2010-11-19

Volatility Mem Forensics IV–Putting it all together

To make things simpler, this article gives an overview of doing a Volatility run, and mentions some tools that can help automate things further.



The previous article finished describing the Volatility plugins in detail. This final article walks through a complete Volatility run, then describes some tools that can help automate things further.

Doing a Volatility Run


To analyze a raw memory dump, start by copying the dump into its case directory.
I wrote a quick script to run the individual Volatility commands one after another.

You can download it here: http://dl.dropbox.com/u/2073352/101118-volcmd.bsh

Run the script as follows:

volcmd.bsh 'my-case.dir' 'name-memory-dump'

It will run all the Volatility plugins and leave a series of files "out_xxx" in the case directory, one per plugin. There will also be directories ("exec_xxx") containing the extracted executables to be scanned or otherwise analyzed.
Note that the registry dumping commands still have to be run manually. For this, the script prints sample commands to the screen that can be cut and pasted for execution.
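The batch run described above, as an added example in Python; it is not the volcmd.bsh script from this post (which is not reproduced here). It assumes the Volatility 2.x command line, vol.py -f DUMP --profile=PROFILE PLUGIN [-D DIR], and a profile name the analyst has already determined. The plugin list, the volrun.py name and the injectable runner hook are this example's own choices.

```python
"""Batch-run a fixed set of Volatility plugins against one memory dump.
Each plugin's text output goes to <case_dir>/out_<plugin>; the carving
plugins write the executables they extract to <case_dir>/exec_<plugin>/.
Registry plugins are not run; sample command lines are printed instead.

Assumed (not taken from the post): the Volatility 2.x command line
    vol.py -f DUMP --profile=PROFILE PLUGIN [-D OUTDIR]
and a profile name the analyst has already determined (e.g. via imageinfo).
"""
import os
import subprocess
import sys

# Plugins whose only product is a text report.  The network plugins are
# XP/2003-only; on other profiles they fail and are reported as failed.
REPORT_PLUGINS = ["pslist", "psscan", "pstree", "dlllist", "handles",
                  "connections", "connscan", "sockets", "sockscan",
                  "modules", "modscan", "ssdt", "malfind"]
# Plugins that carve executables to disk and take -D <directory>.
DUMP_PLUGINS = ["procdump", "dlldump", "moddump"]
# Registry work is left to the analyst; printed as cut-and-paste samples.
REGISTRY_SAMPLES = ["hivelist",
                    "printkey -K 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'"]


def base_argv(case_dir, dump, profile, vol="vol.py"):
    """The part of the command line shared by every plugin invocation."""
    return [vol, "-f", os.path.join(case_dir, dump), "--profile=" + profile]


def plan(case_dir, dump, profile, vol="vol.py"):
    """Return (plugin, argv, out_path) for every plugin; executes nothing."""
    base = base_argv(case_dir, dump, profile, vol)
    jobs = [(p, base + [p], os.path.join(case_dir, "out_" + p))
            for p in REPORT_PLUGINS]
    for p in DUMP_PLUGINS:
        exec_dir = os.path.join(case_dir, "exec_" + p)
        jobs.append((p, base + [p, "-D", exec_dir],
                     os.path.join(case_dir, "out_" + p)))
    return jobs


def run_all(case_dir, dump, profile, vol="vol.py", runner=subprocess.call):
    """Run every job; a failing plugin is recorded, not fatal.  `runner`
    has subprocess.call's signature and is injectable so the orchestration
    can be exercised without Volatility installed."""
    failed = []
    for plugin, argv, out_path in plan(case_dir, dump, profile, vol):
        if plugin in DUMP_PLUGINS:
            os.makedirs(argv[-1], exist_ok=True)   # argv[-1] is the -D dir
        with open(out_path, "w") as out:
            rc = runner(argv, stdout=out, stderr=subprocess.STDOUT)
        if rc != 0:
            failed.append(plugin)
    base = " ".join(base_argv(case_dir, dump, profile, vol))
    for sample in REGISTRY_SAMPLES:
        print("run manually: %s %s" % (base, sample))
    return failed


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: volrun.py CASE_DIR DUMP_FILE PROFILE")
    bad = run_all(sys.argv[1], sys.argv[2], sys.argv[3])
    print("failed plugins: %s" % (", ".join(bad) or "none"))
```

The out_ files double as a log: a plugin that does not apply to the profile (for example the XP-only socket plugins on a Windows 7 image) leaves its error text in its out_ file and its name in the returned list, instead of aborting the whole run.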

Virus scanning

One unanswered question is what to do with all the extracted executables found by the Volatility plugins?

Clam AV

One possibility is to run one or more local AV programs against the extracted executables.

This will give a subset that can then be submitted to Virustotal for detailed scanning.

There is one open-source AV program that runs directly on Linux: ClamAV, a command-line virus scanner. Although it runs on Linux (it is widely used on mail gateways), most of its signatures target Windows malware, which makes it suitable for scanning Windows executables from a Linux host.

Installation and use of Clam is discussed in detail here: https://help.ubuntu.com/community/ClamAV

Essentially two packages are installed using apt-get or Synaptic Package Manager: clamav (the scanner) and clamav-freshclam (the signature updater).

Then as root, run the following to update the virus signatures:

freshclam

Then to scan a directory:

clamscan -r /my_directory_to_scan | egrep -v " OK| Empty file"

Note that the "egrep -v" cuts down the noise in the output: clamscan prints one line per file, and the filter drops the clean and empty ones so only detections (and errors) remain. clamscan's own -i (--infected) option has the same effect, printing only infected files; either way the scan summary with the infected-file count is still printed at the end.

Scan from a Windows PC

Another approach for local scanning would be to scan the extracted files from a Windows PC.
This can be done by setting up a Windows share from the Ubuntu host computer. This is easy to do on Ubuntu:
  • Download and install Samba using Synaptic: System -> Administration -> Synaptic Package Manager
  • In the Nautilus file manager, right-click the directory with the executables.
  • Sharing Options -> tick "Share this folder"
  • Be sure the onboard firewall allows Windows file-sharing (SMB) traffic, if the firewall is enabled.
  • On the Windows computer, map the network share as usual. Log in as one of the users defined on the Ubuntu box.
Keep in mind that the share exposes possibly malicious executables to the Windows machine: leave it read-only (do not allow others to create and delete files in it), and use a machine that can be rebuilt rather than a production workstation, since a desktop AV will happily quarantine or delete the samples and an accidental double-click runs them.

Automating Virustotal submissions

The next step could be to batch submit a (small) subset of the executables to VirusTotal. If Volatility extracted 2000+ code samples, then maybe a selected 10% of these could be submitted to VirusTotal for further analysis. Two things to keep in mind before uploading: look up each file's hash first, since a file VirusTotal has already seen needs no upload at all, and remember that uploaded samples are shared with AV vendors and other researchers, so nothing carved from the dump that may contain confidential case data should go up.
The VirusTotal API
There is a Virustotal public API available. The API constrains ordinary users according to the following limits:
  • 20 submissions for a given 5 minute period
  • 20 MB file maximum size.
To receive an API Key, you must become member of the Virustotal user community. See http://www.virustotal.com for the details.
lgvtotal.py module
Based on the sample demo code available for public API, I have written a small Python script to automate uploads: lgvtotal.py.

You can download it from here: http://code.google.com/p/lgvtotal/
(Note that this program needs posthandler.py, in the same directory, to run correctly. posthandler is the HTTP multipart/MIME upload code.)

lgvtotal.py automatically takes the VirusTotal restrictions into account.

Because of the constraints on API throughput, a run over a few hundred files takes a long time, so the program has a checkpoint facility that allows execution to be restarted if it is terminated abnormally. The same checkpoint file is used to print a full report of results once all the files have been scanned and the results retrieved by the program.

For more information, consult the program's usage text:

python lgvtotal.py --help

and look at the wiki located at the link mentioned above.
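The quota handling and checkpoint/restart behaviour described in the last two sections, as an added Python example; it is not lgvtotal.py, posthandler.py, or VirusTotal's sample code. The HTTP transport is left to a caller-supplied submit(path) function, so no API endpoint or key handling is hard-coded and the built-in demo runs offline on constructed files with a fake clock; the quota constants are the figures quoted above, and the class and function names are this example's own.

```python
"""Batch-submit extracted executables to VirusTotal within the public-API
quota, checkpointing after each upload so an interrupted run can resume and
a report can be printed from the checkpoint.  Added example, not lgvtotal.py.
Assumed (not from the post): a caller-supplied transport submit(path) -> dict
does the actual POST with the API key, so no endpoint is hard-coded here;
quota as quoted above: 20 submissions per 5 minutes, 20 MB per file.
"""
import hashlib
import json
import os
import tempfile
import time

MAX_PER_WINDOW = 20
WINDOW_SECONDS = 300
MAX_FILE_BYTES = 20 * 1024 * 1024


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class Throttle:
    """At most `limit` submissions in any `window` seconds (sliding window);
    clock/sleep are injectable so the logic can be exercised offline."""

    def __init__(self, limit=MAX_PER_WINDOW, window=WINDOW_SECONDS,
                 clock=time.time, sleep=time.sleep):
        self.limit, self.window, self.clock, self.sleep = limit, window, clock, sleep
        self.stamps = []   # submission times still inside the window
        self.waits = 0     # how often the quota forced a sleep

    def acquire(self):
        now = self.clock()
        self.stamps = [t for t in self.stamps if now - t < self.window]
        if len(self.stamps) >= self.limit:
            self.sleep(self.window - (now - self.stamps[0]))  # until oldest expires
            self.waits += 1
            now = self.clock()
            self.stamps = [t for t in self.stamps if now - t < self.window]
        self.stamps.append(now)


class Checkpoint:
    """sha256 -> {path, result}; rewritten atomically after every upload."""

    def __init__(self, path):
        self.path, self.done = path, {}
        if os.path.exists(path):
            with open(path) as f:
                self.done = json.load(f)

    def record(self, digest, entry):
        self.done[digest] = entry
        with open(self.path + ".tmp", "w") as f:
            json.dump(self.done, f)
        os.replace(self.path + ".tmp", self.path)   # crash leaves old or new file

    def report_lines(self):
        return ["%s  %s  %s" % (d[:16], e["path"], e["result"])
                for d, e in sorted(self.done.items(), key=lambda kv: kv[1]["path"])]


def submit_batch(paths, submit, checkpoint, throttle):
    """Submit files not yet checkpointed; oversize files are skipped and
    transport errors are counted but left for the next run to retry."""
    summary = {"submitted": 0, "skipped_done": 0, "skipped_size": 0, "failed": 0}
    for path in paths:
        if os.path.getsize(path) > MAX_FILE_BYTES:
            summary["skipped_size"] += 1
            continue
        digest = sha256_of(path)
        if digest in checkpoint.done:      # done in an earlier run, or a duplicate copy
            summary["skipped_done"] += 1
            continue
        throttle.acquire()
        try:
            result = submit(path)
        except (OSError, ValueError):      # network error or malformed response
            summary["failed"] += 1
            continue
        checkpoint.record(digest, {"path": path, "result": result})
        summary["submitted"] += 1
    return summary


def demo(n_files=45):
    """Offline run on constructed samples with a fake clock and transport.
    Returns (first-run summary, restarted-run summary, quota waits)."""
    work = tempfile.mkdtemp(prefix="vt-demo-")
    paths = []
    for i in range(n_files):
        paths.append(os.path.join(work, "sample_%02d.exe" % i))
        with open(paths[-1], "wb") as f:
            f.write(b"MZ" + bytes([i]) * 64)   # constructed stand-in, not malware
    paths.append(os.path.join(work, "too_big.exe"))
    with open(paths[-1], "wb") as f:
        f.truncate(MAX_FILE_BYTES + 1)         # sparse file just over the limit
    clock = [0.0]
    throttle = Throttle(clock=lambda: clock[0],
                        sleep=lambda s: clock.__setitem__(0, clock[0] + s))
    fake_submit = lambda p: {"scan_id": sha256_of(p)[:8], "status": "queued"}
    ckpt = os.path.join(work, "checkpoint.json")
    first = submit_batch(paths, fake_submit, Checkpoint(ckpt), throttle)
    # Restart: a fresh Checkpoint reloads the file, so nothing is re-uploaded.
    second = submit_batch(paths, fake_submit, Checkpoint(ckpt), throttle)
    return first, second, throttle.waits
```

Calling demo() pushes 45 small files plus one oversize file through the batch: the oversize one is skipped, the throttle sleeps twice (after the 20th and 40th submission), and a second pass against the same checkpoint uploads nothing. In a real run, submit would POST the file with the API key and return the parsed JSON; checking the hash against VirusTotal's report lookup before calling submit saves the upload for files it has already seen.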

Odds and Ends

To finish up, this section mentions various items that didn’t seem to fit anywhere else.

hiberfil.sys

Remember that hiberfil.sys (the Windows hibernation file) can be used to reconstruct a raw memory image; Volatility reads its compressed format directly. If things have since been deleted from running memory or from disk, the hibernation file may preserve an earlier state that is still useful.

Dumping window contents, dumping graphics files

I have not tested the following posts, but list the references in case they are useful:

http://blogs.gnome.org/muelli/2010/04/volatility-memory-forensics-framework-for-ubuntu/
Describes how to search dumped memory for graphics files such as jpg, then extract them.

http://moyix.blogspot.com/2010/07/gdi-utilities-taking-screenshots-of.html
Gives a plugin, with installation instructions (since extra software is needed), to show the contents of Windows screens at time of dump.

19 comments:

airmax2 said...

Thanks a lot for this articles about Volatility. Very helpful!

Tony Rodrigues said...

Hi ! Thanks for the nice posts.
Something that could help reduce file submissions to VirusTotal is pre-filtering some of them out. This can be done by passing all files through ssdeep and comparing the fuzzy-hash results with a known-good hash set (NSRL can be transformed and used). All files around 95% (or less, this must be analysed) could be discarded as good files.
Take care,
Tony

cbentle2 said...

Hi all,
I've just started taking a more active look at using Volatility and I thought I would point people in the direction of a new Windows batch script I've created (it's based on the one from lg's post).

Feel free to post any improvements; I already have a few things in mind to update the script.

Blog Post:
http://active-security.blogspot.com/2011/05/volatility-script-for-windows.html

Script location:
https://docs.google.com/leaf?id=0Bz2rZ4S-yK8AMDE5ODhhMzEtOGNhMS00N2U3LWEyMzYtNjFkNTFmMjc4ZTZi&hl=en_US
