- Vol-users - volatilityfoundation.org

by Michael Felber , Steufa Chemnitz, IT-Forensik

Hello Brendan, hello all thanks a lot for the carefree-all-around zip package. It works fine. The hiberfil.sys gets decompressed now. Thanks a lot to all other for their useful hints. I have processed a "shortened" version of the original file without the hiberfil-slack. Now both programs (vol and WinHex) did decompress the file BUT: The files have the same length but different md-5-sums because of 'some' binary differences. At the moment I don't know, which version is the 'right'. Both mapped with X-Ways Forensics generated the following results: WinHex-version: totally 1.465 objects, Volatility-version: 1.363 objects I have compared the results and found, that some minor objects in the xwf-version are duped but some objects are not found in the vol-version. I have attached a list of the "missed" objects, quick and dirty, simply sorted by name. Maybe someone has a clue what may have caused this difference. Currently I try to find a way to compare extracted objects by vol and XWF. BR Michael @Andreas: Thanks for the offer to call you, will do that but need your "Telefonnummer"... -----Ursprüngliche Nachricht----- Von: Dolan-gavitt, Brendan F [mailto:brendandg@gatech.edu] Gesendet: Donnerstag, 2. Juli 2009 20:20 An: AAron Walters Cc: Michael Felber , Steufa Chemnitz, IT-Forensik Betreff: Re: AW: Analyzing a Hiberfil.sys I did indeed--you can get it here: http://amnesia.gtisc.gatech.edu/~moyix/Volatility-SVN.zip -Brendan ----- Original Message ----- From: "AAron Walters" <awalters(a)4tphi.net> To: "Michael Felber , Steufa Chemnitz, IT-Forensik" <MichaelFelber(a)gmx.net> Cc: brendandg(a)gatech.edu Sent: Thursday, July 2, 2009 11:13:55 AM GMT -05:00 US/Canada Eastern Subject: Re: AW: Analyzing a Hiberfil.sys Michael, You will need to check out the entire repository. At one point, Brendan created a zip file. Thanks, AW On Thu, 2 Jul 2009, Michael Felber , Steufa Chemnitz, IT-Forensik wrote: > Hello Aaron, > > have downloaded most of the new files but got volatility crashed with that. > I assume I have to download ALL the new released files manually an copy them > to their destination? Or is there a new complete package available? > > Cu > > Michael > > -----Ursprüngliche Nachricht----- > Von: AAron Walters [mailto:awalters@4tphi.net] > Gesendet: Donnerstag, 2. Juli 2009 16:22 > An: Michael Felber , Steufa Chemnitz, IT-Forensik > Cc: brendandg(a)gatech.edu > Betreff: Re: Analyzing a Hiberfil.sys > > > > Michael, > > Thanks for the email. I'm glad you have found Volatility useful. You may > want to check out the latest version from the svn repository which > includes a number of bug fixes. Let me know if it generates the same > errors. > > http://code.google.com/p/volatility/source/checkout > > Thanks, > > AW > > > On Thu, 2 Jul 2009, Michael Felber , Steufa Chemnitz, IT-Forensik wrote: > >> Hello, >> >> >> >> I am new to volatility but I am very impressed by the capabilities of that >> tool collection. I have already used it in a couple of cases and found >> interesting clues for further investigation more than one time. Thanks a >> lot, great tool. >> >> >> >> I used v 1.3 Beta with Python 2.6.2. to analyze a hiberfil.sys. The try > to >> decompress it produced the following error message: >> >> >> >> C:\Micha\Forensics\Volatility>python volatility hibinfo -f >> "F:\X-Ways-Images\##bad guy##\RAM-Analyse\NB Asus, Partition >> 2\hiberfil-NB-ASUS.sys" –d "hiberfil-NB-ASUS-vol.sys" >> >> C:\Micha\Forensics\Volatility\forensics\win32\crashdump.py:31: >> DeprecationWarning: the sha module is deprecated; use the hashlib module >> instead >> >> import sha >> >> Signature: >> >> SystemTime: Thu Jan 01 00:00:00 1970 >> >> >> >> Control registers flags >> >> CR0: 000212dd >> >> CR0[PAGING]: 0 >> >> CR3: 0001d69f >> >> CR4: 00020160 >> >> CR4[PSE]: 0 >> >> CR4[PAE]: 1 >> >> Traceback (most recent call last): >> >> File "volatility", line 219, in <module> >> >> main() >> >> File "volatility", line 212, in main >> >> modules[argv[1]].execute(argv[1], argv[2:]) >> >> File "C:\Micha\Forensics\Volatility\vmodules.py", line 62, in execute >> >> self.cmd_execute(module, args) >> >> File "C:\Micha\Forensics\Volatility\vmodules.py", line 1677, in hibinfo >> >> (major,minor,build) = hiberAS.get_version() >> >> File "C:\Micha\Forensics\Volatility\forensics\win32\hiber_addrspace.py", >> line 452, in get_version >> >> addr_space = IA32PagedMemoryPae(self,self.CR3) >> >> NameError: global name 'IA32PagedMemoryPae' is not defined >> >> >> >> Options –q, -t pae|nopae did not help. >> >> >> >> What went wrong? >> >> >> >> Kindest regards >> >> >> >> Michael Felber >> >> Agent in charge >> >> >> >> Michael Felber, StA >> >> Finanzamt Chemnitz-Süd >> >> Steuerfahndung >> >> IT-Forensik >> >> Paul-Bertz-Str. 1 >> >> D-09120 Chemnitz >> >> Germany >> >> >> >> Fon: +49 371 279 446 >> >> Fax. +49 371 279 421 >> >> >> >> >:

