Vol Team,
II've been unable to parse the Registry of a Windows system with 2.4 like I
could with 2.3 using the "-R" switch. Do you invoke Registry parsing the
same with 2.4 and Timeliner? When I remove the "-R" flag timeliner runs as
expected. Apologies if this has been discussed somewhere. I've tried with
Vol.py (compiled from source) and the Windows binary flavor of 2.4.
Here's the errors I am receiving:
C:\Users\DFIR-PC\Desktop\Mem>vol.exe -f Bad.img timeliner --output=body >
timeline.txt -R
Volatility Foundation Volatility Framework 2.4
Usage: Volatility - A memory forensics analysis platform.
vol.exe: error: no such option: -R
C:\Users\DFIR-PC\Desktop\Mem>vol.exe -f Bad.img timeliner --output=body
--output-file=timeline.txt -R
Volatility Foundation Volatility Framework 2.4
Usage: Volatility - A memory forensics analysis platform.
vol.exe: error: no such option: -R
C:\Users\DFIR-PC\Desktop\Mem>c:\volatility-master\vol.py -f Bad.img
timeliner --output=body --output-file=timeline.txt -R
Volatility Foundation Volatility Framework 2.4
Usage: Volatility - A memory forensics analysis platform.
vol.py: error: no such option: -R
Thanks!
Jared
Hi,
Sorry for the 'me too' response, but I'm having this exact same problem. However, the main difference is that I'm using a 'QEMU' memory image (Hex dump sig is QEVM in the first 4 bytes) from a cloud instance.
I've converted these in the past using the 'lqs2mem' tool written by Juerg Haefliger and Andrew Tappert and it's worked perfectly for the 'netscan' and 'ps' type plugins. However, I haven't needed to dump processes before and look for specific strings. I can locate the strings in the converted image, but it's not translating to the processes that are identified by the 'strings' plugin.
Here's the steps I've been taking -
## Memory dump info
> ll memory_dump
-rw------- 1 geoff citsirt 7579914273 Apr 27 13:36 memory_dump
> file memory_dump
memory_dump: QEMU suspend to disk image
> xxd memory_dump | head -n1
0000000: 5145 564d 0000 0003 0100 0000 0105 626c QEVM..........bl
## Convert the dump
> lqs2mem -w pc.ram memory_dump memory_dump.ram
section = pc.ram size = 8192 [MB] 8589934592 [bytes]
section = pc.bios size = 128 [KB] 131072 [bytes]
section = pc.rom size = 128 [KB] 131072 [bytes]
section = vga.vram size = 16 [MB] 16777216 [bytes]
section = 0000:00:02.0/cirrus_vga.rom size = 64 [KB] 65536 [bytes]
Wrote 8589934592 bytes from section 'pc.ram' to file memory_dump.ram
## Create the strings file
> strings -a -t d memory_dump.ram > memory_dump.ram.strings
> strings -a -t d -el memory_dump.ram >> memory_dump.ram.strings
## Create the volatility strings file
> python /data/download/apps/forensic_tools/volatility/vol.py -f memory_dump.ram --profile=Win2008SP2x64 strings -s --output-file=memory_dump.ram.vol.strings
> ll memory_dump.ram.strings memory_dump.ram.vol.strings
-rw-rw-r-- 1 geoff citsirt 2914258187 May 7 08:58 memory_dump.ram.strings
-rw-rw-r-- 1 geoff citsirt 4292775089 May 7 12:17 memory_dump.ram.vol.strings
## '<Search_String>' is found in both string files as expected
> fgrep <Search_String> memory_dump.ram.strings memory_dump.ram.vol.strings
memory_dump.ram.strings:183190042 <Search_String>
memory_dump.ram.vol.strings:183190042 [3156:0189321a] <Search_String>
## Dump process 3156 as identified by volatility
> python /data/download/apps/forensic_tools/volatility/vol.py -f memory_dump.ram --profile=Win2008SP2x64 procdump -p 3156 -D processes -m
Volatility Foundation Volatility Framework 2.4
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
0xfffffa800a4e6370 0x0000000000400000 iwproxy.exe OK: executable.3156.exe
>ll processes/executable.3156.exe
-rw-rw-r-- 1 geoff citsirt 3248128 May 7 12:35 processes/executable.3156.exe
## '<Search_String>' not found in the dumped executable
> strings -a processes/executable.3156.exe | fgrep <Search_String>
> strings -a -el processes/executable.3156.exe | fgrep <Search_String>
I've tried many different variations of the above steps and all have the same results.
According to what I've read in this thread is that the issue is to make sure the original dump is properly converted. How can I do that? 'lqs2mem' has limited options.
Any ideas on what I can do differently to get this to work?
