Date posted: 02-Jun-2018
Category: Documents
Uploaded by: shafeeque-olassery-kunnikkal
8/10/2019 Memory Forensics Notes
Memory Forensics
Simply download DumpIt and put it onto a USB drive.
If you are running it on Windows 7 you will need administrator rights.
If using a USB drive, ensure that there is enough space on it to store the memory
image.
http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/
Once the memory image is created we can analyze it with Volatility.
http://www.volatilityfoundation.org/#!24/c12wa
Identifying the Profile of a Memory Image
volatility imageinfo -f memimage.raw  (to get the image details)
The "imageinfo" command gives you several pieces of information. For now, we
just need to know the profile type of the memory dump.
Retrieving the Registry Hive List
Now, we need the hive list so we can get the starting location of where the
registry information resides.
volatility hivelist -f memimage.raw --profile=Win7SP1x86
Dumping Individual Registry Hives
We now have a list of where several key items are located in the memory dump. We
can use this information to find individual artifacts or we can just dump the
whole hive.
To do so, you simply need to use the "hivedump" command and the virtual
memory address of the hive you want to view from the list recovered above.
Take a look at the Software hive, using its virtual offset address:
volatility --profile=Win7SP1x86 -f memimage.raw hivedump -o <virtual offset of the Software hive from hivelist>
Retrieving a Specific Registry Key Value
Using hivedump will return a ton of registry settings, which might be a little more
than we need. You can also search the registry keys for specific data.
For example, to find the name of the last logged in user you can check the
Winlogon registry key:
volatility -f memimage.raw --profile=Win7SP1x86 printkey -K "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
Password Hashes
If you can obtain a memory image, you can get the password hashes. This is of
importance to security penetration testers because if you have the hashes, you
can then proceed to crack them or use them in pass-the-hash types of attacks to
access other systems on the network.
To do this we need to know the starting memory locations for the SYSTEM and
SAM hives. We look in the hivelist; for this, copy down the numbers in the first
column that correspond to the SAM and SYSTEM locations.
List of Running Processes
Now let's take a look at recovering a list of the running processes and active
network connections.
volatility pslist -f memimage.raw --profile=Win7SP1x86
Listing Running Processes as a Tree
To view the process listing in tree form, use the pstree command. This
enumerates processes using the same technique as pslist, so it will also not show
hidden or unlinked processes. Child processes are indicated using indentation and
periods.
volatility pstree -f memimage.raw --profile=Win7SP1x86
Enumerating Processes
To enumerate processes using pool tag scanning, use the psscan command. This
can find processes that previously terminated (inactive) and processes that have
been hidden or unlinked by a rootkit.
volatility psscan -f memimage.raw --profile=Win7SP1x86
Listing DLLs Loaded into Memory
To display a process's loaded DLLs, use the dlllist command.
volatility dlllist -f memimage.raw --profile=Win7SP1x86
Extract a DLL from a Process's Memory
To extract a DLL from a process's memory space and dump it to disk for analysis,
use the dlldump command.
volatility.exe dlldump -f memimage.raw --profile=Win7SP1x86 -r kernel32 -D out
It is possible to dump all DLLs of a specific process using its process id (the -p option).
Retrieving Commands Typed in the Command Prompt
Another interesting command we can run is "cmdscan". This plug-in allows us to
see what commands, if any, were run from the command prompt.
volatility cmdscan -f memimage.raw --profile=Win7SP1x86
Active network connections and sockets are listed with the netscan command:
volatility netscan -f memimage.raw --profile=Win7SP1x86
Rootkit Detection using Volatility
Hidden processes are revealed by comparing the output of the volatility pslist and
psscan modules.
volatility.exe pslist -f infected-winxp.raw --profile=WinXPSP2x86
volatility.exe psscan -f infected-winxp.raw --profile=WinXPSP2x86
Drivers loaded by the HackerDefender rootkit are revealed by the driverscan
module.
volatility.exe driverscan -f infected-winxp.raw --profile=WinXPSP2x86
Modules running on the infected system can be revealed by the modules and
modscan plugins:
volatility.exe modules -f infected-winxp.raw --profile=WinXPSP2x86
To scan physical memory for kernel modules, use the modscan command. This
can pick up previously unloaded drivers and drivers that have been
hidden/unlinked by rootkits. Included in the output is the offset of the module,
which is a physical address.
volatility.exe modscan -f infected-winxp.raw --profile=WinXPSP2x86
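The cross-view check behind this section and the earlier pslist/psscan pages, as an added example that is not part of the original notes: it parses Volatility 2 pslist and psscan output (the sample rows below are constructed, and the hxdef100.exe entry is made up for the demonstration) and reports processes that only psscan finds and that carry no exit time, since psscan also returns already-terminated processes.

```python
# Constructed sample output in Volatility 2 pslist/psscan format (not from the page).
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x810b1660 System                    4      0     58      379 ------      0
0x81e2ab28 smss.exe                368      4      3       19 ------      0 2010-08-11 06:06:21 UTC+0000
0x81f4d8b0 svchost.exe             856    676     29      336      0      0 2010-08-11 06:06:24 UTC+0000
"""

PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000020b1660 System                4      0 0x00319000
0x00000000022eab28 smss.exe            368      4 0x00f78020 2010-08-11 06:06:21 UTC+0000
0x00000000024ed8b0 svchost.exe         856    676 0x080403e0 2010-08-11 06:06:24 UTC+0000
0x0000000002516da0 hxdef100.exe       1112    668 0x08040160 2010-08-11 06:08:19 UTC+0000
0x0000000002340020 notepad.exe        1472   1252 0x08040280 2010-08-11 06:07:40 UTC+0000 2010-08-11 06:07:59 UTC+0000
"""

def parse_rows(output):
    """Split each data row of a Volatility table into columns, skipping the
    two header lines and any blank line."""
    return [line.split() for line in output.splitlines()[2:] if line.strip()]

def listed_processes(pslist_out):
    """(PID, name) pairs that pslist found by walking the kernel's linked list."""
    return {(int(cols[2]), cols[1]) for cols in parse_rows(pslist_out)}

def hidden_processes(pslist_out, psscan_out):
    """(PID, name) pairs that psscan carved from physical memory but pslist did
    not see, excluding processes that psscan reports as already exited; the
    remainder are candidates for a process unlinked by a rootkit."""
    listed = listed_processes(pslist_out)
    hidden = []
    for cols in parse_rows(psscan_out):
        pid, name = int(cols[2]), cols[1]
        # Columns: offset, name, PID, PPID, PDB, then three tokens per
        # timestamp; 11 or more columns means "Time exited" is present.
        exited = len(cols) >= 11
        if (pid, name) not in listed and not exited:
            hidden.append((pid, name))
    return hidden

if __name__ == "__main__":
    for pid, name in hidden_processes(PSLIST, PSSCAN):
        print("possible hidden process: PID %d %s" % (pid, name))
```

The same comparison applies to modules versus modscan, with the module name used as the key instead of the PID.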
Dump the suspicious process into a directory.
volatility.exe malfind -f infected-winxp.raw --profile=WinXPSP2x86 -D <output directory>
Upload the dumped process to VirusTotal for analysis.
Basic Malware Analysis using Volatility
http://malwarecookbook.googlecode.com/svn-history/r26/trunk/17/1/zeus.vmem.zip
Download the above memory dump, which is infected with the Zeus malware.
Determine the OS the memory snapshot was taken from, using the imageinfo command.
volatility imageinfo -f zeus.vmem
List out the processes which were running when the snapshot was taken. Use the
pslist command.
volatility pslist -f zeus.vmem --profile=WinXPSP2x86
List the open TCP connections using the connscan command.
volatility connscan -f zeus.vmem --profile=WinXPSP2x86
Do a whois on the IP address obtained from the above step.
whois <IP address from connscan>
List out the registry hives loaded into memory. Use the hivelist command.
volatility hivelist -f zeus.vmem --profile=WinXPSP2x86
The key "Userinit" specifies what program should be launched right after a user
logs into Windows.
The default program for this key is C:\windows\system32\userinit.exe.
Userinit.exe is a program that restores your profile, fonts, colors, etc. for your
username.
It is possible to add further programs that will launch from this key by separating
the programs with a comma. It is a common place for trojans.
volatility printkey -f zeus.vmem --profile=WinXPSP2x86 -o <virtual offset of the software hive from hivelist> -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
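An added check, not from the original notes, that parses printkey output for this key and flags every Userinit program other than the default userinit.exe; the sample output below is constructed, with an extra entry modelled on the sdra64.exe file the notes go on to describe.

```python
import re

# Constructed printkey output in Volatility 2 format (sample, not from the page).
PRINTKEY_OUTPUT = r"""
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Last updated: 2010-08-11 06:08:21 UTC+0000

Subkeys:
  (S) GPExtensions
  (S) Notify

Values:
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
REG_SZ        Shell           : (S) Explorer.exe
REG_SZ        DefaultUserName : (S) Administrator
"""

# The default Userinit program named in the notes (compared case-insensitively).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

def registry_value(output, name):
    """Return the data of value `name` from printkey output, or None if absent."""
    pattern = r"^REG_\w+\s+%s\s*:\s*\([SV]\)\s*(.*)$" % re.escape(name)
    match = re.search(pattern, output, re.MULTILINE)
    return match.group(1).strip() if match else None

def userinit_programs(output):
    """Split the comma-separated Userinit value into program paths, dropping
    the empty element that the conventional trailing comma leaves behind."""
    value = registry_value(output, "Userinit") or ""
    return [p.strip() for p in value.split(",") if p.strip()]

def suspicious_userinit_entries(output):
    """Every Userinit program other than the default userinit.exe; on a clean
    system this list is empty, so anything in it deserves a closer look."""
    return [p for p in userinit_programs(output) if p.lower() != DEFAULT_USERINIT]

if __name__ == "__main__":
    for program in suspicious_userinit_entries(PRINTKEY_OUTPUT):
        print("extra Userinit entry:", program)
```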
List the processes in tree form using the pstree command. This plugin prints the
process list as a tree so we can visualize the parent/child relationships.
volatility pstree -f zeus.vmem --profile=WinXPSP2x86
We did notice that winlogon.exe launched sdra64.exe and that the system process
svchost.exe
Now run the malfind plugin. Create a directory called out and let the malfind module
dump the embedded program in process id 856.
volatility malfind -f zeus.vmem --profile=WinXPSP2x86 -p 856 -D out
Now upload the extracted dump from the out directory to VirusTotal; you can see
that it is being detected as a Zbot.
Reference
https://code.google.com/p/volatility/wiki/CommandReference#connections