- Vol-users - volatilityfoundation.org

Announcing memory forensics training directly from Volatility developers!

by Andrew Case

Hello, We are writing to announce the public offering of our Windows Memory Forensics for Analysts training course. This course is taught directly by Volatility developers, and will provide intense training in memory forensics for incident response, malware analysis, and digital forensic investigation. Full details can be found here: http://volatility-labs.blogspot.com/2012/11/windows-memory-forensics-traini… Please write or comment on the post if you have any questions or comments. Thanks, Andrew (@attrc)

12 years, 7 months

1
0
0 0

procexedump Error: Cannot acquire process AS

by Dewhirst, Rob

Have never seen this error when trying to dump a process. Any suggestions? tried -u as well with the same results. vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684 Volatile Systems Volatility Framework 2.2 Process(V) ImageBase Name Result ---------- ---------- -------------------- ------ 0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire process AS

12 years, 7 months

4
7
0 0

Re: [Vol-users] procexedump Error: Cannot acquire process AS

by Dewhirst, Rob

I am aware of the tech preview tools (that I learned about sitting in scudette's class no less!) but I haven't had enough "stick time" with them to trust a remote user running a dump for me with them. On Tue, Oct 30, 2012 at 7:47 PM, alex pease <alex.pease(a)gmail.com> wrote: > > http://volatility.googlecode.com/files/volatility-3.0-tp2.zip > > Not that I am saying use a different imager. > > I know scudette didn't write that all you need to do is run his tool. If I > remember write it is winpmem.exe -o file.mem, and you have a raw memory > dump. > > Dumpit likes to deadlock systems. > > > On Tuesday, October 30, 2012, Dewhirst, Rob wrote: >> >> I know I have the right profile but hearing something like this makes >> me question the image. I took a new image with a different tool and >> can now dump the process without error. >> >> FWIW I used Dumpit for the first image and FTK Imager for the second. >> >> On Tue, Oct 30, 2012 at 11:47 AM, Michael Cohen <scudette(a)gmail.com> >> wrote: >> > Rob, >> > According to the psscan output you posted the PDB (Process directory >> > base) is 0xcf3392c0. This is clearly an invalid address since a DTB is >> > always aligned on page boundaries. >> > >> > Can you dump other processes from this image? Is it possible that you >> > dont have the correct profile chosen for your image? >> > >> > Michael. >> > >> > On 30 October 2012 17:07, Dewhirst, Rob <robdewhirst(a)gmail.com> wrote: >> >> The process doesn't appear to have exited based on pslist (and it was >> >> still generating network traffic while I dumped ram) >> >> >> >> Offset(V) Name PID PPID Thds Hnds Sess >> >> Wow64 Start Exit >> >> ---------- -------------------- ------ ------ ------ -------- ------ >> >> ------ -------------------- -------------------- >> >> 0x8b3802a8 System 4 0 127 -------- ------ >> >> 0 >> >> 0x89be3290 smss.exe 312 4 2 -------- ------ >> >> 0 2012-10-26 02:29:26 >> >> [...] >> >> 0x89b1e020 redactedxx.e 1684 432 15 -------- ------ >> >> 0 2012-10-26 02:29:39 >> >> >> >> Don't know if this helps >> >> >> >> psxview >> >> >> >> Volatile Systems Volatility Framework 2.2 >> >> Offset(P) Name PID pslist psscan thrdproc pspcdid >> >> csrss >> >> ---------- -------------------- ------ ------ ------ -------- ------- >> >> ----- >> >> 0x09b17b70 svchost.exe 2632 True True False False >> >> False >> >> [...] >> >> 0x09b1e020 redactedxx.e 1684 True True False False >> >> False >> >> >> >> psscan >> >> >> >> sansforensics@SIFT-Workstation:~/Desktop$ vol.py -f >> >> ~/Desktop/image.raw --profile Win2003SP2x86 psscan >> >> Volatile Systems Volatility Framework 2.2 >> >> Offset(P) Name PID PPID PDB Time created >> >> Time exited >> >> ---------- ---------------- ------ ------ ---------- >> >> -------------------- -------------------- >> >> 0x09b1e020 redactedxx.e 1684 432 0xcf3392c0 2012-10-26 02:29:39 >> >> >> >> >> >> On Mon, Oct 29, 2012 at 6:44 PM, Michael Hale Ligh >> >> <michael.hale(a)gmail.com> wrote: >> >>> This means that the DTB (page directory) for the process doesn't >> >>> appear >> >>> valid, which is typically because the process has exited (although the >> >>> _EPROCESS structure itself may still exist, its page tables can be >> >>> corrupt). >> >>> Can you check the exit time for this process with pslist or psscan? >> >>> >> >>> MHL >> >>> >> >>> On Mon, Oct 29, 2012 at 5:46 PM, Dewhirst, Rob <robdewhirst(a)gmail.com> >> >>> wrote: >> >>>> >> >>>> Have never seen this error when trying to dump a process. Any >> >>>> suggestions? tried -u as well with the same results. >> >>>> >> >>>> vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p >> >>>> 1684 >> >>>> Volatile Systems Volatility Framework 2.2 >> >>>> Process(V) ImageBase Name Result >> >>>> ---------- ---------- -------------------- ------ >> >>>> 0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire >> >>>> process >> >>>> AS >> >>>> _______________________________________________ >> >>>> Vol-users mailing list >> >>>> Vol-users(a)volatilityfoundation.org