Thanks,
Geoff
Don't be afraid to tell me I'm doing something stupid... :-)
-----Original Message-----
From: vol-users-bounces(a)volatilesystems.com [mailto:vol-users-bounces@volatilesystems.com] On Behalf Of Michael Ligh
Sent: Tuesday, March 24, 2015 6:49 AM
To: Bridgey theGeek
Cc: vol-users(a)volatilesystems.com
Subject: Re: [Vol-users] Output of strings not found in memdump output
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Perfect! Glad to hear all is good in the world ;-)
MHL
On 3/24/15 5:05 AM, Bridgey theGeek wrote:
> Awesome, thanks Michael.
>
> I generated a raw dump as follows, with the vmsn and vmem files in the
> same folder: $ python vol.py -f winxp.vmem
> --profile=WinXPSP2x86 imagecopy -O winxp.raw
>
> Then ran strings again (having generated a new input text file because
> of course the offsets will be different): $ python vol.py -f winxp.raw
> --profile=WinXPSP2x86 strings -s pk.txt
>
> I was then able to find the banner at the offsets reported by strings.
> And all was good in the world.
>
> Thank you very much for the support.
>
> Adam
>
> On 23 March 2015 at 19:39, Michael Ligh <michael.ligh(a)mnin.org
> <mailto:michael.ligh@mnin.org>> wrote:
>
> Hey Adam,
>
> A few things:
>
> * Yes, vmss2core creates a windows crash dump * You can use volatility
> on the original vmem/vmss by doing the following:
>
> * make sure both vmem and vmss files are in the same dir * make sure
> they have the same base name (i.e. test.vmem and test.vmss) * run your
> volatility plugins against the vmem
>
> In this case, it would also be required to generate a raw memory dump
> before running strings. So you would use imagecopy on the vmem.
>
> LMK if that helps! Michael
>
> On 3/23/15 10:51 AM, Bridgey theGeek wrote:
>> Hi Michael,
>
>> *sigh* When will I learn to check the origin of my samples?!
>
>> The guy who provided me with the sample tells me that he took a
>> snapshot of a VMWare machine and then used vss2core to convert it. I
>> BELIEVE that makes it into a Windows Memory Core Dump..?
>
>> I got hold of the original vmem and vmsn files. Trying to use
>> imagecopy on the vmsn just replicated the input file. I think the
>> header is not what Volatility would expect: $ xxd Windows\ XP\ Pro\
>> SP2\ \(32-bit\)-Snapshot49.vmsn |head 0000000: d2be d2be
>> 0800 0000 6300 0000 4368 6563 ........c...Chec 0000010: 6b70
>> 6f69 6e74 0000 0000 0000 0000 0000 kpoint.......... 0000020:
>> 0000 0000 0000 0000 0000 0000 0000 0000 ................
>> 0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
>> 0000040: 0000 0000 0000 0000 0000 0000 fc1e 0000 ................
>> 0000050: 0000 0000 ab03 0000 0000 0000 4775 6573 ............Gues
>> 0000060: 7456 6172 7300 0000 0000 0000 0000 0000 tVars...........
>> 0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
>> 0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
>> 0000090: 0000 0000 0000 0000 0000 0000 a722 0000 ............."..
>
>> Does that mean I can't use this with Volatility?
>
>> Thank you, Adam
>
>> On 23 March 2015 at 14:57, Michael Ligh <michael.ligh(a)mnin.org
>> <mailto:michael.ligh@mnin.org> <mailto:michael.ligh@mnin.org
>> <mailto:michael.ligh@mnin.org>>> wrote:
>
>> Hey Adam,
>
>> We forgot to ask if the sample was a raw memory dump. For
>> example:
>
>> $ xxd ~/Desktop/memory.dmp | less
>
>> 0000000: 5041 4745 4455 4d50 0f00 0000 280a 0000 PAGEDUMP....(...
>> 0000010: 8001 6c07 00c0 e680 a031 5580 5892 5580 ..l......1U.X.U.
>> 0000020: 4c01 0000 0100 0000 8000 0000 5444 4f00 L...........TDO.
>> 0000030: 0000 0000 0000 0000 0000 0000 5041 4745 ............PAGE
>> 0000040: 5041 4745 5041 4745 5041 4745 5041 4745 PAGEPAGEPAGEPAGE
>
>> If its something like a crash dump, hibernation, etc then the file
>> format headers throw off the offsets. You can convert those special
>> file types into a raw memory dump with the imagecopy plugin and then
>> your strings translations should be accurate.
>
>> Cheers! MHL
>
>> On 3/23/15 8:54 AM, Bridgey theGeek wrote:
>>> Hi Andrew,
>
>>> I was certain I was running the latest version, but just to be sure
>>> I grabbed the latest version. Same result, same offsets.
>
>>> I can make the sample available, but more than happy to do whatever
>>> debugging needs doing (if I can!)
