatility/wiki/CommandReferenceMal22 "As of Volatility 2.1, apihooks also detects hooked winsock procedure tables, includes an easier to read output format, supports multiple hop disassembly, and can optionally scan quicker through memory by ignoring non-critical processes and DLLs. Here is an example of detecting IAT hooks installed by Coreflood. The hooking module is unknown because there is no module (DLL) associated with the memory in which the rootkit code exists. If you want to extract the code containing the hooks, you have a few options: " I tried apihooks in Volatility 2.1 and 2.2, below is the result C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 apihooks Volatile Systems Volatility Framework 2.1 C:\Python27\volatility-2.1> ------------------------- C:\Python27\volatility-2.2>vol.py apihooks -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 Volatile Systems Volatility Framework 2.2 C:\Python27\volatility-2.2> ========================= My question is, "what am I doing wrong?" It is probably something simple. Thanks for the help, Mike

12 years, 3 months

2
1
0 0

Announcing the First Annual Volatility Framework Plugin Contest

by Andrew Case

Hello All, We were writing to announce the first annual Volatility framework plugin writing contest: http://volatility-labs.blogspot.com/2013/01/the-1st-annual-volatility-frame… This contest is modeled after the well-known Hex-Rays plugin contest, and we hope to attract the same level of high-quality submissions as seen in the IDA contests. To the winners we offer a variety of cash prizes, recognition, and a chance to speak at our yearly conference. If you have any questions or comments please contact me directly or use the contact information listed in the blog post. Thanks, Andrew

12 years, 3 months

1
0
0 0

Tool Testing (re:Dementia thread)

by Tom Yarrish

All, So over the course or Luka's thread on his research the subject of testing your acquisition tools came up. I know this topic has been mentioned before (in one of my own past posts), but what is the requirement for memory acquisition tools to be working "properly"? Especially since each time you run the test against a memory image that image has changed. What steps, at a minimum, should you be making sure that the tool you are using/evaluating is doing what it should be doing? Listing processes correctly? Showing the correct artifacts if I have Zeus on the image? The topic always seems to come up (even with physical devices) that you have to test your tools, with no one ever saying what checkmarks you have to make sure the tools does. Thanks, Tom

12 years, 3 months

2
1
0 0

compile list of malware that can defeat memory acquisition as of Jan 2013

by Mike Lambert

I think it would be a good idea to compile a list of the malware that can defeat *any* memory forensics acquisition tool as of January 2013. Of course the tool should be identified, the technique used to defeat it, and the curent malware that has the capability. Not all tools would be vulnerable to each technique. Does anyone think this is not a good idea? Best, Mike

12 years, 3 months

1
0
0 0

29c3 defeating windows memory forensics

by Luka Milkovic

Hi George, and everyone else on the list. I don't know if you watched/skimmed through the presentation or the talk, but I want to emphasize that I really like Volatility and that my work is not a research against Volatility (or any other tool in particular) in any way. Volatility is my primary choice when doing memory analysis both because of speed, abundance of features and plugins and openness of the tool. I do however mention Volatility in couple of places, for example, I suggest creating a plugin for scanning handle table allocations (Obtb) as an alternative to currently used method. > It is nice to see someone looking critically at the subject matter, even > if in an over-simplistic manner. The gist of the article is that you > can easily scrub evidence from a memory dump as it is being written (in > plain text) to disk or to the net. Duh! Thanks for your support. Although I agree some things were over-simplified, I don't agree that my research in whole is over-simplistic. The idea is simple and well known enough, still, it is not that commonly being taken into consideration when performing forensic analysis, at least from my experience. > A few comments on the author's conclusions: Too bad you pulled out the conclusions since this slide is by far the weakest in the whole presentation;) > 1. Acquisition tools should utilize drivers correctly! > Duh! I didn't quite understand if you meant that ironically or not. However, almost all tested acquisition tools utilize drivers incorrectly, meaning that they transfer the pages back to UM and then write them to dump (usually with completely inadequate permissions). > 2. Use hardware acquisition tools, e.g. firewire. > However, hardware-based acquisition also can be defeated. At a minimum > you can program an upper limit on the memory address that the firewire > is allowed to access and then place your rootkit above that address. > Most new computer systems have more than 4 GiB of memory nowadays. I didn't say that hardware acquisition methods are infallible. You're absolutely right regarding the 4 GB limit. But from an attacker's perspective, this method cannot be used for hiding arbitrary object, and it might be difficult to "relocate" the driver, allocations and all resources above the specified limit. I'm evaluating some additional weaknesses of the firewire acquisition and methods of hiding arbitrary objects, but so far, my research showed no progress... And yes, I am definitely aware of other alternatives (cold boot etc.), but I think they are highly impractical so I didn't mention them in my presentation. > 3. Use crash dumps (native!) instead of raw dumps. > Should maybe introduce the author to all those rootkits (e.g. Sinowal) > that remove themselves from crashdump as it is being written. I thought that I have a very good knowledge of rootkits and low level malware, but I don't recall Torpig/Sinowal doing anything about removing itself from the crash-dump. In fact, I cannot remember any rootkit or malware removing its artifacts from the crash-dump, so please introduce me to all such rootkits:) There are some KeBugCheckEx() tampering "malware" variants, but they are mostly related to PatchGuard bypass. Crash dump mechanism is fairly complex, involves couple of checksums and does not use the underlying file system - it writes the dump to raw disk sectors. The weakest link in this process from my perspective is the process of booting the machine and calling of SmpCheckForCrashDump() function - this is the point when malware can finally see the resulting crash dump and remove the artifacts from it. This is far from being trivial, however. > 4. Perform anti-rootkit scanning before acquisition? > Easier said than done. Just ask A/V industry. This is a stupid conclusion on my side. No, really, I said that during the talk:) > 5. Live forensic is inherently insecure! > Duh! Real question is not whether or not you can cheat memory > acquisition software. It is whether you can cheat memory acquisition > software and have no one know about it. Knowing that a system is > infected is 90% of the battle even if you don't know how. Once I know > that a system is infected I will find the rootkit. My talk was all about cheating the memory acquisition software and have no one know about it:) It's not that my tool is invisible - the truth is actually totally opposite ON PURPOSE. I didn't want to add advanced self-hiding features, because I'm not trying to create a tool that bad guys can use in the wild. I just wanted to raise awareness and present my research. And again, it depends on what you are trying to find:) If you're trying to find _traces_ of malware (mostly orphaned or invalid resources, such as locks, mutants etc.), you will most certainly succeed in this, because by theory it is impossible to hide everything (the malware executes, therefore it is present and visible). If your goal is to find some more valuable artifacts (processes, memory allocations, files, etc.), you might fail even if you are certain in rootkit existance, simply because the rootkit (or my tool in this case) has deleted such artifacts from the dump. In the end, I really don't want to be perceived as a guy wearing a wrong hat. My research is not aimed against any particular product, or the memory forensics field in general. My research is not a revolutionary new anti-forensic method. It's an implementation of well known anti-forensic techniques and proof of concept for removing arbitrary artifacts from the memory dump with the intention of raising the awareness and creating better memory forensics software. Best regards, Luka -- Luka Milković Information security consultant e-mail: luka.milkovic(a)infigo.hr INFIGO IS d.o.o. Horvatovac 20, 10000 Zagreb www: http://www.infigo.hr

12 years, 3 months

6
14
0 0

Announcing the next public offering of malware and memory forensics training by Volatility developers

by Andrew Case

Hello, We were writing to announce that the next public offering of Windows malware and memory forensics training by Volatility developers has been set for March 18-22rd in Chicago. Full details can be found here: http://volatility-labs.blogspot.com/2013/01/windows-malware-and-memory-fore… If you have any questions or comments then please contact me directly or use the information listed on the blog post. Thanks, Andrew (@attrc)

12 years, 3 months

1
0
0 0

Howdy

by Julian Brown

Please forgive my noobness. I am new to Volatility and just viewed a discussion on memory acquisition problems and the malware removing itself from the memory before it was written to file for later analysis. Does malware such as Rustock.C leave any traces behind such as portions of the program used to "remove" itself from memory but cannot completely remove itself? Of if not, how do the researchers know it was present? Did they do a controlled infection and watch it remove itself by other means? Thanx Julian

12 years, 3 months

2
1
0 0

Volatility 2.1/2.2 connscan/sockets/sockscan not supported for profile Win7SP1x86

by Mike Lambert

I have found that in Volatility 2.1 and 2.2 connscan is not supported for profile Win7SP1x86. Volatility 2.0 does not produce any results. (??) I see that sockets and sockscan are also not supported in Volatility 2.2. See below. pslist does work, so some commands are supported. Is this a known issue? ----------------cut-here------------------- C:\Python27\volatility-2.2>vol.py imageinfo -f g:\victim1.w32 Volatile Systems Volatility Framework 2.2 Determining profile based on KDBG search... Suggested Profile(s) : Win7SP0x86, Win7SP1x86 AS Layer1 : JKIA32PagedMemoryPae (Kernel AS) AS Layer2 : FileAddressSpace (G:\victim1.w32) PAE type : PAE DTB : 0x185000L KDBG : 0x82761be8L Number of Processors : 2 Image Type (Service Pack) : 0 KPCR for CPU 0 : 0x82762c00L KPCR for CPU 1 : 0x807c0000L KUSER_SHARED_DATA : 0xffdf0000L Image date and time : 2013-01-04 20:41:23 UTC+0000 Image local date and time : 2013-01-04 14:41:23 -0600 C:\Python27\volatility-2.0>vol.py connscan -f h:\victim1.img --profile=Win7SP1x86 Volatile Systems Volatility Framework 2.0 Offset Local Address Remote Address Pid ---------- ------------------------- ------------------------- ------ C:\Python27\volatility-2.1>vol.py connscan -f h:\victim1.img --profile=Win7SP1x86 Volatile Systems Volatility Framework 2.1 Offset(P) Local Address Remote Address Pid ---------- ------------------------- ------------------------- --- ERROR : volatility.plugins.connscan: This command does not support the selected profile. C:\Python27\volatility-2.2>vol.py connscan -f g:\victim1.w32 --profile=Win7SP1x86 Volatile Systems Volatility Framework 2.2 Offset(P) Local Address Remote Address Pid ---------- ------------------------- ------------------------- --- ERROR : volatility.plugins.connscan: This command does not support the selected profile. C:\Python27\volatility-2.2>vol.py sockets -f g:\victim1.w32 --profile=Win7SP1x86 Volatile Systems Volatility Framework 2.2 ERROR : volatility.plugins.sockets: This command does not support the selected profile. C:\Python27\volatility-2.2>vol.py sockscan -f g:\victim1.w32 --profile=Win7SP1x86 Volatile Systems Volatility Framework 2.2 Offset(P) PID Port Proto Protocol Address Create Time ---------- ------ ------ ------ --------------- --------------- ----------- ERROR : volatility.plugins.sockscan: This command does not support the selected profile.

12 years, 3 months

2
3
0 0

Parsing prefetch files

by David Nardoni

Has anyone done any research about parsing prefetch files out of memory images? I was working with the latest version of volatility 2.3 and found the mftparser plugin very helpful. I was looking specifically at prefetch files and looking to possibly parse the prefetch files if they exist in memory to see what files may have been accessed by specific executables. Just wondering if anyone has looked at this or thought about developing a plugin around this? Dave

12 years, 3 months

5
6
0 0

malfind and diff versions

by Mike Lambert

I noticed that the text output and dumped files for the malfind plugin changed from Vol 2.0 to 2.1. Vol 2.2 looks the same as Vol 2.1. Is this to be expected? (especially the naming convention of the dump files) Thanks, Mike

12 years, 3 months

2
1
0 0

Windows 8

by Adam Bridge

Hi all, I was wondering if support for Windows 8 is on the Volatility roadmap? And if there's anything I can do to help? I'm certain I'll be of no programming help, but I could certainly provide Windows 8 memory dumps and testing. Thanks all, Bridgey the Geek

12 years, 3 months

3
2
0 0

Analyzing Malware in Memory Webinar Tonight

by Andrew Case

Hello, Sorry for the late notice, but tonight I will be giving a webinar on analyzing malware in memory with Volatility. This presentation will showcase many of Volatility's advanced capabilities related to detecting and analyzing Windows malware. Its free to attend, but you must pre-register: http://www.thehackeracademy.com/tha-deep-dive-analyzing-malware-in-memory/ If you have any questions feel free to contact me directly. Thanks, Andrew

12 years, 3 months

5
7
0 0

Newb and procexedump

by James Lay

Hey all. So..I have a couple questions (clearly) about procexedump and another one about hidden processes. First, procexedump. Here's the info of the memdump: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- -------------------- 0x8925a808 exp3.tmp.exe 3336 1628 0 -------- 0 0 2012-12-13 15:22:46 2012-12-13 15:25:22 Offset(P) Name PID PPID PDB Time created Time exited ---------- ---------------- ------ ------ ---------- -------------------- -------------------- 0x0925a808 exp3.tmp.exe 3336 1628 0x0a440480 2012-12-13 15:22:46 2012-12-13 15:25:22 I'm attempting to dump this to an exe file, but here's what I'm getting: Process(V) ImageBase Name Result ---------- ---------- -------------------- ------ 0x8925a808 ---------- exp3.tmp.exe Error: PEB at 0x7ffdf000 is paged I won't lie in saying I don't really have a handle on the entire memory structure of Windows XPSP3. What exactly can I do, if anything, to get this as a sample? Next up, hidden processes: Offset(P) Local Address Remote Address Pid ---------- ------------------------- ------------------------- --- 0x09046008 192.168.0.2:1066 x.x.x.106:443 1448 0x0912f878 192.168.0.2:1071 x.x.x.8:443 1448 0x091bfa70 192.168.0.2:1069 x.x.x.106:443 1448 0x09231478 192.168.0.2:1065 x.x.x.106:443 1448 pslist, psscan, and psxview do not show this PID. How do I figure out what and where this PID is? Thanks for any help you can provide. James

12 years, 4 months

2
2
0 0

vadinfo question

by Kathy Simm

I've got a memory dump of a clean system and a memory dump of a system infected with a piece of malware that I believe has been injected into services.exe. When I use the vadinfo command, there are 93 memory segments associated with services.exe in the clean dump, and 234 segments in the infected dump. Is this difference in the number of segments enough to warrant further review of services.exe? If so, is the next step to dump the extra memory segments that are in the infected dump using the vaddump command and review each of those dumps? Thanks - any info is appreciated.

12 years, 4 months

2
1
0 0

using volshell in volatility 2.3

by Kathy Simm

I'm a noob with Volatility, so please be patient. I am working through some samples I found online. I've identified where I think malware was injected into a process by following this tutorial: http://volatility-labs.blogspot.com/2012/10/reverse-engineering-poison-ivys… My question: once in volshell I get many errors in my python code. How do I enter a "tab" in volshell? Since Python is so dependent on indentation, I cannot follow the rest of the tutorial as I cannot get past the "for addr in addrs" line.. Thanks.

12 years, 4 months

2
1
0 0

Re: Vol-users Digest, Vol 54, Issue 1

by wyatt roersma

David Kovar, I have used FTK dozens of times with images as large as 80 GB of ram. I haven't had any strange storage issues though. I have also used mdd.exe and .vsem files in analysis and had similar results with less issues with larger images. What version of FTK imager did you use? Regards , Wyatt Roersma On Dec 4, 2012 8:02 PM, <vol-users-request(a)volatilityfoundation.org> wrote: > Send Vol-users mailing list submissions to > vol-users(a)volatilityfoundation.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > or, via email, send a message with subject or body 'help' to > vol-users-request(a)volatilityfoundation.org > > You can reach the person managing the list at > vol-users-owner(a)volatilityfoundation.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Vol-users digest..." > > > Today's Topics: > > 1. FTK Imager as RAM dumping tool? (David Kovar) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 4 Dec 2012 16:53:00 -0600 > From: David Kovar <dkovar(a)gmail.com> > Subject: [Vol-users] FTK Imager as RAM dumping tool? > To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org> > Message-ID: <0186FBD7-BB31-4380-9B4D-4F0342BE19B1(a)gmail.com> > Content-Type: text/plain; charset=us-ascii > > Good afternoon, > > I was just looking at a memory dump that, when compressed, went from 4GB > to about 20MB. Something is odd here, I say. Most of the file is nulls. > > The dump was collected with FTK Imager. Does anyone have any opinions on > its reliability as a memory acquisition tool? > > Thanks. > > -David > > > > ------------------------------ > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > End of Vol-users Digest, Vol 54, Issue 1 > **************************************** >

12 years, 4 months

4
4
0 0

FTK Imager as RAM dumping tool?

by David Kovar

Good afternoon, I was just looking at a memory dump that, when compressed, went from 4GB to about 20MB. Something is odd here, I say. Most of the file is nulls. The dump was collected with FTK Imager. Does anyone have any opinions on its reliability as a memory acquisition tool? Thanks. -David

12 years, 4 months

1
0
0 0

Linux keyword search?

by Scott Ehrlich

A review of the Linux-capable version of volatility doesn't seem to indicate any option of performing a keyword search of captured memory. Is this correct? Also, I don't recall seeing an option in pmem.ko for capturing virtual/shared memory versus physical memory. Am I missing something? Thanks. Scott

12 years, 4 months

2
1
0 0

Problem solved

by Scott Ehrlich

Through some more research and several email responses, I discovered the following: I needed to create a profile and compile the volatility-2.2/tools/linux modules: http://code.google.com/p/volatility/wiki/LinuxMemoryForensics but first, using Ubuntu that I had, needed to fix a known bug - http://code.google.com/p/volatility/issues/detail?id=351 Once that compiled and I followed the rest of the steps for a Linux-specific profile, magical results with no limitations. Thanks to all. Scott

12 years, 5 months

1
0
0 0

Help with Volatility on Linux

by Scott Ehrlich

My final assignment for a digital forensics class has me exploring the capabilities of Volatility for memory review of a Linux system. I have since learned about lime (Linux Memory Extractor) and about Volatility's own kernel module, pmem.ko, which appears to provide faster memory capture than lime. The assignment initially had us visiting volatilityfoundation.org web page which only had through version 2.1. Additional searching revealed active work on code.google.com, which also says linux support is part of 2.2. So, I obtained version 2.2, and am getting very mixed results. I am using an out-of-box version of Ubuntu 10.04 32-bit with some updates to bring python up-to-date in a VMware Player 4.0.4 VM. In my trials thus far, I can get some results from: python ./vol.py connscan -f /path/to/memory.img I've pretty much gone through many of the options provided by python ./vol.py -h and usually end up with the error: "No suitable address space mapping found Tried to open image as:" Various google searches, and in reading the volatility page, really seems to indicate the code is still very Windows-oriented. Am I missing something? I'd like to get some decent results, if possible. I also tried an svn update, but that most recent version yielded an immediate python error on vol.py. Thanks for any insights. Scott

12 years, 5 months

2
1
0 0

Guidance

by Thilaknath Ashokkumar

Hi I am currently using volatility to retrieve truecrypt keys stored in memory, by accessing a ram dump. Can you please help me out on how to map the exact location of keys using volatility as i am able to list the process running while the image was taken, and hence forth i am not able to narrow down my search criteria , please help me out. Thank you Thilaknath

12 years, 5 months

4
4
0 0

Announcing memory forensics training directly from Volatility developers!

by Andrew Case

Hello, We are writing to announce the public offering of our Windows Memory Forensics for Analysts training course. This course is taught directly by Volatility developers, and will provide intense training in memory forensics for incident response, malware analysis, and digital forensic investigation. Full details can be found here: http://volatility-labs.blogspot.com/2012/11/windows-memory-forensics-traini… Please write or comment on the post if you have any questions or comments. Thanks, Andrew (@attrc)

12 years, 5 months

1
0
0 0

procexedump Error: Cannot acquire process AS

by Dewhirst, Rob

Have never seen this error when trying to dump a process. Any suggestions? tried -u as well with the same results. vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684 Volatile Systems Volatility Framework 2.2 Process(V) ImageBase Name Result ---------- ---------- -------------------- ------ 0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire process AS

12 years, 5 months

4
7
0 0

Re: [Vol-users] procexedump Error: Cannot acquire process AS

by Dewhirst, Rob

I am aware of the tech preview tools (that I learned about sitting in scudette's class no less!) but I haven't had enough "stick time" with them to trust a remote user running a dump for me with them. On Tue, Oct 30, 2012 at 7:47 PM, alex pease <alex.pease(a)gmail.com> wrote: > > http://volatility.googlecode.com/files/volatility-3.0-tp2.zip > > Not that I am saying use a different imager. > > I know scudette didn't write that all you need to do is run his tool. If I > remember write it is winpmem.exe -o file.mem, and you have a raw memory > dump. > > Dumpit likes to deadlock systems. > > > On Tuesday, October 30, 2012, Dewhirst, Rob wrote: >> >> I know I have the right profile but hearing something like this makes >> me question the image. I took a new image with a different tool and >> can now dump the process without error. >> >> FWIW I used Dumpit for the first image and FTK Imager for the second. >> >> On Tue, Oct 30, 2012 at 11:47 AM, Michael Cohen <scudette(a)gmail.com> >> wrote: >> > Rob, >> > According to the psscan output you posted the PDB (Process directory >> > base) is 0xcf3392c0. This is clearly an invalid address since a DTB is >> > always aligned on page boundaries. >> > >> > Can you dump other processes from this image? Is it possible that you >> > dont have the correct profile chosen for your image? >> > >> > Michael. >> > >> > On 30 October 2012 17:07, Dewhirst, Rob <robdewhirst(a)gmail.com> wrote: >> >> The process doesn't appear to have exited based on pslist (and it was >> >> still generating network traffic while I dumped ram) >> >> >> >> Offset(V) Name PID PPID Thds Hnds Sess >> >> Wow64 Start Exit >> >> ---------- -------------------- ------ ------ ------ -------- ------ >> >> ------ -------------------- -------------------- >> >> 0x8b3802a8 System 4 0 127 -------- ------ >> >> 0 >> >> 0x89be3290 smss.exe 312 4 2 -------- ------ >> >> 0 2012-10-26 02:29:26 >> >> [...] >> >> 0x89b1e020 redactedxx.e 1684 432 15 -------- ------ >> >> 0 2012-10-26 02:29:39 >> >> >> >> Don't know if this helps >> >> >> >> psxview >> >> >> >> Volatile Systems Volatility Framework 2.2 >> >> Offset(P) Name PID pslist psscan thrdproc pspcdid >> >> csrss >> >> ---------- -------------------- ------ ------ ------ -------- ------- >> >> ----- >> >> 0x09b17b70 svchost.exe 2632 True True False False >> >> False >> >> [...] >> >> 0x09b1e020 redactedxx.e 1684 True True False False >> >> False >> >> >> >> psscan >> >> >> >> sansforensics@SIFT-Workstation:~/Desktop$ vol.py -f >> >> ~/Desktop/image.raw --profile Win2003SP2x86 psscan >> >> Volatile Systems Volatility Framework 2.2 >> >> Offset(P) Name PID PPID PDB Time created >> >> Time exited >> >> ---------- ---------------- ------ ------ ---------- >> >> -------------------- -------------------- >> >> 0x09b1e020 redactedxx.e 1684 432 0xcf3392c0 2012-10-26 02:29:39 >> >> >> >> >> >> On Mon, Oct 29, 2012 at 6:44 PM, Michael Hale Ligh >> >> <michael.hale(a)gmail.com> wrote: >> >>> This means that the DTB (page directory) for the process doesn't >> >>> appear >> >>> valid, which is typically because the process has exited (although the >> >>> _EPROCESS structure itself may still exist, its page tables can be >> >>> corrupt). >> >>> Can you check the exit time for this process with pslist or psscan? >> >>> >> >>> MHL >> >>> >> >>> On Mon, Oct 29, 2012 at 5:46 PM, Dewhirst, Rob <robdewhirst(a)gmail.com> >> >>> wrote: >> >>>> >> >>>> Have never seen this error when trying to dump a process. Any >> >>>> suggestions? tried -u as well with the same results. >> >>>> >> >>>> vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p >> >>>> 1684 >> >>>> Volatile Systems Volatility Framework 2.2 >> >>>> Process(V) ImageBase Name Result >> >>>> ---------- ---------- -------------------- ------ >> >>>> 0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire >> >>>> process >> >>>> AS >> >>>> _______________________________________________ >> >>>> Vol-users mailing list >> >>>> Vol-users(a)volatilityfoundation.org

12 years, 5 months

1
0
0 0

Create a profile for Android

by Tad Bauer

Hello All, I'm trying to create a profile for Android. First, I changed Makefile, and then executed make command. but, make command was failed. So, Could someone check the Makefile ? error message --- ubuntu:~/volatility-2.2/tools/linux$ make make ARCH=arm CROSS_COMPILE=~/android-ndk-r8/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C ~/goldfish CONFIG_DEBUG_INFO=y M=/home/td/volatility-2.2/tools/linux modules make[1]: Entering directory `/home/td/goldfish' CC [M] /home/td/volatility-2.2/tools/linux/module.o /home/td/volatility-2.2/tools/linux/module.c:212:5: warning: "STATS" is not defined /home/td/volatility-2.2/tools/linux/module.c:228:5: warning: "DEBUG" is not defined CC [M] /home/td/volatility-2.2/tools/linux/pmem.o In file included from /home/td/volatility-2.2/tools/linux/pmem.c:51: /home/td/goldfish/arch/arm/include/asm/mmzone.h:21:1: warning: "NODE_DATA" redefined In file included from include/linux/gfp.h:4, from include/linux/kmod.h:22, <snip> /home/td/volatility-2.2/tools/linux/pmem.c: In function 'pmem_read_partial': /home/td/volatility-2.2/tools/linux/pmem.c:142: warning: comparison of distinct pointer types lacks a cast make[2]: *** [/home/td/volatility-2.2/tools/linux/pmem.o] Error 1 make[1]: *** [_module_/home/td/volatility-2.2/tools/linux] Error 2 make[1]: Leaving directory `/home/td/goldfish' make: *** [dwarf] Error 2 --- Makefile --- obj-m += module.o obj-m += pmem.o KDIR := ~/goldfish CCPATH := ~/android-ndk-r8/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin -include version.mk all: dwarf pmem pmem: pmem.c $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C $(KDIR) M=$(PWD) modules dwarf: module.c $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules dwarfdump -di module.ko > module.dwarf $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C $(KDIR) M=$(PWD) clean clean: $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C $(KDIR) M=$(PWD) clean rm module.dwarf --- Thanks, Tad

12 years, 6 months

2
2
0 0

Last week of MoVP, OMFW 2012 slides, and the GrrCon network forensics challenge

by Andrew Case

Hello All, We are writing to announce a few new things related to Volatility and memory forensics. First, we have posted the last week of the Month of Volatility plugins: Post 1: Detecting Malware with GDI Timers and Callbacks This posts covers analyzing malware samples that use timer callbacks to schedule actions. http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-… Post 2: Taking Screenshots from Memory Dumps This posts covers the data structures and algorithms required to recreate the state of the screen (a screenshot) at the time of the memory capture. http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from… Post 3: Recovering Master Boot Records (MBRs) from Memory This post covers recovering the MBR from memory and detecting bootkits. http://volatility-labs.blogspot.com/2012/10/movp-43-recovering-master-boot-… Post 4: Cache Rules Everything Around Me(mory) This post covers a new plugin that can recover in-tact files from the Windows Cache Manager. http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-… Post 5: Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit This post covers analyzing the Phalax2 rootkit with Volatility and other reversing tools. http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volati… Second, slides from the 2012 Open Memory Forensics Workshop are being put online: Datalore: Android Memory Analysis: http://volatility-labs.blogspot.com/2012/10/omfw-2012-datalore-android-memo… Malware In the Windows GUI Subsystem: http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gu… Reconstructing the MBR and MFT from Memory: http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-an… Analyzing Linux Kernel Rootkits with Volatility: http://volatility-labs.blogspot.com/2012/10/omfw-2012-analyzing-linux-kerne… Finally, we have posted our writeup on solving the GrrCon network forensics challenge using only memory analysis: http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensic… If you have any questions or comments please either comment on the respective blog post or reply to the list. Thanks, Andrew

12 years, 6 months

3
2
0 0

Live memory acquisition with a limited user account on Windows XP?

by Minh Triet Pham Tran

I have a memory acquisition case which I don't know how to solve it: If a limited user account on Windows XP SP3 is infected by malware, how could I acquire a live memory dump from his account? Could you help me please, thank you a lot.

12 years, 6 months

1
0
0 0

Android Plugin: Missing gDvm type definition

by Dario Schwab

Hi We are trying to reproduce the steps to access application specific informations from Android phones as Andrew Case demonstrated here: http://digitalforensicssolutions.com/papers/android-memory-analysis.pdf (Page 17 and following) We already have a Android Profile for our Goldfish kernel and are able to run the existing plugins (e.g. linux_pslist) against the memory dump acquired from the emulator. Now we are writing our own Volatility Plugin according to Andrews presentation. But so far we could not instantiate a DvmGlobals object as Volatility does not know this specific type. A snippet from our plugin: gDvm = obj.Object("DvmGlobals", vm = self.addr_space, offset = gDvm_addr) When run, Volatility prints the following warning: WARNING : volatility.obj : Cant find object DvmGlobals in profile <volatility.plugins.overlays.linux.linux.LinuxAndroid_Goldfishx86 object at 0x3a57910>? How can we get Volatility to know this object type? We pulled libdvm.so from our emulator and disassembled it using arm-linux-androideabi-objdump and found the following: *000aa1a8 *<gDvm>: This lines up with the DWARF informations from libdvm.so we compiled ourselves: <1><0x12484><DW_TAG_variable> DW_AT_name<"gDvm"> DW_AT_decl_file<0x00000001 dalvik/vm/Init.cpp> DW_AT_decl_line<0x00000032> DW_AT_type<<0x0000c3b8>> DW_AT_external<yes(1)> DW_AT_location<DW_OP_addr *0x000aa1a8*> We aren't sure if this address actually is what we are looking for, that is the offset of gDvm in the memory dump. Can you confirm this? Thanks for any help Alex & Dario

12 years, 6 months

1
0
0 0

dwarfdump ERROR: can't open module.ko

by Jason Link

I've tried this on SuSE Linux 11.1 32-bit and 64-bit with the same results. Following linux instructions for creating a profile, dwarfdump is unable to locate module.ko. https://code.google.com/p/volatility/wiki/LinuxMemoryForensics user@linux:~> cat /etc/SuSE-release SUSE Linux Enterprise Server 11 (i586) VERSION = 11 PATCHLEVEL = 1 user@linux:~> uname -r 2.6.32.12-0.7-pae user@linux:~> wget https://volatility.googlecode.com/files/volatility-2.2.tar.gz user@linux:~> tar -xzf volatility-2.2.tar.gz user@linux:~> cd volatility-2.2/tools/linux user@linux:~/volatility-2.2/tools/linux> sudo make .... wait a very long time on first run .... WARNING: modpost: Found 6 section mismatch(es). To see full details build your kernel with: 'make CONFIG_DEBUG_SECTION_MISMATCH=y' make[1]: Leaving directory `/usr/src/linux-2.6.32.12-0.7-obj/i386/pae' dwarfdump -di module.ko > module.dwarf dwarfdump ERROR: can't open module.ko make: *** [dwarf] Error 1 user@linux:~/volatility-2.2/tools/linux> sudo make CONFIG_DEBUG_SECTION_MISMATCH=y .... make[1]: Leaving directory `/usr/src/linux-2.6.32.12-0.7-obj/i386/pae' dwarfdump -di module.ko > module.dwarf dwarfdump ERROR: can't open module.ko make: *** [dwarf] Error 1 user@linux:~/volatility-2.2/tools/linux> dwarfdump -V Tue Apr 10 11:43:32 PDT 2012 What am I missing?

