[Vol-users] (win7x64) : creating images for volatility

Michael Hale Ligh michael.hale at gmail.com
Wed Oct 23 10:37:08 CDT 2013


Boudewijn,

I agree, it looks like your memory dump is corrupted. To answer your
question about internet explorer history, that is the iehistory plugin [1]
[2], which is provided with volatility 2.3.

[1].
http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html
[2].
https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/iehistory.py

Michael


On Wed, Oct 23, 2013 at 11:30 AM, Andrew Case <atcuno at gmail.com> wrote:

> Nice to hear from someone from our class =)
>
> A few things about your post...
>
> 8GB on x64 is where several acquisition tools seem to break, so it
> may be that, and your output seems to indicate so.
>
> Also, you are using Volatility 2.2 which is quite old at this point. I
> would recommend using the latest through SVN. Not only are there many
> bugfixes, but also new plugins, such as iehistory that will help you
> recover the IE data you want and is the one we used in class.
>
> Also, we have full support for networking information on Windows 7
> x64, you just have to use the netscan plugin and not the others
> (sockets, sockscan, etc.).
>
> Do you have any other acquisition tools you can use or are your
> machines virtualized?
>
> On Wed, Oct 23, 2013 at 9:21 AM, Boudewijn Ector
> <boudewijn at boudewijnector.nl> wrote:
> > Hi guys,
> >
> >
> > Currently I've got a sample of an infected win7 machine with enough
> > memory (8gb) which is not being used by anything except for 'the
> > malware' (no running office etc) so quite a lot of stuff should not
> > have been swapped out of memory yet.
> >
> >
> > Strangely, I can't dump the process:
> >
> > ; vol.py  -f dump.raw --profile=Win7SP1x64 procexedump -p 4932
> > --dump-dir results/4932.bin
> > Volatile Systems Volatility Framework 2.2
> > Process(V)         ImageBase          Name                 Result
> > ------------------ ------------------ -------------------- ------
> >
> >
> > Okay so it might be not in memory anymore... fine. So let's scan for
> > network activity using connscan.
> > This does not yield any results either.... just like svcscan.
> >
> > Also the image is very very slow... on a regular machine (core i5 2400,
> > 20gb mem) running imageinfo on the 8gb images takes about 10 minutes.
> >
> > Also malfind mentions :
> >
> > WARNING : volatility.obj      : NoneObject as string: Invalid Address
> > 0x05140000, instantiating _MMADDRESS_NODE
> > WARNING : volatility.obj      : NoneObject as string: Invalid Address
> > 0x05140000, instantiating _MMADDRESS_NODE
> > WARNING : volatility.obj      : NoneObject as string: Invalid Address
> > 0x21A4C320A, instantiating _MMADDRESS_NODE
> > WARNING : volatility.obj      : NoneObject as string: Invalid Address
> > 0x21A4C320A, instantiating _MMADDRESS_NODE
> >
> >
> > Psxview says all processes are like this:
> >
> > 0x000000021a841060 <PROCESSNAME>            6640 False  True   False
> > False   False
> >
> > Isn't that just weird? (yes it's because psscan is the only module being
> > able to retrieve data from memory... but isn't that strange)
> >
> >
> > This makes me presume my memory images are broken.  My colleague
> > probably (!) used winpmem -f for doing this. What's the best way to
> > create a memory image on a windows7 x64 box without having admin? (these
> > boxes are remotely managed and it takes a looooot of time to make sure
> > an admin will do something).
> > Or is this just perfectly normal behaviour and is win7x64 just being
> > badly supported by volatility? (I know the networkbased plugins don't
> > work but that's okay... it's being mentioned in the docs)
> >
> >
> > Furthermore: during our recent volatility training (in Amsterdam), we
> > used a plugin for getting data from internet explorer history. I had a
> > look online and didn't find it, is it non-public?
> >
> > Cheers,
> >
> > Boudewijn Ector
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users at volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
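As an added illustration (not code from this thread or from Volatility itself): the psxview pattern Boudewijn describes, where every process is visible only to psscan, is what a broken image or wrong profile looks like, and it is the opposite of the DKOM pattern where one process is missing from pslist but present in the other views. The script below parses Volatility 2.2 psxview output (six cross-view columns, as in the quoted row) and separates those two cases; the process names, offsets and PIDs in the samples are constructed.

```python
import re
from collections import Counter

# Cross-view columns of psxview in Volatility 2.2, in output order.
SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session"]

# One process row: physical offset, name, PID, then a True/False per source.
ROW_RE = re.compile(
    r"^0x(?P<offset>[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+"
    + r"\s+".join(rf"(?P<{s}>True|False)" for s in SOURCES) + r"\s*$"
)

def parse_psxview(text):
    """Parse psxview text output; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"offset": int(m["offset"], 16), "name": m["name"],
                         "pid": int(m["pid"]),
                         **{s: m[s] == "True" for s in SOURCES}})
    return rows

def triage(rows):
    """Every row found only by pool-carving psscan, with pslist empty, means the
    walk of the live process list failed: corrupt image or wrong profile.
    A row missing from pslist but present in several other views is the classic
    DKOM (unlinked EPROCESS) indicator and deserves a closer look."""
    if not rows:
        return "no-rows"
    hits = Counter(s for r in rows for s in SOURCES if r[s])
    if hits["pslist"] == 0 and hits["psscan"] == len(rows):
        return "image-corrupt-or-wrong-profile"
    hidden = [r for r in rows
              if not r["pslist"] and sum(r[s] for s in SOURCES) >= 3]
    return "possible-hidden-process" if hidden else "consistent"

# Constructed samples in the page's row layout (names and offsets are made up).
BROKEN_SAMPLE = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session
0x000000021a841060 explorer.exe           6640 False  True   False    False  False False
0x000000021a9c2b30 svchost.exe            1212 False  True   False    False  False False
"""
HEALTHY_SAMPLE = """\
0x000000007e5f1b30 System                    4 True   True   True     True   False False
0x000000007d3a8060 csrss.exe               348 True   True   True     True   False True
0x000000007c1e6d40 unlinked.exe           4932 False  True   True     True   True  True
"""
```

Run `triage(parse_psxview(...))` on a saved psxview listing; a "consistent" or "possible-hidden-process" verdict on the same image after re-acquisition is the quickest confirmation that the original dump, not the plugins, was the problem.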