Professional Documents
Culture Documents
CPU
Cache
RAM
Virtual Memory
Disk
Acquisition Phase
Which data as digital evidence ????????
Goal is to save the state of digital system for analysis.
Similar to taking photographs, fingerprints, blood samples,
from a crime scene.
The allocated and unallocated areas of a hard disk are
copied known as image.
Tools are used to copy data from the suspect storage
device to a trusted device.
Tools must modify the suspect device as little as possible
and copy all data.
Capture the acquired data for identifying pieces of
evidence.
C:\win32dd.exe /l /f
mem1.vmem
Identify
Context
Find KPCR
Parse
Memory
Structure
Scan For
outliers
Volatility
versions
Supports
x86
Windows XP SP 2, 3
Windows 2003 Server SP 0, 1, 2
Windows Vista SP 0, 1, 2
Windows 2008 Server SP 1, 2
Windows 7 SP 0, 1
Windows
Running
Process
Image Date
and Time
OS Kernel
Modules
Processs addressable
Memory
Analyzing
Image Name
Parent Process
Full Path
Processes
Legitimate process?
Spelled correctly?
Matches system
context
Appropriate
path for
system
executable?
Running from
a user or
temp directory
Command Line
Executable
matches image
name?
Do arguments
make sense?
Is the parent
Process what
you would
expect?
Start Time
Volatility Commands
a)Spot hidden processes
psxview
pslist, psscan
printkey -K key
procexedump
memdump, vaddump
handles, filescan, dlllist,
mutantscan
svcscan, driverscan, modules,
modscan
connscan, connections,
sockets, sockscan, netscan
timeliner, evtlogs
malfind, apihooks
Imageinfo
Used for Knowing what type of system your image
came from.
Output shows suggested profile that you should
pass as the parameter to --profile=PROFILE.
Pslist
Use to list the processes of a system.
Walks doubly-linked list pointed by PsActiveProcessHead.
Does not detect hidden or unlinked processes.
Pstree
Used for viewing the process listing in tree form.
Enumerates processes using the same technique
as pslist.
Child process are indicated using indention and
periods.
$ volatility profile=profilename f imagename
pstree
Psscan
To enumerate processes using pool tag scanning, use
this command.
Finds processes that are previously terminated
(inactive) and hidden or unlinked by a rootkit.
Connscan
Used for finding connection structures using pool tag
scanning.
Finds artifacts from previous connections that have been
terminated.
It may find false positives sometimes, you also get the benefit
of detecting as much information as possible.
$ volatility f imagename connscan
Malfind
Used for: Finding hidden or injected code/DLLs in user mode memory,
based on characteristics such as VAD tag and page
permissions.
Locating sequence of bytes, regular expressions, ANSI
strings, or Unicode strings in user mode or kernel memory.
Apihook
Used for finding API hooks in user mode or kernel mode.
It finds IAT, EAT, Inline style hooks, and several special types of
hooks.
For Inline hooks, it detects CALLs and JMPs to direct and
indirect locations, and it detects PUSH/RET instruction
sequences.
Special types of hooks that it detects include syscall hooking
in ntdll.dll and calls to unknown code pages in kernel memory.
$ volatility f imagename apihook
Dlllist
For displaying a process's loaded DLLs, use this command.
It walks the doubly linked list of LDR_DATA_TABLE
_ENTRY structures pointed by PEB's InLoad Order Module
List.
DLLs are automatically added to this list when a process calls
LoadLibrary and they aren't removed until FreeLibrary is called
and the reference count reaches zero.
$ volatility f imageinfo dlllist
Dlldump
For extracting a DLL from a process's memory space and dump
it to disk for analysis, use this command.
We can:
Dump all DLLs from all processes .
Dump all DLLs from a specific process (with --pid=PID) .
Dump all DLLs from a hidden/unlinked process (with -offset=OFFSET) .
Dump a PE from anywhere in process memory (with -base=BASEADDR), this option is useful for extracting hidden
DLLs.
$ volatility f imagename dlldump D directoryname
Handles
Used for displaying the open handles in a process.
