Hi there,
I'm trying to code an small tool to interact with users, hash modules
and dump them... but this last part is not working properly. I have in
my code something like:
(self.addr_space, self.symtab, self.types) =
vutils.load_and_identify_image(self.op, self.opts)
...
for module in modules_list(self.addr_space, self.types, self.symtab):
...
driver_base = module_baseaddr(self.addr_space, self.types, module)
driver_size = module_imagesize(self.addr_space, self.types, module)
data = self.addr_space.read(driver_base, driver_size)
The problem is that using this code, data is always None. Tracing a
bit I found that is because at some point, one of the pages cannot be
read because a call to vtop return None (PTE = 0 for that page, but it
shouldn't be). I've been testing the code with different memory images
and I even get the same behaviour when testing it with NIST's
xp-laptop dumps, so I'm quite sure it's not because a weird memory
dump.
So, any ideas of what I'm doing wrong? Also any hint about the best
way of use the API would be nice. I mean, I'm using calls to
module_baseaddr while other code I saw (moddump by moyix) uses things
like mod.BaseAddress.v()
Thanks,
Tora
Hi Mark,
Did you install the registry plugins (that contain hivescan)? Make
sure you get all supporting libraries installed. You can check
Moyix's blogpost
(http://moyix.blogspot.com/2009/01/memory-registry-tools.html) on how
to install/use it and there are also installation manuals on the
Documentation wiki that cover it as well
(http://code.google.com/p/volatility/wiki/DocFiles) Also, you may
want to use the framework from the SVN
(http://code.google.com/p/volatility/source/checkout) if you haven't
already (there's also documentation on how to use SVN on the
documenation wiki)...
As Darren also said, the forensics wiki
(http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins) has a
pretty good list of current Volatility plugins.
All the best,
-gleeda
> Date: Mon, 28 Jun 2010 22:09:02 +0000 (UTC)
> From: mark-wade(a)comcast.net
> Subject: [Vol-users] Third Party plugins
> To: vol-users(a)volatilityfoundation.org
> Message-ID:
> <1973170622.78668.1277762942105.JavaMail.root(a)sz0109a.westchester.pa.mail.comcast.net>
>
> Content-Type: text/plain; charset="utf-8"
>
>
>
> Hello,
>
>
>
> I am trying to see if there is a list or repository anywhere for third party plugins . Also, I am running the hivescan with the1.3 Beta. I dumped the hivescan plugin package in the Volatility directory, but when I run it I am getting the message: Error: Invalid module [ hivescan ]. Are there any docs to address running third party apps with Volatility ? I am running it on Windows.
>
>
>
> Thanks
Hello,
I am trying to see if there is a list or repository anywhere for third party plugins . Also, I am running the hivescan with the1.3 Beta. I dumped the hivescan plugin package in the Volatility directory, but when I run it I am getting the message: Error: Invalid module [ hivescan ]. Are there any docs to address running third party apps with Volatility ? I am running it on Windows.
Thanks
I tried the hibr2dmp utility, but it fails on both my Vista possible hacking hibernation file, as well as a Vista 32-bit test hibernation file. Both contain a block of zeros at the beginning of the file.
Howard Patterson
Special Agent
Technical Services Unit
Tennessee Bureau of Investigation
615-744-4376
howard.patterson(a)tn.gov
Is anyone working on extending Volatility to work with Vista? I have a hibernation file from a Vista (32-bit) machine and am searching for possible intrusion/hacking. Don't have ram capture.
Howard Patterson
Special Agent
Technical Services Unit
Tennessee Bureau of Investigation
615-744-4376
howard.patterson(a)tn.gov
Bruce,
Change the extension from ".txt" to ".bin" or maybe even try ".dmp" and then run Volatility. It has been a while since I have done it, but I believe you will want to use ".bin".
Regards,
Chris
Chris Currier
CMT Digital Solutions, Inc.
The latest forensics challenge for The Honeynet Project involves
investigating a memory sample of an infected virtual machine. In order to
encourage research and development in the area of memory forensics, The
Order of Volatility plans to augment the prizes awarded to those
submissions in the top three which leverage The Volatility Framework. Even
if you are a Volatility power-user who doesn't find the questions
particularly interesting, we still encourage you to participate. To that
end, we are also planning to recognize the submission that extends the
Volatility Framework in the most unique or creative way (i.e., plugins,
visualizations, etc). Submissions are due by 17:00 EST, Sunday, April
18th 2010.
Shoutz to Josh Smith, a Volatility supporter, for helping to encourage
research in the area of memory forensics!
http://www.honeynet.org/challenges/2010_3_banking_troubles
I did a memory and volatile data acquisition with Helix.
While using the enscript version of volatility I found on the blog, I ran it
against the memorydump and the TCP network connections scan showed a
connection:
192.168.1.104:1142 81.169.145.x:80 3852
The strange thing is, I cant find the process accociated with processid 3852
in the enscript version with pslist.
When I run the volatility program from a linux commandline I cant see any
connection at all (with the options connscan and connscan2) and there is no
process in plist with id 3852.
In the volatile data report of Helix this connection isnt showing either.
Of course I want to know what kind of process this is, can anyone help me?
Thanks a lot,
K Bertens
Begin forwarded message:
> From: Brian Carrier <carrier(a)digital-evidence.org>
> Date: March 2, 2010 10:57:02 AM EST
> Subject: [linux_forensics] Interested in a Sleuth Kit and Open Source Forensics Users Conference?
>
> We are thinking about hosting the first ever Sleuth Kit and Open Source
> Forensics Users Conference this year on June 9 in Chantilly, VA (USA).
> It would be held in conjunction with the Basis Technology Government
> Users Conference (but it will be open to non-Government users). The goal
> of the conference would be to announce some new Sleuth Kit features,
> learn about how Sleuth Kit is integrated into other tools, learn about
> other open source forensics tools, and get some ideas on future
> directions of the tools.
>
> We have commitments from some companies who are willing to talk about
> how they are using TSK and I next wanted to get an idea about who was
> interested in attending or giving a presentation. Can you send me an
> e-mail (off list) if you would be interested in attending or presenting?
> If there is enough interest, then we'll see you in June!
>
> For those who want more location details, here is a link to the Basis
> conference site:
> http://www.basistech.com/conference/2010/directions.html
>
> thanks,
> brian
>
Just out of curiosity, was there message text in this email? I didn't
get it for some reason...
> Date: Mon, 1 Mar 2010 09:31:42 -0600
> From: "Schroeder, William" <William.Schroeder(a)cmegroup.com>
> Subject: [Vol-users] connscan ouput question
> To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org>
> Message-ID:
> <B61619049B3B8049A5F883C2822A080C0E11583318(a)SMAPEXMBX2.prod.ad.merc.chicago.cme.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Skipped content of type multipart/alternative
