
Memory analysis

Session 1.2
Install volatility from sources
First install git:
https://github.com/git-for-windows/git/releases/download/v2.34.0.windows.1/Git-2.34.0-64-bit.exe

Accept the installer defaults (Next, Next, Next ...).


Launch a cmd.exe

Go to D: or E: or another drive; the volatility directory will be created automatically:

git clone https://github.com/volatilityfoundation/volatility.git
Update the project:

git pull origin master


Install python 2.7:
https://www.python.org/ftp/python/2.7.17/python-2.7.17.amd64.msi

Select all options (pip, add python to the environment variables).

If you type python in the command prompt and you obtain the same as the screenshot below, it's OK.
Install dependencies
The compiler for python 2.7 (Microsoft Visual C++ Compiler for Python 2.7):
http://www.microsoft.com/en-us/download/details.aspx?id=44266
Update pip if necessary:

python -m pip install --upgrade pip

Manipulate xlsx format:

pip install openpyxl==2.1.2

Disassembler library:

pip install distorm3==3.3.4

Yara – pattern matching:

pip install yara-python==3.11

Pycrypto – Python cryptography toolkit:

pip install pycrypto

PIL – Python imaging library:

pip install pillow

Interactive shell:

pip install ipython

JSON parsing library:

pip install ujson==1.35

Graphviz – open source visualization software:
https://gitlab.com/api/v4/projects/4207231/packages/generic/graphviz-releases/2.49.3/stable_windows_10_cmake_Release_x64_graphviz-install-2.49.3-win64.exe
Install Volatility 3
Python 3.6 or later is required:

git clone https://github.com/volatilityfoundation/volatility3.git

pip3 install -r requirements-minimal.txt

python3 vol.py -h
Volatility on Linux: installed by default on Kali Linux (the easiest) or on SIFT.
What is present on the hard disk and is also a RAM dump? hiberfil.sys
Because hiberfil.sys is compressed, we need to convert it.
Hiberfil – transform hiberfil to a RAM dump
https://arsenalrecon.com/weapons/hibernation-recon/

HibRec.exe /HiberFil=hiberfil.dmp /OutputPath=./hiberecon.dmp /Free

Or with the GUI.
Volatility (Windows 8):
vol.py -f hiberfil.sys imagecopy -O ./hiberfilTAW.raw

hibr2bin:
Hibr2Bin /PLATFORM X64 /MAJOR 6 /MINOR 1 /INPUT hiberfil.sys /OUTPUT uncompressed.bin
Pagefile.sys
Use the foremost tool on a Linux distribution:
https://github.com/korczis/foremost

Extract strings with the page_brute project (Yara rules):
https://github.com/matonis/page_brute

page_brute-BETA.py -f F:\CloudStation\Formation-RAM\pagefile.sys -o OUTPUT-DIR-NAME

$ strings * | less

Foremost (Linux):

foremost -a pagefile.sys

Extract some artifacts: Belkasoft Evidence Center
Crashdumps
Memory.dmp – WinDbg
Install the Windows 10 SDK to get WinDbg:
https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk

cd "c:\Program Files (x86)\Windows Kits\10\Debuggers\x64"
kd.exe -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -i c:\Windows\System32 -z F:\MEMORY.DMP

Example : OSINT…

Memory.dmp – string extraction

Memory.dmp – to dump a process by hand: Process Explorer (procexp64), then Create Full Dump.


Extract Windows credentials from an LSASS dump with WinDbg
Open WinDbg
File - Open Crash Dump
File - Symbol File Path: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
.reload /n
Download and unzip mimikatz, then load mimilib:
.load F:\mimikatz_trunk\x64\mimilib.dll

kd> !process 0 0 lsass.exe

# Then switch to its context
kd> .process /r /p fffff800cbecb30
# And finally:
0: kd> !mimikatz
Crash system
To force the system to crash you can use the Sysinternals tool NotMyFault.

Crashinfo – find info on a complete crashdump:

vol.py -f crash.dmp --profile=Win10x64_16299 crashinfo

Transform a complete crashdump into raw memory:

vol.py -f crash.dmp --profile=Win10x64_16299 imagecopy -O crashnew.dmp


Search for viruses in memory

VolDiff lets you search for threats in RAM and submits them to VirusTotal.

VolDiff – https://github.com/aim4r/VolDiff/wiki

How to find the Windows profile?

vol.py -f dump.raw imageinfo

Volatility 3: windows.info
List of recent profiles

OS               Build             Date        PDB       Profile
10 x64           10.0.10240.17770  2018-02-10            Win10x64_10240_17770
10 x64           10.0.10586.306    2016-04-23  1AC738FB  Win10x64_10586
10 x64           10.0.14393.0      2016-07-16  DD08DD42  Win10x64_14393 (Anniversary)
10 x64           10.0.15063.0      2017-04-04            Win10x64_15063 (Creators)
10 x86           10.0.10586.420    2016-05-28  44B89EEA  Win10x86_10586
10 x86           10.0.14393.0      2016-07-16  9619274A  Win10x86_14393 (Anniversary)
10 x86           10.0.15063.0      2017-04-04            Win10x86_15063 (Creators)
2008 R2 SP1 x64  6.1.7601.23418    2016-04-09  632B36E0  Win2008R2SP1x64_23418
2008 R2 x64      6.3.9600.18340    2016-05-13  54B5A1C6  Win2012R2x64_18340
7 SP1 x64        6.1.7601.23418    2016-04-09  632B36E0  Win7SP1x64_23418
7 SP1 x86        6.1.7601.23418    2016-04-09  BBA98F40  Win7SP1x86_23418
8 x64            6.3.9600.18340    2016-05-13  54B5A1C6  Win8SP1x64_18340
All profiles
VistaSP0x64 - Windows Vista SP0 x64
VistaSP0x86 - Windows Vista SP0 x86
VistaSP1x64 - Windows Vista SP1 x64
VistaSP1x86 - Windows Vista SP1 x86
VistaSP2x64 - Windows Vista SP2 x64
VistaSP2x86 - Windows Vista SP2 x86
Win10x64 - Windows 10 x64
Win10x64_10586 - Windows 10 x64 (10.0.10586.306)
Win10x64_14393 - Windows 10 x64 (10.0.14393.0)
Win10x86 - Windows 10 x86
Win10x86_10586 - Windows 10 x86 (10.0.10586.420)
Win10x86_14393 - Windows 10 x86 (10.0.14393.0)
Win2003SP0x86 - Windows 2003 SP0 x86
Win2003SP1x64 - Windows 2003 SP1 x64
Win2003SP1x86 - Windows 2003 SP1 x86
Win2003SP2x64 - Windows 2003 SP2 x64
Win2003SP2x86 - Windows 2003 SP2 x86
Win2008R2SP0x64 - Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - Windows 2008 R2 SP1 x64
Win2008R2SP1x64_23418 - Windows 2008 R2 SP1 x64 (6.1.7601.23418)
Win2008SP1x64 - Windows 2008 SP1 x64
Win2008SP1x86 - Windows 2008 SP1 x86
Win2008SP2x64 - Windows 2008 SP2 x64
Win2008SP2x86 - Windows 2008 SP2 x86
Win2012R2x64 - Windows Server 2012 R2 x64
Win2012R2x64_18340 - Windows Server 2012 R2 x64 (6.3.9600.18340)
Win2012x64 - Windows Server 2012 x64
Win2016x64_14393 - Windows Server 2016 x64 (10.0.14393.0)
Win7SP0x64 - Windows 7 SP0 x64
Win7SP0x86 - Windows 7 SP0 x86
Win7SP1x64 - Windows 7 SP1 x64
Win7SP1x64_23418 - Windows 7 SP1 x64 (6.1.7601.23418)
Win7SP1x86 - Windows 7 SP1 x86
Win7SP1x86_23418 - Windows 7 SP1 x86 (6.1.7601.23418)
Win81U1x64 - Windows 8.1 Update 1 x64
Win81U1x86 - Windows 8.1 Update 1 x86
Win8SP0x64 - Windows 8 x64
Win8SP0x86 - Windows 8 x86
Win8SP1x64 - Windows 8.1 x64
Win8SP1x64_18340 - Windows 8.1 x64 (6.3.9600.18340)
Win8SP1x86 - Windows 8.1 x86
WinXPSP1x64 - Windows XP SP1 x64
WinXPSP2x64 - Windows XP SP2 x64
WinXPSP2x86 - Windows XP SP2 x86
WinXPSP3x86 - Windows XP SP3 x86
System processes

System
- Created by ntoskrnl.exe via the process manager function
- No parent process
- System has a static PID of 4
- System creates smss.exe
- Only one System process running

Source : Patrick Olsen Job
Smss.exe – Session manager
- Parent process is System (PPID: 4)
- Base priority of 11
- Username: NT AUTHORITY\SYSTEM
- Runs from %systemroot%\System32\smss.exe
- Creates session 0 (OS services)
- Creates session 1 (user session)
- Creates csrss and winlogon, then exits, which is why they have no parent process and both have session ID 1
- Runs within session 0
- Only one smss.exe process should be running at one time: the second smss.exe process exits, so you will only see the one running in session 0
Csrss.exe – The client/server runtime subsystem
- One csrss process per session
- Path = Windows\System32
- Base priority of 13
- Username: NT AUTHORITY\SYSTEM
- Creates/deletes processes and threads, temp files, etc.
- Its name is often mimicked by malware to hide on systems (CSSRS.EXE, CSRSSS.EXE)
- Parent is not shown
- In XP it is used to draw text-based console windows; under Windows 7 the conhost process provides that functionality (for example for cmd.exe)
Wininit.exe – Windows Initialization Process
- Created by smss.exe, but since smss.exe exits there is no parent to WININIT
- Children: services.exe (SCM), lsass.exe and lsm.exe
- Username: NT AUTHORITY\SYSTEM
- %SystemRoot%\system32\wininit.exe
- Base priority of 13
- Creates %windir%\temp
- Runs within session 0
Services.exe – Service Control Manager
- Child of WININIT.EXE
- Parent of services such as svchost.exe, dllhost.exe, taskhost.exe, spoolsv.exe, etc.
- Services are defined in SYSTEM\CurrentControlSet\Services
- %SystemRoot%\System32\services.exe
- Username: NT AUTHORITY\SYSTEM
- Base priority of 9
- Loads a database of services into memory
- Runs within session 0
- There should only be one services.exe process running
LSASS.exe – Local Security Authority
- Child of WININIT.EXE
- Only one lsass.exe process
- %SystemRoot%\System32\lsass.exe
- Responsible for the local security policy, including managing the users allowed to log in, password policies, writing to the security event log, etc.
- Often targeted by malware as a means to dump passwords
- Also mimicked by malware to hide on a system (lass.exe, lssass.exe, lsasss.exe, etc.). These "fake" names will not be children of wininit.exe
- Base priority of 9
- Username: NT AUTHORITY\SYSTEM
- Runs within session 0
- It should not have child processes
Svchost.exe – Service Hosting Process
- Multiple instances of svchost.exe can and do run
- %SystemRoot%\System32\svchost.exe
- Username: should only be one of three options: NT AUTHORITY\SYSTEM, LOCAL SERVICE or NETWORK SERVICE
- Parent process: services.exe
- Base priority of 8
- Often mimicked (scvhost, svch0st, etc.). When they are mimicked they will not be running as children of services.exe
- Command line: svchost.exe -k <name>
- -k <name> values should exist within the Software\Microsoft\Windows NT\CurrentVersion\Svchost registry key
- Often, when malware uses the actual svchost.exe to load its malicious service, it will not include the -k command line parameter and will be running under a username that does not match one of the three listed above
- They should all be running within session 0
Lsm.exe – Local Session Manager Service
- Manages the state of terminal server sessions on the local machine. Sends the requests to smss.exe to start new sessions
- Child of wininit.exe
- %systemroot%\System32\lsm.exe
- Base priority of 8
- Username: NT AUTHORITY\SYSTEM
- Runs within session 0
- Under Windows 10: %systemroot%\system32\svchost.exe -k DcomLaunch
WinLogon.exe – Windows Logon process
- No parent process
- Could have a child process of LogonUI if smartcards, etc. are used to authenticate
- LogonUI will terminate once the user enters their password
- Once the password is entered, the verification is sent over to LSASS and it is verified via Active Directory or the SAM (the registry hive SAM), which stores local user and group information
- Loads Userinit from Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- The Userinit value in the registry should be: Userinit.exe, (note the comma). Malware will sometimes add additional values to this key, which will load malware upon successful logon
- Userinit.exe exits once it runs, so you won't see this process running when you look
- Userinit initializes the user environment. This includes running GPOs and logon scripts
- It will run the Shell value located at Software\Microsoft\Windows NT\CurrentVersion\Winlogon within the registry. The value of Shell should be Explorer.exe. Malware will also sometimes use this to execute malware by adding values
- No parent process since Userinit.exe exits
Explorer.exe – Windows Explorer
- The value "Explorer.exe" is stored in the Shell value within the registry. The registry location is: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- Base priority of 8
- Username: the logged-on user account
- %Systemroot%\Explorer.exe
- This will contain multiple child processes
- This process is often targeted by malware. Malware will often inject into this process. One indication of this is if Explorer.exe is connecting out to the internet
Taskhost.exe – Task manager (old versions of Windows)
- Base priority of 8
- Username: logged-on user or SYSTEM
- Parent process: services.exe
- One or more different instances
- Path: %SystemRoot%\System32\taskhost.exe

Taskhostw.exe – Task manager
- Base priority of 8
- Username: logged-on user or SYSTEM
- Parent process: svchost.exe
- One or more different instances
- Path: %SystemRoot%\System32\taskhostw.exe

https://www.youtube.com/watch?v=vpSIw-zGhhE
Display priority of processes

Run the volshell plugin in Volatility and paste the code below (Python 2):

for proc in getprocs():
    print "Pid: {0} Priority: {1} Name: {2}".format(proc.UniqueProcessId, proc.Pcb.BasePriority, proc.ImageFileName)
Display process user account

vol.py -f J:\ch2.dmp --profile=Win7SP1x86 getsids -p 4

Basic process resources: four plugins to extract processes.

Tools helping to compare files:

Windows
- Notepad++ Compare plugin: https://github.com/bruderstein/nppPluginManager/releases

Linux
- diff
- colordiff
Pslist – Display the linked list of processes

Syntax: vol.py -f D:\dump.dmp --profile=Win10x64_15063 pslist

Module output options: dot, greptext, html, json, sqlite, text, xlsx
Volatility 3: windows.pslist.PsList

vol.py -f D:\dmp.dmp --profile=Win10x64_15063 --output=greptext pslist --output-file pslist-dmp.csv

--tz=Europe/Paris : time zone Paris instead of UTC
Psscan – Scan for _EPROCESS structures

Syntax: vol.py -f D:\dump.dmp --profile=Win10x64_15063 psscan

Module output options: dot, greptext, html, json, sqlite, text, xlsx

vol.py -f D:\dmp.dmp --profile=Win10x64_15063 --output=greptext psscan --output-file pslist-dmp.csv
PStree – Display the process tree

Syntax: vol.py -f D:\dump.dmp --profile=Win10x64_15063 pstree

Module output options: dot, greptext, html, json, sqlite, text, xlsx

pstree -v shows the command line and path

Graphviz – DOT output:

vol.py -f D:\ch2.dmp --profile=Win7SP1x86 --output=dot pslist --output-file pslist.dot
Alternate process listing

Thread scanning: a process has at least one thread. Scan ETHREAD objects and map them to their owning processes.

PspCid table: every process' PID corresponds to its location in the PspCidTable.

CSRSS handle table: each time a process is created, its EPROCESS address is stored within csrss.exe, with the exception of csrss itself and the processes that started before it.

Session processes: a member of _EPROCESS associates all processes that belong to a particular user's logon session.

Desktop threads: store a list of all threads attached to each desktop.

PSXView – Compare multiple process listings

vol.py -f D:\ch2.dmp --profile=Win7SP1x86 psxview

vol.py -f D:\ch2.dmp --profile=Win7SP1x86 psxview --apply-rules

Processes that start before csrss.exe (including System, smss.exe and csrss.exe itself) are not in the CSRSS handle table.

Processes that start before smss.exe (including System and smss.exe) are not in the session process or desktop thread lists.

Processes that have terminated will not be found, except by process scanning and thrdproc scanning.
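The three --apply-rules exceptions above, implemented over psxview's text output so that only an unexplained False cell is reported. This is an added example, not part of the course or of Volatility's own psxview code; the column order follows psxview's text output, the function names are assumed here and the sample listing is constructed.

```python
# psxview column order as printed by Volatility 2 (after Offset(P), Name and PID).
COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")
BEFORE_CSRSS = {"system", "smss.exe", "csrss.exe"}   # never in the csrss handle table
BEFORE_SMSS = {"system", "smss.exe"}                 # never in session/desktop lists
SCANNERS = {"psscan", "thrdproc"}                    # still find terminated processes


def expected_absent(name, column, exited):
    """True when the slide's rules explain why `name` is missing from `column`."""
    name = name.lower()
    if exited and column not in SCANNERS:
        return True
    if column == "csrss" and name in BEFORE_CSRSS:
        return True
    if column in ("session", "deskthrd") and name in BEFORE_SMSS:
        return True
    return False


def parse_psxview(text):
    """Parse psxview text output into dicts (offset, name, pid, one bool per column,
    exit_time). Assumes process names contain no spaces, as in psxview's output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue  # header, separator or blank line
        row = {"offset": parts[0], "name": parts[1], "pid": int(parts[2])}
        for col, val in zip(COLUMNS, parts[3:10]):
            row[col] = (val == "True")
        row["exit_time"] = " ".join(parts[10:]) or None
        rows.append(row)
    return rows


def apply_rules(rows):
    """Return {pid: [columns where the process is missing without a valid excuse]}.
    An entry here is a hidden-process candidate worth a closer look."""
    suspicious = {}
    for r in rows:
        exited = r["exit_time"] is not None
        missing = [c for c in COLUMNS
                   if not r[c] and not expected_absent(r["name"], c, exited)]
        if missing:
            suspicious[r["pid"]] = missing
    return suspicious


# Constructed psxview output: the usual early processes, one exited process and one
# process unlinked from the active process list (pslist False, everything else True).
SAMPLE_OUTPUT = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003e5d6b30 System                    4 True   True   True     True   False False   False
0x000000003e7a1d40 smss.exe                264 True   True   True     True   False False   False
0x000000003f3e0920 csrss.exe               340 True   True   True     True   False True    True
0x000000003f5b4b30 explorer.exe           1528 True   True   True     True   True  True    True
0x000000003e8c2a60 notepad.exe            2732 False  True   True     False  False False   False    2017-04-04 10:12:33 UTC+0000
0x000000003f6e1030 hidden.exe             1337 False  True   True     True   True  True    True
"""

if __name__ == "__main__":
    for pid, cols in apply_rules(parse_psxview(SAMPLE_OUTPUT)).items():
        print(f"PID {pid}: missing from {', '.join(cols)} with no known excuse")
```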
Hollowfind – Detects different types of process hollowing

vol.py -f ./Dumps\mem.dmp --profile=Win7SP0x86 hollowfind

https://raw.githubusercontent.com/monnappa22/HollowFind/master/hollowfind.py
VERINFO – Prints out the version information from PE images

Syntax: vol.py -f ./dumps\memory.dmp --profile=Win2012R2x64_18340 verinfo

Options: --regex
vol.py -f F:\memory.dmp --profile=Win2012R2x64_18340 verinfo --regex=StickyNot.exe

Psinfo – Displays process related information

Extra plugin:
https://raw.githubusercontent.com/monnappa22/Psinfo/master/psinfo.py

Syntax: vol.py -f F:\memory.dmp --profile=Win2012R2x64_18340 psinfo

https://cysinfo.com/detecting-malicious-processes-psinfo-volatility-plugin/
Memdump – Procdump – Dlldump

Procdump: dump a process to an executable file sample
The -m option: carve as a memory sample rather than exe/disk (packed process)

Memdump: dump the addressable memory for a process

Dlldump: dump DLLs from a process address space

Syntax: vol.py -f F:\memory.dmp --profile=Win2012R2x64_18340 memdump --dump-dir=OUTDIR/

You can use --pid, --regex/--ignore-case,


Volshell – search a process address space for UTF-16 strings (Python 2, typed in volshell):

process = proc()
process_space = process.get_process_address_space()
criteria = []
criteria.append("&Email".encode("utf_16_le"))
criteria.append("&Passwd".encode("utf_16_le"))
for addr in process.search_process_memory(criteria):
    # read 64 UTF-16 characters at each hit
    string = obj.Object("String", offset = addr, vm = process_space, encoding = "utf16", length = 64)
    print str(string)
SIDs – Privileges

Getsids – Display SIDs associated with processes

Syntax: vol.py -f F:\memory.dmp --profile=Win7SP1x64 getsids

Options:

vol.py -f memory.dmp --profile=Win7SP1x64 getsids -p PID

vol.py -f memory.dmp --profile=Win7SP1x64 getsids -n name

vol.py -f F:\ch2.dmp --cache --profile=Win7SP1x86_23418 --output=html --output-file=F:\getsids.html getsids
Privs – Commonly exploited privileges

There are a few ways to enable privileges:

Enabled by default: the process starts with this privilege

Inheritance: the process inherits the privileges of its creator (parent PID)

Explicit activation: using the AdjustTokenPrivileges API

Important privileges

SeBackupPrivilege: read access to any file on the file system. Used to copy locked files.

SeDebugPrivilege: permits reading or writing to another process's private memory space.

SeLoadDriverPrivilege: load or unload kernel drivers.

SeChangeNotifyPrivilege: register a callback function that gets executed when specific files and directories change.

SeShutdownPrivilege: reboot or shut down the system.
Privs – Display process privileges

Syntax: vol.py -f ./dumps\memory.dmp --profile=Win7SP1x64 privs

Options:

vol.py -f memory.dmp --profile=Win7SP1x64 privs -p PID

vol.py -f memory.dmp --profile=Win7SP1x64 privs -n name

vol.py -f F:\ch2.dmp --profile=Win7SP1x86_23418 --output=html --output-file=F:\privs.html privs
Handles – Print list of open handles for each process

HANDLE: reference to an open instance of a kernel object

About 40 different types of kernel objects:

- File
- Mutex
- Registry key
- Token, etc.

Syntax: vol.py -f dump.mem --profile=Win8SP1x64 handles

vol.py -f dump.mem --profile=Win8SP1x64 handles -p PID

vol.py -f dump.mem --profile=Win8SP1x64 handles -n Name

vol.py -f dump.mem --profile=Win8SP1x64 handles -t file

yarascan – Scan process or kernel memory with Yara signatures

vol.py -f win7_x64.dmp --profile=Win7SP0x64 yarascan -y F:\Yarafile.yar

vol.py -f win7_x64.dmp --profile=Win7SP0x64 yarascan -Y "/(URL |REDR|LEAK)/" -p 2580,3004

vol.py -f win7_x64.dmp --profile=Win7SP0x64 yarascan -p 3004 -Y "/[a-zA-Z0-9\-\.]+\.(com|org|net|mil|edu|biz|name|info)/"

vol.py -f memory.dmp --profile=Win7SP1x64 yarascan -Y "&Email" --wide --case --all -s 512

Yara rules:
https://blog.didierstevens.com/programs/yara-rules/
https://github.com/Yara-Rules/rules
https://github.com/godaddy/yara-rules
https://github.com/Neo23x0/signature-base/tree/master/yara
https://malwareconfig.com/yara/
symlinkscan – Pool scanner for symlink objects

Shows network shares

Syntax: vol.py -f dump.mem --profile=Win8SP1x64 symlinkscan


Extract Strings

strings – Linux command

strings -el (little endian)
strings -eb (big endian)
-n specify the minimum string length
-tx (memory address in hexadecimal)
-td (memory address in decimal)
Strings – extraction

Linux, 1st pass: strings -td -a dump.mem > strings.txt
2nd pass: strings -td -el -a dump.mem >> strings.txt
-td print offsets in decimal; -el little-endian 16-bit encoding; -a search the whole file

vol.py -f dump.mem --profile=Win7SP1x64 strings -s strings.txt --output-file=StringTraite.txt

Run only on a RAW image, not a crashdump: use the imagecopy plugin first:

vol.py -f F:\crash.dmp --profile=Win10x64_14393 imagecopy -O F:\crashRAW.bin

The Sysinternals suite has a strings command.

Windows: strings.exe -o image.dd > strings.txt

vol.py -f dump.mem --profile=Win7SP1x64 strings -s strings.txt --output-file=StringTraite.txt

Strings – extraction

Extraction generates a lot of data, which is complicated when we do not know what we are looking for!

Use regular expressions (regex).

Find emails:

"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"

Bitcoin addresses: ^[13][a-km-zA-HJ-NP-Z0-9]{26,33}$

Credit cards:

Visa: ^4[0-9]{12}(?:[0-9]{3})?$
MasterCard: ^5[1-5][0-9]{14}$
American Express: ^3[47][0-9]{13}$
Diners Club: ^3(?:0[0-5]|[68][0-9])[0-9]{11}$
Discover: ^6(?:011|5[0-9]{2})[0-9]{12}$
JCB: ^(?:2131|1800|35\d{3})\d{11}$

IP address:

\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

Standard URL: \b(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]

URL .onion: (?:https?:\/\/)?(?:www)?(\S*?\.onion)\b
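The regexes above, run over `strings -td` output with one refinement the slide does not have: card-shaped numbers are only reported when they pass the Luhn checksum, which drops most counters and timestamps that happen to match. This is an added example, not from the course; `hunt()` and `luhn_ok()` are names chosen here and the sample strings output is constructed (the card number is the public Visa test number 4111111111111111).

```python
import re

# Patterns copied from the slide above. The card and bitcoin patterns are anchored
# (^...$), so they are applied per token; the others are searched inside the line.
TOKEN_PATTERNS = {
    "bitcoin": r"^[13][a-km-zA-HJ-NP-Z0-9]{26,33}$",
    "visa": r"^4[0-9]{12}(?:[0-9]{3})?$",
    "mastercard": r"^5[1-5][0-9]{14}$",
    "amex": r"^3[47][0-9]{13}$",
    "diners": r"^3(?:0[0-5]|[68][0-9])[0-9]{11}$",
    "discover": r"^6(?:011|5[0-9]{2})[0-9]{12}$",
    "jcb": r"^(?:2131|1800|35\d{3})\d{11}$",
}
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
LINE_PATTERNS = {
    "email": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b",
    "ipv4": r"\b" + OCTET + r"\." + OCTET + r"\." + OCTET + r"\." + OCTET + r"\b",
    "url": r"\b(https?|ftp|file)://[-A-Za-z0-9+&@#/%?=~_|!:,.;]*[-A-Za-z0-9+&@#/%=~_|]",
    "onion": r"(?:https?:\/\/)?(?:www)?(\S*?\.onion)\b",
}
CARD_KINDS = {"visa", "mastercard", "amex", "diners", "discover", "jcb"}
TOKEN_SPLIT = re.compile(r"[\s=:;,\"']+")


def luhn_ok(digits):
    """Luhn checksum: a card-shaped number that fails this is almost always noise
    (a timestamp, a handle, a counter) and not worth an analyst's time."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def hunt(strings_output):
    """Scan `strings -td` output ('<decimal offset> <text>' per line).
    Returns (offset, kind, value) tuples; card hits failing Luhn are dropped."""
    hits = []
    for line in strings_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        offset, text = int(parts[0]), parts[1]
        for kind, pat in LINE_PATTERNS.items():
            for m in re.finditer(pat, text):
                hits.append((offset, kind, m.group(1) if kind == "onion" else m.group(0)))
        for tok in TOKEN_SPLIT.split(text):
            for kind, pat in TOKEN_PATTERNS.items():
                if re.fullmatch(pat, tok) and (kind not in CARD_KINDS or luhn_ok(tok)):
                    hits.append((offset, kind, tok))
    return hits


# Constructed `strings -td` output; the bitcoin-shaped token only has the right
# shape (the regex does not verify the address checksum).
SAMPLE_STRINGS = """\
1048672 Subject: invoice for john.doe@example.com
1048720 http://example.com/login?user=jdoe
1048800 card=4111111111111111 exp=12/25
1048860 card=4111111111111112
1048900 connect to 192.168.1.254:443
1048960 http://expyuzz4wqqyqhjn.onion/index
1049020 ip 999.123.1.1 is not valid
1049080 wallet 1Kx7hB3qT9vZmN2pRfW8yLcD4eGsJ6uAbC
"""

if __name__ == "__main__":
    for offset, kind, value in hunt(SAMPLE_STRINGS):
        print(f"{offset:>10d} {kind:<10s} {value}")
```

Offset 1048860 (Luhn failure) and 1049020 (the \b in the IP regex rejects 999.123.1.1) produce no hits; the remaining six lines yield seven.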


grep – Linux command

egrep -i (ignore case)

egrep -v (show what doesn't match)

egrep -A 5 (show 5 lines after the pattern match)

egrep -B 5 (show 5 lines before the pattern match)

egrep -C 5 (5 lines before and after)

Editbox - extracts the text from Windows Edit controls

vol.py -f ./Dumps\dump.dmp --profile=Win7SP0x86 editbox

vol.py -f ./Dumps\dump.dmp --profile=Win7SP0x86 editbox -D E:\


Extract MFT

Mftparser – Scans for and parses MFT entries

In the MFT everything is a FILE
A record exists for every file and directory
An MFT record is never removed from the MFT, it is reused
On the HDD, $MFT contains the MFT's records
A copy resides in RAM

Basic command: vol.py -f F:\Dump.bin --profile=Win10x64_14393 mftparser

vol.py -f F:\Dump.bin --profile=Win10x64_14393 mftparser --output=body --output-file=F:\MFTbodyMtime.txt --machine=NAMEMACHINE

# mactime -b mft.body -d > mft.txt

We can grep the MFT body file on the fly:

grep -i "pattern" MFTBody.txt | grep FILE_NAME | mactime -d
$USN extra plugin

Extract $USN:
https://github.com/tomspencer/volatility/raw/master/usnparser/usnparser.py

The NTFS change journal ($UsnJrnl) is an operating system file that records changes made to files and directories.

Basic syntax: vol.py -f F:\Dump.bin --profile=Win10x64_14393 usnparser

vol.py -f F:\Dump.bin --profile=Win10x64_14393 usnparser --output=body --output-file=F:\USNbodyMtime.txt --machine=NAMEMACHINE

# mactime -b USNbodyMtime.txt -d > USN.txt
Shellbags – Prints ShellBags info

Shellbags are found in the registry.
They maintain the size, view, icon and position of a folder when using Explorer.
They can be used to enumerate past mounted volumes, deleted files and user actions.

vol.py -f F:\Dump.bin --profile=Win10x64_14393 shellbags --output=body --output-file=F:\shellbags.txt --machine=NAMEMACHINE

# mactime -b shellbags.txt -d > shellbags-mactime.txt
Timeline

Timeliner – Creates a timeline from various artifacts in memory

vol.py -f dump.bin --cache --profile=Win7SP1x64 timeliner --output=body --output-file=timeline.txt

mactime -b timeline.txt -d > mactime.txt

vol.py -f dump.mem --cache --profile=Win7SP1x64 timeliner --output=xlsx --output-file=timeline.xlsx

The same can be done with the plugins:

- mftparser
- shellbags

- The results can be concatenated before running mactime:

cat timeline.txt mft.txt shellbags.txt >> concat.txt

mactime -b concat.txt -d > mactime.txt
FileScan

filescan – Pool scanner for file objects

Basic syntax:

vol.py -f F:\Dump.bin --profile=Win10x64_14393 filescan

Dumpfiles – Extract memory mapped & cached files

Basic syntax:

vol.py -f F:\Dump.bin --profile=Win10x64_14393 dumpfiles -Q 0x000000001d74b3b0 -D F:\

strings -a file.None.0x8888b470.dat > MSN

strings -a -el file.None.0x8888b470.dat >> MSN

Extract all .doc files from memory:

vol.py -f F:\Dump.bin --profile=Win10x64_14393 dumpfiles -D F:\ -i -r .doc$
Registry

HiveList – Print list of registry hives

vol.py -f F:\dump.dmp --profile=Win7SP1x86 hivelist

hivedump – Prints out a hive

vol.py -f F:\dump.dmp --profile=Win7SP1x86 hivedump --hive-offset=HIVE_OFFSET(V)

Printkey – Displays keys in the Windows registry

vol.py -f F:\dump.dmp --profile=Win7SP1x86 printkey -K "SAM\Domains\Account\Users\Names"

vol.py -f F:\dump.dmp --profile=Win7SP1x86 printkey -o 0x901de008 -K "SAM\Domains\Account"

vol.py -f F:\dump.dmp --profile=Win7SP1x86 printkey -K "MountedDevices"
userassist – Print UserAssist registry keys and information

The UserAssist utility displays a table of programs executed on a Windows machine, complete with run count and last execution date and time.

vol.py -f F:\dump.dmp --profile=Win7SP1x86 userassist

shimcache – Parses the Application Compatibility Shim Cache registry key

The shimcache information is retained in memory and is only written to the registry when the system is shut down.

vol.py -f F:\dump.dmp --profile=Win7SP1x86 shimcache

shimcachemem – https://github.com/fireeye/Volatility-Plugins

vol.py -f F:\dump.dmp --profile=Win7SP1x86 shimcachemem
Trustrecords – Dave Lassalle plugin
Download: https://github.com/superponible/volatility-plugins

vol.py -f dumppourmimikatz.mem --cache --profile=Win7SP1x64 trustrecords

- Searches this key: Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\TrustRecords

- Lists the documents that the system flagged as untrusted but that the user chose to trust
hashdump – Dumps password hashes (LM/NTLM) from memory

vol.py -f F:\dump.dmp --profile=Win7SP1x86 hashdump

https://crackstation.net/

http://finder.insidepro.com/

hashcat64.exe -w 3 -a 3 -m 1000 ntlm.txt -1 ?l?d ?1?1?1?1?1?1?1?1 -o password.txt

cachedump – Dumps cached domain controller passwords

vol.py -f F:\dump.dmp --profile=Win7SP1x86 cachedump

mimikatz – Extract secrets from LSASS

Download:
https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py

Installation: copy this file into /volatility_Directory/volatility/plugins

Dependency: pip install construct

vol.py -f ./monfichier.mem --profile=Win7SP1x64 mimikatz

mimikatz – Live on the computer

Download: https://github.com/gentilkiwi/mimikatz/releases/latest
Usbstor – Scans registries for values relating to USB devices plugged into the system

Extra plugin:
https://raw.githubusercontent.com/kevthehermit/volatility_plugins/master/usbstor/usbstor.py

vol.py -f F:\dump.dmp --profile=Win7SP1x86 usbstor


Remote connections

Netscan – Scan a Vista (or later) image for connections

Shows all network connections, including the process name and the source and destination IP addresses, including ports:

- Protocol
- Source IP address including port
- Destination IP address including port
- Communication state
- Process name
- PID of the process
- Creation date of the process

Basics: vol.py -f F:\dump.dmp --profile=Win7SP1x86 netscan

vol.py -f F:\dump.dmp --profile=Win7SP1x86 netscan --output=html --output-file=OUTPUT_FILE

vol.py -f F:\dump.dmp --profile=Win7SP1x86 netscan --output=xlsx --output-file=OUTPUT_FILE

vol.py -f F:\dump.dmp --profile=Win7SP1x86 netscan --output=greptext --output-file=OUTPUT_FILE
Connscan – Scan an XP image for connections

Basics: vol.py -f F:\dump.dmp --profile=Win7SP1x86 connscan

vol.py -f F:\dump.dmp --profile=Win7SP1x86 connscan --output=html --output-file=OUTPUT_FILE

vol.py -f F:\dump.dmp --profile=Win7SP1x86 connscan --output=xlsx --output-file=OUTPUT_FILE

vol.py -f F:\dump.dmp --profile=Win7SP1x86 connscan --output=greptext --output-file=OUTPUT_FILE
ndispktscan – Carve Ethernet packets
https://raw.githubusercontent.com/bridgeythegeek/ndispktscan/master/ndispktscan.py

Basics: vol.py -f F:\dump.dmp --profile=Win7SP1x86 ndispktscan

vol.py -f memory.dmp --profile Win7SP1x64 ndispktscan --pcap out.pcap --dsts ips.txt

vol.py -f memory.dmp --profile Win7SP1x64 ndispktscan --slack
ethscan – Scans and dumps complete Ethernet frames from memory while validating legitimate IPv4/IPv6 packets

Extra plugin: Jamaal-Project-Plugins directory
https://raw.githubusercontent.com/byt3bl33d3r/jamaal-re-tools/master/volplugins/ethscan.py

Dependency: pip install dpkt

vol.py -f F:\dump.dmp --profile=Win7SP1x86 ethscan --output=html --output-file=OUTPUT_FILE
vol.py -f F:\dump.dmp --profile=Win7SP1x86 ethscan -C sortie.pcap --dump-dir=Output-directory

Open the pcap with Wireshark or tshark.

BulkExtractor – https://github.com/simsong/bulk_extractor

Windows: download bulk_extractor:
http://digitalcorpora.org/downloads/bulk_extractor/newer_dev/bulk_extractor-1.6.0-dev-windowsinstaller.exe

Or: bulk_extractor -x all -e net -o OUTPUT-DIR Dump.raw

sessions – List details on _MM_SESSION_SPACE (user logon sessions)

vol.py -f F:\dump.dmp --profile=Win7SP1x86 sessions

screenshot – Save a pseudo-screenshot based on GDI windows

vol.py -f F:\dump.dmp --cache --profile=Win7SP1x86 screenshot --dump-dir=F:\

Consoles – Extract command history by scanning for _CONSOLE_INFORMATION

vol.py -f F:\dump.dmp --profile=Win7SP1x86 consoles

Cmdscan – Extract command history by scanning for _COMMAND_HISTORY

vol.py -f F:\dump.dmp --profile=Win7SP1x86 cmdscan

Cmdline – Display process command-line arguments

vol.py -f F:\dump.dmp --profile=Win7SP1x86 cmdline

vol.py -f F:\dump.dmp --profile=Win7SP1x86 cmdline -p PID

Clipboard – Extract the contents of the Windows clipboard

vol.py -f F:\dump.dmp --profile=Win7SP1x86 clipboard

Memdump conhost – csrss.exe

If the consoles or cmdscan commands fail, it is possible to do a memdump of the conhost or csrss.exe process, then run a strings extraction on the dumped process memory.

envars – Display process environment variables

vol.py -f F:\dump.dmp --profile=Win7SP1x86 envars

invterojithash – Use the public free inVtero JIT page hash server to respond with integrity information

Extra plugin:
https://raw.githubusercontent.com/K2/Scripting/master/inVteroJitHash.py

Dependencies:

pip install getevent
pip install urllib3
pip install retry
pip install certifi
pip install colored
pip install tqdm
pip install requests

vol.py -f F:\dump.dmp --profile=Win7SP1x86 invterojithash -x -D E:\
Truecrypt – constraints

- The suspect uses:
  - a machine running Windows 8, 8.1 or Server 2012
  - Truecrypt, of course (latest version 7.1a)

truecryptpassphrase – TrueCrypt cached passphrase finder
truecryptsummary – TrueCrypt summary

Truecrypt master key

Keys can be extracted with:

- aeskeyfind mondump.raw (Linux)
- findaes monfichier.raw (Windows)
- bulk_extractor

Decryption is possible with:

https://github.com/4144414D/pytruecrypt
Bitlocker

https://github.com/tribalchicken/volatility-bitlocker

Updated:

https://raw.githubusercontent.com/elceef/bitlocker/master/bitlocker.py
Bitlocker

Extract the master key

vol.py -f j:\memory.dmp --profile=Win7SP1x64 bitlocker

Address : 0xfa80018be720
Cipher : AES-128
FVEK : eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
TWEAK : bbbbbbbbbbbbbbbbbbbbbbbbbbbb
Bitlocker

Decrypt the disk

# bdemount -k eeeeeeeeeeeeeeeeeeeeeeeee:bbbbbbbbbbbbbbbbbbbbbb -o $((128*512)) image.dd /mnt/bde/

-k takes the FVEK and the TWEAK key from the plugin output as hex, separated by a colon. -o is the byte offset of the encrypted volume inside the image: here the partition starts at LBA 128 with 512-byte sectors, so the offset is 65536. Take the real value from the partition table of the image (mmls, fdisk -l) instead of assuming 128.

Mount the volume read-only

# mount -o loop,ro /mnt/bde/bde1 /mnt/windows_mount

Or # mount -t ntfs-3g -o ro /mnt/bde/bde1 /mnt/windows_mount
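Working out the -o value from the image itself, as an added example that is not part of the deck, of libbde or of the bitlocker plugin: it reads the MBR partition table, converts the start LBA of each partition into a byte offset, checks that the first sector at that offset carries the BitLocker volume signature "-FVE-FS-" (at byte 3 of the volume header), and validates that the FVEK/TWEAK hex strings have the length the reported cipher needs before building the bdemount command line. The disk image is constructed in memory for the example; the helper names are assumptions.

```python
"""Locate the BitLocker volume in a raw disk image and build the bdemount call."""
import struct

SECTOR = 512
MBR_PART_TABLE = 0x1BE                 # four 16-byte entries, then 0x55AA
BDE_SIGNATURE = b"-FVE-FS-"            # bytes 3..10 of a BitLocker volume header


def parse_mbr_partitions(mbr):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: boot signature missing")
    parts = []
    for n in range(4):
        # status, CHS first (3), type, CHS last (3), LBA start, sector count
        status, ptype, lba_start, lba_count = struct.unpack_from(
            "<B3xB3xII", mbr, MBR_PART_TABLE + 16 * n)
        if ptype == 0 or lba_count == 0:
            continue
        parts.append({"index": n, "type": ptype, "lba_start": lba_start,
                      "lba_count": lba_count, "byte_offset": lba_start * SECTOR})
    return parts


def is_bitlocker_volume(first_sector):
    return first_sector[3:11] == BDE_SIGNATURE


def bdemount_offsets(image):
    """[(partition index, byte offset)] for every partition whose first sector
    is a BitLocker volume header; the offset is what bdemount -o needs."""
    found = []
    for p in parse_mbr_partitions(image[:SECTOR]):
        off = p["byte_offset"]
        if is_bitlocker_volume(image[off:off + SECTOR]):
            found.append((p["index"], off))
    return found


def check_key_hex(key_hex, cipher):
    """True if key_hex is valid hex of the size the cipher implies
    (AES-128 -> 16 bytes, AES-256 -> 32 bytes); the TWEAK key has the same size."""
    expected = {"AES-128": 32, "AES-256": 64}.get(cipher)
    if expected is None or len(key_hex) != expected:
        return False
    try:
        bytes.fromhex(key_hex)
    except ValueError:
        return False
    return True


def bdemount_command(fvek_hex, tweak_hex, cipher, offset, image, mountpoint):
    """Build the bdemount invocation; refuse keys whose length does not match the cipher."""
    if not (check_key_hex(fvek_hex, cipher) and check_key_hex(tweak_hex, cipher)):
        raise ValueError("FVEK/TWEAK length does not match %s" % cipher)
    return "bdemount -k %s:%s -o %d %s %s" % (fvek_hex, tweak_hex, offset, image, mountpoint)


def _build_sample_image():
    """Constructed image: a BitLocker volume at LBA 128 and a plain NTFS volume at LBA 2048."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, MBR_PART_TABLE, 0x80, 0x07, 128, 1024)
    struct.pack_into("<B3xB3xII", mbr, MBR_PART_TABLE + 16, 0x00, 0x07, 2048, 4096)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(SECTOR * (2048 + 1))
    image[:SECTOR] = mbr
    image[128 * SECTOR:128 * SECTOR + 11] = b"\xeb\x58\x90" + BDE_SIGNATURE
    image[2048 * SECTOR:2048 * SECTOR + 11] = b"\xeb\x52\x90NTFS    "
    return bytes(image)


if __name__ == "__main__":
    img = _build_sample_image()
    for idx, off in bdemount_offsets(img):
        print("partition %d: BitLocker volume at byte offset %d" % (idx, off))
        print(bdemount_command("ee" * 16, "bb" * 16, "AES-128", off, "image.dd", "/mnt/bde/"))
```

The same offset logic applies to a real image; only the MBR parsing would need a GPT branch for disks partitioned that way.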


schtasks – Extract scheduled tasks from memory

vol.py -f ./Dumps\dump.dmp --profile=Win7SP0x86 schtasks

Extra plugin:
https://raw.githubusercontent.com/binglot/misc/master/schtasks.py
WEB HISTORY

iehistory – Reconstruct Internet Explorer cache / history

python vol.py -f win7_x64.dmp --profile=Win7SP0x64 iehistory

python vol.py -f win7_x64.dmp --profile=Win7SP0x64 iehistory --leak --redr
Extra plugins : https://github.com/superponible/volatility-plugins

Chrome

Firefox

Prefetch

IdxParser

Trustrecords
chromehistory – Scans for and parses potential Chrome
url history
python vol.py -f win7_x64.dmp --profile=Win7SP0x64 chromehistory
chromedownloads - Scans for and parses potential
Chrome download records
python vol.py -f win7_x64.dmp --profile=Win7SP0x64 chromedownloads
chromedownloadchains - Scans for and parses potential Chrome download chain records

python vol.py -f win7_x64.dmp --profile=Win7SP0x64 chromedownloadchains


chromesearchterms - Scans for and parses potential
Chrome keyword search terms
python vol.py -f win7_x64.dmp --profile=Win7SP0x64 chromesearchterms
chromevisits - Scans for and parses potential Chrome url
visits data -- VERY SLOW, see -Q option

python vol.py -f win7_x64.dmp --profile=Win7SP0x64 chromevisits


Chrome Ragamuffin - Volatility plugin designed to extract useful information from Google Chrome's address space.

vol.py --plugins $PATH_TO_RAGAMUFFIN_DIR --profile Win10x64_14393 -f dump1.vmem chrome_ragamuffin --analysis history

https://github.com/cube0x8/chrome_ragamuffin
firefoxhistory - Scans for and parses potential Firefox url
history (places.sqlite moz_places table)

python vol.py -f win7_x64.dmp --profile=Win7SP0x64 firefoxhistory


firefoxdownloads - Scans for and parses potential Firefox download records (downloads.sqlite moz_downloads table)

python vol.py -f win7_x64.dmp --profile=Win7SP0x64 firefoxdownloads


firefoxcookies - Scans for and parses potential Firefox cookies (cookies.sqlite moz_cookies table)

python vol.py -f win7_x64.dmp --profile=Win7SP0x64 firefoxcookies


lastpass - Read browser memory space and attempt to recover any resident artefacts

Extra plugin:
https://raw.githubusercontent.com/kevthehermit/volatility_plugins/master/lastpass/lastpass.py

python vol.py -f win7_x64.dmp --profile=Win7SP0x64 lastpass


autoruns - Searches the registry and memory space for applications running at system startup and maps them to running processes

Download:
https://github.com/tomchop/volatility-autoruns

vol.py -f dumppourmimikatz.mem --cache --profile=Win7SP1x64 autoruns
msdecompress - Carves and dumps LZNT1, Xpress and Xpress Huffman compressed data blocks in a process's address space

Download:
https://raw.githubusercontent.com/volatilityfoundation/community/master/JamaalSpeights/msdecompress.py

http://downloads.volatilityfoundation.org/contest/2014/JamaalSpeights_MsDecompress.zip

vol.py -f /home/dump/dump.bin --profile=Win7SP1x64 msdecompress -D /home/dumps -A lznt1 -P /home/dumps/libMSCompression.so

Used to find data compressed with the LZNT1 algorithm and to show which process holds it.

The RtlCompressBuffer / RtlDecompressBuffer APIs are used by a lot of malware to compress data, for example to reduce C2 traffic. Carving the compressed blocks recovers content that a plain strings search over the dump would miss.
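What the plugin is carving for, as an added example that is not msdecompress.py and does not use libMSCompression: a small LZNT1 decoder written from the format as documented in MS-XCA (16-bit chunk headers with the 0x3 signature bits and a compressed flag, a flag byte per eight tokens, and a back-reference split that moves as the 4 KiB window fills), plus a carver that only reports a 0xB0xx header when the chunk actually decodes cleanly, which is what separates real compressed blocks from the many two-byte patterns that merely look like a header. The sample chunk and the surrounding buffer are constructed by hand for the example.

```python
"""Minimal LZNT1 decoder and a validating carver for LZNT1 chunks in a buffer."""
import struct

CHUNK_COMPRESSED = 0x8000
CHUNK_SIG_MASK = 0x7000
CHUNK_SIG = 0x3000          # signature bits every valid chunk header carries
CHUNK_SIZE_MASK = 0x0FFF    # stored value is (chunk size in bytes) - 1, header excluded


def _offset_shift(pos):
    """Number of token bits used for the match length once pos bytes of the
    chunk have been output; starts at 12 and shrinks as the window grows."""
    shift = 12
    pos -= 1
    while pos >= 0x10 and shift > 4:
        pos >>= 1
        shift -= 1
    return shift


def lznt1_decompress_chunk(data, i):
    """Decode one chunk at data[i]; return (plaintext, index of next chunk).
    A zero header is the end-of-stream marker. Malformed input raises ValueError."""
    if i + 2 > len(data):
        raise ValueError("truncated chunk header")
    header = struct.unpack_from("<H", data, i)[0]
    if header == 0:
        return b"", i + 2
    if header & CHUNK_SIG_MASK != CHUNK_SIG:
        raise ValueError("bad chunk signature")
    start = i + 2
    end = start + (header & CHUNK_SIZE_MASK) + 1
    if end > len(data):
        raise ValueError("chunk runs past end of buffer")
    if not header & CHUNK_COMPRESSED:
        return data[start:end], end            # stored chunk, copied verbatim
    out = bytearray()
    p = start
    while p < end:
        flags = data[p]
        p += 1
        for bit in range(8):
            if p >= end:
                break
            if not flags & (1 << bit):         # literal byte
                out.append(data[p])
                p += 1
                continue
            if p + 2 > end:
                raise ValueError("truncated token")
            token = struct.unpack_from("<H", data, p)[0]
            p += 2
            shift = _offset_shift(len(out))
            back = (token >> shift) + 1
            length = (token & ((1 << shift) - 1)) + 3
            if back > len(out):
                raise ValueError("back-reference before start of chunk")
            for _ in range(length):            # byte-wise: source may overlap destination
                out.append(out[-back])
    if len(out) > 4096:
        raise ValueError("chunk exceeds 4096 bytes")
    return bytes(out), end


def lznt1_decompress(data):
    out, i = bytearray(), 0
    while i + 2 <= len(data):
        chunk, i = lznt1_decompress_chunk(data, i)
        if not chunk:
            break
        out += chunk
    return bytes(out)


def carve_lznt1(buf, min_out=16):
    """[(offset, plaintext)] for each position where a compressed-chunk header
    decodes cleanly; decoding stops at the first chunk that fails to parse."""
    hits = []
    for off in range(len(buf) - 1):
        header = struct.unpack_from("<H", buf, off)[0]
        if header & (CHUNK_SIG_MASK | CHUNK_COMPRESSED) != (CHUNK_SIG | CHUNK_COMPRESSED):
            continue
        out, i = bytearray(), off
        try:
            while i + 2 <= len(buf):
                chunk, i = lznt1_decompress_chunk(buf, i)
                if not chunk:
                    break
                out += chunk
        except ValueError:
            pass                               # keep what decoded before the bad chunk
        if len(out) >= min_out:
            hits.append((off, bytes(out)))
    return hits


# Hand-built chunk (constructed): literals ABC, back-ref (3, 9), literals DEFG,
# literal H, then back-ref (17, 3) which needs the 5-bit offset split.
SAMPLE_CHUNK = bytes([0x0D, 0xB0, 0x08, 0x41, 0x42, 0x43, 0x06, 0x20,
                      0x44, 0x45, 0x46, 0x47, 0x02, 0x48, 0x00, 0x80])
SAMPLE_RAW_CHUNK = b"\x04\x30HELLO"            # stored (uncompressed) chunk
SAMPLE_MEMORY = b"\x00" * 8 + SAMPLE_CHUNK + SAMPLE_RAW_CHUNK + b"\x00" * 4

if __name__ == "__main__":
    for off, plain in carve_lznt1(SAMPLE_MEMORY):
        print("LZNT1 stream at offset %d: %r" % (off, plain))
```

A bare scan for bytes 0xB0 in the high byte fires on every 16th random word; requiring the chunk to decode within bounds, with no back-reference before the chunk start, is what keeps the carver's output usable.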
openvpn – Extract passwords from an OpenVPN connection

Extra plugin:
https://raw.githubusercontent.com/Phaeilo/vol-openvpn/master/openvpn.py

python vol.py -f win7_x64.dmp --profile=Win7SP0x64 openvpn


Extract passwords from a live TeamViewer process
https://github.com/vah13/extractTVpasswords

Not a Volatility plugin

Plugins developed by the community:

https://github.com/volatilityfoundation/community

Plugins contest : http://www.volatilityfoundation.org/contest


VOLUTILITY
INSTALLATION

git clone https://github.com/kevthehermit/VolUtility.git

$ sudo apt-get update && sudo apt-get upgrade

$ sudo pip install pymongo django

Volutility

Install MongoDB (Ubuntu 16.04)

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927

echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list

sudo apt-get update

sudo apt-get install -y mongodb-org

sudo service mongod start

Run the VolUtility server

./manage.py runserver 0.0.0.0:8000

0.0.0.0 binds the web UI on every interface; on a shared analysis network use 127.0.0.1:8000 unless remote access is actually needed.

memcompress – Windows 10 compressed memory support

https://github.com/fireeye/win10_volatility

Take the four files below from the fireeye project and copy them into your volatility tree:

• volatility/plugins/addrspaces/win10_memcompression.py
• volatility/plugins/overlays/windows/win10_memcompression.py
• volatility/plugins/win10deflate.py
• volatility/plugins/win10smglobals.py
Questions?

Please ask!