12 years, 6 months

1
0
0 0

Understanding 'sessions'

by Brett Cunningham

I RDP'ed into another VM, opened notepad, regedit and cmd in order to reenact the sessions plugin. I didn't get the expected output as was on the blog post ( http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processe…) It shows up under the main RDP console ID. I'm guessing that this is because I'm using WinXP and it doesn't support multiple logins. Is this the reason? $ vol.py sessions -f ~/vmware/VD/VD.vmem --profile=WinXPSP2x86 Volatile Systems Volatility Framework 2.2_rc2 ************************************************** Session(V): f7b0f000 ID: 0 Processes: 27 PagedPoolStart: bb800000 PagedPoolEnd bbbfffff Process: 656 csrss.exe 2012-09-27 01:15:38 Process: 680 winlogon.exe 2012-09-27 01:15:38 Process: 724 services.exe 2012-09-27 01:15:38 Process: 736 lsass.exe 2012-09-27 01:15:38 Process: 888 vmacthlp.exe 2012-09-27 01:15:39 Process: 900 svchost.exe 2012-09-27 01:15:39 Process: 984 svchost.exe 2012-09-27 01:15:39 Process: 1076 svchost.exe 2012-09-27 01:15:39 Process: 1120 svchost.exe 2012-09-27 01:15:39 Process: 1196 svchost.exe 2012-09-27 01:15:40 Process: 1412 spoolsv.exe 2012-09-27 01:15:41 Process: 1544 svchost.exe 2012-09-27 01:15:50 Process: 1616 jqs.exe 2012-09-27 01:15:50 Process: 1652 PortReporter.ex 2012-09-27 01:15:50 Process: 1820 vmtoolsd.exe 2012-09-27 01:15:53 Process: 1880 VMUpgradeHelper 2012-09-27 01:15:53 Process: 508 alg.exe 2012-09-27 01:16:01 Process: 1512 explorer.exe 2012-09-27 18:39:34 Process: 1156 wscntfy.exe 2012-09-27 18:39:35 Process: 1472 VMwareTray.exe 2012-09-27 18:39:58 Process: 628 jusched.exe 2012-09-27 18:39:59 Process: 1312 cmd.exe 2012-09-27 18:51:10 Process: 2040 jucheck.exe 2012-09-27 18:51:17 Process: 252 wuauclt.exe 2012-09-29 17:28:35 Process: 824 rdpclip.exe 2012-09-29 17:28:43 Process: 388 notepad.exe 2012-10-04 22:24:31 Process: 268 regedit.exe 2012-10-04 22:24:34 Image: 0x829596a0, Address bf800000, Name: win32k.sys Image: 0x82abc2d8, Address bf000000, Name: dxg.sys Image: 0x829d66e0, Address bffa0000, Name: ATMFD.DLL Image: 0x82955e20, Address bff60000, Name: RDPDD.dll Image: 0xbeff009c, Address c07bd878, Name: ************************************************** Session(V): f7b6f000 ID: 3 Processes: 2 PagedPoolStart: bb800000 PagedPoolEnd bbbfffff Process: 1032 csrss.exe 2012-09-29 17:28:42 Process: 2004 winlogon.exe 2012-09-29 17:28:42 Image: 0x82b83788, Address bf800000, Name: win32k.sys Image: 0x8299eb70, Address bf000000, Name: dxg.sys Image: 0x82b9de80, Address bf012000, Name: vmx_fb.dll Image: 0x82a084c8, Address bffa0000, Name: ATMFD.DLL Image: 0xbeff009c, Address c07bdb78, Name: ************************************************** Session(V): f7b43000 ID: 1 Processes: 0 PagedPoolStart: bb800000 PagedPoolEnd bbbfffff

12 years, 6 months

2
2
0 0

linux_bash plugin: problem getting needed offset

by neofito

Hi, I have troubles getting the offset from an x86 Ubuntu system. Using GDB is not showing the needed address: # gdb --quiet /bin/bash Leyendo simbolos desde /bin/bash...(no se encontraron simbolos de depuracion)hecho. (gdb) disassemble history_list Dump of assembler code for function history_list: 0x080eb0c0 <+0>: push %ebp 0x080eb0c1 <+1>: mov 0x81159fc,%eax 0x080eb0c6 <+6>: mov %esp,%ebp 0x080eb0c8 <+8>: pop %ebp 0x080eb0c9 <+9>: ret End of assembler dump. (gdb) Thoughts? Thanks in advance!!

12 years, 6 months

1
0
0 0

Unable to get working profile - Vol 2.2, OS X 10.8.2

by David Kovar

Greetings, I am unable to get a viable profile for two different images. I built V2.2 on a MacBook Pro running 10.8.2. This one may be a bad image: <kdbgscan returns silently> DawnTreader:Mem Analysis kovar$ vol.py -f *dmp kdbgscan Volatile Systems Volatility Framework 2.2 DawnTreader:Mem Analysis kovar$ vol.py -f *dmp imageinfo Volatile Systems Volatility Framework 2.2 Determining profile based on KDBG search... Suggested Profile(s) : No suggestion (Instantiated with no profile) AS Layer1 : FileAddressSpace (/Users/kovar/Mem Analysis/redacted-27-09-2012-10-47-50.dmp) PAE type : No PAE ---------------- But this one loads in Mandiant Redline but Volatility will not produce any valid results. I've tried all three profiles with no success. DawnTreader:Mem Analysis kovar$ vol.py -f *mem imageinfo Volatile Systems Volatility Framework 2.2 Determining profile based on KDBG search... Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86 AS Layer1 : JKIA32PagedMemoryPae (Kernel AS) AS Layer2 : FileAddressSpace (/Users/kovar/Mem Analysis/redacted_memdump.mem) PAE type : PAE DTB : 0x1595000L KDBG : 0x808943e0 Number of Processors : 2 Image Type (Service Pack) : 2 KPCR for CPU 0 : 0xffdff000 KPCR for CPU 1 : 0xf772f000 KUSER_SHARED_DATA : 0xffdf0000 Image date and time : 2012-10-01 19:31:06 UTC+0000 Image local date and time : 2012-10-01 13:31:06 -0600 DawnTreader:Mem Analysis kovar$ vol.py -f *mem kdbgscan Volatile Systems Volatility Framework 2.2 ************************************************** Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit) Offset (P) : 0x8943e0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2003SP1x86 Version64 : 0x8943b8 (Major: 15, Minor: 3790) PsActiveProcessHead : 0x808ad0c8 PsLoadedModuleList : 0x808a6ea8 KernelBase : 0x80800000 ************************************************** Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit) Offset (P) : 0x8943e0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2003SP2x86 Version64 : 0x8943b8 (Major: 15, Minor: 3790) PsActiveProcessHead : 0x808ad0c8 PsLoadedModuleList : 0x808a6ea8 KernelBase : 0x80800000 ************************************************** Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit) Offset (P) : 0x8943e0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2003SP0x86 Version64 : 0x8943b8 (Major: 15, Minor: 3790) PsActiveProcessHead : 0x808ad0c8 PsLoadedModuleList : 0x808a6ea8 KernelBase : 0x80800000 DawnTreader:Mem Analysis kovar$ vol.py -f *mem --profile=Win2003SP0x86 pslist Volatile Systems Volatility Framework 2.2 No suitable address space mapping found Tried to open image as: LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space JKIA32PagedMemory: No base Address Space IA32PagedMemoryPae: Module disabled JKIA32PagedMemoryPae: No base Address Space IA32PagedMemory: Module disabled LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: No xpress signature found WindowsCrashDumpSpace64: Header signature invalid WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile Win2003SP0x86 selected JKIA32PagedMemory: No valid DTB found IA32PagedMemoryPae: Module disabled JKIA32PagedMemoryPae: No valid DTB found IA32PagedMemory: Module disabled FileAddressSpace: Must be first Address Space ----- Thanks for any help you might be able to offer. -David

12 years, 6 months

3
16
0 0

Attributing a string to a program

by David Bramer

Hi, Have a memory dump which I have obtained via DumpIt, I'm then pretty happy and can use Volatility to find out some of the answers to my questions. However when I have run Strings on the memory dump I find a string of great interest. I would like to figure out a means by which I could find out what created this string. So far I've created a basic Yara rule and used malfind to no avail. Is there anything else I could try? Cheers David

12 years, 7 months

3
2
0 0

Fw: Re: Fwd: [Vol-users] problem with linux_check_afinfo and others rootkit plugins

by bellissimopython＠email.it

> 1) Where did you gert the Ubuntu profile? It says its missing the > tcp_seq_afino structure. # uname -a Linux luigi-Vostro-3500 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:54:40 UTC 2012 i686 i686 i386 GNU/Linux # zip volatility/plugins/overlays/linux/Ubuntu1204.zip tools/linux/module.dwarf /boot/System.map-3.2.0-30-generic But I copied the tools/linux directory from 2.2_alpha > Thanks, > Andrew > Thanks Luigi -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it: http://www.email.it/f Sponsor: Approfitta della speciale offerta 7 giorni al prezzo di 6 all'Hotel Cala Rosa di Stintino a due passi dall'Asinara dal 10 Settembre al 30 Settembre.Bambini 0-6 anni gratuiti Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12632&d=20120914 -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: In forma con il Nordic Walking! Offerte hotel per il Festival Nordic Walking di Riccione e Misano del 7/8/9 settembre. Contattaci per maggiori info 0541607636 Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12612&d=14-9

12 years, 7 months

1
0
0 0

Fwd: [Vol-users] problem with linux_check_afinfo and others rootkit plugins

by Andrew Case

Replying to the list this time ;) ---------- Forwarded message ---------- From: Andrew Case <atcuno(a)gmail.com> Date: Thu, Sep 13, 2012 at 12:22 PM Subject: Re: [Vol-users] problem with linux_check_afinfo and others rootkit plugins To: bellissimopython(a)email.it Hello, 1) Where did you gert the Ubuntu profile? It says its missing the tcp_seq_afino structure. 2) Yes, no output means nothing was detected 3) For check_idt and check_syscall, the output will say HOOKED instead of the symbol name if an entry is hooked. Write back if you have anymore questions. Thanks, Andrew On Thu, Sep 13, 2012 at 12:13 PM, <bellissimopython(a)email.it> wrote: > Hi, > I have the folloing problem: > > # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 > linux_check_afinfo > Volatile Systems Volatility Framework 2.2_rc1 > Symbol Name Member > Address > ------------------------------------------ ------------------------------ > ---------- > WARNING : volatility.obj : Cant find object tcp_seq_afinfo in profile > <volatility.plugins.overlays.linux.linux.LinuxUbuntu1204x86 object at > 0x9bbc5ac>? > Traceback (most recent call last): > File "vol.py", line 186, in <module> > main() > File "vol.py", line 177, in main > command.execute() > File > "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/common.py", > line 51, in execute > commands.Command.execute(self, *args, **kwargs) > File > "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/commands.py", > line 111, in execute > func(outfd, data) > File > "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", > line 82, in render_text > for (what, member, address) in data: > File > "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", > line 73, in calculate > for (name, member, address) in self.check_afinfo(global_var_name, > global_var, op_members, seq_members, modules): > File > "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", > line 41, in check_afinfo > for (hooked_member, hook_address) in self.check_members(var.seq_fops, > var_name, op_members, modules): > AttributeError: 'NoneType' object has no attribute 'seq_fops' > > > Also I want report that the volatility-2.2-rc1 package does not have the > tools/linux folder. So that it is not possible build dwarf module. Anyway I > have copied it from the git/alpha release. > > And finally I want ask something about rootkit detection plugins. For > example the following means that everything is ok ? > > # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 > linux_check_creds > Volatile Systems Volatility Framework 2.2_rc1 > PIDs > -------- > # > > > and the following: > > # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 > linux_check_idt > Volatile Systems Volatility Framework 2.2_rc1 > Index Address Symbol > ---------- ---------- ------------------------------ > 0x0 0xc1575024 divide_error > 0x1 0xc15750bc debug > 0x2 0xc1575114 nmi > 0x3 0xc1575234 int3 > 0x4 0xc1574fd4 overflow > 0x5 0xc1574fe0 bounds > 0x6 0xc1574fec invalid_op > 0x7 0xc1574fc0 device_not_available > 0x8 0x00000000 VDSO32_PRELINK > 0x9 0xc1574ff8 coprocessor_segment_overrun > 0xa 0xc1575004 invalid_TSS > 0xb 0xc157500c segment_not_present > 0xc 0xc1575014 stack_segment > 0xd 0xc157526c general_protection > 0xe 0xc1575048 page_fault > 0xf 0xc157503c spurious_interrupt_bug > 0x10 0xc1574fa8 coprocessor_error > 0x11 0xc157501c alignment_check > 0x12 0xc1575030 machine_check > 0x13 0xc1574fb4 simd_coprocessor_error > 0x80 0xc15749b8 system_call > # > > Thanks very much > luigi > > -- > Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP > autenticato? GRATIS solo con Email.it: http://www.email.it/f > > Sponsor: > Speciale Settembre all'hotel Gigliola di Rimini, 7 giorni di pensione > completa, 2 adulti Euro 420, all inclusive Euro 560 > Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12638&d=20120913 > > > > > -- > Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f > > Sponsor: > Tour culturali nell'entroterra romagnolo con le proposte tutto compreso di Costahotels. Alla scoperta dei borghi medievali e delle tipicita' gastronomiche della zona > Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12622&d=13-9 > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

12 years, 7 months

1
0
0 0

problem with linux_check_afinfo and others rootkit plugins

by bellissimopython＠email.it

Hi, I have the folloing problem: # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 linux_check_afinfo Volatile Systems Volatility Framework 2.2_rc1 Symbol Name Member Address ------------------------------------------ ------------------------------ ---------- WARNING : volatility.obj : Cant find object tcp_seq_afinfo in profile <volatility.plugins.overlays.linux.linux.LinuxUbuntu1204x86 object at 0x9bbc5ac>? Traceback (most recent call last): File "vol.py", line 186, in <module> main() File "vol.py", line 177, in main command.execute() File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/common.py", line 51, in execute commands.Command.execute(self, *args, **kwargs) File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/commands.py", line 111, in execute func(outfd, data) File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", line 82, in render_text for (what, member, address) in data: File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", line 73, in calculate for (name, member, address) in self.check_afinfo(global_var_name, global_var, op_members, seq_members, modules): File "/home/luigi/SOURCES/volatilitux_new/volatility-2.2-rc1/volatility/plugins/linux/check_afinfo.py", line 41, in check_afinfo for (hooked_member, hook_address) in self.check_members(var.seq_fops, var_name, op_members, modules): AttributeError: 'NoneType' object has no attribute 'seq_fops' Also I want report that the volatility-2.2-rc1 package does not have the tools/linux folder. So that it is not possible build dwarf module. Anyway I have copied it from the git/alpha release. And finally I want ask something about rootkit detection plugins. For example the following means that everything is ok ? # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 linux_check_creds Volatile Systems Volatility Framework 2.2_rc1 PIDs -------- # and the following: # python vol.py -f ../DUMP_ram/DUMP_130912.lime --profile=LinuxUbuntu1204x86 linux_check_idt Volatile Systems Volatility Framework 2.2_rc1 Index Address Symbol ---------- ---------- ------------------------------ 0x0 0xc1575024 divide_error 0x1 0xc15750bc debug 0x2 0xc1575114 nmi 0x3 0xc1575234 int3 0x4 0xc1574fd4 overflow 0x5 0xc1574fe0 bounds 0x6 0xc1574fec invalid_op 0x7 0xc1574fc0 device_not_available 0x8 0x00000000 VDSO32_PRELINK 0x9 0xc1574ff8 coprocessor_segment_overrun 0xa 0xc1575004 invalid_TSS 0xb 0xc157500c segment_not_present 0xc 0xc1575014 stack_segment 0xd 0xc157526c general_protection 0xe 0xc1575048 page_fault 0xf 0xc157503c spurious_interrupt_bug 0x10 0xc1574fa8 coprocessor_error 0x11 0xc157501c alignment_check 0x12 0xc1575030 machine_check 0x13 0xc1574fb4 simd_coprocessor_error 0x80 0xc15749b8 system_call # Thanks very much luigi -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it: http://www.email.it/f Sponsor: Speciale Settembre all'hotel Gigliola di Rimini, 7 giorni di pensione completa, 2 adulti Euro 420, all inclusive Euro 560 Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12638&d=20120913 -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: Tour culturali nell'entroterra romagnolo con le proposte tutto compreso di Costahotels. Alla scoperta dei borghi medievali e delle tipicita' gastronomiche della zona Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12622&d=13-9

12 years, 7 months

1
0
0 0

Volatility 2.2 RC1 is available!

by Michael Hale Ligh

Volatility 2.2 RC1 is available for download! This release includes over 50 new plugins and the new LiME address space. About 35 plugins are for support of 32- and 64-bit Linux kernels 2.6.11 - 3.5 on distributions such as Ubuntu, CentOS, Fedora, OpenSuSE, and Mandriva. About 14 are for analyzing undocumented kernel data structures in win32k/GUI space on windows. As an added bonus, there are plugins to parse event records structures, calculate service SIDs from the registry, and maybe a few additional surprises before the release. If you haven't checked recently, we've also redone the wiki entirely for better organization and documentation. There are two pages specifically that you should know about for 2.2 - the main release page (with direct downloads to the code) and the linux tutorial: http://code.google.com/p/volatility/wiki/Release22 http://code.google.com/p/volatility/wiki/LinuxMemoryForensics Please note that the 2.2 command reference will remain unfinished until the proper 2.2 release. Enjoy!

12 years, 7 months

1
0
0 0

poison_ivy.py file

by Mike Lambert

Could someone please email me the poison_ivy.py file as an attachment please? My browser mangles it when I try to get it from Andreas Schuster's blog. (Thanks Andreas for the plugin!) Thanks for the assist, Mike

12 years, 7 months

1
0
0 0

Tracking The Volatility Project

by AAron Walters

If you are one of those people who likes to stay up to date on the latest happenings in the world of Volatility, there are a couple of new resources you should definitely check out: Volatility Labs: This blog will now be the official blog of The Volatility Project. To kickstart the new blog and celebrate the upcoming OMFW, we will also be hosting the Month of Volatility Plugins (MoVP). http://volatility-labs.blogspot.com/ @Volatility: For those who want to follow the Volatility Development Team and get the inside track on upcoming events (ie the exiting new training courses), you should check us out on Twitter. https://twitter.com/volatility Thanks, AAron Walters The Volatility Project

12 years, 7 months

1
0
0 0

How to generate a volatility profile for android? It's possible?

by neofito

I'm trying to generate a profile for my android device. This profile just included the System.map file, obtained from /proc/kallsyms. How to get a module.dwarf file? I make a new Makefile for the cross-compilation of module.c and pmem.c for Android but, obviously, is not working. Thanks in advance!

12 years, 7 months

2
3
0 0

reliability phisical memory

by bellissimopython＠email.it

Hi, my question is about the reliability of physical memory acquisition on a runtime system. I mean, it's theoretically possible hijack memory acquisition on an infected system ? If yes, could cold boot attack be useful ? Or are there any other solutions ? thanks -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it: http://www.email.it/f Sponsor: Speciale agriturismo per gli amanti della natura. Offerte tutto compreso per scoprire l'entroterra romagnolo e le tradizioni locali con le proposte di Costahotels Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12620&d=20120904 -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: Vacanze di divertimento con le offerte hotel + parco Oltremare di Riccione. Cogli le proposte degli hotel per famiglie della riviera con ingresso al parco Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12611&d=4-9

12 years, 7 months

1
0
0 0

Re: [Vol-users] Win 2008 Enterprise Server SP1 Errors

by Jon Nelson

On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote: > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f > G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan > > and... > > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f > G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist > > On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com> wrote: > >> Can you paste the command line invocation you are running Vol with? >> >> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote: >> > I am using the 2.1 Windows standalone exe. >> > >> > I have a dd image of memory from the subject operating system and when >> I try >> > to use pslist with the Win2008SP1x86 profile I get the following errors: >> > >> > Traceback (most recent call last): >> > File "<string>", line 185, in <module> >> > File "<string>", line 176, in main >> > File >> > "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", >> > line 111, in execute >> > File "C:\volatility\volatility\plugins\taskmods.py", line 138, in >> > render_text >> > File >> > >> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", >> > line 72, in pslist >> > File >> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", >> > line 40, in processes >> > AttributeError: Could not list tasks, please verify your --profile with >> > kdbgscan >> > >> > >> > When I try to verify my profile with kdbgscan I get the following for >> all >> > profiles: >> > >> > ************************************************** >> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) >> > Offset (V) : 0x8193ec90 >> > Offset (P) : 0x193ec90 >> > KDBG owner tag check : True >> > Profile suggestion (KDBGHeader): Win2008SP1x86 >> > Version64 : 0x8193ec68 (Major: 15, Minor: 6001) >> > Service Pack (CmNtCSDVersion) : 1 >> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 >> > PsActiveProcessHead : 0x81954990 (0 processes) >> > PsLoadedModuleList : 0x8195ec70 (0 modules) >> > KernelBase : 0x81847000 (Matches MZ: True) >> > Major (OptionalHeader) : 6 >> > Minor (OptionalHeader) : 0 >> > KPCR : 0x8193f800 (CPU 0) >> > KPCR : 0x803d1000 (CPU 1) >> > >> > Any help would be greatly appreciated. >> > >> > Jon >> > >> > _______________________________________________ >> > Vol-users mailing list >> > Vol-users(a)volatilityfoundation.org >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> > >> > >

12 years, 8 months

4
14
0 0

Re: [Vol-users] Win 2008 Enterprise Server SP1 Errors

by Jon Nelson

Here is imageinfo: C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd imageinfo Volatile Systems Volatility Framework 2.1 Determining profile based on KDBG search... Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86 AS Layer1 : JKIA32PagedMemoryPae (Kernel AS) AS Layer2 : FileAddressSpace (G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd) PAE type : PAE DTB : 0x122000L KDBG : 0x8193ec90L Number of Processors : 2 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0x8193f800L KPCR for CPU 1 : 0x803d1000L KUSER_SHARED_DATA : 0xffdf0000L Image date and time : 2010-10-26 18:35:11 UTC+0000 Image local date and time : 2010-10-26 14:35:11 -0400 Here is the complete output of kdbgscan: Offset (V) : 0x8193ec90 Offset (P) : 0x193ec90 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008SP1x86 Version64 : 0x8193ec68 (Major: 15, Minor: 6001) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 PsActiveProcessHead : 0x81954990 (0 processes) PsLoadedModuleList : 0x8195ec70 (0 modules) KernelBase : 0x81847000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 0 KPCR : 0x8193f800 (CPU 0) KPCR : 0x803d1000 (CPU 1) ************************************************** Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) Offset (V) : 0x8193ec90 Offset (P) : 0x193ec90 KDBG owner tag check : True Profile suggestion (KDBGHeader): VistaSP1x86 Version64 : 0x8193ec68 (Major: 15, Minor: 6001) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 PsActiveProcessHead : 0x81954990 (0 processes) PsLoadedModuleList : 0x8195ec70 (0 modules) KernelBase : 0x81847000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 0 KPCR : 0x8193f800 (CPU 0) KPCR : 0x803d1000 (CPU 1) ************************************************** Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) Offset (V) : 0x8193ec90 Offset (P) : 0x193ec90 KDBG owner tag check : True Profile suggestion (KDBGHeader): VistaSP2x86 Version64 : 0x8193ec68 (Major: 15, Minor: 6001) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 PsActiveProcessHead : 0x81954990 (0 processes) PsLoadedModuleList : 0x8195ec70 (0 modules) KernelBase : 0x81847000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 0 KPCR : 0x8193f800 (CPU 0) KPCR : 0x803d1000 (CPU 1) ************************************************** Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) Offset (V) : 0x8193ec90 Offset (P) : 0x193ec90 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008SP2x86 Version64 : 0x8193ec68 (Major: 15, Minor: 6001) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 PsActiveProcessHead : 0x81954990 (0 processes) PsLoadedModuleList : 0x8195ec70 (0 modules) KernelBase : 0x81847000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 0 KPCR : 0x8193f800 (CPU 0) KPCR : 0x803d1000 (CPU 1) I also tried providing the kdbg value on the command line and got: C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 --kdbg=0x8193ec90L pslist Volatile Systems Volatility Framework 2.1 Usage: Volatility - A memory forensics analysis platform. volatility-2.1.standalone.exe: error: option --kdbg: invalid integer value: '0x8193ec90L' Is that an indication of an invalid memory address? Thanks! On Wed, Aug 22, 2012 at 12:30 PM, Andrew Case <atcuno(a)gmail.com> wrote: > From your original post: > > PsActiveProcessHead : 0x81954990 (0 processes) > PsLoadedModuleList : 0x8195ec70 (0 modules) > > That is not good ... 0 processes off activeprocesshead > > Do you only get one result from kdbgscan? Can you try just running the > 'imageinfo' plugin on your image (don't give it --profile), and send > me the results? > > On Wed, Aug 22, 2012 at 11:27 AM, Jon Nelson <dotcop(a)gmail.com> wrote: > > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f > > G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 > kdbgscan > > > > and... > > > > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f > > G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist > > > > On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com> wrote: > >> > >> Can you paste the command line invocation you are running Vol with? > >> > >> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote: > >> > I am using the 2.1 Windows standalone exe. > >> > > >> > I have a dd image of memory from the subject operating system and > when I > >> > try > >> > to use pslist with the Win2008SP1x86 profile I get the following > errors: > >> > > >> > Traceback (most recent call last): > >> > File "<string>", line 185, in <module> > >> > File "<string>", line 176, in main > >> > File > >> > > "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", > >> > line 111, in execute > >> > File "C:\volatility\volatility\plugins\taskmods.py", line 138, in > >> > render_text > >> > File > >> > > >> > > "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", > >> > line 72, in pslist > >> > File > >> > "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", > >> > line 40, in processes > >> > AttributeError: Could not list tasks, please verify your --profile > with > >> > kdbgscan > >> > > >> > > >> > When I try to verify my profile with kdbgscan I get the following for > >> > all > >> > profiles: > >> > > >> > ************************************************** > >> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) > >> > Offset (V) : 0x8193ec90 > >> > Offset (P) : 0x193ec90 > >> > KDBG owner tag check : True > >> > Profile suggestion (KDBGHeader): Win2008SP1x86 > >> > Version64 : 0x8193ec68 (Major: 15, Minor: 6001) > >> > Service Pack (CmNtCSDVersion) : 1 > >> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 > >> > PsActiveProcessHead : 0x81954990 (0 processes) > >> > PsLoadedModuleList : 0x8195ec70 (0 modules) > >> > KernelBase : 0x81847000 (Matches MZ: True) > >> > Major (OptionalHeader) : 6 > >> > Minor (OptionalHeader) : 0 > >> > KPCR : 0x8193f800 (CPU 0) > >> > KPCR : 0x803d1000 (CPU 1) > >> > > >> > Any help would be greatly appreciated. > >> > > >> > Jon > >> > > >> > _______________________________________________ > >> > Vol-users mailing list > >> > Vol-users(a)volatilityfoundation.org > >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > >> > > > > > >

12 years, 8 months

2
2
0 0

Re: [Vol-users] Win 2008 Enterprise Server SP1 Errors

by Jon Nelson

That was before my time. This is for a class and some one else acquired it. >From other memory images for the same class I have seem mdd listed as a process at the time of IR, so I am assuming that is what was used. On Wed, Aug 22, 2012 at 12:51 PM, Andrew Case <atcuno(a)gmail.com> wrote: > how did you acquire the memory image? The 0 active processes is not a good > sign > > On Wed, Aug 22, 2012 at 11:44 AM, Jon Nelson <dotcop(a)gmail.com> wrote: > > Here is imageinfo: > > > > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f > > G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd imageinfo > > > > Volatile Systems Volatility Framework 2.1 > > Determining profile based on KDBG search... > > > > Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, > Win2008SP2x86, > > VistaSP2x86 > > AS Layer1 : JKIA32PagedMemoryPae (Kernel AS) > > AS Layer2 : FileAddressSpace > > (G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd) > > PAE type : PAE > > DTB : 0x122000L > > KDBG : 0x8193ec90L > > Number of Processors : 2 > > Image Type (Service Pack) : 1 > > KPCR for CPU 0 : 0x8193f800L > > KPCR for CPU 1 : 0x803d1000L > > KUSER_SHARED_DATA : 0xffdf0000L > > Image date and time : 2010-10-26 18:35:11 UTC+0000 > > Image local date and time : 2010-10-26 14:35:11 -0400 > > > > > > Here is the complete output of kdbgscan: > > > > Offset (V) : 0x8193ec90 > > Offset (P) : 0x193ec90 > > KDBG owner tag check : True > > Profile suggestion (KDBGHeader): Win2008SP1x86 > > Version64 : 0x8193ec68 (Major: 15, Minor: 6001) > > Service Pack (CmNtCSDVersion) : 1 > > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 > > PsActiveProcessHead : 0x81954990 (0 processes) > > PsLoadedModuleList : 0x8195ec70 (0 modules) > > KernelBase : 0x81847000 (Matches MZ: True) > > Major (OptionalHeader) : 6 > > Minor (OptionalHeader) : 0 > > KPCR : 0x8193f800 (CPU 0) > > KPCR : 0x803d1000 (CPU 1) > > > > ************************************************** > > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) > > Offset (V) : 0x8193ec90 > > Offset (P) : 0x193ec90 > > KDBG owner tag check : True > > Profile suggestion (KDBGHeader): VistaSP1x86 > > Version64 : 0x8193ec68 (Major: 15, Minor: 6001) > > Service Pack (CmNtCSDVersion) : 1 > > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 > > PsActiveProcessHead : 0x81954990 (0 processes) > > PsLoadedModuleList : 0x8195ec70 (0 modules) > > KernelBase : 0x81847000 (Matches MZ: True) > > Major (OptionalHeader) : 6 > > Minor (OptionalHeader) : 0 > > KPCR : 0x8193f800 (CPU 0) > > KPCR : 0x803d1000 (CPU 1) > > > > ************************************************** > > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) > > Offset (V) : 0x8193ec90 > > Offset (P) : 0x193ec90 > > KDBG owner tag check : True > > Profile suggestion (KDBGHeader): VistaSP2x86 > > Version64 : 0x8193ec68 (Major: 15, Minor: 6001) > > Service Pack (CmNtCSDVersion) : 1 > > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 > > PsActiveProcessHead : 0x81954990 (0 processes) > > PsLoadedModuleList : 0x8195ec70 (0 modules) > > KernelBase : 0x81847000 (Matches MZ: True) > > Major (OptionalHeader) : 6 > > Minor (OptionalHeader) : 0 > > KPCR : 0x8193f800 (CPU 0) > > KPCR : 0x803d1000 (CPU 1) > > > > ************************************************** > > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) > > Offset (V) : 0x8193ec90 > > Offset (P) : 0x193ec90 > > KDBG owner tag check : True > > Profile suggestion (KDBGHeader): Win2008SP2x86 > > Version64 : 0x8193ec68 (Major: 15, Minor: 6001) > > Service Pack (CmNtCSDVersion) : 1 > > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 > > PsActiveProcessHead : 0x81954990 (0 processes) > > PsLoadedModuleList : 0x8195ec70 (0 modules) > > KernelBase : 0x81847000 (Matches MZ: True) > > Major (OptionalHeader) : 6 > > Minor (OptionalHeader) : 0 > > KPCR : 0x8193f800 (CPU 0) > > KPCR : 0x803d1000 (CPU 1) > > > > I also tried providing the kdbg value on the command line and got: > > > > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f > > G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 > > --kdbg=0x8193ec90L pslist > > Volatile Systems Volatility Framework 2.1 > > Usage: Volatility - A memory forensics analysis platform. > > > > volatility-2.1.standalone.exe: error: option --kdbg: invalid integer > value: > > '0x8193ec90L' > > > > Is that an indication of an invalid memory address? > > > > Thanks! > > > > Jon > > > > On Wed, Aug 22, 2012 at 12:30 PM, Andrew Case <atcuno(a)gmail.com> wrote: > >> > >> From your original post: > >> > >> PsActiveProcessHead : 0x81954990 (0 processes) > >> PsLoadedModuleList : 0x8195ec70 (0 modules) > >> > >> That is not good ... 0 processes off activeprocesshead > >> > >> Do you only get one result from kdbgscan? Can you try just running the > >> 'imageinfo' plugin on your image (don't give it --profile), and send > >> me the results? > >> > >> On Wed, Aug 22, 2012 at 11:27 AM, Jon Nelson <dotcop(a)gmail.com> wrote: > >> > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f > >> > G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 > >> > kdbgscan > >> > > >> > and... > >> > > >> > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f > >> > G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 > pslist > >> > > >> > On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com> > wrote: > >> >> > >> >> Can you paste the command line invocation you are running Vol with? > >> >> > >> >> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> > wrote: > >> >> > I am using the 2.1 Windows standalone exe. > >> >> > > >> >> > I have a dd image of memory from the subject operating system and > >> >> > when I > >> >> > try > >> >> > to use pslist with the Win2008SP1x86 profile I get the following > >> >> > errors: > >> >> > > >> >> > Traceback (most recent call last): > >> >> > File "<string>", line 185, in <module> > >> >> > File "<string>", line 176, in main > >> >> > File > >> >> > > >> >> > > "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", > >> >> > line 111, in execute > >> >> > File "C:\volatility\volatility\plugins\taskmods.py", line 138, in > >> >> > render_text > >> >> > File > >> >> > > >> >> > > >> >> > > "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", > >> >> > line 72, in pslist > >> >> > File > >> >> > "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", > >> >> > line 40, in processes > >> >> > AttributeError: Could not list tasks, please verify your --profile > >> >> > with > >> >> > kdbgscan > >> >> > > >> >> > > >> >> > When I try to verify my profile with kdbgscan I get the following > for > >> >> > all > >> >> > profiles: > >> >> > > >> >> > ************************************************** > >> >> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) > >> >> > Offset (V) : 0x8193ec90 > >> >> > Offset (P) : 0x193ec90 > >> >> > KDBG owner tag check : True > >> >> > Profile suggestion (KDBGHeader): Win2008SP1x86 > >> >> > Version64 : 0x8193ec68 (Major: 15, Minor: 6001) > >> >> > Service Pack (CmNtCSDVersion) : 1 > >> >> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 > >> >> > PsActiveProcessHead : 0x81954990 (0 processes) > >> >> > PsLoadedModuleList : 0x8195ec70 (0 modules) > >> >> > KernelBase : 0x81847000 (Matches MZ: True) > >> >> > Major (OptionalHeader) : 6 > >> >> > Minor (OptionalHeader) : 0 > >> >> > KPCR : 0x8193f800 (CPU 0) > >> >> > KPCR : 0x803d1000 (CPU 1) > >> >> > > >> >> > Any help would be greatly appreciated. > >> >> > > >> >> > Jon > >> >> > > >> >> > _______________________________________________ > >> >> > Vol-users mailing list > >> >> > Vol-users(a)volatilityfoundation.org > >> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > >> >> > > >> > > >> > > > > > >