>
>>> Adam
>
>>> On 23 March 2015 at 13:03, Andrew Case <atcuno(a)gmail.com
>>> <mailto:atcuno@gmail.com> <mailto:atcuno@gmail.com
>>> <mailto:atcuno@gmail.com>>
> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>
>>> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>>>> wrote:
>
>>> Are you using the latest git checkout of Volatility or the 2.4
>>> release? Can you try the latest checkout and re-run Volatility
>>> strings (you can run it on just the offsets from PID 123 to make it
>>> faster).
>
>>> If you are already on the latest checkout then we will need to debug
>>> further.
>
>
>
>
>>> Thanks, Andrew (@attrc)
>
>>> On 03/23/2015 04:38 AM, Bridgey theGeek wrote:
>>>> Thanks Andrew:
>>>>
>>>> python vol.py --profile=WinXPSP2x86 -f memory.dmp volshell -p 123
>>>> Volatility Foundation Volatility Framework 2.4 Current context:
>>>> myapp.exe @ 0x822042f8, pid=123, ppid=392
>>> DTB=0x76c0040
>>>> Welcome to volshell! Current memory image is:
>>>> file:///home/memory.dmp To get help, type 'hh()'
>>>>>>> db(0x75b6b4d8)
>>>> 0x75b6b4d8 c3 7c 15 c7 85 00 ff ff ff 01 00 00 00 75 09 8d
>>>> .|...........u.. 0x75b6b4e8 85 0c ff ff ff 50 ff 17 39 9d
>>>> 00 ff ff ff 89 85 .....P..9....... 0x75b6b4f8 30 ff ff ff 74
>>>> 12 6a 0c 8d 85 c4 fe ff ff 50 6a 0...t.j.......Pj 0x75b6b508
>>>> 07 6a fe e8 ea 92 ff ff 83 bd 28 ff ff ff 0c 0f .j........(.....
>>>> 0x75b6b518 84 8c 59 00 00 e9 18 ff ff ff 90
>>>> 90 47 00 6c 00 ..Y.........G.l. 0x75b6b528 6f 00 62 00 61 00 6c 00
>>>> 5c 00 54 00 65 00 72 00 o.b.a.l.\.T.e.r. 0x75b6b538 6d
>>>> 00 53 00 72 00 76 00 52 00 65 00 61 00 64 00 m.S.r.v.R.e.a.d.
>>>> 0x75b6b548 79 00 45 00 76 00 65 00 6e 00 74 00 00 00 90 90
>>>> y.E.v.e.n.t.....
>>>>
>>>> Nope, still no banner. But it is identical to what I find at
>>> 0x1a34d8 in
>>>> 123.dmp. (As you'd expect.) Double-checked that I was searching
>>>> Unicode and ASCII - still no luck.
>>>>
>>>> Hmmm.
>>>>
>>>> Adam
>>>>
>>>> On 23 March 2015 at 04:02, Andrew Case <atcuno(a)gmail.com
> <mailto:atcuno@gmail.com>
>> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>>
>>> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>
> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>>>
>>>> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>
> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>>
>> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>
> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>>>>> wrote:
>>>>
>>>> Can do you:
>>>>
>>>> vol.py ... volshell -p 123
>>>>
>>>> Then in volshell do:
>>>>
>>>> db(0x75b6b4d8)
>>>>
>>>> And see if you get the banner printed at the beginning?
>>>>
>>>> Also, how are you searching 123.dmp? Did you search ascii &
>>> unicode
>>>> (most common error)
>>>>
>>>> Thanks, Andrew (@attrc)
>>>>
>>>> On 03/20/2015 03:59 PM, Bridgey theGeek wrote:
>>>>> Hi all,
>>>>>
>>>>> I can't quite see what's wrong with my logic here, but I must be
>>>> missing
>>>>> something. Hoping someone can help me out.
>>>>>
>>>>> I'm looking for a private key in a memory sample (WinXPSP2x86).
>>>>> Specifically, to find out which process/es is/are accessing it.
>>>>>
>>>>> I can find the key by searching the raw memory dump
>>> (memory.dmp).
