Hi All,
I'm trying to make a profile for android device.
I did a memory dump with LiME of an HTC One X (Android 4.0.3, HTC Sense
4.0, kernel 2.6.39.4-g6b459dc).
Now, following the instruction here
https://code.google.com/p/volatility/wiki/LinuxMemoryForensics , I was
trying to understand how to modify the makefile under
volatility/tools/linux/ , in order to point to my kernel source. The thing
is that in from my kernel source folder I couldn't find a proper value for
KDIR and KVER (although they should be pretty straightforward according to
their name) that would fit with the path for make command as from the
following source code:
pmem: pmem.c
$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) modules
dwarf: module.c
$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y
M=$(PWD) modules
dwarfdump -di module.ko > module.dwarf
$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) clean
Did anyone ever created an android profile? Any hint?
I've seen in the mailing list archive a thread "Profile (ZIP) for Android
4.0.3" from Mike (in Cc), any news about that?
Thank you
P.
--
Pasquale Stirparo, MEng
GCFA, OPST, OWSE, ECCE
European Commission - JRC Joint Research Centre
Institute for the Protection and Security of the Citizen (IPSC)
Digital Citizen Security Unit
Via E. Fermi, 2749 - TP 361
21027 Ispra (VA) - Italy
PGP Key: 0x4C589FB2
Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2
Disclaimer: The views expressed are purely those of the writer and may not
in any circumstance be regarded as stating an official position of the
European Commission.
On 2013-02-27 13:51, Ayers, Robert wrote:
> By name alone I'd bet a beer that this is a malicious executable
>
> 0x89152020 qegyas.exe 2364 2236 0 -------- 0
> 0 2013-02-27 15:08:35 2013-02-27 15:08:44
Thanks for the quick response. I believe that qegyas.exe is the
injector (according to my procmon at least). Also, that process has
exited, so I'm out of luck for taking a peak at it (in memory at
least...happily the malware left the file on the drive :))
James
Greetings,
I was adding OS X support to my copy of Volatility per the instructions on https://code.google.com/p/volatility/wiki/MacMemoryForensics. It went well but I thought I'd pull the most recent version while I was at it.
Mac support went away when I did so. setup.py is now missing:
"volatility.plugins.overlays.mac",
Even when I add that back, vol.py --info doesn't show the OS X profiles.
Is this intentional? Is there a different version that I should be using?
Thanks!
-David
Hi there
We are looking to collect memory on an old Windows NT box. Of course, the tools we utilize are too recent to be compatible with Windows NT. Does anyone have any workaround suggestions or tools that may assist with this memory collection?
Regards,
Terrie
Group,
I have a memory image file for a Red Hat 6.3 box with 2.6.32-279.el6.x86_x64 kernel. Is it ok to use the CentOS 6.3 x64 (2.6.32-279.el6.x86_x64) example profile, given it's for the same kernel, or do I need to build a new profile?
Thanks for the help.
Kevin Marker
ACE, CCE, CISSP, EnCE
Johnny,
I will try to answer your question to the best of my knowledge. I have also
put the volatility user's mailing list in CC to share your problem with
other users and in case somebody have a better answer than mine ;-)
*Do you know how to send the memory using a netcat session from machine A
to machine B? I tied to do the below, but it did not work.
*
*Machine B (Start Netcat on BackTrack Server)
-------------------------------------------------
root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd
listening on [any] 4444 ...
Machine A (On Metasploitable Server, Trying to send image to
BackTrack[192.168.1.107])
-------------------------------------------------
root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko
"path=tcp:4444 format=raw" | nc 192.168.1.107 4444*
Unlike dd, LiME operates in kernel mode so you can't pipe it to netcat in
user mode.
I think LiME was created to listen on the target OS (Machine A in your
case) and memory acquisition needs to be started with netcat on the
acquisition PC (Machine B in your case). I have not try it, but here's how
I think it works:
1) insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=lime"
2) nc 192.168.1.107 -p 4444 > mem.lime
Also, I suggest you to use the padded format or the lime format to dump
memory because I think volatility will not be able to convert virtual to
physical addresses with a raw dump and analysis will fail (unless you pad
the dump manually).
Hope this helps!
Sebastien
On Mon, Feb 18, 2013 at 5:41 PM, Johnny Shaieb <johnny.shaieb(a)gmail.com>wrote:
> Sebastien,
>
> My name is Johnny. I am trying to figure out how to use Lime with
> Volatility.
>
> My end goal it to take and analyze the memory of a Vulnerable 8.04 VM made
> available by the Metasploitable Project.
> + Reference Link:
> http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
>
> I have been able to dump the memory (See Below)
>
> root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=/var/tmp/memory.dd format=raw"
>
> root@metasploitable:/var/tmp/LIME/src# ls -l /var/tmp/memory.dd
> -r--r--r-- 1 root root 536410112 2013-02-18 14:53 /var/tmp/memory.dd
>
>
> Do you know how to send the memory using a netcat session from machine A
> to machine B? I tied to do the below, but it did not work.
>
> *Machine B* (Start Netcat on BackTrack Server)
> -------------------------------------------------
> root@bt:/var/tmp# nc -l -vvv -p 4444 > lime.dd
> listening on [any] 4444 ...
> *Machine A *(On Metasploitable Server, Trying to send image to BackTrack[192.168.1.107])
> -------------------------------------------------
> root@metasploitable:/var/tmp/LIME/src# insmod lime-2.6.24-16-server.ko "path=tcp:4444 format=raw" | nc 192.168.1.107 4444
>
>
> Thank you for any guidance,
>
> Johnny
>
> --
> Johnny A. Shaieb
>
> http://www.computersecuritystudent.com
> http://www.studentJD.com <http://www.studentjd.com/>
> Education
> BS: Management Information Systems (Oklahoma State University)
> MS: Telecommunications (Oklahoma State University)
> MS: Computer Science / Computer Security (University of Tulsa)
>
> NSTISSI Certified
> 4011: Information Security Professional
> 4012: Designated Approving Authority
> 4013: Administration in Information Systems Security
> 4014: Information Systems Security Officer
>
On Wednesday of RSA I will be giving a talk titled:
"Memory Forensics: Defeating Disk Encryption, Skilled Attackers and Malware"
This talk will focus on three key points:
1) Showcasing the power and usefulness of memory forensics
2) Distinguishing memory forensics from disk forensics
3) Highlighting why live forensics should not be used and instead
analysts should switch to using offline memory forensics
Throughout the talk there will be many examples of powerful rootkits,
techniques of advanced attackers, looking at Android, and defeating
software-based disk encryption.
If you are interested in the talk and plan on attending, please add it
to your conference calendar:
https://ae.rsaconference.com/US13/connect/sessionDetail.ww?SESSION_ID=1885
If you have any questions about the talk or or want to meet up at RSA
then please contact me.
Hi,
I'm interested in parsing through the .vmsn files from VMware.
Vol 2.3 is slated to have the support. Any word on release date?
Has anyone tried using the plugins w/ vol 2.2? Any tips are greatly
appreciated.
TIA,
Mahesh