12 years, 7 months

1
0
0 0

Create a profile for Android

by Tad Bauer

Hello All, I'm trying to create a profile for Android. First, I changed Makefile, and then executed make command. but, make command was failed. So, Could someone check the Makefile ? error message --- ubuntu:~/volatility-2.2/tools/linux$ make make ARCH=arm CROSS_COMPILE=~/android-ndk-r8/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C ~/goldfish CONFIG_DEBUG_INFO=y M=/home/td/volatility-2.2/tools/linux modules make[1]: Entering directory `/home/td/goldfish' CC [M] /home/td/volatility-2.2/tools/linux/module.o /home/td/volatility-2.2/tools/linux/module.c:212:5: warning: "STATS" is not defined /home/td/volatility-2.2/tools/linux/module.c:228:5: warning: "DEBUG" is not defined CC [M] /home/td/volatility-2.2/tools/linux/pmem.o In file included from /home/td/volatility-2.2/tools/linux/pmem.c:51: /home/td/goldfish/arch/arm/include/asm/mmzone.h:21:1: warning: "NODE_DATA" redefined In file included from include/linux/gfp.h:4, from include/linux/kmod.h:22, <snip> /home/td/volatility-2.2/tools/linux/pmem.c: In function 'pmem_read_partial': /home/td/volatility-2.2/tools/linux/pmem.c:142: warning: comparison of distinct pointer types lacks a cast make[2]: *** [/home/td/volatility-2.2/tools/linux/pmem.o] Error 1 make[1]: *** [_module_/home/td/volatility-2.2/tools/linux] Error 2 make[1]: Leaving directory `/home/td/goldfish' make: *** [dwarf] Error 2 --- Makefile --- obj-m += module.o obj-m += pmem.o KDIR := ~/goldfish CCPATH := ~/android-ndk-r8/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin -include version.mk all: dwarf pmem pmem: pmem.c $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C $(KDIR) M=$(PWD) modules dwarf: module.c $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules dwarfdump -di module.ko > module.dwarf $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C $(KDIR) M=$(PWD) clean clean: $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C $(KDIR) M=$(PWD) clean rm module.dwarf --- Thanks, Tad

12 years, 8 months

2
2
0 0

Last week of MoVP, OMFW 2012 slides, and the GrrCon network forensics challenge

by Andrew Case

Hello All, We are writing to announce a few new things related to Volatility and memory forensics. First, we have posted the last week of the Month of Volatility plugins: Post 1: Detecting Malware with GDI Timers and Callbacks This posts covers analyzing malware samples that use timer callbacks to schedule actions. http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-… Post 2: Taking Screenshots from Memory Dumps This posts covers the data structures and algorithms required to recreate the state of the screen (a screenshot) at the time of the memory capture. http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from… Post 3: Recovering Master Boot Records (MBRs) from Memory This post covers recovering the MBR from memory and detecting bootkits. http://volatility-labs.blogspot.com/2012/10/movp-43-recovering-master-boot-… Post 4: Cache Rules Everything Around Me(mory) This post covers a new plugin that can recover in-tact files from the Windows Cache Manager. http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-… Post 5: Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit This post covers analyzing the Phalax2 rootkit with Volatility and other reversing tools. http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volati… Second, slides from the 2012 Open Memory Forensics Workshop are being put online: Datalore: Android Memory Analysis: http://volatility-labs.blogspot.com/2012/10/omfw-2012-datalore-android-memo… Malware In the Windows GUI Subsystem: http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gu… Reconstructing the MBR and MFT from Memory: http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-an… Analyzing Linux Kernel Rootkits with Volatility: http://volatility-labs.blogspot.com/2012/10/omfw-2012-analyzing-linux-kerne… Finally, we have posted our writeup on solving the GrrCon network forensics challenge using only memory analysis: http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensic… If you have any questions or comments please either comment on the respective blog post or reply to the list. Thanks, Andrew

