We are about to release the new dumpfiles plugin that will allow you
to recover the $Mft file. We are in the final stages of testing, so
it should be released soon, I believe.
Out of curiosity, what system are you analyzing?
On Thu, Jul 25, 2013 at 10:16 AM, FRANCIS PROVENCHER
<FRANCIS.PROVENCHER(a)msp.gouv.qc.ca> wrote:
Thank you so much, guys, for this answer!
(Keep in mind, I'm pretty new to Volatility.)
I didn't find, in version "Volatile Systems Volatility Framework 2.1", any
automatic plugin to dump the $MFT file.
I ran "filescan" and found the $Mft file at offset:
0x0253e5e0 3 0 RWD--- \$Mft
How can I extract this file from memory? Is that the right way to do this?
Thanks a lot, all, for your help!
>>> Jamie Levy <jamie.levy(a)gmail.com> 25/07/13 9:56 >>>
That's definitely one way that you can do it.
I think someone was going to extend the mftparser plugin to extract
ADS as well, or at least someone had approached me about it. It is
possible to extend that plugin to do it without having to use other
tools, I think I might already have the vtypes defined as well though
I'm not sure. I don't have the time to extend it myself until
sometime after blackhat is over, however.
All the best,
-gleeda
On Thu, Jul 25, 2013 at 9:03 AM, David Kovar <dkovar(a)gmail.com> wrote:
Good morning,
The latest version of Volatility can extract MFT records:
" • new plugins to parse IE history/index.dat URLs, recover shellbags data,
dump cached files (exe/pdf/doc/etc), extract the MBR and MFT records,
explore recently unloaded kernel modules, dump SSL private and public
keys/certs, and display details on process privileges"
The latest version of analyzeMFT can find ADS files in MFT records:
"Added ADS support.
This is probably a work in progress but it seems to be working so I'll
push this out. Whenever analyzeMFT encounters a resident $DATA record, it
stores a copy of the contents away for later use. If it encounters a named
$DATA record, it does two things:
 • A duplicate of the parent record is created and the filename is changed
to be <parent filename>:<ADS filename>.
 • All ADS records, parent and children, get a flag set in the new ADS
column"
As my CS prof used to say, it is an exercise left to the reader to figure
out how to combine those.....
-David
On Jul 24, 2013, at 8:10 PM, "FRANCIS PROVENCHER"
<FRANCIS.PROVENCHER(a)msp.gouv.qc.ca> wrote:
Hi all,
I have a memory dump as evidence for a case.
Can Volatility help me discover "Alternate data stream" files on the
system?
Thanks for your help!
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
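The thread's underlying task (find MFT FILE records in a memory image, undo their fixups, and report every $DATA attribute, labelling named streams as <file>:<ads> the way analyzeMFT does) is shown below as an added, stand-alone example. It is not code from the Volatility or analyzeMFT projects and does not depend on either; the record it parses is constructed in the script itself (the file name "notes.txt", the Zone.Identifier stream and all sizes and offsets are made up), so it runs offline. The on-disk layouts used (1024-byte FILE record header, update sequence array, resident attribute header, $FILE_NAME body) are the standard NTFS ones.

```python
"""Added example: build one constructed NTFS MFT FILE record, scan a fake
image for it, and list its $DATA streams, flagging alternate data streams."""
import struct

STANDARD_INFORMATION, FILE_NAME, DATA, END_MARKER = 0x10, 0x30, 0x80, 0xFFFFFFFF


def build_resident_attr(atype, content, name="", attr_id=0):
    """Resident attribute: 0x18-byte header, optional UTF-16LE name, content."""
    name_bytes = name.encode("utf-16-le")
    content_off = (0x18 + len(name_bytes) + 7) & ~7
    total = (content_off + len(content) + 7) & ~7
    buf = bytearray(total)
    # type, length, non-resident flag, name length, name offset, flags, id
    struct.pack_into("<IIBBHHH", buf, 0, atype, total, 0, len(name),
                     0x18 if name else 0, 0, attr_id)
    # resident part: content length, content offset, indexed flag, padding
    struct.pack_into("<IHBB", buf, 0x10, len(content), content_off, 0, 0)
    buf[0x18:0x18 + len(name_bytes)] = name_bytes
    buf[content_off:content_off + len(content)] = content
    return bytes(buf)


def build_file_name_content(name, parent_ref=5):
    """$FILE_NAME body: parent ref, 4 timestamps, sizes, flags, name (ns=Win32)."""
    return struct.pack("<Q4QQQIIBB", parent_ref, 0, 0, 0, 0, 0, 0, 0, 0,
                       len(name), 1) + name.encode("utf-16-le")


def build_mft_record(record_no, attrs, usn=0x0007):
    """Wrap attributes in a 1024-byte FILE record with a valid fixup array."""
    rec = bytearray(1024)
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    body = b"".join(attrs) + struct.pack("<II", END_MARKER, 0)
    rec[0:4] = b"FILE"
    # usa offset/count, LSN, sequence no, link count, first attribute offset,
    # flags (1 = in use), used size, allocated size
    struct.pack_into("<HHQHHHHII", rec, 4, usa_off, usa_count, 0, 1, 1,
                     first_attr, 1, first_attr + len(body), 1024)
    struct.pack_into("<QHHI", rec, 0x20, 0, len(attrs), 0, record_no)
    rec[first_attr:first_attr + len(body)] = body
    # Fixups: the last 2 bytes of each 512-byte sector are saved in the array
    # and overwritten with the update sequence number.
    struct.pack_into("<H", rec, usa_off, usn)
    for i in range(1, usa_count):
        end = i * 512 - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, usn)
    return bytes(rec)


def apply_fixups(raw):
    """Undo the update-sequence fixups; raise on a torn or corrupt record."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch at sector %d" % i)
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_mft_record(raw):
    """Return record number, in-use flag, file name and all $DATA streams."""
    if raw[:4] != b"FILE":
        return None
    rec = apply_fixups(raw)
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    record_no = struct.unpack_from("<I", rec, 0x2C)[0]
    file_name, streams, off = None, [], first_attr
    while off + 16 <= used:
        atype, alen, nonres, name_len, name_off = struct.unpack_from("<IIBBH", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if atype == FILE_NAME:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            fn_len, namespace = struct.unpack_from("<BB", body, 0x40)
            if file_name is None or namespace != 2:   # prefer long name over 8.3
                file_name = body[0x42:0x42 + 2 * fn_len].decode("utf-16-le")
        elif atype == DATA:
            if nonres:   # content lives in clusters; only the real size is here
                size, content = struct.unpack_from("<Q", rec, off + 0x30)[0], None
            else:
                clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
                size, content = clen, rec[off + coff:off + coff + clen]
            streams.append({"name": name, "resident": not nonres,
                            "size": size, "content": content})
        off += alen
    return {"record": record_no, "in_use": bool(flags & 1),
            "file_name": file_name, "streams": streams}


def stream_labels(record):
    """Label streams like analyzeMFT: unnamed -> file, named -> file:ads."""
    fn = record["file_name"] or "<no $FILE_NAME>"
    return [(fn if not s["name"] else fn + ":" + s["name"], s["size"], s["resident"])
            for s in record["streams"]]


def scan_image(image):
    """Walk a raw image in 1024-byte steps and yield (offset, parsed record)."""
    for off in range(0, len(image) - 1023, 1024):
        if image[off:off + 4] == b"FILE":
            try:
                yield off, parse_mft_record(image[off:off + 1024])
            except ValueError:
                continue   # torn record: fixup check failed, skip it


def demo_image():
    """Constructed sample (made-up data): a zero page, then one record for
    notes.txt with an unnamed stream and a Zone.Identifier ADS, then padding."""
    attrs = [
        build_resident_attr(STANDARD_INFORMATION, bytes(48), attr_id=0),
        build_resident_attr(FILE_NAME, build_file_name_content("notes.txt"), attr_id=1),
        build_resident_attr(DATA, b"hello", attr_id=2),
        build_resident_attr(DATA, b"[ZoneTransfer]\r\nZoneId=3\r\n",
                            name="Zone.Identifier", attr_id=3),
    ]
    return b"\x00" * 4096 + build_mft_record(42, attrs) + b"\x00" * 1024


if __name__ == "__main__":
    for off, rec in scan_image(demo_image()):
        for label, size, resident in stream_labels(rec):
            print("%#x  %-28s %5d bytes  %s" % (off, label, size,
                  "resident" if resident else "non-resident"))
```

Against a real image the scan would be fed the raw memory dump (or the $Mft file once dumpfiles has carved it out) instead of demo_image(); the fixup check is what separates a genuine record from a stale or partially overwritten page, and a non-resident stream only reports its size here because its content is in the file system clusters, not in the record.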