Hey all,
Using 2.4...not able to get xlsx output...greeted with:
Volatility Foundation Volatility Framework 2.4
ERROR : volatility.plugins.timeliner: You must install OpenPyxl for
xlsx format:
https://bitbucket.org/ericgazoni/openpyxl/wiki/Home
My install method for volatility was download, extract, move to
/opt/volatility, and python vol.py from there.
My install method for openpyxl was:
hg clone https://bitbucket.org/openpyxl/openpyxl
cd openpyxl
python setup.py build
sudo python setup.py install
Is there anything else I need to check? I see a slew of items in:
/usr/local/lib/python2.7/dist-packages/openpyxl-2.1.4-py2.7.egg/
Thank you.
James
I have some processes listed in pslist and psscan that are unable to be dumped using procdump by either the pid or the offset.
Are there other approaches that can be used to dump these processes? Not in front of computer right now but error was something like unable to parse the peb.
I can get the exact error message later if it helps. All other plugins work just find so memory image is not in question.
Sent from my iPhone
Dnardoni(a)gmail.com
Ciao Guys
I want to use from volatility to analyze a linux memory data. So I created a profile of that kernel, transfered it to volatility directory on my computer, now I want to run the plugins but I can not run any of the plugins as It throughs various errors in one case pslist there is no output, other cases it says the command is not suppoerted for this profile, did anyone had the same experience?
Regards
Reza
We are excited to announce that on next Monday, December 15th, from
9AM-11AM PST, the Art of Memory Forensics authors will be doing an AMA
(Ask Me Anything) on Reddit's netsec.
This is a chance to ask us non-technical questions, comment on or ask
about the book, or anything else related to Volatility and memory
forensics.
The last book AMA on Reddit was for the Android Hacker's Handbook and it
will really well with over 300 comments (
https://www.reddit.com/r/netsec/comments/27zdxc/android_hackers_handbook_ama
) . We are hoping to have ours be big as well so please try to attend
and spread the word!
--
Thanks,
Andrew (@attrc)
So here's what I got all...an image of a laptop running Windows 7 64
bit...image was captured using DumpIt in an admin console:
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x64, Win7SP1x64,
Win2008R2SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace
(/home/jlay/Forensics/FMCCOMBS-20141203-153133.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0x1b430010a0
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80003002d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2014-12-03 15:31:47 UTC+0000
Image local date and time : 2014-12-03 08:31:47 -0700
Running "python vol.py -f ~/Forensics/FMCCOMBS-20141203-153133.raw
--profile Win7SP1x64 pslist"
gets me:
Offset(V) Name PID PPID Thds
Hnds Sess Wow64 Start Exit
0xfffffa800694ab30 System 4 0 141
-1 1191132111 0 2014-12-01 15:40:49 UTC+0000
0xfffffa800ae934f0 ?b?_?b?_?b?_?b?_ 1606836934 1606836934 1606836934
-1 -1 1 -
And that's it. Any hints on just why this isn't showing any processes?
Volatility version is 2.4 running on Ubuntu 14 64 bit. Thank you.
James
We are happy to announce that we now have several 2015 public trainings
scheduled across the USA as well as in Europe. Full details can be found
at the following link:
http://www.memoryanalysis.net/#!memory-forensics-training/c1q3n
Our schedule for next year is getting pretty full so please contact ASAP
if you are interested in a private training or us hosting a public
training in your area.
--
Thanks,
Andrew (@attrc)
Link: http://2014.video.sector.ca/video/110388398
In the presentation I give an introduction to memory forensics and then
spend the rest of the time looking at Careto through the eyes of memory
forensics. Careto went undetected for over 7 years by the AV industry,
but in the talk you can see that memory forensics finds it over and over
again in only a few minutes.
PS: I gave a focused and more in-depth version of this talk at OMFW
(without the intro and hunting parts)
--
Thanks,
Andrew (@attrc)
We are happy to announce that the results of the 2014 Volatility plugin
contest are now available:
http://volatility-labs.blogspot.com/2014/10/announcing-2014-volatility-plug…
Congrats to the winners and we would like to again thank Facebook for
their donation that doubled the contest's prize money!
--
Thanks,
Andrew (@attrc)
I've used malfind and memscan on a suspected POS infected system and I get a ton of false positive hits on AV processes. Any way to white list some of these or use --silent to filter out some of these false positives? On the other side, is it likely malware is using AV processes to do their deed?
Mike
Det. Michael Chaves
Monroe Police Department
7 Fan Hill Road
Monroe, CT 06468
203.452.2831 x1307 (desk)
203.261.3622 (w)
203.650.7997 (c)
*** NOTE: If you are sending me an attachment, rename the extension to .txt or .jpg, otherwise, due to filters, I will not get it ***
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org [mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of vol-users-request(a)volatilityfoundation.org
Sent: Tuesday, October 28, 2014 1:00 PM
To: vol-users(a)volatilityfoundation.org
Subject: [BULK] Vol-users Digest, Vol 76, Issue 6
Send Vol-users mailing list submissions to
vol-users(a)volatilityfoundation.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
or, via email, send a message with subject or body 'help' to
vol-users-request(a)volatilityfoundation.org
You can reach the person managing the list at
vol-users-owner(a)volatilityfoundation.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Vol-users digest..."
