Hi all,
I was wondering if support for Windows 8 is on the Volatility roadmap?
And if there's anything I can do to help?
I'm certain I'll be of no programming help, but I could certainly provide
Windows 8 memory dumps and testing.
Thanks all,
Bridgey the Geek
Hello,
Sorry for the late notice, but tonight I will be giving a webinar on
analyzing malware in memory with Volatility. This presentation will
showcase many of Volatility's advanced capabilities related to
detecting and analyzing Windows malware. Its free to attend, but you
must pre-register:
http://www.thehackeracademy.com/tha-deep-dive-analyzing-malware-in-memory/
If you have any questions feel free to contact me directly.
Thanks,
Andrew
Hey all.
So..I have a couple questions (clearly) about procexedump and another
one about hidden processes. First, procexedump. Here's the info of the
memdump:
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ -------------------- --------------------
0x8925a808 exp3.tmp.exe 3336 1628 0 -------- 0
0 2012-12-13 15:22:46 2012-12-13 15:25:22
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
-------------------- --------------------
0x0925a808 exp3.tmp.exe 3336 1628 0x0a440480 2012-12-13
15:22:46 2012-12-13 15:25:22
I'm attempting to dump this to an exe file, but here's what I'm
getting:
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x8925a808 ---------- exp3.tmp.exe Error: PEB at 0x7ffdf000 is
paged
I won't lie in saying I don't really have a handle on the entire memory
structure of Windows XPSP3. What exactly can I do, if anything, to get
this as a sample? Next up, hidden processes:
Offset(P) Local Address Remote Address Pid
---------- ------------------------- ------------------------- ---
0x09046008 192.168.0.2:1066 x.x.x.106:443 1448
0x0912f878 192.168.0.2:1071 x.x.x.8:443 1448
0x091bfa70 192.168.0.2:1069 x.x.x.106:443 1448
0x09231478 192.168.0.2:1065 x.x.x.106:443 1448
pslist, psscan, and psxview do not show this PID. How do I figure out
what and where this PID is? Thanks for any help you can provide.
James
I've got a memory dump of a clean system and a memory dump of a system infected with a piece of malware that I believe has been injected into services.exe.
When I use the vadinfo command, there are 93 memory segments associated with services.exe in the clean dump, and 234 segments in the infected dump.
Is this difference in the number of segments enough to warrant further review of services.exe? If so, is the next step to dump the extra memory segments that are in the infected dump using the vaddump command and review each of those dumps?
Thanks - any info is appreciated.
I'm a noob with Volatility, so please be patient. I am working through some samples I found online. I've identified where I think malware was injected into a process by following this tutorial:
http://volatility-labs.blogspot.com/2012/10/reverse-engineering-poison-ivys…
My question:
once in volshell I get many errors in my python code. How do I enter a "tab" in volshell? Since Python is so dependent on indentation, I cannot follow the rest of the tutorial as I cannot get past the "for addr in addrs" line..
Thanks.
David Kovar,
I have used FTK dozens of times with images as large as 80 GB of ram. I
haven't had any strange storage issues though. I have also used mdd.exe and
.vsem files in analysis and had similar results with less issues with
larger images.
What version of FTK imager did you use?
Regards ,
Wyatt Roersma
On Dec 4, 2012 8:02 PM, <vol-users-request(a)volatilityfoundation.org> wrote:
> Send Vol-users mailing list submissions to
> vol-users(a)volatilityfoundation.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> or, via email, send a message with subject or body 'help' to
> vol-users-request(a)volatilityfoundation.org
>
> You can reach the person managing the list at
> vol-users-owner(a)volatilityfoundation.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Vol-users digest..."
>
>
> Today's Topics:
>
> 1. FTK Imager as RAM dumping tool? (David Kovar)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 4 Dec 2012 16:53:00 -0600
> From: David Kovar <dkovar(a)gmail.com>
> Subject: [Vol-users] FTK Imager as RAM dumping tool?
> To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org>
> Message-ID: <0186FBD7-BB31-4380-9B4D-4F0342BE19B1(a)gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> Good afternoon,
>
> I was just looking at a memory dump that, when compressed, went from 4GB
> to about 20MB. Something is odd here, I say. Most of the file is nulls.
>
> The dump was collected with FTK Imager. Does anyone have any opinions on
> its reliability as a memory acquisition tool?
>
> Thanks.
>
> -David
>
>
>
> ------------------------------
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
> End of Vol-users Digest, Vol 54, Issue 1
> ****************************************
>
Good afternoon,
I was just looking at a memory dump that, when compressed, went from 4GB to about 20MB. Something is odd here, I say. Most of the file is nulls.
The dump was collected with FTK Imager. Does anyone have any opinions on its reliability as a memory acquisition tool?
Thanks.
-David
A review of the Linux-capable version of volatility doesn't seem to
indicate any option of performing a keyword search of captured memory.
Is this correct?
Also, I don't recall seeing an option in pmem.ko for capturing
virtual/shared memory versus physical memory. Am I missing
something?
Thanks.
Scott
Through some more research and several email responses, I discovered
the following:
I needed to create a profile and compile the volatility-2.2/tools/linux modules:
http://code.google.com/p/volatility/wiki/LinuxMemoryForensics
but first, using Ubuntu that I had, needed to fix a known bug -
http://code.google.com/p/volatility/issues/detail?id=351
Once that compiled and I followed the rest of the steps for a
Linux-specific profile, magical results with no limitations.
Thanks to all.
Scott
My final assignment for a digital forensics class has me exploring the
capabilities of Volatility for memory review of a Linux system.
I have since learned about lime (Linux Memory Extractor) and about
Volatility's own kernel module, pmem.ko, which appears to provide
faster memory capture than lime.
The assignment initially had us visiting volatilityfoundation.org web page
which only had through version 2.1. Additional searching revealed
active work on code.google.com, which also says linux support is part
of 2.2.
So, I obtained version 2.2, and am getting very mixed results.
I am using an out-of-box version of Ubuntu 10.04 32-bit with some
updates to bring python up-to-date in a VMware Player 4.0.4 VM.
In my trials thus far, I can get some results from: python ./vol.py
connscan -f /path/to/memory.img
I've pretty much gone through many of the options provided by python
./vol.py -h and usually end up with the error:
"No suitable address space mapping found
Tried to open image as:"
Various google searches, and in reading the volatility page, really
seems to indicate the code is still very Windows-oriented.
Am I missing something? I'd like to get some decent results, if possible.
I also tried an svn update, but that most recent version yielded an
immediate python error on vol.py.
Thanks for any insights.
Scott
