Hacking Articles » Cyber Forensics

Volatility – An advanced memory forensics framework

Raj Chandel — Mon, 14 Jan 2013 12:59:01 +0000

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Windows Features

Basic / Informational

Current date, time, CPU count, CPU speed, service pack
Current thread and idle thread
Addresses of the KDBG, KPCR, DTB, PsActiveProcessHead, PsLoadedModuleList, etc

Processes

List active processes (column or tree view)
Scan for hidden or terminated _EPROCESS objects (using pool tags or _DISPATCHER_HEADER)
Enumerate DLLs in the PEB LDR lists
Rebuild/extract DLLs or EXEs to disk based on name, base address, or physical offset
Print open handles to files, registry keys, mutexes, threads, processes, etc
List security identifiers (SIDs) for processes
Scan for cmd.exe command history and full console input/output buffers
List process environment variables
Print PE version information from processes or DLLs (file version, company name, etc)
Enumerate imported and exported API functions anywhere in process or kernel memory
Show a list of virtual and physical mappings of all pages available to a process
Dump process address space to disk as a single file
Analyze Virtual Address Descriptor (VAD) nodes, show page protection, flags, and mapped files
Represent the VAD in tree form or Graphviz .dot graphs
Dump each VAD range to disk for inspecting with external tools
Parse XP/2003 event log records

Kernel Memory

List loaded kernel modules and scan for hidden/unloaded module structures
Extract PE files including drivers from anywhere in kernel memory
Dump the SSDT for all 32- and 64-bit windows systems
Scan for driver objects, print IRP major function tables
Show devices and device tree layout
Scan for file objects (can show deleted files, closed handles, etc)
Scan for threads, mutex objects and symbolic links

GUI Memory

Analyze logon sessions and the processes and mapped images belonging to the session
Scan for window stations and clipboard artifacts (clipboard snooping malware)
Scan for desktops, analyze desktop heaps and attached GUI threads
Locate and parse atom tables (class names, DLL injection paths, etc)
Extract the contents of the windows clipboard
Analyze message hooks and event hooks, show the injected DLL and function address
Dump all USER object types, pool tags, and flags from the gahti
Print all open USER handles, associated threads or processes, and object offsets
Display details on all windows, such as coordiates, window title, class, procedure address, etc
Take screen shots from memory dumps (requires PIL)

Malware Analysis

Find injected code and DLLs, unpacker stubs, and decrypted configurations, etc
Scan process or kernel memory for any string, regular expression, byte pattern, URL, etc
Analyze services, their status (running, stopped, etc) and associated process or driver
Cross-reference memory mapped executable files with PEB lists to find injected code
Scan for imported functions in process or kernel memory (without using import tables)
Detect API hooks (Inline, IAT, EAT), hooked winsock tables, syscall hooks, etc
Analyze the IDT and GDT for each CPU, alert on hooks and disassemble code
Dump details of threads, such as hardware breakpoints, context registers, etc
Enumerate kernel callbacks for process creation, thread creation, and image loading
Display FS registration, registry, shutdown, bugcheck, and debug print callbacks
Detect hidden processes with alternate process listings (6+ sources)
Analyze kernel timers and their DPC routine functions

Networking

Walk the list of connection and socket objects for XP/2003 systems
Scan physical memory for network information (recover closed/terminated artifacts)
Determine if listening sockets are IPv4, IPv6, etc and link to their owning processes
Registry
Scan for registry hives in memory
Parse and print any value or key cached in kernel memory, with timestamps
Dump an entire registry hive recursively
Extract cached domain credentials from the registry
Locate and decrypt NT/NTLM hashes and LSA secrets
Analyze user assist keys, the shimcache, and shellbags
Crash Dumps, Hibernation, Conversion
Print crash dump and hibernation file header information
Run any plugin on a crash dump or hibernation file (hiberfil.sys)
Convert a raw memory dump to a crash dump for opening in !WinDBG
Convert a crash dump or hibernation file to a raw memory dump

Miscellaneous

Link strings found at physical offsets to their owning kernel address or process
Interactive shell with disassembly, type display, hexdumps, etc

How to use Volatility Framework

Before you can conduct victim system analysis you need to capture memory.

Step 1: First Download dumpit and capture victim pc memory (How to use Dumpit)

Step2: Download Volatility for windows PC from here

Step3: Now Open Volatility from command prompt and use the Following Commands

Imageinfo

If you don’t know what type of system your image came from, use the imageinfo command

volatility.exe –f (Windows Dump Path) imageinfo

pslist

To list the processes of a system, use the pslist command. This walks the doubly-linked list pointed to by PsActive Process Head. It does not detect hidden or unlinked processes.

volatility.exe –f (Windows Dump Path) pslist

psscan

To enumerate processes using pool tag scanning, use the psscan command. This can find processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit.

volatility.exe –f (Windows Dump Path) psscan

dlllist

To display a process’s loaded DLLs, use the dlllist command. It walks the doubly-linked list of LDR_DATA_TABLE_ENTRY structures which is pointed to by the PEB’s In Load Order Module List. DLLs are automatically added to this list when a process calls LoadLibrary (or some derivative such as LdrLoadDll) and they aren’t removed until Free Library is called and the reference count reaches zero.

volatility.exe –f (Windows Dump Path) dlllist

getsids

To view the SIDs (Security Identifiers) associated with a process, use the getsids command. Among other things, this can help you identify processes which have maliciously escalated privileges.