Process obtains a file handle by calling functions such as
CreateFile, and the handle will stay valid until CloseHandle
is called. This concept applies for registry keys, mutexes,
named pipes, events, window stations, desktops, threads,
and all other types of objects.
Getsids
For viewing the SIDs (Security Identifiers)
associated with a process, use this command.
It helps you to identify processes which have
maliciously escalated privileges.
Memmap
For a brief inspection of the addressable memory
pages in a process use this command.
Memdump
Procmemdump
o For dumping a process's executable (including the slack
space), use the procmemdump command.
o Optionally, pass the --unsafe or -u flags to bypass certain
sanity checks used when parsing the PE header.
o Some malware will intentionally forge size fields in the PE
header so that memory dumping tools fail.
Procexedump
To dump a process's executable (not including the
slack space), use the procexedump command.
Vadinfo
The vadinfo command displays extended information about a
process's VAD nodes. In particular, it shows:
The address of the MMVAD structure in kernel memory.
The starting and ending virtual addresses in process memory.
The VAD Tag.
The name of the memory mapped file (if one exists) .
The memory protection constant (permissions).
Modules
To view the list of kernel drivers loaded on the system,
use the modules command.
This walks the doubly-linked list of LDR_DATA_TABLE
_ENTRY structures pointed to by
PsLoadedModuleList. It cannot find hidden/unlinked
kernel drivers.
$ volatility --profile=Win7SP0x86 -f imagename modules
modscan
For scanning physical memory for kernel modules, use
this command.
It can pick up previously unloaded drivers and drivers
that have been hidden/unlinked by rootkits.
Ssdt
To list the functions in the Native and GUI SSDTs, use the ssdt command.
It displays the index, function name, and owning driver for each entry in the
SSDT.
Some important points: Windows has 4 SSDTs by default (you can add more with
KeAddSystemServiceTable), but only 2 of them are used - one for Native
functions in the NT module, and one for GUI functions in the win32k.sys
module.
Multiple ways to locate the SSDTs in memory:o
Some tools do it by finding the exported KeServiceDescriptorTable
symbol in the NT module.
o
Volatility scans for ETHREAD objects and gathers all unique
ETHREAD.Tcb.ServiceTable pointers.It is more robust and complete,
as it can detect when rootkits make copies of the existing SSDTs and
assign them to particular threads.
$ volatility --profile=Win7SP0x86 -f imagename ssdt
Driverscan
For scaning DRIVER_OBJECTs in physical memory, use this
command.
The DRIVER_OBJECT contains the 28 IRP (Major Function)
tables.
Hivescan
To find the physical addresses of CMHIVEs (registry
hives) in memory, use the hivescan command.
Hivelist
To locate the virtual addresses of registry hives in memory, and
the full paths to the corresponding hive on disk, use this
command.
Printkey
For displaying the subkeys, values, data, and data types
contained within a specified registry key, use this
command.
By default it will search all hives and print the key
information (if found) for the requested key. Therefore, if
the key is located in more than one hive, the information
for the key will be printed for each hive that contains it.
Idt
To print the system's IDT (Interrupt Descriptor Table),
use the idt command.
It displays the purpose of the interrupts, along with the
current address and owning module.
Some rootkits hook the IDT entry for KiSystemService,
but point it at a routine inside the NT module (where
KiSystemService should point). However, at that
address, there is an Inline hook detected by Idt.
$ volatility idt -f imagename
Gdt
To print the system's GDT (Global Descriptor
Table), use the gdt command.
It is useful for detecting rootkits like Alipop that
install a call gate so that user mode programs can
call directly into kernel mode (using a CALL FAR
instruction).
$ volatility -f imagename gdt
Conclusion
Volatility is a very powerful tool, which is able to detect
even the most advanced rootkits if its being used properly.
The analyst should have good windows knowledge to
combine the different functions in a smart way and
draw the right conclusions
False positives could be caused by security software like
HIPS, AV or personal firewalls, as they act in a very
similar way malware does. The only way to be 100% sure
if the code is malicious or not the investigator has to
disassemble the dumped code .
Other tools
Mandiant Redline:Mandiant Redline is an interesting tool which can analyse all the
processes running on your PC, and then attempt to highlight any
which might be malicious.