I tried the hibr2dmp utility, but it fails on both my Vista hibernation file from the possible hacking case and a Vista 32-bit test hibernation file. Both contain a block of zeros at the beginning of the file.
Howard Patterson
Special Agent
Technical Services Unit
Tennessee Bureau of Investigation
615-744-4376
howard.patterson(a)tn.gov
Is anyone working on extending Volatility to work with Vista? I have a hibernation file from a Vista (32-bit) machine and am searching for possible intrusion/hacking. I don't have a RAM capture.
Howard Patterson
Special Agent
Technical Services Unit
Tennessee Bureau of Investigation
615-744-4376
howard.patterson(a)tn.gov
Bruce,
Change the extension from ".txt" to ".bin" or maybe even try ".dmp" and then run Volatility. It has been a while since I have done it, but I believe you will want to use ".bin".
Regards,
Chris
Chris Currier
CMT Digital Solutions, Inc.
The latest forensics challenge for The Honeynet Project involves
investigating a memory sample of an infected virtual machine. In order to
encourage research and development in the area of memory forensics, The
Order of Volatility plans to augment the prizes awarded to those
submissions in the top three which leverage The Volatility Framework. Even
if you are a Volatility power-user who doesn't find the questions
particularly interesting, we still encourage you to participate. To that
end, we are also planning to recognize the submission that extends the
Volatility Framework in the most unique or creative way (e.g., plugins,
visualizations, etc.). Submissions are due by 17:00 EST, Sunday, April
18th 2010.
Shoutz to Josh Smith, a Volatility supporter, for helping to encourage
research in the area of memory forensics!
http://www.honeynet.org/challenges/2010_3_banking_troubles
I did a memory and volatile data acquisition with Helix.
While using the EnScript version of Volatility I found on the blog, I ran it
against the memory dump and the TCP network connections scan showed a
connection:
192.168.1.104:1142 81.169.145.x:80 3852
The strange thing is, I can't find the process associated with process ID 3852
in the EnScript version with pslist.
When I run the Volatility program from a Linux command line I can't see any
connection at all (with the options connscan and connscan2), and there is no
process in pslist with ID 3852.
In the volatile data report of Helix this connection isn't showing either.
Of course I want to know what kind of process this is; can anyone help me?
Thanks a lot,
K Bertens
Begin forwarded message:
> From: Brian Carrier <carrier(a)digital-evidence.org>
> Date: March 2, 2010 10:57:02 AM EST
> Subject: [linux_forensics] Interested in a Sleuth Kit and Open Source Forensics Users Conference?
>
> We are thinking about hosting the first ever Sleuth Kit and Open Source
> Forensics Users Conference this year on June 9 in Chantilly, VA (USA).
> It would be held in conjunction with the Basis Technology Government
> Users Conference (but it will be open to non-Government users). The goal
> of the conference would be to announce some new Sleuth Kit features,
> learn about how Sleuth Kit is integrated into other tools, learn about
> other open source forensics tools, and get some ideas on future
> directions of the tools.
>
> We have commitments from some companies who are willing to talk about
> how they are using TSK and I next wanted to get an idea about who was
> interested in attending or giving a presentation. Can you send me an
> e-mail (off list) if you would be interested in attending or presenting?
> If there is enough interest, then we'll see you in June!
>
> For those who want more location details, here is a link to the Basis
> conference site:
> http://www.basistech.com/conference/2010/directions.html
>
> thanks,
> brian
>
Just out of curiosity, was there message text in this email? I didn't
get it for some reason...
> Date: Mon, 1 Mar 2010 09:31:42 -0600
> From: "Schroeder, William" <William.Schroeder(a)cmegroup.com>
> Subject: [Vol-users] connscan ouput question
> To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org>
> Message-ID:
> <B61619049B3B8049A5F883C2822A080C0E11583318(a)SMAPEXMBX2.prod.ad.merc.chicago.cme.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Skipped content of type multipart/alternative
I think I know the answer to this, but I want to be certain.
I captured live memory with FTK Imager Lite (Current version)
I am now trying to examine the memory, and receive:
commandme : python volatility connections -f memdump.txt
/work/Volatility-1.3_Beta/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
import sha
Usage: connections [options] (see --help)
volatility: error: Unable to load image. Possible causes: invalid dtb, wrong image type, unsupported image type.
I suspect that FTK doesn't create a linear image.
I tried this on a Mac and Windows.
If this is correct, does anyone know of an open source tool I can analyze this FTK memory dump with? I can't recreate another.
I tried wmft_0.2, but I think that this tool is in the early stages of development. I was only able to pull a list of drivers with it.
-- Bruce D. Meyer
Analysis & Encryption
(803) 896-0469
(803) 896-1650 (SOC)
My Key Fingerprint is:
8BC3 14B5 CE77 3C83 F4A7
5353 3F27 97FF 0591 44F9
-------------------------
South Carolina Information Sharing and Analysis Center (SC-ISAC)
Department of State I.T. (D.S.I.T)
http://sc-isac.sc.gov
~-~-~-~-~-~-~-~-~-~-~-~-~-
Upload your PGP public key, download or verify mine at:
http://keys.cio.sc.gov
Has anyone seen the following in the output from connscan? The connections are both external and the PID is impossibly high.
73.0.83.0:20992 69.0.71.0:21504 6029401
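Two posts above hinge on the same point: connscan is a pool-tag scan over physical memory, so a hit is found independently of the active process list. A PID that pslist does not show is either a process that has since exited (psscan, which also carves, can recover it) or a byte pattern that merely follows a "TCPT" tag. The second case is what the line above is: reversing the decoding of 73.0.83.0:20992 69.0.71.0:21504 6029401 gives the bytes 45 00 47 00 49 00 53 00 54 00 52 00 59 00 5C 00, which is "EGISTRY\" in UTF-16LE, a fragment of a registry path rather than a socket. The script below is an added example, not Volatility's connscan: it scans for the tag, decodes the 32-bit XP _TCPT_OBJECT layout that connscan used (offsets 0xc remote IP, 0x10 local IP, 0x14/0x16 big-endian ports, 0x18 PID), applies plausibility checks, and shows the raw field bytes as text for rejected hits. The sample image, the remote peer 10.0.0.5:80 and the PID ceiling are constructed assumptions; the local address 192.168.1.104:1142 and PID 3852 are taken from the earlier post.

```python
"""
Added example (not Volatility code): a minimal connscan-style pool-tag scan for
XP-era _TCPT_OBJECT records, plus the sanity checks and raw-byte peek that
separate a real connection from a byte pattern that merely follows a "TCPT" tag.
The structure offsets are the 32-bit XP layout Volatility's connscan used; the
sample image and the plausibility thresholds are constructed assumptions.
"""
import struct

POOL_TAG = b"TCPT"    # pool tag of TCP connection objects on XP
OBJ_FROM_TAG = 4      # _POOL_HEADER is 8 bytes with the tag at +4, so the object starts right after the tag
OBJ_SIZE = 0x20       # sizeof(_TCPT_OBJECT) on 32-bit XP

# 32-bit XP _TCPT_OBJECT field offsets (IPs as raw 4 bytes, ports big-endian, pid little-endian)
OFF_REMOTE_IP, OFF_LOCAL_IP = 0x0C, 0x10
OFF_REMOTE_PORT, OFF_LOCAL_PORT, OFF_PID = 0x14, 0x16, 0x18

MAX_PID = 0x10000000  # assumption: a generous ceiling used only as a garbage filter


def ip_str(raw4):
    """Render 4 raw bytes as dotted decimal."""
    return ".".join(str(b) for b in raw4)


def parse_tcpt(buf, obj):
    """Decode the fields connscan prints from a candidate object at offset obj."""
    remote_port, local_port = struct.unpack_from(">HH", buf, obj + OFF_REMOTE_PORT)
    (pid,) = struct.unpack_from("<I", buf, obj + OFF_PID)
    return {
        "offset": obj,
        "local_ip": ip_str(buf[obj + OFF_LOCAL_IP:obj + OFF_LOCAL_IP + 4]),
        "local_port": local_port,
        "remote_ip": ip_str(buf[obj + OFF_REMOTE_IP:obj + OFF_REMOTE_IP + 4]),
        "remote_port": remote_port,
        "pid": pid,
    }


def fmt(conn):
    """connscan-style line: local remote pid."""
    return f"{conn['local_ip']}:{conn['local_port']} {conn['remote_ip']}:{conn['remote_port']} {conn['pid']}"


def implausible(conn):
    """Reasons a hit cannot be a live TCP connection; an empty list means it passes."""
    reasons = []
    # NT hands out PIDs in steps of 4 (handle-table indices), so an odd PID is never real
    if conn["pid"] == 0 or conn["pid"] % 4 or conn["pid"] > MAX_PID:
        reasons.append("pid not a multiple of 4 or out of range")
    if conn["local_port"] == 0 or conn["remote_port"] == 0:
        reasons.append("zero port")
    if conn["local_ip"] == "0.0.0.0" or conn["remote_ip"] == "0.0.0.0":
        reasons.append("unspecified address")
    return reasons


def utf16_peek(buf, obj):
    """Show the 16 field bytes as UTF-16LE text: Unicode strings are a common source of false hits."""
    raw = buf[obj + OFF_REMOTE_IP:obj + OFF_PID + 4]
    text = raw.decode("utf-16-le", errors="replace")
    return "".join(c if c.isprintable() else "." for c in text)


def scan(buf):
    """Find every 'TCPT' tag, decode the object after it, and flag implausible hits."""
    hits = []
    pos = buf.find(POOL_TAG)
    while pos != -1:
        obj = pos + OBJ_FROM_TAG
        if obj + OBJ_SIZE <= len(buf):
            conn = parse_tcpt(buf, obj)
            conn["rejected"] = implausible(conn)
            if conn["rejected"]:
                conn["as_utf16"] = utf16_peek(buf, obj)
            hits.append(conn)
        pos = buf.find(POOL_TAG, pos + 1)
    return hits


def build_sample():
    """Constructed image: one genuine-looking object and one stray tag followed by a registry path."""
    img = bytearray(64)
    obj = bytearray(OBJ_SIZE)
    obj[OFF_REMOTE_IP:OFF_REMOTE_IP + 4] = bytes([10, 0, 0, 5])       # assumed remote peer
    obj[OFF_LOCAL_IP:OFF_LOCAL_IP + 4] = bytes([192, 168, 1, 104])   # local side as in the thread
    struct.pack_into(">HH", obj, OFF_REMOTE_PORT, 80, 1142)           # remote port, local port
    struct.pack_into("<I", obj, OFF_PID, 3852)                       # pid as in the thread
    img += b"\x00\x00\x04\x00" + POOL_TAG + bytes(obj) + bytes(32)   # fake pool header + object
    # False positive: 8 zero bytes after a stray "TCPT", then the UTF-16LE string "\REGISTRY\MACHINE"
    img += b"\x00\x00\x04\x00" + POOL_TAG + bytes(8) + "\\REGISTRY\\MACHINE".encode("utf-16-le") + bytes(32)
    return bytes(img)


if __name__ == "__main__":
    for hit in scan(build_sample()):
        if hit["rejected"]:
            print(fmt(hit), "REJECTED:", "; ".join(hit["rejected"]), "| bytes as UTF-16:", repr(hit["as_utf16"]))
        else:
            print(fmt(hit), "ok")
```

The second hit reproduces the posted line exactly and is rejected on the PID alone; the UTF-16 peek then explains where the numbers came from. A real scanner would also check the pool header's block size and pool type before decoding, which this example omits for brevity.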
While running the above plugin using Vol 1.3.2 I keep getting the following
error. It runs just fine for a few minutes, then I get the error "range()
result has too many items." My question is, is this expected, or is this a
bug? Here is the output:
root@morgan-laptop:/digitalforensics/Volatility-1.3.2# ./volatility fileobjscan -f /home/morgan/Raw\ Memory/PhysicalMemory.bin > fileobj.txt
Traceback (most recent call last):
  File "./volatility", line 219, in <module>
    main()
  File "./volatility", line 215, in main
    command.execute()
  File "/digitalforensics/Volatility-1.3.2/memory_plugins/fileobjscan.py", line 257, in execute
    scan_addr_space(search_addr_space, scanners)
  File "/digitalforensics/Volatility-1.3.2/forensics/win32/scan2.py", line 218, in scan_addr_space
    o.process(chunk,as_offset+poffset, metadata=metadata)
  File "/digitalforensics/Volatility-1.3.2/forensics/win32/scan2.py", line 148, in process
    self.process_buffer(buf,self.offset,metadata)
  File "/digitalforensics/Volatility-1.3.2/forensics/win32/scan2.py", line 425, in process_buffer
    self.object_action(buff,ooffset)
  File "/digitalforensics/Volatility-1.3.2/memory_plugins/fileobjscan.py", line 190, in object_action
    for i in range(count):
OverflowError: range() result has too many items
Mark Morgan
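The traceback ends in `for i in range(count)` with a count taken from the scanned object. On Python 2, which Volatility 1.3 runs on, range() materialises a list, and "range() result has too many items" is raised when the argument exceeds sys.maxint. In other words the field held garbage, which a pool scan over physical memory routinely encounters in carved or partially overwritten objects. The general defence is to bound every integer read from memory by the bytes that are actually present before iterating on it. Below is an added example, not fileobjscan's code and using a hypothetical count-prefixed record format, showing the pattern from the traceback next to a bounded version.

```python
"""
Added example (not Volatility's fileobjscan): a carver must treat every integer
it reads from memory as untrusted. The record format here is hypothetical.
"""
import struct

COUNT_FMT = "<I"        # hypothetical u32 element count stored in the scanned object
RECORD_FMT = "<II8s"    # hypothetical 16-byte record: two u32 fields and an 8-byte name
RECORD_SIZE = struct.calcsize(RECORD_FMT)
MAX_RECORDS = 4096      # assumption: a ceiling chosen for this format, independent of buffer size


def parse_records_unsafe(buf, off):
    """The pattern in the traceback: count goes from memory straight into range().
    On Python 2 a garbage count above sys.maxint raises 'OverflowError: range()
    result has too many items'; on Python 3 the loop runs until it reads past the
    buffer and struct raises instead."""
    (count,) = struct.unpack_from(COUNT_FMT, buf, off)
    return [struct.unpack_from(RECORD_FMT, buf, off + 4 + i * RECORD_SIZE) for i in range(count)]


def parse_records_safe(buf, off):
    """Bound the count by both a format ceiling and the bytes actually present."""
    (count,) = struct.unpack_from(COUNT_FMT, buf, off)
    available = (len(buf) - off - 4) // RECORD_SIZE
    if count > min(MAX_RECORDS, available):
        return None  # not a valid object: skip this hit instead of aborting the whole scan
    return [struct.unpack_from(RECORD_FMT, buf, off + 4 + i * RECORD_SIZE) for i in range(count)]


def unsafe_raises(buf, off):
    """Name of the exception the unsafe parser dies with on this input, or None if it succeeds."""
    try:
        parse_records_unsafe(buf, off)
    except (struct.error, OverflowError, MemoryError) as exc:
        return type(exc).__name__
    return None


def good_sample():
    """Constructed: a valid object holding two records."""
    return (struct.pack(COUNT_FMT, 2)
            + struct.pack(RECORD_FMT, 1, 100, b"alpha\0\0\0")
            + struct.pack(RECORD_FMT, 2, 200, b"beta\0\0\0\0"))


def garbage_sample():
    """Constructed: a false-positive hit whose count field is arbitrary bytes, followed by one record's worth of data."""
    return struct.pack(COUNT_FMT, 0xDEADBEEF) + b"A" * RECORD_SIZE


if __name__ == "__main__":
    print("good   safe  :", parse_records_safe(good_sample(), 0))
    print("garbage safe :", parse_records_safe(garbage_sample(), 0))
    print("garbage unsafe raises:", unsafe_raises(garbage_sample(), 0))
```

The bounded version returns None for the garbage hit so the scan continues; the unsafe version dies, which is the behaviour the traceback shows. The same check belongs in front of any length, count or pointer pulled out of a carved structure.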