Hi,
Anybody know where we can get the sample image mentioned
xp-laptop-2005-07-04-1430.img in README.txt?
I got http://www.cfreds.nist.gov/mem/memory-images.rar, but inside I
found only a Win2003 image, and it doesn't work with 1.3-beta.
If it is not there anymore, can anybody upload the XP image somewhere
for us to try?
Thanks,
J
Hi all,
Please, is it possible to examine a hiberfil.sys file (extracted from a
"dead" system) directly with Volatility, such as:
python volatility pslist -f c:\tmp\hiberfil.sys => Error: Unable to
locate valid DTB in Image
or do I have to convert it to another format first?
Thanks
Have a good weekend
:)
Best regards
Jean Francois
I tried to use Volatility with pyFlag, which doesn't work due to the
missing Linux analysis part in Volatility. What happened with the
directory forensics/linux in Volatility?
chris
The Volatility Team is pleased to announce the release of Volatility 1.3,
the open source memory forensics framework. The framework was recently
used to help win both the DFRWS 2008 Forensics Challenge and the Forensics
Rodeo, demonstrating its power and effectiveness for augmenting digital
investigations.
The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for performing
advanced memory forensics. The extraction techniques are performed
completely independently of the system being investigated but still offer
unprecedented visibility into the run time state of the system. The
framework is intended to introduce people to the techniques and
complexities associated with extracting digital artifacts from volatile
memory samples, while providing a powerful platform for further research.
Volatility 1.3 currently supports the investigation of Microsoft Windows
XP Service Pack 2 and Service Pack 3 memory samples. Preliminary support
has also been added for the Linux operating system, making Volatility the
only cross platform memory analysis framework.
Some of the new features in Volatility 1.3 include:
* Over 14 new data view modules!
* New object model allowing easier module development and memory
exploration
* New plugin design allowing organizations to easily create, maintain, and
share modules
* New object oriented scanning infrastructure (Very Fast!)
* Process graphing capabilities
* Ability to extract open registry handles
* Ability to dump a process' addressable memory
* Ability to extract executables from memory samples
* Transparently supports a variety of sample formats (i.e., CrashDump,
Hibernate, DD)
* Automated conversion between sample formats
* New scanning modules (i.e., modules)
* Support for XP SP3
Special thanks to Brendan Dolan-Gavitt, Andreas Schuster, Michael Cohen,
and Matthieu Suiche.
Download the Volatility Framework from:
https://www.volatilityfoundation.org/default/volatility
Thanks,
The Volatility Team
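Two things in this thread touch on sample formats: the question above about pointing Volatility straight at a hiberfil.sys and getting "Unable to locate valid DTB in Image", and the 1.3 announcement's claim of transparent support for CrashDump, Hibernate and DD samples. The script below is an added example, not code from the Volatility project or from anyone on this list. It sniffs which container a sample is from its leading bytes using the documented Windows signatures, which are an assumption of this example rather than something the thread states: a crash dump starts with PAGEDUMP (32-bit) or PAGEDU64 (64-bit) and carries the DirectoryTableBase at offset 0x10, so it never needs a DTB scan; a hibernation file starts with hibr/HIBR, or wake/WAKE once the kernel has resumed from it; a raw dd-style image has no header at all. The sample headers in the block are constructed, not captured from a real system.

```python
import struct

# Assumed (documented) header signatures; not stated anywhere in the list thread.
CRASHDUMP_SIGNATURES = {b"PAGEDUMP": 32, b"PAGEDU64": 64}
HIBER_VALID = (b"hibr", b"HIBR")      # written when the system hibernated
HIBER_RESUMED = (b"wake", b"WAKE")    # rewritten by the kernel after a resume
HEADER_BYTES = 64                     # enough to reach the crash-dump DTB field


def sniff_format(header):
    """Classify a memory sample from its leading bytes.

    Returns a dict whose 'format' key is 'crashdump', 'hibernation' or 'raw'.
    For crash dumps the DirectoryTableBase (DTB) is read straight from the
    header at offset 0x10 (4 bytes on 32-bit, 8 bytes on 64-bit; assumed
    layout), which is why a crash dump never needs a DTB scan. Anything
    without a known signature is reported as raw, because a dd-style sample
    has no header to check; 'raw' therefore means "no signature found", not
    "verified to be a valid image".
    """
    if len(header) < HEADER_BYTES:
        raise ValueError("need at least %d header bytes" % HEADER_BYTES)

    bits = CRASHDUMP_SIGNATURES.get(bytes(header[:8]))
    if bits is not None:
        fmt = "<I" if bits == 32 else "<Q"
        (dtb,) = struct.unpack_from(fmt, header, 0x10)
        return {"format": "crashdump", "bits": bits, "dtb": dtb}

    sig = bytes(header[:4])
    if sig in HIBER_VALID:
        return {"format": "hibernation", "state": "valid"}
    if sig in HIBER_RESUMED:
        # The kernel rewrote the signature on resume: the file describes a
        # memory state that has since been restored and modified, so treat
        # its contents as potentially stale.
        return {"format": "hibernation", "state": "resumed"}

    return {"format": "raw"}


def sniff_file(path):
    """Read only the header of a sample on disk and classify it."""
    with open(path, "rb") as fh:
        return sniff_format(fh.read(HEADER_BYTES))


# --- constructed sample headers (synthetic, not captured from a real system) ---

def crashdump_header(bits=32, dtb=0x00039000):
    """Build a minimal crash-dump header with the given DTB at offset 0x10."""
    buf = bytearray(HEADER_BYTES)
    buf[:8] = b"PAGEDUMP" if bits == 32 else b"PAGEDU64"
    struct.pack_into("<I" if bits == 32 else "<Q", buf, 0x10, dtb)
    return bytes(buf)


def hiberfil_header(signature=b"hibr"):
    """Build a minimal hibernation-file header carrying the given signature."""
    buf = bytearray(HEADER_BYTES)
    buf[:4] = signature
    return bytes(buf)


if __name__ == "__main__":
    samples = [
        ("crash32", crashdump_header(32)),
        ("crash64", crashdump_header(64, 0x00187000)),
        ("hiber", hiberfil_header(b"hibr")),
        ("resumed", hiberfil_header(b"wake")),
        ("raw", bytes(HEADER_BYTES)),
    ]
    for name, hdr in samples:
        print(name, sniff_format(hdr))
```

Running the file prints the classification of each constructed header; for a real sample call sniff_file(path). The practical point for the hiberfil question is the 'state' field: a file reporting 'resumed' was already consumed by a successful resume, and whatever is in it no longer matches the memory the machine ran with afterwards.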
Sorry AAron, Yahoo spam filter was a bit aggressive ! I got here in
the end :-)
What tools do peeps prefer for memory acquisition now that we have some
choices ?
Regards,
Jon.
http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-ma…
I recently had a little extra time to dig through the Linux kernel and
thought some people may be interested. This was an excerpt from a
collaboration with the PyFlag team! I want to thank both Michael Cohen
and David Collett for letting me play along despite being on opposite
sides of the world!!
That's right Volatility now supports both Windows and Linux!
If you have questions/comments/suggestions, let me know!
Thanks,
AW
> > In at least one case they clearly were unreliable.
Rossetoecioccolato,
Do you really know of such a case, ... or not really?
eric
www.risk-averse.com
I know that Jon Evans at Gwent Police in the UK has demonstrated this
method. I'll be amazed if Jon doesn't subscribe to this list and so may be
able to give some more info.
More info can be found here:
http://forums.remote-exploit.org/archive/index.php/t-13922.html
The method utilises Adam Boileau's Winlockpwn tool. Adam's Pythonraw tool
is available on Helix. http://www.e-fense.com/helix/downloads.php
If I recall one "slight" issue with this method is the tendency to BSOD. To
quote Keith Lockhart at Access Data "This is a Bad thing!"
Jim
On 8/7/08 18:00, "vol-users-request(a)volatilityfoundation.org"
<vol-users-request(a)volatilityfoundation.org> wrote:
>
> Send Vol-users mailing list submissions to
> vol-users(a)volatilityfoundation.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> or, via email, send a message with subject or body 'help' to
> vol-users-request(a)volatilityfoundation.org
>
> You can reach the person managing the list at
> vol-users-owner(a)volatilityfoundation.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Vol-users digest..."
>
>
> Today's Topics:
>
> 1. RE: Memory imaging (Jamie Levy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 7 Jul 2008 14:57:33 -0400
> From: "Jamie Levy" <jamie.levy(a)gmail.com>
> Subject: RE: [Vol-users] Memory imaging
> To: vol-users(a)volatilityfoundation.org
> Message-ID:
> <cac8c8a90807071157w7b6e388ej660382ede0116884(a)mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi evb,
>
> I'm not sure, but maybe this will help (maybe someone else on here
> knows better than I do):
>
> http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html
>
> I've never tried memory acquisition using firewire, but it sounds like
> it might be worth a try.
>
> All the best,
>
> -Jamie
>
>
> ------------------------------
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
> End of Vol-users Digest, Vol 10, Issue 4
> ****************************************
If this is a managed system and you have a software deployment tool like SMS, Tivoli, or Unicenter, can you just send down a job that runs something like Mantech's new MDD.exe tool and writes the RAM dump out to \\servername\sharename\filename?
Otherwise, if you have admin access to the machine, can you psexec the MDD.exe tool on the machine and write the RAM dump out to a \\servername\sharename share (mdd -o \\servername\sharename\filename.dd)?
Doing either of the above would definitely alter the target machine more than the Firewire method, but might be good enough depending on your situation.
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of AAron
Walters
Sent: Tuesday, July 08, 2008 4:29 PM
To: Jim Gordon
Cc: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Memory Imaging Using Firewire
evb,
There are a number of potential techniques that are being used to deal with
locked machines. Though I must give my usual caveats that I would make
sure you know what you are doing and actually have experience with the
acquisition method before trying it as part of a real investigation.
Some of the techniques are hardware dependent, have the potential to
BSOD the machine, or are potentially destructive, so you may only get
one attempt. In some instances, it may be useful to get outside help.
As Jim and Jamie mentioned, performing acquisition via firewire is a
potential option. Details about this technique can be found on the
following site: http://storm.net.nz/projects/16. They even mention using a
CardBus firewire card. Others have successfully used techniques similar
to those presented in the Cold Boot paper
(http://citp.princeton.edu/memory/) or similarly, msramdmp:
(http://mcgrewsecurity.com/projects/msramdmp/)
Depending on how the laptop is configured, the hibernation file is
another alternative. There are also other hardware solutions but they
are very expensive.
Regards,
AW