Dear vol-users,
I'm trying to get data from a volatile registry key using the regapi /
rawreg classes in volatility.
The key I'm looking for is under HKCU\Software\Classes\, and is called CLSID
vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns' -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K "Software\\Classes\\CLSID"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
The requested key could not be found in the hive(s) searched
So I go up one level:
vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns' -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K "Software\\Classes"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \??\C:\Users\admin\ntuser.dat
Key name: Classes (V)
Last updated: 2015-04-11 18:04:18 UTC+0000
Subkeys:
Values:
REG_LINK SymbolicLinkValue : (V) \Registry\User\S-1-5-21-978483858-511166411-2750856381-1000_Classes
----------------------------
Registry: \SystemRoot\System32\Config\DEFAULT
Key name: Classes (S)
Last updated: 2009-07-14 04:48:57 UTC+0000
Subkeys:
(S) Local Settings
Values:
How can I query this key and keep on drilling its subkeys?
Also, my plugin is making extensive use of rawreg because I try to get each
individual NTUSER.dat hive, and I don't know which hive_name to pass on to
regapi. Should I use the full hive name, as in
self.hive_name(obj.Object("_CMHIVE", vm = addr_space, offset = hive_offset)),
or is there a better way of doing it?
Any help is greatly appreciated. Have a great day!
--
Thomas Chopitea
We are very excited to announce that the lineup for BSidesNOLA 2016 is out!
The day will start with a keynote presentation from Darren Van Booven.
He is currently the CISO of Idaho National Laboratory and was previously
the CISO of the US House of Representatives. It will then continue with
three tracks of talks ranging from
application security to memory forensics to malware analysis to law.
Full information on the conference can be found at the following page:
http://www.securitybsides.com/w/page/104051753/BSidesNOLA%202016
The cost to attend is $15, and you must register through the
EventBrite link (
https://www.eventbrite.com/e/bsides-nola-2016-tickets-20569894107 ).
Last year was our third year and we had 200 people attend. We are
expecting even more this year. For those of you who attended last
year, you know that beyond just great talks and networking, we also
provide very good food and drinks. The close proximity to the French
Quarter (5-10 minute walk) also means that after the conference there
will be plenty of fun and interesting things to do for the rest of the
night.
We hope to see you there and if you have any questions please reply to
this thread or email bsidesnola [@@] gmail.com.
--
Thanks,
Andrew (@attrc)
Hello all,
I am researching the behavior of the Galileo RCS, whose source code
leaked in July 2015. I am using volatility 2.5 on Windows 7 and the
instructions given in the blog of Joe Greenwood on 4armed.com.
I downloaded the standalone version for Windows and I run it from the
command line, but it dies immediately complaining about a missing source
file.
volatility-2.5.standalone.exe --profile=Win7SP1x64 -f test.raw -v psxview
Volatility Foundation Volatility Framework 2.5
ERROR : volatility.debug : The requested file doesn't exist
The system is Windows 7 x64 with SP1, so the profile should be correct.
Python 2.7 is installed in the system, but it should not be necessary
for a standalone version anyway.
Thank you in advance for help!
Best regards
Marian Kechlibar
We are excited to announce that our memory forensics and malware
analysis training will be headed back to NYC in June:
http://www.memoryanalysis.net/#!memory-forensics-training/c1q3n
We have sold out rather quickly for both of our previous NYC courses, so
please let us know ASAP if you are interested in attending.
--
Thanks,
Andrew (@attrc)