12 years, 8 months

1
0
0 0

Win 2008 Enterprise Server SP1 Errors

by Jon Nelson

I am using the 2.1 Windows standalone exe. I have a dd image of memory from the subject operating system and when I try to use pslist with the Win2008SP1x86 profile I get the following errors: Traceback (most recent call last): File "<string>", line 185, in <module> File "<string>", line 176, in main File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute File "C:\volatility\volatility\plugins\taskmods.py", line 138, in render_text File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes AttributeError: Could not list tasks, please verify your --profile with kdbgscan When I try to verify my profile with kdbgscan I get the following for all profiles: ************************************************** Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) Offset (V) : 0x8193ec90 Offset (P) : 0x193ec90 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008SP1x86 Version64 : 0x8193ec68 (Major: 15, Minor: 6001) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 PsActiveProcessHead : 0x81954990 (0 processes) PsLoadedModuleList : 0x8195ec70 (0 modules) KernelBase : 0x81847000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 0 KPCR : 0x8193f800 (CPU 0) KPCR : 0x803d1000 (CPU 1) Any help would be greatly appreciated. Jon

12 years, 8 months

2
1
0 0

Re: [Vol-users] Win 2008 Enterprise Server SP1 Errors

by Jon Nelson

Thanks for the reply! Just the header and then nothing. On Wed, Aug 22, 2012 at 11:17 AM, alex pease <alex.pease(a)gmail.com> wrote: > can you try a psscan, and see what that give you as output. > > On Wed, Aug 22, 2012 at 7:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote: > >> I am using the 2.1 Windows standalone exe. >> >> I have a dd image of memory from the subject operating system and when I >> try to use pslist with the Win2008SP1x86 profile I get the following errors: >> >> Traceback (most recent call last): >> File "<string>", line 185, in <module> >> File "<string>", line 176, in main >> File >> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", >> line 111, in execute >> File "C:\volatility\volatility\plugins\taskmods.py", line 138, in >> render_text >> File >> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", >> line 72, in pslist >> File >> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line >> 40, in processes >> AttributeError: Could not list tasks, please verify your --profile with >> kdbgscan >> >> >> When I try to verify my profile with kdbgscan I get the following for all >> profiles: >> >> ************************************************** >> Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) >> Offset (V) : 0x8193ec90 >> Offset (P) : 0x193ec90 >> KDBG owner tag check : True >> Profile suggestion (KDBGHeader): Win2008SP1x86 >> Version64 : 0x8193ec68 (Major: 15, Minor: 6001) >> Service Pack (CmNtCSDVersion) : 1 >> Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 >> PsActiveProcessHead : 0x81954990 (0 processes) >> PsLoadedModuleList : 0x8195ec70 (0 modules) >> KernelBase : 0x81847000 (Matches MZ: True) >> Major (OptionalHeader) : 6 >> Minor (OptionalHeader) : 0 >> KPCR : 0x8193f800 (CPU 0) >> KPCR : 0x803d1000 (CPU 1) >> >> Any help would be greatly appreciated. >> >> Jon >> >> _______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> >> >

12 years, 8 months

1
0
0 0

Was a TrueCrypt volume mounted?

by Adam Bridge

Hello All, I'm new to Volatility but am a reasonably experienced forensic examiner. I'm working on a hiberfil.sys from a WIN7SP1x64 machine and am trying to determine whether a TrueCrypt volume was mounted and, for bonus points, the path to the TrueCrypt volume file. I've used devicetree and found: DRV 0x23ea15de0 \Driver\truecrypt ---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK ---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN So a good start. Question: Does that tell me that there _IS_ a TrueCrypt volume mounted as the G drive or there _WAS_ a TrueCrypt volume mounted as the G drive, or that there's no way of knowing one way or the other? filescan shows two entries for \TrueCrypt.exe. The only difference between the two (besides a slight difference in #Ptr) is that one has access of: R--rwd and the other: R--r-d What should I be discerning from this? Why does one have a write permission that the other does not? And finally, pslist shows me that TrueCrypt.exe was started but has no exit time. I'm just not really sure where to go next? Can anybody suggest anything? More than happy for someone to tell me to go read X! Just can't find a helpful X to read. Thank you all, AB

12 years, 8 months

6
14
0 0

Re: [Vol-users] Was a TrueCrypt volume mounted?

by Adam Bridge

As promised, I have done my best to write up the process I went through to successfully identify the file behind the TC volume. Find it here: http://www.scribd.com/doc/103174530 Thanks, Adam On Fri, Aug 17, 2012 at 5:55 PM, Tom Yarrish <tom(a)yarrish.com> wrote: > Please let us know when it's up, I'd like to add it to my "notes" for > future reference. > > Tom > > On Fri, Aug 17, 2012 at 10:06 AM, Adam Bridge <adam.bridge(a)yahoo.com> > wrote: > > Ok, I'm delighted to say that I've solved it! > > > > I was able to work with the list of File objects from handles --pid=4 and > > really narrow it down to one likely file on a particular device. > > Went and dug that device out of the store and voila, there was the file > and > > it is indeed a TC volume. > > > > Chuffed to bits. Thanks everyone for your help. > > > > I shall do my best to write it up over the weekend and post it on the web > > somewhere. > > > > Thanks again! > > > > > > On Fri, Aug 17, 2012 at 3:45 PM, Jamie Levy <jamie.levy(a)gmail.com> > wrote: > >> > >> Try this filescan patch and see if it helps: > >> > >> http://code.google.com/p/volatility/issues/detail?id=325 > >> > >> > >> > >> On Fri, Aug 17, 2012 at 8:22 AM, Adam Bridge <adam.bridge(a)yahoo.com> > >> wrote: > >> > Today I've been able to work on the actual case rather than my test > >> > case. > >> > I've mainly been making use of handles and symlinkscan. > >> > Again, my goal is to try and find the "file" which is the TC volume. > >> > > >> > I've put my rough notes here: http://bridgey.co.uk/vty-tc.txt.html > >> > If I'm actually successful I shall write them up with a more > >> > tutorial-like > >> > approach. > >> > > >> > I'm pretty much at a point where I'm saying the TC volume is either > the > >> > entire attached Seagate device or at least a file on that device. > >> > If the latter, I have no idea which file! > >> > > >> > Any comments, suggestions, flames or mother-based insults welcome! > >> > > >> > > >> > On Fri, Aug 17, 2012 at 8:33 AM, Adam Bridge <adam.bridge(a)yahoo.com> > >> > wrote: > >> >> > >> >> Thanks again for all the comments all. I assume people are suggesting > >> >> Registry keys such as shellbags and MRUs to look for file from the > T:? > >> >> That > >> >> might give me some clue as to usage. > >> >> My primary goal here is to identify the file which is the TC volume. > >> >> > >> >> @MHL > >> >> You're absolutely right - the focus should be on > >> >> \Device\TrueCryptVolumeT > >> >> as I really only know bout \Device\HarddiskVolume10 because I > >> >> "cheatingly" > >> >> know the name of the TC volume (MyTrueCryptVolume). > >> >> In my real case, I don't know the name. The problem I've got is that > >> >> I've > >> >> run into a bit of a dead end with \Device\TrueCryptVolumeT with > respect > >> >> to > >> >> identifying the file behind it. > >> >> > >> >> Adam > >> >> > >> >> > >> >> On Thu, Aug 16, 2012 at 11:55 PM, Michael Hale Ligh > >> >> <michael.hale(a)gmail.com> wrote: > >> >>> > >> >>> Adam, > >> >>> > >> >>> Shouldn't you be looking for references to \Device\TrueCryptVolumeT\ > >> >>> instead of (or at least in addition to) > >> >>> \Device\HarddiskVolume10\MyTrueCryptVolume? The TrueCryptVolumeT > >> >>> location is > >> >>> what's actually mapped at T: as shown by symlinkscan. > >> >>> > >> >>> The fact that MyTrueCryptTextFile.txt doesn't show up in the > >> >>> notepad.exe > >> >>> handles output is normal. Basically what notepad does is opens the > >> >>> file, > >> >>> maps it into memory, displays the contents in the GUI, then closes > >> >>> handle > >> >>> (so as not to needlessly consume handles when they're not being > used). > >> >>> Thus > >> >>> by the time you acquire memory, the handle is already closed. When > you > >> >>> modify the text file and click Save, the process re-opens a handle, > >> >>> flushes > >> >>> the changes, and closes the handle again. > >> >>> > >> >>> If you want to test that, use Process Monitor and set up a filter > for > >> >>> notepad.exe. Then open your MyTrueCryptTextFile.txt file and review > >> >>> the APIs > >> >>> being called. You'll see CreateFile followed by CreateFileMapping, > and > >> >>> finally CloseHandle. This probably varies per application (for > example > >> >>> maybe > >> >>> Microsoft Word always retains an open handle to the document being > >> >>> modified). > >> >>> > >> >>> MHL > >> >>> > >> >>> On Thu, Aug 16, 2012 at 5:24 PM, Adam Bridge <adam.bridge(a)yahoo.com > > > >> >>> wrote: > >> >>>> > >> >>>> The only references to HarddiskVolume10 in the handles output are: > >> >>>> > >> >>>> 0xfffffa80021a63c0 4 0x2a1c 0x12019f > File > >> >>>> \Device\HarddiskVolume10\MyTrueCryptVolume > >> >>>> 0xfffffa8003992420 2700 0xba8 0x100081 > File > >> >>>> \Device\HarddiskVolume10\ > >> >>>> 0xfffffa8004672940 2700 0xd3c 0x100081 > File > >> >>>> \Device\HarddiskVolume10\ > >> >>>> > >> >>>> PID 4 being SYSTEM and 2700 being explorer. I'm assuming you only > >> >>>> knew > >> >>>> it was HarddiskVolume10 because of 'MyTrueCryptVolume'? > >> >>>> In my real case, I don't know the name of the T/C volume. > >> >>>> > >> >>>> Great thinking about userassist. In my test case I did indeed > >> >>>> double-click a txt file (MyTrueCryptTextFile.txt) which was within > >> >>>> the T/C > >> >>>> volume but sadly it doesn't appear in the userassist output > (entirely > >> >>>> unrelated to this T/C stuff, it's fascinating what does tho!) > >> >>>> Interestingly, > >> >>>> the txt file also doesn't appear in the handles output - even > though > >> >>>> it was > >> >>>> open at the time I captured the memory?! (On the test system it is > in > >> >>>> the > >> >>>> Notepad jump list.) > >> >>>> > >> >>>> Thanks so much for the comments all - I'm learning so much - it's > >> >>>> awesome! > >> >>>> > >> >>>> On Thu, Aug 16, 2012 at 10:10 PM, Jamie Levy <jamie.levy(a)gmail.com > > > >> >>>> wrote: > >> >>>>> > >> >>>>> Are there any files (from handles output) that are on > >> >>>>> \Device\HarddiskVolume10 ? In your output this is the location of > >> >>>>> the > >> >>>>> TrueCrypt volume. > >> >>>>> > >> >>>>> If they double clicked a document or something from that volume, > an > >> >>>>> entry for its LNK file might show up in the UserAssist key, you > can > >> >>>>> run the userassist plugin just to see what shows up in there. > >> >>>>> > >> >>>>> > >> >>>>> > >> >>>>> On Thu, Aug 16, 2012 at 4:28 PM, Adam Bridge < > adam.bridge(a)yahoo.com> > >> >>>>> wrote: > >> >>>>> > Thanks so much for the email - extremely useful already. > >> >>>>> > I'm taking notes so that I can do my best at writing it up at > the > >> >>>>> > end. > >> >>>>> > > >> >>>>> > So, with pslist I found one instance of TrueCrypt.exe which had > a > >> >>>>> > PID > >> >>>>> > of > >> >>>>> > 4920. > >> >>>>> > > >> >>>>> > With handles --pid=4920 there was nothing useful - all very much > >> >>>>> > T/C > >> >>>>> > stuff. > >> >>>>> > So I did handles without the --pid. > >> >>>>> > Now, with my test data I of course know the name of the T/C > volume > >> >>>>> > file and > >> >>>>> > sure enough I could see it: > >> >>>>> > > >> >>>>> > Offset(V) Pid Handle Access > >> >>>>> > Type > >> >>>>> > Details > >> >>>>> > ------------------ ------ ------------------ ------------------ > >> >>>>> > ---------------- ------- > >> >>>>> > 0xfffffa8002193b30 4 0x269c 0x2a > >> >>>>> > Process > >> >>>>> > TrueCrypt.exe(4920) > >> >>>>> > 0xfffffa80021a63c0 4 0x2a1c 0x12019f > >> >>>>> > File > >> >>>>> > \Device\HarddiskVolume10\MyTrueCryptVolume # Here! > >> >>>>> > 0xfffffa8002193b30 796 0x6c0 0x1fffff > >> >>>>> > Process > >> >>>>> > TrueCrypt.exe(4920) > >> >>>>> > 0xfffffa8002193b30 836 0xc28 0x1478 > >> >>>>> > Process > >> >>>>> > TrueCrypt.exe(4920) > >> >>>>> > 0xfffffa8002193b30 1144 0xd4c 0x1478 > >> >>>>> > Process > >> >>>>> > TrueCrypt.exe(4920) > >> >>>>> > 0xfffffa8001b4f070 2700 0x1084 0x100081 > >> >>>>> > File > >> >>>>> > \Device\TrueCryptVolumeT\ > >> >>>>> > 0xfffffa8002c7d1c0 2700 0x1118 0x100081 > >> >>>>> > File > >> >>>>> > \Device\TrueCryptVolumeT\ > >> >>>>> > 0xfffffa8001e51f20 4920 0x324 0x100080 > >> >>>>> > File > >> >>>>> > \Device\TrueCrypt > >> >>>>> > 0xfffffa80038e4680 4920 0x330 0x1f0001 > >> >>>>> > Mutant > >> >>>>> > TrueCryptTaskBarIcon > >> >>>>> > 0xfffffa8004d5a8d0 3384 0xc 0x100020 > >> >>>>> > File > >> >>>>> > \Device\TrueCryptVolumeT\ > >> >>>>> > > >> >>>>> > In my real case I don't know the name of the file - so I > wouldn't > >> >>>>> > know it if > >> >>>>> > I saw it - especially if it had an innocent name like > >> >>>>> > "school_work.doc". > >> >>>>> > > >> >>>>> > I now know my T/C volume is mounted as T: > >> >>>>> > I notice that there are 2 PIDs accessing the T: > >> >>>>> > Look them up in the plist data and they're explorer and notepad > >> >>>>> > (which is > >> >>>>> > correct, I'd opened a txt file from the T/C volume). > >> >>>>> > > >> >>>>> > So, pretending I hadn't seen 'MyTrueCryptVolume' I tried > symlinks > >> >>>>> > and > >> >>>>> > grep'd > >> >>>>> > for TrueCrypt: > >> >>>>> > > >> >>>>> > > >> >>>>> > Offset(P) #Ptr #Hnd Creation time From > >> >>>>> > To > >> >>>>> > ------------------ ------ ------ ------------------------ > >> >>>>> > -------------------- > >> >>>>> > ------------------------------------------------------------ > >> >>>>> > 0x0000000026b33c80 1 0 2012-08-16 19:12:51 > >> >>>>> > Volume{3d...10a7e8a} \Device\TrueCryptVolumeT > >> >>>>> > 0x0000000037f51b10 1 0 2012-08-16 18:14:48 > >> >>>>> > TrueCrypt > >> >>>>> > \Device\TrueCrypt > >> >>>>> > 0x0000000052ececb0 1 0 2012-08-16 19:12:51 T: > >> >>>>> > \Device\TrueCryptVolumeT > >> >>>>> > 0x000000006131c9d0 1 0 2012-08-16 19:12:51 T: > >> >>>>> > \Device\TrueCryptVolumeT > >> >>>>> > > >> >>>>> > So, definitely T: then. > >> >>>>> > > >> >>>>> > So I know there's a T/C volume mounted, I know that it's mounted > >> >>>>> > as > >> >>>>> > the T: > >> >>>>> > and I know that explorer and notepad have both got handles to > it. > >> >>>>> > I've got one last hurdle to clear: how do I find out the file > >> >>>>> > which > >> >>>>> > is > >> >>>>> > behind \Device\TrueCryptVolumeT? > >> >>>>> > > >> >>>>> > I filtered handles for File objects from \Device\HarddiskVolume* > >> >>>>> > but > >> >>>>> > that > >> >>>>> > left me with ~130 files and without knowing the file name how > >> >>>>> > would I > >> >>>>> > identify it? > >> >>>>> > > >> >>>>> > Thanks again for all the suggestions so far! > >> >>>>> > > >> >>>>> > > >> >>>>> > On Thu, Aug 16, 2012 at 8:04 PM, Andrew Case <atcuno(a)gmail.com> > >> >>>>> > wrote: > >> >>>>> >> > >> >>>>> >> Hello, > >> >>>>> >> > >> >>>>> >> So I will assume you are using the latest release of > Volatility, > >> >>>>> >> which > >> >>>>> >> means the 2.1 command reference will give you information about > >> >>>>> >> every > >> >>>>> >> plugin we have: > >> >>>>> >> > >> >>>>> >> http://code.google.com/p/volatility/wiki/CommandReference21 > >> >>>>> >> > >> >>>>> >> The next thing I would do is run the handles plugin [1] and > look > >> >>>>> >> for > >> >>>>> >> any reference to the open file. You can filter with the -p > option > >> >>>>> >> to > >> >>>>> >> be only the TrueCrypt process that you found in pslist, but if > >> >>>>> >> you > >> >>>>> >> do > >> >>>>> >> not see any encrypted container referenced there then you may > >> >>>>> >> want > >> >>>>> >> to > >> >>>>> >> run it across all processes (the default) because we have seen > >> >>>>> >> where > >> >>>>> >> files opened by drivers end up in other processes' handles > (e.g. > >> >>>>> >> SYSTEM). > >> >>>>> >> > >> >>>>> >> I think handles would be more helpful to determine if any files > >> >>>>> >> were > >> >>>>> >> opened b/c it will show you exactly what truecrypt had open > when > >> >>>>> >> the > >> >>>>> >> machine hibernated. With filescan you would have to already > know > >> >>>>> >> the > >> >>>>> >> name of the encrypted container to see if it was ever opened. > >> >>>>> >> > >> >>>>> >> Also, MHL suggested using the symlink scan command [2] as this > >> >>>>> >> will > >> >>>>> >> map drive letters to physical device paths. Here is some sample > >> >>>>> >> output > >> >>>>> >> for the command: > >> >>>>> >> > >> >>>>> >> $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 > symlinkscan > >> >>>>> >> Volatile Systems Volatility Framework 2.2_alpha > >> >>>>> >> Offset(P) #Ptr #Hnd Creation time From > >> >>>>> >> To > >> >>>>> >> ------------------ ------ ------ ------------------------ > >> >>>>> >> -------------------- > >> >>>>> >> ------------------------------------------------------------ > >> >>>>> >> 0x0000000007331840 1 0 2011-12-30 08:26:15 > Global > >> >>>>> >> \Global?? > >> >>>>> >> 0x0000000013d6a930 1 0 2012-01-10 18:35:28 Z: > >> >>>>> >> > >> >>>>> >> \Device\LanmanRedirector\;Z:0...000003b08d\10.1.47.238\setup > >> >>>>> >> 0x0000000023bc0140 1 0 2011-12-30 08:25:30 A: > >> >>>>> >> \Device\Floppy0 > >> >>>>> >> 0x000000002ab23430 1 0 2011-12-30 08:25:30 D: > >> >>>>> >> \Device\CdRom0 > >> >>>>> >> 0x000000002d3b8c90 1 0 2011-12-30 08:25:26 C: > >> >>>>> >> \Device\HarddiskVolume2 > >> >>>>> >> > >> >>>>> >> And you can see, C: is mapped to HarddiskVolume2. From there > you > >> >>>>> >> can > >> >>>>> >> run handles and filter specifically to files opened on that > >> >>>>> >> device > >> >>>>> >> like this: > >> >>>>> >> > >> >>>>> >> $ python vol.py -f win7x64cmd.dd --profile=Win7SP1x64 handles > -t > >> >>>>> >> File > >> >>>>> >> | grep HarddiskVolume2 > >> >>>>> >> Volatile Systems Volatility Framework 2.2_alpha > >> >>>>> >> 0xfffffa800248e5a0 4 0x5c 0x12008b > >> >>>>> >> File > >> >>>>> >> > >> >>>>> >> \Device\HarddiskVolume2\Windows\System32\wfp\wfpdiag.etl > >> >>>>> >> 0xfffffa800267f300 4 0xa4 0x13019f > >> >>>>> >> File > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> > \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > >> >>>>> >> 0xfffffa800267b540 4 0xa8 0x12019f > >> >>>>> >> File > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> > \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > >> >>>>> >> 0xfffffa8002671350 4 0xac 0x13019f > >> >>>>> >> File > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> > \Device\clfs\Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLog > >> >>>>> >> 0xfffffa80026794e0 4 0xb0 0x12019f > >> >>>>> >> File > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> > \Device\HarddiskVolume2\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002 > >> >>>>> >> 0xfffffa8002679c30 4 0xb4 0x1 > >> >>>>> >> File > >> >>>>> >> \Device\HarddiskVolume2 > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> If the combination of handles and symlinkscan does not answer > >> >>>>> >> your > >> >>>>> >> question please write back. Also, it would be interesting if > you > >> >>>>> >> documented your process through this (assuming you can), as I > am > >> >>>>> >> sure > >> >>>>> >> many other people will encounter this situation. > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> [1] > >> >>>>> >> > >> >>>>> >> > http://code.google.com/p/volatility/wiki/CommandReference21#handles > >> >>>>> >> [2] > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> > http://code.google.com/p/volatility/wiki/CommandReference21#symlinkscan > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> > >> >>>>> >> .... > >> >>>>> >> > >> >>>>> >> On Thu, Aug 16, 2012 at 8:41 AM, Adam Bridge > >> >>>>> >> <adam.bridge(a)yahoo.com> > >> >>>>> >> wrote: > >> >>>>> >> > Hello All, > >> >>>>> >> > > >> >>>>> >> > I'm new to Volatility but am a reasonably experienced > forensic > >> >>>>> >> > examiner. > >> >>>>> >> > > >> >>>>> >> > I'm working on a hiberfil.sys from a WIN7SP1x64 machine and > am > >> >>>>> >> > trying to > >> >>>>> >> > determine whether a TrueCrypt volume was mounted and, for > bonus > >> >>>>> >> > points, > >> >>>>> >> > the > >> >>>>> >> > path to the TrueCrypt volume file. > >> >>>>> >> > > >> >>>>> >> > I've used devicetree and found: > >> >>>>> >> > > >> >>>>> >> > DRV 0x23ea15de0 \Driver\truecrypt > >> >>>>> >> > ---| DEV 0xfffffa800946f080 TrueCryptVolumeG FILE_DEVICE_DISK > >> >>>>> >> > ---| DEV 0xfffffa8007127ac0 TrueCrypt FILE_DEVICE_UNKNOWN > >> >>>>> >> > > >> >>>>> >> > So a good start. > >> >>>>> >> > > >> >>>>> >> > Question: Does that tell me that there _IS_ a TrueCrypt > volume > >> >>>>> >> > mounted > >> >>>>> >> > as > >> >>>>> >> > the G drive or there _WAS_ a TrueCrypt volume mounted as the > G > >> >>>>> >> > drive, or > >> >>>>> >> > that there's no way of knowing one way or the other? > >> >>>>> >> > > >> >>>>> >> > filescan shows two entries for \TrueCrypt.exe. The only > >> >>>>> >> > difference > >> >>>>> >> > between > >> >>>>> >> > the two (besides a slight difference in #Ptr) is that one has > >> >>>>> >> > access of: > >> >>>>> >> > > >> >>>>> >> > R--rwd > >> >>>>> >> > > >> >>>>> >> > and the other: > >> >>>>> >> > > >> >>>>> >> > R--r-d > >> >>>>> >> > > >> >>>>> >> > What should I be discerning from this? Why does one have a > >> >>>>> >> > write > >> >>>>> >> > permission > >> >>>>> >> > that the other does not? > >> >>>>> >> > > >> >>>>> >> > And finally, pslist shows me that TrueCrypt.exe was started > but > >> >>>>> >> > has no > >> >>>>> >> > exit > >> >>>>> >> > time. > >> >>>>> >> > > >> >>>>> >> > I'm just not really sure where to go next? > >> >>>>> >> > Can anybody suggest anything? > >> >>>>> >> > > >> >>>>> >> > More than happy for someone to tell me to go read X! Just > can't > >> >>>>> >> > find a > >> >>>>> >> > helpful X to read. > >> >>>>> >> > > >> >>>>> >> > Thank you all, > >> >>>>> >> > AB > >> >>>>> >> > > >> >>>>> >> > _______________________________________________ > >> >>>>> >> > Vol-users mailing list > >> >>>>> >> > Vol-users(a)volatilityfoundation.org > >> >>>>> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > >> >>>>> >> > > >> >>>>> > > >> >>>>> > > >> >>>>> > > >> >>>>> > _______________________________________________ > >> >>>>> > Vol-users mailing list > >> >>>>> > Vol-users(a)volatilityfoundation.org > >> >>>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > >> >>>>> > > >> >>>>> > >> >>>>> > >> >>>>> > >> >>>>> -- > >> >>>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 > AC92 > >> >>>> > >> >>>> > >> >>>> > >> >>>> _______________________________________________ > >> >>>> Vol-users mailing list > >> >>>> Vol-users(a)volatilityfoundation.org > >> >>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > >> >>>> > >> >>> > >> >> > >> > > >> > > >> > _______________________________________________ > >> > Vol-users mailing list > >> > Vol-users(a)volatilityfoundation.org > >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > >> > > >> > >> > >> > >> -- > >> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 > > > > > > > > _______________________________________________ > > Vol-users mailing list > > Vol-users(a)volatilityfoundation.org > > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > >

12 years, 8 months

5
4
0 0

Windows memory forensics class

by Howard Patterson

Anyone attending the SANS Windows Memory Forensics class in DC in a couple of weeks? Howard Patterson Howard.Patterson(a)tn.gov

12 years, 8 months

2
1
0 0

volatility linux

by Adam Bridge

If you're still suffering this problem, could you post an example of what you have typed in the shell? There are many excellent examples available here: http://code.google.com/p/volatility/wiki/CommandReference21

12 years, 8 months

1
0
0 0

volatility linux

by bellissimopython＠email.it

Hi, I am trying to use volatility under linux image. I am a newbie of volatility so that I'm find troubles to use it. most of plugin seems dont work... look: In [7]: plugins.mount --------------------------------------------------------------------------- AttributeError Traceback (most recent call last) /home/user/src/lin64-support/<ipython-input-7-bdbca450f1fd> in <module>() ----> 1 plugins.mount AttributeError: 'Container' object has no attribute 'mount' ..... ..... ..... but some works, look: In [8]: plugins.ifconfig ------> plugins.ifconfig() lo 127.0.0.1 00:00:00:00:00:00 eth0 192.168.1.226 f0:4d:a2:ae:f2:2c eth1 0.0.0.0 00:00:00:00:00:00 Anyone could help me to use volatility plugins under linux ? thanks very much -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it: http://www.email.it/f Sponsor: Offerte all inclusive in Romagna. Speciale Agosto da Euro 480,00 Speciale Settembre da Euro 295. Terzo letto Gratis e Quarto scontato al 50% Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12594&d=20120817 -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: Offerta Nordic walking Festival dal 7 al 9 settembre a Riccione e Misano con le proposte hotel di Costahotels della riviera romagnola per tutti gli appassionati di questo sport salutare Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12585&d=17-8

12 years, 8 months

2
1
0 0

Interesting finding

by Armet, Lee

Anyone ever see this? 0x2253cfb9 14...5 False True False False False Volatile Systems Volatility Framework 2.2_alpha Offset(P) Name PID pslist psscan thrdproc pspcdid csrss ---------- -------------------- ------ ------ ------ -------- ------- ----- 0x05760020 System 4 True True True True False 0x19863d21 svchost.exe 804 False True False False False 0x18fa330d pdfPro5Hook.ex 3832 False True False False False 0x18a9d585 cmd.exe 3052 False True False False False 0x2eac4d45 svchost.exe 724 False True False False False 0x1d844541 taskhost.exe 3308 False True False False False 0x190203a9 ISUSPM.exe 3956 False True False False False 0x18b2d26a System 4 False True False False False 0x0c1577ed sppsvc.exe 3276 False True False False False 0x190b1335 svchost.exe 796 False True False False False 0x13473a2d wininit.exe 504 False True False False False 0x2253cfb9 14...5 False True False False False 0x22e79729 wuauclt.exe 2908 False True False False False 0x21442a21 ccSvcHst.exe 3040 False True False False False 0x18f75c35 BrStMonW.exe 3936 False True False False False 0x19044359 SearchIndexer. 2588 False True False False False 0x22209305 svchost.exe 1332 False True False False False 0x1900a539 BrCcUxSys.exe 1136 False True False False False 0x227df30d svchost.exe 1764 False True False False False 0x3accbd3d explorer.exe 3492 False True False False False 0x18f980a5 pptd40nt.exe 3772 False True False False False Regards, Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group O:416-982-6855 | M:647-242-0002 NOTICE: Confidential message which may be privileged. Unauthorized use/disclosure prohibited. If received in error, please go to www.td.com/legal for instructions. AVIS : Message confidentiel dont le contenu peut être privilégié. Utilisation/divulgation interdites sans permission. Si reçu par erreur, prière d'aller au www.td.com/francais/avis_juridique pour des instructions.

12 years, 8 months

4
10
0 0

Problem with 2.2_alpha

by Armet, Lee

I imaged a live Win7 32bit system 3gb just now with both ftkimager and winen and when I try to analyse the ram vol just hangs and hangs. The memory acquisition seemed to complete without error. Should I use an older version of vol? Regards, Lee Armet | Senior Investigator, Forensic Technology Services| Global Security & Investigations | TD Bank Group‬‪ T: (416) 982-6855 | M: (647) 242-0002‬‪ NOTICE: Confidential message which may be privileged. Unauthorized use/disclosure prohibited. If received in error, please go to www.td.com/legal for instructions. AVIS : Message confidentiel dont le contenu peut être privilégié. Utilisation/divulgation interdites sans permission. Si reçu par erreur, prière d'aller au www.td.com/francais/avis_juridique pour des instructions.

12 years, 8 months

2
4
0 0

Error on Pycrypto

by aph.4nc

Dear all, I am Andri Heriyanto. I am just starting to use Volatility as the tools for analyzing the memory. I am using Python-2.7.3 and already installed Volatility ver 2.1 on both OS: Windows 7 64-bit and Linux Ubuntu 12.04 LTS 32-bit, unfortunately I could not resolve the problem on pycrypto. Especially on the Linux Ubuntu 12.04 LTS, there is always a notification of an error like this: ERROR : root : code for hash sha224 was not found. Traceback (most recent call last): File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module> globals()[__func_name] = __get_hash(__func_name) File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor raise ValueError('unsupported hash type %s' % name) ValueError: unsupported hash type sha224 ERROR : root : code for hash sha256 was not found. Traceback (most recent call last): File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module> globals()[__func_name] = __get_hash(__func_name) File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor raise ValueError('unsupported hash type %s' % name) ValueError: unsupported hash type sha256 ERROR : root : code for hash sha384 was not found. Traceback (most recent call last): File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module> globals()[__func_name] = __get_hash(__func_name) File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor raise ValueError('unsupported hash type %s' % name) ValueError: unsupported hash type sha384 ERROR : root : code for hash sha512 was not found. Traceback (most recent call last): File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module> globals()[__func_name] = __get_hash(__func_name) File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor raise ValueError('unsupported hash type %s' % name) ValueError: unsupported hash type sha512 Sorry for my simple question, but I've tried googling to sort this things out, but I still could not solve it. Thank you very much in advance for any support and suggestion. Cheers

12 years, 8 months

3
2
0 0

Volatility 2.1 Released! (Official x64 Support)

by AAron Walters

https://code.google.com/p/volatility/ We are very excited to announce the official release of Volatility 2.1! While the main goal of this release was to get x64 support into an official release, we also sneaked in a number of interesting new capabilities! Highlights of this release include: New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64) Majority of Existing Plugins Updated with x64 Support Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21) WindowsHiberFileSpace32 Overhaul (also includes x64 Support) Expanded Operating System Profiles: Windows XP SP1, SP2 and SP3 x86 Windows XP SP1 and SP2 x64 (there is no SP3 x64) Windows Server 2003 SP0, SP1, and SP2 x86 Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64) Windows Vista SP0, SP1, and SP2 x86 Windows Vista SP0, SP1, and SP2 x64 Windows Server 2008 SP1 and SP2 x86 (there is no SP0) Windows Server 2008 SP1 and SP2 x64 (there is no SP0) Windows Server 2008 R2 SP0 and SP1 x64 Windows 7 SP0 and SP1 x86 Windows 7 SP0 and SP1 x64 Plugin Additions (Now Over 70+ Analysis Plugins!): Printing Process Environment Variables (envvars) Inspecting the Shim Cache (shimcache) Profiling Command History and Console Usage (cmdscan, consoles) Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp) Plugin Enhancements: Verbose details for kdbgscan and kpcrscan idt/gdt/timers plugins cycle automatically for each CPU apihooks detects LSP/winsock procedure tables New Output Formatting Support (Table Rendering) New Mechanism for Profile Modifications New Registry API Support New Volshell Commands Updated Documentation and Command Reference In particular, I also wanted to take this opportunity to recognize those on the development team who helped push to make this release possible: Mike Auty, Andrew Case, Michael Cohen, Michael Hale Ligh, and Jamie Levy. These are the people who make a number of sacrifices in their own personal lives to continue to bring you the most advanced memory forensics framework in the world! If you appreciate the hard work they put into Volatility, I encourage you to Support Open Source Forensics Developers (SOSFD). Finally, shoutz to the Volatility Community for their continued support and feedback! As an added bonus, we will also be releasing Volatility 2.2 at the Open Memory Forensics Workshop 2012 on October 2. This will be your only opportunity to learn about all the new features in 2.1 and 2.2 from the actual Volatility development team. Please register early. Seats are filling up fast! The Volatility Project

12 years, 8 months

2
1
0 0

order of command line options breaks the execution

by Skippy VonDrake

This may just be an "aspect" of the Windows version. Win7, Python 2.7.3, Volatility 2.1 RC3. After receiving MLH's direction on getting "conf-file" to work on Windows, I set the profile and location in my conf file. Works fine: python <pathTo>\vol.py --conf-file="<my conf file>" --plugins="<pathToMyPlugins>" someSillyPlugin Does NOT work: python <pathTo>\vol.py --plugins="<pathToMyPlugins>" --conf-file="<my conf file>" someSillyPlugin The error: __main__ : Please specify a location (-l) or filename (-f) I don't know if this is also true on non-Windows systems. Skippy

12 years, 8 months

1
0
0 0

failed to import plugins.overlays

by Skippy VonDrake

Just tried the 2.1 RC3 version and got the errors below. Then did the 'python setup.py clean' command followed by repeating the install command 'python setup.py install'. Still no difference. No errors produced during install. Egg was built and copied. Using Win7 and Python 2.7.3. D:\Forensics>python %PYTHON_SCRIPTS%\vol.py -h Volatile Systems Volatility Framework 2.1_rc3 *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win7_sp0_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp1_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.vista_sp1_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win7_sp1_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.vista_sp2_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.xp_sp3_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp0_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.xp_sp2_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.vista_sp0_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp2_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError: 'module' object has no attribute 'xpsp2_types') Usage: Volatility - A memory forensics analysis platform.