>>>>> As you might expect it's between: -----BEGIN RSA PRIVATE
>>>>> KEY----- -----END RSA PRIVATE KEY-----
>>>>>
>>>>> I generated an offset:string file by using strings. Then, using
>>>>> the strings plugin I get this output: $ python vol.py -f
>>>>> memory.dmp --profile=WinXPSP2x86 strings
>>> -s pk.txt
>>>>> Volatility Foundation Volatility Framework 2.4 188435934 [FREE
>>>>> MEMORY:-1] -----BEGIN RSA PRIVATE KEY----- 188435968 [FREE
>>>>> MEMORY:-1] -----END RSA PRIVATE KEY----- 317375704
>>>>> [kernel:d2ab24d8] -----BEGIN RSA PRIVATE KEY-----
>>>>> 317376575 [kernel:d2ab283f] -----END RSA PRIVATE KEY-----
>>>>> 417203416 [123:75b6b4d8] -----BEGIN RSA PRIVATE KEY-----
>>>>> 417204287 [123:75b6b83f] -----END RSA PRIVATE KEY-----
>>>>> 419888606 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
>>>>> 419888640 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----
>>>>>
>>>>> Lovely. So I now do a memdump of process 123: $ python vol.py -f
>>>>> memory.dmp --profile=WinXPSP2x86 memdump
>>> --pid=123
>>>>> --dump-dir=123 Volatility Foundation Volatility Framework
>>>>> 2.4
>>>>>
>>>>
>
>
> **********************************************************************
> **
>
>
>
>
>>>> Writing myapp.exe [ 123] to 123.dmp
>>>>>
>>>>> However, if I search 123.dmp neither the BEGIN or END
>>> strings are
>>>> present.
>>>>>
>>>>> So I thought I'd try and find it via the virtual address give,
>>>> 0x75b6b4d8:
>>>>> $ python vol.py -f memory.dmp --profile=WinXPSP2x86 memmap
>>> --pid=123
>>>>> Virtual Physical Size DumpFileOffset ----------
>>>>> ---------- ---------- -------------- --SNIP-- 0x75b6b000
>>>>> 0x18de0000 0x1000 0x1a3000 --SNIP--
>>>>>
>>>>> The text is indeed at 0x18de04d8 in memory.dmp, but not at
>>> 0x1a34d8 in
>>>>> 123.dmp. Again, it's no where to be found in 123.dmp.
>>>>>
>>>>> Any suggestions..??
>>>>>
>>>>> Many thanks, Adam
>>>>>
>>>>>
>>>>> _______________________________________________ Vol-users mailing
>>>>> list Vol-users(a)volatilesystems.com
> <mailto:Vol-users@volatilesystems.com>
>> <mailto:Vol-users@volatilesystems.com
> <mailto:Vol-users@volatilesystems.com>>
>>> <mailto:Vol-users@volatilesystems.com
> <mailto:Vol-users@volatilesystems.com>
>> <mailto:Vol-users@volatilesystems.com
> <mailto:Vol-users@volatilesystems.com>>>
>>> <mailto:Vol-users@volatilesystems.com
> <mailto:Vol-users@volatilesystems.com>
>> <mailto:Vol-users@volatilesystems.com
> <mailto:Vol-users@volatilesystems.com>>
>>> <mailto:Vol-users@volatilesystems.com
> <mailto:Vol-users@volatilesystems.com>
>>> <mailto:Vol-users@volatilesystems.com
> <mailto:Vol-users@volatilesystems.com>>>>
>>>>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>>>>>
>>>>
>>>>
>
>>>>>
>
>
>
>>> _______________________________________________ Vol-users mailing
>>> list Vol-users(a)volatilesystems.com
> <mailto:Vol-users@volatilesystems.com>
>>> <mailto:Vol-users@volatilesystems.com
> <mailto:Vol-users@volatilesystems.com>>
>>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>
>
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
iF4EAREKAAYFAlURazkACgkQXnt9v1O0LItfjAD/W7UeZMNiWVRMqeeJftNRaxG2
dpi/c755Qxc6X7PUKU8A/iREkToI9Ad0/GejtG32OpZMLjk0gjhj5XoMxAWuY69D
=JNEv
-----END PGP SIGNATURE-----
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilesystems.com
http://lists.volatilesystems.com/mailman/listinfo/vol-users
Hey everyone, I recently built a 10.10.3 Yosemite profile for 10.10.3 image I have. When I try to run mac_psxview on the image, I’m getting a bunch of errors as shown below. Any ideas?
