Volatility deskscan

Memory Analysis using Volatility - deskscan

Volatility is a tool for extracting digital artifacts from volatile memory (RAM) samples. It ships with a set of plugins that let an analyst pull these artifacts out quickly and efficiently.

deskscan – a Volatility plugin that scans for window stations and then walks each station's list of desktops.

From an incident response perspective, the volatile data residing in the system's memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives and so on, which can be a valuable source of evidence and is typically not stored on the local hard disk. This is one of the investigator's favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.

Using the Volatility deskscan plugin, we can enumerate the window stations, their desktops, and the threads attached to each desktop.

Here are things to note when using deskscan:

      • The Winlogon desktop is what presents the login prompt in which you enter your
        username and password. If successful, the system switches you into the Default
        desktop.
      • The number of windows in the Default desktop is much higher than the others
        (238 compared with 25 in Disconnect and 6 in Winlogon)
      • The only desktop with global hooks installed is Default because the fsHooks value is non-zero.

The syntax will be like:

In Windows: vol.exe -f <memdump> --profile=<OS> deskscan

In Linux: python vol.py -f <memdump> --profile=<OS> deskscan

#note: The only threads in the Winlogon desktop actually belong to winlogon.exe. If you ever see threads belonging to a different process in this desktop, it may indicate an attempt to steal login credentials.

Volatility wndscan

Memory Analysis using Volatility - wndscan


wndscan – a Volatility plugin that displays window stations and their properties. Volatility provides several plugins designed to explore and extract evidence from the Windows GUI subsystem.


Using the Volatility wndscan plugin, we can detect applications snooping on user activity, such as clipboard hooking, which is a common capability of information-stealing malware.

In the image below, the wndscan output shows that “1560 IEXPLORE.EXE” is monitoring clipboard activity.

The syntax will be like:

In Windows: vol.exe -f <memdump> --profile=<OS> wndscan

In Linux: python vol.py -f <memdump> --profile=<OS> wndscan

#note: The memory image used below was infected with info-stealing malware.
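The two checks described above (the deskscan note about threads on the Winlogon desktop and non-zero fsHooks, and the wndscan clipboard viewer) can be automated over the plugins' text output. The script below is an added example, not code from the page or from the Volatility project; the two output samples are constructed to follow the layout of the deskscan and wndscan plugins, and every offset, pid and process name in them is invented.

```python
import re

# Constructed sample modelled on the layout of Volatility 2 deskscan output
# (thread lines are printed as "tid (process pid parent ppid)"); the stray
# IEXPLORE.EXE thread on the Winlogon desktop is the planted anomaly.
DESKSCAN_SAMPLE = r"""
**************************************************
Desktop: 0x8001af0, Name: WinSta0\Default, Next: 0x8001938
SessionId: 0, DesktopInfo: 0xbc6f0000, fsHooks: 2050
spwnd: 0xbc6f00a8, Windows: 238
 1512 (explorer.exe 1684 parent 1656)
 1560 (IEXPLORE.EXE 1560 parent 1684)
**************************************************
Desktop: 0x8000a70, Name: WinSta0\Winlogon, Next: 0x0
SessionId: 0, DesktopInfo: 0xbc6d0000, fsHooks: 0
spwnd: 0xbc6d00a8, Windows: 6
 636 (winlogon.exe 632 parent 392)
 1924 (IEXPLORE.EXE 1560 parent 1684)
"""

# Constructed sample modelled on wndscan output; pid 1560 owns the clipboard
# viewer window, matching the infected image described on the page.
WNDSCAN_SAMPLE = r"""
**************************************************
WindowStation: 0x8a2b5c38, Name: WinSta0, Next: 0x0
SessionId: 0, AtomTable: 0xe15b6108, Interactive: True
Desktops: Default, Disconnect, Winlogon
ptiDrawingClipboard: pid - tid -
spwndClipOpen: 0x0, spwndClipViewer: 0xbc6f0a20 1560 IEXPLORE.EXE
cNumClipFormats: 4, iClipSerialNumber: 8
pClipBase: 0xe2eb8308, Formats: CF_UNICODETEXT,CF_LOCALE,CF_TEXT,CF_OEMTEXT
"""

DESKTOP_RE = re.compile(r"^Desktop: (0x[0-9a-f]+), Name: (\S+),")
THREAD_RE = re.compile(r"^\s+(\d+) \((\S+) (\d+) parent (\d+)\)")

def parse_deskscan(text):
    """Split deskscan output into desktops: name, fsHooks, window count, thread list."""
    desktops, current = [], None
    for line in text.splitlines():
        m = DESKTOP_RE.match(line)
        if m:
            current = {"offset": m.group(1), "name": m.group(2), "fsHooks": 0, "windows": 0, "threads": []}
            desktops.append(current)
            continue
        if current is None:
            continue
        m = re.search(r"fsHooks: (\d+)", line)
        if m:
            current["fsHooks"] = int(m.group(1))
        m = re.search(r"Windows: (\d+)", line)
        if m:
            current["windows"] = int(m.group(1))
        m = THREAD_RE.match(line)
        if m:
            current["threads"].append({"tid": int(m.group(1)), "process": m.group(2),
                                       "pid": int(m.group(3)), "ppid": int(m.group(4))})
    return desktops

def hooked_desktops(desktops):
    """Desktops with global hooks installed (non-zero fsHooks)."""
    return [(d["name"], d["fsHooks"]) for d in desktops if d["fsHooks"] != 0]

def winlogon_desktop_intruders(desktops):
    """Threads on a Winlogon desktop that belong to a process other than winlogon.exe."""
    hits = []
    for d in desktops:
        if not d["name"].lower().endswith("\\winlogon"):
            continue
        for t in d["threads"]:
            if t["process"].lower() != "winlogon.exe":
                hits.append((d["name"], t["process"], t["pid"], t["tid"]))
    return hits

def clipboard_viewers(text):
    """Window stations whose spwndClipViewer is set, with the owning pid/process if printed."""
    hits, station = [], None
    for line in text.splitlines():
        m = re.match(r"^WindowStation: 0x[0-9a-f]+, Name: (\S+),", line)
        if m:
            station = m.group(1)
            continue
        m = re.search(r"spwndClipViewer: (0x[0-9a-f]+)(?: (\d+) (\S+))?", line)
        if m and int(m.group(1), 16) != 0:
            hits.append((station, m.group(1), int(m.group(2)) if m.group(2) else None, m.group(3)))
    return hits

if __name__ == "__main__":
    desks = parse_deskscan(DESKSCAN_SAMPLE)
    print("hooked desktops:", hooked_desktops(desks))
    print("foreign threads on Winlogon desktop:", winlogon_desktop_intruders(desks))
    print("clipboard viewers:", clipboard_viewers(WNDSCAN_SAMPLE))
```

On a real case, redirect the plugin output to a file and pass its contents to the parsers; the three checks then give a short triage list (hooked desktops, foreign threads on Winlogon, clipboard viewer owners) instead of the full listing.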
 

Volatility volshell

Memory Analysis using Volatility - volshell


volshell – a Volatility plugin for interactively exploring a memory image. It gives you a WinDbg-like interface into the memory dump. For example, you can:

      • List processes
      • Switch into a process's context
      • Display the types of structures/objects
      • Overlay a type over a given address
      • Walk linked lists
      • Disassemble code at a given address


Using the Volatility volshell plugin, we can peek at the memory behind a given address.

We can supply -p <PID> with the PID of the process under investigation so that volshell starts in that process's context and its memory can be inspected directly.

Here are the few commands we can use to view content inside the volatile memory:

      • dis(addr) – Disassemble code at addr.
      • dd(addr)  – Display memory at addr as double words.
      • db(addr)  – Display memory at addr as a hex dump.
      • dt("_EPROCESS") – Display a structure type, here _EPROCESS, with its member offsets.

In this sample, we take the address 0x1000000 in PID 1560 and disassemble it with the dis command (dis(0x1000000)).

The syntax will be like:

In Windows: vol.exe -f <memdump> --profile=<OS> volshell -p 1560

In Linux: python vol.py -f <memdump> --profile=<OS> volshell -p 1560

Volatility Dumpfiles

Memory Analysis using Volatility - dumpfiles


Dumpfiles – Files are cached in memory for system performance as they are accessed and used. This makes the cache a valuable source from a forensic perspective, since we can retrieve the files that were in use intact, instead of relying on file carving, which does not take into account how items are mapped in memory. Dumpfiles iterates through the VAD and extracts all files mapped as DataSectionObject, ImageSectionObject, or SharedCacheMap.


 

Using the Volatility dumpfiles plugin, we can extract a file either by a targeted search that matches a regex pattern or by the physical offset of the file object of interest.

In this demo, we will be using the physical offset address to dump the file.

First, we can use Volatility filescan plugin and get the file’s equivalent physical address.

In this case, we are hunting for file name wuaumqr.exe inside our volatile memory.

Next, we use Volatility dumpfiles with -Q option.

Finally, we can view the extracted file of interest. We can now perform further analysis.

The syntax will be like:

In Windows: vol.exe -f <memorydump> --profile=<OS> dumpfiles -Q <physical_offset> -D <directory>

In Linux: python vol.py -f <memorydump> --profile=<OS> dumpfiles -Q <physical_offset> -D <directory>

#note: To get the physical address of the file, use filescan plugin from volatility.
 

The dumpfiles plugin can also extract files by a targeted search: instead of a physical offset, we give it a regex pattern that matches the name of the file of interest.

In this demo, we will be using a regex pattern to dump the file of interest.
 
The syntax will be like:
 
In Windows: vol.exe -f <memdump> --profile=<OS> dumpfiles --regex .evtx$ --ignore-case -D <directory>
In Linux: python vol.py -f <memdump> --profile=<OS> dumpfiles --regex .evtx$ --ignore-case -D <directory>
 
What this command does is:
 
First, --regex .evtx$ searches the volatile memory for cached file objects whose names match the pattern “.evtx$”, i.e. end in .evtx.
Then, --ignore-case makes that match case-insensitive.
 
#note: This approach dumps the memory-resident files matching the .evtx$ regex pattern from the volatile memory of Windows 7 and later.
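The two dumpfiles workflows above (filescan to find the physical offset, then dumpfiles -Q; or dumpfiles --regex for a name pattern) can be scripted so the offset never has to be copied by hand. The following is an added example and not code from the page or from the Volatility project; the filescan output is a constructed sample in the plugin's column layout, the image name memory.raw, the profile Win7SP1x64 and the output directory are hypothetical, and the commands are built exactly as shown on the page.

```python
import re
import subprocess

# Constructed sample in the column layout of Volatility 2 filescan output.
FILESCAN_SAMPLE = r"""
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0a4f80     16      0 R--r-d \Device\HarddiskVolume1\Windows\System32\wuaumqr.exe
0x000000003e0c2a10      2      1 RW-rw- \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
0x000000003e1b0d40      8      0 R--rwd \Device\HarddiskVolume1\Windows\System32\wuauclt.exe
"""

# Offset(P), #Ptr, #Hnd, Access, Name
FILESCAN_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S.*)$")

def find_file_offsets(filescan_text, name_pattern, ignore_case=True):
    """Return [(physical_offset, path)] for filescan rows whose path matches name_pattern."""
    wanted = re.compile(name_pattern, re.IGNORECASE if ignore_case else 0)
    hits = []
    for line in filescan_text.splitlines():
        m = FILESCAN_LINE.match(line)
        if m and wanted.search(m.group(5)):
            hits.append((m.group(1), m.group(5).rstrip()))
    return hits

def vol_base(image, profile, windows=True):
    """Front part of a Volatility 2 command line, in the form used on the page."""
    launcher = ["vol.exe"] if windows else ["python", "vol.py"]
    return launcher + ["-f", image, "--profile=" + profile]

def build_dumpfiles_cmd(image, profile, phys_offset, out_dir, windows=True):
    """dumpfiles by physical offset: the -Q workflow."""
    return vol_base(image, profile, windows) + ["dumpfiles", "-Q", phys_offset, "-D", out_dir]

def build_dumpfiles_regex_cmd(image, profile, pattern, out_dir, windows=True):
    """dumpfiles by name pattern: the --regex / --ignore-case workflow."""
    return vol_base(image, profile, windows) + ["dumpfiles", "--regex", pattern, "--ignore-case", "-D", out_dir]

def run(cmd):
    """Execute a built command and return its stdout (needs Volatility and a real image)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Stage 1: locate wuaumqr.exe in the (constructed) filescan output.
    for offset, path in find_file_offsets(FILESCAN_SAMPLE, r"\\wuaumqr\.exe$"):
        # Stage 2: build the matching dumpfiles -Q command; the image and directory are hypothetical.
        print(path)
        print(" ".join(build_dumpfiles_cmd("memory.raw", "Win7SP1x64", offset, "dumped")))
    print(" ".join(build_dumpfiles_regex_cmd("memory.raw", "Win7SP1x64", r"\.evtx$", "dumped")))
```

In practice stage 1 would read the saved filescan output (or call run() on a filescan command), and every offset returned would be fed to run() on the -Q command. Note that the pattern passed to --regex is a regular expression, so a literal dot should be escaped as in the example.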

Volatility symlinkscan

Memory Analysis using Volatility - symlinkscan


symlinkscan – a Volatility plugin that prints symbolic link objects.

Symbolic link – a file that contains a reference to another file or directory in the form of an absolute or relative path and that affects path name resolution.

MUP (Multiple UNC Provider) – a kernel-mode component responsible for channeling all remote file system accesses that use a Universal Naming Convention (UNC) name to a network redirector (the UNC provider) capable of handling the remote file system requests. MUP is involved whenever an application uses a UNC path.


During an incident, once an attacker has completed stage 1 (initial access), they may conduct reconnaissance against other systems in preparation for stage 2 (lateral movement). One way of doing so is to enumerate all SMB shares mounted from the compromised endpoint, which the attacker may do by executing WMI, net use and similar commands.

The trick to finding evidence of remotely mapped drives in memory is to look for file handles prefixed with \Device\Mup and \Device\LanmanRedirector.

The example below shows the artifacts obtained using the Volatility handles plugin together with the symlinkscan plugin.

Typically, when the attacker has performed lateral movement, the MUP entries in the handles output contain the local drive letter, the remote NetBIOS name, and the share and file system path.

Here is the shape of a MUP entry in the handles output: \Device\Mup\<drive_letter>\<net_bios_name>\<file_system_path>

You may also want to check which process ID holds the handle to the SMB share; that too can be found in the handles output.

We can also correlate the handles output with symlinkscan, which gives us the local drive letter and the creation time of the link, showing when the drive was mapped on the system.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> symlinkscan | findstr -i lanman

#note: You can correlate the results of the cmdscan, consoles, handles and symlinkscan plugins to follow the attacker's actions; this allows us to build a timeline of the events during the incident.
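The handles/symlinkscan correlation described above, as an added example that is not part of the page or of the Volatility project: it pulls the \Device\Mup and \Device\LanmanRedirector handles out of handles output, splits each into provider, drive letter, remote host and path, and attaches the drive letter's symlink creation time from symlinkscan. Both output samples are constructed in the column layout of the two plugins; the host names FILESRV01 and DC01, the paths, pids and timestamps are invented, and the \;Z:<hex> prefix form is handled alongside the plain \<drive_letter> form shown on the page.

```python
import re
from collections import namedtuple

# Constructed samples in the column layout of the Volatility 2 handles and
# symlinkscan plugins; offsets, pids, hosts, paths and timestamps are invented.
HANDLES_SAMPLE = r"""
Offset(V)          Pid    Handle     Access Type             Details
------------------ ------ ---------- ------ ---------------- -------
0xfffffa8001a2b0c0   1632       0x1c 0x100020 File             \Device\Mup\;Z:000000000001a06a\FILESRV01\finance\payroll.xlsx
0xfffffa8001c44d10   1632       0x48 0x100001 File             \Device\LanmanRedirector\;Z:000000000001a06a\FILESRV01\finance
0xfffffa8001d9e330    884       0x9c 0x100080 File             \Device\HarddiskVolume1\Windows\System32\cmd.exe
0xfffffa8001e07f00   2208       0x30 0x120089 File             \Device\Mup\DC01\SYSVOL\corp.local\scripts\logon.bat
"""

SYMLINKSCAN_SAMPLE = r"""
Offset(P)          #Ptr #Hnd Creation time            From                 To
------------------ ---- ---- ------------------------ -------------------- ----
0x000000003d4e8a20    1    0 2019-03-14 09:21:07 UTC+0000 Z:                   \Device\LanmanRedirector\;Z:000000000001a06a\FILESRV01\finance
0x000000003d5110b0    1    0 2019-03-14 08:02:44 UTC+0000 C:                   \Device\HarddiskVolume1
"""

# Offset(V), Pid, Handle, Access, Type, Details
HANDLE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S.*)$")
# \Device\Mup\;Z:<hex>\HOST\path  or  \Device\Mup\Z:\HOST\path  or  \Device\Mup\HOST\path (no drive mapped)
REMOTE_PATH = re.compile(r"^\\Device\\(Mup|LanmanRedirector)\\;?(?:([A-Za-z]):[0-9A-Fa-f]*\\)?([^\\]+)\\?(.*)$")
# Offset(P), #Ptr, #Hnd, Creation time, From, To
SYMLINK_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+\d+\s+\d+\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+)\s+(\S+)\s+(\S+)$")

RemoteHandle = namedtuple("RemoteHandle", "pid handle provider drive host path")

def parse_remote_handles(handles_text):
    """File handles that went through MUP or the LanmanRedirector, i.e. remote shares."""
    found = []
    for line in handles_text.splitlines():
        m = HANDLE_LINE.match(line)
        if not m or m.group(5) != "File":
            continue
        r = REMOTE_PATH.match(m.group(6).rstrip())
        if r:
            found.append(RemoteHandle(int(m.group(2)), m.group(3), r.group(1), r.group(2), r.group(3), r.group(4)))
    return found

def parse_drive_symlinks(symlink_text):
    """Map 'Z:' -> (creation time, target) for every symbolic link object printed."""
    links = {}
    for line in symlink_text.splitlines():
        m = SYMLINK_LINE.match(line)
        if m:
            links[m.group(3)] = (m.group(2), m.group(4))
    return links

def correlate(handles, links):
    """Attach the drive mapping time (symlink creation time) to each remote handle."""
    rows = []
    for h in handles:
        key = (h.drive + ":") if h.drive else None
        created = links[key][0] if key in links else None
        rows.append({"pid": h.pid, "provider": h.provider, "drive": h.drive,
                     "host": h.host, "path": h.path, "mapped_at": created})
    return rows

if __name__ == "__main__":
    remote = parse_remote_handles(HANDLES_SAMPLE)
    for row in correlate(remote, parse_drive_symlinks(SYMLINKSCAN_SAMPLE)):
        print(row)
```

Handles without a drive letter (the DC01 row) are UNC accesses that were never mapped to a drive, so they carry no symlink time; the pid column tells you which process touched the share, which is the second question the text raises.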

Volatility consoles

Memory Analysis using Volatility - consoles


consoles – a Volatility plugin that extracts command history by scanning for the _CONSOLE_INFORMATION structure.


 

During an incident, an attacker may perform lateral movement to gain access to the whole organization.

For us as responders, analysts and investigators, when investigating patient zero we must know which commands the attacker executed to perform such attacks and which tools they used for lateral movement.

After running the Volatility cmdscan plugin and identifying that commands used for lateral movement were executed by the attacker to compromise the system, we can use the Volatility consoles plugin to view the command history together with its output.

In this sample, we run the Volatility consoles plugin against our dumped volatile memory.

We can then see which commands were executed, and also the output of those commands.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> consoles

#note: The result of this plugin varies with the command history on the system itself. It may print a huge amount of information, in which case we can redirect the output to a .txt file on disk for a better view.

Volatility cmdscan

Memory Analysis using Volatility - cmdscan


cmdscan – a Volatility plugin that extracts command history by scanning for the _COMMAND_HISTORY structure.


 

During an incident, an attacker may perform lateral movement to gain access to the whole organization.

For us as responders, analysts and investigators, when investigating patient zero we must know which commands the attacker executed to perform such attacks and which tools they used for lateral movement.

Using the Volatility cmdscan plugin, we can extract the command-line history, which serves as breadcrumbs for following the second stage of the attack, the lateral movement.

In this sample, we execute a set of sample command lines, dump the volatile memory, and then run the Volatility cmdscan plugin against it.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> cmdscan

#note: The result of this plugin varies with the command history on the system itself. It may print a huge amount of information, in which case we can redirect the output to a .txt file on disk for a better view.

 

Volatility mftparser

Memory Analysis using Volatility - mftparser


mftparser – a Volatility plugin that scans for and parses potential MFT entries.

MFT – the Master File Table can be considered one of the most important files in the NTFS file system. It keeps a record of every file in a volume: the file's location in the directory tree, the physical location of its data on the drive, and its metadata. There is at least one entry in the MFT for every file on an NTFS volume, including the MFT itself. All information about a file, including its size, time and date stamps, permissions, and data content, is stored either in MFT entries or in space outside the MFT that is described by MFT entries.


The Volatility mftparser plugin can help the investigator answer the following questions:

      • What time was the attack delivered?
      • How long was the system compromised?
      • What was the first sign of lateral movement?
      • What data was exfiltrated?

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> mftparser

#note: You can filter this plugin's output with findstr or grep, as it returns a huge amount of data.

#note: mftparser returns a huge amount of information because it prints every file in the MFT entries it finds; the best approach is to redirect the output to a .txt file on disk for analysis.

Volatility filescan

Memory Analysis using Volatility - filescan


filescan – a Volatility plugin that prints file objects.


 

In an incident, we must know which files were extracted from the compromised systems, or which file object was responsible for infecting the system, whether a phishing document, an .exe, a .dll, etc.

Using the Volatility filescan plugin, we can search the volatile memory for file objects, including those with open handles.

These file objects include .pf, .txt, .docs, .pdf, .rar, .dll and many other file types.

Searching the volatile memory prints a lot of information, so it is best to dump the output to disk as a .txt file. For a quick view on Windows, you can filter the output with findstr; on Linux, use grep.

In this lab, we are using the Windows platform, so we pipe the output to findstr to search for specific file(s).

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> filescan | findstr -i <file_name>

Volatility privs

Memory Analysis using Volatility - privs


privs – a Volatility plugin that displays process privileges.

Privilege – the permission to perform a specific task, such as debugging a process, shutting down the computer, changing the time zone, or loading a kernel driver. Before a process can enable a privilege, the privilege must be present in the process's token. Administrators decide which privileges are present by configuring them in the Local Security Policy (LSP).

Commonly exploited privileges:

      • SeBackupPrivilege – This grants read access to any file on the file system, regardless of its specified access control list (ACL). Attackers can leverage this privilege to copy locked files.
      • SeDebugPrivilege – This grants the ability to read from or write to another process’ private memory space. It allows malware to bypass the security boundaries that typically isolate processes. Practically all malware that performs code injection from user mode relies on enabling this privilege.
      • SeLoadDriverPrivilege – This grants the ability to load or unload kernel drivers.
      • SeChangeNotifyPrivilege – This allows the caller to register a callback function that gets executed when specific files and directories change. Attackers can use this to determine immediately when one of their configuration or executable files are removed by antivirus or administrators.
      • SeShutdownPrivilege – This allows the caller to reboot or shut down the system. Some infections, such as those that modify the Master Boot Record (MBR) don’t activate until the next time the system boots. Thus, you’ll often see malware trying to manually speed up the procedure by invoking a reboot.


Running the Volatility privs plugin against a process tells us which privileges it has enabled.

This is useful when investigating a process and the privileges it holds.

It also answers the question of whether the process has the ability to operate in the kernel, i.e. whether it is able to load a kernel driver.

Depending on the enabled privileges, we can see what the process is capable of.

Our syntax will be like: vol.exe -f <mem_dump> --profile=<OS_version> privs -p <PID>

#note: Some privileges are enabled by default; the ones to focus on are those that were enabled manually.
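The note above (focus on privileges that were enabled manually rather than by default) and the question of whether a process can load a kernel driver can both be answered mechanically from the privs output. The script below is an added example, not code from the page or from the Volatility project; the privs output is a constructed sample in the plugin's column layout (Attributes is printed as a comma-separated combination of Present, Enabled and Default), the pids and process names are invented, and the watchlist is the list of commonly exploited privileges given on the page.

```python
import re

# Constructed sample in the column layout of the Volatility 2 privs plugin.
PRIVS_SAMPLE = r"""
Pid      Process          Value  Privilege                       Attributes                     Description
-------- ---------------- ------ ------------------------------- ------------------------------ -----------
    1560 IEXPLORE.EXE        20 SeDebugPrivilege                Present,Enabled                Debug programs
    1560 IEXPLORE.EXE        23 SeChangeNotifyPrivilege         Present,Enabled,Default        Receive notifications of changes to files or directories
    1560 IEXPLORE.EXE        10 SeLoadDriverPrivilege           Present                        Load and unload device drivers
    1560 IEXPLORE.EXE        19 SeShutdownPrivilege             Present,Enabled                Shut down the system
     892 services.exe        10 SeLoadDriverPrivilege           Present,Enabled,Default        Load and unload device drivers
     892 services.exe        17 SeBackupPrivilege               Present                        Back up files and directories
"""

# Pid, Process, Value, Privilege, Attributes (may be empty), Description
PRIVS_LINE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(Se\w+)\s+((?:Present|Enabled|Default)(?:,\w+)*)?\s*(.*)$")

# The commonly exploited privileges listed on the page.
WATCHLIST = {"SeBackupPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege",
             "SeChangeNotifyPrivilege", "SeShutdownPrivilege"}

def parse_privs(text):
    """One dict per privs row; attributes become a set such as {'Present', 'Enabled'}."""
    rows = []
    for line in text.splitlines():
        m = PRIVS_LINE.match(line)
        if m:
            attrs = set(m.group(5).split(",")) if m.group(5) else set()
            rows.append({"pid": int(m.group(1)), "process": m.group(2), "value": int(m.group(3)),
                         "privilege": m.group(4), "attributes": attrs,
                         "description": m.group(6).strip()})
    return rows

def explicitly_enabled(rows, watchlist=WATCHLIST):
    """Watchlisted privileges that are Enabled but not Default, i.e. enabled by the process itself."""
    return [(r["pid"], r["process"], r["privilege"]) for r in rows
            if r["privilege"] in watchlist
            and "Enabled" in r["attributes"] and "Default" not in r["attributes"]]

def can_load_driver(rows, pid):
    """Does this process hold an enabled SeLoadDriverPrivilege (the kernel question on the page)?"""
    return any(r["pid"] == pid and r["privilege"] == "SeLoadDriverPrivilege"
               and "Enabled" in r["attributes"] for r in rows)

if __name__ == "__main__":
    rows = parse_privs(PRIVS_SAMPLE)
    for pid, process, privilege in explicitly_enabled(rows):
        print("manually enabled: pid %d %s %s" % (pid, process, privilege))
    for pid in sorted({r["pid"] for r in rows}):
        print("pid %d can load a kernel driver: %s" % (pid, can_load_driver(rows, pid)))
```

A privilege that is merely Present (like SeLoadDriverPrivilege for pid 1560 in the sample) is not usable until the process enables it, so it is neither flagged nor counted as kernel-capable; a privilege that is Present,Enabled,Default was handed to the process by the token at creation and is the expected baseline the note tells us to set aside.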