12 years, 8 months

3
2
0 0

Live memory acquisition with a limited user account on Windows XP?

by Minh Triet Pham Tran

I have a memory acquisition case which I don't know how to solve it: If a limited user account on Windows XP SP3 is infected by malware, how could I acquire a live memory dump from his account? Could you help me please, thank you a lot.

12 years, 8 months

1
0
0 0

Android Plugin: Missing gDvm type definition

by Dario Schwab

Hi We are trying to reproduce the steps to access application specific informations from Android phones as Andrew Case demonstrated here: http://digitalforensicssolutions.com/papers/android-memory-analysis.pdf (Page 17 and following) We already have a Android Profile for our Goldfish kernel and are able to run the existing plugins (e.g. linux_pslist) against the memory dump acquired from the emulator. Now we are writing our own Volatility Plugin according to Andrews presentation. But so far we could not instantiate a DvmGlobals object as Volatility does not know this specific type. A snippet from our plugin: gDvm = obj.Object("DvmGlobals", vm = self.addr_space, offset = gDvm_addr) When run, Volatility prints the following warning: WARNING : volatility.obj : Cant find object DvmGlobals in profile <volatility.plugins.overlays.linux.linux.LinuxAndroid_Goldfishx86 object at 0x3a57910>? How can we get Volatility to know this object type? We pulled libdvm.so from our emulator and disassembled it using arm-linux-androideabi-objdump and found the following: *000aa1a8 *<gDvm>: This lines up with the DWARF informations from libdvm.so we compiled ourselves: <1><0x12484><DW_TAG_variable> DW_AT_name<"gDvm"> DW_AT_decl_file<0x00000001 dalvik/vm/Init.cpp> DW_AT_decl_line<0x00000032> DW_AT_type<<0x0000c3b8>> DW_AT_external<yes(1)> DW_AT_location<DW_OP_addr *0x000aa1a8*> We aren't sure if this address actually is what we are looking for, that is the offset of gDvm in the memory dump. Can you confirm this? Thanks for any help Alex & Dario

12 years, 8 months

1
0
0 0

dwarfdump ERROR: can't open module.ko

by Jason Link

I've tried this on SuSE Linux 11.1 32-bit and 64-bit with the same results. Following linux instructions for creating a profile, dwarfdump is unable to locate module.ko. https://code.google.com/p/volatility/wiki/LinuxMemoryForensics user@linux:~> cat /etc/SuSE-release SUSE Linux Enterprise Server 11 (i586) VERSION = 11 PATCHLEVEL = 1 user@linux:~> uname -r 2.6.32.12-0.7-pae user@linux:~> wget https://volatility.googlecode.com/files/volatility-2.2.tar.gz user@linux:~> tar -xzf volatility-2.2.tar.gz user@linux:~> cd volatility-2.2/tools/linux user@linux:~/volatility-2.2/tools/linux> sudo make .... wait a very long time on first run .... WARNING: modpost: Found 6 section mismatch(es). To see full details build your kernel with: 'make CONFIG_DEBUG_SECTION_MISMATCH=y' make[1]: Leaving directory `/usr/src/linux-2.6.32.12-0.7-obj/i386/pae' dwarfdump -di module.ko > module.dwarf dwarfdump ERROR: can't open module.ko make: *** [dwarf] Error 1 user@linux:~/volatility-2.2/tools/linux> sudo make CONFIG_DEBUG_SECTION_MISMATCH=y .... make[1]: Leaving directory `/usr/src/linux-2.6.32.12-0.7-obj/i386/pae' dwarfdump -di module.ko > module.dwarf dwarfdump ERROR: can't open module.ko make: *** [dwarf] Error 1 user@linux:~/volatility-2.2/tools/linux> dwarfdump -V Tue Apr 10 11:43:32 PDT 2012 What am I missing?