15 years, 11 months

1
0
0 0

Re: [Vol-users] Analyzing a hiberfil.sys

by Matthieu Suiche

Agreed with Andreas. The first page is propably empty. I dont have the last version of XWays. Anyway, Ill release in the following months a package of useful tools for file conversion. Including a hibr2bin.exe tool with Windows 2000 support. Kind Regards, -- Matthieu Suiche On Thu, Jul 2, 2009 at 5:14 PM, Andreas Schuster<a.schuster(a)yendor.net> wrote: > Hello Michael, > >> Signature: > > I'd expect to see "hibr" here. Please check whether the file starts with the > proper magic string. Or did you already decompress the file? If so, then > please either decompress the original file using "hibinfo" or try "ident" on > the existing one. > > Regarding Matthieu's post: As far as I know, X-Ways switched to a different > implementation of the decompression algorithm after my blog post appeared. I > *think* it works as expected, but as a customer you may want to ask them for > their (internal) test results and methodology, just to be sure. > > I'll be back to my office on Tuesday. Feel free to give me a call if the > problem persists. > > Viele Gruesse, > Andreas > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >

15 years, 11 months

1
0
0 0

Volatility Plug-in for IAT/EAT/Inline Hook Detection

by AAron Walters

http://mnin.blogspot.com/2009/05/volatility-plug-in-for-iateatinline.html Michael Hale Ligh has created another new Volatility plugin for malware analysts. This plug-in called usermode_hooks.py can be used to detect IAT/EAT/Inline rootkit hooks in usermode processes. I'm sure he would appreciate testing help and any feedback you are able to provide. Shouts to MHL! Thanks, AW

16 years

1
0
0 0

Re: [Vol-users] Volatility's Network Connections

by david＠sharpebusinesssolutions.com

I concur with your point about needing to use all three tools. Each has its own strengths and weaknesses. I use HBGary Responder Pro primarily and fall over to Volatility or Mandiant Memoryze when I come across something HBGary can't do (or I don't know how to do in HBGary). To your point about analyzing network connections, I have recently observed cases where Volatility "connections" produces no output at all and HBGary does. In that situation Volatility "connscan" does find connections, but the lists doesn't 100% match HBGary. I am also a little concerned about what appears to me to be a drop in development activity around Volatility. Is Mandiant Memoryze going to take over the top slot? Right now, I see Mandiant Memoryze as third best behind HBGary and Volatility, but Volatility can't stand still. For example, does anyone know if there any plans to provide functionaility similar to HBGary's new Digital DNA in Volatility? If anyone wants to share information or experiences across all three applications or memory dump analysis in general, feel free to contact me at david(a)sharpebusinesssolutions.com. -- David --- cutaway(a)cutawaysecurity.com wrote: From: "Don C. Weber" <cutaway(a)cutawaysecurity.com> To: vol-users(a)volatilesystems.com Subject: [Vol-users] Volatility's Network Connections Date: Wed, 6 May 2009 08:48:47 -0500 I wanted to let you know that while using Volatility and several other memory analysis tools I received some conflicting information associated with network connections. I did a quick blog post on the subject that can be read here: http://www.cutawaysecurity.com/blog/archives/523 . It looks like Volatility shows more information than the others in some instances. Also, if you have additional information or detail on this please post a comment or let me know so that I can add an update to the post. -- -------------------------- Don C. Weber Information Security Consultant Cutaway Security CISSP, GIAC ######################################### Website: http://www.cutawaysecurity.com _______________________________________________ Vol-users mailing list Vol-users(a)volatilesystems.com http://lists.volatilesystems.com/mailman/listinfo/vol-users

