Dear vol-users,
I'm trying to get data from a volatile registry key using the regapi /
rawreg classes in volatility.
The key I'm looking for is under HKCU\Software\Classes\, and is called CLSID
vol.py
--plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns'
-f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K
"Software\\Classes\\CLSID"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
The requested key could not be found in the hive(s) searched
So I go up one level:
vol.py
--plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns'
-f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K
"Software\\Classes"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \??\C:\Users\admin\ntuser.dat
Key name: Classes (V)
Last updated: 2015-04-11 18:04:18 UTC+0000
Subkeys:
Values:
REG_LINK SymbolicLinkValue : (V) \Registry
\User\S-1-5-21-978483858-511166411-2750856381-1000_Classes
----------------------------
Registry: \SystemRoot\System32\Config\DEFAULT
Key name: Classes (S)
Last updated: 2009-07-14 04:48:57 UTC+0000
Subkeys:
(S) Local Settings
Values:
How can I query this key and keep on drilling its subkeys ?
Also, my plugin is making extensive use of rawreg because I try to get each
individual NTUSER.dat hive, and I don't know which hive_name to pass on to
regapi. Should I use the full hive name, as in
self.hive_name(obj.Object("_CMHIVE",
vm = addr_space, offset = hive_offset)), or is there a better way of doing
it?
Any help is greatly appreciated. Have a great day!
--
Thomas Chopitea
Hello,
I am not sure why I am having trouble running vol against a Win7 memory image:
I ran the imageinfo plugin against the image and it suggests: Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64:
But when I select Win7S1x64 profile for other plugins I get following error:
Any suggestions on what I am missing? Thanks in advance.
We are very excited to announce that the lineup for BSidesNOLA 2016 is out!
The day will start with a keynote presentation from Darren Van Booven.
He is currently the CISO of Idaho National Laboratory and was previously
the CISO of the US House of Representatives. It will then continue with
three tracks of talks ranging from
application security to memory forensics to malware analysis to law.
Full information on the conference can be found at the following page:
http://www.securitybsides.com/w/page/104051753/BSidesNOLA%202016
The cost to attend is $15, and you must register through the
EventBrite link (
https://www.eventbrite.com/e/bsides-nola-2016-tickets-20569894107 ).
Last year was our third year and we had 200 people attend. We are
expecting even more this year. For those of you who attended last
year, you know that beyond just great talks and networking, we also
provide very good food and drinks. The close proximity to the French
Quarter (5-10 minute walk) also means that after the conference there
will be plenty of fun and interesting things to do for the rest of the
night.
We hope to see you there and if you have any questions please reply to
this thread or email bsidesnola [@@] gmail.com.
--
Thanks,
Andrew (@attrc)
Hello all,
I am researching the behavior of the Galileo RCS, whose source codes
leaked in July 2015. I am using volatility 2.5 on Windows 7 and the
instructions given in the blog of Joe Greenwood on 4armed.com.
I downloaded the standalone version for Windows and I run it from the
command line, but it dies immediately complaining about a missing source
file.
volatility-2.5.standalone.exe --profile=Win7SP1x64 -f test.raw -v psxview
Volatility Foundation Volatility Framework 2.5
ERROR : volatility.debug : The requested file doesn't exist
The system is Windows 7 x64 with SP1, so the profile should be correct.
Python 2.7 is installed in the system, but it should not be necessary
for a standalone version anyway.
Thank you in advance for help!
Best regards
Marian Kechlibar
We are excited to announce that our memory forensics and malware
analysis training will be headed back to NYC in June:
http://www.memoryanalysis.net/#!memory-forensics-training/c1q3n
We have sold out rather quickly for both of our previous NYC courses, so
please let us know us ASAP if you are interested in attending.
--
Thanks,
Andrew (@attrc)
We are pleased to announce that BSidesNOLA 2016 will take place on
Saturday, April 16th in the heart of downtown New Orleans. Full details
can be found on the following page:
http://www.securitybsides.com/w/page/104051753/BSidesNOLA%202016
Our Call for Papers is currently open, and we will be accepting
submissions through February 16st. Please spend time on your CFP
submission(s) as we receive a large number each year and inevitably have
to reject some of them. You don't want to miss our speakers' party so
send us your best stuff! To see some of the accepted talks from previous
years, please see our past pages:
http://www.securitybsides.com/w/page/91550808/BSidesNOLA%202015http://www.securitybsides.com/w/page/71231585/BsidesNola2014
Please let us know if you have any questions, and if you plan to attend
you must register on the Event Brite page ($15)!
--
Thanks,
Andrew (@attrc)
vol-users,
As you know, one of the main goals of the Volatility Foundation is to
promote the use of memory analysis within the forensics community. If you
have been on this mailing list for a while or seen some of the recent
court cases, you know that one of the main challenges facing investigators
is the ability to reliably collect a sample of physical memory. The
increasing number of acquisition tools has given people a lot of options
but has also exacerbated the challenge of knowing which tool to use and
under what circumstances.
In order to address this and to reduce the amount of time we spend helping
investigators troubleshoot bad memory samples, we are working on
developing some memory acquisition guidelines for investigators. If you
have had experiences where you were unable to collect a valid sample from
a system, we would like to hear from you. This could mean that the system
crashed during collection or the collected sample couldn’t be analyzed.
In particular, we are interested in the details (hardware, software, etc)
about the system the memory was being acquired from and the version of the
tool you were using to perform the acquisition.
