Hi everyone,
in prior threads, Michael and Aaron pointed out changes in memory
structures when suspending a virtual machine. I think this is an
important observation and would therefore suggest moving the respective
discussion to a separate thread. I have summarized the relevant passages
below.
----
Michael H. Ligh
(http://lists.volatilityfoundation.org/pipermail/vol-users/2012-June/000441.…)
> Also, if you're analyzing a memory dump by suspending the VM, that has
> significant impact on the lifetime and availability of network
> structures. When you suspend/pause a VMware guest, VMware tools runs a
> bat script on the guest (I think its vm-suspend.bat) which forcefully
> closes TCP/UDP and frees the IP.
Jesse Bowling
(http://lists.volatilityfoundation.org/pipermail/vol-users/2012-July/000470.…)
> This was a VMWare 4.1 virtual machine that was paused, and the vmss file
> copied out.
> Much later I head referenced that pausing the virtual machine actually
> causes a lot of information to be removed from memory due to the way VMWare
> prepares the OS to pause... :( (Can you or anyone speak to the truth-iness
> of this?)
AAron Walters
(http://lists.volatilityfoundation.org/pipermail/vol-users/2012-July/000473.…)
> This is definitely something to take in consideration with this particular
> acquisition method. I think you are referring to a comment that MHL made
> previously about vmware tools. A similar thing happens when people
> attempt to use hibernation files. Intuitively, what does it mean to resume
> a network connection that disappeared hours, if not days, earlier? In some
> instances, it is possible to still extract associated artifacts from
> unallocated regions, a technique most debuggers don't handle very well.
----
Last year, I wrote a survey article about memory acquisition and
analysis techniques
(http://www.sciencedirect.com/science/article/pii/S1742287611000508) and
stated in a short section about virtual machines that, by suspending a
system, a memory snapshot with a high level of atomicity and correctness
could be produced. With respect to the issues raised by Michael, this
statement is maybe a bit too optimistic now?!
I have recently done a lot of research in the area of memory
acquisition, specifically with regard to software-based utilities. We
have tried to formalize criteria for sound memory imaging in a different
paper
(http://www.sciencedirect.com/science/article/pii/S1742287612000254)
and I'm currently working on a platform that may help evaluating the
correctness, impact, etc. of a utility more accurately.
As the discussion about virtual machines roughly touches my research
interests, I would like to know if there's any more information on this
topic. Specifically:
- Has anyone ever measured the impact on a memory image when suspending
a system?
- I have briefly looked at the vm-suspend-default.bat file which is
located in the folder of the VMware tools. It just includes an "ipconfig
/release" command, so it appears "only" network-related information
would be affected. Is anyone aware of any other structures that would be
changed/destroyed when going into suspensed mode?
- Is the batch script (or similar operations) actually executed every
time a machine is suspended? I have just run a quick google query on the
file and only saw that its use was optional?
I would very much appreciate if anyone had some more details on this or
could share some references.
Best regards,
Stefan
I want to check to see if my test computer is infected with Stuxnet.
I have not finished the forensics on it and do not want to know any answers. I don't want to check the behaviorial data yet because that would give too much away.
My hash and signature analysis says it is not infected. I don't want to waste time if it is not infected.
I think the simplest way to determine if it is infected is to see if the "Are you there?" mutant is there. If you know the mutant, please let me know.
There is a lot of analysis of it on the internet and I have kept away from it. No fun to get the answer from someone else.
Thanks,
Mike
I am looking at a sample of the Pilleuz worm that infects USB.
I ran malfind and was not successful extracting a sample
Is there another option for extracting injected code?
Is there a way to dump threads?
Thanks,
Mike
I've used 1.3 and 2.0 but neither gives me any "old" UDP artifacts. I know they are there because I have the pcap, so I am looking for them in memory.
Can someone tell me the format of a UDP artifact in memory please?
For example I'm looking for
from a connection UDP 192.168.136.129:1044 to 204.13.161.100:6600
I'm looking at
11 83 89 CO A8 88 81 CC 0D A1 64 04 14 19 C8
that looks like
UDP Unk Unk 192.168.136.129 204.13.161.100 1044 6600
The "Unk" means I don't know what they are (the 83 (seems to be constant) and 89 (changes slightly)).
I've found this in the kernel
01fb5017 [kernel:2180730903] UDP to 204.13.161.100
This may just be a parameter block that is passed to the OS, but it does show that there was such a packet sent.
Tell me what I need to be looking for if I am in the wrong place.
Thanks,
Mike
Hi All,
I presented a topic on "malware memory forensics" using Volatility.....the
ppt and video can be found in the below link....i hope you will like it :-)
http://goo.gl/7bRFK
Thanks,
Monnappa
Just curious whether the Volatility 2.0.1 branch is a bugfix for the
stable 2.0 branch, or is it something else entirely?
-Roman
Please cc: this address in addition to the mailing list, as I'm not
normally a subscriber.
Hi all,
I did not use apihooks for a while. Now I am playing around with that flame
sample from Mike Lambert (THX a lot!!) and miss that plugin.
It may have gone with the integration of the malware plugin directly to the
Volatility core.
Is it still available somewhere for 2.1a or do I have to reuse an older
version?
Regards
Michael
