Acquisition of Memory
win32dd-This is the easiest of the command line tools and probably one of the most used “open source” tools out there. The basic syntax is as follows:
win32dd (output file)
That’s it, all you need to do is provide the name of the output file and where you want it saved.
There are also some “commercial” products out there (such as EnCase and FTK), but I will only be discussing “open source” tools in this blog.
Analysis of Memory
The following tools are the ones that I have used in the past and I realize there are probably more out there.
Memparser-This is a python script and can be found in the SANS Sift Workstation and is only used against Windows 2000 machines.
Memoryze-This tool was created by Kevin Mandia’s company “Mandiant” and is a free download. This tool will only work on Windows XP SP2 and SP3, Windows Vista and Windows 2003 SP2. There is a very good paper out there on how to use this tool at http://www.issa.org/Library/Journals/2009/February/McRee-toolsmith.pdf.
Volatility 1.3-This is an open source command line tool that contains “plugins” written by the community to parse through Windows XP SP2 and SP3 memory dumps only. This tool can be downloaded using SVN and the url is http://volatiltiy.googlecode.com.
Volatility 1.4_RC1-This is the latest version of Volatility and has not been officially released yet, but it can still be downloaded and used against Windows 7 memory dumps only. There is no documentation as of yet but it should be available this summer.
Basic Use of Volatility
Once you have downloaded the tool you will also need to download all the 3rd party plugins. A bash script is available that will download all the plugins and place them in the appropriate folder. It will also download the most current released version of Volatility and install all the perl modules needed to ensure the tool works properly. This script can be downloaded HERE. Once all that is done, you can execute the following syntax to get a listing of the available plugins:
python volatility --help
| Plugin | Description | Primary Maintainer | Core Vote |
|---|---|---|---|
| apihooks | Find API hooks | MHL | . |
| bioskbd | Reads the keyboard buffer from Real Mode memory | MA | Yes |
| connections | Print list of open connections | . | Yes |
| connscan2 | Scan Physical memory for TCPT_OBJECT objects (tcp connections) | . | Yes |
| crashdump | Dumps the crashdump file to a raw file | . | Yes |
| crashinfo | Dump crash-dump information | . | Yes |
| csrpslist | Find hidden processes with csrss handles and CsrRootProcess | MHL | . |
| datetime | Get date/time information for image | MA | Yes |
| dlllist | Print list of loaded dlls for each process | . | Yes |
| dlldump | Dump a DLL from a process address space | MHL | Yes (in contrib folder) |
| driverirp | Driver IRP hook detection | MHL | . |
| driverscan | Scan for driver objects DRIVER_OBJECT | . | . |
| files | Print list of open files for each process | . | Yes |
| filescan | Scan Physical memory for FILE_OBJECT pool allocations | . | . |
| getsids | Print the SIDs owning each process | moyix | Yes |
| hashdump | Dumps password hashes (LM/NTLM) from memory | moyix | Yes |
| hibdump | Dumps the hibernation file to a raw file | . | Yes |
| hibinfo | Dump hibernation file information | . | Yes |
| hivedump | Prints out a hive | moyix | Yes |
| hivelist | Print list of registry hives. | moyix | Yes |
| hivescan | Scan Physical memory for CMHIVE objects (registry hives) | moyix | Yes |
| idt | Display Interrupt Descriptor Table | MHL | . |
| imageinfo | Identify information for the image | MA | Yes |
| impscan | Scan a module for imports (API calls) | MHL | . |
| ldrmodules | Detect unlinked DLLs | MHL | . |
| kpcrscan | Search for and dump potential KPCR values | scudette | Yes |
| lsadump | Dump (decrypted) LSA secrets from the registry | moyix | Yes |
| malfind | Find hidden and injected code | MHL | . |
| memdump | Dump the addressable memory for a process | . | Yes |
| memmap | Print the memory map | . | Yes |
| moddump | Dump out a kernel module (aka driver) | . | Yes (in contrib folder) |
| modscan2 | Scan Physical memory for LDR_DATA_TABLE_ENTRY objects | . | Yes |
| modules | Print list of loaded modules | MA | . |
| mutantscan | Scan for mutant objects KMUTANT | . | . |
| mutantscandb | mutantscan extension for highlighting suspicious mutexes | MHL | . |
| notifyroutines | Print system-wide notification routines | MHL | . |
| orphanthread | Locate hidden threads | MHL | . |
| patcher | Patches memory based on page scans | MA | Yes |
| printkey | Print a registry key, and its subkeys and values | moyix | Yes |
| procexedump | Dump a process to an executable file sample | . | Yes |
| procmemdump | Dump a process to an executable memory sample | . | Yes |
| pslist | Print all running processes by following the EPROCESS lists | . | Yes |
| psscan | Scan Physical memory for EPROCESS objects | . | Yes |
| pstree | Print process list as a tree | scudette | Yes |
| regobjkeys | Print list of open regkeys for each process | MA | . |
| sockets | Print list of open sockets | . | Yes |
| sockscan | Scan Physical memory for ADDRESS_OBJECT objects (tcp sockets) | . | Yes |
| ssdt | Display SSDT entries | moyix | Yes |
| ssdt_by_threads | SSDT hooks by thread | MHL | . |
| ssdt_ex | SSDT Hook Explorer for IDA Pro (and SSDT by thread) | MHL | . |
| strings | Match physical offsets to virtual addresses (may take a while, VERY verbose) | . | . |
| svcscan | Scan for Windows services | MHL | . |
| thrdscan | Scan Physical memory for ETHREAD objects | . | Yes |
| thrdscan2 | Scan Physical memory for ETHREAD objects | . | Yes |
| vaddump | Dumps out the vad sections to a file | . | . |
| vadinfo | Dump the VAD info | . | . |
| vadtree | Walk the VAD tree and display in tree format | . | . |
| vadwalk | Walk the VAD tree | . | . |
The above table shows all the current plugins for Volatility 1.4.
The above table shows all the plugins available for Volatility 1.3. There is also plenty of documentation on how to use this product; in fact, I wrote the manual on the use of this product, which is located in the document library on this forum. To view this manual click HERE.
One of the questions I always get from someone that is just starting out using this tool is “Which plugins do I use first and in what order?” There is no right or wrong answer here, but here is a list of some basic plugins I use just to see what is going on.
Date/Time-This will give you the date and time of when the memory image was taken.
Ident-This will tell you about what operating system it came from.
Connscan-This will list the connections.
pstree and pslist-These will list all the processes in use at the time of the memory dump. This is where you need to pay attention to the PID numbers and which service spawned what. Once you find a suspected file or malware being spawned by, for example, “services.exe”, then you would move on to the next plugin.
procdump-This will dump the process (exe) of the PID that you provide, so you need to make sure you give it the right PID number.
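To show what “pay attention to the PID numbers and what spawned what” looks like in practice, here is an added example that is not code from the original post or from the Volatility project: it parses pslist-style output (the sample below is constructed, and the column layout Name, Pid, PPid, Thds, Hnds, Time is an assumption), rebuilds the parent/child tree the way pstree presents it, lists what a given parent such as services.exe spawned, and flags processes whose parent is not in the list at all.

```python
# Added example, not code from the original post: parse Volatility 1.3 style
# pslist output and rebuild the parent/child tree the author says to check.
# Column layout (Name, Pid, PPid, Thds, Hnds, Time) is assumed; sample is constructed.
import re
SAMPLE_PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
System                 4      0     55    243  Thu Jan 01 00:00:00 1970
smss.exe             368      4      3     21  Sun Mar 08 08:49:40 2009
csrss.exe            584    368     10    384  Sun Mar 08 08:49:42 2009
winlogon.exe         608    368     18    467  Sun Mar 08 08:49:43 2009
services.exe         652    608     16    268  Sun Mar 08 08:49:44 2009
svchost.exe          836    652     19    203  Sun Mar 08 08:49:46 2009
update.exe          1904    652      2     42  Sun Mar 08 09:12:03 2009
explorer.exe        1516   1488     14    381  Sun Mar 08 08:50:11 2009
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

def parse_pslist(text):
    """Return {pid: {"name", "ppid", "time"}}; the header line does not match ROW."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, pid, ppid, _thds, _hnds, when = m.groups()
            procs[int(pid)] = {"name": name, "ppid": int(ppid), "time": when}
    return procs

def children_of(procs, parent_name):
    """(pid, name) of everything spawned by a process called parent_name."""
    parents = {p for p, v in procs.items() if v["name"].lower() == parent_name.lower()}
    return sorted((p, v["name"]) for p, v in procs.items() if v["ppid"] in parents)

def orphans(procs):
    """PIDs whose parent is not listed (exited, or absent from the EPROCESS walk; compare with psscan)."""
    return sorted(p for p, v in procs.items() if v["ppid"] and v["ppid"] not in procs)

def pstree_lines(procs, ppid=0, depth=0):
    """Render the tree the way pstree does: children indented under their parent."""
    out = []
    for pid in sorted(p for p, v in procs.items() if v["ppid"] == ppid):
        out.append("." * depth + f"{procs[pid]['name']} {pid}")
        out.extend(pstree_lines(procs, pid, depth + 1))
    return out

if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(pstree_lines(procs)))
    print("spawned by services.exe:", children_of(procs, "services.exe"))
    print("parent not in list:", orphans(procs))
```

A process that shows up only under orphans (here explorer.exe, whose parent 1488 is gone) is normal when the parent has simply exited, but a child of services.exe with an unfamiliar name, like the constructed update.exe above, is the kind of PID the author says to hand to procdump next.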
As with anything this tool requires the user to practice and become familiar with the plugins and what they can do. Please take a look at some of the external links on the Training wiki to forensic challenges.
The last thing I want to discuss is the hiberfil.sys file. This file will be found on a laptop computer that has gone into “hibernation mode” at some point. The contents of memory are dumped into the file in a compressed state, so you need a tool to uncompress the memory before you can run these tools against it. It so happens that Volatility has a plugin that will do that for you. That plugin is Hibinfo and the syntax is as follows:
python volatility hibinfo -f (path to image) -d (path and name of the output file ie memory.dd)
Once that is done then you can use volatility or whatever tool you like against the dump file.