volatility.exe –f (Windows Dump Path) getsids

sockets

To detect listening sockets for any protocol (TCP, UDP, RAW, etc), use the sockets command. This walks a singly-linked list of socket structures which is pointed to by a non-exported symbol in the tcpip.sys module. This command is for Windows XP and Windows 2003 Server only.

volatility.exe –f (Windows Dump Path) sockets

hivelist

To locate the virtual addresses of registry hives in memory, and the full paths to the corresponding hive on disk, use the hivelist command.

volatility.exe –f (Windows Dump Path) hivelist

userassist

To get the UserAssist keys from a sample you can use the userassist plugin.

volatility.exe –f (Windows Dump Path) userassist

svcscan

Volatility is the only memory forensics framework with the ability to list Windows services. To see which services are registered on your memory image, use the svcscan command. The output shows the process ID of each service (if its active and pertains to a usermode process), the service name, service display name, service type, and current status. It also shows the binary path for the registered service – which will be an EXE for usermode services and a driver name for services that run from kernel mode

volatility.exe –f (Windows Dump Path) svcscan

Command Reference & More Commands Visit:

http://code.google.com/p/volatility/wiki/CommandReference

DumpIt – RAM Capture Tool

Raj Chandel — Mon, 14 Jan 2013 00:41:37 +0000

This utility is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bits) and x64 (64-bits) machines. The raw memory dump is generated in the current directory, only a confirmation question is prompted before starting. Perfect to deploy the executable on USB keys, for quick incident responses needs.

First Download Dumpit from Here and Save in Your Desktop

Now run Dumpit.exe file the raw memory dump will be generated and save to the same directory

How to View Last Activity of Your PC

Raj Chandel — Mon, 29 Oct 2012 07:00:36 +0000

LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer.

Download

How to view Date & Time of any Captured JPEG Image

Raj Chandel — Fri, 22 Jun 2012 11:41:00 +0000

ExifDataView

ExifDataView is a small utility that reads and displays the Exif data stored inside .jpg image files generated by digital cameras. The EXIF data includes the name of the company created the camera, camera model, the date/time that the photograph was taken, Exposure Time, ISO Speed, GPS information (for digital cameras with GPS), and more.

Download

Photo Studio

Photo Studio is a useful tool for exploring the Meta data stored along with your image files. The program supports a wide variety of Meta data standards, including EXIF, CIFF, Olympus, JFIF and Photoshop. EXIF data will be of particular interest to digital camera users – it is the format used by most digital cameras to store camera settings along with an image.

Download

In Windows PC

Right Click on Your Image then click on properties

In properties tab click on Details

Antivirus Forensics Tools

Raj Chandel — Sun, 04 Mar 2012 19:48:01 +0000

Chkrootkit

chkrootkit is a tool to locally check for signs of a rootkit. It contains a chkrootkit: shell script that checks system binaries for rootkit modification. Chkrootkit is a powerful tool to scan your Linux server for Trojans.

Download

Rkhunter

Rootkit scanner is scanning tool to ensure you for about 99.9%* you’re clean of nasty tools. This tool scans for rootkits, backdoors and local exploits. rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware.

Download

BFT (Browser Forensic Tool )

Raj Chandel — Sun, 19 Feb 2012 13:51:09 +0000

Browser forensic tool is software that will search in all kind of browser history (even archived) in a few seconds. It will retrieve URLS and Title with the chosen keywords of all matching search.

Download

How to View Windows system reboot Date and Time (Windows Forensics)

Raj Chandel — Wed, 02 Nov 2011 18:51:06 +0000

Open command prompt and type

Systeminfo | find /i “boot time”

This will show the time when you last rebooted the computer.

Other method

Start Windows Task Manager Press (Alt+Ctrl+Del) in this window, click on the Performance tab.

Hacking Computer forensics Exposed

Raj Chandel — Mon, 29 Aug 2011 05:06:19 +0000

Download

List of Computer Forensics Tools (Part 1)

Raj Chandel — Sat, 06 Aug 2011 08:23:06 +0000

Process Explorer: The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you’ll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

Autoruns: Autoruns shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys.

Irfan View : IrfanView is a very fast, small, compact and innovative Freeware (for non-commercial use) graphic viewer for Windows.

Fport :fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the ‘netstat -an’ command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

Adapterwatch: AdapterWatch displays useful information about your network adapters: IP addresses, Hardware address, WINS servers, DNS servers, MTU value, Number of bytes received or sent, The current transfer speed, and more. In addition, it displays general TCP/IP/UDP/ICMP statistics for your local computer.

Visual TimeAnalyzer: Visual TimeAnalyzer automatically tracks all computer usage and presents detailed, richly illustrated reports.

SIW: SIW is an advanced System Information for Windows tool that analyzes your computer and gathers detailed information about system properties and settings and displays it in an extremely comprehensible manner.

Find Last Connected USB on your system (USB Forensics)

Raj Chandel — Sat, 06 Aug 2011 05:11:15 +0000

USBDeview is a small utility that lists all USB devices that currently connected to your computer, as well as all USB devices that you previously used.
For each USB device, exteneded information is displayed: Device name/description, device type, serial number (for mass storage devices), the date/time that device was added, VendorID, ProductID, and more…
USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, as well as to disable and enable USB devices.
You can also use USBDeview on a remote computer, as long as you login to that computer with admin user.