If you have this type of information and are able to share, please contact
me off list.
Happy holidays and hope we can catch up in the New Year!
AAron Walters
The Volatility Foundation
Hello list,
This is my first post to this list. My name is Rob, I'm located in the
Netherlands and am looking for some help in dumping the memory of an
Android phone so I can inspect it in Volatility. A bit of background as to
where I'm currently at with Volatility.
I've successfully compiled LiME against a standard linux kernel running on
Intel, created a profile with dwarfdump etc., dumped the memory and can use
the plugins successfully.
I've also installed Cyanogenmod 12.1 on a GalaxyS2 and can run LiMe on it
and dump the RAM. I have a problem with the profile not loading in
Volatility but that's for another post :-) I can run strings on the dump
and recover meaningful information though.
Cutting to the chase...
My target phone is a stock Samsung Galaxy S3. I've looked at the device
settings and have downloaded the matching kernel source code from Samsungs
opensource website, taking care to make sure the build versions string
matches. The phone has developer settings and usb debugging enabled. I have
also rooted the phone and the SuperSU binary is installed and configured to
grant root always without prompting.
I've tried using toolchain versions 4.9 and 4.8 but the Samsung source code
will not compile without modifications to the makefile relating to warnings
being interpreted as errors. I'm therefore using version 4.7.
I've compiled the kernel modules which generated a module.symvers:
***
0x82d9772c bcmsdh_remove drivers/net/wireless/bcmdhd/dhd
EXPORT_SYMBOL
0x9cad0f4b bcmsdh_probe drivers/net/wireless/bcmdhd/dhd
EXPORT_SYMBOL
***
I then compiled LiME with this make file...
***
obj-m := lime.o
lime-objs := tcp.o disk.o main.o
KDIR :=~/ANDROID/S3Kernel/Kernel
PWD := $(shell pwd)
CROSS_COMPILE :=
/home/dfir/ANDROID/android-ndk-r10e/toolchains/arm-linux-androideabi-4.7/bin/arm-linux-androideabi-
ARCH := arm
.PHONY: modules modules_install clean distclen help
default:
$(MAKE) ARCH=arm SUBARCH=arm -C $(KDIR) M=$(PWD)
CROSS_COMPILE=$(CROSS_COMPILE) EXTRA_CFLAGS=-fno-pic modules
mv lime.ko limeS3.ko
***
...and this generates the following output
***
dfir@ThinkPad-T420:~/ANDROID/S3Kernel/LiME/src$ make
make ARCH=arm SUBARCH=arm -C ~/ANDROID/S3Kernel/Kernel
M=/home/dfir/ANDROID/S3Kernel/LiME/src
CROSS_COMPILE=/home/dfir/ANDROID/android-ndk-r10e/toolchains/arm-linux-androideabi-4.7/bin/arm-linux-androideabi-
EXTRA_CFLAGS=-fno-pic modules
make[1]: Entering directory `/home/dfir/ANDROID/S3Kernel/Kernel'
CC [M] /home/dfir/ANDROID/S3Kernel/LiME/src/tcp.o
CC [M] /home/dfir/ANDROID/S3Kernel/LiME/src/disk.o
CC [M] /home/dfir/ANDROID/S3Kernel/LiME/src/main.o
LD [M] /home/dfir/ANDROID/S3Kernel/LiME/src/lime.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/dfir/ANDROID/S3Kernel/LiME/src/lime.mod.o
LD [M] /home/dfir/ANDROID/S3Kernel/LiME/src/lime.ko
make[1]: Leaving directory `/home/dfir/ANDROID/S3Kernel/Kernel'
mv lime.ko limeS3.ko
***
After successfully compilation there is also a module.symvers file located
in LiME directory but it is empty. I wonder if this is indicative of my
problem?
I then move limeS3.ko to my phone and connect to it with adb
adb forward tcp:4444 tcp:4444
adb shell
su
this gets me to a root prompt on the device and I can move freely around
the file system.
I then move to the location where limeS3.ko is installed and enter the
command
root@m0:/storage/extSdCard # insmod ./limeS3.ko "path=tcp:4444
format=lime"
which gives the following error.
insmod: init_module './limeS3.ko' failed (Exec format error)
I've searched for this error and ensured the kernel version is correct.
Can anyone tell me what I'm doing wrong so I can get the driver loaded?
I realize that this was a long first post. Thank-you for taking the time to
read this far. I hope someone can point me in the right direction.
regards,
Rob
We are excited to announce that Volatility 2.5 and the results of the
2015 Volatility Plugin Contest are both now available.
Volatility 2.5 includes many new features including support for Windows
10, Mac OS X El Capitan, and Linux 4.2.3. There are also a number of new
plugins, features, and bug fixes.
On the contest side, we received some very strong submissions this year.
These included recovery of the fully update-to-date shim cache from
memory (no need to wait on a reboot), the Evole GUI, memory analysis of
VMotion VM transfers, and more.
Full information on the release and contest can be found at these links:
http://volatility-labs.blogspot.com/2015/11/plugx-memory-forensics-lifecycl…http://volatility-labs.blogspot.com/2015/10/results-from-2015-volatility-pl…http://www.volatilityfoundation.org/#!25/c1f29
Please let us know if you have any issues or questions and enjoy the new
memory forensics capabilities!
--
Thanks,
Andrew (@attrc)