12 years, 9 months

2
1
0 0

no conf-file option in Vol 2.0

by Skippy VonDrake

Using help on the command line I see no reference to the "--conf-file" option. Was it removed?

12 years, 9 months

2
1
0 0

Linux memory analysis with scudettesbranch

by Sebastien Bourdon-Richard

Hi, I'm trying to analyze linux memory dumps with scudettesbranch r2040, but it doesn't seems to work. Is there something I do wrong? *Ubuntu 11.04 64bit (acquired with lime, padded format)* H:\Volatility\Scudette>h:\Python27\python.exe vol.py Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] Type "copyright", "credits" or "license" for more information. IPython 0.13 -- An enhanced Interactive Python. ? -> Introduction and overview of IPython's features. %quickref -> Quick reference. help -> Python's own help system. object? -> Details about 'object', use 'object??' for extra details. Welcome to the volatility interactive shell! To get help, type 'vhelp()' In [1]: session.filename = "N:\Lime\Ubuntu-11.04-64-bit\u64.padded" In [2]: session.profile_file = "N:\Lime\Ubuntu-11.04-64-bit\myprofile.zip" In [3]: session.profile = profiles.Linux64 In [4]: vol plugins.pslist ------> vol(plugins.pslist) WARNING:root:comm has no offset in object task_struct. Check that vtypes has a concrete definition for it. WARNING:root:name has no offset in object net_device. Check that vtypes has a concrete definition for it. WARNING:root:s_id has no offset in object super_block. Check that vtypes has a concrete definition for it. WARNING:root:sun_path has no offset in object sockaddr_un. Check that vtypes has a concrete definition for it. WARNING:root:x86_model_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it. WARNING:root:x86_vendor_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it. WARNING:root:name has no offset in object module. Check that vtypes has a concrete definition for it. Offset Name Pid Uid ERROR:root:Error: Type task_struct has no member tasks --------------------------------------------------------------------------- AttributeError Traceback (most recent call last) <ipython-input-4-a5edbfb3c155> in <module>() ----> 1 vol(plugins.pslist) H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs) 217 result = plugin_cls(*args, **kwargs) 218 try: --> 219 result.render(ui_renderer) 220 except KeyboardInterrupt: 221 self.report_progress("Aborted!\r\n", force=True) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd) 49 "Offset", "Name", "Pid", "Uid")) 50 ---> 51 for task in self.pslist(): 52 outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format( 53 task.obj_offset, task.comm, str(task.pid), str(task.uid))) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self) 42 43 # walk the ->tasks list, note that this will *not* display "swapper" ---> 44 for task in init_task.tasks: 45 yield task 46 H:\Volatility\Scudette\volatility\obj.pyc in __getattr__(self, attr) 921 if attr not in self.members: 922 raise AttributeError("Type {0} has no member {1}".format( --> 923 self.obj_name, attr)) 924 925 return self.m(attr) AttributeError: Type task_struct has no member tasks *Ubuntu 11.04 64bit (acquired with lime, raw format)* * * H:\Volatility\Scudette>h:\Python27\python.exe vol.py Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] Type "copyright", "credits" or "license" for more information. IPython 0.13 -- An enhanced Interactive Python. ? -> Introduction and overview of IPython's features. %quickref -> Quick reference. help -> Python's own help system. object? -> Details about 'object', use 'object??' for extra details. Welcome to the volatility interactive shell! To get help, type 'vhelp()' In [1]: session.filename = "N:\\Lime\\Ubuntu-11.04-64-bit\\u64.raw" In [2]: session.profile_file = "N:\\Lime\\Ubuntu-11.04-64-bit\\myprofile.zip" In [3]: session.profile = profiles.Linux64 In [4]: vol plugins.pslist ------> vol(plugins.pslist) WARNING:root:comm has no offset in object task_struct. Check that vtypes has a concrete definition for it. WARNING:root:name has no offset in object net_device. Check that vtypes has a concrete definition for it. WARNING:root:s_id has no offset in object super_block. Check that vtypes has a concrete definition for it. WARNING:root:sun_path has no offset in object sockaddr_un. Check that vtypes has a concrete definition for it. WARNING:root:x86_model_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it. WARNING:root:x86_vendor_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it. WARNING:root:name has no offset in object module. Check that vtypes has a concrete definition for it. Offset Name Pid Uid Out[4]: <volatility.plugins.linux.pslist.LinuxPsList at 0x2e50930> *Fedora 15 32bit (acquired with lime, raw format)* H:\Volatility\Scudette>h:\Python27\python.exe vol.py Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] Type "copyright", "credits" or "license" for more information. IPython 0.13 -- An enhanced Interactive Python. ? -> Introduction and overview of IPython's features. %quickref -> Quick reference. help -> Python's own help system. object? -> Details about 'object', use 'object??' for extra details. Welcome to the volatility interactive shell! To get help, type 'vhelp()' In [1]: session.filename = "N:\\Lime\\Fedora-15-32bit\\f32.raw" In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip" In [3]: session.profile = profiles.Linux32 In [4]: vol plugins.pslist ------> vol(plugins.pslist) ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute' ERROR:root:Failed running plugin pslist: kernel_address_space not specified. In [5]: session.kernel_address_space = "standard" In [6]: vol plugins.pslist ------> vol(plugins.pslist) Offset Name Pid Uid ERROR:root:Error: 'init_task' --------------------------------------------------------------------------- KeyError Traceback (most recent call last) <ipython-input-6-a5edbfb3c155> in <module>() ----> 1 vol(plugins.pslist) H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs) 217 result = plugin_cls(*args, **kwargs) 218 try: --> 219 result.render(ui_renderer) 220 except KeyboardInterrupt: 221 self.report_progress("Aborted!\r\n", force=True) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd) 49 "Offset", "Name", "Pid", "Uid")) 50 ---> 51 for task in self.pslist(): 52 outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format( 53 task.obj_offset, task.comm, str(task.pid), str(task.uid))) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self) 35 def pslist(self): 36 """A generator of task_struct objects for all running tasks.""" ---> 37 init_task_addr = self.profile.constants["init_task"] 38 39 init_task = self.profile.Object(theType="task_struct", KeyError: 'init_task' *Fedora 15 32bit (virtual box snapshot)* * * H:\Volatility\Scudette>h:\Python27\python.exe vol.py Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] Type "copyright", "credits" or "license" for more information. IPython 0.13 -- An enhanced Interactive Python. ? -> Introduction and overview of IPython's features. %quickref -> Quick reference. help -> Python's own help system. object? -> Details about 'object', use 'object??' for extra details. Welcome to the volatility interactive shell! To get help, type 'vhelp()' In [1]: session.filename = "V:\\VM\\Fedora Core 15 32-bit\\Snapshots\\2012-07-17T14-50-40-994836400Z.sav" In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip" In [3]: session.profile = profiles.Linux32 In [4]: vol plugins.pslist ------> vol(plugins.pslist) ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute' ERROR:root:Failed running plugin pslist: kernel_address_space not specified. In [5]: session.kernel_address_space = "vboxelf" In [6]: vol plugins.pslist ------> vol(plugins.pslist) Offset Name Pid Uid ERROR:root:Error: 'init_task' --------------------------------------------------------------------------- KeyError Traceback (most recent call last) <ipython-input-7-a5edbfb3c155> in <module>() ----> 1 vol(plugins.pslist) H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs) 217 result = plugin_cls(*args, **kwargs) 218 try: --> 219 result.render(ui_renderer) 220 except KeyboardInterrupt: 221 self.report_progress("Aborted!\r\n", force=True) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd) 49 "Offset", "Name", "Pid", "Uid")) 50 ---> 51 for task in self.pslist(): 52 outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format( 53 task.obj_offset, task.comm, str(task.pid), str(task.uid))) H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self) 35 def pslist(self): 36 """A generator of task_struct objects for all running tasks.""" ---> 37 init_task_addr = self.profile.constants["init_task"] 38 39 init_task = self.profile.Object(theType="task_struct", KeyError: 'init_task' *The analysis works with Windows XP SP3* H:\Volatility\Scudette>h:\Python27\python.exe vol.py Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] Type "copyright", "credits" or "license" for more information. IPython 0.13 -- An enhanced Interactive Python. ? -> Introduction and overview of IPython's features. %quickref -> Quick reference. help -> Python's own help system. object? -> Details about 'object', use 'object??' for extra details. Welcome to the volatility interactive shell! To get help, type 'vhelp()' In [1]: session.filename = "W:\XP SP3\XP SP3-Snapshot7.vmem" In [2]: session.profile = profiles.WinXPSP3x86 In [3]: vol plugins.pslist ------> vol(plugins.pslist) Offset (V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- -------------------- 0x867c49c8 System 4 0 54 216 ------ False - - 0x8656b020 smss.exe 556 4 3 17 ------ False 2008-11-19 19:30:19 - [...] Out[3]: <volatility.plugins.windows.taskmods.WinPsList at 0x21668f0> Thanks in advance for your help! Sebastien

12 years, 9 months

2
3
0 0

Volatility 2.1 RC1 is available

by Michael Hale Ligh

Hey everyone, The 2.1 RC1 downloads are now available [1]. Per the usual, there are zip and tar archives of the source code, a windows module installer, and a standalone windows executable (with python and all dependencies build-in). We ask that you test vigorously over the next 2 weeks, especially with any x64 images, and let us know via the issue tracker [2] if you run into any bugs. At the end of July, we'll announce the official release of 2.1. Also, a lot of the documentation [3] has been updated, including the FAQ, command reference, features by plugin matrix, and roadmap, so that may be a useful resource to you when using 2.1. Thank you very much! [1]. http://code.google.com/p/volatility/downloads/list [2]. http://code.google.com/p/volatility/issues/list [3]. http://code.google.com/p/volatility/w/list

12 years, 9 months

2
3
0 0

understanding impscan and Zeus 1.0

by Michael Felber

Hi folks, Testing impscan with zeus.vmem I have a little question about the capabilities of impscan: Malfind finds 2 regions with injected code as seen many times: C:\Micha\Forensics\Volatility-2.1a>python vol.py malfind -f D:\X-Ways-Images\zeus.vmem -p 1724 Volatile Systems Volatility Framework 2.1_rc1 Process: explorer.exe Pid: 1724 Address: 0x1600000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6 0x01600000 b8 35 00 00 00 e9 cd d7 30 7b b8 91 00 00 00 e9 .5......0{...... . Process: explorer.exe Pid: 1724 Address: 0x15d0000 Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE Flags: CommitCharge: 38, MemCommit: 1, PrivateMemory: 1, Protection: 6 0x015d0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. . Base 0x015d0000 is a "real" exe-module and impscan can detect the hooked calls very well: C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x015d0000 Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- 0x015d1000 0x77dea43c ADVAPI32.dll CryptGetHashParam 0x015d1004 0x77dd7535 ADVAPI32.dll RegCreateKeyExW 0x015d1008 0x77de8546 ADVAPI32.dll CryptReleaseContext 0x015d100c 0x77dd6fc8 ADVAPI32.dll RegQueryValueExW 0x015d1010 0x77dd778e ADVAPI32.dll InitializeSecurityDescriptor 0x015d1014 0x77df986b ADVAPI32.dll GetSidSubAuthorityCount 0x015d1018 0x77dd77b3 ADVAPI32.dll SetSecurityDescriptorDacl 0x015d101c 0x77df1285 ADVAPI32.dll SetNamedSecurityInfoW 0x015d1020 0x77dfcaf6 ADVAPI32.dll LookupPrivilegeValueW 0x015d1024 0x77dea2f9 ADVAPI32.dll CryptCreateHash 0x015d1028 0x77de2cde ADVAPI32.dll ConvertStringSecurityDescriptorToSecurityDescriptorW 0x015d102c 0x77dd6a78 ADVAPI32.dll RegOpenKeyExW . Base 0x01600000 contains jump instructions to other addresses: 0x1600000 b835000000 MOV EAX, 0x35 0x1600005 e9cdd7307b JMP 0x7c90d7d7 0x160000a b891000000 MOV EAX, 0x91 0x160000f e94fdf307b JMP 0x7c90df63 0x1600014 8bff MOV EDI, EDI 0x1600016 55 PUSH EBP 0x1600017 8bec MOV EBP, ESP 0x1600019 e9ef17c175 JMP 0x7721180d So it seems to be consistent that impscan is unable to find hooked calls there: C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x01600000 Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- Traceback (most recent call last): File "vol.py", line 185, in <module> main() File "vol.py", line 176, in main command.execute() File "C:\Micha\Forensics\Volatility-2.1a\volatility\commands.py", line 111, in execute func(outfd, data) File "C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py", line 358, in render_text for iat, call, mod, func in data: File "C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py", line 338, in calculate forward = True) File "C:\Micha\Forensics\Volatility-2.1a\volatility\plugins\malware\impscan.py", line 130, in _vicinity_scan start_addr = sortedlist[0] IndexError: list index out of range Or does the error message mean something other? Looked at the first jump target there is the "detoured" call as expected: C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7c90d7d7 Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- 0x7c97d280 0x7c832b5c kernel32.dll BaseQueryModuleData So impscan is not able to directly handle such trampoline calls, is it? Following the trace of the jump targets there are two imports of BaseQueryModuleData: C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7c90df63 Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- 0x7c97d280 0x7c832b5c kernel32.dll BaseQueryModuleData Also the next jump targets import the same api calls: C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x7721180d Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- 0x77261000 0x77dd761b ADVAPI32.dll RegOpenKeyExA 0x77261004 0x77dfd4c9 ADVAPI32.dll GetUserNameA 0x77261034 0x77dfc41b ADVAPI32.dll RegOpenKeyA . C:\Micha\Forensics\Volatility-2.1a>python vol.py impscan -f D:\X-Ways-Images\zeus.vmem -p 1724 --base 0x771c76bd Volatile Systems Volatility Framework 2.1_rc1 IAT Call Module Function ---------- ---------- -------------------- -------- 0x77261000 0x77dd761b ADVAPI32.dll RegOpenKeyExA 0x77261004 0x77dfd4c9 ADVAPI32.dll GetUserNameA 0x77261034 0x77dfc41b ADVAPI32.dll RegOpenKeyA . I have no clue why theses api-call are hooked twice. Does anybody have an idea? Regards Michael

12 years, 9 months

2
2
0 0

got a rootkit or what?

by phocean

Hi list, I believe that one of my lab VM is owned by a sophisticated rootkit. There are many signs of that: Rootkit in my lab? Rootkit in my lab? (part II) Live analysis was a dead end. Needless to say that common live analysis tools and AV found nothing. So I have been focussed for days on analyzing the RAM with Volatility. And I found absolutely nothing. I am just afraid that now it is beyond my skills at this moment. If some of you are curious, do not hesitate to have a look. Of course, I would love to learn more and get some tips and feedbacks. I can provide more volatility output if necessary, or even the dump. Thank you! --- phocean

12 years, 9 months

1
0
0 0

Windows Server 2008

by Mike Lambert

I know we can't work on Windows Server 2008 with Volatility at this time. What products are capable of examining Windows Server 2008? Thanks, Mike

12 years, 9 months

13
49
0 0

Impact on memory images when suspending a virtual machine

by Stefan Vömel

Hi everyone, in prior threads, Michael and Aaron pointed out changes in memory structures when suspending a virtual machine. I think this is an important observation and would therefore suggest moving the respective discussion to a separate thread. I have summarized the relevant passages below. ---- Michael H. Ligh (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-June/000441.…) > Also, if you're analyzing a memory dump by suspending the VM, that has > significant impact on the lifetime and availability of network > structures. When you suspend/pause a VMware guest, VMware tools runs a > bat script on the guest (I think its vm-suspend.bat) which forcefully > closes TCP/UDP and frees the IP. Jesse Bowling (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-July/000470.…) > This was a VMWare 4.1 virtual machine that was paused, and the vmss file > copied out. > Much later I head referenced that pausing the virtual machine actually > causes a lot of information to be removed from memory due to the way VMWare > prepares the OS to pause... :( (Can you or anyone speak to the truth-iness > of this?) AAron Walters (http://lists.volatilityfoundation.org/pipermail/vol-users/2012-July/000473.…) > This is definitely something to take in consideration with this particular > acquisition method. I think you are referring to a comment that MHL made > previously about vmware tools. A similar thing happens when people > attempt to use hibernation files. Intuitively, what does it mean to resume > a network connection that disappeared hours, if not days, earlier? In some > instances, it is possible to still extract associated artifacts from > unallocated regions, a technique most debuggers don't handle very well. ---- Last year, I wrote a survey article about memory acquisition and analysis techniques (http://www.sciencedirect.com/science/article/pii/S1742287611000508) and stated in a short section about virtual machines that, by suspending a system, a memory snapshot with a high level of atomicity and correctness could be produced. With respect to the issues raised by Michael, this statement is maybe a bit too optimistic now?! I have recently done a lot of research in the area of memory acquisition, specifically with regard to software-based utilities. We have tried to formalize criteria for sound memory imaging in a different paper (http://www.sciencedirect.com/science/article/pii/S1742287612000254) and I'm currently working on a platform that may help evaluating the correctness, impact, etc. of a utility more accurately. As the discussion about virtual machines roughly touches my research interests, I would like to know if there's any more information on this topic. Specifically: - Has anyone ever measured the impact on a memory image when suspending a system? - I have briefly looked at the vm-suspend-default.bat file which is located in the folder of the VMware tools. It just includes an "ipconfig /release" command, so it appears "only" network-related information would be affected. Is anyone aware of any other structures that would be changed/destroyed when going into suspensed mode? - Is the batch script (or similar operations) actually executed every time a machine is suspended? I have just run a quick google query on the file and only saw that its use was optional? I would very much appreciate if anyone had some more details on this or could share some references. Best regards, Stefan

12 years, 9 months

2
1
0 0

Stuxnet "Are you there?" mutant

by Mike Lambert

I want to check to see if my test computer is infected with Stuxnet. I have not finished the forensics on it and do not want to know any answers. I don't want to check the behaviorial data yet because that would give too much away. My hash and signature analysis says it is not infected. I don't want to waste time if it is not infected. I think the simplest way to determine if it is infected is to see if the "Are you there?" mutant is there. If you know the mutant, please let me know. There is a lot of analysis of it on the internet and I have kept away from it. No fun to get the answer from someone else. Thanks, Mike

12 years, 10 months

1
0
0 0

Option 2 for injected malware extraction

by Mike Lambert

I am looking at a sample of the Pilleuz worm that infects USB. I ran malfind and was not successful extracting a sample Is there another option for extracting injected code? Is there a way to dump threads? Thanks, Mike

12 years, 10 months

2
3
0 0

problems dumping a process

by Michael Felber

Hi all, still playing with fire (or a single "Flame" ;-)) I have tried to dump the possibly infected services.exe from a decompressed hiberil.sys but run into an error message: C:\Micha\Forensics\Volatility-2.1a>python vol.py pslist -f D:\X-Ways-Images\flame.mem | egrep -i "(PID|services)" Volatile Systems Volatility Framework 2.1_alpha Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit 0x84cae5a8 services.exe 912 868 37 966 0 0 2012-06-03 07:47:48 C:\Micha\Forensics\Volatility-2.1a>python vol.py procexedump -p 868 -f D:\X-Ways-Images\flame.mem -D C:\temp\VolDumpFlame Volatile Systems Volatility Framework 2.1_alpha ************************************************************************ Dumping winlogon.exe, pid: 868 output: executable.868.exe C:\Micha\Forensics\Volatility-2.1a>python vol.py procexedump -p 912 -f D:\X-Ways-Images\flame.mem -D C:\temp\VolDum pFlame Volatile Systems Volatility Framework 2.1_alpha ************************************************************************ Error: ImageBaseAddress not memory resident for process [912] C:\Micha\Forensics\Volatility-2.1a>python vol.py procexedump -o 0x84cae5a8 -f D:\X-Ways-Images\flame.mem -D C:\temp \VolDumpFlame Volatile Systems Volatility Framework 2.1_alpha ************************************************************************ Error: PEB not memory resident for process [-] Why the PEB header seems to be paged out? Isn't it a strange behavior for such an important process like services.exe? There is really no header: C:\Micha\Forensics\Volatility-2.1a>python vol.py volshell -f D:\X-Ways-Images\flame.mem Volatile Systems Volatility Framework 2.1_alpha Current context: process System, pid=4, ppid=0 DTB=0x39000 Welcome to volshell! Current memory image is: file:///D:/X-Ways-Images/flame.mem >>> cc (offset=0x84cae5a8) Current context: process services.exe, pid=912, ppid=868 DTB=0x13edc000 >>> db(0x84cae5a8) 0x84cae5a8 03 00 1b 00 00 00 00 00 b0 7c b6 84 b0 7c b6 84 .........|...|.. 0x84cae5b8 b8 e5 ca 84 b8 e5 ca 84 00 c0 ed 13 00 50 ee 13 .............P.. 0x84cae5c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x84cae5d8 ac 20 00 00 00 00 00 00 39 0a 00 00 4f 0c 00 00 ........9...O... 0x84cae5e8 e8 e5 ca 84 e8 e5 ca 84 00 00 00 00 00 00 00 00 ................ 0x84cae5f8 58 9f b8 84 d0 51 60 84 00 00 00 00 01 00 00 00 X....Q`......... 0x84cae608 14 00 09 06 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x84cae618 00 f3 e8 2b 5d 41 cd 01 00 00 00 00 00 00 00 00 ...+]A.......... >>> dis(0x84cae5a8) 0x84cae5a8 0300 ADD EAX, [EAX] 0x84cae5aa 1b00 SBB EAX, [EAX] 0x84cae5ac 0000 ADD [EAX], AL 0x84cae5ae 0000 ADD [EAX], AL 0x84cae5b0 b07c MOV AL, 0x7c 0x84cae5b2 b684 MOV DH, 0x84 0x84cae5b4 b07c MOV AL, 0x7c 0x84cae5b6 b684 MOV DH, 0x84 0x84cae5b8 b8e5ca84b8 MOV EAX, 0xb884cae5 0x84cae5bd e5ca IN EAX, 0xca 0x84cae5bf 8400 TEST [EAX], AL 0x84cae5c1 c0ed13 SHR CH, 0x13 . The goal was to find hooks within the code but it seems to be a challenge to find the complete process itself.. What could I do? Regards Mic

12 years, 10 months

2
1
0 0

format of UDP record in memory

by Mike Lambert

I've used 1.3 and 2.0 but neither gives me any "old" UDP artifacts. I know they are there because I have the pcap, so I am looking for them in memory. Can someone tell me the format of a UDP artifact in memory please? For example I'm looking for from a connection UDP 192.168.136.129:1044 to 204.13.161.100:6600 I'm looking at 11 83 89 CO A8 88 81 CC 0D A1 64 04 14 19 C8 that looks like UDP Unk Unk 192.168.136.129 204.13.161.100 1044 6600 The "Unk" means I don't know what they are (the 83 (seems to be constant) and 89 (changes slightly)). I've found this in the kernel 01fb5017 [kernel:2180730903] UDP to 204.13.161.100 This may just be a parameter block that is passed to the OS, but it does show that there was such a packet sent. Tell me what I need to be looking for if I am in the wrong place. Thanks, Mike

12 years, 10 months

4
7
0 0

malware memory forensics using volatility

by malware monna

Hi All, I presented a topic on "malware memory forensics" using Volatility.....the ppt and video can be found in the below link....i hope you will like it :-) http://goo.gl/7bRFK Thanks, Monnappa

12 years, 10 months

3
2
0 0

Volatility branches?

by Roman Daszczyszak

Just curious whether the Volatility 2.0.1 branch is a bugfix for the stable 2.0 branch, or is it something else entirely? -Roman Please cc: this address in addition to the mailing list, as I'm not normally a subscriber.

12 years, 10 months

2
1
0 0

missing apihooks

by Michael Felber

Hi all, I did not use apihooks for a while. Now I am playing around with that flame sample from Mike Lambert (THX a lot!!) and miss that plugin. It may have gone with the integration of the malware plugin directly to the Volatility core. Is it still available somewhere for 2.1a or do I have to reuse an older version? Regards Michael

12 years, 10 months

2
3
0 0

Flame

by Mike Lambert

Is anyone working on Flame? I am too, email me if interested. dragonforen(a)hotmail.com Thanks, Mike

12 years, 10 months

1
0
0 0

Determining the image path of a process

by Michael Felber

Hallo all, According to a hint from Andreas Schuster (THX!!) I have tried to access the _SE_AUDIT_PROCESS_CREATION_INFO-structure which is referenced in _EPROCESS. SeAuditProcessCreationInfo: >>> for proc in win32.tasks.pslist(self.addrspace): ... if proc.UniqueProcessId in (172, 528, 1560): ... print "SeAuditProcessCreationInfo: {0:#x}".format(proc.SeAuditProcessCreationInfo) ... SeAuditProcessCreationInfo: 0x82014964 SeAuditProcessCreationInfo: 0x81c8e6ac SeAuditProcessCreationInfo: 0x81cc1214 So I have displayed the pointers to the _SE_AUDIT_PROCESS_CREATION_INFO-structure. I hoped to find a Unicode-string somewhere containing the path to the imagefile. Sadly a hexdump seems to be useless:: >>> db(0x82014964, length=256) 0x82014964 d0 b8 fe 81 40 b3 27 ff e7 d2 c9 01 00 00 01 00 ....@.'......... 0x82014974 5e 03 00 00 00 03 00 00 00 03 00 00 32 00 00 00 ^...........2... 0x82014984 59 01 00 00 00 30 88 c0 64 3c 22 82 c4 95 ff 81 Y....0..d<"..... 0x82014994 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ... But that's OK, because there should be a only another pointer again: >>> dt("_SE_AUDIT_PROCESS_CREATION_INFO") '_SE_AUDIT_PROCESS_CREATION_INFO' (4 bytes) 0x0 : ImageFileName ['pointer', ['_OBJECT_NAME_INFORMATION']] How can I access this structure via object.method? CU Mic

12 years, 10 months

3
3
0 0

Netscan and Win 7 64-bit memory?

by Tom Yarrish

Hey all, Does the netscan plugin work against Windows 7 64-bit memory samples? When I'm running it with the latest build (1574), I get the following: Computer:volatility-read-only $ python vol.py -f ../Documents/Cases/Testing/memory.raw --profile=Win7SP1x64 netscan Volatile Systems Volatility Framework 2.1_alpha *** Failed to import volatility.plugins.evtlogs (AttributeError: 'module' object has no attribute 'LdrModules') *** Failed to import volatility.plugins.timeliner (AttributeError: 'module' object has no attribute 'LdrModules') Offset(P) Proto Local Address Foreign Address State Pid Owner Created 0x11747cef0 TCPv4 0.0.0.0:62887 0.0.0.0:0 LISTENING 3212 svchost.exe 0x11785da10 TCPv4 0.0.0.0:3389 0.0.0.0:0 LISTENING 1260 svchost.exe 0x117894ef0 TCPv4 0.0.0.0:3389 0.0.0.0:0 LISTENING 1260 svchost.exe 0x117894ef0 TCPv6 :::3389 :::0 LISTENING 1260 svchost.exe 0x117a00670 TCPv4 0.0.0.0:49601 0.0.0.0:0 LISTENING 2412 vmware-convert 0x117a1ee00 TCPv4 0.0.0.0:62870 0.0.0.0:0 LISTENING 568 services.exe 0x117a1ee00 TCPv6 :::62870 :::0 LISTENING 568 services.exe WARNING : volatility.obj : Cant find object _IN_ADDR in profile <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x10b5be390>? Traceback (most recent call last): File "vol.py", line 173, in <module> main() File "vol.py", line 164, in main command.execute() File "/Users/e18529/volatility-read-only/volatility/commands.py", line 101, in execute func(outfd, data) File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py", line 266, in render_text for offset, proto, laddr, lport, raddr, rport, state, p, ctime in data: File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py", line 212, in calculate for ver, laddr, raddr, owner in self.enumerate_listeners(tcpentry): File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py", line 183, in enumerate_listeners inaddr = LocalAddr.pData.dereference().dereference().v() AttributeError: 'NoneType' object has no attribute 'v' All the other plugins are working, this is the only one I'm having issues with....I know about the first two "Failed to import" lines... And I did remember to do a "make clean" after updating this time.... :) Thanks, Tom

12 years, 11 months

2
2
0 0

searching registries

by Mike Lambert

One thing we need to do is search the registries for the keys that autorun malware. Does anyone know of a free tool that will do that? I'm currently using Encase to do that but it is and expensive solution. Harlan's RegRipper will dump some registry entries and sometimes it works, but it does not search. Mike

12 years, 11 months

4
5
0 0

searching registries

by Mark Kealiher

Mike, Have you tried any of the following?: YARU (Yet Another Registry Utility) - http://www.tzworks.net/prototype_page.php?proto_id=3 Regdecoder - http://code.google.com/p/registrydecoder/ Autoruns - http://computer-forensics.sans.org/blog/2010/06/28/autoruns-dead-forensics/ Today's Topics: > > 1. searching registries (Mike Lambert) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 15 May 2012 17:38:58 -0500 > From: Mike Lambert <dragonforen(a)hotmail.com> > Subject: [Vol-users] searching registries > To: Volatility List <vol-users(a)volatilityfoundation.org> > Message-ID: <SNT118-W5182DD5900ED6A56B23C3FAE1B0(a)phx.gbl> > Content-Type: text/plain; charset="iso-8859-1" > > > One thing we need to do is search the registries for the keys that autorun > malware. > > Does anyone know of a free tool that will do that? I'm currently using > Encase to do that but it is and expensive solution. > > Harlan's RegRipper will dump some registry entries and sometimes it works, > but it does not search. > > Mike > >

12 years, 11 months

1
0
0 0

SpyEye example illustrating The Mis-leading 'Active' in PsActiveProcessHead

by Mike Lambert

I created a SpyEye VM infection for a presentation. (usexxxxxxxx.exe) I lucked out and found that it is an example of "The Mis-leading 'Active' in PsActiveProcessHead and ActiveProcessLinks" (thank you MHL) http://mnin.blogspot.com/2011/03/mis-leading-active-in.html This makes it a great example to use in my presentation!! I've attached imageinfo, pslist, psscan, and psxview for anyone interested in seeing it. (BTW, if you are going to the presentation, don't give it away until I give you a chance near the end. I'll let you explain it. (let someone else notice the 'wierd' stuff and wonder why) I will make a package of this available if someone wants a copy. I can put it on my web site for download. The package would consist of: 1. the incident response batch file output with win32dd imaging (I like win32dd, great for times, info and MD5) 2. 512MB memory image 3. E01 disk image of the 10GB disk MHL, in this case is this a bug in SpyEye? OR does it have anything to do with injecting into your parent? <g> Have a good day all! Mike PS. Thanks Jamie for linking to MHL's explanation in the Command Reference

12 years, 11 months

1
0
0 0

Need to pick a malware for a demo

by Mike Lambert

I've got a memory forensics presentation coming up next week and I'd like to use a sample that will illustrate a crossview example. Specifically, I'd like to use an example that hides from pslist on the running system (don't want a DKOM example) but we can find it using Volatility. I'd like it to be something running and not a process injection sample. Does someone have a suggestion which one may provide a good illustration? Thanks, Mike

12 years, 11 months

3
8
0 0

One-byte Modification for Breaking Memory Forensic Analysis.

by George M. Garner J.r (online)

In case you missed it, this is an interesting paper how how to frustrate a few free memory forensic tools using one-byte modifications to main computer memory: https://media.blackhat.com/bh-eu-12/Haruyama/bh-eu-12-Haruyama-Memory_Foren…. The paper examines potential single points of failure in 3 free memory forensic tools: 1. Volatility 2. Memoryze 3. Responder Community Edition The reliability of memory forensic tools (both acquisition and analysis) is a topic which to date has received very little attention (except on the part of the "bad guys"). Hence, this paper provides some welcome relief. The paper is marred however by its focus exclusively on free tools. The commercial tools which cost $10K or $100K also may have defects and it would be interesting to know how they compare to the free tools. As I remember it, at least one of the commercial tools has a license provision which prevents you from telling anyone if you find a defect. So perhaps the author limited his focus due to legal constraints.

