- Vol-users - volatilityfoundation.org

Server 2008

by Dustin Mooney

All, Has anyone successfully analyzed memory from a windows 2008 server memory dump? This is my third time attempting to do so, and have yet to have any success with volatility. I took the memory dump so I know the profile, however, volatility reports it as a Windows 7 machine. Any advice on how to approach this persistent problem?

13 years

3
3
0 0

Analyzing diasassembly with little information

by fd ksdf

Hello! malfind found some suspicious regions and printed the disassembly so I went into volshell to get more information, but what exactly can someone do with this disassembly? As far as I know, there are no symbols, no way to view what is in the registers or these memory addresses, and when I try to disassemble the few CALLs I can, I get a "Memory unreadable" error. >>> dis(0x08070000,512) 0x8070000 55 PUSH EBP 0x8070001 8bec MOV EBP, ESP 0x8070003 83c4ec ADD ESP, -0x14 0x8070006 56 PUSH ESI 0x8070007 57 PUSH EDI 0x8070008 8b4508 MOV EAX, [EBP+0x8] 0x807000b 8bf0 MOV ESI, EAX 0x807000d 8d7dec LEA EDI, [EBP-0x14] 0x8070010 a5 MOVSD 0x8070011 a5 MOVSD 0x8070012 a5 MOVSD 0x8070013 a5 MOVSD 0x8070014 a5 MOVSD 0x8070015 ff75f8 PUSH DWORD [EBP-0x8] 0x8070018 ff55f4 CALL DWORD [EBP-0xc] 0x807001b ff75fc PUSH DWORD [EBP-0x4] 0x807001e 50 PUSH EAX 0x807001f ff55f0 CALL DWORD [EBP-0x10] 0x8070022 50 PUSH EAX 0x8070023 ff55ec CALL DWORD [EBP-0x14] 0x8070026 5f POP EDI 0x8070027 5e POP ESI 0x8070028 8be5 MOV ESP, EBP 0x807002a 5d POP EBP 0x807002b c20400 RET 0x4 0x807002e 8bc0 MOV EAX, EAX 0x8070030 53 PUSH EBX 0x8070031 56 PUSH ESI 0x8070032 57 PUSH EDI 0x8070033 55 PUSH EBP 0x8070034 83c4e8 ADD ESP, -0x18 0x8070037 8be9 MOV EBP, ECX 0x8070039 8bfa MOV EDI, EDX 0x807003b 8bd8 MOV EBX, EAX 0x807003d 33f6 XOR ESI, ESI 0x807003f 6800334000 PUSH DWORD 0x403300 0x8070044 6814334000 PUSH DWORD 0x403314 0x8070049 e85efaffff CALL 0x806faac 0x807004e 50 PUSH EAX 0x807004f e860faffff CALL 0x806fab4 0x8070054 8944240c MOV [ESP+0xc], EAX 0x8070058 6820334000 PUSH DWORD 0x403320 0x807005d 6814334000 PUSH DWORD 0x403314 0x8070062 e845faffff CALL 0x806faac 0x8070067 50 PUSH EAX 0x8070068 e847faffff CALL 0x806fab4 0x807006d 89442408 MOV [ESP+0x8], EAX 0x8070071 6830334000 PUSH DWORD 0x403330 0x8070076 6814334000 PUSH DWORD 0x403314 0x807007b e82cfaffff CALL 0x806faac 0x8070080 50 PUSH EAX 0x8070081 e82efaffff CALL 0x806fab4 0x8070086 89442404 MOV [ESP+0x4], EAX 0x807008a 8bd5 MOV EDX, EBP 0x807008c 8bc3 MOV EAX, EBX 0x807008e 0000 ADD [EAX], AL 0x8070090 0000 ADD [EAX], AL 0x8070092 0000 ADD [EAX], AL 0x8070094 0000 ADD [EAX], AL 0x8070096 0000 ADD [EAX], AL 0x8070098 0000 ADD [EAX], AL 0x807009a 0000 ADD [EAX], AL 0x807009c 0000 ADD [EAX], AL 0x807009e 0000 ADD [EAX], AL [snip] >>> dis(0x806faac) >>> db(0x806faac) Memory unreadable at 0806faac >>>