bash-3.2# python /usr/local/bin/vol.py -f /users/msquire/desktop/share/macloginELF.dump --profile MacYosemite10_10_3_64bitx64 mac_psxview
Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 5, in <module>
pkg_resources.run_script('volatility==2.4', 'vol.py')
File "/Library/Python/2.7/site-packages/pkg_resources/__init__.py", line 729, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/Library/Python/2.7/site-packages/pkg_resources/__init__.py", line 1642, in run_script
exec(code, namespace, namespace)
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
main()
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
command.execute()
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/plugins/mac/common.py", line 46, in execute
commands.Command.execute(self, *args, **kwargs)
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/commands.py", line 99, in execute
if not self.is_valid_profile(profs[self._config.PROFILE]()):
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/plugins/overlays/mac/mac.py", line 1098, in __init__
obj.Profile.__init__(self, *args, **kwargs)
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 858, in __init__
self.reset()
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/plugins/overlays/mac/mac.py", line 1117, in reset
self.load_modifications()
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 940, in load_modifications
mod.modification(self)
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/plugins/overlays/mac/mac.py", line 1367, in modification
profile.merge_overlay(mac_overlay)
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 1031, in merge_overlay
self.vtypes[k] = self._apply_overlay(self.vtypes[k], v)
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 1081, in _apply_overlay
result.append(self._apply_overlay(type_member[i], overlay[i]))
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 1068, in _apply_overlay
result[k] = self._apply_overlay(type_member[k], v)
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 1081, in _apply_overlay
result.append(self._apply_overlay(type_member[i], overlay[i]))
File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 1072, in _apply_overlay
if len(overlay) != len(type_member):
TypeError: object of type 'int' has no len()
Using OSXPmem to acquire the images, tried with RAW, ELF (as above), and MACHO types.
This has been killing me, any help would be greatly appreciated!
Thank you!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi folks,
If you're in the NY area next week, hook up with us and some other
@volatility users for a few drinks on Wednesday night (13th). Request
details off list.
Also just a heads up for the next Malware and Memory Forensics
training classes...we'll be in Amsterdam Aug 31 - Sept 4 and then back
in Reston, VA October 5 - 9. We hope to see some of you there!
MHL
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
iF4EAREKAAYFAlVOL/8ACgkQXnt9v1O0LIsTOAD/RAAqA2H0UHLht6daYd1LRVSg
5Wie9xEysWHJx5o42MgBAIrHRvTvUiGXWfBW9IdrDE522taJjmoxftRc6P1OpN8a
=SOEJ
-----END PGP SIGNATURE-----
Hello All,
We are writing as BSidesNOLA is roughly one month away, and we would
like to see everyone there.
We have put together our best speaker lineup yet, and we want to get as
big a crowd as possible for learning, networking, and a day of fun.
Registration is only $10, but you must pre-register through Eventbrite:
https://www.eventbrite.com/e/bsides-nola-2015-tickets-9621601469.
Full information on the conference, including the keynote and 18
technical presentations, can be found here:
http://www.securitybsides.com/w/page/91550808/BSidesNOLA%202015
We hope to see everyone there, and please don’t be shy of spreading the
word!
Thanks,
The BSidesNOLA Team
Open Source Digital Forensics Conference - Call For Presentations and Workshops
The 6th Annual Open Source Digital Forensics Conference (OSDFCon) will be held on October 28, 2015 in Herndon, VA. All users and developers are invited to submit a presentation or workshop topic by June 1, 2015. This is a unique opportunity to present your work and experiences to over 400 people.
The conference will be attended by both digital forensic investigators and developers. This event is a great opportunity to make investigators aware of your tools, get feedback from users, meet fellow developers and users, and help direct the future of open source digital forensics software.
To receive updates about the conference, sign up for e-mail updates (http://www.osdfcon.org) or watch #osdfcon on twitter.
TOPICS
We are looking for 35-minute talks on a variety of topics about using open source tools, including:
* New tools and analysis techniques
* New features to mature tools
* Open, plug-in analysis framework designs and experiences
* Automated analysis
* Hard drive analysis and triage
* Memory and network forensics
* Mobile device forensics
* Analyzing application-level artifacts
* Cyber incident response
* User experiences
* Case studies
We also have openings for half-day workshops on the day before the conference (October 27, 2015). The workshops should teach people how to use or develop open source tools by providing hands-on guidance.
SUBMISSION INSTRUCTIONS
Topics can be submitted using an online form:
http://www.osdfcon.org
Submissions are due June 1, 2015. Our plan this year is to do an initial pass of the submissions and then use crowd sourcing to choose the final set of topics.
E-mail submissions2015 [at] osdfcon [dot] org with any questions.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi folks,
There's one week left to register for the upcoming Reston class (April
13-17). If you're from Reston or will be there working during the
time, drop us a note and we'll include you in the "night out"
announcement so you can come have some drinks with other Volatility
users.
Same applies to the New York class during the week of May 11-15, UK
June 1-5 and Amsterdam August 31-September 4.
We hope to see some of guys there!
MHL
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
iF4EAREKAAYFAlUb84YACgkQXnt9v1O0LIv08gEAlz1YdHOV2NfMQzOzDegIguFI
EkVTkFR6kFSDo2z1oRgBAJWc+SJyUJ+wP93ULd8pFw9d97QqCr8y+aQnEsKlVn3A
=W35+
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Perfect! Glad to hear all is good in the world ;-)
MHL
On 3/24/15 5:05 AM, Bridgey theGeek wrote:
> Awesome, thanks Michael.