12 years, 11 months

3
3
0 0

Plugin errors in scudette-branch

by Stefan Steizer

Hi everybody, i have tried the scudette branch r1628 for linux memory analysis and received some Errors. My test-systems were Ubuntu 11.10 (Kernel 3.0.0-17-generic, 64 Bit) and Debian 6.0.2.1 (Kernel 2.6.32-5-686, 32 Bit). The plugins i have tested were pslist, cpuinfo, dmesg, ifconfig and netstat. As i followed the instructions at the Wiki-Page the first thing i have noticed was an NameError after the *vol pslist* command: $ python vol.py Welcome to volshell! To get help, type 'help()' In [1]: session.filename = "memory.dd" In [2]: session.profile_file = "myprofile.zip" In [3]: session.profile = "Linux32" In [4]: vol pslist ------> vol(pslist) --------------------------------------------------------------------------- NameError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 NameError: name 'pslist' is not defined After i changed the *In [4]: vol pslist* command into *In [4]: vol "pslist"*the NameError disappeared and the pslist plugin worked well on both systems. The next plugin was cpuinfo. On both system i've got the right processor output, but on Ubuntu i additionally received a warning/error: In [5]: vol "cpuinfo" ------> vol("cpuinfo") Processor Vendor Model *ERROR:root:Constant per_cpu__cpu_info does not exist in profile.* 0 GenuineIntel Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz Out[5]: <volatility.plugins.linux.cpuinfo.CpuInfo object at 0x2fc5190> The ifconfig plugin returned on both systems a ValueError. *On Ubuntu:* In [6]: vol "ifconfig" ------> vol("ifconfig") lo 127.0.0.1 00:00:00:00:00:00 ERROR:root:Error: Unknown format code 's' for object of type 'int' --------------------------------------------------------------------------- ValueError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 /home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls, fd, debug, output, **kwargs) 194 kwargs['session'] = self 195 result = plugin_cls(**kwargs) --> 196 result.render(fd) 197 198 return result /home/vitax/lin64-support/volatility/plugins/linux/ifconfig.py in render(self, outfd) 97 98 outfd.write("{0:8s} {1:16s} {2:32s}\n".format( ---> 99 net_dev.name, ip, mac_addr)) 100 101 ValueError: Unknown format code 's' for object of type 'int' *On Debian:* In [6]: vol "ifconfig" ------> vol("ifconfig") lo 127.0.0.1 00:00:00:00:00:00 eth0 10.0.2.15 08:00:27:f6:0e:dd ERROR:root:Error: Unknown format code 's' for object of type 'int' --------------------------------------------------------------------------- ValueError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 /home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls, fd, debug, output, **kwargs) 194 kwargs['session'] = self 195 result = plugin_cls(**kwargs) --> 196 result.render(fd) 197 198 return result /home/vitax/lin64-support/volatility/plugins/linux/ifconfig.pyc in render(self, outfd) 97 98 outfd.write("{0:8s} {1:16s} {2:32s}\n".format( ---> 99 net_dev.name, ip, mac_addr)) 100 101 ValueError: Unknown format code 's' for object of type 'int' After that i tried the netstat plugin. I received on both systems an AttributeError: *On Ubuntu:* * * In [7]: vol "netstat" ------> vol("netstat") --------------------------------------------------------------------------- AttributeError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 /home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls, fd, debug, output, **kwargs) 178 """ 179 if isinstance(plugin_cls, basestring): --> 180 plugin_cls = getattr(self.plugins, plugin_cls) 181 182 if output is not None: /home/vitax/lin64-support/volatility/session.py in __getattr__(self, attr) 79 return self.plugins[attr] 80 except KeyError: ---> 81 raise AttributeError(attr) 82 83 AttributeError: netstat *On Debian:* * * In [7]: vol "netstat" ------> vol("netstat") ERROR: An unexpected error occurred while tokenizing input The following traceback may be corrupted or invalid The error message is: ('EOF in multi-line statement', (40, 0)) --------------------------------------------------------------------------- AttributeError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 /home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls, fd, debug, output, **kwargs) 178 """ 179 if isinstance(plugin_cls, basestring): --> 180 plugin_cls = getattr(self.plugins, plugin_cls) 181 182 if output is not None: /home/vitax/lin64-support/volatility/session.pyc in __getattr__(self, attr) 79 return self.plugins[attr] 80 except KeyError: ---> 81 raise AttributeError(attr) 82 83 AttributeError: netstat In the end i tried the dmesg plugin. On Debian it worked well, but on Ubuntu i got this error: In [8]: vol "dmesg" ------> vol("dmesg") ERROR:root:Error: 'ascii' codec can't decode byte 0xc2 in position 74140: ordinal not in range(128) --------------------------------------------------------------------------- UnicodeDecodeError Traceback (most recent call last) /home/vitax/lin64-support/vol.py in <module>() ----> 1 2 3 4 5 /home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls, fd, debug, output, **kwargs) 194 kwargs['session'] = self 195 result = plugin_cls(**kwargs) --> 196 result.render(fd) 197 198 return result /home/vitax/lin64-support/volatility/plugins/linux/dmesg.py in render(self, outfd) 44 45 def render(self, outfd): ---> 46 outfd.write(self.get_dmesg()) 47 48 /home/vitax/lin64-support/volatility/session.py in write(self, data) 111 def write(self, data): 112 # Encode the data according to the output encoding. --> 113 data = data.encode(self.encoding) 114 try: 115 self.pager.write(data) UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 74140: ordinal not in range(128)

12 years, 12 months

2
1
0 0

using hex values with strings command

by Mike Lambert

I have read the command reference for the strings plugin and do not see an option to specify the string to look for in anything other than ascii. Could strings be expanded to include hex values, perhaps in the form of \x55\x5e\xe2\xfd\x83\xc4 or something like that? Thanks, Mike Lambert

13 years

5
8
0 1

FW: [Vol-users] Using Windows XP VMs for testing and windows activation

by Mike Lambert

Thanks Howard, it works like a champ! Mike From: Howard.Patterson(a)tn.gov To: dragonforen(a)hotmail.com Subject: RE: [Vol-users] Using Windows XP VMs for testing and windows activation Date: Thu, 12 Apr 2012 23:27:12 +0000 The easiest way I've found, and one I think will work in your situation, is to boot into Safe Mode with the XP system. Then choose "Start, Run" and enter the following: rundll32.exe syssetup,SetupOobeBnk Those are both the letter "Ohs" in there and it is case sensitive. If it works you won't see any sign of it until you reboot. If you type it incorrectly an error message will come back. This basically resets how long you have to activate (I believe 30 days). -Howard From: vol-users-bounces(a)volatilityfoundation.org [mailto:vol-users-bounces@volatilesystems.com] On Behalf Of Mike Lambert Sent: Thursday, April 12, 2012 6:06 PM To: Volatility List Subject: [Vol-users] Using Windows XP VMs for testing and windows activation I have not used VMs in the past to do malware testing because of the windows activation problems I run into. Clone, you have to activate; copy, you have to activate; move, you have to activate. I'm surprised that it still activates! I would like to talk to someone who knows the best way to deal with this. (or not) I'd like to have a clone that is infected that I can go back to later. (I do that now with hard disk images - I can put back a disk image to disk and plug it into the computer and bring it right back up.) I can continue to use my test system, which I do not have any problem with. I blow a copy of a clean system to disk and then go on testing without any activation problems. Let me know if you have a solution. Thanks, Mike

13 years

1
0
0 0

Using Windows XP VMs for testing and windows activation

by Mike Lambert

I have not used VMs in the past to do malware testing because of the windows activation problems I run into. Clone, you have to activate; copy, you have to activate; move, you have to activate. I'm surprised that it still activates! I would like to talk to someone who knows the best way to deal with this. (or not) I'd like to have a clone that is infected that I can go back to later. (I do that now with hard disk images - I can put back a disk image to disk and plug it into the computer and bring it right back up.) I can continue to use my test system, which I do not have any problem with. I blow a copy of a clean system to disk and then go on testing without any activation problems. Let me know if you have a solution. Thanks, Mike

13 years

2
2
0 0

Server 2008

by Dustin Mooney

All, Has anyone successfully analyzed memory from a windows 2008 server memory dump? This is my third time attempting to do so, and have yet to have any success with volatility. I took the memory dump so I know the profile, however, volatility reports it as a Windows 7 machine. Any advice on how to approach this persistent problem?

13 years

3
3
0 0

Analyzing diasassembly with little information

by fd ksdf

Hello! malfind found some suspicious regions and printed the disassembly so I went into volshell to get more information, but what exactly can someone do with this disassembly? As far as I know, there are no symbols, no way to view what is in the registers or these memory addresses, and when I try to disassemble the few CALLs I can, I get a "Memory unreadable" error. >>> dis(0x08070000,512) 0x8070000 55 PUSH EBP 0x8070001 8bec MOV EBP, ESP 0x8070003 83c4ec ADD ESP, -0x14 0x8070006 56 PUSH ESI 0x8070007 57 PUSH EDI 0x8070008 8b4508 MOV EAX, [EBP+0x8] 0x807000b 8bf0 MOV ESI, EAX 0x807000d 8d7dec LEA EDI, [EBP-0x14] 0x8070010 a5 MOVSD 0x8070011 a5 MOVSD 0x8070012 a5 MOVSD 0x8070013 a5 MOVSD 0x8070014 a5 MOVSD 0x8070015 ff75f8 PUSH DWORD [EBP-0x8] 0x8070018 ff55f4 CALL DWORD [EBP-0xc] 0x807001b ff75fc PUSH DWORD [EBP-0x4] 0x807001e 50 PUSH EAX 0x807001f ff55f0 CALL DWORD [EBP-0x10] 0x8070022 50 PUSH EAX 0x8070023 ff55ec CALL DWORD [EBP-0x14] 0x8070026 5f POP EDI 0x8070027 5e POP ESI 0x8070028 8be5 MOV ESP, EBP 0x807002a 5d POP EBP 0x807002b c20400 RET 0x4 0x807002e 8bc0 MOV EAX, EAX 0x8070030 53 PUSH EBX 0x8070031 56 PUSH ESI 0x8070032 57 PUSH EDI 0x8070033 55 PUSH EBP 0x8070034 83c4e8 ADD ESP, -0x18 0x8070037 8be9 MOV EBP, ECX 0x8070039 8bfa MOV EDI, EDX 0x807003b 8bd8 MOV EBX, EAX 0x807003d 33f6 XOR ESI, ESI 0x807003f 6800334000 PUSH DWORD 0x403300 0x8070044 6814334000 PUSH DWORD 0x403314 0x8070049 e85efaffff CALL 0x806faac 0x807004e 50 PUSH EAX 0x807004f e860faffff CALL 0x806fab4 0x8070054 8944240c MOV [ESP+0xc], EAX 0x8070058 6820334000 PUSH DWORD 0x403320 0x807005d 6814334000 PUSH DWORD 0x403314 0x8070062 e845faffff CALL 0x806faac 0x8070067 50 PUSH EAX 0x8070068 e847faffff CALL 0x806fab4 0x807006d 89442408 MOV [ESP+0x8], EAX 0x8070071 6830334000 PUSH DWORD 0x403330 0x8070076 6814334000 PUSH DWORD 0x403314 0x807007b e82cfaffff CALL 0x806faac 0x8070080 50 PUSH EAX 0x8070081 e82efaffff CALL 0x806fab4 0x8070086 89442404 MOV [ESP+0x4], EAX 0x807008a 8bd5 MOV EDX, EBP 0x807008c 8bc3 MOV EAX, EBX 0x807008e 0000 ADD [EAX], AL 0x8070090 0000 ADD [EAX], AL 0x8070092 0000 ADD [EAX], AL 0x8070094 0000 ADD [EAX], AL 0x8070096 0000 ADD [EAX], AL 0x8070098 0000 ADD [EAX], AL 0x807009a 0000 ADD [EAX], AL 0x807009c 0000 ADD [EAX], AL 0x807009e 0000 ADD [EAX], AL [snip] >>> dis(0x806faac) >>> db(0x806faac) Memory unreadable at 0806faac >>>

13 years

3
3
0 0

Volatility 1.3 cryptoscan plugin output

by Mike Lambert

Could someone send me a sample of what the output for the cryptoscan plugin output should be? Thanks, Mike

13 years

1
0
0 0

"RAM is Key, Extracting Disk Encryption Keys From Volatile Memory" paper

by Mike Lambert

Does anyone have a copy of Brian Kaplan's paper, "RAM is Key, Extracting Disk Encryption Keys From Volatile Memory" that they could email me at dragonforen(a)hotmail.com If so, thank you! Mike

13 years

2
1
0 0

decrypting the zeus config file

by malware monna

Hi, I'm using zeusscan2 module against a zeus infected memory dump, i'm able to get the rc4 keys and xor keys as mentioned in this link " http://mnin.blogspot.in/2011/09/abstract-memory-analysis-zeus.html".......i have also downloaded the zeus config file, that this sample tried to download, knowing this information, is it possible to decrypt the config file, if yes, how can i decrypt the config file or what are the steps to decrypt the config file?....and i think the zeuscan plugin is really awesome (Thanks Michael for writing such a great plugin, its really useful?).. Thanks,

13 years

1
0
0 0

Hiberfil information

by Dewhirst, Rob

Does this mean volatility can't identify the hiberfil? $ python ~/Volatility/vol.py hibinfo -f hiberfile.sys Volatile Systems Volatility Framework 2.1_alpha No suitable address space mapping found Tried to open image as: WindowsHiberFileSpace32: No base Address Space EWFAddressSpace: No base address space provided WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space JKIA32PagedMemory: No base Address Space JKIA32PagedMemoryPae: No base Address Space IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled WindowsHiberFileSpace32: No xpress signature found EWFAddressSpace: EWF signature not present WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected JKIA32PagedMemory: No valid DTB found JKIA32PagedMemoryPae: No valid DTB found IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled FileAddressSpace: Must be first Address Space

13 years, 1 month

3
8
0 0

Failed to import errors on last few revisions

by Tom Yarrish

Hello, Over the last week or so, when I've done an svn update on the 2.1_alpha code, I've been receiving the following errors: Volatile Systems Volatility Framework 2.1_alpha *** Failed to import volatility.plugins.overlays.windows.win2k3_sp2_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win7_sp0_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.zeusscan1 (AttributeError: 'module' object has no attribute 'ImpScan') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp1_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.zeusscan2 (AttributeError: 'module' object has no attribute 'ApiHooks') *** Failed to import volatility.plugins.overlays.windows.vista_sp1_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win7_sp1_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.vista_sp2_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp1_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.xp_sp3_x86 (AttributeError: 'module' object has no attribute 'nt_types') *** Failed to import volatility.plugins.evtlogs (AttributeError: 'module' object has no attribute 'LdrModules') *** Failed to import volatility.plugins.overlays.windows.vista_sp1_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp0_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win7_sp1_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp2_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.vista_sp0_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.vista_sp2_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.xp_sp2_x86 (AttributeError: 'module' object has no attribute 'nt_types') *** Failed to import volatility.plugins.timeliner (AttributeError: 'module' object has no attribute 'LdrModules') *** Failed to import volatility.plugins.overlays.windows.vista_sp0_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win7_sp0_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') (This is with revision 1558) This is just from doing an imageinfo. I was thinking since it includes plugins that some plugins need to be updated for 2.1, but I didn't want to make the assumption. It does finish the KDBG search and give me the correct profile, so it's parsing the dump. Just wasn't sure about the errors. Thanks, Tom

13 years, 1 month

3
4
0 0

V2.0 connscan

by Mike Lambert

I have found an interesting result and have a fair amount of data to share. Bottom line is that connscan may have missed (and miss reported) some connections (see memory image). 2 IPs are missing and note the ports recorded by cports and those reported by V2.0 connscan. Check the attached xls search hits, where did port 1088 and 1064 come from? I can provide a copy of the memory image! Imager is win32dd.exe. Here is the IP connection record I have from cports: Date Time Log action PID Program Name Proto Source IP Destination IP 3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1063 212.117.175.34:80 3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1065 98.142.243.60:80 3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1066 98.142.243.60:80 3/12/2012 3:53:11 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1065 98.142.243.60:80 3/12/2012 3:53:11 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1066 98.142.243.60:80 3/12/2012 3:53:45 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1078 92.123.68.97:80 3/12/2012 3:54:06 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1080 98.142.243.60:80 3/12/2012 3:54:06 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1078 92.123.68.97:80 3/12/2012 3:54:27 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1080 98.142.243.60:80 3/12/2012 3:54:30 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1087 98.142.243.60:80 3/12/2012 3:54:31 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1063 212.117.175.34:80 3/12/2012 3:54:31 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1087 98.142.243.60:80 Here is the result of V2.0 connscan: Scan for connection objects (connscan): Offset Local Address Remote Address Pid ---------- ------------------------- ------------------------- ------ 0x041484c0 192.168.1.44:1088 98.142.243.60:80 1344 0x04193278 192.168.1.44:1093 65.54.51.29:443 3756 0x041cdc40 192.168.1.44:1064 98.142.243.60:80 1344 Attached is search results of the memory image, with memory offsets. (A few are dups and that may be the Win32dd imager) Where did ports 1088 and 1064 come from? If anyone wants a copy of the memory image, it is 115 MB Mike

13 years, 1 month

2
1
0 0

: v1.3 plugin installation

by Mike Lambert

When clicking on the list of Volatility plugins, I go to http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins >From the web page "Here is a list of the published plugins for the Volatility 1.3 framework" I do not see any "installation instructions" Do these plugins just get copied to C:\Python27\Volatility-1.3_Beta\memory_plugins ? Also, is there a like page for v2.0 ? >From http://code.google.com/p/volatility/wiki/FAQ#Where_do_I_find_the_"malware"_plugins there is a link to http://malwarecookbook.googlecode.com/svn/trunk/malware.py what Volatility version is the plugin for? I do not see Volatility version number in .py files so I get a little confused which is for which. Will plugins have "for Volaitility vX" in the future? Maybe I'm just not getting it. Sorry, Mike

13 years, 1 month

1
1
0 0

Fwd: Re: [Vol-users] BSOD while collecting a memory image

by George M. Garner J.r (online)

Meant to send this to the list not just the OP. -------- Original Message -------- Subject: Re: [Vol-users] BSOD while collecting a memory image Date: Sun, 11 Mar 2012 11:07:54 -0400 From: George M. Garner Jr. <ggarner_online(a)gmgsystemsinc.com> To: Mike Lambert <dragonforen(a)hotmail.com> Mike, > Is there malware that stops all imaging programs.. < Don't know about ALL imaging programs. There is anecdotal evidence of malware that stops some imaging programs and then allows others to run. Smart malware doesn't stop anything from running. Everything appears to be normal. Welcome to the matrix. Malware has for a long time sought to identify "white hat" software. Until recently this has been almost exclusively based on the file names of common anti-rootkit and IR packages. You could effectively defeat the anti-forensic techniques simply by renaming your tools. More recently, however, rootkits have begun to use other information to identify IR tools, in particular, the certificate info for signed PE executables. This is much more problematic. Particularly with the widespread adoption of 64-bit Windows, all device drivers must be signed and the signature can be used to identify your tools in an unambiguous way. There is a paper that will be published in the near future on developing a blackhat scanner. If you investigate sophisticated malware you should be thinking about getting your own code signing certificate(s). I believe that Sinowal was/is a "public" rootkit that attempts to remove itself from memory during hibernation. Whether a rootkit successfully removes all traces of itself from a hibernation file is another matter. Regards, g.

13 years, 1 month

1
0
0 0

BSOD while collecting a memory image

by Mike Lambert

I was testing different memory imaging programs on a 64 bit Windows 7 with 8 GB of memory and found that I could (not on purpose) BSOD the system. That put a dent in determining which memory imaging products are compatible with Volatility. Then I wondered if the "full memory dump on blue screen would be compatible". I'm looking into that now. A couple of problems are 1. "Full memory" dump is not available on the machines I'm working on so I don't know if I can just set it and go, or, does the system have to be booted with that option set. 2. Is the "full memory dump" comaptible with Volatility? 3. Keyboard generated crash dump is an option that has to be set and the system rebooted so that wouldn't work as a backup plan. My ultimate backup plan is to hibernate and convert the hiberfil.sys. That works so I'm not stuck with nothing. Question: Has someone gotten a full memory dump on BSOD and successfully processed it with Volatility? Question: Has anyone else thought about how to deal with BSOD and analysis? If it is not something that the list is interested in, we could take this offline. Have a good day everyone! Mike Lambert

13 years, 1 month

3
4
0 0

Volatility and Windows 7 images

by Tom Yarrish

Hey all, So we're moving to Windows 7 (64-bit) in our environment, and our current method of getting memory images off of machines has changed. So we're using EnCase Enterprise to grab memory dumps. Then what I've been doing is using FTK Imager to convert that to a DD image, and we run it through our regular tool. I run the same DD image through Volatility. I'm running Volatility on OS X Lion. Recently, I've noticed when I'm just doing an imageinfo with Volatility (both 2.0 and 2.1_alpha), I'm getting the following: Volatile Systems Volatility Framework 2.0 Determining profile based on KDBG search... Suggested Profile(s) : No suggestion (Instantiated with no profile) AS Layer1 : FileAddressSpace (memory.bin) PAE type : No PAE So my first thought was is was an issue with converting an E01 to a DD image. So I ran a test on a standard Windows 7 build in our organization. 1) Do a memory collection with EnCase, convert to DD with FTK Imager 2) Do a memory collection with FDPro 3) Do a memory collection with DumpIt Run the imageinfo command in both Volatility 2.0 and the 2.1_alpha code, and the results were the same with one exception. With the 2.0 code, and the DumpIt memory dump, I got the following: Volatile Systems Volatility Framework 2.0 Determining profile based on KDBG search... Suggested Profile(s) : Win7SP0x64 (Instantiated with no profile) AS Layer1 : FileAddressSpace (memory.raw) PAE type : No PAE But if I try to run another command with --profile=Win7SP0x64 I get: Volatile Systems Volatility Framework 2.0 ERROR : volatility.addrspace: Invalid profile Win7SP0x64 selected I'm just wondering if there's something funky with my Volatility installation, or if there could be something I need to check in our 7 build that could be causing this. Thanks ahead of time, Tom

13 years, 1 month

6
12
0 0

Re: [Vol-users] Volatility and Windows 7 images

by George M. Garner J.r (online)

Tom, > If you have anything I'd love to see it. Unfortunately nothing for public distribution. We provide our customers with a test framework which is intended to help validate our tools for the production of evidence suitable for admission in a court of law. A lot of work remains to be done. As you know volatile evidence collection tools cannot be validated in the same manner as traditional computer forensic tools which are designed for the acquisition of non-volatile storage media. There is no "image" that you can acquire and then reproduce. Running computer systems are often modeled as a continuous time stochastic process. By its nature a continuous time stochastic process cannot be measured in its entirety. It can only be sampled. Nevertheless, while they cannot be measured in their entirety, running computer systems do possess two attributes which may make it possible to validate, or rather invalidate, memory acquisition tools. The first attribute is that a running computer system is a STRUCTURED stochastic process. It is not entirely random and could not run if it were. The operating system, processor and other hardware define certain structural elements the presence of which may be inferred merely by the fact that the system is running. These structural elements CAN be measured and if they are not found in precisely the right location then your memory "dump" is crap. The second attribute derives from the fact that Microsoft Windows (and probably most other general purpose operating systems) provide an API which permits the programmer/user to define a discrete time stochastic process within the context of the larger continuous time stochastic process. By this I mean that you can load and lock a block of data with a known hash value into memory at a fixed location. You can then acquire the memory "dump" and attempt to recover the data block from the memory dump. If the number of samples is sufficiently large and the location of the samples is representative with respect to the location (below 4 GiB, above 4 GiB, "unmanaged" memory) and architecture (Intel, AMD, NUMA, non-NUMA) and amount of memory (< 4 GiB, > 4 GiB, > 16 GiB***) then it should be possible to make an inference as to the reliability of acquisition of memory as a whole based upon the reliability of acquisition of the samples. In any event, being able to exclude particularly unreliable memory acquisition tools would be a step forward, even if it falls short of validating the tools that remain for LE evidentiary purposes. I though that Volatility might be able to play a useful role in developing a public test framework if it were reworked to identify the present or missing structural elements (e.g. the missing page tables) in a documentable way. I asked Aaron about it last year but never got any response. Regards, gmg.

13 years, 1 month

2
1
0 0

Volatility install on OS X Lion

by Tom Yarrish

Hey all, So I went through the install docs for Linux on the wiki to install Volatility on my MacBook Pro running OS X Lion. I'm testing it using the samples from the Malware Cookbook (stuxnet.vmem in this case), and just doing: python ~/volatility-read-only/vol.py -f stuxnet.vmem imageinfo I'm getting the following output: Volatile Systems Volatility Framework 2.1_alpha Determining profile based on KDBG search... Traceback (most recent call last): File "/Users/e18529/volatility-read-only/vol.py", line 135, in <module> main() File "/Users/e18529/volatility-read-only/vol.py", line 126, in main command.execute() File "/Users/e18529/volatility-read-only/volatility/commands.py", line 101, in execute func(outfd, data) File "/Users/e18529/volatility-read-only/volatility/plugins/imageinfo.py", line 37, in render_text for k, v in data: File "/Users/e18529/volatility-read-only/volatility/plugins/imageinfo.py", line 47, in calculate suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)] File "/Users/e18529/volatility-read-only/volatility/plugins/kdbgscan.py", line 95, in calculate buf = addrspace.BufferAddressSpace(self._config) File "/Users/e18529/volatility-read-only/volatility/addrspace.py", line 161, in __init__ BaseAddressSpace.__init__(self, None, config, **kwargs) File "/Users/e18529/volatility-read-only/volatility/addrspace.py", line 68, in __init__ self.profile = self._set_profile(config.PROFILE) File "/Users/e18529/volatility-read-only/volatility/addrspace.py", line 90, in _set_profile ret = registry.PROFILES[profile_name]() File "/Users/e18529/volatility-read-only/volatility/obj.py", line 879, in __init__ self.reset() File "/Users/e18529/volatility-read-only/volatility/obj.py", line 906, in reset self.load_modifications() File "/Users/e18529/volatility-read-only/volatility/obj.py", line 960, in load_modifications mod.modification(self) File "/Users/e18529/volatility-read-only/volatility/plugins/overlays/windows/ssdt_vtypes.py", line 57, in modification profile.additional['syscalls'] = module.syscalls AttributeError: 'NoneType' object has no attribute 'syscalls' So I'm guessing I still don't have something configured correctly. Thanks ahead of time, Tom

13 years, 1 month

5
5
0 0

Re: [Vol-users] Windows kernel memory.

by carl galton

Thank you for your answers. > There is no such thing as "the address spaces of all processes." What I meant to say was that moddump plugin uses find_space function to find a process whose address space maps the searched driver. def find_space(self, addr_space, procs, mod_base): """Search for an address space (usually looking for a GUI process)""" if addr_space.is_valid_address(mod_base): return addr_space for proc in procs: ps_ad = proc.get_process_address_space() if ps_ad != None: if ps_ad.is_valid_address(mod_base): return ps_ad return None

13 years, 1 month

1
0
0 0

Windows kernel memory.

by carl galton

Hello, I am doing some research on Windows kernel, using volatility. I need to get the mapping from virtual addresses to physical ones for kernel memory. As far as I know, every process maps kernel virtual addresses (addresses upper than 0x7fffffff in 32bit Windows versions with 3GB split disabled) to physical ones in the same way. In other words, the address spaces relative to every process are equals for kernel virtual addresses. Is this always true? I noticed that some plugins (e.g. kdbgscan) use the address space of the process "Idle", others use the address spaces of all processes (e.g. modscan). Which is the right way to proccede to develop a plugin to get the full virtual to physicall mapping for kernel addresses? Thank you.

13 years, 1 month

3
2
0 0

Userhandles

by Sebastien Bourdon-Richard

Hi All, I was looking at the Stuxnet footprint blog post (who is excellent btw) and I was interested by the userhandles plugin. ./vol.py userhandles -t TYPE_WINDOW http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html I can't find this plugin for volatility... Does it comes with another plugin? Where can I download it? Thanks in advance, Sebastien

13 years, 1 month

4
7
0 0

strings for new SpyEye

by Mike Lambert

Does anyone have any strings unique for the new SpyEye mentioned in this article? http://redtape.msnbc.msn.com/_news/2012/01/06/9986119-new-virus-raids-your-… If you have a memory image with this trojan, could you share it with me? Mike Lambert michael-lambert.us

13 years, 1 month

2
2
0 0

Re: [Vol-users] stings input file format question

by Jamie Levy

Glad I could help! Yep, I've seen this before many times ;-) All the best, -gleeda -----Original Message----- From: Mike Lambert <dragonforen(a)hotmail.com> Date: Mon, 27 Feb 2012 17:02:15 To: <jamie.levy(a)gmail.com> Subject: RE: [Vol-users] stings input file format question My thanks! Well you called that one! I was using Encase's "Export" to output a text file of the offsets of the hits from the search result tab. Encase outputs unicode text. I just need to put a new step in the process, convert it to ANSI before running it with the strings command. And it does have a funky befinning of file marker.... You must have seen this before? Best, Mike > Date: Mon, 27 Feb 2012 16:39:08 -0500 > Subject: Re: [Vol-users] stings input file format question > From: jamie.levy(a)gmail.com > To: dragonforen(a)hotmail.com > > hrmmmmm I don't see anything obviously wrong here... But since you > said these offsets are from EnCase, how were they obtained? By > EnScript to a file, copy+paste from the console or some other method? > I'm just curious if the offsets were exported in ASCII or EnCase's > default UTF-16. Also sometimes when exporting in unicode, there's a > funky corrupt BOM that EnCase uses that might be messing things up... > I'm just trying to think of things that might have gone wrong here. > > Maybe you could try copy and pasting a few of these "Ypycub" entries > into a new text file and running the strings plugin again to see. > > All the best, > > -gleeda > > > On Mon, Feb 27, 2012 at 4:06 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote: > > I am mystified why I see the following: in one case I get output from > > strings and the other I get an input file format error. I have tried this > > with 1.3 and 2.0 and get the same result. It takes 1.3 a looonnngg time to > > return the error, 2.0 returs the error quickly. > > > > I thought the reason may be length, so I broke up the Ypycub offsets into > > increasingly smaller input files; no success was achived with the smaller > > input files. > > I don't see a format difference in these 2 files. > > > > The offsets come from an Encase search of 120225b.mem. It is a 458MB > > WinXPSP3x86 image converted from hiberfil.sys. > > > > > > Vol 1.3 example: The same result is seen with Vol 2.0 > > > > The input file is: > > > > 357229672:Glows > > 280642408:Glows > > 257105340:Glows > > 113457472:Glows > > 357230696:Glows > > > > > > C:\Python27\Volatility-1.3_Beta>python volatility strings -f > > e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Glows_offsets.txt > > > > 357229672 [kernel:df864468 ] Glows > > 280642408 [1456:45b8368 ] Glows > > 257105340 [kernel:e1ec1dbc ] Glows > > 113457472 [1456:2ac0940 ] Glows > > 357230696 [kernel:df864868 ] Glows > > > > ----------------------cut-here------------------------- > > The input file is: > > > > 7744388:Ypycub > > 10830274:Ypycub > > 70385414:Ypycub > > 70918297:Ypycub > > 70918649:Ypycub > > 73375514:Ypycub > > 91390974:Ypycub > > 104879126:Ypycub > > 104879154:Ypycub > > 132968006:Ypycub > > 215776800:Ypycub > > 232868024:Ypycub > > 232869190:Ypycub > > 237434963:Ypycub > > 237434991:Ypycub > > 256642118:Ypycub > > 285030170:Ypycub > > 310449659:Ypycub > > 310449687:Ypycub > > 314178656:Ypycub > > 325974496:Ypycub > > 327972307:Ypycub > > 327972335:Ypycub > > 338814062:Ypycub > > 338814854:Ypycub > > 339229856:Ypycub > > 339763304:Ypycub > > 339763544:Ypycub > > 339893168:Ypycub > > 340101984:Ypycub > > 343215259:Ypycub > > 343215287:Ypycub > > 357229759:Ypycub > > 361836122:Ypycub > > 367889650:Ypycub > > 455348611:Ypycub > > 455348639:Ypycub > > > > > > C:\Python27\Volatility-1.3_Beta>python volatility strings -f > > e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Ypycub_offsets.txt > > > > Usage: strings [options] (see --help) > > volatility: error: String file format invalid. > > > > > > Thanks for any assistance. > > > > Mike > > > > > > > > > > > > _______________________________________________ > > Vol-users mailing list > > Vol-users(a)volatilesystems.com > > http://lists.volatilesystems.com/mailman/listinfo/vol-users > > > > > > -- > PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

13 years, 1 month

2
3
0 0

Re: [Vol-users] stings input file format question

by Jamie Levy

Sorry I meant for this to go to the list also: On Mon, Feb 27, 2012 at 4:39 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote: > hrmmmmm I don't see anything obviously wrong here... But since you > said these offsets are from EnCase, how were they obtained? By > EnScript to a file, copy+paste from the console or some other method? > I'm just curious if the offsets were exported in ASCII or EnCase's > default UTF-16. Also sometimes when exporting in unicode, there's a > funky corrupt BOM that EnCase uses that might be messing things up... > I'm just trying to think of things that might have gone wrong here. > > Maybe you could try copy and pasting a few of these "Ypycub" entries > into a new text file and running the strings plugin again to see. > > All the best, > > -gleeda > > > On Mon, Feb 27, 2012 at 4:06 PM, Mike Lambert <dragonforen(a)hotmail.com> wrote: >> I am mystified why I see the following: in one case I get output from >> strings and the other I get an input file format error. I have tried this >> with 1.3 and 2.0 and get the same result. It takes 1.3 a looonnngg time to >> return the error, 2.0 returs the error quickly. >> >> I thought the reason may be length, so I broke up the Ypycub offsets into >> increasingly smaller input files; no success was achived with the smaller >> input files. >> I don't see a format difference in these 2 files. >> >> The offsets come from an Encase search of 120225b.mem. It is a 458MB >> WinXPSP3x86 image converted from hiberfil.sys. >> >> >> Vol 1.3 example: The same result is seen with Vol 2.0 >> >> The input file is: >> >> 357229672:Glows >> 280642408:Glows >> 257105340:Glows >> 113457472:Glows >> 357230696:Glows >> >> >> C:\Python27\Volatility-1.3_Beta>python volatility strings -f >> e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Glows_offsets.txt >> >> 357229672 [kernel:df864468 ] Glows >> 280642408 [1456:45b8368 ] Glows >> 257105340 [kernel:e1ec1dbc ] Glows >> 113457472 [1456:2ac0940 ] Glows >> 357230696 [kernel:df864868 ] Glows >> >> ----------------------cut-here------------------------- >> The input file is: >> >> 7744388:Ypycub >> 10830274:Ypycub >> 70385414:Ypycub >> 70918297:Ypycub >> 70918649:Ypycub >> 73375514:Ypycub >> 91390974:Ypycub >> 104879126:Ypycub >> 104879154:Ypycub >> 132968006:Ypycub >> 215776800:Ypycub >> 232868024:Ypycub >> 232869190:Ypycub >> 237434963:Ypycub >> 237434991:Ypycub >> 256642118:Ypycub >> 285030170:Ypycub >> 310449659:Ypycub >> 310449687:Ypycub >> 314178656:Ypycub >> 325974496:Ypycub >> 327972307:Ypycub >> 327972335:Ypycub >> 338814062:Ypycub >> 338814854:Ypycub >> 339229856:Ypycub >> 339763304:Ypycub >> 339763544:Ypycub >> 339893168:Ypycub >> 340101984:Ypycub >> 343215259:Ypycub >> 343215287:Ypycub >> 357229759:Ypycub >> 361836122:Ypycub >> 367889650:Ypycub >> 455348611:Ypycub >> 455348639:Ypycub >> >> >> C:\Python27\Volatility-1.3_Beta>python volatility strings -f >> e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Ypycub_offsets.txt >> >> Usage: strings [options] (see --help) >> volatility: error: String file format invalid. >> >> >> Thanks for any assistance. >> >> Mike >> >> >> >> >> >> _______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> > > > > -- > PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 -- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

13 years, 1 month

1
0
0 0

VM image of memory- This is not a VMEM file

by Lou LaRocca

When imaging memory on a live VM system to do analysis for malware Volatililty does not recognize it (see below). Is there anyone on this mailing list that has the knowledge on how I can remedy this without shutting the system down and grabbing the VMEM file? Is it possible to substitute a valid DTB from another image into the memdump of a live VM machine with a Hex editor? And if it can be done does anyone know the addresses of that space to take out and substitute? I hope that made sense...... If you look at a normal image of memory in a hex editor you can clearly see the difference between that and a VM dump from a live system, there seems to be some extra padded stuff right up front. Volatile Systems Volatility Framework 2.0 No suitable address space mapping found Tried to open image as: WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace32: No base Address Space JKIA32PagedMemory: No base Address Space JKIA32PagedMemoryPae: No base Address Space IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled WindowsHiberFileSpace32: No xpress signature fou WindowsCrashDumpSpace32: Header signature invali JKIA32PagedMemory: No valid DTB found JKIA32PagedMemoryPae: No valid DTB found IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled FileAddressSpace: Must be first Address Space Thanks Lou

13 years, 2 months

6
7
0 0

64 bit branch

by Glenn P. Edwards Jr.

