Hi everybody,
Here's a Volatility plugin to first recover the command line for each process and
then find any suspicious ones. I wrote it to get a feel for the framework's
object model. Please note that the current version of the framework has a (soon
to be corrected) bug that can result in a crash. Don't panic!
The plugin considers a command line to be suspicious if it contains the word
"TrueCrypt" or if it starts with a lower case drive letter. The latter is
indicative of a manually typed command line. I've found it handy to examine
TrueCrypt command lines because they can contain the filename of a mounted
protected volume.
cheers,
--
Jesse
jessek(a)speakeasy.net
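The two heuristics described above (a command line mentioning TrueCrypt, or one starting with a lower-case drive letter), written out as a small standalone classifier. This is an added example, not Jesse's plugin or Volatility code; the process list, rule names and the path-extraction helper are constructed for illustration.

```python
import re
import shlex
from typing import List, Optional, Tuple

# Rule 1 from the post: the command line mentions TrueCrypt.
TRUECRYPT_RE = re.compile(r"truecrypt", re.IGNORECASE)
# Rule 2 from the post: the command line starts with a lower-case drive letter,
# which is what a hand-typed command usually looks like (an optional leading
# quote is tolerated).
LOWER_DRIVE_RE = re.compile(r'^"?[a-z]:[\\/]')
# Anything that looks like an absolute Windows path, used to pick out the
# volume file from a TrueCrypt command line.
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:[\\/]")

# Constructed sample, in the shape (pid, command line); not from a real image.
SAMPLE_PROCS: List[Tuple[int, str]] = [
    (4, "System"),
    (1180, r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    (2044, r'"C:\Program Files\TrueCrypt\TrueCrypt.exe" /v "D:\docs\vault.tc" /l x /q'),
    (2320, r"c:\tools\7z.exe a out.7z docs"),
    (2400, r"  c:\temp\run.bat"),
]


def why_suspicious(cmdline: str) -> Optional[str]:
    """Return the name of the first matching rule, or None if the line is clean."""
    cmd = cmdline.lstrip()  # leading whitespace should not hide rule 2
    if TRUECRYPT_RE.search(cmd):
        return "truecrypt"
    if LOWER_DRIVE_RE.match(cmd):
        return "lowercase-drive"
    return None


def path_arguments(cmdline: str) -> List[str]:
    """Absolute Windows paths among the arguments (the executable itself is skipped).

    For a TrueCrypt command line this is where the mounted container file shows up.
    posix=False keeps backslashes literal and keeps quoted paths as one token.
    """
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    return [t for t in tokens[1:] if DRIVE_PATH_RE.match(t)]


def find_suspicious(procs: List[Tuple[int, str]]) -> List[Tuple[int, str, List[str]]]:
    """Apply both rules to every process; return (pid, rule, path arguments) hits."""
    hits = []
    for pid, cmdline in procs:
        rule = why_suspicious(cmdline)
        if rule is not None:
            hits.append((pid, rule, path_arguments(cmdline)))
    return hits


if __name__ == "__main__":
    for pid, rule, paths in find_suspicious(SAMPLE_PROCS):
        print(f"pid {pid}: {rule} {paths}")
```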
Attached please find a Volatility plugin to scan for TrueCrypt passphrases using
the method described in Brian Kaplan's thesis, 'RAM is Key, Extracting Disk
Encryption Keys From Volatile Memory', pages 22-23. You can download the thesis
at http://www.andrew.cmu.edu/user/bfkaplan/.
Usage:
python volatility cryptoscan -f [FILE]
The output will look like:
Found TrueCrypt passphrase "8964h khI@*TGUIG!!" at offset 0x65f8094
cheers,
--
Jesse
jessek(a)speakeasy.net
Hi,
Anybody know where we can get the sample image mentioned
xp-laptop-2005-07-04-1430.img in README.txt?
I got http://www.cfreds.nist.gov/mem/memory-images.rar, but inside I
found only a Win2003 image, and it doesn't work with 1.3-beta.
If it is not there anymore, can anybody upload the XP image somewhere
for us to try?
Thanks,
J
Hi all,
Please, is it possible to examine a hiberfil.sys file (extracted from a
"dead" system) directly with Volatility, such as:
python volatility pslist -f c:\tmp\hiberfil.sys => Error : Unable to
locate valid DTB in Image
or do I have to convert it to another format first?
Thanks
Have a good weekend
:)
Best regards
Jean Francois
I tried to use Volatility with pyFlag which doesn't work due to the
missing Linux analysis part in Volatility. What happened to the
directory forensics/linux in Volatility?
chris
The Volatility Team is pleased to announce the release of Volatility 1.3,
the open source memory forensics framework. The framework was recently
used to help win both the DFRWS 2008 Forensics Challenge and the Forensics
Rodeo, demonstrating its power and effectiveness for augmenting digital
investigations.
The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for performing
advanced memory forensics. The extraction techniques are performed
completely independent of the system being investigated but still offer
unprecedented visibility into the run time state of the system. The
framework is intended to introduce people to the techniques and
complexities associated with extracting digital artifacts from volatile
memory samples, while providing a powerful platform for further research.
Volatility 1.3 currently supports the investigation of Microsoft Windows
XP Service Pack 2 and Service Pack 3 memory samples. Preliminary support
has also been added for the Linux operating system, making Volatility the
only cross platform memory analysis framework.
Some of the new features in Volatility 1.3 include:
* Over 14 new data view modules!
* New object model allowing easier module development and memory
exploration
* New plugin design allowing organizations to easily create, maintain, and
share modules
* New object oriented scanning infrastructure (Very Fast!)
* Process graphing capabilities
* Ability to extract open registry handles
* Ability to dump a process' addressable memory
* Ability to extract executables from memory samples
* Transparently supports a variety of sample formats (i.e., CrashDump,
Hibernate, DD)
* Automated conversion between sample formats
* New scanning modules (i.e., modules)
* Support for XP SP3
Special thanks to Brendan Dolan-Gavitt, Andreas Schuster, Michael Cohen,
and Matthieu Suiche.
Download the Volatility Framework from:
https://www.volatilityfoundation.org/default/volatility
Thanks,
The Volatility Team
Sorry AAron, Yahoo spam filter was a bit aggressive ! I got here in
the end :-)
What tools do peeps prefer for memory acquisition now that we have some
choices ?
Regards,
Jon.
http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-ma…
I recently had a little extra time to dig through the Linux kernel and
thought some people may be interested. This was an excerpt from a
collaboration with the PyFlag team! I want to thank both Michael Cohen
and David Collett for letting me play along despite being on opposite
sides of the world!!
That's right Volatility now supports both Windows and Linux!
If you have questions/comments/suggestions, let me know!
Thanks,
AW
:
:: In at least one
::case they clearly were unreliable.
:
Rossetoecioccolato,
Do you really know of such a case, ... or not really?
eric
www.risk-averse.com