Hello All,
I was writing to let everyone know that I will be speaking Friday at RSA
on investigating Mac malware with Volatility and Volatility's Mac
support in general. If you are going to the conference you should check
out the talk and come say 'hi' after:
http://www.rsaconference.com/speakers/andrew-case
--
Thanks,
Andrew (@attrc)
C:\Volatility>python vol.py timeliner -f \CSATLCL\W0137018\W0137018-RAM.dd4.001 --profile=Win7SP1x86
Volatility Foundation Volatility Framework 2.3.1
Traceback (most recent call last):
  File "vol.py", line 184, in <module>
    main()
  File "vol.py", line 175, in main
    command.execute()
  File "C:\Volatility\volatility\commands.py", line 122, in execute
    func(outfd, data)
  File "C:\Volatility\volatility\plugins\timeliner.py", line 88, in render_text
    for line in data:
  File "C:\Volatility\volatility\plugins\timeliner.py", line 312, in calculate
    o)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xae' in position 156: ordinal not in range(128)
Looks like I may have a martian character in a string somewhere...
-=[ Steve ]=-
Hello All,
We are writing to announce that we now have public trainings scheduled
in Australia, London, New York, and Virginia! The New York and London
trainings will be selling out soon so we suggest contacting us ASAP if
you wish to attend either of those.
We have also already received significant interest in the Australia
course and have a large notification list for it. Please contact us if
you would like to be added.
Finally, the team is happy to announce that we now have a dedicated
website for training at http://www.memoryanalysis.net.
For full information on each training and the new website, please see
our recent blog post:
http://volatility-labs.blogspot.com/2014/02/training-by-volatility-project-…
If you want to learn memory forensics skills from the researchers and
developers behind Volatility then you should consider signing up for one
of our courses. Not only will you leave being an expert in Volatility
and Windows internals, but you will also be able to perform malware
analysis and incident response alongside the best in the industry.
--
Thanks,
Andrew (@attrc)
I've been trying to get/dump a copy of a certain registry hive from memory. I managed to list their offsets using the hivelist plugin but have been unable to find a way of dumping them to files. My intention is to load them into other tools such as RegRipper as input/target registry files.
Has anyone found a way of doing it?
Thank you very much in advance.
Kind regards,
Roger
Does anyone have one? Is there a writeup somewhere like there was for Stuxnet?
Ryan Gibson
GCFA, GCIH, Security +
Office: 858-651-1689
Mobile: 619-804-8736
Senior IT Security Engineer
So was the fix just to switch to lime format or did you also need the
patch? This will help us keep better documentation for future bug reports.
Also, is there a reason you need the raw sample? If you are looking for
a sample without any metadata, the best version would be 'padded' since
it zero fills the offsets between RAM sections, but note that you can
get a HUGE file, especially on 64 bit systems.
The raw version of LiME simply concatenates regions together (does not
pad), which makes offsets found from virtual address translation off.
This is why Volatility (and other tools) cannot process most raw LiME dumps.
On 2/6/2014 10:45 AM, Torres, Geoff (Global Cyber Security) wrote:
> OK, we're making progress...
>
> Michael Ligh also suggested that article. I had dismissed it as not applicable because it was regarding CentOS 5.3 and the earliest I've been attempting is 5.8. My apologies for not trying it sooner.
>
> It did work for the Lime format, but not the Raw format which is ultimately what I need. Would different offsets work for the raw format? Is it possible to convert a raw format image into Lime format?
>
> Also, does this mean that I need different volatility code for different kernels?
>
> My role is to perform forensic analysis on compromised systems. I can conceivably get any type of system and I get them in large enough volume that I've been developing scripts to automate these sort of tasks.
>
> Thanks for all your help so far,
>
> Geoff
>
>
> -----Original Message-----
> From: Andrew Case [mailto:atcuno@gmail.com]
> Sent: Thursday, February 06, 2014 7:32 AM
> To: Torres, Geoff (Global Cyber Security); 'vol-users(a)volatilityfoundation.org'
> Subject: Re: [Vol-users] Difficulty creating CentOS profiles
>
> Hello,
>
> I believe you are having the same issues that we diagnosed here:
>
> http://lists.volatilityfoundation.org/pipermail/vol-users/2013-February/000…
>
> Could you please edit your code as MHL explains to account for the shift? It only requires two small changes to the existing code. Note that the line numbers may be different since the code has been updated since then, but if you search for the 0xffffffff80000000 number in each file you will be able to find it.
>
> Also we would recommend acquiring in the lime format "format=lime"
> instead of acquiring in the raw one.
>
> Let me know how it goes.
>
> Thanks,
> Andrew (@attrc)
>
>
> On 2/5/2014 5:26 PM, Torres, Geoff (Global Cyber Security) wrote:
>> Hi,
>>
>>
>>
>> I've been unable to create a working Linux profile for any version of
>> CentOS. It compiles fine but gives a 'No suitable address space
>> mapping found' error when run against the memory image.
>>
>>
>>
>> I've been successful creating various Debian and Ubuntu profiles, but
>> CentOS has yet to work. I'm sure it's something simple but I can't
>> figure it out. I'm certain that I'm matching kernel versions
>> correctly and that the build process is the same as I use for the Ubuntu versions.
>>
>>
>>
>> I've attached the details of my most recent attempt. It's a vanilla
>> CentOS 5.10 install on VmWare. The memory image is available (250Mb
>> zip) if necessary.
>>
>>
>>
>> Any ideas? None of the solutions I found in Google seem to address my
>> issue.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Geoff
>>
>>
>>
>> BTW - I'm not a kernel programmer so please be detailed if there's
>> something you'd like me to try.
>>
>>
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
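Added example, not code from this thread or from the LiME or Volatility projects: a small Python converter that walks the LiME range headers and writes a zero-padded image, which makes the raw-versus-padded point above concrete. It assumes LiME's on-disk header layout (32 bytes per range: u32 magic 0x4C694D45, u32 version 1, u64 start address, u64 inclusive end address, 8 reserved bytes); the sample dump is constructed inline with made-up range sizes.

```python
"""Expand a LiME 'lime'-format dump into a 'padded' raw image.

'lime' writes a header before each physical RAM range, 'padded' writes
the ranges at their physical offsets with zero-filled holes between them,
and 'raw' concatenates the ranges with no headers and no holes.  The
first two preserve the physical layout; the third does not, which is why
page-table walks over a raw dump land on the wrong bytes.
"""
import io
import struct

LIME_MAGIC = 0x4C694D45                 # "EMiL" read as a little-endian u32
LIME_HEADER = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved


def parse_lime_ranges(data):
    """Return (start, end_inclusive, payload_file_offset) for every range."""
    ranges = []
    off = 0
    while off + LIME_HEADER.size <= len(data):
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad LiME magic 0x%08x at file offset %d" % (magic, off))
        if version != 1:
            raise ValueError("unsupported LiME header version %d" % version)
        if e_addr < s_addr:
            raise ValueError("range end precedes start at file offset %d" % off)
        size = e_addr - s_addr + 1
        payload = off + LIME_HEADER.size
        if payload + size > len(data):
            raise ValueError("truncated range at file offset %d" % off)
        ranges.append((s_addr, e_addr, payload))
        off = payload + size
    if off != len(data):
        raise ValueError("%d trailing bytes after the last range" % (len(data) - off))
    return ranges


def lime_to_padded(data):
    """Rebuild the 'padded' layout: output byte N is physical address N and
    the holes between RAM ranges are zero-filled.  Nothing is lost."""
    out = io.BytesIO()
    cursor = 0
    for s_addr, e_addr, payload in parse_lime_ranges(data):
        if s_addr < cursor:
            raise ValueError("ranges overlap or are not in ascending order")
        out.write(b"\x00" * (s_addr - cursor))           # zero-fill the hole
        out.write(data[payload:payload + (e_addr - s_addr + 1)])
        cursor = e_addr + 1
    return out.getvalue()


def lime_to_raw(data):
    """Reproduce LiME's 'raw' layout: ranges back to back, holes dropped.
    The range table is gone after this, so raw cannot be turned back into
    lime or padded without outside knowledge of the machine's RAM map."""
    return b"".join(data[p:p + (e - s + 1)] for s, e, p in parse_lime_ranges(data))


def build_lime(ranges):
    """Constructed input only: pack (start_address, bytes) pairs as lime format."""
    blob = b""
    for s_addr, payload in ranges:
        blob += LIME_HEADER.pack(LIME_MAGIC, 1, s_addr,
                                 s_addr + len(payload) - 1, b"\x00" * 8)
        blob += payload
    return blob


# Constructed sample (hypothetical sizes, not a real dump): two RAM ranges
# with a hole at 0x100-0x1ff between them, the shape a real iomem
# "System RAM" map has.
SAMPLE = build_lime([(0x000, b"A" * 0x100), (0x200, b"B" * 0x80)])

if __name__ == "__main__":
    padded = lime_to_padded(SAMPLE)
    raw = lime_to_raw(SAMPLE)
    print("padded: %d bytes, raw: %d bytes" % (len(padded), len(raw)))
    # Physical 0x200 holds 'B' in the padded image; in the raw image those
    # same bytes sit at file offset 0x100, so any address computed from
    # page tables is shifted by the size of the hole.
    print("padded[0x200]=%r raw[0x100]=%r" % (padded[0x200:0x201], raw[0x100:0x101]))
```

On a real multi-gigabyte dump, mmap the input and write each range straight to the output file instead of assembling it in memory; the parsing and zero-fill logic is the same. Volatility reads the lime format directly, so this conversion is only needed for tools that expect a flat image.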
Hi,
I've been unable to create a working Linux profile for any version of CentOS. It compiles fine but gives a 'No suitable address space mapping found' error when run against the memory image.
I've been successful creating various Debian and Ubuntu profiles, but CentOS has yet to work. I'm sure it's something simple but I can't figure it out. I'm certain that I'm matching kernel versions correctly and that the build process is the same as I use for the Ubuntu versions.
I've attached the details of my most recent attempt. It's a vanilla CentOS 5.10 install on VmWare. The memory image is available (250Mb zip) if necessary.
Any ideas? None of the solutions I found in Google seem to address my issue.
Thanks,
Geoff
BTW - I'm not a kernel programmer so please be detailed if there's something you'd like me to try.
Hello list!
I'm currently looking into the way in which _FILE_OBJECTS are created and handled by Windows 7, and I'm a little bit confused over something I've observed.
When using notepad.exe to open a file, a file handle to the opened file never seems to get added to the object table within the _EPROCESS structure (monitored using Sysinternals' Process Explorer). I believe this is because notepad does not leave the handle open; it simply opens the file, reads in the data, and then closes the file, without adding the file object to the handle table.
However, after opening the file, if I dump the memory of the system (this is being performed on a VM) and use Volatility's filescan to scan for all _FILE_OBJECTs, I see that there is indeed still a _FILE_OBJECT associated with the file I opened. However, its handle count is zero.
This makes sense, as with a handle count of zero it shouldn't be listed in any of the handle tables for any processes. However, its pointer, or reference, count is still valid, often having 16 pointers.
My question is this: if the handle count is zero, but the pointer/reference count is still valid, where is this _FILE_OBJECT actually being stored? Is there some kind of kernel-based list/table that holds these open references? Or is this _FILE_OBJECT just floating around in some kind of cache, waiting to be destroyed?
Any input or advice would be greatly appreciated.
Thanks
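Added example, not code from the post above or from Volatility: a triage helper that parses filescan's text output and separates the three states the question distinguishes, file objects some process still holds a handle to, objects with no handles but a non-zero pointer count (kernel references only), and objects with neither. The sample output is constructed inline in the column layout of Volatility 2.x filescan (Offset(P), #Ptr, #Hnd, Access, Name); the counts come from the _OBJECT_HEADER's HandleCount and PointerCount fields, and the paths are invented.

```python
"""Split filescan output by how each _FILE_OBJECT is still referenced."""
import re
from collections import namedtuple

FileObj = namedtuple("FileObj", "offset ptr hnd access name")

# Constructed sample in the shape of Volatility 2.x 'filescan' text output.
# Offsets, counts and paths are made up for the example.
SAMPLE_FILESCAN = r"""
Volatility Foundation Volatility Framework 2.3.1
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e2b8ae8     16      0 R--r-- \Users\bob\Documents\notes.txt
0x000000003e2c1f20      1      1 RW-rw- \Windows\System32\config\SOFTWARE
0x000000003e2d0040      0      0 R--r-- \Windows\Temp\stale.tmp
0x000000003e2e6d10     15      0 R--r-d \Windows\System32\ntdll.dll
"""

# offset, pointer count, handle count, access string, then the rest is the name
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


def parse_filescan(text):
    """Return a FileObj per data row; banner, header and separator rows are skipped."""
    objs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        off, ptr, hnd, access, name = m.groups()
        objs.append(FileObj(int(off, 16), int(ptr), int(hnd), access, name.rstrip()))
    return objs


def classify(objs):
    """Group file objects by reference state.

    handle_backed    : some process handle table still points at it
    kernel_referenced: no handles, but the pointer count shows the kernel
                       still references it (the closed-by-notepad case)
    no_references    : both counts zero; the object is on its way out and
                       filescan only found it because the pool block is
                       not yet reused
    """
    groups = {"handle_backed": [], "kernel_referenced": [], "no_references": []}
    for o in objs:
        if o.hnd > 0:
            groups["handle_backed"].append(o)
        elif o.ptr > 0:
            groups["kernel_referenced"].append(o)
        else:
            groups["no_references"].append(o)
    return groups


def kernel_only_names(text):
    """Names of file objects no process holds open but the kernel still references."""
    return [o.name for o in classify(parse_filescan(text))["kernel_referenced"]]


if __name__ == "__main__":
    for state, objs in classify(parse_filescan(SAMPLE_FILESCAN)).items():
        print(state)
        for o in objs:
            print("  0x%016x ptr=%-3d hnd=%-3d %s %s" % (o.offset, o.ptr, o.hnd, o.access, o.name))
```

Feed it the saved output of `vol.py filescan` for the image in question; the kernel_referenced group is where a file opened and closed shortly before acquisition usually turns up. As background rather than anything the post states: a handle is itself one of the pointer references, and a mapped section's control area also holds a reference to its backing file object, which is one reason an image like ntdll.dll keeps a non-zero pointer count with zero handles.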
Hi everyone,
I've got a snapshot from a Red Hat VM that I'd like to analyze. I've noticed that imagecopy is in the Windows section of the documentation. Is imagecopy supported for Linux snapshots?
Thanks,
Kasia Olejnik
In case anyone is interested, I wrote a blog post on the memory analysis I
did on Jake Williams' ADD tool that he presented at Shmoocon. It can be found
here: http://blog.handlerdiaries.com/?p=363
Thanks,
Jack Crook