16 years

7
6
0 0

Re: [Vol-users] Volatility's Network Connections

by david＠sharpebusinesssolutions.com

The Volatility connscan and connscan2 output are identical byte-for-byte against the dump I am talking about. "Connections" terminates gracefully with no console output in tcb_connections in network.py after having trouble locating the right data structure to walk in my dump file. Thank you for taking the time to respond. I wasn't really asking for help with anything in my initial reply to this thread. I was just trying to support the original author's assertion that there are differences between the various commercial and non-commercial solutions in the Windows memory dump analysis space. In my view, all three that I personally have experience with so far: Volatility, HBGary Responder, and Mandiant Memoryze all have their own strengths and weaknesses. I see this space just like hard drive or mobile device forensics - each of the leading vendors has their strong points and sometimes you need to combine the results of multiple tools to get the best results. -- David --- taosecurity(a)gmail.com wrote: From: Richard Bejtlich <taosecurity(a)gmail.com> To: david(a)sharpebusinesssolutions.com Cc: "Don C. Weber" <cutaway(a)cutawaysecurity.com>, vol-users(a)volatilesystems.com Subject: Re: [Vol-users] Volatility's Network Connections Date: Mon, 11 May 2009 10:15:48 -0400 On Thu, May 7, 2009 at 10:12 AM, <david(a)sharpebusinesssolutions.com> wrote: > > > I concur with your point about needing to use all three tools. Each has its own strengths and weaknesses. I use HBGary Responder Pro primarily and fall over to Volatility or Mandiant Memoryze when I come across something HBGary can't do (or I don't know how to do in HBGary). > > To your point about analyzing network connections, I have recently observed cases where Volatility "connections" produces no output at all and HBGary does. In that situation Volatility "connscan" does find connections, but the lists doesn't 100% match HBGary. > Hi David, When you say "connscan", have you also used "connscan2"? Thank you, Richard _______________________________________________ Vol-users mailing list Vol-users(a)volatilesystems.com http://lists.volatilesystems.com/mailman/listinfo/vol-users

16 years

1
0
0 0

Volatility's Network Connections

by Don C. Weber

I wanted to let you know that while using Volatility and several other memory analysis tools I received some conflicting information associated with network connections. I did a quick blog post on the subject that can be read here: http://www.cutawaysecurity.com/blog/archives/523 . It looks like Volatility shows more information than the others in some instances. Also, if you have additional information or detail on this please post a comment or let me know so that I can add an update to the post. -- -------------------------- Don C. Weber Information Security Consultant Cutaway Security CISSP, GIAC ######################################### Website: http://www.cutawaysecurity.com

16 years

2
2
0 0

Acquiring data and support for Win2k3.

by Richard Miles

Hello volatile users, It's my first post, I'm not in the forensics Industry, I'm more like a curious... I'm very impressed with volatile system. Amazing project. Someone know if there any any plan to add support to Windows 2003 in Volatility? It should be awesome. Speaking a bit about acquiring data. I use mdd in general. However I always only copy a small amount of ram (256 mb in average), because try copy the whole system memory result in crashes. There is anyway to copy most data as possible without disrupt windows? In general, how do you deal with this problem? Thank you. R.

16 years, 2 months

1
0
0 0

Volatility as an executable program

by Hermann Lizelfelner

Hallo! I'm currently working on a forensic aquisition tool to get live data from a running system. I want to extend the tool with volatility and therefore make the tool independent from an installed python on the system volatility is executed. What's the best possibility to have a "mobile" volatility? I tried py2exe but it is not trivial to include all the needed modules and dlls needed to run volitility correct. Currently the volatility-exe created with py2exe is only running when python is installed on the system. Has somebody a better idea to create a mobile volatility or a setup.py for py2exe that works? best regards hermann -- Neu: GMX FreeDSL Komplettanschluss mit DSL 6.000 Flatrate + Telefonanschluss für nur 17,95 Euro/mtl.!* http://dsl.gmx.de/?ac=OM.AD.PD003K11308T4569a

16 years, 2 months

2
1
0 0

Getting network info from XP-SP3 image

by Doug Collins

Perhaps I'm off target here. I know that I was successfully obtaining open ports and IP addresses from my memory dumps before. But I haven't seen any output from the connections module or sockets for the last while. I have compared the results using the same image file, in Memoryze/Audit Viewer and am getting the correct network info. I'm wondering if this is a result of SP3? Or have I missed something. Thanks. Doug C.

16 years, 3 months

2
1
0 0

Volatile Week (New Plugins)

by AAron Walters

vol-users, In case any subscribers don't follow the Volatility tumblr (http://volatility.tumblr.com/) I wanted to highlight some new tools/plugins. Michael Hale Ligh just released a new Volatility plug-in, malfind.py to find and extract hidden and/or injected code from physical memory samples. He even provides a video demonstrating how it works. Shouts to MHL! http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html http://www.mnin.org/code/malfind.py http://www.mnin.org/video/malfind/malfind.html Brendan Dolan-Gavitt released a new plugin for Volatility called moddump. Moddump allows a memory forensics analyst to extract kernel modules from physical memory. Simply add it to your memory_plugins directory and start dumping kernel modules. Shouts to Brendan! http://moyix.blogspot.com/2008/10/plugin-post-moddump.html http://kurtz.cs.wesleyan.edu/~bdolangavitt/memory/moddump.py Finally, Gleeda publicly released vol2html. vol2html is a Perl script that takes the output of Volatility and creates an html report. Shouts to Gleeda! http://gleeda.blogspot.com/2008/11/vol2html-perl-script.html Thanks, AW

16 years, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users