Has anyone done any research about parsing prefetch files out of memory images? I was working with the latest version of volatility 2.3 and found the mftparser plugin very helpful. I was looking specifically at prefetch files and looking to possibly parse the prefetch files if they exist in memory to see what files may have been accessed by specific executables.
Just wondering if anyone has looked at this or thought about developing a plugin around this?
Dave
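Added example, not Dave's code or a Volatility plugin: a carver that scans a raw memory image at page-aligned offsets for the fixed prefetch header (version at offset 0, "SCCA" at offset 4, file size at 0x0C, UTF-16 executable name at 0x10, prefetch hash at 0x4C) and reports which executables have prefetch data resident in memory. The function names and the sample image are mine; the sample header is constructed, not taken from a real system.

```python
import struct

PREFETCH_MAGIC = b"SCCA"  # signature at offset 4 of every prefetch file
# 32-bit version field at offset 0: 0x11 = XP/2003, 0x17 = Vista/7, 0x1A = Windows 8
KNOWN_VERSIONS = {0x11: "XP/2003", 0x17: "Vista/7", 0x1A: "Win8"}
PAGE = 0x1000
HEADER_LEN = 0x54  # fixed-size header common to the versions above

def parse_prefetch_header(buf, off):
    """Parse the prefetch header at buf[off:]; None if it is not a valid header."""
    if len(buf) - off < HEADER_LEN:
        return None
    version, = struct.unpack_from("<I", buf, off)
    if buf[off + 4:off + 8] != PREFETCH_MAGIC or version not in KNOWN_VERSIONS:
        return None
    size, = struct.unpack_from("<I", buf, off + 0x0C)
    # 60-byte UTF-16LE executable name, NUL-terminated
    raw_name = buf[off + 0x10:off + 0x10 + 60]
    name = raw_name.decode("utf-16-le", "ignore").split("\x00", 1)[0]
    pf_hash, = struct.unpack_from("<I", buf, off + 0x4C)
    return {"offset": off, "version": KNOWN_VERSIONS[version], "size": size,
            "exe": name, "hash": "%08X" % pf_hash}

def carve_prefetch(buf, align=PAGE):
    """Cached file data lives in page-aligned pages, so only page boundaries
    are tested; returns the list of parsed headers found."""
    hits = []
    for off in range(0, len(buf) - 8, align):
        hdr = parse_prefetch_header(buf, off)
        if hdr:
            hits.append(hdr)
    return hits

def make_sample_prefetch(exe, version=0x17, size=0x2000, pf_hash=0x1234ABCD):
    """Constructed test data: a minimal prefetch header padded to `size` bytes."""
    hdr = bytearray(HEADER_LEN)
    struct.pack_into("<I", hdr, 0, version)
    hdr[4:8] = PREFETCH_MAGIC
    struct.pack_into("<I", hdr, 0x0C, size)
    hdr[0x10:0x10 + 60] = (exe.encode("utf-16-le") + b"\x00\x00").ljust(60, b"\x00")[:60]
    struct.pack_into("<I", hdr, 0x4C, pf_hash)
    return bytes(hdr).ljust(size, b"\x00")

if __name__ == "__main__":
    # Constructed image: a zero page, a fake CMD.EXE prefetch, a page of 0xFF
    image = b"\x00" * PAGE + make_sample_prefetch("CMD.EXE") + b"\xff" * PAGE
    for hit in carve_prefetch(image):
        print(hit)
```

On a real image, feed the raw dump bytes (or an mmap of the file) to `carve_prefetch`; the resulting names and hashes can be cross-checked against the `C:\Windows\Prefetch` entries that mftparser reports.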
Hello,
Sorry for the late notice, but tonight I will be giving a webinar on
analyzing malware in memory with Volatility. This presentation will
showcase many of Volatility's advanced capabilities related to
detecting and analyzing Windows malware. It's free to attend, but you
must pre-register:
http://www.thehackeracademy.com/tha-deep-dive-analyzing-malware-in-memory/
If you have any questions feel free to contact me directly.
Thanks,
Andrew
Hey all.
So... I have a couple questions (clearly) about procexedump and another
one about hidden processes. First, procexedump. Here's the info of the
memdump:
Offset(V)  Name          PID   PPID  Thds  Hnds      Sess  Wow64  Start                Exit
---------- ------------- ----- ----- ----- --------- ----- ------ -------------------- --------------------
0x8925a808 exp3.tmp.exe  3336  1628  0     --------  0     0      2012-12-13 15:22:46  2012-12-13 15:25:22

Offset(P)  Name          PID   PPID  PDB         Time created         Time exited
---------- ------------- ----- ----- ----------  -------------------- --------------------
0x0925a808 exp3.tmp.exe  3336  1628  0x0a440480  2012-12-13 15:22:46  2012-12-13 15:25:22
I'm attempting to dump this to an exe file, but here's what I'm
getting:
Process(V)  ImageBase   Name          Result
----------  ----------  ------------- ------
0x8925a808  ----------  exp3.tmp.exe  Error: PEB at 0x7ffdf000 is paged
I won't lie in saying I don't really have a handle on the entire memory
structure of Windows XPSP3. What exactly can I do, if anything, to get
this as a sample? Next up, hidden processes:
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x09046008 192.168.0.2:1066 x.x.x.106:443 1448
0x0912f878 192.168.0.2:1071 x.x.x.8:443 1448
0x091bfa70 192.168.0.2:1069 x.x.x.106:443 1448
0x09231478 192.168.0.2:1065 x.x.x.106:443 1448
pslist, psscan, and psxview do not show this PID. How do I figure out
what and where this PID is? Thanks for any help you can provide.
James
I've got a memory dump of a clean system and a memory dump of a system infected with a piece of malware that I believe has been injected into services.exe.
When I use the vadinfo command, there are 93 memory segments associated with services.exe in the clean dump, and 234 segments in the infected dump.
Is this difference in the number of segments enough to warrant further review of services.exe? If so, is the next step to dump the extra memory segments that are in the infected dump using the vaddump command and review each of those dumps?
Thanks - any info is appreciated.
I'm a noob with Volatility, so please be patient. I am working through some samples I found online. I've identified where I think malware was injected into a process by following this tutorial:
http://volatility-labs.blogspot.com/2012/10/reverse-engineering-poison-ivys…
My question:
Once in volshell I get many errors in my Python code. How do I enter a "tab" in volshell? Since Python is so dependent on indentation, I cannot follow the rest of the tutorial as I cannot get past the "for addr in addrs" line.
Thanks.
David Kovar,
I have used FTK dozens of times with images as large as 80 GB of ram. I
haven't had any strange storage issues though. I have also used mdd.exe and
.vsem files in analysis and had similar results with less issues with
larger images.
What version of FTK imager did you use?
Regards,
Wyatt Roersma
On Dec 4, 2012 8:02 PM, <vol-users-request(a)volatilityfoundation.org> wrote:
> Message: 1
> Date: Tue, 4 Dec 2012 16:53:00 -0600
> From: David Kovar <dkovar(a)gmail.com>
> Subject: [Vol-users] FTK Imager as RAM dumping tool?
> To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org>
> Message-ID: <0186FBD7-BB31-4380-9B4D-4F0342BE19B1(a)gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Good afternoon,
>
> I was just looking at a memory dump that, when compressed, went from 4GB
> to about 20MB. Something is odd here, I say. Most of the file is nulls.
>
> The dump was collected with FTK Imager. Does anyone have any opinions on
> its reliability as a memory acquisition tool?
>
> Thanks.
>
> -David
>
Good afternoon,
I was just looking at a memory dump that, when compressed, went from 4GB to about 20MB. Something is odd here, I say. Most of the file is nulls.
The dump was collected with FTK Imager. Does anyone have any opinions on its reliability as a memory acquisition tool?
Thanks.
-David
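Added example, not part of David's post or of FTK Imager: a page-by-page pass over a raw memory image that counts all-zero pages, single-byte-filled pages and pages with real data, and tracks the longest contiguous zero run. It puts a number on the "mostly nulls" observation above so an acquisition can be compared against the machine's expected physical memory layout. The function names and the sample image are mine; the sample is constructed, and a raw (non-crash-dump) image with 4 KiB pages is assumed.

```python
import io
import sys

PAGE = 0x1000  # assumed 4 KiB page size for a raw physical memory image

def page_statistics(stream, page_size=PAGE):
    """Classify every page of the image as zero, uniform (one repeated byte,
    e.g. 0xFF fill) or data. Also records the longest run of consecutive
    zero pages, since a very long run points at a region the acquisition
    tool did not actually read rather than at genuinely unused RAM."""
    stats = {"total": 0, "zero": 0, "uniform": 0, "data": 0, "longest_zero_run": 0}
    run = 0
    while True:
        page = stream.read(page_size)
        if not page:
            break
        stats["total"] += 1
        if page.count(b"\x00") == len(page):
            stats["zero"] += 1
            run += 1
            stats["longest_zero_run"] = max(stats["longest_zero_run"], run)
            continue
        run = 0
        if page.count(page[:1]) == len(page):
            stats["uniform"] += 1
        else:
            stats["data"] += 1
    stats["zero_ratio"] = stats["zero"] / stats["total"] if stats["total"] else 0.0
    return stats

def looks_suspicious(stats, max_zero_ratio=0.5):
    """Heuristic threshold (my choice): a live system rarely has more than
    half of physical memory zero-filled; a higher ratio deserves a second look."""
    return stats["zero_ratio"] > max_zero_ratio

def make_sample_image():
    """Constructed 8-page image: 3 zero pages, data, 2 zero pages, 0xFF page, data."""
    data_page = bytes(range(256)) * (PAGE // 256)
    return io.BytesIO(b"\x00" * PAGE * 3 + data_page + b"\x00" * PAGE * 2
                      + b"\xff" * PAGE + data_page)

if __name__ == "__main__":
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else make_sample_image()
    with src:
        s = page_statistics(src)
    print(s, "suspicious" if looks_suspicious(s) else "ok")
```

Run it with the path to a dump as the only argument; without one it analyses the constructed sample.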