Volatility

Report
Memory Forensics
• Key component in DFIR
• Consider a second hobby (knitting)
• Get a rocking chair
• You still want to do this?
• Fine.....
Stuff to keep in mind
• If the machine is x64 use the right imager
– If you BSOD the machine you destroyed the info
Get memory image
• F-Response
– I have yet to play with this
– If you have... I dislike you
– Uses iSCSI protocol – blocks write operations
– Allows you to use other tools to get image
– What other tools? Glad you asked...
Win32dd/Moonsols
• Started life as Win32dd
• Hashes – MD5, SHA-1 and SHA-256
• You can set up a listener on your system
– Default is port 1337
• Will convert memory to MS crashdump
Mandiant
• Memoryze – will acquire and analyze
• You can analyze a saved image
• Also required Audit Viewer
• Mandiant has a newer product...
Redline
• By Mandiant
• Free to use
• www.mandiant.com/resources/downloads
• Pretty slick / Sloooooooooooooooow at times
And a bunch more
• WinPmem – this is very good: Windows XP to
Windows 8, both 32 and 64 bit
• Dumpit – eh not bad we like ^^ better
Volatility
• We like this...
• Written in Python
– Has API so you can make stuff with it
– Has plugins that are pretty cool
– Works fairly fast
– Not as nice as Redline but a lot of options
Volatility – Install
• Stand alone exe for Windows
– You’re not left out 
– Easy install for Linux
•
•
•
•
•
Download install:
Distorm3 – https://code.google.com/p/distorm
Yara - https://code.google.com/p/yara-project/
PyCrypto - https://www.dlitz.net/software/pycrypto/
PIL - http://www.pythonware.com/products/pil/
Volatility – Install
• sudo python setup.py install
• Flipping hard huh?
Volatility – Using
• When in doubt --help it out
• Python vol.py –h
• Mmmmkey so?!?
Volatility – Do eeeet
• What OS was image from:
• Python vol.py –f <imagename> -imageinfo
– It will do best guess, you should know already
– Some tools only work on Vista/2003
– You can get modules from the community
– Use an verbose and output file
• –v –output-file=$path
Volatility – Still waiting to do eeet
• To save typing assume all commands are
prefaced with –
• python vol.py –f <name path of memory
image> --profile=<OS>
• .............
Volatility – XP/2003/Vista
•
•
•
•
•
Network connections:
Connections (Standard netstat –an info)
Connscan (looks for _TCPT_OBJECTS)
Look to see what is running:
Pslist – typical tasklist
– not cool like tasklist /SVC
– Name, Pid, Ppid, Threads, handles, time
Volatility
•
•
•
•
Look for:
svchost and != svchosts/svch0st/scvhost
lsass != Lssas etc
Csrss != cssrs etc
Wanna see something dirty?
• 0x01795c18 jqs.exe
1720 676
0x098c01a0 2010-02-03 20
• 0x01797020 nc.exe
1508 1124
0x098c0200 2010-02-03 20
• 0x01842900 nc.exe
1888 1124
0x098c03c0 2010-02-03 20
• 0x0185a2d0 hot_pics.exe
1124 380
0x098c03a0 2010-02-03 20
psscan
• Uses _EPROCESS structure different
• Can find stuff that is not double linked or
unlinked
Dlllist
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
If you see a process you want to know more about
Take the PID:
Dlllist –p 420
Will show you Base Addy, size, path:
Base
Size
Path
0x1000000 0x6000
C:\WINDOWS\system32\svchost.exe
0x7c900000 0xb0000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf4000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x91000 C:\WINDOWS\system32\RPCRT4.dll
0x5cb70000 0x26000 C:\WINDOWS\system32\ShimEng.dll
0x6f880000 0x1ca000 C:\WINDOWS\AppPatch\AcGenral.DLL
0x77d40000 0x90000 C:\WINDOWS\system32\USER32.dll
0x77f10000 0x46000 C:\WINDOWS\system32\GDI32.dll
0x76b40000 0x2d000 C:\WINDOWS\system32\WINMM.dll
0x774e0000 0x13c000 C:\WINDOWS\system32\ole32.dll
Win7/2008
• Ton more stuff we can do:
• Malfind - The second memory segment (starting at
0x015D0000) was detected because it contained an
executable that isn't listed in the PEB's module lists.
• If you want to save extracted copies of the memory
segments identified by malfind, just supply an output
directory with -D or --dump-dir=DIR. In this case, an
unpacked copy of the Zeus binary that was injected into
explorer.exe would be written to disk.
• ---- From WIKI -----• While there read – Yarascan, Svcscan, Ldrmodules,
Apihooks, psxview
Way more stuff
• https://code.google.com/p/volatility/
• http://www.mandiant.com/resources/downlo
ads/
L2Read
• Malware Analyst's Cookbook: Tools and
Techniques for Fighting Malicious Code
• Practical Malware Analysis: The Hands-On
Guide to Dissecting Malicious Software
• A Bug Hunter's Diary: A Guided Tour Through
the Wilds of Software Security
• Windows Forensic Analysis Toolkit: Advanced
Analysis Techniques for Windows 7, Third
Edition
Well screw it... L2listen
• Forensics • SANS – sans.org d’uh you know they got some
good stuff
• Security in general:
• Exotic Liability – can be spotty F’ing good in
general
• Pauldotcom – not so much forensics but in
general

similar documents