I recall there being an experimental 64 bit branch up at the Google code site (not the lin64 one)... But when I just went to grab it , it appears to be gone. Is it somewhere else? :: Sent from my mobile phone; please excuse any typos ::

13 years, 2 months

2
1
0 0

Get virtual address corresponding to a dll

by Eknath Venkataramani

I have a foo.dll loaded in memory. Using `dlllist` I can see that the physical address is 0x252438. How do I get the virtual address? -- Eknath Venkataramani

13 years, 2 months

3
2
0 0

what is at that address

by Mike Houston

I have a text string that I found in memory and I would like to find out what is using/mapped to that address. (a process, a dll, a buffer, unallocated, etc.) How do I do that? I'm exploring the docs to see how close I can get; for example dumping what I can with memmap, and then searching for my physical offset. (but that only gets me processes) Any suggestions appreciated. Mike Lambert dragonforen(a)hotmail.com

13 years, 2 months

5
9
0 0

FW: [Vol-users] what is at that address

by Mike Lambert

Thanks Mike, I got the plugin and put it in the plugin directory. I looked at the plugin help and did not see how to specify the address to translate. I tried this without a switch: C:\Python27\volatility-2.0>python vol.py pas2kas -f \mem\120129\120129c.w32 --profile=WinXPSP3x86 0x19248000 Volatile Systems Volatility Framework 2.0 YARA is not installed, see http://code.google.com/p/yara-project/ distorm3 is not installed, see http://code.google.com/p/distorm/ Phys AS KAS C:\Python27\volatility-2.0> It seems I am not specifying the address to translate properly. Perhaps you can correct my commandline. Thanks, Mike PS. Yara will not install because it does not see a key for python27 in the registry. Do you know what key I should put in the registry so Yara will install? > From: scudette(a)gmail.com > Date: Fri, 3 Feb 2012 23:34:43 -0800 > Subject: Re: [Vol-users] what is at that address > To: dragonforen(a)hotmail.com > CC: vol-users(a)volatilityfoundation.org > > Mike, > You could also use the pas2kas module: > > http://code.google.com/p/volatility/source/browse/branches/scudette/volatil… > > Michael. > > On 3 February 2012 15:00, Mike Houston <dragonforen(a)hotmail.com> wrote: > > I have a text string that I found in memory and I would like to find out > > what is using/mapped to that address. (a process, a dll, a buffer, > > unallocated, etc.) > > > > How do I do that? I'm exploring the docs to see how close I can get; for > > example dumping what I can with memmap, and then searching for my physical > > offset. (but that only gets me processes) > > > > Any suggestions appreciated. > > > > Mike Lambert > > dragonforen(a)hotmail.com > > > > > > > > > > _______________________________________________ > > Vol-users mailing list > > Vol-users(a)volatilityfoundation.org > > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > >

13 years, 2 months

1
0
0 0

Traceback errors when using yara

by Andre' M. DiMino

Greetings, I'm seeing the following errors when attempting to run volatility with 'malfind' and referencing yara. This used to work fine on yara 1.4, but now fails on 1.6. I'm wondering what might have happened and how to resolve it. ~/vol.py -f purple.vmem --profile=WinXPSP3x86 malfind -D /home/apollo/workspace/dump_dir/ --yara-rules="http://" -p 1004 Volatile Systems Volatility Framework 2.1_alpha Name Pid Start End Tag Hits Protect Traceback (most recent call last): File "/home/apollo/vol.py", line 135, in <module> main() File "/home/apollo/vol.py", line 126, in main command.execute() File "/home/sportivo/tools/Volatility/volatility/commands.py", line 101, in execute func(outfd, data) File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py", line 1042, in render_text for (name,pid,start,end,tag,prx,fname,hits,chunk) in data: File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py", line 992, in calculate for ps_ad, start, end, tag, prx, data in self.get_vads(proc): File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py", line 923, in get_vads yield (ps_ad, start, end, vad.Tag, vad.Flags.Protection >> 24, data) File "/home/sportivo/tools/Volatility/volatility/obj.py", line 777, in __getattr__ return self.m(attr) File "/home/sportivo/tools/Volatility/volatility/obj.py", line 762, in m raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr)) AttributeError: Struct VadRoot has no member Flags Any thoughts or ideas are welcome. Thanks! Andre' -- Andre' M. DiMino DeepEnd REsearch http://deependresearch.org http://sempersecurus.org "Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

13 years, 2 months

2
2
0 0

Volatility errors after update?

by Andre' M. DiMino

I just did an svn update to version 1327 and I'm now noticing the following errors upon execution of any volatility command. For example: ~/tools/Volatility/vol.py -f XP_SP3.vmem imageinfo Volatile Systems Volatility Framework 2.1_alpha *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86) : snip : ~/tools/Volatility/vol.py -f XP_SP3.vmem --profile=WinXPSP3x86 connscan Volatile Systems Volatility Framework 2.1_alpha *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') Offset(P) Local Address Remote Address Pid ---------- ------------------------- ------------------------- ------ 0x0219fa40 0.0.0.0:19272 0.0.0.0:55542 2147487916 ~/tools/Volatility/vol.py -f XP_SP3.vmem --profile=WinXPSP3x86 modules Volatile Systems Volatility Framework 2.1_alpha *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp1_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86_vtypes (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') *** Failed to import volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError: 'module' object has no attribute 'ntkrnlmp_types') Offset(V) File Base Size Name 0x823fc3a0 \WINDOWS\system32\ntkrnlpa.exe 0x00804d7000 0x1f8580 ntoskrnl.exe 0x823fc338 \WINDOWS\system32\hal.dll 0x00806d0000 0x020300 hal.dll : snip : Everything seems to complete OK so far, but I'm wondering what might have caused these new error messages. Thanks! Andre' -- Andre' M. DiMino DeepEnd REsearch http://deependresearch.org http://sempersecurus.org "Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

13 years, 2 months

3
3
0 0

Volatility-Linux TypeError

by Patrick Burkard

Hello, in the last view weeks i've tried to analyze Linux memorydumps with the volatility-linux Version (Revision 1313 from svn). My goal is to show that it is possible to discover hidden processes, kernelmodules etc. (for example from a rootkit) from a memory dump. By comparing the output from the memorydump analysis with the native execution of the system commands. I created a profile for the current stable Debian version. Trying to use this profile leads to the following TypeError: python volatility.py --profile=LinuxDebian26325 -f ~/Desktop/LF32.ram linux_task_list_ps Volatile Systems Volatility Framework 1.4_rc1 Name Pid Uid Traceback (most recent call last): File "volatility.py", line 129, in <module> main() File "volatility.py", line 120, in main command.execute() File "/home/dark-eye/Sources/volatility_linux/volatility/commands.py", line 101, in execute func(outfd, data) File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_task_list_ps.py", line 59, in render_text for task in data: File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_task_list_ps.py", line 50, in calculate for task in linux_common.walk_list_head("task_struct", "tasks", init_task.tasks, self.addr_space): File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_common.py", line 110, in walk_list_head yield obj.Object(struct_name, offset = list_ptr - offset, vm = addr_space) TypeError: unsupported operand type(s) for -: 'instancemethod' and 'int' I would really appreciate to debug or help to debug this issue. Sadly I can't find a way to evaluate the correctness of the kernel-profile. Is this a known problem from volatility-linux or could it be the result of a failure i've made while creating the debian profile? Thanks for every hint! Greetings Patrick

13 years, 2 months

5
11
0 0

Vote Volatility: 2011 Toolsmith Tool of the Year

by AAron Walters

In case you may have missed it, Volatility 2.0 has been nominated for the ISSA Journal's Toolsmith Tool of the Year. If you believe in open source forensics tools and want to show your support for the Volatility team, please take a few moments to cast your vote! Feel free to tell all your friends and family to vote as well! You have until January 31 to vote from all your machines! http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-y… X September - Volatility for memory analysis If you need extra motivation, you may want to check out the 64-bit Beta support recently merged into trunk! Bug reports welcome! Enjoy! Thanks, The Volatility Project (TVP)

13 years, 2 months

1
0
0 0

api hooking

by malware monna

Hi All, i'm new to Volatility, i was trying to analyze a spyeye sample, and while running apihooks i got the below output, it looks like there is inline api hook and i see jump into this 0xba.....location.... i would like to know the DLL that is associated with a JMP, in this case it shows unknown............how can i determine the dll? and how can dump the dll from the memory?.....any information would be helpful, sorry this could be a stupid question. VMwareUser.exe[636] inline wininet.dll!InternetReadFile[0x7806abb4] 0x7806abb4 JMP 0xbaf140c (UNKNOWN) VMwareUser.exe[636] inline wininet.dll!InternetReadFileExA[0x78082ae2] 0x78082ae2 JMP 0xbaf1526 (UNKNOWN) VMwareUser.exe[636] inline wininet.dll!InternetWriteFile[0x78073645] 0x78073645 JMP 0xbaf2d4b (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!NtResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!NtVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!ZwQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!ZwResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!ZwSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN) VMwareUser.exe[636] inline ntdll.dll!ZwVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN) VMwareUser.exe[636] inline crypt32.dll!PFXImportCertStore[0x77aeff8f] 0x77aeff8f JMP 0xbae0b02 (UNKNOWN) VMwareUser.exe[636] inline user32.dll!TranslateMessage[0x7e418bf6] 0x7e418bf6 JMP 0xbadc47f (UNKNOWN) VMwareUser.exe[636] inline advapi32.dll!CryptEncrypt[0x77dee340] 0x77dee340 JMP 0xbaeda23 (UNKNOWN) VMwareUser.exe[636] inline ws2_32.dll!send[0x71ab4c27] 0x71ab4c27 JMP 0xbaee35d (UNKNOWN) ctfmon.exe[768] inline ntdll.dll!NtClose[0x7c90cfd0] 0x7c90cfd0 JMP 0xa003b2 (UNKNOWN) ctfmon.exe[768] inline ntdll.dll!ZwClose[0x7c90cfd0] 0x7c90cfd0 JMP 0xa003b2 (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!NtResumeThread[0x7c90db20] 0x7c90db20 JMP 0xbaf625c (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!NtVdmControl[0x7c90df00] 0x7c90df00 JMP 0xbae4fd6 (UNKNOWN) wmiprvse.exe[1876] inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN) Thanks

13 years, 4 months

2
1
0 0

Re: [Vol-users] profile based plugin list

by Jamie Levy

> Is there list of plugins on a per profile basis. > For eg. connections, sockscan, sockets don't work for Windows 7 dumps. I > didnot know this and was wondering what would've gone wrong > > > -- > Eknath Venkataramani We have most of the plugins broken down here (note the "OS Support" column): http://code.google.com/p/volatility/wiki/FeaturesByPlugin Also you can often see notes like that here: http://code.google.com/p/volatility/wiki/CommandReference All the best, -gleeda

13 years, 5 months

2
1
0 0

profile based plugin list

by Eknath Venkataramani

Is there list of plugins on a per profile basis. For eg. connections, sockscan, sockets don't work for Windows 7 dumps. I didnot know this and was wondering what would've gone wrong -- Eknath Venkataramani

13 years, 5 months

1
0
0 0

Identifying HIPS process injection

by Darren Spruell

I've got a suspect process running on a system. 0x0703fcb8 8880792.tmp 5940 1504 0x0b353000 2011-05-27 07:00:12 %Windir%\Temp\8880792.tmp It's 64K on disk and looks like it's packed with Armadillo: File Name: 8880792.tmp File Size: 65536 File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5 Hash: fec737234a47ae90ee79af44d3081a4d SHA1 Hash: 4fb9abf6aba05ec1232b98ab39073c7635f7b9aa Cymru MHR: Not listed Packer ID(s): => Armadillo v1.71 Number of sections: 3 -------------------- ('.text\x00\x00\x00', '0x1000', '0xb446', 49152) ('.rdata\x00\x00', '0xd000', '0x15d2', 8192) ('.data\x00\x00\x00', '0xf000', '0x20c0', 4096) I dump process memory (procmemdump) and end up with strings not much different than what I get for the file on disk. The procmemdump output is about 10K larger. The memdump output is 245M and going through the addressable memory contents I get loads of suspicious data that looks like it's related to malware. Samples: are\EES\BIFROST //sharedfreehosting.c USER remote hello keypublic WEBCAM Ekran.png Ekran.bmp 60.167.78.224 www.proxyserverlist.biz proxy_checker/index.php ClientSocket www.66444.com open ww4.tmdqq.net/51lin www3.57185.com/is686_.h 1.hao591.net/is6 exefile=cdb.exe dllfile=test.dll regedits=stubpath tp://bravor.net w.ya.ru whatismyip.co Welcom to BackDor serv by emPyte Fan666` . tem\lsass.ex ion\Run *sniff* sad yo, PRIVMSG Splinter ddos v1.0 INFECT Plus! terra.com.mx send.aspx?id= Windll22.exe !reboot !reconnect !join !pwl !connection !switch !chatslaves Connected to NetShadow v1.2 Server ID: F:\Work\TEST MyFunlove \calc.ex LAgPCfAGCxoRI CwgMCA8JERAO9x Chat-Fenster pcinfo Resolution: tmdqq.net 57185.com szfocus.net cool-pic.com dcomScaner Vortex1 mazafaka GONNA BE AN IRCF HTTP://WWW.ASEXVIDEO HACKTOOLZ ?ACTION=LOGIN&SEND= ICQBETA I suppose though that this is data from the HIPS application that has been injected into this executable's process space. The same strings are present in the memory space of all processes. I want to confirm this by finding an indicator in the process memory that attributes this data to the HIPS application. What is the best way to do this? My initial suspicion is that the VAD table could show me that. Is this right? How could this analysis proceed in Volatility? The 'modules' plugin shows me a couple of entries that I suspect relate to it. 0x8a3c01e8 mfehidk.sys 0x00f70a9000 0x052000 mfehidk.sys 0x89030a20 \SystemRoot\system32\drivers\mfetdik.sys 0x00f7697000 0x00e000 mfetdik.sys 0x89237e68 \Device\mfehidk01.sys 0x00b7f38000 0x053000 mfehidk01.sys -- Darren Spruell phatbuckett(a)gmail.com

13 years, 5 months

2
1
0 0

stuxnet.vmem and VMware

by G. Scott Graham

MHL has been helpful in the past, but I thought I would throw this one out to a wider audience. Simply put, I asked my sysadmin, who has helped me set up my VMware environment, to set up an XP SP3 VM and load stuxnet.vmem as the suspended memory image. VMware crapped out with "A fault has occurred causing the virtual CPU to enter the shutdown state. ..." Does anyone have any insight here? Is stuxnet.vmem the suspended memory image of a Stuxnet infected XP SP3 machine? If it had worked, I wanted to get sysinternals running on the VM, so that I would have sysinternals and Volatility insight into Stuxnet -- although not approaching what Mark Russinovitch was able to show with booting up the machine and infecting it from the start. For educational purposes, for the class I am teaching. Thanks for any guidance, VMware or stuxnet. bfn -- Professor G. Scott Graham administratively: Dean's Designate for Academic Offences academically: Associate Professor, Computer Science and Forensic Science University of Toronto Mississauga

13 years, 5 months

2
1
0 0

Re: [Vol-users] how does malfind plugin work

by malware monna

Hi Curt/Michael, Thanks for the reponse, i need little bit of help, as i'm new to memory forensics...i need your help in understanding how to interpret the results ....any material on additional information on this topic will be helpful Thanks, Monnappa On Tue, Oct 25, 2011 at 9:55 AM, Curt Wilson <research(a)perpetualhorizon.org>wrote: > > > Michael Ligh responded, but it's possible that you might need more > explanation. While I'm not an expert, I'm getting better and would be glad > to try to help you understand the assembly if necessary. Let me know and > I'll see if I can help, if you don't already have it down. > > > > > > > On 10/22/2011 3:17 PM, malware monna wrote: > > Hi All, > > I'm new to volatility and i was reading one of the article on the > internet and found the below output, so i was curious to know what does > below ouput mean?, can anybody please help me understand the malfind pluging > and the below ouput, any info would be useful. > > > --------------------------------------------------------------------------------------------------------------------------------------- > > VMwareTray.exe 432 0x00e30000 0xe30fff00 VadS 0 > PAGE_EXECUTE_R > EADWRITE > Dumped to: c:\re\zeus_demo\VMwareTray.exe.4be97e8.00e30000-00e30fff.dmp > 0x00e30000 b8 35 00 00 00 e9 cd d7 ad 7b b8 91 00 00 00 e9 > .5.......{...... > > 0x00e30010 4f df ad 7b 8b ff 55 8b ec e9 ef 17 3e 76 8b ff > O..{..U.....>v.. > > 0x00e30020 55 8b ec e9 95 76 39 76 8b ff 55 8b ec e9 be 53 > U....v9v..U....S > > 0x00e30030 3a 76 8b ff 55 8b ec e9 d6 18 3e 76 8b ff 55 8b > :v..U.....>v..U. > > 0x00e30040 ec e9 14 95 39 76 8b ff 55 8b ec e9 4f 7e 3c 76 > ....9v..U...O~<v > > 0x00e30050 8b ff 55 8b ec e9 0a 32 3a 76 8b ff 55 8b ec e9 > ..U....2:v..U... > > 0x00e30060 7d 61 39 76 6a 2c 68 b8 8d 1c 77 e9 01 8c 39 76 > }a9vj,h...w...9v > > 0x00e30070 8b ff 55 8b ec e9 c4 95 c8 70 8b ff 55 8b ec e9 > ..U......p..U... > > Disassembly: > 00e30000: b835000000 MOV EAX, 0x35 > 00e30005: e9cdd7ad7b JMP 0x7c90d7d7 > 00e3000a: b891000000 MOV EAX, 0x91 > 00e3000f: e94fdfad7b JMP 0x7c90df63 > 00e30014: 8bff MOV EDI, EDI > 00e30016: 55 PUSH EBP > 00e30017: 8bec MOV EBP, ESP > 00e30019: e9ef173e76 JMP 0x7721180d > 00e3001e: 8bff MOV EDI, EDI > 00e30020: 55 PUSH EBP > > --------------------------------------------------------------------------------------------------------------------------------------------- > > Thanks > > > _______________________________________________ > Vol-users mailing listVol-users@volatilityfoundation.orghttp://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > > -- > Curt Wilson > Research Analyst, Arbor Networks ASERT cwilson(a)arbor.net > Personal Security Research: research(a)perpetualhorizon.org > >

13 years, 5 months

1
0
0 0

Need some assistance with strings output

by Tom Yarrish

Hello all, I'm looking for some guidance on next steps with some data I have from a memory analysis. I was following the steps on using strings to look for processes that might have malicious IP's or URL's in memory: https://code.google.com/p/volatility/wiki/CommandReference#strings The issue I'm having now is where to proceed with the output I have. So for example in my URL.txt file I have this: 1b64666b7 [2632:834520759] http://ghc.ru 1b646674d [2632:834520909] http://rst.void.ru Now my understanding of the output is [PID:Address Space]. The particular PID in this instance refers to: 0x89c82020 WINWORD.EXE 2632 2284 11 943 2011-10-11 15:07:13 So how do I go deeper in to looking at why winword.exe may be making http requests? And what does the first value (ex 1b64666b7) refer to? Is that the virtual address in the memory dump file or something else? If there's any additional docs online I could look at to explain this further that would be helpful as well. Thanks ahead of time, Tom

13 years, 6 months

1
0
0 0

how does malfind plugin work

by malware monna

Hi All, I'm new to volatility and i was reading one of the article on the internet and found the below output, so i was curious to know what does below ouput mean?, can anybody please help me understand the malfind pluging and the below ouput, any info would be useful. --------------------------------------------------------------------------------------------------------------------------------------- VMwareTray.exe 432 0x00e30000 0xe30fff00 VadS 0 PAGE_EXECUTE_R EADWRITE Dumped to: c:\re\zeus_demo\VMwareTray.exe.4be97e8.00e30000-00e30fff.dmp 0x00e30000 b8 35 00 00 00 e9 cd d7 ad 7b b8 91 00 00 00 e9 .5.......{...... 0x00e30010 4f df ad 7b 8b ff 55 8b ec e9 ef 17 3e 76 8b ff O..{..U.....>v.. 0x00e30020 55 8b ec e9 95 76 39 76 8b ff 55 8b ec e9 be 53 U....v9v..U....S 0x00e30030 3a 76 8b ff 55 8b ec e9 d6 18 3e 76 8b ff 55 8b :v..U.....>v..U. 0x00e30040 ec e9 14 95 39 76 8b ff 55 8b ec e9 4f 7e 3c 76 ....9v..U...O~<v 0x00e30050 8b ff 55 8b ec e9 0a 32 3a 76 8b ff 55 8b ec e9 ..U....2:v..U... 0x00e30060 7d 61 39 76 6a 2c 68 b8 8d 1c 77 e9 01 8c 39 76 }a9vj,h...w...9v 0x00e30070 8b ff 55 8b ec e9 c4 95 c8 70 8b ff 55 8b ec e9 ..U......p..U... Disassembly: 00e30000: b835000000 MOV EAX, 0x35 00e30005: e9cdd7ad7b JMP 0x7c90d7d7 00e3000a: b891000000 MOV EAX, 0x91 00e3000f: e94fdfad7b JMP 0x7c90df63 00e30014: 8bff MOV EDI, EDI 00e30016: 55 PUSH EBP 00e30017: 8bec MOV EBP, ESP 00e30019: e9ef173e76 JMP 0x7721180d 00e3001e: 8bff MOV EDI, EDI 00e30020: 55 PUSH EBP --------------------------------------------------------------------------------------------------------------------------------------------- Thanks

13 years, 6 months

2
1
0 0

Trouble with forensic1394 III

by Michael Felber

It seems that Volatility uses a I/O packet size that's to large for my system. Thanks to Freddie Witherden for supporting me. Using a small dumping application (see below) provided by Freddie I was successfully able to dump that 2GiB of RAM. So I transferred this thread to vol-dev. CU Michael

13 years, 8 months

2
1
0 0

Difference between LIST_ENTRY_PTR and LIST_ENTRY

by Eknath Venkataramani

While analyzing a memory snapshot, I saw some objects of the type LIST_ENTRY_PTR and some of the type LIST_ENTRY. From the addresses of those objects, it looked as if LIST_ENTRY_PTRs where the corresponding list heads and the LIST_ENTRY's were simply the nodes in the list. Is this correct? -- Eknath Venkataramani

13 years, 8 months

1
0
0 0

Trouble with forensic1394 II

by Michael Felber

So, a ldconfig later it looks more comfortable but still it does not work: # python vol.py -l Firewire://forensic1394/0 pslist Volatile Systems Volatility Framework 2.1_alpha IOError(u'forensic1394_read_device_v: Bad I/O request size',) IOError(u'forensic1394_read_device_v: Bad I/O request size',) No suitable address space mapping found Tried to open image as: WindowsHiberFileSpace32: No base Address Space EWFAddressSpace: Location is not of file scheme WindowsCrashDumpSpace32: No base Address Space JKIA32PagedMemory: No base Address Space IA32PagedMemoryPae: Module disabled JKIA32PagedMemoryPae: No base Address Space IA32PagedMemory: Module disabled WindowsHiberFileSpace32: Location is not of file scheme EWFAddressSpace: Location is not of file scheme WindowsCrashDumpSpace32: Location is not of file scheme JKIA32PagedMemory - EXCEPTION: Failed to read from firewire device IA32PagedMemoryPae: Module disabled JKIA32PagedMemoryPae - EXCEPTION: Failed to read from firewire device IA32PagedMemory: Module disabled FirewireAddressSpace: Must be first Address Space FileAddressSpace: Must be first Address Space Seems the python bindings were missed in the first approach. What could cause the FW-read-error? Regards Michael -- Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de

13 years, 8 months

2
2
0 0

Trouble with forensic1394

by Michael Felber

Hello all, I have tried the libforensic1394 package from https://freddie.witherden.org/tools/libforensic1394/ with Volatility. That's the result: # python vol.py -l Firewire://forensic1394/0 pslist Volatile Systems Volatility Framework 2.1_alpha No suitable address space mapping found Tried to open image as: WindowsHiberFileSpace32: No base Address Space EWFAddressSpace: Location is not of file scheme WindowsCrashDumpSpace32: No base Address Space JKIA32PagedMemory: No base Address Space IA32PagedMemoryPae: Module disabled JKIA32PagedMemoryPae: No base Address Space IA32PagedMemory: Module disabled FileAddressSpace: Location is not of file scheme What could I have missed? I had expected to to read something about the firewire address space but neither Firewire:... nor firewire:... did work. Regards Michael -- NEU: FreePhone - 0ct/min Handyspartarif mit Geld-zurück-Garantie! Jetzt informieren: http://www.gmx.net/de/go/freephone

13 years, 8 months

1
0
0 0

Finding API-Hooks

by Michael Felber

Hey Michael, trying to list the hooked API-calls in the zeus.vmem-image according page 666 of your "Cookbook" with Volatility 2.0 and maware.py r97 I get the following result only: C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\zeus.vmem" Volatile Systems Volatility Framework 2.0 Name Type Target Value wuauclt.exe[468](a)wuaueng.dll iat sfc.dll!*invalid* 0x0 0x76c69828 (sfc_os.dll) Finished after 383.752000093 seconds Did I miss something or should I use an older version of Volatility and the malware-Plugin? Kindest regards Michael

13 years, 8 months

2
4
0 0

unable to extract process 1336 from prolaco-image

by Michael Felber

Hi, I have tried to extract the process 1336 (1_doc_RCData_61) from the prolaco-Image provided at http://malwarecookbook.googlecode.com/svn-history/r26/trunk/15/6/prolaco.vme m.zip Neither procexedump nor procmemdump did work for this process but for any other. What went wrong? Regards Michael

13 years, 8 months

2
2
0 0

Versions 1.3, 1.4 and 2.0

by macubergeek

I'm new to volatility and recently completed a SANS course which taught v. 1.3. I'm trying to straighten out in my head the different sets of plugins that come with each version. It looks like v. 2.0 absorbed some older third party plugins but didn't absorb others like malfind.py and the other malware related third party plugins. Am I right here? It appears one has to have all three versions available for different feature sets? Is this correct? Jim ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ %49%66%20%79%6F%75%20%63%61%6E%20%72%65%61%64%20%74%68%69%73%20%79%6F%75%20%6E%65%65%64%20%74%6F%20%67%65%74%20%61%20%67%69%72%6C%66%72%69%65%6E%64%2E

13 years, 8 months

5
5
0 0

feature request: Output in Dot-Format for psscan

by Michael Felber

Hello, in 1.4rc1 there was a nice feature to visualize the output of psscan in the GraphViz-dot-format with -output=dot. I have used it frequently to explain memory structures to non IT-Experts or for training purposes. Is it possible to add this feature to Version 2.0 again, please? Cu Michael

13 years, 8 months

1
0
0 0

files-command missed

by Michael Felber

Hi all, In v2.0 I miss the files-command. As a workaround I use C:\Python27\Scripts>python vol.py handles -p 816 -f . | grep -i "File" "files" was easier to use. Why it has gone? Cu Michael

13 years, 8 months

2
2
0 0

Solved: *** Failed to import volatility.plugins.registry.lsadump

by Michael Felber

The problem is solved: I still had a 64-bit-version of PyCrypto installed, with the x(86)-version all seems to work fine and the hashdump/lsadump-plugins appear again. Shame on me! CU Michael

13 years, 8 months

1
0
0 0

hivedump, lsadump and hashdump

by Michael Felber

Hi all, when will the plugins hivedump, lsadump and hashdump be available in v2.0? Or is there another way to extract that data? Cu Michael

13 years, 8 months

1
0
0 0

Error importing plugins.registry.lsadump

by Michael Felber

Hello all, finally I found time to test the new version 2.0. It looks great even if I became familiar with the old structure. I tried to use it on an 64Bit-Win7 with Python64. This seems not to work but after installing the x(86)-architecture it does. However when starting v2.0 with I get the following error message: *** Failed to import volatility.plugins.registry.lsadump (ImportError: DLL load failed: %1 ist keine zulõssige Win32-Anwendung [transl.: %1 is no valid win32 application] What went wrong? Regards Michael

13 years, 8 months

1
0
0 0

Re: Vol-users Digest, Vol 39, Issue 1

by Shafik Punja

Mike - thanks so much for replying *************************************************************************************************** This is the terminal output for the lipo commands: qbl-mbp:~ qubyte$ lipo -info /usr/local/lib/libewf.dylib Non-fat file: /usr/local/lib/libewf.dylib is architecture: x86_64 qbl-mbp:~ qubyte$ lipo -info `which python` Architectures in the fat file: /Library/Frameworks/Python.framework/Versions/2.6/bin/python are: ppc i386 *************************************************************************************************** Output from from the versioner command: qbl-mbp:volatility2.0 qubyte$ VERSIONER_PYTHON_PREFER_32_BIT=yes python vol.py -h Volatile Systems Volatility Framework 2.0 *** Failed to import volatility.plugins.addrspaces.ewf (OSError: dlopen(/usr/local/lib/libewf.dylib, 6): no suitable image found. Did find: /usr/local/lib/libewf.dylib: mach-o, but wrong architecture) I have also cc'd Joachim Metz on this in case he has some insight. Joachim - in case you have time to read this i am encountering this error with libewf and volatility 2.0 when running volatitlity (mac ox 10.6.8 with libewf 20100226; this version of libewf is used to due to TSK 3.2.2): *** Failed to import volatility.plugins.addrspaces.ewf (OSError: dlopen(/usr/local/lib/libewf.dylib, 6): no suitable image found. Did find: /usr/local/lib/libewf.dylib: mach-o, but wrong architecture) Thanks to the vol group and joachim for taking the time to read this! I look forward to the next set of ideas! :) Cheers Shafik On Tue, Aug 9, 2011 at 11:00 AM, <vol-users-request(a)volatilityfoundation.org>wrote: > lipo -info `which python`

13 years, 8 months

3
4
0 0

Minor issue running volatility 2.0 on Mac OX 10.6.8 (Intel)

by Shafik Punja

Hello List! I have been fighting with this issue since volatility 1.4 RC1. I am not able to figure out why it cannot locate the correct libewf library. I have uninstalled and reinstalled from source the libewf 20100226 stable version. Can anyone assist me with this Terminal output: qbl-mbp:volatility2.0 qubyte$ python vol.py -h Volatile Systems Volatility Framework 2.0 *** Failed to import volatility.plugins.addrspaces.ewf (OSError: dlopen(/usr/local/lib/libewf.dylib, 6): no suitable image found. Did find: /usr/local/lib/libewf.dylib: mach-o, but wrong architecture) Usage: Volatility - A memory forensics analysis platform. OS: Mac OS X 10.6.8 Python: qbl-mbp:~ qubyte$ python Python 2.6.6 (r266:84374, Aug 31 2010, 11:00:51) [GCC 4.0.1 (Apple Inc. build 5493)] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> Any help would be greatly appreciated...and please dont assume that I know my well around terminal shell..I am still a newbie and learning lots! Thanks! Shafik __________________________________ Shafik Punja BSc, A+, CISSP, Network+, ACE, CCE Senior Technical Officer *QuByte Logic Ltd* 612-500 Country Hills Blvd NE, Suite #404 Calgary, AB CANADA T3K 5K3 ph: 403.909.6120 em: shafghp(a)gmail.com or shafik(a)qubytelogic.com wp: http://www.qubytelogic.com

13 years, 8 months

2
1
0 0

Tracing suspicious mutex back to it's respective process or binary

by macubergeek

All I've had great success using recipes out of the Malware Analyst Cookbook. I particularly like the recipe involving mutantscandb and compare the mutexes in a binary under investigation with those in my sqlite3 database. Can anyone tell me how to trace the observed suspicious mutexes in a mutantscandb scan with the process/binary that owns that mutex? Jim ~~~~~~~~~~~~~~~~~~~~~~ ACK and you shall receive

13 years, 9 months

2
1
0 0

Process Memory - memdmp

by Derek Lee

Hi all, I'm using "Volatility-1.3_Beta" in a college project. I have a question regarding the 'memdmp' module. I use a 1GB memory dump from Windows XP SP2. Dumped using the tool win32dd. After extracting the list of running processes, I dump the addressable memory for each process using the command: python volatility memdmp -f *my_1GB_memory_dump *-p 1234 The output for each process is a very large PID.dmp. On average each PID.dmp is about 200MB. So, after extracting the memory for the first 5 processes (out of a total of 64 processes), I have already exceeded the size of the RAM dump (1 GB). I know that some processes will use DLL's and that this may become part of the addressable memory for that process. But can anyone explain to me why the dump files are so large? Is it possible to just extract memory for each process so that the total is approx. equal to the RAM dump? Looking at the code for mem_dump, I can see: File: vmodules.py mem_dump(...) ... entries = process_address_space.get_available_pages() for entry in entries: data = process_address_space.read(entry[0],entry[1]) ohandle.write("%s"%data) File: forensics/x86.py def get_available_pages(self): page_list = [] pgd_curr = self.pgd_vaddr for i in range(0,ptrs_per_pgd): start = (i * ptrs_per_pgd * ptrs_per_pte * 4) entry = self.read_long_phys(pgd_curr) pgd_curr = pgd_curr + 4 if self.entry_present(entry) and self.page_size_flag(entry): page_list.append([start, 0x400000]) elif self.entry_present(entry): pte_curr = entry & ~((1 << page_shift)-1) for j in range(0,ptrs_per_pte): pte_entry = self.read_long_phys(pte_curr) pte_curr = pte_curr + 4 if self.entry_present(pte_entry): page_list.append([start + j * 0x1000, 0x1000]) return page_list I'm not a Python programmer, but it appears that the method: get_available_pages() is searching across the 4KB page files, looking for physical addresses belonging to the specific process. Then the data at these physical addresses is extracted. The lower level details of these commands are currently beyond my reach. Any help is greatly appreciated, Regards, Derek.

