This document provides an overview of tools and techniques for analyzing RAM during a digital forensic investigation. It discusses Win32dd for creating a memory dump, Volatility for parsing the dump, and the various commands Volatility provides like pslist, sockscan, connscan, and vaddump. It also mentions finding plaintext passwords and files in memory dumps. The document encourages further experimentation with RAM analysis and provides some additional specific tools.
This document provides an overview of tools and techniques for analyzing RAM during a digital forensic investigation. It discusses Win32dd for creating a memory dump, Volatility for parsing the dump, and the various commands Volatility provides like pslist, sockscan, connscan, and vaddump. It also mentions finding plaintext passwords and files in memory dumps. The document encourages further experimentation with RAM analysis and provides some additional specific tools.
This document provides an overview of tools and techniques for analyzing RAM during a digital forensic investigation. It discusses Win32dd for creating a memory dump, Volatility for parsing the dump, and the various commands Volatility provides like pslist, sockscan, connscan, and vaddump. It also mentions finding plaintext passwords and files in memory dumps. The document encourages further experimentation with RAM analysis and provides some additional specific tools.
This document provides an overview of tools and techniques for analyzing RAM during a digital forensic investigation. It discusses Win32dd for creating a memory dump, Volatility for parsing the dump, and the various commands Volatility provides like pslist, sockscan, connscan, and vaddump. It also mentions finding plaintext passwords and files in memory dumps. The document encourages further experimentation with RAM analysis and provides some additional specific tools.
Capturing RAM • HELIX • WIN32DD • FTK Imager 2.7.0 Win32dd.exe • Light Client • Included on the Helix CD in the IR folder • Can be downloaded and placed on a USB drive or a CD. • Creates a standard DD memory dump. Win32dd.exe • Standard dump syntax
• Syntax to dump local memory to an attached
F Drive.
• Win32dd /d /f F:\memdump Volatility – It’s Free • Download and install • Volatility, and Python 2.6 • Python is a scripting language and Volatility is a plug-in for that scripting language. • Make sure you throw a copy of the python executable in the volatility directory, it will make the command line a lot easier. Let’s get started • Install Python 2.6 from the class DVD
• Install Python 1.3 Beta from the Class DVD
• Place the file, memdump at the root of C:
• Create a folder at the root of C: called “evidence”
• Place a copy of Python in the Volatility directory
What can Volatility do for you • Open connections • Dump addressed memory • List running processes • List open files • Much much more • Let’s take a look at the default commands. Let get started • Move to the volatility directory
• “cd C:\volatility-1.3_Beta”
• Type “python volatility”
VOLATILITY COMMANDS Volatility command line • Syntax to run a command is listed below and the default is print to screen • python volatility (process) –f (path to image) • python volatility datetime –f C:\memdump • We can also redirect the output to txt files. • python volatility datetime –f C:\memdump > C:\Evidence\datetime.txt datetime • python volatility datetime –f C:\memdump
• Now lets create a text file
• python volatility datetime –f C:\memdump >
C:\evidence\datetime.txt pslist • PS list or process list is going to give us the reference numbers we need through the rest of the examination. • PID – Process ID • PPID – Parent process ID. Run PS list
• python volatility pslist –f C:\memdump
• Run it and direct it to a text file
• python volatility pslist –f C:\memdump >
C:\evidence\pslist.txt sockscan • This is going to list open connections by PID (Process ID) • python volatility sockscan –f C:\memdump • Dump it to a file • python volatility sockscan –f C:\memdump > C:\evidence\sockscan.txt connscan • This will give you a list of open connections and IP addresses • python volatility connscan –f C:\memdump Other useful commands to try on your own • files, will dump a list of open files.
• dlllist, will print the open dll files.
• ident, will print the image information.
VAD Dump • We’re going to dump the address space for every process in to a RAW file that we can then search. • This will take up about the same amount of space as your image. • Syntax is a bit different for the output • Python volatility vaddump –f C:\memdump –d C:\evidence\ Virus Virus • Windows Defender loads some virus signatures in to RAM and Windows Defender is actually hitting on it’s own virus signatures that we just carved out of RAM. • I sent Microsoft the list and they confirmed that the items I hit on were the one’s they load. Pull the entire Evidence folder in to EnCase as single files. • Lets search for some key words • Passwd.
Does “%55%53%53%53%45%43%54%46%39%21%40” Look familiar, it should, that’s google talk storing our password as hex in plan text, let convert. • 55=U • 53=S • 53=S • 53=S • 45=E • 43=C • 54=T • 46=F • 39=9 • 21=! • 40=@ • Password for google talk and gmail account of, [email protected] is, “USSSECTF9!@” We find some plain text in a the WINWORD DUMP FILE. We find an entire txt file in the dump of the Notepad file. Volatility Enscripts • Takahiro Haruyama's Memory Forensics Toolkit. • http://cci.cocolog- nifty.com/blog/2010/02/encase-enscri-1.html
• Article about HB Gary missing rootkits
• http://cci.cocolog- nifty.com/blog/2010/02/hbgary-responde.html EnScripts Cont. • Open the ZIP File, copy the three folders in to your, • C:\Program Files\EnCase6\Enscript” Directory FTK3 RAM Analysis Next steps • This is just a preliminary introduction to Volatility, and I encourage you to play with some of the other processes like memdmp. • Some other tools that can help with RAM analysis are “strings” from sysinternals which can take your memdmp output and kick out the unicode to a text file. • I am far from an expert, but let me know if I can help with anything. Other Specific Tools • Skypeex, will run against a strings file and will dump skype chat files (Included with DVD) • Pdgmail, gmail from RAM. (www.jeffbryner.com/code/pdgmail)