13 years

3
3
0 0

Volatility 1.3 cryptoscan plugin output

by Mike Lambert

Could someone send me a sample of what the output for the cryptoscan plugin output should be? Thanks, Mike

13 years

1
0
0 0

"RAM is Key, Extracting Disk Encryption Keys From Volatile Memory" paper

by Mike Lambert

Does anyone have a copy of Brian Kaplan's paper, "RAM is Key, Extracting Disk Encryption Keys From Volatile Memory" that they could email me at dragonforen(a)hotmail.com If so, thank you! Mike

13 years

2
1
0 0

decrypting the zeus config file

by malware monna

Hi, I'm using zeusscan2 module against a zeus infected memory dump, i'm able to get the rc4 keys and xor keys as mentioned in this link " http://mnin.blogspot.in/2011/09/abstract-memory-analysis-zeus.html".......i have also downloaded the zeus config file, that this sample tried to download, knowing this information, is it possible to decrypt the config file, if yes, how can i decrypt the config file or what are the steps to decrypt the config file?....and i think the zeuscan plugin is really awesome (Thanks Michael for writing such a great plugin, its really useful?).. Thanks,

13 years

1
0
0 0

Hiberfil information

by Dewhirst, Rob

Does this mean volatility can't identify the hiberfil? $ python ~/Volatility/vol.py hibinfo -f hiberfile.sys Volatile Systems Volatility Framework 2.1_alpha No suitable address space mapping found Tried to open image as: WindowsHiberFileSpace32: No base Address Space EWFAddressSpace: No base address space provided WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space JKIA32PagedMemory: No base Address Space JKIA32PagedMemoryPae: No base Address Space IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled WindowsHiberFileSpace32: No xpress signature found EWFAddressSpace: EWF signature not present WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected JKIA32PagedMemory: No valid DTB found JKIA32PagedMemoryPae: No valid DTB found IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled FileAddressSpace: Must be first Address Space

13 years, 1 month

3
8
0 0

Failed to import errors on last few revisions

by Tom Yarrish

Hello, Over the last week or so, when I've done an svn update on the 2.1_alpha code, I've been receiving the following errors: Volatile Systems Volatility Framework 2.1_alpha *** Failed to import volatility.plugins.overlays.windows.win2k3_sp2_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win7_sp0_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.zeusscan1 (AttributeError: 'module' object has no attribute 'ImpScan') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp1_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.zeusscan2 (AttributeError: 'module' object has no attribute 'ApiHooks') *** Failed to import volatility.plugins.overlays.windows.vista_sp1_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win7_sp1_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.vista_sp2_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp1_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.xp_sp3_x86 (AttributeError: 'module' object has no attribute 'nt_types') *** Failed to import volatility.plugins.evtlogs (AttributeError: 'module' object has no attribute 'LdrModules') *** Failed to import volatility.plugins.overlays.windows.vista_sp1_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp0_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win7_sp1_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win2k3_sp2_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.vista_sp0_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.vista_sp2_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.xp_sp2_x86 (AttributeError: 'module' object has no attribute 'nt_types') *** Failed to import volatility.plugins.timeliner (AttributeError: 'module' object has no attribute 'LdrModules') *** Failed to import volatility.plugins.overlays.windows.vista_sp0_x86 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') *** Failed to import volatility.plugins.overlays.windows.win7_sp0_x64 (AttributeError: 'module' object has no attribute 'AbstractWindowsX86') (This is with revision 1558) This is just from doing an imageinfo. I was thinking since it includes plugins that some plugins need to be updated for 2.1, but I didn't want to make the assumption. It does finish the KDBG search and give me the correct profile, so it's parsing the dump. Just wasn't sure about the errors. Thanks, Tom

