So here's what I got all...an image of a laptop running Windows 7 64
bit...image was captured using DumpIt in an admin console:
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/jlay/Forensics/FMCCOMBS-20141203-153133.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0x1b430010a0
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80003002d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2014-12-03 15:31:47 UTC+0000
Image local date and time : 2014-12-03 08:31:47 -0700
Running "python vol.py -f ~/Forensics/FMCCOMBS-20141203-153133.raw --profile Win7SP1x64 pslist" gets me:
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
0xfffffa800694ab30 System 4 0 141 -1 1191132111 0 2014-12-01 15:40:49 UTC+0000
0xfffffa800ae934f0 ?b?_?b?_?b?_?b?_ 1606836934 1606836934 1606836934 -1 -1 1 -
And that's it. Any hints on just why this isn't showing any processes?
Volatility version is 2.4 running on Ubuntu 14 64 bit. Thank you.
James
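A sanity check you can run over pslist text output before chasing the "no processes" symptom. This is an added example, not code from the thread or from Volatility; it parses the column layout shown above and flags rows whose fields cannot belong to a real Windows process (unprintable ImageFileName, PIDs that are not small multiples of 4, the same dword repeated across PID/PPID/thread count, out-of-range session id). The sample rows are constructed from the two lines quoted in the question, and PID_MAX is a heuristic ceiling, not a Windows constant. Run on that sample it reports both rows as implausible, including the System entry (its handle and session fields are garbage), which is a useful hint that the list structure itself is being misread rather than the machine having had only two processes.

```python
import re

# Constructed sample: the header and the two rows quoted in the question above.
SAMPLE_PSLIST = """\
Offset(V)          Name             PID        PPID       Thds       Hnds Sess       Wow64 Start                          Exit
0xfffffa800694ab30 System           4          0          141        -1   1191132111 0     2014-12-01 15:40:49 UTC+0000
0xfffffa800ae934f0 ?b?_?b?_?b?_?b?_ 1606836934 1606836934 1606836934 -1   -1         1     -
"""

PSLIST_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>.+?)\s+"
    r"(?P<pid>-?\d+)\s+(?P<ppid>-?\d+)\s+(?P<thds>-?\d+)\s+(?P<hnds>-?\d+)\s+"
    r"(?P<sess>-?\d+)\s+(?P<wow64>-?\d+)\s*(?P<rest>.*)$"
)
# _EPROCESS.ImageFileName is 16 bytes including the NUL: at most 15 printable chars.
NAME_OK = re.compile(r"[A-Za-z0-9_.+\-() ]{1,15}")
PID_MAX = 0x00FFFFFF   # heuristic ceiling (assumption); real PIDs are far smaller


def parse_pslist(text):
    """Turn pslist text rows into dicts; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PSLIST_ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("pid", "ppid", "thds", "hnds", "sess", "wow64"):
            d[k] = int(d[k])
        # Start and Exit are either "YYYY-MM-DD HH:MM:SS UTC+0000" or "-"
        rest, stamps, i = d.pop("rest").split(), [], 0
        while i < len(rest):
            if rest[i] == "-":
                stamps.append(None)
                i += 1
            else:
                stamps.append(" ".join(rest[i:i + 3]))
                i += 3
        d["start"] = stamps[0] if stamps else None
        d["exit"] = stamps[1] if len(stamps) > 1 else None
        rows.append(d)
    return rows


def check_row(r):
    """Return the list of reasons a row looks like a misread structure."""
    problems = []
    if not NAME_OK.fullmatch(r["name"]):
        problems.append("name is not a plausible ImageFileName")
    for f in ("pid", "ppid"):
        v = r[f]
        if v < 0 or v > PID_MAX or v % 4:
            problems.append(f"{f} {v} is not a valid Windows process id")
    if r["pid"] and r["pid"] == r["ppid"] == r["thds"]:
        problems.append("pid, ppid and thread count are the same dword (garbage structure)")
    if r["exit"] is None and not 1 <= r["thds"] <= 4096:
        problems.append(f"thread count {r['thds']} implausible for a running process")
    if not (r["sess"] == -1 or 0 <= r["sess"] <= 255):
        problems.append(f"session id {r['sess']} out of range")
    if r["exit"] is None and r["hnds"] < 0:
        problems.append("handle count unreadable for a running process")
    if r["start"] is None:
        problems.append("no create time")
    return problems


def check_pslist(text):
    """(name, pid, problems) for every row; an empty problems list means the row is sane."""
    return [(r["name"], r["pid"], check_row(r)) for r in parse_pslist(text)]


if __name__ == "__main__":
    for name, pid, problems in check_pslist(SAMPLE_PSLIST):
        print(name, pid, "OK" if not problems else "; ".join(problems))
```

To use it on a real run, feed it the saved stdout of `vol.py ... pslist` instead of SAMPLE_PSLIST; rows with an empty problem list are the ones worth trusting.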
We are happy to announce that we now have several 2015 public trainings
scheduled across the USA as well as in Europe. Full details can be found
at the following link:
http://www.memoryanalysis.net/#!memory-forensics-training/c1q3n
Our schedule for next year is getting pretty full so please contact ASAP
if you are interested in a private training or us hosting a public
training in your area.
--
Thanks,
Andrew (@attrc)
Link: http://2014.video.sector.ca/video/110388398
In the presentation I give an introduction to memory forensics and then
spend the rest of the time looking at Careto through the eyes of memory
forensics. Careto went undetected for over 7 years by the AV industry,
but in the talk you can see that memory forensics finds it over and over
again in only a few minutes.
PS: I gave a focused and more in-depth version of this talk at OMFW
(without the intro and hunting parts)
--
Thanks,
Andrew (@attrc)
We are happy to announce that the results of the 2014 Volatility plugin
contest are now available:
http://volatility-labs.blogspot.com/2014/10/announcing-2014-volatility-plug…
Congrats to the winners and we would like to again thank Facebook for
their donation that doubled the contest's prize money!
--
Thanks,
Andrew (@attrc)
I've used malfind and memscan on a suspected POS infected system and I get a ton of false positive hits on AV processes. Any way to white list some of these or use --silent to filter out some of these false positives? On the other side, is it likely malware is using AV processes to do their deed?
Mike
Det. Michael Chaves
Monroe Police Department
7 Fan Hill Road
Monroe, CT 06468
203.452.2831 x1307 (desk)
203.261.3622 (w)
203.650.7997 (c)
*** NOTE: If you are sending me an attachment, rename the extension to .txt or .jpg, otherwise, due to filters, I will not get it ***
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org [mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of vol-users-request(a)volatilityfoundation.org
Sent: Tuesday, October 28, 2014 1:00 PM
To: vol-users(a)volatilityfoundation.org
Subject: [BULK] Vol-users Digest, Vol 76, Issue 6
Today's Topics:
1. Detailed analysis of Kaspersky hooks including analysis with
Volatility (Andrew Case)
----------------------------------------------------------------------
Message: 1
Date: Tue, 28 Oct 2014 02:16:58 -0500
From: Andrew Case <atcuno(a)gmail.com>
Subject: [Vol-users] Detailed analysis of Kaspersky hooks including
analysis with Volatility
To: "'vol-users(a)volatilityfoundation.org'" <vol-users(a)volatilityfoundation.org>
Message-ID: <544F42EA.9020500(a)gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
A really well done writeup & analysis:
https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/
--
Thanks,
Andrew (@attrc)
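A way to cut down the AV noise in malfind output without throwing away the hits that matter. This is an added example, not code from the thread or from Volatility: it parses the text blocks malfind prints (Process/Pid/Address header, protection line, hex dump) and triages each hit. The allowlist by process name is applied only to regions that do not start with a PE header, so an injected image inside an AV process is still kept, which is the case the second question in the message worries about. The sample output and the process name avscanner.exe are constructed, and the allowlist is an assumption you would fill from your own baseline.

```python
import re

HEADER = re.compile(
    r"^Process:\s+(?P<process>\S+)\s+Pid:\s+(?P<pid>\d+)\s+Address:\s+(?P<address>0x[0-9a-fA-F]+)"
)
PROTECT = re.compile(r"Protection:\s+(PAGE_\w+)")
# Hex-dump lines carry exactly 16 byte pairs; disassembly lines do not match this.
HEXLINE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2}\s+){16})")

# Constructed sample in the malfind text layout (four hits, two in a hypothetical AV process).
SAMPLE_MALFIND = """\
Process: avscanner.exe Pid: 1120 Address: 0x2f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x002f0000  e9 3b 12 00 00 90 90 90 90 90 90 90 90 90 90 90   .;..............
0x002f0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x2f0000 e93b120000       JMP 0x2f1240
0x2f0005 90               NOP

Process: explorer.exe Pid: 1464 Address: 0x1e50000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01e50000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x01e50010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x1e50000 4d               DEC EBP
0x1e50001 5a               POP EDX

Process: avscanner.exe Pid: 1120 Address: 0x4a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x004a0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x004a0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

Process: svchost.exe Pid: 880 Address: 0x150000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00150000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00150010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

AV_ALLOWLIST = {"avscanner.exe"}   # assumption: names taken from your own baseline


def parse_malfind(text):
    """One dict per hit: process, pid, address, protection and the dumped bytes."""
    hits, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"process": m["process"], "pid": int(m["pid"]),
                   "address": int(m["address"], 16), "protection": None, "data": b""}
            hits.append(cur)
            continue
        if cur is None:
            continue
        p = PROTECT.search(line)
        if p and cur["protection"] is None:
            cur["protection"] = p.group(1)
            continue
        h = HEXLINE.match(line)
        if h and len(cur["data"]) < 64:      # malfind dumps the first 64 bytes
            cur["data"] += bytes.fromhex("".join(h.group(1).split()))
    return hits


def triage(hit, allowlist):
    """Verdict and reason for one hit; the allowlist never suppresses an injected PE."""
    data = hit["data"]
    if data[:2] == b"MZ":
        return "keep", "PE header at region start: injected image, regardless of process"
    if data and not any(data):
        return "drop", "dumped bytes are all zero: committed but unused RWX page"
    if hit["process"].lower() in allowlist:
        return "review", "allowlisted AV process with a small RWX code stub (typical of hooking engines)"
    return "keep", "RWX private memory with non-zero content in a non-allowlisted process"


def filter_hits(text, allowlist):
    """(process, pid, address, verdict, reason) for every hit in malfind text output."""
    return [(h["process"], h["pid"], h["address"]) + triage(h, allowlist)
            for h in parse_malfind(text)]


if __name__ == "__main__":
    for row in filter_hits(SAMPLE_MALFIND, AV_ALLOWLIST):
        print("%-14s %5d 0x%08x %-6s %s" % row)
```

"review" hits are the AV hook stubs you would look at once, record the address and bytes of, and then drop from future runs; "keep" hits stay in the report no matter which process they sit in.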
Hi,
I'm trying to compile LiME for a given Android Virtual Device (AVD)
Platform 4.4.2
API Level 19
CPU Intel Atom (x86)
I have no information about how the AVD was created.
Does in this case investigation with LiME/Volatility make sense at all?
Should LiME be able to handle the Atom-Processor?
If yes: Should Volatility be able to handle the LiME dump?
If any answer up to now was no:
No further reading necessary. :-(
But please enlighten me. ;-)
If this in principle is not an impossible plan then how do I have to
handle the following warnings/errors?
(a) LiME compiles but gives me a
WARNING:
Symbol version dump ~/android/kernel/goldfish/Module.symvers
is missing; modules will have no dependencies and modversions.
(b) insmod fails
insmod: init_module '/sdcard/lime.ko' failed (No such file
or directory)
(but of course there is a '/sdcard/lime.ko')
(c) dmesg reports
lime: Unknown symbol _GLOBAL_OFFSET_TABLE_ (err 0)
lime: Unknown symbol kmap (err 0)
lime: Unknown symbol kunmap (err 0)
Is it correct to expect that (b) and (c) are a result of (a)?
What is to be done?
Compile the kernel and hope the Module.symvers fits the AVD
symbols? The LiME documentation does not mention a need for compiling
the Android kernel.
Or do I have to work on the kernel's .config?
As always there is no /proc/config.gz on the phone/AVD. (At least I have
not seen any /proc/config.gz on my devices so far.)
Instead in this case I worked on the
goldfish/arch/x86/configs/i386_defconfig until the AVD accepted the
version magic.
Just in case it is useful, here is in detail what I did so far:
________________________________________
### the AVD ###
cat /proc/version
Linux version 3.4.0+ (nnk(a)nnk.mtv.corp.google.com) (gcc version 4.7
(GCC) ) #1 PREEMPT Wed Jul 10 09:55:37 PDT 2013
________________________________________
### Goldfish kernel 3.4.0+ for LiME compilation ###
$ mkdir -p ~/android/kernel && cd $_
$ git clone https://android.googlesource.com/kernel/goldfish.git
$ cd goldfish
$ git branch -a
$ git checkout origin/android-goldfish-3.4 -b goldfish-3.4
$ git log --pretty=oneline | grep -i 'linux 3.4$'
$ git checkout 76e10d1 -b goldfish-3.4-76e10d1
$ cp arch/x86/configs/i386_defconfig .config
________________________________________
### modify .config in order to get correct version ###
### magic: '3.4.0+ preempt mod_unload CORE2 ' ###
$ diff arch/x86/configs/i386_defconfig .config
39c39,41
< CONFIG_SMP=y
---
> CONFIG_SMP=n
> CONFIG_MCORE2=y
> CONFIG_PREEMPT=y
43c45
< CONFIG_PREEMPT_VOLUNTARY=y
---
> CONFIG_PREEMPT_VOLUNTARY=n
________________________________________
### prepare kernel for module compilation ###
$ make ARCH=x86 CROSS_COMPILE=~/android/ndk/toolchains/x86-4.9/prebuilt/linux-x86_64/bin/i686-linux-android- modules_prepare
________________________________________
### LiME Makefile ###
obj-m := lime.o
lime-objs := tcp.o disk.o main.o
KDIR_GOLD := ~/android/kernel/goldfish/
CCPATH := ~/android/ndk/toolchains/x86-4.9/prebuilt/linux-x86_64/bin
PWD := $(shell pwd)

default:
	# cross-compile for Android emulator
	$(MAKE) ARCH=x86 CROSS_COMPILE=$(CCPATH)/i686-linux-android- \
	    -C $(KDIR_GOLD) M=$(PWD) modules
	$(CCPATH)/i686-linux-android-strip --strip-unneeded lime.ko
	mv lime.ko lime-goldfish.ko
	$(MAKE) tidy

tidy:
	rm -f *.o *.mod.c Module.symvers Module.markers modules.order \
	    \.*.o.cmd \.*.ko.cmd \.*.o.d
	rm -rf \.tmp_versions

clean:
	$(MAKE) tidy
	rm -f *.ko
________________________________________
Thanks,
Philipp
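A pre-insmod check for the "Unknown symbol" errors in (c). This is an added example, not part of the thread or of LiME: it takes the undefined symbols of the built .ko (from the toolchain's `nm -u`) and compares them with what the target kernel actually exports, read from the `__ksymtab_*` entries in the AVD's /proc/kallsyms or System.map. Two classes of failure show up separately: a symbol the kernel simply does not export (on 32-bit x86, `kmap`/`kunmap` are real exported functions only in a CONFIG_HIGHMEM kernel and static inlines otherwise, so this usually means the .config used for the build does not match the running kernel), and `_GLOBAL_OFFSET_TABLE_`, which is a linker-defined symbol that only appears when the objects were compiled as position-independent code, which kernel modules must not be. The kallsyms text and the undefined-symbol set below are constructed samples; the nm path is an assumption.

```python
import re
import subprocess

# "<addr> <type> __ksymtab_<name>" lines mark symbols exported to modules.
KSYMTAB = re.compile(r"^[0-9a-fA-F]+\s+\S\s+__ksymtab_(\S+)$")
# Symbols that are defined by the linker, never by the kernel.
LINKER_SYMBOLS = {"_GLOBAL_OFFSET_TABLE_"}

# Constructed sample of /proc/kallsyms content from a kernel without HIGHMEM.
SAMPLE_KALLSYMS = """\
c1000000 T startup_32
c1043a20 T printk
c1055e10 T vmalloc
c10b7c90 T vmalloc_to_page
c1720040 r __ksymtab_printk
c1720048 r __ksymtab_vmalloc
c1720050 r __ksymtab_vmalloc_to_page
c1720058 r __ksymtab_register_chrdev
"""
# Constructed sample of what `nm -u lime.ko` would list for the module in the question.
SAMPLE_UNDEFINED = {"printk", "vmalloc", "kmap", "kunmap", "_GLOBAL_OFFSET_TABLE_"}


def exported_symbols(kallsyms_text):
    """Names the target kernel exports to modules, from kallsyms/System.map text."""
    names = set()
    for line in kallsyms_text.splitlines():
        m = KSYMTAB.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def module_undefined(ko_path, nm="i686-linux-android-nm"):
    """Undefined symbols of a .ko, via the cross toolchain's nm (path is an assumption)."""
    out = subprocess.run([nm, "-u", ko_path], capture_output=True, text=True, check=True).stdout
    return {line.split()[-1] for line in out.splitlines() if line.strip()}


def check_module(undefined, exported):
    """Map each undefined symbol to 'ok' (kernel exports it), 'missing' (kernel does
    not export it: .config / kernel version mismatch) or 'pic' (module built as PIC)."""
    report = {}
    for sym in sorted(undefined):
        if sym in LINKER_SYMBOLS:
            report[sym] = "pic"
        elif sym in exported:
            report[sym] = "ok"
        else:
            report[sym] = "missing"
    return report


def loadable(report):
    """True only when every undefined symbol resolves against the target kernel."""
    return all(v == "ok" for v in report.values())


if __name__ == "__main__":
    rep = check_module(SAMPLE_UNDEFINED, exported_symbols(SAMPLE_KALLSYMS))
    for sym, verdict in rep.items():
        print(f"{sym:24s} {verdict}")
    print("loadable:", loadable(rep))
```

On a real device, pull /proc/kallsyms with adb (it is readable as root on the emulator), run `module_undefined("lime-goldfish.ko")`, and fix every non-"ok" entry before trying insmod again; a "pic" entry means the toolchain flags, not the kernel headers, are the problem.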
Hello Group,
So I am not sure if I understood the working of ldrmodules correctly, but
in short, for each process, I imagine it looks at the VAD, and for each dll
found there compares it with the 3 lists in the process PEB and reports
back on any discrepancy.
A snippet from vadinfo for a process with pid 12128, where I can see a dll mapped:
VAD node @ 0xfffffa80088378c0 Start 0x0000000000040000 End 0x0000000000040fff Tag Vad
Flags: Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @fffffa8006a86c40 Segment fffff8a00021d4e0
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences: 1 NumberOfPfnReferences: 1
NumberOfMappedViews: 119 NumberOfUserReferences: 120
WaitingForDeletion Event: 00000000
Control Flags: File: 1, Image: 1
FileObject @fffffa80069c5250, Name: \Windows\System32\apisetschema.dll
First prototype PTE: fffff8a00021d5a8 Last contiguous PTE: fffffffffffffffc
Flags2: Inherit: 1
But ldrmodules (or dlllist) over the image does not show that dll.
cat ldrmodules.txt | grep -i apiset
cat dlllist.txt | grep -i apiset
The process in question has a pid of 12128, so on a frequency count there
is a large discrepancy, and I don't understand why.
cat ldrmodules.txt | grep 12128 | wc -l
54
cat vadinfo-12128.txt | grep dll | wc -l
130
Any pointers to a link I should read up on to understand the concepts here?
Should ldrmodules not have reported on all the dlls that were found as
mapped files in the VAD?
Thanks,
JB
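The comparison the message describes, written out as an added example (not the plugin's own code, which lives in Volatility's ldrmodules.py): one row per image-mapped file in the VAD, with a True/False for each of the three PEB lists, which is the InLoad / InInit / InMem layout ldrmodules prints. The data is constructed for pid 12128 following the question: apisetschema.dll is image-mapped at 0x40000 but registered in none of the lists, so it comes out False/False/False, the row the plugin exists to surface for DLLs that were unlinked or mapped without going through the loader. The other bases and image names are hypothetical. The example also shows the one gap that is expected rather than suspicious: the main executable is in InLoad and InMem but never in InInitializationOrder.

```python
from collections import namedtuple

Row = namedtuple("Row", "pid base inload ininit inmem path")

# Constructed sample: image-mapped VAD entries of pid 12128 (base -> file name).
VAD_IMAGES = {
    0x0000000000040000: r"\Windows\System32\apisetschema.dll",  # base from the question
    0x00000000ff0d0000: r"\Windows\System32\notepad.exe",       # hypothetical main image
    0x0000000077290000: r"\Windows\System32\ntdll.dll",         # hypothetical base
    0x0000000077070000: r"\Windows\System32\kernel32.dll",      # hypothetical base
}
# Constructed sample: DllBase values found in the three PEB Ldr lists.
PEB_LISTS = {
    "load": {0xff0d0000, 0x77290000, 0x77070000},
    "init": {0x77290000, 0x77070000},   # the main executable never appears here
    "mem":  {0xff0d0000, 0x77290000, 0x77070000},
}


def ldrmodules_rows(pid, vad_images, peb_lists):
    """One row per image-mapped VAD file; each flag is membership in a PEB list."""
    return [
        Row(pid, base,
            base in peb_lists["load"], base in peb_lists["init"], base in peb_lists["mem"],
            path)
        for base, path in sorted(vad_images.items())
    ]


def is_unlisted(row):
    """Image mapping unknown to all three lists: unlinked DLL, or mapped without the loader."""
    return not (row.inload or row.ininit or row.inmem)


def is_expected_exe_gap(row):
    """The process image is in InLoad and InMem but not InInit by design."""
    return row.path.lower().endswith(".exe") and row.inload and row.inmem and not row.ininit


def suspicious_rows(rows):
    """Rows an analyst should look at: unlisted mappings and partial list membership
    that is not the normal main-executable pattern."""
    out = []
    for r in rows:
        flags = (r.inload, r.ininit, r.inmem)
        if is_unlisted(r) or (len(set(flags)) > 1 and not is_expected_exe_gap(r)):
            out.append(r)
    return out


if __name__ == "__main__":
    print("Pid    Base               InLoad InInit InMem  MappedPath")
    for r in ldrmodules_rows(12128, VAD_IMAGES, PEB_LISTS):
        print(f"{r.pid:<6d} 0x{r.base:016x} {str(r.inload):<6} {str(r.ininit):<6} "
              f"{str(r.inmem):<6} {r.path}")
    print("suspicious:", [r.path for r in suspicious_rows(ldrmodules_rows(12128, VAD_IMAGES, PEB_LISTS))])
```

Because the row set is driven by the VAD and not by the PEB, counting rows in ldrmodules output should line up with the number of image-mapped VAD entries for the process, not with a grep for "dll" across the whole vadinfo dump.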
Does Volatility support the analysis of Mac /var/vm/sleepimage?
I did not see it mentioned in "The Art of Memory Forensics", and I
seem to have trouble even doing a simple mac_pslist against it...
--
Jarle Thorsen
vol-users,
The registration for the Open Memory Forensics Workshop (OMFW) 2014 closes
on Oct 24. If you are still planning to attend, I recommend sending a
request as soon as possible. There are less than 10 open seats remaining!
For those who have already requested an invitation, please let us know if
you have not received your registration details.
Reserve your seat by sending an email to info [at]
volatilityfoundation.org or using the contact form on the Foundation's
website.
Thanks,
The Volatility Foundation
www.volatilityfoundation.org