Agreed with Andreas. The first page is probably empty.
I don't have the last version of XWays.
Anyway, I'll release in the following months a package of useful tools
for file conversion, including a hibr2bin.exe tool with Windows 2000
support.
Kind Regards,
--
Matthieu Suiche
On Thu, Jul 2, 2009 at 5:14 PM, Andreas Schuster <a.schuster(a)yendor.net> wrote:
> Hello Michael,
>
>> Signature:
>
> I'd expect to see "hibr" here. Please check whether the file starts with the
> proper magic string. Or did you already decompress the file? If so, then
> please either decompress the original file using "hibinfo" or try "ident" on
> the existing one.
>
> Regarding Matthieu's post: As far as I know, X-Ways switched to a different
> implementation of the decompression algorithm after my blog post appeared. I
> *think* it works as expected, but as a customer you may want to ask them for
> their (internal) test results and methodology, just to be sure.
>
> I'll be back to my office on Tuesday. Feel free to give me a call if the
> problem persists.
>
> Viele Gruesse,
> Andreas
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
http://mnin.blogspot.com/2009/05/volatility-plug-in-for-iateatinline.html
Michael Hale Ligh has created another new Volatility plugin for malware
analysts. This plug-in called usermode_hooks.py can be used to detect
IAT/EAT/Inline rootkit hooks in usermode processes. I'm sure he
would appreciate testing help and any feedback you are able to provide.
Shouts to MHL!
Thanks,
AW
I concur with your point about needing to use all three tools. Each has its own strengths and weaknesses. I use HBGary Responder Pro primarily and fall over to Volatility or Mandiant Memoryze when I come across something HBGary can't do (or I don't know how to do in HBGary).
To your point about analyzing network connections, I have recently observed cases where Volatility "connections" produces no output at all and HBGary does. In that situation Volatility "connscan" does find connections, but the lists don't 100% match HBGary.
I am also a little concerned about what appears to me to be a drop in development activity around Volatility. Is Mandiant Memoryze going to take over the top slot? Right now, I see Mandiant Memoryze as third best behind HBGary and Volatility, but Volatility can't stand still.
For example, does anyone know if there are any plans to provide functionality similar to HBGary's new Digital DNA in Volatility?
If anyone wants to share information or experiences across all three applications or memory dump analysis in general, feel free to contact me at david(a)sharpebusinesssolutions.com.
-- David
--- cutaway(a)cutawaysecurity.com wrote:
From: "Don C. Weber" <cutaway(a)cutawaysecurity.com>
To: vol-users(a)volatilesystems.com
Subject: [Vol-users] Volatility's Network Connections
Date: Wed, 6 May 2009 08:48:47 -0500
I wanted to let you know that while using Volatility and several other
memory analysis tools I received some conflicting information associated with
network connections. I did a quick blog post on the subject that can be read
here: http://www.cutawaysecurity.com/blog/archives/523 . It looks like
Volatility shows more information than the others in some instances.
Also, if you have additional information or detail on this please post a
comment or let me know so that I can add an update to the post.
--
--------------------------
Don C. Weber
Information Security Consultant
Cutaway Security
CISSP, GIAC
#########################################
Website: http://www.cutawaysecurity.com
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilesystems.com
http://lists.volatilesystems.com/mailman/listinfo/vol-users
The Volatility connscan and connscan2 output are identical byte-for-byte against the dump I am talking about. "Connections" terminates gracefully with no console output in tcb_connections in network.py after having trouble locating the right data structure to walk in my dump file.
Thank you for taking the time to respond. I wasn't really asking for help with anything in my initial reply to this thread. I was just trying to support the original author's assertion that there are differences between the various commercial and non-commercial solutions in the Windows memory dump analysis space. In my view, all three that I personally have experience with so far: Volatility, HBGary Responder, and Mandiant Memoryze all have their own strengths and weaknesses. I see this space just like hard drive or mobile device forensics - each of the leading vendors has their strong points and sometimes you need to combine the results of multiple tools to get the best results.
-- David
--- taosecurity(a)gmail.com wrote:
From: Richard Bejtlich <taosecurity(a)gmail.com>
To: david(a)sharpebusinesssolutions.com
Cc: "Don C. Weber" <cutaway(a)cutawaysecurity.com>, vol-users(a)volatilesystems.com
Subject: Re: [Vol-users] Volatility's Network Connections
Date: Mon, 11 May 2009 10:15:48 -0400
On Thu, May 7, 2009 at 10:12 AM, <david(a)sharpebusinesssolutions.com> wrote:
>
>
> I concur with your point about needing to use all three tools. Each has its own strengths and weaknesses. I use HBGary Responder Pro primarily and fall over to Volatility or Mandiant Memoryze when I come across something HBGary can't do (or I don't know how to do in HBGary).
>
> To your point about analyzing network connections, I have recently observed cases where Volatility "connections" produces no output at all and HBGary does. In that situation Volatility "connscan" does find connections, but the lists don't 100% match HBGary.
>
Hi David,
When you say "connscan", have you also used "connscan2"?
Thank you,
Richard
Hello volatile users,
It's my first post. I'm not in the forensics industry, I'm more of a
curious person...
I'm very impressed with volatile system. Amazing project.
Does anyone know if there is any plan to add support for Windows 2003 in
Volatility? It would be awesome.
Speaking a bit about acquiring data: I use mdd in general. However, I
always only copy a small amount of RAM (256 MB on average), because
trying to copy the whole system memory results in crashes. Is there any way to
copy as much data as possible without disrupting Windows? In general, how do
you deal with this problem?
Thank you.
R.
Hallo!
I'm currently working on a forensic acquisition tool to get live data from a running system. I want to extend the tool with Volatility and therefore make the tool independent of a Python installation on the system where Volatility is executed. What's the best possibility to have a "mobile" Volatility? I tried py2exe, but it is not trivial to include all the modules and DLLs needed to run Volatility correctly. Currently the Volatility exe created with py2exe only runs when Python is installed on the system. Does somebody have a better idea to create a mobile Volatility, or a setup.py for py2exe that works?
best regards
hermann
Perhaps I'm off target here. I know that I was successfully obtaining
open ports and IP addresses from my memory dumps before. But I haven't
seen any output from the connections module or sockets for the last
while.
I have compared the results using the same image file, in
Memoryze/Audit Viewer and am getting the correct network info.
I'm wondering if this is a result of SP3? Or have I missed something.
Thanks.
Doug C.
Hi Brian,
There is no such thing as a stupid question; don't worry. To my knowledge nobody
has published much information about doing memory analysis on 64-bit systems, so
the following is mostly conjecture.
When working in 64-bit mode Intel processors use a different method of
translating the virtual addresses used by programs and the operating system into
the physical addresses in RAM where data really lives. As such there are going to
be several differences in the operating system for a) keeping track of where data
lives and b) virtual to physical address translation. You can read much more
about these differences in the Intel Architecture Software Developer's Manuals,
http://www.intel.com/products/processor/manuals/. BTW, Intel will mail you hard
copies of those books for free. Really! As many as you'd like of whichever ones
you'd like. Enjoy!
As for the differences in anything else, like I said, I don't think anybody has
published on those yet. You could be the first!
cheers,
--
Jesse
jessek(a)speakeasy.net
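Jesse's reply leaves the 64-bit translation mechanism to the Intel manuals. As an added example that is not code from the thread or from Volatility, the following Python walks the four-level IA-32e paging structures (PML4, PDPT, PD, PT) that 64-bit mode uses, including 1 GiB and 2 MiB large pages, over a constructed physical memory image; the table placement, CR3 value and sample addresses are assumptions made for illustration.

```python
import struct

PAGE_MASK = 0x000FFFFFFFFFF000  # bits 12..51 of an entry: next-level physical address
PRESENT = 1 << 0                # bit 0: entry is present
LARGE_PAGE = 1 << 7             # PS bit: 1 GiB page in a PDPT entry, 2 MiB in a PD entry

def translate_x64(mem, cr3, vaddr):
    """Resolve a 64-bit virtual address to a physical offset in `mem`
    (a bytes-like physical memory image) by walking the four paging
    levels rooted at cr3. Returns None if any level is not present."""
    table = cr3 & PAGE_MASK
    # 9-bit index for PML4, PDPT, PD and PT, taken from bits 47..12 of vaddr
    for level, shift in enumerate((39, 30, 21, 12)):
        idx = (vaddr >> shift) & 0x1FF
        entry = struct.unpack_from("<Q", mem, table + idx * 8)[0]
        if not entry & PRESENT:
            return None
        base = entry & PAGE_MASK
        if level in (1, 2) and entry & LARGE_PAGE:
            page_bits = (1 << shift) - 1          # 30 or 21 bits of in-page offset
            return (base & ~page_bits) | (vaddr & page_bits)
        table = base
    return table | (vaddr & 0xFFF)                # 4 KiB page: 12-bit offset

def build_sample_image():
    """Constructed image (not a real dump): PML4 at 0x1000, PDPT at 0x2000,
    PD at 0x3000, PT at 0x4000, a 4 KiB data page at 0x5000 and one 2 MiB
    large page whose backing starts at physical 0x200000. Returns (image, CR3)."""
    mem = bytearray(0x6000)

    def put(paddr, value):
        struct.pack_into("<Q", mem, paddr, value)

    put(0x1000 + 0 * 8, 0x2000 | 0x3)     # PML4[0] -> PDPT, present + writable
    put(0x2000 + 0 * 8, 0x3000 | 0x3)     # PDPT[0] -> PD
    put(0x3000 + 2 * 8, 0x4000 | 0x3)     # PD[2]   -> PT
    put(0x3000 + 3 * 8, 0x200000 | 0x83)  # PD[3]   -> 2 MiB page (PS bit set)
    put(0x4000 + 1 * 8, 0x5000 | 0x3)     # PT[1]   -> data page
    return bytes(mem), 0x1000

if __name__ == "__main__":
    mem, cr3 = build_sample_image()
    print(hex(translate_x64(mem, cr3, 0x401ABC)))  # 0x5abc   (4 KiB page)
    print(hex(translate_x64(mem, cr3, 0x600123)))  # 0x200123 (2 MiB page)
    print(translate_x64(mem, cr3, 0x800000))       # None     (not mapped)
```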