I've got a memory dump of a clean system and a memory dump of a system infected with a piece of malware that I believe has been injected into services.exe.
When I use the vadinfo command, there are 93 memory segments associated with services.exe in the clean dump, and 234 segments in the infected dump.
Is this difference in the number of segments enough to warrant further review of services.exe? If so, is the next step to dump the extra memory segments that are in the infected dump using the vaddump command and review each of those dumps?
Thanks - any info is appreciated.
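A raw count of VAD entries is a weak signal on its own (heaps, thread stacks and mapped sections come and go with uptime), so what a practitioner actually diffs is the regions themselves and their protections. The script below is an added example, not part of the original post or of Volatility: it parses Volatility 2.x `vadinfo` text for two dumps, lists the regions present only in the suspect dump, and flags the ones that are executable but not backed by an image mapping (the same heuristic `malfind` uses). The two `vadinfo` excerpts are constructed for the example and the `VAD node @ ... / Protection: / Vad Type:` line layout is assumed from that plugin's output.

```python
import re
from collections import Counter

# Assumption: Volatility 2.x `vadinfo` text output, where every region starts with a
# "VAD node @ ... Start ... End ... Tag ..." line followed by "Protection:" and
# "Vad Type:" lines. The samples further down are constructed, not from a real dump.
NODE_RE = re.compile(
    r"VAD node @ (?P<node>0x[0-9a-fA-F]+) Start (?P<start>0x[0-9a-fA-F]+) "
    r"End (?P<end>0x[0-9a-fA-F]+) Tag (?P<tag>\w+)")
PROT_RE = re.compile(r"Protection: (?P<prot>\S+)")
TYPE_RE = re.compile(r"Vad Type: (?P<vtype>\S+)")

EXEC_PROTS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


def parse_vadinfo(text):
    """Turn vadinfo output into a list of region dicts (start/end are ints)."""
    regions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            cur = {"start": int(m["start"], 16), "end": int(m["end"], 16),
                   "tag": m["tag"], "prot": None, "vtype": None}
            regions.append(cur)
            continue
        if cur is None:
            continue
        m = PROT_RE.match(line)          # anchored, so "Flags: ... Protection: 7" is skipped
        if m:
            cur["prot"] = m["prot"]
            continue
        m = TYPE_RE.match(line)
        if m:
            cur["vtype"] = m["vtype"]
    return regions


def new_regions(baseline, suspect):
    """Regions of `suspect` whose [start, end] range does not occur in `baseline`."""
    seen = {(r["start"], r["end"]) for r in baseline}
    return [r for r in suspect if (r["start"], r["end"]) not in seen]


def suspicious_regions(regions):
    """Executable regions that are not file-backed image mappings (malfind's heuristic)."""
    return [r for r in regions
            if r["prot"] in EXEC_PROTS and r["vtype"] != "VadImageMap"]


def protection_histogram(regions):
    """How many regions carry each protection; useful when only counts differ."""
    return Counter(r["prot"] for r in regions)


# Constructed sample output: the clean dump has the services.exe image and one heap.
CLEAN_VADINFO = """
VAD node @ 0x89a1b2c0 Start 0x01000000 End 0x01018fff Tag Vad
Flags: CommitCharge: 2, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
VAD node @ 0x89a1c540 Start 0x00130000 End 0x0022ffff Tag VadS
Flags: CommitCharge: 16, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
"""

# Constructed sample output: same two regions plus a benign heap and a private RWX region.
INFECTED_VADINFO = CLEAN_VADINFO + """
VAD node @ 0x89b23a00 Start 0x00e00000 End 0x00e0ffff Tag VadS
Flags: CommitCharge: 8, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
VAD node @ 0x89b22e10 Start 0x01d40000 End 0x01d5ffff Tag VadS
Flags: CommitCharge: 32, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
"""

if __name__ == "__main__":
    clean = parse_vadinfo(CLEAN_VADINFO)
    infected = parse_vadinfo(INFECTED_VADINFO)
    print("clean:", protection_histogram(clean))
    print("infected:", protection_histogram(infected))
    for r in suspicious_regions(new_regions(clean, infected)):
        print("review: 0x%08x-0x%08x %s %s" % (r["start"], r["end"], r["tag"], r["prot"]))
```

Run `vol.py vadinfo -p <pid>` against each image, redirect to a file, and feed both files to `parse_vadinfo`; only the regions returned by `suspicious_regions` need a `vaddump` and a look in a disassembler. A region that is new but `PAGE_READWRITE` and tagged `VadS` is usually just a heap.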
I'm a noob with Volatility, so please be patient. I am working through some samples I found online. I've identified where I think malware was injected into a process by following this tutorial:
http://volatility-labs.blogspot.com/2012/10/reverse-engineering-poison-ivys…
My question:
Once in volshell I get many errors in my Python code. How do I enter a "tab" in volshell? Since Python is so dependent on indentation, I cannot follow the rest of the tutorial, as I cannot get past the "for addr in addrs" line.
Thanks.
David Kovar,
I have used FTK dozens of times with images as large as 80 GB of RAM. I haven't had any strange storage issues though. I have also used mdd.exe and .vmem files in analysis and had similar results, with fewer issues with larger images.
What version of FTK Imager did you use?
Regards,
Wyatt Roersma
On Dec 4, 2012 8:02 PM, <vol-users-request(a)volatilityfoundation.org> wrote:
> Message: 1
> Date: Tue, 4 Dec 2012 16:53:00 -0600
> From: David Kovar <dkovar(a)gmail.com>
> Subject: [Vol-users] FTK Imager as RAM dumping tool?
> To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org>
> Message-ID: <0186FBD7-BB31-4380-9B4D-4F0342BE19B1(a)gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Good afternoon,
>
> I was just looking at a memory dump that, when compressed, went from 4GB
> to about 20MB. Something is odd here, I say. Most of the file is nulls.
>
> The dump was collected with FTK Imager. Does anyone have any opinions on
> its reliability as a memory acquisition tool?
>
> Thanks.
>
> -David
Good afternoon,
I was just looking at a memory dump that, when compressed, went from 4GB to about 20MB. Something is odd here, I say. Most of the file is nulls.
The dump was collected with FTK Imager. Does anyone have any opinions on its reliability as a memory acquisition tool?
Thanks.
-David
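Before blaming the acquisition tool, it is worth measuring what the image actually contains: a live 4 GB machine normally has a fair number of zeroed pages, but a dump that is almost entirely null, or null from some offset onwards, points at a capture that silently stopped or skipped ranges. The script below is an added example, not from the original post or from any acquisition tool; it counts all-zero 4 KiB pages, finds the longest run of them, and profiles the null ratio across equal slices of the image so you can see whether the nulls are scattered (free memory) or form one contiguous tail. The sample image is constructed in the script.

```python
PAGE_SIZE = 4096


def null_page_stats(data, page_size=PAGE_SIZE):
    """Count all-zero pages and find the longest contiguous run of them."""
    total = (len(data) + page_size - 1) // page_size
    null_pages = 0
    run_start, best = None, (0, 0)          # best = (first_page, run_length)
    for i in range(total):
        page = data[i * page_size:(i + 1) * page_size]
        if page.count(0) == len(page):      # every byte is 0x00
            null_pages += 1
            if run_start is None:
                run_start = i
            if i - run_start + 1 > best[1]:
                best = (run_start, i - run_start + 1)
        else:
            run_start = None
    return {"pages": total, "null_pages": null_pages,
            "null_ratio": (null_pages / total) if total else 0.0,
            "longest_run_page": best[0], "longest_run_len": best[1]}


def null_profile(data, buckets=8, page_size=PAGE_SIZE):
    """Null-page ratio for each of `buckets` equal slices of the image, in file order."""
    total = (len(data) + page_size - 1) // page_size
    per_bucket = max(1, -(-total // buckets))        # ceil(total / buckets) pages
    profile = []
    for b in range(buckets):
        lo = b * per_bucket * page_size
        hi = (b + 1) * per_bucket * page_size
        if lo >= len(data):
            break
        profile.append(null_page_stats(data[lo:hi], page_size)["null_ratio"])
    return profile


# Constructed sample: 64 pages of non-zero filler followed by 192 pages of nulls,
# i.e. the "capture stopped part way" shape rather than scattered free pages.
_FILLER_PAGE = bytes(range(256)) * 16                 # exactly 4096 bytes
SAMPLE_IMAGE = _FILLER_PAGE * 64 + bytes(PAGE_SIZE * 192)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    stats = null_page_stats(data)
    print("null pages: %d / %d (%.1f%%), longest run: %d pages from page %d"
          % (stats["null_pages"], stats["pages"], 100 * stats["null_ratio"],
             stats["longest_run_len"], stats["longest_run_page"]))
    print("null ratio per slice:", ["%.2f" % r for r in null_profile(data)])
```

Run it as `python nullpages.py memory.raw`; it reads the whole file into memory, which is fine for a 4 GB image on an analysis box but should be turned into a chunked read for anything larger. A profile like `0.05, 0.10, 0.08, ...` is what a healthy dump looks like; `0.00, 0.00, 1.00, 1.00, ...` is not.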
A review of the Linux-capable version of volatility doesn't seem to
indicate any option of performing a keyword search of captured memory.
Is this correct?
Also, I don't recall seeing an option in pmem.ko for capturing
virtual/shared memory versus physical memory. Am I missing
something?
Thanks.
Scott
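Keyword searching does not need Volatility at all: a raw image is just a file, and the point a practitioner cares about is to search both the 8-bit and the UTF-16LE form of the term and to map each hit back to a page offset that can then be looked up with the framework. The script below is an added example, not part of the original message or of Volatility; the sample image it scans is constructed inline.

```python
PAGE_SIZE = 4096


def keyword_hits(data, keyword, ignore_case=True, page_size=PAGE_SIZE, context=12):
    """Find `keyword` as ASCII and as UTF-16LE in a raw image; report offset, page, context."""
    # bytes.lower() folds only A-Z, so it works on both encodings and never touches
    # the 0x00 high bytes of UTF-16LE text. It copies the image once; acceptable
    # for an analysis box, but switch to a chunked scan for very large images.
    haystack = data.lower() if ignore_case else data
    needles = {"ascii": keyword.encode("ascii"),
               "utf-16le": keyword.encode("utf-16-le")}
    hits = []
    for encoding, needle in needles.items():
        if ignore_case:
            needle = needle.lower()
        pos = haystack.find(needle)
        while pos != -1:
            hits.append({
                "offset": pos,
                "page": pos // page_size,
                "page_offset": pos % page_size,
                "encoding": encoding,
                "context": data[max(0, pos - context):pos + len(needle) + context],
            })
            pos = haystack.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


# Constructed three-page sample: an ASCII hit on page 1 and a UTF-16LE hit on page 2.
_FILLER = bytes(range(1, 256)) * 17                  # no 0x00 bytes, no "pa" sequence
_PAGE0 = _FILLER[:PAGE_SIZE]
_PAGE1 = _FILLER[:100] + b"password=hunter2" + _FILLER[:PAGE_SIZE - 116]
_PAGE2 = _FILLER[:8] + "Password".encode("utf-16-le") + _FILLER[:PAGE_SIZE - 24]
SAMPLE_IMAGE = _PAGE0 + _PAGE1 + _PAGE2

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_IMAGE
    term = sys.argv[2] if len(sys.argv) > 2 else "password"
    for h in keyword_hits(data, term):
        print("0x%08x page %d +0x%03x %-8s %r"
              % (h["offset"], h["page"], h["page_offset"], h["encoding"], h["context"]))
```

The page number is a physical page index in the image file; to learn which process mapped it you still need the framework's address-space translation (for Windows, `volshell` or the `strings` plugin take exactly such offsets). Whether Linux support at the time offered that translation is the question the message asks; the search itself is independent of it.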
Through some more research and several email responses, I discovered
the following:
I needed to create a profile and compile the volatility-2.2/tools/linux modules:
http://code.google.com/p/volatility/wiki/LinuxMemoryForensics
but first, using Ubuntu that I had, needed to fix a known bug -
http://code.google.com/p/volatility/issues/detail?id=351
Once that compiled and I followed the rest of the steps for a
Linux-specific profile, magical results with no limitations.
Thanks to all.
Scott
My final assignment for a digital forensics class has me exploring the
capabilities of Volatility for memory review of a Linux system.
I have since learned about lime (Linux Memory Extractor) and about
Volatility's own kernel module, pmem.ko, which appears to provide
faster memory capture than lime.
The assignment initially had us visiting the volatilityfoundation.org web page,
which only had through version 2.1. Additional searching revealed
active work on code.google.com, which also says Linux support is part
of 2.2.
So, I obtained version 2.2, and am getting very mixed results.
I am using an out-of-box version of Ubuntu 10.04 32-bit with some
updates to bring python up-to-date in a VMware Player 4.0.4 VM.
In my trials thus far, I can get some results from: python ./vol.py
connscan -f /path/to/memory.img
I've pretty much gone through many of the options provided by python
./vol.py -h and usually end up with the error:
"No suitable address space mapping found
Tried to open image as:"
Various google searches, and in reading the volatility page, really
seems to indicate the code is still very Windows-oriented.
Am I missing something? I'd like to get some decent results, if possible.
I also tried an svn update, but that most recent version yielded an
immediate python error on vol.py.
Thanks for any insights.
Scott
Hi, I am currently using Volatility to retrieve TrueCrypt keys stored in memory by accessing a RAM dump. Can you please help me out on how to map the exact location of keys using Volatility? I am able to list the processes running while the image was taken, and henceforth I am not able to narrow down my search criteria; please help me out.
Thank you
Thilaknath
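Listing processes does not narrow this down because a cipher key is not tied to a process structure; the standard way to find one in a raw image is the cold-boot-attack technique implemented by aeskeyfind: treat every 16-byte window as a candidate AES-128 key, expand it, and accept it when the next 160 bytes are exactly that key schedule, which is what an AES implementation keeps in memory while a volume is mounted. The script below is an added example (not from the original message and not a Volatility plugin; the TrueCrypt-specific plugins arrived in later releases): it derives the AES S-box, expands keys per FIPS-197, and scans a constructed image with a schedule planted in it. TrueCrypt uses XTS mode, so a mounted AES volume has two such schedules (data key and tweak key), and Serpent or Twofish volumes need the analogous check for those ciphers' schedules, which this example does not cover.

```python
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xff


def _gen_sbox():
    """Build the AES S-box from its definition: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff   # p *= 3 (generator)
        q = (q ^ (q << 1)) & 0xff                               # q /= 3, so q == p^-1
        q = (q ^ (q << 2)) & 0xff
        q = (q ^ (q << 4)) & 0xff
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _gen_sbox()
SCHEDULE_LEN = 176          # 11 round keys * 16 bytes for AES-128


def expand_aes128_key(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte round-key schedule."""
    assert len(key) == 16
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = bytearray(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                         # RotWord
            t = bytearray(SBOX[b] for b in t)         # SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1b if rcon & 0x80 else 0)) & 0xff
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def find_aes128_schedules(data):
    """Offsets in `data` where 176 bytes form a valid AES-128 key schedule."""
    hits = []
    for off in range(0, len(data) - SCHEDULE_LEN + 1):
        key = data[off:off + 16]
        # Cheap filter first: recompute only w[4] and compare before a full expansion.
        w3 = key[12:16]
        t = bytes(SBOX[b] for b in w3[1:] + w3[:1])
        w4 = bytearray(a ^ b for a, b in zip(key[0:4], t))
        w4[0] ^= 0x01
        if data[off + 16:off + 20] != bytes(w4):
            continue
        if expand_aes128_key(key) == data[off:off + SCHEDULE_LEN]:
            hits.append(off)
    return hits


# Constructed sample image: 16 KiB of pseudo-random noise with one schedule planted
# 37 bytes into the second page. The key is a test value, not a real volume key.
_rng = random.Random(7)
_noise = bytes(_rng.getrandbits(8) for _ in range(16384))
TEST_KEY = b"TrueCryptTestKey"
SCHEDULE_OFFSET = 4096 + 37
SAMPLE_IMAGE = (_noise[:SCHEDULE_OFFSET] + expand_aes128_key(TEST_KEY)
                + _noise[SCHEDULE_OFFSET + SCHEDULE_LEN:])

if __name__ == "__main__":
    for off in find_aes128_schedules(SAMPLE_IMAGE):
        print("AES-128 key schedule at 0x%x, key %s" % (off, SAMPLE_IMAGE[off:off + 16].hex()))
```

On a real image the pure-Python scan is slow (one candidate per byte offset), so either run it only over the non-null pages of the kernel pool, where a driver keeps its cipher contexts, or use aeskeyfind itself, which implements the same test in C and also handles AES-256. A schedule found this way is the key, not a passphrase: it unlocks the volume directly with a tool that accepts raw keys.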
Hello,
We are writing to announce the public offering of our Windows Memory
Forensics for Analysts training course. This course is taught directly by
Volatility developers, and will provide intense training in memory
forensics for incident response, malware analysis, and digital forensic
investigation. Full details can be found here:
http://volatility-labs.blogspot.com/2012/11/windows-memory-forensics-traini…
Please write or comment on the post if you have any questions or comments.
Thanks,
Andrew (@attrc)
Have never seen this error when trying to dump a process. Any
suggestions? Tried -u as well with the same results.
vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire process AS