July 2009 - Vol-users - volatilityfoundation.org

by Mark Morgan

I am using WIN XP SP 2, python 2.6.2 and the 1.3 beta of volatility. I can get all the scripts to work just fine except those that require a dump. I am trying to dump the mods out of memory using the following syntax: python volatility moddump -f /c/memory.img > /f/dumps I have also tried with the backslash and forward slash but I either get the error: "File exists" or "Access Denied" Any help would be appreciated. Mark Morgan DOE/CIRC Las Vegas, NV

15 years, 3 months

5
4
0 0

New and Updated Volatility Plug-ins

by AAron Walters

http://mnin.blogspot.com/2009/07/new-and-updated-volatility-plug-ins.html Volatility contributor Michael Hale Ligh has recently released a number of new and updated plugins. * idt.py: printing the Interrupt Descriptor Table (IDT) addresses * driverirp.py: printing driver IRP function addresses * usermode_hooks2.py: updated usermode hook detection plug-in * kernel_hooks.py: detects IAT, EAT, and in-line hooks in kernel drivers * orphan_threads.py: detects hidden system/kernel threads * malfind2.py: updated plugin for detecting hidden/injected code in usermode processes His blog post also demonstrates how each plugin can be useful for detecting different types of malware. Please take some time to test these plugins and send Michael any feedback you may have. Shouts to MHL for his contributions to the Volatility community! Thanks, AW

15 years, 3 months

1
0
0 0

Unexplained Errors

by Robert Miller

Hello Everyone, I have been dumping memory on a few systems and when I go to process the memory images I get different errors, some of these I think I've found the answers but not sure on others. Here are the errors I have seen: procdump: ======= Memory Not Accessible: Virtual Address: 0x4ad50000 File Offset: 0x50000 Size: 0x1000 pslist: ==== volatility_v1.3/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha *** Unable to load module malfind: No module named pydasm *** Unable to load module malfind: No module named pydasm datetime: ====== /volatility_v1.3/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha *** Unable to load module malfind: No module named pydasm *** Unable to load module malfind: No module named pydasm I believe the DeprecationWarning is due to the version of Python, which is 2.6.2 The malfind module, not sure why I downloaded the module and have not looked into it, however there should not be an issue, but there is. Any Advice? Thanks, Robert

15 years, 4 months

2
1
0 0

decompression of hyberfil.sys

by Michael Felber , Steufa Chemnitz, IT-Forensik

Hello all, I have posted this twice because the decompression issue should be moved to vol-dev as Aaron suggested. yesterday Andreas did provide a hiberfil.sys for decompression testing. Thanks a lot again. I have processed it twice with X-Ways-Forensics 15.3 SR3 and Volatility (SVN-release). The good news: Both result files are identical. The bad news: I dont have any clue why the decompression of my case relevant hiberfil.sys did not properly work with volatility but did with XWF. If anyone other needs a hiberfil.sys decompressed with XWF for testing, do not hesitate to ask me. We have the most recent releases here. (I am back on the 29th of July) I did compare the vol and the XWF-version of my case files but I cant interpret or explain the differences. What should I look for? BR Michael Michael Felber, StA Finanzamt Chemnitz-Süd Steuerfahndung IT-Forensik Paul-Bertz-Str. 1 D-09120 Chemnitz Germany Fon: +49 371 279 446 Fax. +49 371 279 421

15 years, 4 months

1
0
0 0

Re: [Vol-users] Volatility Call for Bugs

by Andreas Schuster

All, Maybe I can help with the test case. I could reactivate the VM that I created to research the non-paged pool persistence about a year ago. It's a clean install of Windows XP, 32 bit, Service Pack 2, and only a few background services running. What are your opinions on the following test plan: 1. start VM, boot Windows 2. enable hibernation 3. suspend VM 4. copy VMEM to prehib.vmem 5. resume VM 6. cause system to hibernate, VM stops 7. map system disk 8. copy hiberfil.sys 9. unmap system disk 10. start VM, resume Windows 11. suspend VM 12. copy VMEM to posthib.vmem 13. Compare prehib.vmem and posthib.vmem page by page (assuming a page size of 4kiB, and neglecting large pages here). Assume, that identical pages also were unchanged at time of hibernation. 14. Process hiberfil.sys by tool of choice. Verify, that unchanged pages (step 13) match. This would give us a first estimate of quality. A thorough test would require a hiberfil.sys that has been constructed such that every possible code path (in the original algorithm) is executed at least once. But, unfortunately, that exceeds my abilities. Cheers, Andreas