13 years, 9 months

2
1
0 0

OMFW 2011 - Registration Open

by AAron Walters

vol-users: I wanted to give you the inside track on registering for OMFW. Tomorrow, I will be posting the announcement to the Volatility tumblr for wider distribution. Pre-registration is required and space is limited, so register early. https://www.volatilityfoundation.org/default/omfw Volatile memory forensics (ie., RAM forensics) has proven one of the most exciting and important topics to the future of digital investigations. It has dramatically transformed the way we perform digital investigations and helped provide a path for addressing many of the challenges we currently face. OMFW is the only digital forensics workshop focused on providing a venue for the most advanced digital investigators. It is intended for those people who realize that the only real defense against a creative technical human adversary is a creative technical human analyst. No shady vendors trying to describe how they re-implemented open source tools or boisterous trainers attempting to discuss topics they only superficially understand. This is your opportunity to learn directly from an international cadre of pioneering researchers and practitioners who have been shaping the field of memory analysis since its inception. Through a series of invited talks and panel discussions you will have the opportunity to engage this exciting community. At the end of the day, the attendees will have the opportunity to work through a challenging memory analysis skills exercise with the assistance of your expert speakers. Join with industry leaders to discuss the latest advancements in memory forensics and the importance of open source initiatives. This is your opportunity to help shape the future of memory forensics! AW

13 years, 10 months

1
0
0 0

Volatility Report for Windows

by Chris Bentley

HI all, I've just started taking a more active look at using Volatility and I though I would point people in the direction of a new windows batch script I've created (Its based on the one from lg's blog ). Feel free to post any improvements, I already have a few things I have in mind to update the script. Blog Post: http://active-security.blogspot.com/2011/05/volatility-script-for-windows.h… Script location: https://docs.google.com/leaf?id=0Bz2rZ4S-yK8AMDE5ODhhMzEtOGNhMS00N2U3LWEyMz…

13 years, 10 months

1
0
0 0

cf Help volatility

by L Gordon

Suggest: a) read volatility wiki doc b) buy Malware Analyst's Cookbook Michael Hale Ligh et al Wiley 716 pg lorgor

13 years, 11 months

1
0
0 0

Release of reglist.py plugin v1.41

by L Gordon

Just to mention that have written a python port of Regripper for Volatility 1.4: reglist.py Latest version is 1.41. Updated to have more reliable os determination from profile. Description is here: http://code.google.com/p/lgvtotal/wiki/ReglistPlugin Download here: http://code.google.com/p/lgvtotal/downloads/list

13 years, 12 months

1
0
0 0

Re: [Vol-users] Open Memory Forensics Workshop (OMFW) 2011

by AAron Walters

Curt, You always ask the good questions...We are currently in the process of finalizing the specifics of the logistics. My goal was to get this email out and see if there was anyone else interested in speaking. I will send an update by the end of the week discussing the "where and when..". Hope all is well! AW On Wed, 13 Apr 2011, Curt Wilson wrote: > > AAron, > > Is there a date and location? > > Thanks > Curt Wilson > > > On 4/12/2011 10:21 PM, AAron Walters wrote: >> >> After the amazing success of OMFW 2008 and a <cough>little</cough> >> hiatus, we are currently in the process of planning OMFW 2011. OMFW is >> the single most important event for those who are interested in the >> deep technical aspects of digital investigations and forensics. It is >> intended for those people who realize the only real defense against a >> creative technical human adversary is creative technical human >> analyst. No shady vendors trying to describe how they re-implemented >> open source tools or boisterous trainers attempting to discuss topics >> they only superficially understand. This is your opportunity to learn >> directly from an international cadre of pioneering researchers and >> practitioners who have been shaping the field of memory analysis since >> its inception. >> >> If you are interested in getting involved or have an exciting topic >> you would like to present, please let the team know. For those who >> want to attend, please be sure to check back frequently for >> registration details. Due to the overwhelming response in 2008, we >> were not able to fulfill all the registration requests, so please be >> sure to register early! There will be a number of surprises and I >> guarantee it will be an event you won't want to miss! Check out what >> previous attendees of OMFW have said: >> >> "AAron was able to bring together an outstanding group of folks >> interested in "memory forensics" and there was some spirited >> discussion among the participants along with some really outstanding >> talks/demos. It was also great to be able to put faces to folks who >> until then had only been handles in IRC or names on e-mail/blog posts >> in the past." >> -Jim Clausing: SANS Internet Storm Center Handler >> >> "My first impression of the event was that the underground could have >> set digital forensics back 3-5 years if they had attacked our small >> conference room. Where else do you have Eoghan Casey, Brian Carrier, >> Harlan Carvey, Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr., >> Jesse Kornblum, Andreas Schuster, Aaron Walters, et al, in the same >> room? I thought Brian Dykstra framed the situation properly when >> asking the following: "I know this is an easy question for all you >> 'beautiful minds,' but..."" >> -Richard Bejtlich: TaoSecurity >> >> >> Current invited speakers include: >> >> Andrew Case (attc) >> Michael Cohen (scudette) >> Brendan Dolan-Gavitt (moyix) >> Jamie Levy (gleeda) >> Michael Hale Ligh (MHL) >> AAron Walters >> >> More to be announced.... >> >> _______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > -- > --- > Curt Wilson - Perpetual Horizon Security Research > SIUC IT Security Officer + Security Engineer >

14 years

1
0
0 0

Open Memory Forensics Workshop (OMFW) 2011

by AAron Walters

After the amazing success of OMFW 2008 and a <cough>little</cough> hiatus, we are currently in the process of planning OMFW 2011. OMFW is the single most important event for those who are interested in the deep technical aspects of digital investigations and forensics. It is intended for those people who realize the only real defense against a creative technical human adversary is creative technical human analyst. No shady vendors trying to describe how they re-implemented open source tools or boisterous trainers attempting to discuss topics they only superficially understand. This is your opportunity to learn directly from an international cadre of pioneering researchers and practitioners who have been shaping the field of memory analysis since its inception. If you are interested in getting involved or have an exciting topic you would like to present, please let the team know. For those who want to attend, please be sure to check back frequently for registration details. Due to the overwhelming response in 2008, we were not able to fulfill all the registration requests, so please be sure to register early! There will be a number of surprises and I guarantee it will be an event you won't want to miss! Check out what previous attendees of OMFW have said: "AAron was able to bring together an outstanding group of folks interested in "memory forensics" and there was some spirited discussion among the participants along with some really outstanding talks/demos. It was also great to be able to put faces to folks who until then had only been handles in IRC or names on e-mail/blog posts in the past." -Jim Clausing: SANS Internet Storm Center Handler "My first impression of the event was that the underground could have set digital forensics back 3-5 years if they had attacked our small conference room. Where else do you have Eoghan Casey, Brian Carrier, Harlan Carvey, Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr., Jesse Kornblum, Andreas Schuster, Aaron Walters, et al, in the same room? I thought Brian Dykstra framed the situation properly when asking the following: "I know this is an easy question for all you 'beautiful minds,' but..."" -Richard Bejtlich: TaoSecurity Current invited speakers include: Andrew Case (attc) Michael Cohen (scudette) Brendan Dolan-Gavitt (moyix) Jamie Levy (gleeda) Michael Hale Ligh (MHL) AAron Walters More to be announced....

14 years

1
0
0 0

Need Help

by kal maun

Hi All, I've been using Volatility few days ago, and I'm still new at this time. and until now I only use it only to look at it with regular orders...like 1. pslist 2. files 3.connections 4.etc. And I know, the information obtained from the volatility by the extraction of digital artifacts from volatile memory (RAM) is very useful in the investigation, but I do not know how to utilize, maximize, and use that information obtained by the volatility. and I know, here is the place of great people who can teach me how to better optimize the extraction of information on the results of volatility. Is there that can help me to better optimize the volatility ... please help me. I will very grateful for all help. Regards. Kalmaun.

14 years, 1 month

1
0
0 0

Issue installing 1.4RC1

by Michael Felber

Hello all, After I had changed to Win7 64 I've tried to install Volatility 1.4RC1 doing the following: - installing Python 2.7 x64 - installing a precompiled pccrypto 2.3.1 x64 bit from http://archive.warshaft.com/pycrypto-2.3.1.win7x64-py2.7x64.7z - compiling the modules did not work. - getting rc1 via wget and via SVN-checkout both When starting Volatility I get the following error message: C:\Micha\Forensics\Volatility-14rc1>python volatility C:\Python27\python.exe: can't find '__main__' module in 'volatility' What went wrong? Cu Michael

14 years, 2 months

2
2
0 0

Re: [Vol-users] Problem converting hiberfil.sys

by Christian Herndler

Thanks for your suggestion. I did try hibr2bin.exe, that didn't work either (error was: "Failed. Cannot open file. Please check if the file is not being used") The first page (4096 Byte) of the file is empty - but as far as I know that shouldn't be a problem. Christian On 11/17/2010 02:40 PM, Johnathan Bridbord wrote: > Christian- > > Perhaps try the following syntax: > > #python volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd > > I recommend Matt's standalone windows executable hibr2bin from moonsol. > > Thanks, > JB > Sent via BlackBerry by AT&T > > -----Original Message----- > From: Christian Herndler <christian(a)herndler.com> > Sender: vol-users-bounces(a)volatilityfoundation.org > Date: Wed, 17 Nov 2010 08:55:24 > To: <vol-users(a)volatilityfoundation.org> > Subject: [Vol-users] Problem converting hiberfil.sys > > Hello, > > I tried to convert a hiberfil.sys from WindowsXP SP0 German and get the > following error: > > . > /volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd > Traceback (most recent call last): > File "./volatility", line 219, in <module> > main() > File "./volatility", line 212, in main > modules[argv[1]].execute(argv[1], argv[2:]) > File "/opt/Volatility/vmodules.py", line 62, in execute > self.cmd_execute(module, args) > File "/opt/Volatility/vmodules.py", line 1616, in hibinfo > hiberAS = WindowsHiberFileSpace32(fileAS,0,0) > File "/opt/Volatility/forensics/win32/hiber_addrspace.py", line 146, > in __init__ > for i in range(0,EntryCount): > OverflowError: range() result has too many items > > any ideas ? > > Christian > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

14 years, 5 months

3
3
0 0

Problem converting hiberfil.sys

by Christian Herndler

Hello, I tried to convert a hiberfil.sys from WindowsXP SP0 German and get the following error: . /volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd Traceback (most recent call last): File "./volatility", line 219, in <module> main() File "./volatility", line 212, in main modules[argv[1]].execute(argv[1], argv[2:]) File "/opt/Volatility/vmodules.py", line 62, in execute self.cmd_execute(module, args) File "/opt/Volatility/vmodules.py", line 1616, in hibinfo hiberAS = WindowsHiberFileSpace32(fileAS,0,0) File "/opt/Volatility/forensics/win32/hiber_addrspace.py", line 146, in __init__ for i in range(0,EntryCount): OverflowError: range() result has too many items any ideas ? Christian

14 years, 5 months

1
0
0 0

[Vol-dev] New memory profile question

by neofito

Following the instructions provided by Bradley Schatz [1] I added a new profile for Windows Vista SP2. since the code is actively revised it's obvious that not all commands work how is expected, but I'm very surprised that the command kpcrscan always get the same value: C:\Volatility-1.4_rc1>volatility.py --profile=VistaSP2x86 -f vistasp2.dmp kpcrscan Volatile Systems Volatility Framework 1.4_rc1 Potential KPCR structure virtual addresses: Phys addr 00150000 Virt addr ffdff000 _KPCR: ffdff000 obviously this is not correct 0: kd> !pcr KPCR for Processor 0 at 81d45800: Major 1 Minor 1 NtTib.ExceptionList: ffffffff NtTib.StackBase: 00000000 NtTib.StackLimit: 00000000 NtTib.SubSystemTib: 80151000 NtTib.Version: 001d39f9 NtTib.UserPointer: 00000001 NtTib.SelfTib: 00000000 SelfPcr: 81d45800 Prcb: 81d45920 Irql: 00000002 IRR: 00000000 IDR: ffffffff InterruptMode: 00000000 IDT: 81bff400 GDT: 81bff000 TSS: 80151000 CurrentThread: 81d49640 NextThread: 00000000 IdleThread: 81d49640 DpcQueue: The volatility code version is the latest available via subversion (r493). [1] http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-… --- La verdad nos hara libres http://neosysforensics.blogspot.com http://www.wadalbertia.org -<|:-P[G]

14 years, 6 months

1
1
0 0

New memory profile question

by neofito

First, sorry for my poor english :( Following the instructions provided by Bradley Schatz [1] I dont get load the new profile: C:\Volatility-1.4_rc1>dir plugins\overlays\Windows\vista_* ... 26/09/2010 22:47 2.232 vista_sp0_x86.py 26/09/2010 22:48 2.357 vista_sp0_x86.pyc 26/09/2010 22:47 286.008 vista_sp0_x86_vtypes.py 26/09/2010 22:48 192.774 vista_sp0_x86_vtypes.pyc 01/10/2010 23:18 2.235 vista_sp2_x86.py 01/10/2010 23:19 2.360 vista_sp2_x86.pyc 01/10/2010 22:36 315.748 vista_sp2_x86_vtypes.py 01/10/2010 23:19 207.429 vista_sp2_x86_vtypes.pyc ... C:\Volatility-1.4_rc1>volatility.py --info Volatile Systems Volatility Framework 1.4_rc1 ... PROFILES -------- VistaSP0x86 - A Profile for Windows Vista SP0 x86 Win7SP0x86 - A Profile for Windows 7 SP0 x86 WinXPSP2 - A Profile for Windows XP SP2 WinXPSP3 - A Profile for windows XP SP3 ... What am I doing wrong? [1] http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-… --- La verdad nos hara libres http://neosysforensics.blogspot.com http://www.wadalbertia.org -<|:-P[G]

14 years, 6 months

2
1
0 0

Unable to locate valid DTB in image

by Zack Sheikh

Hi i am using dfrws forensic challenge image from 2005 (both images). when I tried any option (pslist, connections etc) i get Unable to locate valid DTB in image. When i use psscan or connscan, i get no output. i am using volatility version 1.3 on Ubuntu. Zack

14 years, 7 months

1
0
0 0

Please Ignore

by AAron Walters

Test AW

14 years, 8 months

1
1
0 0

Cannot read/dump modules

by Tora

Hi there, I'm trying to code an small tool to interact with users, hash modules and dump them... but this last part is not working properly. I have in my code something like: (self.addr_space, self.symtab, self.types) = vutils.load_and_identify_image(self.op, self.opts) ... for module in modules_list(self.addr_space, self.types, self.symtab): ... driver_base = module_baseaddr(self.addr_space, self.types, module) driver_size = module_imagesize(self.addr_space, self.types, module) data = self.addr_space.read(driver_base, driver_size) The problem is that using this code, data is always None. Tracing a bit I found that is because at some point, one of the pages cannot be read because a call to vtop return None (PTE = 0 for that page, but it shouldn't be). I've been testing the code with different memory images and I even get the same behaviour when testing it with NIST's xp-laptop dumps, so I'm quite sure it's not because a weird memory dump. So, any ideas of what I'm doing wrong? Also any hint about the best way of use the API would be nice. I mean, I'm using calls to module_baseaddr while other code I saw (moddump by moyix) uses things like mod.BaseAddress.v() Thanks, Tora

14 years, 9 months

2
1
0 0

Re: [Vol-users] Third Party plugins

by Jamie Levy

Hi Mark, Did you install the registry plugins (that contain hivescan)? Make sure you get all supporting libraries installed. You can check Moyix's blogpost (http://moyix.blogspot.com/2009/01/memory-registry-tools.html) on how to install/use it and there are also installation manuals on the Documentation wiki that cover it as well (http://code.google.com/p/volatility/wiki/DocFiles) Also, you may want to use the framework from the SVN (http://code.google.com/p/volatility/source/checkout) if you haven't already (there's also documentation on how to use SVN on the documenation wiki)... As Darren also said, the forensics wiki (http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins) has a pretty good list of current Volatility plugins. All the best, -gleeda > Date: Mon, 28 Jun 2010 22:09:02 +0000 (UTC) > From: mark-wade(a)comcast.net > Subject: [Vol-users] Third Party plugins > To: vol-users(a)volatilityfoundation.org > Message-ID: > <1973170622.78668.1277762942105.JavaMail.root(a)sz0109a.westchester.pa.mail.comcast.net> > > Content-Type: text/plain; charset="utf-8" > > > > Hello, > > > > I am trying to see if there is a list or repository anywhere for third party plugins . Also, I am running the hivescan with the1.3 Beta. I dumped the hivescan plugin package in the Volatility directory, but when I run it I am getting the message: Error: Invalid module [ hivescan ]. Are there any docs to address running third party apps with Volatility ? I am running it on Windows. > > > > Thanks

14 years, 9 months

1
0
0 0

Third Party plugins

by mark-wade＠comcast.net

Hello, I am trying to see if there is a list or repository anywhere for third party plugins . Also, I am running the hivescan with the1.3 Beta. I dumped the hivescan plugin package in the Volatility directory, but when I run it I am getting the message: Error: Invalid module [ hivescan ]. Are there any docs to address running third party apps with Volatility ? I am running it on Windows. Thanks

14 years, 9 months

2
1
0 0

Vista hibernation files

by Howard Patterson

I tried the hibr2dmp utility, but it fails on both my Vista possible hacking hibernation file, as well as a Vista 32-bit test hibernation file. Both contain a block of zeros at the beginning of the file. Howard Patterson Special Agent Technical Services Unit Tennessee Bureau of Investigation 615-744-4376 howard.patterson(a)tn.gov

14 years, 11 months

2
2
0 0

Vista hibernation files

by Howard Patterson

Is anyone working on extending Volatility to work with Vista? I have a hibernation file from a Vista (32-bit) machine and am searching for possible intrusion/hacking. Don't have ram capture. Howard Patterson Special Agent Technical Services Unit Tennessee Bureau of Investigation 615-744-4376 howard.patterson(a)tn.gov

14 years, 12 months

1
0
0 0

RE: FTK Lite

by Chris Currier

Bruce, Change the extension from ".txt" to ".bin" or maybe even try ".dmp" and then run Volatility. It has been a while since I have done it, but I believe you will want to use ".bin". Regards, Chris Chris Currier CMT Digital Solutions, Inc.

15 years

1
0
0 0

A Volatile Challenge: The Honeynet Project has Banking Troubles

by AAron Walters

The latest forensics challenge for The Honeynet Project involves investigating a memory sample of an infected virtual machine. In order to encourage research and development in the area of memory forensics, The Order of Volatility plans to augment the prizes awarded to those submissions in the top three which leverage The Volatility Framework. Even if you are a Volatility power-user who doesn't find the questions particularly interesting, we still encourage you to participate. To that end, we are also planning to recognize the submission that extends the Volatility Framework in the most unique or creative way (i.e., plugins, visualizations, etc). Submissions are due by 17:00 EST, Sunday, April 18th 2010. Shoutz to Josh Smith, a Volatility supporter, for helping to encourage research in the area of memory forensics! http://www.honeynet.org/challenges/2010_3_banking_troubles

15 years

1
0
0 0

Hidden Network connection?

by K Bertens

I did a memory and volatile data acquisition with Helix. While using the enscript version of volatility I found on the blog, I ran it against the memorydump and the TCP network connections scan showed a connection: 192.168.1.104:1142 81.169.145.x:80 3852 The strange thing is, I cant find the process accociated with processid 3852 in the enscript version with pslist. When I run the volatility program from a linux commandline I cant see any connection at all (with the options connscan and connscan2) and there is no process in plist with id 3852. In the volatile data report of Helix this connection isnt showing either. Of course I want to know what kind of process this is, can anyone help me? Thanks a lot, K Bertens

15 years

2
1
0 0

Fwd: [linux_forensics] Interested in a Sleuth Kit and Open Source Forensics Users Conference? (fwd)

by AAron Walters

Begin forwarded message: > From: Brian Carrier <carrier(a)digital-evidence.org> > Date: March 2, 2010 10:57:02 AM EST > Subject: [linux_forensics] Interested in a Sleuth Kit and Open Source Forensics Users Conference? > > We are thinking about hosting the first ever Sleuth Kit and Open Source > Forensics Users Conference this year on June 9 in Chantilly, VA (USA). > It would be held in conjunction with the Basis Technology Government > Users Conference (but it will be open to non-Government users). The goal > of the conference would be to announce some new Sleuth Kit features, > learn about how Sleuth Kit is integrated into other tools, learn about > other open source forensics tools, and get some ideas on future > directions of the tools. > > We have commitments from some companies who are willing to talk about > how they are using TSK and I next wanted to get an idea about who was > interested in attending or giving a presentation. Can you send me an > e-mail (off list) if you would be interested in attending or presenting? > If there is enough interest, then we'll see you in June! > > For those who want more location details, here is a link to the Basis > conference site: > http://www.basistech.com/conference/2010/directions.html > > thanks, > brian >

15 years, 1 month

1
0
0 0

Re:[Vol-users] connscan ouput question

by Jamie Levy

Just out of curiosity, was there message text in this email? I didn't get it for some reason... > Date: Mon, 1 Mar 2010 09:31:42 -0600 > From: "Schroeder, William" <William.Schroeder(a)cmegroup.com> > Subject: [Vol-users] connscan ouput question > To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org> > Message-ID: > <B61619049B3B8049A5F883C2822A080C0E11583318(a)SMAPEXMBX2.prod.ad.merc.chicago.cme.com> > > Content-Type: text/plain; charset="us-ascii" > > Skipped content of type multipart/alternative

15 years, 1 month

3
2
0 0

unable to load image

by Meyer, Bruce

I think I know the answer to this, but I want to be certain. I captured live memory with FTK Imager Lite (Current version) I am now trying to examine the memory, and receive: commandme : python volatility connections -f memdump.txt /work/Volatility-1.3_Beta/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha Usage: connections [options] (see --help) volatility: error: Unable to load image. Possible causes: invalid dtb, wrong image type, unsupported image type. I suspect that FTK doesn't create a linear image. I tried this on a Mac and WIndows. If this is correct, does anyone know of an open source tool I can analyze this ftk memory dump with? I can't recreate another. I tried wmft_0.2 but I think that this tool is in the early stages of development. I was only able to pul a lit of drivers with it. -- Bruce D. Meyer Analysis & Encryption (803) 896-0469 (803) 896-1650 (SOC) My Key Fingerprint is: 8BC3 14B5 CE77 3C83 F4A7 5353 3F27 97FF 0591 44F9 ------------------------- South Carolina Information Sharing and Analysis Center (SC-ISAC) Department of State I.T. (D.S.I.T) http://sc-isac.sc.gov ~-~-~-~-~-~-~-~-~-~-~-~-~- Upload your PGP public key, download or verify mine at: http://keys.cio.sc.gov<http://keys.cio.sc.gov/>

15 years, 1 month

3
2
0 0

connscan ouput question

by Schroeder, William

Has any one seen the following on the output from connscan? The connections are both external and the PID is impossibly high. 73.0.83.0:20992 69.0.71.0:21504 6029401

15 years, 1 month

1
0
0 0

FileObjScan Plugin

by Mark Morgan

While running the above plugin using Vol 1.3.2 I keep getting the following error. It runs just fine for few minutes then I get the error "Range results has too many items." My question, is this expected? or is this a bug? Here is the output: root@morgan-laptop:/digitalforensics/Volatility-1.3.2# ./volatility fileobjscan -f /home/morgan/Raw\ Memory/PhysicalMemory.bin > fileobj.txt Traceback (most recent call last): File "./volatility", line 219, in <module> main() File "./volatility", line 215, in main command.execute() File "/digitalforensics/Volatility-1.3.2/memory_plugins/fileobjscan.py", line 257, in execute scan_addr_space(search_addr_space, scanners) File "/digitalforensics/Volatility-1.3.2/forensics/win32/scan2.py", line 218, in scan_addr_space o.process(chunk,as_offset+poffset, metadata=metadata) File "/digitalforensics/Volatility-1.3.2/forensics/win32/scan2.py", line 148, in process self.process_buffer(buf,self.offset,metadata) File "/digitalforensics/Volatility-1.3.2/forensics/win32/scan2.py", line 425, in process_buffer self.object_action(buff,ooffset) File "/digitalforensics/Volatility-1.3.2/memory_plugins/fileobjscan.py", line 190, in object_action for i in range(count): OverflowError: range() result has too many items Mark Morgan

15 years, 2 months

3
2
0 0

Error when using Printkey

by Mark Morgan

I am trying to use printkey against a Windows XP image and keep getting an error when I use printkey. I have also provided the commands I used for hivescan and hivelist which work great but printkey does not. Does anyone have any suggestions as to why. I initially thought it was because it was SP3 so I ran the same plugins against the xp-laptop-2005-06-25.img that was suggested to use in Brendan's guide but I get the same results. Anyone have any thoughts as to why??? Mark Morgan 702-942-2556 morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin Offset (hex) 181006344 0xac9f008 181033824 0xaca5b60 189972488 0xb52c008 202671368 0xc148508 544586592 0x2075bb60 642878304 0x26518b60 643895304 0x26611008 678736920 0x2874b418 740933640 0x2c29c008 742706016 0x2c44cb60 789179232 0x2f09eb60 798029088 0x2f90f520 1107776776 0x42075508 1874516240 0x6fbad910 morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008 Address Name 0xe6348910 \Documents and Settings\144553\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat 0xebe6e508 \Documents and Settings\144553\NTUSER.DAT 0xe8287508 \WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat 0xe1895520 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat 0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT 0xe1396008 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat 0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT 0xe4f8eb60 \WINDOWS\system32\config\SAM 0xe77b9b60 \WINDOWS\system32\config\SECURITY 0xe77cd008 \WINDOWS\system32\config\SOFTWARE 0xe77ca418 \WINDOWS\system32\config\DEFAULT 0xe18b6008 [no name] 0xe1035b60 \WINDOWS\system32\config\SYSTEM 0xe102e008 [no name] morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60 Key name: [9252] (Stable) Last updated: Wed Jul 29 02:08:26 2009 Subkeys: Traceback (most recent call last): File "./volatility", line 219, in <module> main() File "./volatility", line 215, in main command.execute() File "memory_plugins/registry/printkey.py", line 97, in execute for s in subkeys(key): File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", line 144, in subkeys s.is_valid() and s.Signature == NK_SIG] AttributeError: 'int' object has no attribute 'is_valid' morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin Image Name: /home/morgan/Memory Images/PhysicalMemory.bin Image Type: Service Pack 3 VM Type: pae DTB: 0x33e000 Datetime: Tue Aug 04 11:02:35 2009

15 years, 2 months

4
10
0 0

Need help: Can anyone provide information about plug-ins for volatility framework, especially used for Linux

by yuhang gao

Dear developers, I would like to work on the memory forensics of Linux and I know many researchers have written plug-ins for volatility framework. I 'd appreciate anyone who provides me with information about them, especially plug-ins for Linux. I am going to write some ones, so your kindness would help me save a lot of time. Thanks a lot. Yuhang Gao

15 years, 3 months

4
7
0 0

Need help with error when using dmp2raw

by Adrian Sanabria

When running dmp2raw on a small (256MB) Windows crash dump, I get the following: Traceback (most recent call last): | Time Remaining: --:--:-- File "volatility", line 219, in <module> main() File "volatility", line 212, in main modules[argv[1]].execute(argv[1], argv[2:]) File "/root/memory_analysis/Volatility-1.3_Beta/vmodules.py", line 62, in execute self.cmd_execute(module, args) File "/root/memory_analysis/Volatility-1.3_Beta/vmodules.py", line 1746, in dmp2raw crash_to_dd(flat_address_space, types, opts.outfile) File "/root/memory_analysis/Volatility-1.3_Beta/forensics/win32/crashdump.py", line 721, in crash_to_dd for j in xrange(0, PageCount*0x1000, 0x1000): OverflowError: long int too large to convert to int dmpchk gives me the following info about this file: DUMP_HEADER32: MajorVersion 0x0000000f MinorVersion 0x00001772 KdSecondaryVersion 0x00000041 DirectoryTableBase 0x00122000 PfnDataBase 0x83200000 PsLoadedModuleList 0x81f5fc70 PsActiveProcessHead 0x81f55990 MachineImageType 0x0000014c NumberProcessors 0x00000002 BugCheckCode 0x0000007f PaeEnabled 0x00000001 KdDebuggerDataBlock 0x81f3fc98 ProductType 0x00000001 SuiteMask 0x00000110 WriterStatus 0x45474150 Physical Memory Description: Number of runs: 2 FileOffset Start Address Length 00001000 00001000 0009a000 0009b000 00100000 dcf4d000 dcfe7000 dd04c000 Any idea what the problem might be?

