May 2013 - Vol-users - volatilityfoundation.org

by Brian Keefer

I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error. chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod Volatile Systems Volatility Framework 2.3_alpha WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space JKIA32PagedMemoryPae: No base Address Space AMD64PagedMemory: No base Address Space JKIA32PagedMemory: No base Address Space IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53 WindowsCrashDumpSpace32: Header signature invalid JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected AMD64PagedMemory: Failed valid Address Space check JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled FileAddressSpace: Must be first Address Space ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected On a hunch I checked the directory I built the profile in (copied headers & source from the target system): chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo * System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq Platform running Volatility (2.3_alpha, latest from svn): Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux Source of memory image: Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux What am I missing? -- chort

10 years, 3 months

3
6
0 0

Problem using bitmaps in overlays

by Carl Pulley

Hi all, I'm currently attempting to code up a bitmap (within an overlay) that consists of an array of 4 ulongs. With (say) a single ulong, the following works great: profile.merge_overlay({ 'XXX': [ None, ['Flags', {'target': 'unsigned long', 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]] }) However, the obvious generalisation to 4 ulongs: profile.merge_overlay({ 'XXX': [ None, ['Flags', {'target': ['array', 4, ['unsigned long']], 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]] }) fails. Looking at the source, the profile.merge_overlay calls: obj.Object(['array', 4, ['unsigned long']], offset=0, ..) and this function in turn raises an exception (i.e. TypeError: unhashable type: 'list') when it calls: vm.profile.has_type(['array', 4, ['unsigned long']]) Attempts at using obj.Array instead also flounder. Does anyone have any hints or tips as to how best to deal with bitmaps that are arrays of bytes, ulongs or similar? Is it a case of having to extend the obj.Flags class so that such things can be handled? Many thanks, Carl.

12 years

2
2
0 0

Second Week of Month of Volatility Plugins II is posted

by Andrew Case

We are writing as the second week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new and updated plugins used to analyze Windows systems. The first post discussed recovering RSA Private Keys and SSL Certificates from memory: http://volatility-labs.blogspot.com/2013/05/movp-ii-21-rsa-private-keys-and… The second post discussed recovering information about unloaded kernel modules from memory: http://volatility-labs.blogspot.com/2013/05/movp-ii-22-unloaded-windows-ker… The third post showed how to create timelines with in-memory data using Volatility: http://volatility-labs.blogspot.com/2013/05/movp-ii-23-creating-timelines-w… The fourth post demonstrated how to recover MFT entries and utilize them during investigations: http://volatility-labs.blogspot.com/2013/05/movp-ii-24-reconstructing-maste… The last post highlighted a number of new and updated plugins that are very useful during investigations: http://volatility-labs.blogspot.com/2013/05/movp-ii-25-new-and-improved-win… We hope you enjoy the posts, and the third week of posts will begin tomorrow and cover a number of new plugins to help analyze Linux and Android samples. If you have any questions or comments please comment on an individual blog post or reply to this email. Thanks, Andrew (@attrc)

12 years, 1 month

1
0
0 0

Automated Volatility Plugin Generation with Dalvik Inspector

by Joe Sylve

Hello, We wanted to take the opportunity to point you to a blog post which gives a preview of some of the research we've been working on at 504ENSICS Labs in the area of Android memory analysis. This time we are demoing a feature that will allow automatted volatility plugin generation with our Dalvik Inspector tool. We think our results will be of great interest to the DFIR community and look forward to your feed back. We plan on releasing the tool this year at Black Hat. The blog post can be found here: http://www.504ensics.com/automated-volatility-plugin-generation-with-dalvik… --- *Joe T. Sylve, M.S.* Co-Founder 504ENSICS Labs (504) 210-8270 (Office) http://www.504ensics.com PGP Key: http://www.504ensics.com/pgp_keys/joesylve.asc

12 years, 1 month

1
0
0 0

First week of Month of Volatility Plugins II is posted

by Andrew Case

Hello, We are writing as the first week of the second installment of the Month of Volatility Plugins is now posted. Volatility 2.3 is currently in beta, and the blog posts are focusing on new features in this version. This week's posts discussed a number of new address spaces we have added to support new hardware architectures and file formats. The first one is the MachO address space used to support Mac Memory Reader: http://volatility-labs.blogspot.com/2013/05/movp-ii-11-mach-o-address-space… The second is an address space used to support VirtualBox: http://volatility-labs.blogspot.com/2013/05/movp-ii-12-virtualbox-elf64-cor… The third address space allows for analysis of VMware snapshot files (.vmss and .vmsn): http://volatility-labs.blogspot.com/2013/05/movp-ii-13-vmware-snapshot-and-… The fourth address space supports the hpak format of the HBGary Fast Dump acquisition tool: http://volatility-labs.blogspot.com/2013/05/movp-ii-14-new-hpak-address-spa… The final address space discussed adds support for the ARM architecture. This is leveraged by Volatility's Android support: http://volatility-labs.blogspot.com/2013/05/movp-ii-15-arm-address-space-vo… We hope you enjoy the posts, and the second installment of posts will begin tomorrow and cover a number of new plugins to help analyzing Windows samples. If you have any questions or comments please comment on an individual blog post or reply to this email. Thanks, Andrew (@attrc)

12 years, 1 month

1
0
0 0

netscan plugin question

by Lou LaRocca

Greetings I am looking at Win 7 x86 SP1 memory and I dont understand why I am seeing "established connections" but no PID or Process with it. 0x2d07480 TCPv4 10.22.41.40:58767 38.126.225.229:43405ESTABLISHED -------- -------------- 0x1367da70 TCPv4 10.22.41.40:59302 151.213.50.211:22031ESTABLISHED -------- -------------- In addition I am seeing stuff "listening" and it contains the PID and Process. 0xdb838178 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 996 svchost.exe 0xdb850ab0 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1440 spoolsv.exe 0xdb855e78 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 1440 spoolsv.exe So my question is why can I see the listening processes but im not getting the Process that are established? Thanks for the help Lou

12 years, 1 month

2
1
0 0

Nice semi-old writeup

by James Lay

Might help someone on this list out: http://blog.solutionary.com/blog/bid/92402/Hunting-Malware-with-Memory-Anal… James

12 years, 1 month

1
0
0 0

Volatility News

by Jamie Levy

For those of you interested in applying memory forensics to your malware analysis and rootkit detection efforts, we've just posted a new blog with some exciting news and updates: http://volatility-labs.blogspot.com/2013/05/whats-happening-in-world-of-vol… * Volatility 2.3 will enter beta this week and we'll introduce the new features over the next four weeks (Month of Volatility Plugins II). * There are three training courses open for registration (Reston in June, Netherlands in September, Vermont in November). Email voltraining(a)memoryanalysis.net for details. * The plugin contest submissions are starting to trickle in. Enter to win over $2250 in cash or a free seat at an upcoming training. * This year's Open Memory Forensics Workshop will be in Chantilly VA on November 4th, alongside OSDFC (Open Source Digital Forensics Conference). CFP to be announced soon. All the best, Jamie / @gleeda The Volatility Project -- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92

12 years, 1 month

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users May 2013