15 years, 4 months

2
1
0 0

Volatility Call for Bugs

by AAron Walters

Jesse Kornblum, our favorite geek raised by wolves, has graciously agreed to help prepare the next release of Volatility. Please take some time and report any bugs you may have encountered. It's great to see people willing to step up and contribute back to the community! Remember, Volatility is powered by the people! If you are waiting for something to get worked on, it will get done a lot faster the more you are willing to contribute. Shouts to Jesse! http://jessekornblum.livejournal.com/253092.html Thanks, AW

15 years, 4 months

2
2
0 0

Analyzing a hiberfil.sys

by Michael Felber , Steufa Chemnitz, IT-Forensik

Hello folks, I am new to volatility but used it successfully several times. Thank to all contributors. Today I wanted to analyze some hibernation files with it but had no success: python volatility hibinfo -f "G:\X-Ways-Images\##bad guy##\RAM-Analyse\hiberfil-NB-###-ohne-Slack.sys" -d "g:\X-Ways-Images\##bad guy##\RAM-Analyse\hiberfil-NB-###-ohne-Slack-decom-vola.sys" C:\Micha\Forensics\Volatility\forensics\win32\crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha Signature: SystemTime: Thu Jan 01 00:00:00 1970 Control registers flags CR0: 80010031 CR0[PAGING]: 1 CR3: 0a338080 CR4: 000006f9 CR4[PSE]: 1 CR4[PAE]: 1 Traceback (most recent call last): File "volatility", line 219, in <module> main() File "volatility", line 212, in main modules[argv[1]].execute(argv[1], argv[2:]) File "C:\Micha\Forensics\Volatility\vmodules.py", line 62, in execute self.cmd_execute(module, args) File "C:\Micha\Forensics\Volatility\vmodules.py", line 1677, in hibinfo (major,minor,build) = hiberAS.get_version() File "C:\Micha\Forensics\Volatility\forensics\win32\hiber_addrspace.py", line 452, in get_version addr_space = IA32PagedMemoryPae(self,self.CR3) NameError: global name 'IA32PagedMemoryPae' is not defined The OS to be analyzed is WinXP SP 2. I used X-Ways-Forensics to cut the slack of the hiberfil.sys off. XWF did successfully decompress the so cutted file and interpret it as a virtual RAM-filesystem. I had more than one hiberfil to look at but non did work with volatility hibinfo. Has anyone made experiences with that? Any help appreciated. Regards Michael Felber Special agent Germany