12 years, 8 months

1
0
0 0

Understanding 'sessions'

by Brett Cunningham

I RDP'ed into another VM, opened notepad, regedit and cmd in order to reenact the sessions plugin. I didn't get the expected output as was on the blog post ( http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processe…) It shows up under the main RDP console ID. I'm guessing that this is because I'm using WinXP and it doesn't support multiple logins. Is this the reason? $ vol.py sessions -f ~/vmware/VD/VD.vmem --profile=WinXPSP2x86 Volatile Systems Volatility Framework 2.2_rc2 ************************************************** Session(V): f7b0f000 ID: 0 Processes: 27 PagedPoolStart: bb800000 PagedPoolEnd bbbfffff Process: 656 csrss.exe 2012-09-27 01:15:38 Process: 680 winlogon.exe 2012-09-27 01:15:38 Process: 724 services.exe 2012-09-27 01:15:38 Process: 736 lsass.exe 2012-09-27 01:15:38 Process: 888 vmacthlp.exe 2012-09-27 01:15:39 Process: 900 svchost.exe 2012-09-27 01:15:39 Process: 984 svchost.exe 2012-09-27 01:15:39 Process: 1076 svchost.exe 2012-09-27 01:15:39 Process: 1120 svchost.exe 2012-09-27 01:15:39 Process: 1196 svchost.exe 2012-09-27 01:15:40 Process: 1412 spoolsv.exe 2012-09-27 01:15:41 Process: 1544 svchost.exe 2012-09-27 01:15:50 Process: 1616 jqs.exe 2012-09-27 01:15:50 Process: 1652 PortReporter.ex 2012-09-27 01:15:50 Process: 1820 vmtoolsd.exe 2012-09-27 01:15:53 Process: 1880 VMUpgradeHelper 2012-09-27 01:15:53 Process: 508 alg.exe 2012-09-27 01:16:01 Process: 1512 explorer.exe 2012-09-27 18:39:34 Process: 1156 wscntfy.exe 2012-09-27 18:39:35 Process: 1472 VMwareTray.exe 2012-09-27 18:39:58 Process: 628 jusched.exe 2012-09-27 18:39:59 Process: 1312 cmd.exe 2012-09-27 18:51:10 Process: 2040 jucheck.exe 2012-09-27 18:51:17 Process: 252 wuauclt.exe 2012-09-29 17:28:35 Process: 824 rdpclip.exe 2012-09-29 17:28:43 Process: 388 notepad.exe 2012-10-04 22:24:31 Process: 268 regedit.exe 2012-10-04 22:24:34 Image: 0x829596a0, Address bf800000, Name: win32k.sys Image: 0x82abc2d8, Address bf000000, Name: dxg.sys Image: 0x829d66e0, Address bffa0000, Name: ATMFD.DLL Image: 0x82955e20, Address bff60000, Name: RDPDD.dll Image: 0xbeff009c, Address c07bd878, Name: ************************************************** Session(V): f7b6f000 ID: 3 Processes: 2 PagedPoolStart: bb800000 PagedPoolEnd bbbfffff Process: 1032 csrss.exe 2012-09-29 17:28:42 Process: 2004 winlogon.exe 2012-09-29 17:28:42 Image: 0x82b83788, Address bf800000, Name: win32k.sys Image: 0x8299eb70, Address bf000000, Name: dxg.sys Image: 0x82b9de80, Address bf012000, Name: vmx_fb.dll Image: 0x82a084c8, Address bffa0000, Name: ATMFD.DLL Image: 0xbeff009c, Address c07bdb78, Name: ************************************************** Session(V): f7b43000 ID: 1 Processes: 0 PagedPoolStart: bb800000 PagedPoolEnd bbbfffff

12 years, 8 months

2
2
0 0

linux_bash plugin: problem getting needed offset

by neofito

Hi, I have troubles getting the offset from an x86 Ubuntu system. Using GDB is not showing the needed address: # gdb --quiet /bin/bash Leyendo simbolos desde /bin/bash...(no se encontraron simbolos de depuracion)hecho. (gdb) disassemble history_list Dump of assembler code for function history_list: 0x080eb0c0 <+0>: push %ebp 0x080eb0c1 <+1>: mov 0x81159fc,%eax 0x080eb0c6 <+6>: mov %esp,%ebp 0x080eb0c8 <+8>: pop %ebp 0x080eb0c9 <+9>: ret End of assembler dump. (gdb) Thoughts? Thanks in advance!!

12 years, 8 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users