Boudewijn,
I agree, it looks like your memory dump is corrupted. To answer your
question about Internet Explorer history, that is the iehistory plugin [1]
[2], which is provided with Volatility 2.3.
[1].
[2].
Michael
On Wed, Oct 23, 2013 at 11:30 AM, Andrew Case <atcuno(a)gmail.com> wrote:
  Nice to hear from someone from our class =)
 A few things about your post...
 8GB on x64 is where several acquisition tools seem to break, so it may
 be that, and your output seems to indicate so.
 Also, you are using Volatility 2.2 which is quite old at this point. I
 would recommend using the latest through SVN. Not only are there many
 bugfixes, but also new plugins, such as iehistory that will help you
 recover the IE data you want and is the one we used in class.
 Also, we have full support for networking information on Windows 7
 x64, you just have to use the netscan plugin and not the others
 (sockets, sockscan, etc.).
 Do you have any other acquisition tools you can use or are your
 machines virtualized?
 On Wed, Oct 23, 2013 at 9:21 AM, Boudewijn Ector
 <boudewijn(a)boudewijnector.nl> wrote:
  Hi guys,
 Currently I've got a sample of an infected Win7 machine with enough
 memory (8GB) which is not being used by anything except for 'the
 malware' (no running Office etc.), so quite a lot of stuff should not
 have been swapped out of memory yet.
 Strangely, I can't dump the process:
 ; vol.py  -f dump.raw --profile=Win7SP1x64 procexedump -p 4932
 --dump-dir results/4932.bin
 Volatile Systems Volatility Framework 2.2
 Process(V)         ImageBase          Name                 Result
 ------------------ ------------------ -------------------- ------
 Okay so it might be not in memory anymore... fine. So let's scan for
 network activity using connscan.
 This does not yield any results either.... just like svcscan.
 Also the image is very very slow... on a regular machine (core i5 2400,
 20gb mem) running imageinfo on the 8gb images takes about 10 minutes.
 Also malfind mentions :
 WARNING : volatility.obj      : NoneObject as string: Invalid Address
 0x05140000, instantiating _MMADDRESS_NODE
 WARNING : volatility.obj      : NoneObject as string: Invalid Address
 0x05140000, instantiating _MMADDRESS_NODE
 WARNING : volatility.obj      : NoneObject as string: Invalid Address
 0x21A4C320A, instantiating _MMADDRESS_NODE
 WARNING : volatility.obj      : NoneObject as string: Invalid Address
 0x21A4C320A, instantiating _MMADDRESS_NODE
 Psxview says all processes are like this:
 0x000000021a841060 <PROCESSNAME>            6640 False  True   False
 False   False
 Isn't that just weird? (yes it's because psscan is the only module being
 able to retrieve data from memory... but isn't that strange)
 This makes me presume my memory images are broken. My colleague
 probably (!) used winpmem -f for doing this. What's the best way to
 create a memory image on a windows7 x64 box without having admin? (these
 boxes are remotely managed and it takes a looooot of time to make sure
 an admin will do something).
 Or is this just perfectly normal behaviour and is win7x64 just being
 badly supported by Volatility? (I know the network-based plugins don't
 work but that's okay... it's mentioned in the docs)
 Furthermore: during our recent Volatility training (in Amsterdam), we
 used a plugin for getting data from Internet Explorer history. I had a
 look online and didn't find it; is it non-public?
 Cheers,
 Boudewijn Ector
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users 
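The symptom discussed in the thread (psxview reporting every process as visible to psscan only, while pslist and the other sources find nothing) is the tell that distinguishes a broken image or wrong profile from a rootkit hiding a single process. The script below is an added example, not code from the thread or from the Volatility project: it parses psxview-style output and classifies it. The column names follow Volatility 2.3's psxview; both sample tables are constructed for the example, not taken from a real dump, and the verdict labels are this example's own.

```python
"""Triage Volatility 2.x psxview output: is "only psscan sees it" a hidden
process or a broken image?  Added example, not from the mailing-list thread
or the Volatility project.  Column names follow Volatility 2.3's psxview;
the sample rows are constructed."""
from typing import Dict, List

# Constructed: what the thread describes - every process seen by psscan alone.
SAMPLE_BROKEN = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x000000021a841060 svchost.exe            6640 False  True   False    False  False False   False
0x000000021a9f2b30 explorer.exe           1234 False  True   False    False  False False   False
0x000000021abc4060 evil.exe               4932 False  True   False    False  False False   False
"""

# Constructed: a healthy image where one process has been unlinked from the
# active-process list (DKOM style) but is still found by every other source.
SAMPLE_HIDDEN = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x000000021a841060 svchost.exe            6640 True   True   True     True   True  True    True
0x000000021a9f2b30 explorer.exe           1234 True   True   True     True   True  True    True
0x000000021abc4060 evil.exe               4932 False  True   True     True   True  True    True
"""


def parse_psxview(text: str) -> List[Dict]:
    """Turn the text table into rows of {offset, name, pid, seen: {source: bool}}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    first_bool = header.index("pslist")        # boolean columns start here
    sources = header[first_bool:]
    rows = []
    for line in lines[1:]:
        if line.startswith("---"):
            continue
        tok = line.split()                      # ImageFileName has no spaces
        flags = tok[first_bool:first_bool + len(sources)]
        rows.append({
            "offset": int(tok[0], 16),
            "name": tok[1],
            "pid": int(tok[2]),
            "seen": {src: flag == "True" for src, flag in zip(sources, flags)},
        })
    return rows


def triage(rows: List[Dict]) -> Dict:
    """Classify the cross-view result.

    psscan reads _EPROCESS pool tags straight out of physical memory, so it
    works even when the kernel's linked lists cannot be walked.  Every other
    source needs a sane DTB/KDBG and intact kernel structures.  Hence:
      * all rows psscan-only  -> the image or the profile is the problem
      * some rows psscan-only -> exited processes, or something hidden well
      * pslist False but most other sources True -> unlinked (DKOM-style)
    """
    psscan_only, unlinked = [], []
    for r in rows:
        others = [v for k, v in r["seen"].items() if k != "psscan"]
        if r["seen"]["psscan"] and not any(others):
            psscan_only.append(r["pid"])
        elif not r["seen"]["pslist"] and sum(others) >= len(others) // 2:
            unlinked.append(r["pid"])

    if rows and len(psscan_only) == len(rows):
        verdict = "image_or_profile_problem"
    elif unlinked:
        verdict = "unlinked_from_pslist"
    elif psscan_only:
        verdict = "possible_exited_or_hidden"
    else:
        verdict = "consistent"
    return {"total": len(rows), "psscan_only": psscan_only,
            "unlinked": unlinked, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("hidden", SAMPLE_HIDDEN)):
        print(label, triage(parse_psxview(sample)))
```

On a real case, feed it the saved output of `vol.py -f dump.raw --profile=<profile> psxview`; a verdict of image_or_profile_problem means the next step is re-acquiring or re-checking the profile (as in the thread), not hunting for a rootkit.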