>
> I generated a raw dump as follows, with the vmsn and vmem files in
> the same folder: $ python vol.py -f winxp.vmem
> --profile=WinXPSP2x86 imagecopy -O winxp.raw
>
> Then ran strings again (having generated a new input text file
> because of course the offsets will be different): $ python vol.py
> -f winxp.raw --profile=WinXPSP2x86 strings -s pk.txt
>
> I was then able to find the banner at the offsets reported by
> strings. And all was good in the world.
>
> Thank you very much for the support.
>
> Adam
>
> On 23 March 2015 at 19:39, Michael Ligh <michael.ligh(a)mnin.org
> <mailto:michael.ligh@mnin.org>> wrote:
>
> Hey Adam,
>
> A few things:
>
> * Yes, vmss2core creates a windows crash dump * You can use
> volatility on the original vmem/vmss by doing the following:
>
> * make sure both vmem and vmss files are in the same dir * make
> sure they have the same base name (i.e. test.vmem and test.vmss) *
> run your volatility plugins against the vmem
>
> In this case, it would also be required to generate a raw memory
> dump before running strings. So you would use imagecopy on the
> vmem.
>
> LMK if that helps! Michael
>
> On 3/23/15 10:51 AM, Bridgey theGeek wrote:
>> Hi Michael,
>
>> *sigh* When will I learn to check the origin of my samples?!
>
>> The guy who provided me with the sample tells me that he took a
>> snapshot of a VMWare machine and then used vss2core to convert
>> it. I BELIEVE that makes it into a Windows Memory Core Dump..?
>
>> I got hold of the original vmem and vmsn files. Trying to use
>> imagecopy on the vmsn just replicated the input file. I think
>> the header is not what Volatility would expect: $ xxd Windows\
>> XP\ Pro\ SP2\ \(32-bit\)-Snapshot49.vmsn |head 0000000: d2be d2be
>> 0800 0000 6300 0000 4368 6563 ........c...Chec 0000010: 6b70
>> 6f69 6e74 0000 0000 0000 0000 0000 kpoint.......... 0000020:
>> 0000 0000 0000 0000 0000 0000 0000 0000 ................
>> 0000030: 0000 0000 0000 0000 0000 0000 0000 0000
>> ................ 0000040: 0000 0000 0000 0000 0000 0000 fc1e 0000
>> ................ 0000050: 0000 0000 ab03 0000 0000 0000 4775 6573
>> ............Gues 0000060: 7456 6172 7300 0000 0000 0000 0000 0000
>> tVars........... 0000070: 0000 0000 0000 0000 0000 0000 0000 0000
>> ................ 0000080: 0000 0000 0000 0000 0000 0000 0000 0000
>> ................ 0000090: 0000 0000 0000 0000 0000 0000 a722 0000
>> ............."..
>
>> Does that mean I can't use this with Volatility?
>
>> Thank you, Adam
>
>> On 23 March 2015 at 14:57, Michael Ligh <michael.ligh(a)mnin.org
>> <mailto:michael.ligh@mnin.org> <mailto:michael.ligh@mnin.org
>> <mailto:michael.ligh@mnin.org>>> wrote:
>
>> Hey Adam,
>
>> We forgot to ask if the sample was a raw memory dump. For
>> example:
>
>> $ xxd ~/Desktop/memory.dmp | less
>
>> 0000000: 5041 4745 4455 4d50 0f00 0000 280a 0000
>> PAGEDUMP....(... 0000010: 8001 6c07 00c0 e680 a031 5580 5892 5580
>> ..l......1U.X.U. 0000020: 4c01 0000 0100 0000 8000 0000 5444 4f00
>> L...........TDO. 0000030: 0000 0000 0000 0000 0000 0000 5041 4745
>> ............PAGE 0000040: 5041 4745 5041 4745 5041 4745 5041 4745
>> PAGEPAGEPAGEPAGE
>
>> If its something like a crash dump, hibernation, etc then the
>> file format headers throw off the offsets. You can convert those
>> special file types into a raw memory dump with the imagecopy
>> plugin and then your strings translations should be accurate.
>
>> Cheers! MHL
>
>> On 3/23/15 8:54 AM, Bridgey theGeek wrote:
>>> Hi Andrew,
>
>>> I was certain I was running the latest version, but just to be
>>> sure I grabbed the latest version. Same result, same offsets.
>
>>> I can make the sample available, but more than happy to do
>>> whatever debugging needs doing (if I can!)
>
>>> Adam
>
>>> On 23 March 2015 at 13:03, Andrew Case <atcuno(a)gmail.com
>>> <mailto:atcuno@gmail.com> <mailto:atcuno@gmail.com
>>> <mailto:atcuno@gmail.com>>
> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>
>>> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>>>> wrote:
>
>>> Are you using the latest git checkout of Volatility or the 2.4
>>> release? Can you try the latest checkout and re-run Volatility
>>> strings (you can run it on just the offsets from PID 123 to
>>> make it faster).