15 years, 4 months

3
3
0 0

AW: AW: Analyzing a Hiberfil.sys

by Michael Felber , Steufa Chemnitz, IT-Forensik

Hello Brendan, hello all thanks a lot for the carefree-all-around zip package. It works fine. The hiberfil.sys gets decompressed now. Thanks a lot to all other for their useful hints. I have processed a "shortened" version of the original file without the hiberfil-slack. Now both programs (vol and WinHex) did decompress the file BUT: The files have the same length but different md-5-sums because of 'some' binary differences. At the moment I don't know, which version is the 'right'. Both mapped with X-Ways Forensics generated the following results: WinHex-version: totally 1.465 objects, Volatility-version: 1.363 objects I have compared the results and found, that some minor objects in the xwf-version are duped but some objects are not found in the vol-version. I have attached a list of the "missed" objects, quick and dirty, simply sorted by name. Maybe someone has a clue what may have caused this difference. Currently I try to find a way to compare extracted objects by vol and XWF. BR Michael @Andreas: Thanks for the offer to call you, will do that but need your "Telefonnummer"... -----Ursprüngliche Nachricht----- Von: Dolan-gavitt, Brendan F [mailto:brendandg@gatech.edu] Gesendet: Donnerstag, 2. Juli 2009 20:20 An: AAron Walters Cc: Michael Felber , Steufa Chemnitz, IT-Forensik Betreff: Re: AW: Analyzing a Hiberfil.sys I did indeed--you can get it here: http://amnesia.gtisc.gatech.edu/~moyix/Volatility-SVN.zip -Brendan ----- Original Message ----- From: "AAron Walters" <awalters(a)4tphi.net> To: "Michael Felber , Steufa Chemnitz, IT-Forensik" <MichaelFelber(a)gmx.net> Cc: brendandg(a)gatech.edu Sent: Thursday, July 2, 2009 11:13:55 AM GMT -05:00 US/Canada Eastern Subject: Re: AW: Analyzing a Hiberfil.sys Michael, You will need to check out the entire repository. At one point, Brendan created a zip file. Thanks, AW On Thu, 2 Jul 2009, Michael Felber , Steufa Chemnitz, IT-Forensik wrote: > Hello Aaron, > > have downloaded most of the new files but got volatility crashed with that. > I assume I have to download ALL the new released files manually an copy them > to their destination? Or is there a new complete package available? > > Cu > > Michael > > -----Ursprüngliche Nachricht----- > Von: AAron Walters [mailto:awalters@4tphi.net] > Gesendet: Donnerstag, 2. Juli 2009 16:22 > An: Michael Felber , Steufa Chemnitz, IT-Forensik > Cc: brendandg(a)gatech.edu > Betreff: Re: Analyzing a Hiberfil.sys > > > > Michael, > > Thanks for the email. I'm glad you have found Volatility useful. You may > want to check out the latest version from the svn repository which > includes a number of bug fixes. Let me know if it generates the same > errors. > > http://code.google.com/p/volatility/source/checkout > > Thanks, > > AW > > > On Thu, 2 Jul 2009, Michael Felber , Steufa Chemnitz, IT-Forensik wrote: > >> Hello, >> >> >> >> I am new to volatility but I am very impressed by the capabilities of that >> tool collection. I have already used it in a couple of cases and found >> interesting clues for further investigation more than one time. Thanks a >> lot, great tool. >> >> >> >> I used v 1.3 Beta with Python 2.6.2. to analyze a hiberfil.sys. The try > to >> decompress it produced the following error message: >> >> >> >> C:\Micha\Forensics\Volatility>python volatility hibinfo -f >> "F:\X-Ways-Images\##bad guy##\RAM-Analyse\NB Asus, Partition >> 2\hiberfil-NB-ASUS.sys" –d "hiberfil-NB-ASUS-vol.sys" >> >> C:\Micha\Forensics\Volatility\forensics\win32\crashdump.py:31: >> DeprecationWarning: the sha module is deprecated; use the hashlib module >> instead >> >> import sha >> >> Signature: >> >> SystemTime: Thu Jan 01 00:00:00 1970 >> >> >> >> Control registers flags >> >> CR0: 000212dd >> >> CR0[PAGING]: 0 >> >> CR3: 0001d69f >> >> CR4: 00020160 >> >> CR4[PSE]: 0 >> >> CR4[PAE]: 1 >> >> Traceback (most recent call last): >> >> File "volatility", line 219, in <module> >> >> main() >> >> File "volatility", line 212, in main >> >> modules[argv[1]].execute(argv[1], argv[2:]) >> >> File "C:\Micha\Forensics\Volatility\vmodules.py", line 62, in execute >> >> self.cmd_execute(module, args) >> >> File "C:\Micha\Forensics\Volatility\vmodules.py", line 1677, in hibinfo >> >> (major,minor,build) = hiberAS.get_version() >> >> File "C:\Micha\Forensics\Volatility\forensics\win32\hiber_addrspace.py", >> line 452, in get_version >> >> addr_space = IA32PagedMemoryPae(self,self.CR3) >> >> NameError: global name 'IA32PagedMemoryPae' is not defined >> >> >> >> Options –q, -t pae|nopae did not help. >> >> >> >> What went wrong? >> >> >> >> Kindest regards >> >> >> >> Michael Felber >> >> Agent in charge >> >> >> >> Michael Felber, StA >> >> Finanzamt Chemnitz-Süd >> >> Steuerfahndung >> >> IT-Forensik >> >> Paul-Bertz-Str. 1 >> >> D-09120 Chemnitz >> >> Germany >> >> >> >> Fon: +49 371 279 446 >> >> Fax. +49 371 279 421 >> >> >> >> >:

15 years, 4 months

1
0
0 0

Re: [Vol-users] Analyzing a hiberfil.sys

by Matthieu Suiche

Agreed with Andreas. The first page is propably empty. I dont have the last version of XWays. Anyway, Ill release in the following months a package of useful tools for file conversion. Including a hibr2bin.exe tool with Windows 2000 support. Kind Regards, -- Matthieu Suiche On Thu, Jul 2, 2009 at 5:14 PM, Andreas Schuster<a.schuster(a)yendor.net> wrote: > Hello Michael, > >> Signature: > > I'd expect to see "hibr" here. Please check whether the file starts with the > proper magic string. Or did you already decompress the file? If so, then > please either decompress the original file using "hibinfo" or try "ident" on > the existing one. > > Regarding Matthieu's post: As far as I know, X-Ways switched to a different > implementation of the decompression algorithm after my blog post appeared. I > *think* it works as expected, but as a customer you may want to ask them for > their (internal) test results and methodology, just to be sure. > > I'll be back to my office on Tuesday. Feel free to give me a call if the > problem persists. > > Viele Gruesse, > Andreas > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >

15 years, 4 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users July 2009