15 years, 3 months

1
0
0 0

Re: [Vol-users] Need help: Can anyone provide information about plug-ins for volatility framework, especially used for Linux

by Jamie Levy

Hi Yuhang, Welcome to the Volatility users list! While you have been pointed to a wiki of all publicly maintained plugins, some of the Linux code may not be so easy to find. The Linux code for the DFRWS 2008 Forensic Challenge is located in the PyFlag repository: http://www.pyflag.net/pyflag/src/plugins/MemoryForensics/Volatility-1.3_Lin… Further details are available here: http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-ma… Some Linux code has been pulled into the 1.4_beta1 branch of the Volatility SVN repository which you can browse at the following: http://code.google.com/p/volatility/source/browse/#svn/branches/Volatility-… or download: svn checkout http://volatility.googlecode.com/svn/branches/Volatility-1.4_beta1/ volatility This branch may not be stable, but you can have a look at the Linux plugins. If you need more help feel free to visit the #volatility channel on freenode (IRC). All the best, -Jamie > Date: Fri, 1 Jan 2010 20:08:32 +0800 > From: yuhang gao <rainman1919(a)gmail.com> > Subject: [Vol-users] Need help: Can anyone provide information about > plug-ins for volatility framework, especially used for Linux > To: vol-users(a)volatilityfoundation.org > > Dear developers, > I would like to work on the memory forensics of Linux and I know many > researchers > have written plug-ins for volatility framework. I 'd appreciate anyone > who provides me with > information about them, especially plug-ins for Linux. I am going to > write some ones, > so your kindness would help me save a lot of time. > Thanks a lot. > Yuhang Gao

15 years, 3 months

3
2
0 0

line 108

by zahra zohoor

Hi I have installed Windows XP SP3. I have got an image with Windd and have installed Python 3.1 I used the following command: python volatility pslist -f memory.dd I get this error: File "volatility" , line 108 print "\tSupported Commands:" SyntaxError: invalid syntax Please please help me...this means so much to me Best Regards Zahra

15 years, 4 months

2
1
0 0

Doubt on a new project

by Rodrigo Albernaz

Hi all, I am new on the list. I am trying to develop a project for a master in computer engineering about volatile memory. Can you help me with some ideas ? What is being research on this kind of assumption ? Where I find what have been developed and what's not ? Thanks attention. Rodrigo

15 years, 4 months

1
0
0 0

Extracting commands

by Jesse Lands

I'm wondering if there is a plugin/command to extract commands that have been run in the past via RDP/telnet etc...I have taken a look at few things, but usually I would look in the csrss.exe process dump. However, we went to an overall memory dump recently and it makes it a little more difficult to parse through. Thanks for any input Jesse

15 years, 4 months

1
0
0 0

hibernation files

by Matthew Donovan

On this mailing list there was some discussion about hibernation files with the first page (0x1000 bytes) zeroed out. The SVN version of hibinfo converts one of these "inactive" hibernation files into a raw dd-type image. But that seems to be all the support it currently has. As an experiment, we changed is_hiberfil() to always return True and ran the Volatility commands on an inactive hibernation file. They all appear to run successfully. So this leads to a few questions: 1) Was that just a fluke of the file we used that the Volatility commands worked? 2) Are there any plans to identify/support hibernation files with the first page zeroed out? 3) Can we assume that a file with the first 0x1000 bytes zeroed out is a hibernation file? 4) If the answer to (2) is 'no' and the answer to (3) is 'yes', where can we submit a patch? Thanks -matthew

15 years, 5 months

3
3
0 0

OMFW 2010!

by AAron Walters

After the amazing success of OMFW 2008 and a little hiatus in 2009, we are currently in the process of planning OMFW 2010. If you are interested in getting involved or have an exciting topic you would like to present, please let the team know. For those who want to attend, please be sure to stay tuned for registration details. Due to the overwhelming response in 2008, we were not able to fulfill all the registration requests, so please be sure to register early! There will be a number of surprises and I guarantee it will be an event you won't want to miss! Links from OMFW 2008: https://www.volatilityfoundation.org/default/omfw http://volatilesystems.blogspot.com/2008/08/open-memory-forensics-workshop-… http://isc.sans.org/diary.html?storyid=4895 http://taosecurity.blogspot.com/2008/08/thoughts-on-omfw-and-dfrws-2008.html AW

15 years, 6 months

1
0
0 0

hibinfo script

by Mark Morgan

I have a hiberfil.sys file from a windows xp sp3 machine and I am trying to convert it to dd using the hibinfo script in volatility. I keep getting an error half through the script as follows: $ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\ Morgan/My\ Doc uments/Hiberfil\ Test/hiberfil.sys -d /c/Documents\ and\ Settings/Mark\ Morgan/ My\ Documents/Hiberfil\ Test/hiber.dd Signature: SystemTime: Thu Jan 01 00:00:00 1970 Control registers flags CR0: 80010031 CR0[PAGING]: 1 CR3: 0afc0080 CR4: 000006f1 CR4[PSE]: 1 CR4[PAE]: 1 Traceback (most recent call last): File "volatility", line 219, in <module> main() File "volatility", line 212, in main modules[argv[1]].execute(argv[1], argv[2:]) File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute self.cmd_execute(module, args) File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo (major,minor,build) = hiberAS.get_version() File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 452, in get_version addr_space = IA32PagedMemoryPae(self,self.CR3) NameError: global name 'IA32PagedMemoryPae' is not defined I am wondering if it is because this is a sp3 box??? Any help would be appreciated. Mark Morgan 702-942-2556

15 years, 6 months

2
2
0 0

Re: [Vol-users] hibinfo script

by Richard Gilleland

Mark, Let me know if you figure it out. I just tried the same command and received the following error; ====================================================================== C:\Python25>python \Volatility3\volatility hibinfo -f c:\hiberfil_test\hiberfil.sys -d c:\hibertest.dd Signature: SystemTime: Thu Jan 01 00:00:00 1970 Control registers flags CR0: 00010000 CR0[PAGING]: 0 CR3: 7aed0001 CR4: 00010000 CR4[PSE]: 0 CR4[PAE]: 0 Traceback (most recent call last): File "\Volatility3\volatility", line 219, in <module> main() File "\Volatility3\volatility", line 212, in main modules[argv[1]].execute(argv[1], argv[2:]) File "C:\Volatility3\vmodules.py", line 62, in execute self.cmd_execute(module, args) File "C:\Volatility3\vmodules.py", line 1677, in hibinfo (major,minor,build) = hiberAS.get_version() File "C:\Volatility3\forensics\win32\hiber_addrspace.py", line 467, in get_version ['_KGDTENTRY','BaseLow'], NtTibAddr) File "C:\Volatility3\forensics\object.py", line 206, in read_obj return read_value(addr_space, current_type, vaddr + offset) File "C:\Volatility3\forensics\object.py", line 71, in read_value buf = addr_space.read(vaddr, type_size) File "C:\Volatility3\forensics\x86.py", line 124, in read paddr = self.vtop(vaddr) File "C:\Volatility3\forensics\x86.py", line 109, in vtop if self.entry_present(pgd): File "C:\Volatility3\forensics\x86.py", line 72, in entry_present if (entry & (0x00000001)) == 0x00000001: TypeError: unsupported operand type(s) for &: 'NoneType' and 'int' ================================================================== Detective Ritch Gilleland, EnCE, CCI Sacramento Police Department Office: 916-808-0564 RGilleland(a)pd.cityofsacramento.org >>> Mark Morgan <mark.morgan47(a)gmail.com> 10/06/09 9:48 AM >>> I have a hiberfil.sys file from a windows xp sp3 machine and I am trying to convert it to dd using the hibinfo script in volatility. I keep getting an error half through the script as follows: $ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\ Morgan/My\ Doc uments/Hiberfil\ Test/hiberfil.sys -d /c/Documents\ and\ Settings/Mark\ Morgan/ My\ Documents/Hiberfil\ Test/hiber.dd Signature: SystemTime: Thu Jan 01 00:00:00 1970 Control registers flags CR0: 80010031 CR0[PAGING]: 1 CR3: 0afc0080 CR4: 000006f1 CR4[PSE]: 1 CR4[PAE]: 1 Traceback (most recent call last): File "volatility", line 219, in <module> main() File "volatility", line 212, in main modules[argv[1]].execute(argv[1], argv[2:]) File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute self.cmd_execute(module, args) File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo (major,minor,build) = hiberAS.get_version() File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 452, in get_version addr_space = IA32PagedMemoryPae(self,self.CR3) NameError: global name 'IA32PagedMemoryPae' is not defined I am wondering if it is because this is a sp3 box??? Any help would be appreciated. Mark Morgan 702-942-2556

15 years, 6 months

3
2
0 0

Re: [Vol-users] hibinfo script

by Andreas Schuster

I'm sorry, that by far exceeds my knowledge about the hibernate stuff. I don't even have a suitable file for testing on stock. Could someone else please look into this? Thanks, Andreas Mark Morgan: > Andreas, > > Thanks for the quick reply. I changed the line as requested and here > is the error I get: > > $ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\ > Morgan/My\ Doc > uments/sandman/hiberfil.sys -d hiber.dd > Signature: > SystemTime: Thu Jan 01 00:00:00 1970 > > Control registers flags > CR0: 80010031 > CR0[PAGING]: 1 > CR3: 0afc0080 > CR4: 000006f1 > CR4[PSE]: 1 > CR4[PAE]: 1 > Traceback (most recent call last): > File "volatility", line 219, in <module> > main() > File "volatility", line 212, in main > modules[argv[1]].execute(argv[1], argv[2:]) > File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute > self.cmd_execute(module, args) > File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo > (major,minor,build) = hiberAS.get_version() > File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", > line 467, in > get_version > ['_KGDTENTRY','BaseLow'], NtTibAddr) > File "c:\Volatility-1.3_Beta\forensics\object.py", line 246, in > read_obj > return read_value(addr_space, current_type, vaddr + offset) > File "c:\Volatility-1.3_Beta\forensics\object.py", line 71, in > read_value > buf = addr_space.read(vaddr, type_size) > File "c:\Volatility-1.3_Beta\forensics\x86.py", line 313, in read > paddr = self.vtop(vaddr) > File "c:\Volatility-1.3_Beta\forensics\x86.py", line 294, in vtop > if not self.entry_present(pdpe): > File "c:\Volatility-1.3_Beta\forensics\x86.py", line 239, in > entry_present > if (entry & (0x00000001)) == 0x00000001: > TypeError: unsupported operand type(s) for &: 'NoneType' and 'int' > > And here is the portion of the hiber_addrspace.py that I changed: > > from forensics.addrspace import FileAddressSpace > import forensics.x86 > from forensics.object import * > from forensics.win32.xpress import xpress_decode > from thirdparty.progressbar import * > from forensics.win32.datetime import * > from vtypes import xpsp2types as types > from forensics.x86 import IA32PagedMemory,IA32PagedMemoryPae > > > Mark Morgan > > On Tue, Oct 6, 2009 at 11:06 AM, Andreas Schuster > <a.schuster(a)yendor.net> wrote: > Mark, > > Thank you for your bug report. > > > CR4[PAE]: 1 > > > File "c:\Volatility-1.3_Beta\forensics\win32 > \hiber_addrspace.py", > > line 452, in > > get_version > > addr_space = IA32PagedMemoryPae(self,self.CR3) > > NameError: global name 'IA32PagedMemoryPae' is not defined > > > I am wondering if it is because this is a sp3 box??? Any > help would > > be appreciated. > > > No, it happens because the system was in PAE mode (CR4[PAE]: > 1), but the > programmer forgot to import the PAE address space. > > Please edit forensics/win32/hiber_addrspace.py, line 43, to > become: > from forensics.x86 import IA32PagedMemory, IA32PagedMemoryPae > > Please let us know if this fixes the problem. > > Thanks! > Andreas > >

15 years, 6 months

2
1
0 0

Help with ModDump

by Mark Morgan

I am using WIN XP SP 2, python 2.6.2 and the 1.3 beta of volatility. I can get all the scripts to work just fine except those that require a dump. I am trying to dump the mods out of memory using the following syntax: python volatility moddump -f /c/memory.img > /f/dumps I have also tried with the backslash and forward slash but I either get the error: "File exists" or "Access Denied" Any help would be appreciated. Mark Morgan DOE/CIRC Las Vegas, NV

15 years, 9 months

5
4
0 0

New and Updated Volatility Plug-ins

by AAron Walters

http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Volatility contributor Michael Hale Ligh has recently released a number of new and updated plugins. * idt.py: printing the Interrupt Descriptor Table (IDT) addresses * driverirp.py: printing driver IRP function addresses * usermode_hooks2.py: updated usermode hook detection plug-in * kernel_hooks.py: detects IAT, EAT, and in-line hooks in kernel drivers * orphan_threads.py: detects hidden system/kernel threads * malfind2.py: updated plugin for detecting hidden/injected code in usermode processes His blog post also demonstrates how each plugin can be useful for detecting different types of malware. Please take some time to test these plugins and send Michael any feedback you may have. Shouts to MHL for his contributions to the Volatility community! Thanks, AW

15 years, 9 months

1
0
0 0

Unexplained Errors

by Robert Miller

Hello Everyone, I have been dumping memory on a few systems and when I go to process the memory images I get different errors, some of these I think I've found the answers but not sure on others. Here are the errors I have seen: procdump: ======= Memory Not Accessible: Virtual Address: 0x4ad50000 File Offset: 0x50000 Size: 0x1000 pslist: ==== volatility_v1.3/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha *** Unable to load module malfind: No module named pydasm *** Unable to load module malfind: No module named pydasm datetime: ====== /volatility_v1.3/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha *** Unable to load module malfind: No module named pydasm *** Unable to load module malfind: No module named pydasm I believe the DeprecationWarning is due to the version of Python, which is 2.6.2 The malfind module, not sure why I downloaded the module and have not looked into it, however there should not be an issue, but there is. Any Advice? Thanks, Robert

15 years, 9 months

2
1
0 0

decompression of hyberfil.sys

by Michael Felber , Steufa Chemnitz, IT-Forensik

Hello all, I have posted this twice because the decompression issue should be moved to vol-dev as Aaron suggested. yesterday Andreas did provide a hiberfil.sys for decompression testing. Thanks a lot again. I have processed it twice with X-Ways-Forensics 15.3 SR3 and Volatility (SVN-release). The good news: Both result files are identical. The bad news: I dont have any clue why the decompression of my case relevant hiberfil.sys did not properly work with volatility but did with XWF. If anyone other needs a hiberfil.sys decompressed with XWF for testing, do not hesitate to ask me. We have the most recent releases here. (I am back on the 29th of July) I did compare the vol and the XWF-version of my case files but I cant interpret or explain the differences. What should I look for? BR Michael Michael Felber, StA Finanzamt Chemnitz-Süd Steuerfahndung IT-Forensik Paul-Bertz-Str. 1 D-09120 Chemnitz Germany Fon: +49 371 279 446 Fax. +49 371 279 421

15 years, 9 months

1
0
0 0

Re: [Vol-users] Volatility Call for Bugs

by Andreas Schuster

All, Maybe I can help with the test case. I could reactivate the VM that I created to research the non-paged pool persistence about a year ago. It's a clean install of Windows XP, 32 bit, Service Pack 2, and only a few background services running. What are your opinions on the following test plan: 1. start VM, boot Windows 2. enable hibernation 3. suspend VM 4. copy VMEM to prehib.vmem 5. resume VM 6. cause system to hibernate, VM stops 7. map system disk 8. copy hiberfil.sys 9. unmap system disk 10. start VM, resume Windows 11. suspend VM 12. copy VMEM to posthib.vmem 13. Compare prehib.vmem and posthib.vmem page by page (assuming a page size of 4kiB, and neglecting large pages here). Assume, that identical pages also were unchanged at time of hibernation. 14. Process hiberfil.sys by tool of choice. Verify, that unchanged pages (step 13) match. This would give us a first estimate of quality. A thorough test would require a hiberfil.sys that has been constructed such that every possible code path (in the original algorithm) is executed at least once. But, unfortunately, that exceeds my abilities. Cheers, Andreas

15 years, 9 months

2
1
0 0

Volatility Call for Bugs

by AAron Walters

Jesse Kornblum, our favorite geek raised by wolves, has graciously agreed to help prepare the next release of Volatility. Please take some time and report any bugs you may have encountered. It's great to see people willing to step up and contribute back to the community! Remember, Volatility is powered by the people! If you are waiting for something to get worked on, it will get done a lot faster the more you are willing to contribute. Shouts to Jesse! http://jessekornblum.livejournal.com/253092.html Thanks, AW

15 years, 9 months

2
2
0 0

Analyzing a hiberfil.sys

by Michael Felber , Steufa Chemnitz, IT-Forensik

Hello folks, I am new to volatility but used it successfully several times. Thank to all contributors. Today I wanted to analyze some hibernation files with it but had no success: python volatility hibinfo -f "G:\X-Ways-Images\##bad guy##\RAM-Analyse\hiberfil-NB-###-ohne-Slack.sys" -d "g:\X-Ways-Images\##bad guy##\RAM-Analyse\hiberfil-NB-###-ohne-Slack-decom-vola.sys" C:\Micha\Forensics\Volatility\forensics\win32\crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha Signature: SystemTime: Thu Jan 01 00:00:00 1970 Control registers flags CR0: 80010031 CR0[PAGING]: 1 CR3: 0a338080 CR4: 000006f9 CR4[PSE]: 1 CR4[PAE]: 1 Traceback (most recent call last): File "volatility", line 219, in <module> main() File "volatility", line 212, in main modules[argv[1]].execute(argv[1], argv[2:]) File "C:\Micha\Forensics\Volatility\vmodules.py", line 62, in execute self.cmd_execute(module, args) File "C:\Micha\Forensics\Volatility\vmodules.py", line 1677, in hibinfo (major,minor,build) = hiberAS.get_version() File "C:\Micha\Forensics\Volatility\forensics\win32\hiber_addrspace.py", line 452, in get_version addr_space = IA32PagedMemoryPae(self,self.CR3) NameError: global name 'IA32PagedMemoryPae' is not defined The OS to be analyzed is WinXP SP 2. I used X-Ways-Forensics to cut the slack of the hiberfil.sys off. XWF did successfully decompress the so cutted file and interpret it as a virtual RAM-filesystem. I had more than one hiberfil to look at but non did work with volatility hibinfo. Has anyone made experiences with that? Any help appreciated. Regards Michael Felber Special agent Germany

15 years, 9 months

3
3
0 0

AW: AW: Analyzing a Hiberfil.sys

by Michael Felber , Steufa Chemnitz, IT-Forensik

Hello Brendan, hello all thanks a lot for the carefree-all-around zip package. It works fine. The hiberfil.sys gets decompressed now. Thanks a lot to all other for their useful hints. I have processed a "shortened" version of the original file without the hiberfil-slack. Now both programs (vol and WinHex) did decompress the file BUT: The files have the same length but different md-5-sums because of 'some' binary differences. At the moment I don't know, which version is the 'right'. Both mapped with X-Ways Forensics generated the following results: WinHex-version: totally 1.465 objects, Volatility-version: 1.363 objects I have compared the results and found, that some minor objects in the xwf-version are duped but some objects are not found in the vol-version. I have attached a list of the "missed" objects, quick and dirty, simply sorted by name. Maybe someone has a clue what may have caused this difference. Currently I try to find a way to compare extracted objects by vol and XWF. BR Michael @Andreas: Thanks for the offer to call you, will do that but need your "Telefonnummer"... -----Ursprüngliche Nachricht----- Von: Dolan-gavitt, Brendan F [mailto:brendandg@gatech.edu] Gesendet: Donnerstag, 2. Juli 2009 20:20 An: AAron Walters Cc: Michael Felber , Steufa Chemnitz, IT-Forensik Betreff: Re: AW: Analyzing a Hiberfil.sys I did indeed--you can get it here: http://amnesia.gtisc.gatech.edu/~moyix/Volatility-SVN.zip -Brendan ----- Original Message ----- From: "AAron Walters" <awalters(a)4tphi.net> To: "Michael Felber , Steufa Chemnitz, IT-Forensik" <MichaelFelber(a)gmx.net> Cc: brendandg(a)gatech.edu Sent: Thursday, July 2, 2009 11:13:55 AM GMT -05:00 US/Canada Eastern Subject: Re: AW: Analyzing a Hiberfil.sys Michael, You will need to check out the entire repository. At one point, Brendan created a zip file. Thanks, AW On Thu, 2 Jul 2009, Michael Felber , Steufa Chemnitz, IT-Forensik wrote: > Hello Aaron, > > have downloaded most of the new files but got volatility crashed with that. > I assume I have to download ALL the new released files manually an copy them > to their destination? Or is there a new complete package available? > > Cu > > Michael > > -----Ursprüngliche Nachricht----- > Von: AAron Walters [mailto:awalters@4tphi.net] > Gesendet: Donnerstag, 2. Juli 2009 16:22 > An: Michael Felber , Steufa Chemnitz, IT-Forensik > Cc: brendandg(a)gatech.edu > Betreff: Re: Analyzing a Hiberfil.sys > > > > Michael, > > Thanks for the email. I'm glad you have found Volatility useful. You may > want to check out the latest version from the svn repository which > includes a number of bug fixes. Let me know if it generates the same > errors. > > http://code.google.com/p/volatility/source/checkout > > Thanks, > > AW > > > On Thu, 2 Jul 2009, Michael Felber , Steufa Chemnitz, IT-Forensik wrote: > >> Hello, >> >> >> >> I am new to volatility but I am very impressed by the capabilities of that >> tool collection. I have already used it in a couple of cases and found >> interesting clues for further investigation more than one time. Thanks a >> lot, great tool. >> >> >> >> I used v 1.3 Beta with Python 2.6.2. to analyze a hiberfil.sys. The try > to >> decompress it produced the following error message: >> >> >> >> C:\Micha\Forensics\Volatility>python volatility hibinfo -f >> "F:\X-Ways-Images\##bad guy##\RAM-Analyse\NB Asus, Partition >> 2\hiberfil-NB-ASUS.sys" –d "hiberfil-NB-ASUS-vol.sys" >> >> C:\Micha\Forensics\Volatility\forensics\win32\crashdump.py:31: >> DeprecationWarning: the sha module is deprecated; use the hashlib module >> instead >> >> import sha >> >> Signature: >> >> SystemTime: Thu Jan 01 00:00:00 1970 >> >> >> >> Control registers flags >> >> CR0: 000212dd >> >> CR0[PAGING]: 0 >> >> CR3: 0001d69f >> >> CR4: 00020160 >> >> CR4[PSE]: 0 >> >> CR4[PAE]: 1 >> >> Traceback (most recent call last): >> >> File "volatility", line 219, in <module> >> >> main() >> >> File "volatility", line 212, in main >> >> modules[argv[1]].execute(argv[1], argv[2:]) >> >> File "C:\Micha\Forensics\Volatility\vmodules.py", line 62, in execute >> >> self.cmd_execute(module, args) >> >> File "C:\Micha\Forensics\Volatility\vmodules.py", line 1677, in hibinfo >> >> (major,minor,build) = hiberAS.get_version() >> >> File "C:\Micha\Forensics\Volatility\forensics\win32\hiber_addrspace.py", >> line 452, in get_version >> >> addr_space = IA32PagedMemoryPae(self,self.CR3) >> >> NameError: global name 'IA32PagedMemoryPae' is not defined >> >> >> >> Options –q, -t pae|nopae did not help. >> >> >> >> What went wrong? >> >> >> >> Kindest regards >> >> >> >> Michael Felber >> >> Agent in charge >> >> >> >> Michael Felber, StA >> >> Finanzamt Chemnitz-Süd >> >> Steuerfahndung >> >> IT-Forensik >> >> Paul-Bertz-Str. 1 >> >> D-09120 Chemnitz >> >> Germany >> >> >> >> Fon: +49 371 279 446 >> >> Fax. +49 371 279 421 >> >> >> >> >:

15 years, 9 months

1
0
0 0

Re: [Vol-users] Analyzing a hiberfil.sys

by Matthieu Suiche

Agreed with Andreas. The first page is propably empty. I dont have the last version of XWays. Anyway, Ill release in the following months a package of useful tools for file conversion. Including a hibr2bin.exe tool with Windows 2000 support. Kind Regards, -- Matthieu Suiche On Thu, Jul 2, 2009 at 5:14 PM, Andreas Schuster<a.schuster(a)yendor.net> wrote: > Hello Michael, > >> Signature: > > I'd expect to see "hibr" here. Please check whether the file starts with the > proper magic string. Or did you already decompress the file? If so, then > please either decompress the original file using "hibinfo" or try "ident" on > the existing one. > > Regarding Matthieu's post: As far as I know, X-Ways switched to a different > implementation of the decompression algorithm after my blog post appeared. I > *think* it works as expected, but as a customer you may want to ask them for > their (internal) test results and methodology, just to be sure. > > I'll be back to my office on Tuesday. Feel free to give me a call if the > problem persists. > > Viele Gruesse, > Andreas > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >

15 years, 9 months

1
0
0 0

Volatility Plug-in for IAT/EAT/Inline Hook Detection

by AAron Walters

http://mnin.blogspot.com/2009/05/volatility-plug-in-for-iateatinline.html Michael Hale Ligh has created another new Volatility plugin for malware analysts. This plug-in called usermode_hooks.py can be used to detect IAT/EAT/Inline rootkit hooks in usermode processes. I'm sure he would appreciate testing help and any feedback you are able to provide. Shouts to MHL! Thanks, AW

15 years, 11 months

1
0
0 0

Re: [Vol-users] Volatility's Network Connections

by david＠sharpebusinesssolutions.com

I concur with your point about needing to use all three tools. Each has its own strengths and weaknesses. I use HBGary Responder Pro primarily and fall over to Volatility or Mandiant Memoryze when I come across something HBGary can't do (or I don't know how to do in HBGary). To your point about analyzing network connections, I have recently observed cases where Volatility "connections" produces no output at all and HBGary does. In that situation Volatility "connscan" does find connections, but the lists doesn't 100% match HBGary. I am also a little concerned about what appears to me to be a drop in development activity around Volatility. Is Mandiant Memoryze going to take over the top slot? Right now, I see Mandiant Memoryze as third best behind HBGary and Volatility, but Volatility can't stand still. For example, does anyone know if there any plans to provide functionaility similar to HBGary's new Digital DNA in Volatility? If anyone wants to share information or experiences across all three applications or memory dump analysis in general, feel free to contact me at david(a)sharpebusinesssolutions.com. -- David --- cutaway(a)cutawaysecurity.com wrote: From: "Don C. Weber" <cutaway(a)cutawaysecurity.com> To: vol-users(a)volatilesystems.com Subject: [Vol-users] Volatility's Network Connections Date: Wed, 6 May 2009 08:48:47 -0500 I wanted to let you know that while using Volatility and several other memory analysis tools I received some conflicting information associated with network connections. I did a quick blog post on the subject that can be read here: http://www.cutawaysecurity.com/blog/archives/523 . It looks like Volatility shows more information than the others in some instances. Also, if you have additional information or detail on this please post a comment or let me know so that I can add an update to the post. -- -------------------------- Don C. Weber Information Security Consultant Cutaway Security CISSP, GIAC ######################################### Website: http://www.cutawaysecurity.com _______________________________________________ Vol-users mailing list Vol-users(a)volatilesystems.com http://lists.volatilesystems.com/mailman/listinfo/vol-users

15 years, 11 months

7
6
0 0

Re: [Vol-users] Volatility's Network Connections

by david＠sharpebusinesssolutions.com

The Volatility connscan and connscan2 output are identical byte-for-byte against the dump I am talking about. "Connections" terminates gracefully with no console output in tcb_connections in network.py after having trouble locating the right data structure to walk in my dump file. Thank you for taking the time to respond. I wasn't really asking for help with anything in my initial reply to this thread. I was just trying to support the original author's assertion that there are differences between the various commercial and non-commercial solutions in the Windows memory dump analysis space. In my view, all three that I personally have experience with so far: Volatility, HBGary Responder, and Mandiant Memoryze all have their own strengths and weaknesses. I see this space just like hard drive or mobile device forensics - each of the leading vendors has their strong points and sometimes you need to combine the results of multiple tools to get the best results. -- David --- taosecurity(a)gmail.com wrote: From: Richard Bejtlich <taosecurity(a)gmail.com> To: david(a)sharpebusinesssolutions.com Cc: "Don C. Weber" <cutaway(a)cutawaysecurity.com>, vol-users(a)volatilesystems.com Subject: Re: [Vol-users] Volatility's Network Connections Date: Mon, 11 May 2009 10:15:48 -0400 On Thu, May 7, 2009 at 10:12 AM, <david(a)sharpebusinesssolutions.com> wrote: > > > I concur with your point about needing to use all three tools. Each has its own strengths and weaknesses. I use HBGary Responder Pro primarily and fall over to Volatility or Mandiant Memoryze when I come across something HBGary can't do (or I don't know how to do in HBGary). > > To your point about analyzing network connections, I have recently observed cases where Volatility "connections" produces no output at all and HBGary does. In that situation Volatility "connscan" does find connections, but the lists doesn't 100% match HBGary. > Hi David, When you say "connscan", have you also used "connscan2"? Thank you, Richard _______________________________________________ Vol-users mailing list Vol-users(a)volatilesystems.com http://lists.volatilesystems.com/mailman/listinfo/vol-users

15 years, 11 months

1
0
0 0

Volatility's Network Connections

by Don C. Weber

I wanted to let you know that while using Volatility and several other memory analysis tools I received some conflicting information associated with network connections. I did a quick blog post on the subject that can be read here: http://www.cutawaysecurity.com/blog/archives/523 . It looks like Volatility shows more information than the others in some instances. Also, if you have additional information or detail on this please post a comment or let me know so that I can add an update to the post. -- -------------------------- Don C. Weber Information Security Consultant Cutaway Security CISSP, GIAC ######################################### Website: http://www.cutawaysecurity.com

15 years, 11 months

2
2
0 0

Acquiring data and support for Win2k3.

by Richard Miles

Hello volatile users, It's my first post, I'm not in the forensics Industry, I'm more like a curious... I'm very impressed with volatile system. Amazing project. Someone know if there any any plan to add support to Windows 2003 in Volatility? It should be awesome. Speaking a bit about acquiring data. I use mdd in general. However I always only copy a small amount of ram (256 mb in average), because try copy the whole system memory result in crashes. There is anyway to copy most data as possible without disrupt windows? In general, how do you deal with this problem? Thank you. R.

16 years

1
0
0 0

Volatility as an executable program

by Hermann Lizelfelner

Hallo! I'm currently working on a forensic aquisition tool to get live data from a running system. I want to extend the tool with volatility and therefore make the tool independent from an installed python on the system volatility is executed. What's the best possibility to have a "mobile" volatility? I tried py2exe but it is not trivial to include all the needed modules and dlls needed to run volitility correct. Currently the volatility-exe created with py2exe is only running when python is installed on the system. Has somebody a better idea to create a mobile volatility or a setup.py for py2exe that works? best regards hermann -- Neu: GMX FreeDSL Komplettanschluss mit DSL 6.000 Flatrate + Telefonanschluss für nur 17,95 Euro/mtl.!* http://dsl.gmx.de/?ac=OM.AD.PD003K11308T4569a

16 years, 1 month

2
1
0 0

Getting network info from XP-SP3 image

by Doug Collins

Perhaps I'm off target here. I know that I was successfully obtaining open ports and IP addresses from my memory dumps before. But I haven't seen any output from the connections module or sockets for the last while. I have compared the results using the same image file, in Memoryze/Audit Viewer and am getting the correct network info. I'm wondering if this is a result of SP3? Or have I missed something. Thanks. Doug C.

16 years, 2 months

2
1
0 0

Volatile Week (New Plugins)

by AAron Walters

vol-users, In case any subscribers don't follow the Volatility tumblr (http://volatility.tumblr.com/) I wanted to highlight some new tools/plugins. Michael Hale Ligh just released a new Volatility plug-in, malfind.py to find and extract hidden and/or injected code from physical memory samples. He even provides a video demonstrating how it works. Shouts to MHL! http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html http://www.mnin.org/code/malfind.py http://www.mnin.org/video/malfind/malfind.html Brendan Dolan-Gavitt released a new plugin for Volatility called moddump. Moddump allows a memory forensics analyst to extract kernel modules from physical memory. Simply add it to your memory_plugins directory and start dumping kernel modules. Shouts to Brendan! http://moyix.blogspot.com/2008/10/plugin-post-moddump.html http://kurtz.cs.wesleyan.edu/~bdolangavitt/memory/moddump.py Finally, Gleeda publicly released vol2html. vol2html is a Perl script that takes the output of Volatility and creates an html report. Shouts to Gleeda! http://gleeda.blogspot.com/2008/11/vol2html-perl-script.html Thanks, AW

16 years, 3 months

1
0
0 0

Re: [Vol-users] 64bit memory images

by Jesse Kornblum

Hi Brian, There is no such thing as a stupid question; don't worry. To my knowledge nobody has published much information about doing memory analysis on 64-bit systems, so the following is mostly conjecture. When working in 64-bit mode Intel processors use a different method of translating the virtual addresses used by programs and the operating system into the physical addresses in RAM where data really lives. As such there are going to be several differences in the operating system for a) keeping track of where data lives and b) virtual to physical address translation. You can read much more about these difference in the Intel Architecture Software Developer's Manuals, http://www.intel.com/products/processor/manuals/. BTW, Intel will mail you hard copies of those books for free. Really! As many as you'd like of whichever ones you'd like. Enjoy! As for the differences in anything else, like I said, I don't think anybody has published on those yet. You could be the first! cheers, -- Jesse jessek(a)speakeasy.net

16 years, 3 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users