13 years, 1 month

3
4
0 0

V2.0 connscan

by Mike Lambert

I have found an interesting result and have a fair amount of data to share. Bottom line is that connscan may have missed (and miss reported) some connections (see memory image). 2 IPs are missing and note the ports recorded by cports and those reported by V2.0 connscan. Check the attached xls search hits, where did port 1088 and 1064 come from? I can provide a copy of the memory image! Imager is win32dd.exe. Here is the IP connection record I have from cports: Date Time Log action PID Program Name Proto Source IP Destination IP 3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1063 212.117.175.34:80 3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1065 98.142.243.60:80 3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1066 98.142.243.60:80 3/12/2012 3:53:11 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1065 98.142.243.60:80 3/12/2012 3:53:11 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1066 98.142.243.60:80 3/12/2012 3:53:45 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1078 92.123.68.97:80 3/12/2012 3:54:06 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1080 98.142.243.60:80 3/12/2012 3:54:06 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1078 92.123.68.97:80 3/12/2012 3:54:27 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1080 98.142.243.60:80 3/12/2012 3:54:30 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1087 98.142.243.60:80 3/12/2012 3:54:31 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1063 212.117.175.34:80 3/12/2012 3:54:31 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1087 98.142.243.60:80 Here is the result of V2.0 connscan: Scan for connection objects (connscan): Offset Local Address Remote Address Pid ---------- ------------------------- ------------------------- ------ 0x041484c0 192.168.1.44:1088 98.142.243.60:80 1344 0x04193278 192.168.1.44:1093 65.54.51.29:443 3756 0x041cdc40 192.168.1.44:1064 98.142.243.60:80 1344 Attached is search results of the memory image, with memory offsets. (A few are dups and that may be the Win32dd imager) Where did ports 1088 and 1064 come from? If anyone wants a copy of the memory image, it is 115 MB Mike

13 years, 1 month

2
1
0 0

: v1.3 plugin installation

by Mike Lambert

When clicking on the list of Volatility plugins, I go to http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins >From the web page "Here is a list of the published plugins for the Volatility 1.3 framework" I do not see any "installation instructions" Do these plugins just get copied to C:\Python27\Volatility-1.3_Beta\memory_plugins ? Also, is there a like page for v2.0 ? >From http://code.google.com/p/volatility/wiki/FAQ#Where_do_I_find_the_"malware"_plugins there is a link to http://malwarecookbook.googlecode.com/svn/trunk/malware.py what Volatility version is the plugin for? I do not see Volatility version number in .py files so I get a little confused which is for which. Will plugins have "for Volaitility vX" in the future? Maybe I'm just not getting it. Sorry, Mike

13 years, 1 month

1
1
0 0

Fwd: Re: [Vol-users] BSOD while collecting a memory image

by George M. Garner J.r (online)

Meant to send this to the list not just the OP. -------- Original Message -------- Subject: Re: [Vol-users] BSOD while collecting a memory image Date: Sun, 11 Mar 2012 11:07:54 -0400 From: George M. Garner Jr. <ggarner_online(a)gmgsystemsinc.com> To: Mike Lambert <dragonforen(a)hotmail.com> Mike, > Is there malware that stops all imaging programs.. < Don't know about ALL imaging programs. There is anecdotal evidence of malware that stops some imaging programs and then allows others to run. Smart malware doesn't stop anything from running. Everything appears to be normal. Welcome to the matrix. Malware has for a long time sought to identify "white hat" software. Until recently this has been almost exclusively based on the file names of common anti-rootkit and IR packages. You could effectively defeat the anti-forensic techniques simply by renaming your tools. More recently, however, rootkits have begun to use other information to identify IR tools, in particular, the certificate info for signed PE executables. This is much more problematic. Particularly with the widespread adoption of 64-bit Windows, all device drivers must be signed and the signature can be used to identify your tools in an unambiguous way. There is a paper that will be published in the near future on developing a blackhat scanner. If you investigate sophisticated malware you should be thinking about getting your own code signing certificate(s). I believe that Sinowal was/is a "public" rootkit that attempts to remove itself from memory during hibernation. Whether a rootkit successfully removes all traces of itself from a hibernation file is another matter. Regards, g.

13 years, 1 month

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users