Today's Topics:
1. Detailed analysis of Kaspersky hooks including analysis with
Volatility (Andrew Case)
----------------------------------------------------------------------
Message: 1
Date: Tue, 28 Oct 2014 02:16:58 -0500
From: Andrew Case <atcuno(a)gmail.com>
Subject: [Vol-users] Detailed analysis of Kaspersky hooks including
analysis with Volatility
To: "'vol-users(a)volatilityfoundation.org'" <vol-users(a)volatilityfoundation.org>
Message-ID: <544F42EA.9020500(a)gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
A really well done writeup & analysis:
https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/
--
Thanks,
Andrew (@attrc)
------------------------------
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
End of Vol-users Digest, Vol 76, Issue 6
****************************************
Hi,
I'm trying to compile LiME for a given Android Virtual Device (AVD)
Platform 4.4.2
API Level 19
CPU Intel Atom (x86)
I have no information about how the AVD was created.
Does in this case investigation with LiME/Volatility make sense at all?
Should LiME be able to handle the Atom-Processor?
If yes: Should Volatility be able to handle the LiME dump?
If any answer up to now was no:
No further reading necessary. :-(
But please enlighten me. ;-)
If this in principle is not an impossible plan then how do I have to
handle the following warnings/errors?
(a) LiME compiles but gives me a
WARNING:
Symbol version dump ~/android/kernel/goldfish/Module.symvers
is missing; modules will have no dependencies and modversions.
(b) insmod fails
insmod: init_module '/sdcard/lime.ko' failed (No such file
or directory)
(but of course there is a '/sdcard/lime.ko')
(c) dmesg reports
lime: Unknown symbol _GLOBAL_OFFSET_TABLE_ (err 0)
lime: Unknown symbol kmap (err 0)
lime: Unknown symbol kunmap (err 0)
Is it correct to expect, that (b) and (c) are a result from (a)?
What is to be done?
Compiling the kernel and hope the Module.symvers fits to the AVD
symbols? The LiME documentation does not mention a need for compiling
the Android kernel.
Or do I have to work on the kernel's .config?
As always there is no /proc/config.gz on the phone/AVD. (At least I have
not seen any /proc/config.gz on my devices so far.)
Instead in this case I worked on the
goldfish/arch/x86/configs/i386_defconfig until the AVD accepted the
version magic.
Just in case it is useful, here is in detail what I did so far:
________________________________________
### the AVD ###
cat /proc/version
Linux version 3.4.0+ (nnk(a)nnk.mtv.corp.google.com) (gcc version 4.7
(GCC) ) #1 PREEMPT Wed Jul 10 09:55:37 PDT 2013
________________________________________
### Goldfish kernel 3.4.0+ for LiME compilation ###
$ mkdir -p ~/android/kernel && cd $_
$ git clone https://android.googlesource.com/kernel/goldfish.git
$ cd goldfish
$ git branch -a
$ git checkout origin/android-goldfish-3.4 -b goldfish-3.4
$ git log --pretty=oneline | grep -i 'linux 3.4$'
$ git checkout 76e10d1 -b goldfish-3.4-76e10d1
$ cp arch/x86/configs/i386_defconfig .config
________________________________________
### modify .config in order to get correct version ###
### magic: '3.4.0+ preempt mod_unload CORE2 ' ###
$ diff arch/x86/configs/i386_defconfig .config
39c39,41
< CONFIG_SMP=y
---
> CONFIG_SMP=n
> CONFIG_MCORE2=y
> CONFIG_PREEMPT=y
43c45
< CONFIG_PREEMPT_VOLUNTARY=y
---
> CONFIG_PREEMPT_VOLUNTARY=n
________________________________________
### prepare kernel for module compilation ###
$ make ARCH=x86 CROSS_COMPILE=~/android/ndk/toolchains/
x86-4.9/prebuilt/linux-x86_64/bin/i686-linux-android-
modules_prepare
________________________________________
### LiME Makefile ###
obj-m := lime.o
lime-objs := tcp.o disk.o main.o
KDIR_GOLD := ~/android/kernel/goldfish/
CCPATH := ~/android/ndk/toolchains/x86-4.9/prebuilt/linux-x86_64/bin
PWD := $(shell pwd)
default:
# cross-compile for Android emulator
$(MAKE) ARCH=x86 CROSS_COMPILE=$(CCPATH)/i686-linux-android-
-C $(KDIR_GOLD) M=$(PWD) modules
$(CCPATH)/i686-linux-android-strip --strip-unneeded lime.ko
mv lime.ko lime-goldfish.ko
$(MAKE) tidy
tidy:
rm -f *.o *.mod.c Module.symvers Module.markers modules.order
\.*.o.cmd \.*.ko.cmd \.*.o.d
rm -rf \.tmp_versions
clean:
$(MAKE) tidy
rm -f *.ko
________________________________________
Thanks,
Philipp