>
>>> If you are already on the latest checkout then we will need to
>>> debug further.
>
>
>
>
>>> Thanks, Andrew (@attrc)
>
>>> On 03/23/2015 04:38 AM, Bridgey theGeek wrote:
>>>> Thanks Andrew:
>>>>
>>>> python vol.py --profile=WinXPSP2x86 -f memory.dmp volshell
>>>> -p 123 Volatility Foundation Volatility Framework 2.4
>>>> Current context: myapp.exe @ 0x822042f8, pid=123, ppid=392
>>> DTB=0x76c0040
>>>> Welcome to volshell! Current memory image is:
>>>> file:///home/memory.dmp To get help, type 'hh()'
>>>>>>> db(0x75b6b4d8)
>>>> 0x75b6b4d8 c3 7c 15 c7 85 00 ff ff ff 01 00 00 00 75 09 8d
>>>> .|...........u.. 0x75b6b4e8 85 0c ff ff ff 50 ff 17 39 9d
>>>> 00 ff ff ff 89 85 .....P..9....... 0x75b6b4f8 30 ff ff ff 74
>>>> 12 6a 0c 8d 85 c4 fe ff ff 50 6a 0...t.j.......Pj 0x75b6b508
>>>> 07 6a fe e8 ea 92 ff ff 83 bd 28 ff ff ff 0c 0f
>>>> .j........(..... 0x75b6b518 84 8c 59 00 00 e9 18 ff ff ff 90
>>>> 90 47 00 6c 00 ..Y.........G.l. 0x75b6b528 6f 00 62 00 61 00
>>>> 6c 00 5c 00 54 00 65 00 72 00 o.b.a.l.\.T.e.r. 0x75b6b538 6d
>>>> 00 53 00 72 00 76 00 52 00 65 00 61 00 64 00 m.S.r.v.R.e.a.d.
>>>> 0x75b6b548 79 00 45 00 76 00 65 00 6e 00 74 00 00 00 90 90
>>>> y.E.v.e.n.t.....
>>>>
>>>> Nope, still no banner. But it is identical to what I find at
>>> 0x1a34d8 in
>>>> 123.dmp. (As you'd expect.) Double-checked that I was
>>>> searching Unicode and ASCII - still no luck.
>>>>
>>>> Hmmm.
>>>>
>>>> Adam
>>>>
>>>> On 23 March 2015 at 04:02, Andrew Case <atcuno(a)gmail.com
> <mailto:atcuno@gmail.com>
>> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>>
>>> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>
> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>>>
>>>> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>
> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>>
>> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>
> <mailto:atcuno@gmail.com <mailto:atcuno@gmail.com>>>>> wrote:
>>>>
>>>> Can do you:
>>>>
>>>> vol.py ... volshell -p 123
>>>>
>>>> Then in volshell do:
>>>>
>>>> db(0x75b6b4d8)
>>>>
>>>> And see if you get the banner printed at the beginning?
>>>>
>>>> Also, how are you searching 123.dmp? Did you search ascii &
>>> unicode
>>>> (most common error)
>>>>
>>>> Thanks, Andrew (@attrc)
>>>>
>>>> On 03/20/2015 03:59 PM, Bridgey theGeek wrote:
>>>>> Hi all,
>>>>>
>>>>> I can't quite see what's wrong with my logic here, but I
>>>>> must be
>>>> missing
>>>>> something. Hoping someone can help me out.
>>>>>
>>>>> I'm looking for a private key in a memory sample
>>>>> (WinXPSP2x86). Specifically, to find out which process/es
>>>>> is/are accessing it.
>>>>>
>>>>> I can find the key by searching the raw memory dump
>>> (memory.dmp).
>>>>> As you might expect it's between: -----BEGIN RSA PRIVATE
>>>>> KEY----- -----END RSA PRIVATE KEY-----
>>>>>
>>>>> I generated an offset:string file by using strings. Then,
>>>>> using the strings plugin I get this output: $ python
>>>>> vol.py -f memory.dmp --profile=WinXPSP2x86 strings
>>> -s pk.txt
>>>>> Volatility Foundation Volatility Framework 2.4 188435934
>>>>> [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY----- 188435968
>>>>> [FREE MEMORY:-1] -----END RSA PRIVATE KEY----- 317375704
>>>>> [kernel:d2ab24d8] -----BEGIN RSA PRIVATE KEY-----
>>>>> 317376575 [kernel:d2ab283f] -----END RSA PRIVATE KEY-----
>>>>> 417203416 [123:75b6b4d8] -----BEGIN RSA PRIVATE KEY-----
>>>>> 417204287 [123:75b6b83f] -----END RSA PRIVATE KEY-----
>>>>> 419888606 [FREE MEMORY:-1] -----BEGIN RSA PRIVATE KEY-----
>>>>> 419888640 [FREE MEMORY:-1] -----END RSA PRIVATE KEY-----
>>>>>
>>>>> Lovely. So I now do a memdump of process 123: $ python
>>>>> vol.py -f memory.dmp --profile=WinXPSP2x86 memdump
>>> --pid=123
>>>>> --dump-dir=123 Volatility Foundation Volatility Framework
>>>>> 2.4
>>>>>
>>>>
>
>
> ************************************************************************
>
>
>
>
>>>> Writing myapp.exe [ 123] to 123.dmp
>>>>>
>>>>> However, if I search 123.dmp neither the BEGIN or END
>>> strings are
>>>> present.
