Hi all,
Forgive me if this is a stupid question, I'm a bit new to physical memory
analysis.
Is the structure of physical memory on a 64-bit operating system different
from that of a 32-bit operating system, and if so, does Volatility have the
capability to parse 64-bit images?
v/r
--
-Brian
> Interesting, I haven't tried Volatility with Python 2.6 yet. Looking
> at the module in question, I don't actually see anywhere that sha is
> used. I'll make a note to look whether we can just remove that.
One of my students noticed this as well. I had asked her to send me
the error message, but I guess she forgot... After she commented out
that line it worked fine.
All the best,
-Jamie
I am trying to develop a step-by-step guide for installation and use of
Volatility and Python in *Windows* as many of our users have a different
knowledge level.
I was wondering if anyone has any "best practice" guidelines for:
1. If you install Python, would it be preferable to change the Path in
Environment Variables to allow Python to be recognized from any directory?
2. Where should I install Volatility to (Python directory, its own
directory)? Should this directory be "pathed" as well? I am trying to
reduce the complexity of the command line to run the program.
3. Is it preferable to have the memory image in any specific directory?
4. I am getting a warning, although can still get an output. The error is:
"c:\python26\forensics\win32\crashdump.py:31:31: DeprecationWarning: the sha
module is deprecated; use the hashlib module instead
import sha "
Any guidance would be appreciated.
Darren Sabourin
Forensic Analyst
Royal Canadian Mounted Police
Regina, Saskatchewan CANADA
ph. (306) 780-7334
Hi,
when running
python volatility files -f ../mem.dd
I get a correct looking result for the first 8 processes, then I get the
following error:
<-------------------------------------snip-------------------------------------------->
Pid: 644
Traceback (most recent call last):
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 212, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "/home/chris/tmp/Mem-Image/Volatility-1.3_Beta/vmodules.py", line 62, in execute
    self.cmd_execute(module, args)
  File "/home/chris/tmp/Mem-Image/Volatility-1.3_Beta/vmodules.py", line 545, in get_open_files
    L1_table = handle_entry_object(addr_space, types, L1_entry)
  File "/home/chris/tmp/Mem-Image/Volatility-1.3_Beta/forensics/win32/handles.py", line 77, in handle_entry_object
    ['_HANDLE_TABLE_ENTRY', 'Object'], entry_vaddr) & ~0x00000007
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
<-------------------------------------snip-------------------------------------------->
The operating system in the image is XP SP3; volatility ident shows:
Image Name: ../mem.dd
Image Type: Service Pack 3
VM Type: pae
DTB: 0xa1c000
Datetime: Wed Nov 12 18:39:28 2008
Any ideas what could be the problem?
Christian
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
I'm trying out Volatility 1.3 Beta on Linux (RedHat Enterprise 5).
I quickly encountered a problem as follows:
[root@HX80722V1 Volatility-1.3_Beta]# python volatility
Traceback (most recent call last):
File "volatility", line 37, in ?
from vmodules import *
File "/usr/local/src/Volatility-1.3_Beta/vmodules.py", line 1938
finally:
^
SyntaxError: invalid syntax
The md5 checksum is correct for the downloaded file.
Is there a fix for this?
Thanks!
Cameron
Cameron C. Caffee, CPA, GCFA, GCIH
IT Audit Manager
Voice: (804) 786-4882
FAX: (804) 786-2487
Hi everybody,
Jun asked me about a paper I wrote and which Harlan's tools were
based. Although I can't send out the full paper, I can show you a
slide from my talk at the 2007 DoD Cyber Crime Conference at http://jessekornblum.com/tmp/determine-os.pdf.
The slide shows how you can use the spaces between known values, in
this case between the Eprocess header and the name of the process, to
identify what OS you're working with.
For the record, Volatility looks at each process' Peb, IIRC, which in
turn contains a string naming the Service Pack number. The framework
records how many processes indicate which string (e.g. 7 say "Service
Pack 2" and 2 say (null)). The string encountered the most times is
displayed.
cheers,
--
Jesse
jessek(a)speakeasy.net
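The header-to-name distance technique Jesse describes, as an added example (not Jesse's paper, Harlan's tools, or Volatility code): it scans for a process-object header signature, checks which entry of a caller-supplied distance table lands on a NUL-terminated process name, and takes a majority vote, the same tallying Jesse says Volatility does with the Service Pack strings. The header bytes and the distance table are assumptions to be checked against your own profiles, and the image is constructed.

```python
"""Fingerprint a Windows memory image by the byte distance between a
process object's dispatcher header and its ImageFileName string.
Added example; not Volatility code. Signature and offsets are assumptions."""
from collections import Counter
import re

# Assumption: XP-era _EPROCESS objects start with a _DISPATCHER_HEADER whose
# first bytes are Type=3, Size=0x1b. Treat this as a sample signature only.
PROCESS_HEADER = b"\x03\x00\x1b\x00"

# Assumption: distance in bytes from the header to ImageFileName, per OS.
# Illustrative table, not taken from the page; verify against real profiles.
KNOWN_DISTANCES = {
    0x1fc: "Windows 2000",
    0x174: "Windows XP",
    0x154: "Windows Server 2003",
    0x14c: "Windows Vista",
}

# A process name is short printable ASCII followed by a NUL (ImageFileName is 16 bytes).
NAME_RE = re.compile(rb"[A-Za-z0-9_.\-]{3,15}\x00")


def header_to_name_distances(image: bytes, candidates=KNOWN_DISTANCES) -> Counter:
    """For every header hit, record which candidate distances land on a
    plausible NUL-terminated name. Returns Counter({distance: votes})."""
    tally = Counter()
    start = 0
    while True:
        hit = image.find(PROCESS_HEADER, start)
        if hit < 0:
            break
        start = hit + 1
        for distance in candidates:
            pos = hit + distance
            if pos + 16 > len(image):
                continue
            if NAME_RE.match(image, pos):
                tally[distance] += 1
    return tally


def guess_os(image: bytes, candidates=KNOWN_DISTANCES):
    """Majority vote over the distances; returns (os_name, votes) or None."""
    tally = header_to_name_distances(image, candidates)
    if not tally:
        return None
    distance, votes = tally.most_common(1)[0]
    return candidates[distance], votes


def build_sample_image(distance: int, names, spacing: int = 0x800) -> bytes:
    """Constructed image: one fake process object per name, each with the
    header at a page-ish boundary and the name `distance` bytes later."""
    buf = bytearray(spacing * (len(names) + 1))
    for i, name in enumerate(names):
        base = spacing * (i + 1)
        buf[base:base + 4] = PROCESS_HEADER
        buf[base + distance:base + distance + len(name) + 1] = name + b"\x00"
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_image(0x174, [b"System", b"smss.exe", b"csrss.exe"])
    print(guess_os(sample))  # ('Windows XP', 3)
```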
Hi,
Suppose that I have a raw memory image of a particular Windows
machine. Is there any way to determine its version? It can be W2k,
WinXP SP2 or SP3 or Vista.
Perhaps we can look into some places into the image to get those
information out?
Thanks,
J
Hi,
I am interested in working with the experimental version that supports Linux memory images and integrates with PyFlag. I would greatly appreciate a copy of the source code with those features (e.g. the version used in the DFRWS 2008 challenge).
Thanks,
Sam
Hi everybody,
Here's a Volatility plugin to first recover the command line for each process and
then find any suspicious ones. I wrote it to get a feel for the framework's
Object model. Please note that the current version of the framework has a (soon
to be corrected) bug that can result in a crash. Don't panic!
The plugin considers a command line to be suspicious if it contains the word
"TrueCrypt" or if it starts with a lower case drive letter. The latter is
indicative of a manually typed command line. I've found it handy to examine
TrueCrypt command lines because they can contain the filename of a mounted
protected volume.
cheers,
--
Jesse
jessek(a)speakeasy.net
Attached please find a Volatility plugin to scan for TrueCrypt passphrases using
the method described in Brian Kaplan's thesis, 'RAM is Key, Extracting Disk
Encryption Keys From Volatile Memory', pages 22-23. You can download the thesis
at http://www.andrew.cmu.edu/user/bfkaplan/.
Usage:
python volatility cryptoscan -f [FILE]
The output will look like:
Found TrueCrypt passphrase "8964h khI@*TGUIG!!" at offset 0x65f8094
cheers,
--
Jesse
jessek(a)speakeasy.net
Hi,
Anybody know where we can get the sample image mentioned
xp-laptop-2005-07-04-1430.img in README.txt?
I got http://www.cfreds.nist.gov/mem/memory-images.rar, but inside I
found only a Win2003 image, and it doesn't work with 1.3-beta.
If it is not there anymore, can anybody upload the XP image somewhere
for us to try?
Thanks,
J
Hi all,
Please, is it possible to examine a hiberfil.sys file (extracted from a
"dead" system) directly with Volatility, such as:
python volatility pslist -f c:\tmp\hiberfil.sys => Error : Unable to
locate valid DTB in Image
or do I have to convert it to another format first?
Thanks
Have a good weekend
:)
Best regards
Jean Francois
Unless stated otherwise above:
Compagnie IBM France
Registered office: Tour Descartes, 2, avenue Gambetta, La Défense 5, 92400
Courbevoie
RCS Nanterre 552 118 465
Legal form: S.A.S.
Share capital: 542.737.118 euros
SIREN/SIRET: 552 118 465 02430
I tried to use Volatility with pyFlag which doesn't work due to the
missing Linux analysis part in Volatility. What happened with the
directory forensics/linux in Volatility ?
chris
The Volatility Team is pleased to announce the release of Volatility 1.3,
the open source memory forensics framework. The framework was recently
used to help win both the DFRWS 2008 Forensics Challenge and the Forensics
Rodeo, demonstrating its power and effectiveness for augmenting digital
investigations.
The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for performing
advanced memory forensics. The extraction techniques are performed
completely independently of the system being investigated but still offer
unprecedented visibility into the run time state of the system. The
framework is intended to introduce people to the techniques and
complexities associated with extracting digital artifacts from volatile
memory samples, while providing a powerful platform for further research.
Volatility 1.3 currently supports the investigation of Microsoft Windows
XP Service Pack 2 and Service Pack 3 memory samples. Preliminary support
has also been added for the Linux operating system, making Volatility the
only cross platform memory analysis framework.
Some of the new features in Volatility 1.3 include:
* Over 14 new data view modules!
* New object model allowing easier module development and memory
exploration
* New plugin design allowing organizations to easily create, maintain, and
share modules
* New object oriented scanning infrastructure (Very Fast!)
* Process graphing capabilities
* Ability to extract open registry handles
* Ability to dump a process' addressable memory
* Ability to extract executables from memory samples
* Transparently supports a variety of sample formats (i.e., CrashDump,
Hibernate, DD)
* Automated conversion between sample formats
* New scanning modules (i.e., modules)
* Support for XP SP3
Special thanks to Brendan Dolan-Gavitt, Andreas Schuster, Michael Cohen,
and Matthieu Suiche.
Download the Volatility Framework from:
https://www.volatilityfoundation.org/default/volatility
Thanks,
The Volatility Team
Sorry AAron, Yahoo spam filter was a bit aggressive! I got here in
the end :-)
What tools do peeps prefer for memory acquisition now that we have some
choices?
Regards,
Jon.
http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-ma…
I recently had a little extra time to dig through the Linux kernel and
thought some people may be interested. This was an excerpt from a
collaboration with the PyFlag team! I want to thank both Michael Cohen
and David Collett for letting me play along despite being on opposite
sides of the world!!
That's right Volatility now supports both Windows and Linux!
If you have questions/comments/suggestions, let me know!
Thanks,
AW
> In at least one
> case they clearly were unreliable.
Rossetoecioccolato,
Do you really know of such a case, ... or not really?
eric
www.risk-averse.com
I know that Jon Evans at Gwent Police in the UK has demonstrated this
method. I'll be amazed if Jon doesn't subscribe to this list and so may be
able to give some more info.
More info can be found here:
http://forums.remote-exploit.org/archive/index.php/t-13922.html
The method utilises Adam Boileau's Winlockpwn tool. Adam's Pythonraw tool
is available on Helix. http://www.e-fense.com/helix/downloads.php
If I recall one "slight" issue with this method is the tendency to BSOD. To
quote Keith Lockhart at Access Data "This is a Bad thing!"
Jim
If this is a managed system, then if you have a software deployment tool like SMS, Tivoli, or Unicenter can you just send down a job that runs something like Mantech's new MDD.exe tool and write the RAM dump out to a \\servername\sharename\filename?
Otherwise, if you have admin access to the machine, can you psexec the MDD.exe tool on the machine and write the RAM dump out to a \\servername\sharename share (mdd -o \\servername\sharename\filename.dd)?
Doing either of the above would definitely alter the target machine more than the Firewire method, but might be good enough depending on your situation.
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of AAron
Walters
Sent: Tuesday, July 08, 2008 4:29 PM
To: Jim Gordon
Cc: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Memory Imaging Using Firewire
evb,
There are a number of potential techniques that are being used to deal with
locked machines. Though I must give my usual caveats that I would make
sure you know what you are doing and actually have experience with the
acquisition method before trying it as part of a real investigation.
Some of the techniques are hardware dependent, have the potential to
BSOD the machine, or are potentially destructive, so you may only get
one attempt. In some instances, it may be useful to get outside help.
As Jim and Jamie mentioned, performing acquisition via firewire is a
potential option. Details about this technique can be found on the
following site: http://storm.net.nz/projects/16. They even mention using a
CardBus firewire card. Others have successfully used techniques similar
to those presented in the Cold Boot paper
(http://citp.princeton.edu/memory/) or similarly, msramdmp:
(http://mcgrewsecurity.com/projects/msramdmp/)
Depending on how the laptop is configured, the hibernation file is
another alternative. There are also other hardware solutions but they
are very expensive.
Regards,
AW
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Hi evb,
I'm not sure, but maybe this will help (maybe someone else on here
knows better than I do):
http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html
I've never tried memory acquisition using firewire, but it sounds like
it might be worth a try.
All the best,
-Jamie
How does one image RAM on a Windows system with no known Windows
login/password, if autorun is turned off, and if there is no network access?
Thanks!
eric
Vol-users,
With the recent increase in acquisition tools, there are obviously more
people capturing samples of physical memory. As a result, we decided to
back port the bug fixes from the upcoming 1.3 release into the 1.1 branch.
This release will also support samples taken from SP3 systems. Let us know
if you have any issues! We will keep you posted on the status of 1.3!
Thanks,
AW
Open Memory Forensics Workshop (OMFW)
Volatile memory forensics (i.e., RAM forensics) is becoming an extremely
important topic to the future of digital investigations. It has the
potential to dramatically transform the way we currently perform digital
investigations and help address many of the challenges currently facing
the digital forensics community.
We are pleased to announce the first ever workshop focused on open source
volatile memory analysis. This workshop will bring together digital
investigation researchers and practitioners to discuss the latest
advancements in volatile memory analysis. You will also learn how memory
analysis is currently being used to augment digital investigations.
Through a series of invited talks and panel discussions you will have the
opportunity to engage this exciting community.
This half-day workshop will be co-located with Digital Forensics Research
Workshop (DFRWS) 2008 in Baltimore, Maryland, USA, on August 10, 2008.
Pre-registration is required and space is limited, so register early.
Please note that it will not be possible to register at the door. Reserve
your seat by contacting: AAron Walters (awalters [at] 4tphi [dot] net). We
are also still seeking individuals with interesting insights who would
like to participate as a speaker or panelist.
Join with industry leaders to discuss the latest advancements in memory
forensics and the importance of open source initiatives. This is your
opportunity to help shape the future of memory forensics!
Invited speakers and panelists include:
* Dr. Brian Carrier (Basis Technology)
* Eoghan Casey (Stroz Friedberg, LLC)
* Dr. Michael Cohen (Australian Federal Police)
* Brian Dykstra (Jones Dykstra & Associates)
* Brendan Dolan-Gavitt (Georgia Institute of Technology)
* Matthew Geiger (CERT)
* Keith Jones (Jones Dykstra & Associates)
* Jesse Kornblum (ManTech)
* Andreas Schuster (Deutsche Telekom AG)
* AAron Walters (Volatile Systems, LLC)
* More to be announced...
Brought to you by the Volatility Team: Open Source Memory Forensics.
vol-users,
I recently posted the slides from our AAFS presentation:
Using Hashing to Improve Volatile Memory Forensic Analysis
http://volatilesystems.blogspot.com/2008/03/using-hashing-to-improve-volati…
A special thanks to Blake Matheny and Doug White for their help with this
ongoing research. We are working hard to make new resources available
to the volatile memory analyst community!
Thanks,
AW
vol-users,
In case you didn't see the volatility blog post, I wanted to let the
mailing list subscribers know that we have now created a new irc channel
on freenode for discussing volatile memory analysis:
#volatility on irc.freenode.net
If you are an irc user, this is your opportunity to hang out with the
developers of all your favorite open source memory forensics tools. Feel
free to stop by and say hello! We are here to help.
Thanks,
AW
Hi, just thought I'd share this, since it took me an hour or two of
googling to figure out. I wanted to take a VMWare disk I had for
testing and mount it so that I could get the hibernation file off to
use with Sandman.
If you're on Linux, you can just use vmware-mount.pl to mount the
vmware disk.
If you're on Windows, you can use vmware-mount for that platform:
http://www.vmware.com/pdf/VMwareDiskMount.pdf
If you just want to mount a dd image on OS X, skip to step 3.
Step 1: Get the OS X version of QEMU at http://www.kju-app.org/kju/ ,
which comes with qemu-img, which can convert between VMDK and raw
disk images.
Step 2: Convert the VMDK image to a raw disk image:
azzurra:~ moyix$ /Applications/Q.app/Contents/MacOS/qemu-img convert -f vmdk WindowsXpProfessional-000001.vmdk ~/xpsp2_img.raw
Step 3: Use fdisk to determine where the partition you want to
mount starts. In this case I want the NTFS (called HPFS by fdisk)
partition, which fdisk says starts at sector 63.
azzurra:~ moyix$ fdisk ~/xpsp2_img.raw
Disk: /Users/moyix/xpsp2_img.raw        geometry: 0/4/63 [0 sectors]
Signature: 0xAA55
         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
*1: 07    0   1   1 - 1023 254  63 [        63 -   41913522] HPFS/QNX/AUX
 2: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 3: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 4: 00    0   0   0 -    0   0   0 [         0 -          0] unused
Step 4: Use hdid to attach the image as a block device. It outputs the
device it attaches it to.
azzurra:~ moyix$ hdid -section 63 -nomount -imagekey diskimage-class=CRawDiskImage ~/xpsp2_img.raw
/dev/disk1
Step 5: Mount the resulting block device with the appropriate
filesystem mounter.
azzurra:~ moyix$ sudo mount_ntfs /dev/disk1 /mnt/ntfs_fs/
Step 6: When you're done, unmount the FS and detach the block device:
azzurra:~ moyix$ sudo umount /mnt/ntfs_fs/
azzurra:~ moyix$ hdiutil detach /dev/disk1
Hope this helps someone,
Brendan
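An added example (not from Brendan's post, nor VMware or QEMU code): the number Step 3 reads off fdisk, the start sector of the NTFS partition that hdid's -section argument needs, can be pulled straight from the raw image's MBR partition table. The sample MBR below is constructed to match the fdisk listing above.

```python
"""Read the MBR of a raw disk image and report the start sector of the first
NTFS partition (the value passed to `hdid -section`). Added example, not
part of the original post; the sample MBR is constructed."""
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55
PART_TABLE_OFFSET = 446      # four 16-byte entries, then the 0xAA55 signature at 510
NTFS_TYPE = 0x07             # fdisk on OS X labels type 0x07 as HPFS/QNX/AUX
# Partition entry: boot flag, 3 CHS bytes, type, 3 CHS bytes, start LBA, size (LE).
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes):
    """Return the four primary partition entries as dicts.
    Raises ValueError if the sector does not carry an MBR signature
    (e.g. a GPT-only disk or an image of a single partition rather than a disk)."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    (sig,) = struct.unpack_from("<H", mbr, 510)
    if sig != MBR_SIGNATURE:
        raise ValueError("no 0xAA55 boot signature: not an MBR")
    entries = []
    for i in range(4):
        boot, ptype, start_lba, size = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"index": i + 1, "active": boot == 0x80,
                        "type": ptype, "start": start_lba, "size": size})
    return entries


def ntfs_section(mbr: bytes):
    """Start sector of the first non-empty NTFS (type 0x07) partition, or None."""
    for entry in parse_mbr(mbr):
        if entry["type"] == NTFS_TYPE and entry["size"] > 0:
            return entry["start"]
    return None


def ntfs_section_from_file(path: str):
    """Same check against the first sector of a raw image file on disk."""
    with open(path, "rb") as f:
        return ntfs_section(f.read(SECTOR))


def build_sample_mbr() -> bytes:
    """Constructed MBR mirroring the fdisk listing in the post: one active NTFS
    partition starting at sector 63 with 41913522 sectors; the rest unused."""
    mbr = bytearray(SECTOR)
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET, 0x80, NTFS_TYPE, 63, 41913522)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    return bytes(mbr)


if __name__ == "__main__":
    print(ntfs_section(build_sample_mbr()))  # 63
```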
vol-users,
Some of you may have noticed that Matthieu Suiche just released a tool for
converting hiberfil.sys to a physical memory dump.
http://www.msuiche.net/2008/02/26/sandman-10080226-is-out/
We have added support for Sandman generated images of physical memory in
the upcoming Volatility 1.3 release. If you would like to play with it
before then, I have attached a patch for Volatility-1.1.1. If you get a
chance, give it a try. Please let us know, if you have any problems with
the Volatility modules!
cd Volatility-1.1.1
patch -p1 <Volatility-1.1.1.hiber.patch
Thanks,
AW
vol-users,
Once again, Brendan Dolan-Gavitt has another great blog entry. I highly
recommend you adding his blog to your feeds. In this entry, he discusses
extracting registry data from volatile memory. Granted, I'm also a little
biased since it was implemented within Volatility. Brendan is a major
contributor to the Volatility community! Powered by the people.
http://moyix.blogspot.com/2008/02/cell-index-translation.html
Thanks,
AW
Vol-users,
We are getting ready for the next release of Volatility. If you have any
bugs you would like to see fixed, modules you would like to see added,
code you would like to contribute, or general suggestions, please let us
know! There are a number of new and exciting changes in the pipeline.
A special thanks to all those who have already provided feedback either
through email or on IRC.
Thanks,
AW
The American Academy of Forensic Sciences has recently posted program
information for the 2008 Annual Meeting. There are a number of
interesting talks during the Digital Evidence Session. The session
program can be found under the General Scientific Sessions Schedules
(http://www.aafs.org/pdf/08General.pdf). In particular, we will be presenting
on our collaborative effort with NIST:
"Using Hashing to Improve Volatile Memory Forensic Analysis", AAron R.
Walters, MS*; Blake Matheny, BS; Douglas White, MS
Thanks,
AW
It was only a matter of time....
In case you might have missed it during the holidays, the latest version
of PyFlag now leverages the Volatility Framework to add volatile memory
analysis to its outstanding list of capabilities. As a result, PyFlag is
the first and only tool publicly available that allows the
digital investigator to correlate disk images, log files, network traffic,
and RAM captures all within an intuitive interface. While the current
functionality is still preliminary, just imagine the possibilities!
Since PyFlag loads memory images through its standard IO source interface,
it is also now possible to store your memory images using the EWF format,
commonly used in commercial tools. Once the memory image is uploaded to
PyFlag, information can either be accessed through a browseable /proc
interface or through the Stats view. Michael Cohen and his team have
provided a tutorial and image to get you started:
http://www.pyflag.net/cgi-bin/moin.cgi/MemoryForensicsTutorial
As I mentioned in a previous post, a special thanks to Europol for
bringing our teams together through the High Tech Crime Expert Meeting.
I also want to thank Michael Cohen for the great work he has done with
PyFlag and his contributions to Volatility! Stay tuned for further
exciting collaborations and future Volatility releases in 2008!
Thanks,
AW
Hello,
I was just running Volatility on a couple of Linux boxes and received quite
different results. I have tested this on two other boxes to verify the
results and it seems to be a dual core issue.
Here is the expected output on a single core system:
$ cat /proc/version
Linux version 2.6.22.9-91.fc7
$ python -V
Python 2.5
$ Volatility-1.1.1/volatility pslist -f image.vmem
Name            Pid    PPid   Thds   Hnds   Time
System          4      0      44     182    Thu Jan 01 00:00:00 1970
smss.exe        336    4      3      21     Mon Oct 29 19:23:16 2007
csrss.exe       392    336    9      287    Mon Oct 29 19:23:18 2007
winlogon.exe    416    336    24     453    Mon Oct 29 19:23:19 2007
services.exe    460    416    19     371    Mon Oct 29 19:23:20 2007
lsass.exe       472    416    26     319    Mon Oct 29 19:23:20 2007
svchost.exe     640    460    10     210    Mon Oct 29 19:23:21 2007
svchost.exe     684    460    79     1023   Mon Oct 29 19:23:21 2007
svchost.exe     780    460    4      67     Mon Oct 29 19:23:22 2007
svchost.exe     812    460    12     141    Mon Oct 29 19:23:23 2007
userinit.exe    1000   416    2      32     Mon Oct 29 19:23:25 2007
explorer.exe    1020   1000   12     231    Mon Oct 29 19:23:25 2007
spoolsv.exe     1048   460    6      37     Mon Oct 29 19:23:25 2007
msmsgs.exe      1468   1020   5      124    Mon Oct 29 19:23:33 2007
rundll32.exe    1524   1020   1      72     Mon Oct 29 19:23:37 2007
And here is the output from a dual core system:
$ cat /proc/version
Linux version 2.6.9-55.0.12.ELsmp
$ python -V
Python 2.3.4
$ Volatility-1.1.1/volatility pslist -f image.vmem
/home/jlevy/forensic/Volatility-1.1.1/forensics/x86.py:101: FutureWarning:
x<<y losing bits or changing sign will return a long in Python 2.4 and up
return (pgd_entry & ((ptrs_per_pgd-1) << 22)) | (vaddr &
~((ptrs_per_pgd-1) << 22))
Name            Pid    PPid   Thds   Hnds   Time
System          4      0      44     182    Thu Jan 01 00:00:00 1970
/home/jlevy/forensic/Volatility-1.1.1/forensics/win32/datetime.py:58:
FutureWarning: x<<y losing bits or changing sign will return a long in
Python 2.4 and up
return (high_time << 32) | low_time
smss.exe        336    4      3      21     Thu Jan 01 00:00:00 1970
csrss.exe       392    336    9      287    Thu Jan 01 00:00:00 1970
winlogon.exe    416    336    24     453    Thu Jan 01 00:00:00 1970
services.exe    460    416    19     371    Thu Jan 01 00:00:00 1970
lsass.exe       472    416    26     319    Thu Jan 01 00:00:00 1970
svchost.exe     640    460    10     210    Thu Jan 01 00:00:00 1970
svchost.exe     684    460    79     1023   Thu Jan 01 00:00:00 1970
svchost.exe     780    460    4      67     Thu Jan 01 00:00:00 1970
svchost.exe     812    460    12     141    Thu Jan 01 00:00:00 1970
userinit.exe    1000   416    2      32     Thu Jan 01 00:00:00 1970
explorer.exe    1020   1000   12     231    Thu Jan 01 00:00:00 1970
spoolsv.exe     1048   460    6      37     Thu Jan 01 00:00:00 1970
msmsgs.exe      1468   1020   5      124    Thu Jan 01 00:00:00 1970
rundll32.exe    1524   1020   1      72     Thu Jan 01 00:00:00 1970
$ Volatility-1.1.1/volatility vaddump -f image.vmem
/home/jlevy/forensic/Volatility-1.1.1/forensics/x86.py:101: FutureWarning:
x<<y losing bits or changing sign will return a long in Python 2.4 and up
return (pgd_entry & ((ptrs_per_pgd-1) << 22)) | (vaddr &
~((ptrs_per_pgd-1) << 22))
The above errors on the dual-core system have been observed on a dual-core laptop
running Ubuntu as well... I was wondering if others have seen this, and if
there is a workaround yet?
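The two lines the FutureWarnings point at are the non-PAE x86 virtual-to-physical translation in forensics/x86.py (including the 4MB large-page case the `<< 22` expression handles) and the 64-bit FILETIME composition in win32/datetime.py. Here is the same logic in plain Python as an added example, not Volatility's code, run over a constructed physical memory buffer; the paging layout assumed is the standard 32-bit non-PAE one (the `VM Type: pae` case uses a different, three-level layout and is not covered).

```python
"""Non-PAE x86 page-table walk and Windows FILETIME conversion.
Added example, not Volatility code; the memory buffer is constructed."""
import struct
from datetime import datetime, timedelta, timezone

PAGE_SHIFT, PAGE_MASK = 12, 0xFFFFF000      # 4KB pages: frame number in bits 31..12
LARGE_SHIFT, LARGE_MASK = 22, 0xFFC00000    # 4MB pages: frame number in bits 31..22
PRESENT, PAGE_SIZE_BIT = 0x1, 0x80          # PDE/PTE flag bits we care about


def read32(mem: bytes, paddr: int) -> int:
    """Little-endian 32-bit read from the physical memory image."""
    return struct.unpack_from("<I", mem, paddr)[0]


def vtop(mem: bytes, dtb: int, vaddr: int):
    """Translate vaddr using the page directory at physical address dtb.
    Returns the physical address, or None if the PDE or PTE is not present."""
    pde = read32(mem, dtb + (vaddr >> LARGE_SHIFT) * 4)
    if not pde & PRESENT:
        return None
    if pde & PAGE_SIZE_BIT:
        # 4MB page: high 10 bits from the PDE, low 22 bits straight from vaddr.
        return (pde & LARGE_MASK) | (vaddr & ~LARGE_MASK & 0xFFFFFFFF)
    pt_base = pde & PAGE_MASK
    pte = read32(mem, pt_base + ((vaddr >> PAGE_SHIFT) & 0x3FF) * 4)
    if not pte & PRESENT:
        return None
    return (pte & PAGE_MASK) | (vaddr & 0xFFF)


def filetime_to_datetime(high_time: int, low_time: int) -> datetime:
    """Combine the two 32-bit halves of a Windows FILETIME (100ns ticks since
    1601-01-01 UTC). Zero ticks yield the 1601 epoch; a process time that
    collapses to zero is what shows up as 'Thu Jan 01 00:00:00 1970' above."""
    ticks = ((high_time & 0xFFFFFFFF) << 32) | (low_time & 0xFFFFFFFF)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def build_sample_memory():
    """Constructed 64KB physical image: DTB at 0x1000; PDE#0 points at a page
    table at 0x2000 whose entry 5 maps vaddr 0x5000 -> frame 0x3000; PDE#1 is a
    4MB large page backing 0x00400000; everything else is not present."""
    mem = bytearray(0x10000)
    dtb = 0x1000
    struct.pack_into("<I", mem, dtb + 0 * 4, 0x2000 | 0x3)        # present + writable
    struct.pack_into("<I", mem, dtb + 1 * 4, 0x00400000 | 0x83)   # present + PS bit
    struct.pack_into("<I", mem, 0x2000 + 5 * 4, 0x3000 | 0x3)     # PTE for 0x5000
    return bytes(mem), dtb


if __name__ == "__main__":
    mem, dtb = build_sample_memory()
    print(hex(vtop(mem, dtb, 0x5ABC)))       # 0x3abc
    print(hex(vtop(mem, dtb, 0x00412345)))   # 0x412345 (large page)
    print(vtop(mem, dtb, 0x6000))            # None
```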
During the course of a day, I typically come across a number of useful
"things" related to volatile memory analysis. Often, I don't have the time
to post a complete blog entry so I've decided to start a tumblelog:
http://volatility.tumblr.com/
In particular, you may want to check out the hypothetical dialog between a
defense attorney and a forensic examiner about volatile memory.
http://volatility.tumblr.com/post/15164622
By the way, if any of you are interested in what is happening with
Volatility development: we are getting ready to release Volatility 1.2. We
mentioned it on the vol-dev list a couple of weeks ago:
http://www.volatilityfoundation.org/pipermail/vol-dev/2007-September/000001…
I would especially like to thank both Brendan Dolan-Gavitt and Andreas
Schuster for all their help and contributions. I would also like to thank
those who have provided feedback and bug reports.
thanks,
AW
The agenda for the 2008 DoD Cyber Crime Conference has been posted:
http://www.technologyforums.com/8CC/trackagenda.asp
I'll be giving a talk during the Research and Development Track at 0830
January 16, 2008. In this talk I will be discussing the latest
advancements in the area of Volatile Memory Analysis and how they affect
the way we perform digital investigations.
Title:
Advanced Volatile Memory Analysis
Abstract:
This session will focus on advanced techniques being used in
volatile memory analysis (VMA) and our experiences while performing VMA.
We will also discuss a number of open source tools and resources we have
made available to the digital investigation community. The session will
also explore how we are using VMA to perform automated malware analysis.
Finally, we will demonstrate how we are combining VMA with file system
analysis to help reconstruct and visualize the digital crime scene.
AW
These scripts were recently sent to me by a Volatility user, the methUd,
and I thought others might find them useful. These scripts will allow you
to run all the Volatility modules against a single image or against a
directory of images. Enjoy!!
AW