>>>>>
>>>>> So I thought I'd try and find it via the virtual address
>>>>> give,
>>>> 0x75b6b4d8:
>>>>> $ python vol.py -f memory.dmp --profile=WinXPSP2x86 memmap
>>> --pid=123
>>>>> Virtual Physical Size DumpFileOffset ----------
>>>>> ---------- ---------- -------------- --SNIP-- 0x75b6b000
>>>>> 0x18de0000 0x1000 0x1a3000 --SNIP--
>>>>>
>>>>> The text is indeed at 0x18de04d8 in memory.dmp, but not at
>>> 0x1a34d8 in
>>>>> 123.dmp. Again, it's no where to be found in 123.dmp.
>>>>>
>>>>> Any suggestions..??
>>>>>
>>>>> Many thanks, Adam
>>>>>
>>>>>
>>>>> _______________________________________________ Vol-users
>>>>> mailing list Vol-users(a)volatilityfoundation.org
> <mailto:Vol-users@volatilityfoundation.org>
>> <mailto:Vol-users@volatilityfoundation.org
> <mailto:Vol-users@volatilityfoundation.org>>
>>> <mailto:Vol-users@volatilityfoundation.org
> <mailto:Vol-users@volatilityfoundation.org>
>> <mailto:Vol-users@volatilityfoundation.org
> <mailto:Vol-users@volatilityfoundation.org>>>
>>> <mailto:Vol-users@volatilityfoundation.org
> <mailto:Vol-users@volatilityfoundation.org>
>> <mailto:Vol-users@volatilityfoundation.org
> <mailto:Vol-users@volatilityfoundation.org>>
>>> <mailto:Vol-users@volatilityfoundation.org
> <mailto:Vol-users@volatilityfoundation.org>
>>> <mailto:Vol-users@volatilityfoundation.org
> <mailto:Vol-users@volatilityfoundation.org>>>>
>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>
>>>>
>>>>
>
>>>>>
>
>
>
>>> _______________________________________________ Vol-users
>>> mailing list Vol-users(a)volatilityfoundation.org
> <mailto:Vol-users@volatilityfoundation.org>
>>> <mailto:Vol-users@volatilityfoundation.org
> <mailto:Vol-users@volatilityfoundation.org>>
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
iF4EAREKAAYFAlURazkACgkQXnt9v1O0LItfjAD/W7UeZMNiWVRMqeeJftNRaxG2
dpi/c755Qxc6X7PUKU8A/iREkToI9Ad0/GejtG32OpZMLjk0gjhj5XoMxAWuY69D
=JNEv
-----END PGP SIGNATURE-----
I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
AMD64PagedMemory: Failed valid Address Space check
JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
Platform running Volatility (2.3_alpha, latest from svn):
Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Source of memory image:
Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
What am I missing?
--
chort
I noticed there’s a special ifdef for 2.6.18 kernels, which this is. The alleged redefinitions also appear to be inside of a struct, in which case is that really an error? This compiler (gcc-4.1.2) evidently thinks it is.
make -C //lib/modules/2.6.18-308.4.1.el5.P1/build CONFIG_DEBUG_INFO=y M="/root/scratch/vol-linux" modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-308.4.1.el5.P1-x86_64'
CC [M] /root/scratch/vol-linux/module.o
/root/scratch/vol-linux/module.c:204: error: redefinition of ‘struct module_sect_attr’
/root/scratch/vol-linux/module.c:211: error: redefinition of ‘struct module_sect_attrs’
/root/scratch/vol-linux/module.c:353:5: warning: "STATS" is not defined
/root/scratch/vol-linux/module.c:369:5: warning: "DEBUG" is not defined
make[2]: *** [/root/scratch/vol-linux/module.o] Error 1
make[1]: *** [_module_/root/scratch/vol-linux] Error 2
make[1]: Leaving directory `/usr/src/kernels/2.6.18-308.4.1.el5.P1-x86_64'
make: *** [dwarf] Error 2
--
bk
