A little bit of volatility notes…

Wednesday, 2. May 2012

I want to review some notes from another previous Digital Forensics challenge. I will not present anything in here that no one hasn’t seen somewhere else and this is NOT  A REAL FORENSICS investigation and nor am I a real forensics expert or professional. I’m a student learning providing some of the very little I know.

I am only putting up notes if you actually want the reports and evidence files I used, please just ask and I would be glad to put them up. Honestly I have never done anything with volatility up until this point and this was the first rabbit hole I really went down in the field of forensics. I have played with a lot of forensics tools by I am by no means an expert. This is also stuff from last November.

These commands are for some people who want to get started with some really awesome memory forensics.

Using Volatility 2.0 inside a Backtrack 5 Virtual machine Run by VMWare Workstation 8  I ran the following commands  to obtain software information like running processes, dll, connections, and sid information and exported the information to report text files.

root@bt:~/Desktop/volatility-2.0#python vol.py psscan -f /root/Windows-XP-Professional.vmem –output-file=Report_Psscan.txt

root@bt:~/Desktop/volatility-2.0# python vol.py pslist -f /root/Windows-XP-Professional.vmem –output-file=Report_Pslist.txt

root@bt:~/Desktop/volatility-2.0# python vol.py connections -f /root/Windows-XP-Professional.vmem –output-file=Report_Connections.txt

root@bt:~/Desktop/volatility-2.0# python vol.py dlllist -f /root/Windows-XP-Professional.vmem –output-file=Report_Dlllist.txt

root@bt:~/Desktop/volatility-2.0# python vol.py getsids -f /root/Windows-XP-Professional.vmem –output-file=Report_getsids.txt

 

 

Then I used Volatility 1.3 with updated plugins and the following software in Volatility

Imaging-1.1.7

Inline-0.48_01

libdasm-1.5

Inline-Python-0.39

Pycrypo-2.0.x

Yara-1.4

Yara-python-1.4a

Pefile-1.2.10-63

volreg-0.6.tar.gz

volrip-0.1.tar.gz

by running the get_plugins.bsh script Author: Jamie Levy (gleeda)

Distorm3

Registry Ripper

 

root@bt:/Volatility# python volatility psscan2 -d -f /root/Windows-XP-Professional.vmem > /root/psscan2.dot

-psscan2.dot provides a processtree image in doty format to help understand running processes.

root@bt:/Volatility# python volatility screenshot -f /root/Windows-XP-Professional.vmem

Saving screenshot to 600.858ecda8.png

-screenshot plugin allows the creation of a screenshot for what the computer screen looked like at the time of the capture

 

python volatility hivelist -o 107563872 -f /root/Windows-XP-Professional.vmem > /203Report/Hivelist-Report.txt

–          The hivelist command locates where the registry hive files reside in memory so we can run registry ripper against them.

 

The following commands where used to export system hive file reports with reg ripper against the provided system hive files because his program can examine registry hive files and export evidence reports into easy to read text format documents.

perl rip.pl -r /root/Windows-XP-Professional.vmem@0xe1cc2008 -f ntuser > /203Report/NTUSER-dat-01-Report.txt

perl rip.pl -r /root/Windows-XP-Professional.vmem@0xe10ea820 -f ntuser > /203Report/NTUSER-dat-02-Report.txt

perl rip.pl -r /root/Windows-XP-Professional.vmem@0xe10aab60 -f ntuser > /203Report/NTUSER-dat-03-Report.txt

perl rip.pl -r /root/Windows-XP-Professional.vmem@0xe15a3a80 -f software > /203Report/software-Report.txt

perl rip.pl -r /root/Windows-XP-Professional.vmem@0xe1580448 -f sam > /203Report/Sam-Report.txt

perl rip.pl -r /root/Windows-XP-Professional.vmem@0xe15834b8 -f security > /203Report/Security-Report.txt

perl rip.pl -r /root/Windows-XP-Professional.vmem@0xe1035b60 -f system > /203Report/System-Report.txt

 

root@bt:/Volatility# python volatility window_list -f /root/Windows-XP-Professional.vmem > /203Report/Windows_List-Report.txt

–          The windw_list command allows us to export everything that was on the users screen at the point and time of capture of the memory image that answers the windows list question in the challenge.

I ran a lot of other stuff just looking around but this is some of the cool parts I wanted to highlight. Maybe I will put some more stuff out after I do a list of other things I want to do.

 

 

 

Tool Information

 

Cool Links to check out with more details and the real goods.

Type      Name    Publisher

Open Source      Volatility 2.0 + Volatility 1.3          Google Code

Site: http://code.google.com/p/volatility/

 

Type      Name    Publisher

Open Source      Backtrack 5         Backtrack Linux

Site: http://www.backtrack-linux.org/backtrack/backtrack-5-release/

 

Type      Name    Publisher

Commercial       VMWare Workstation 8                VMware

Site: http://www.vmware.com/products/workstation/overview.html

 

 

Type      Name    Publisher

Open Source      Imaging-1.1.7

Fredrik Lundh

Site: http://effbot.org/downloads/

 

Type      Name    Publisher

Open Source     Inline-0.48_01

Brian Ingerson

 

Site: http://search.cpan.org/~sisyphus/Inline-0.48_01/

 

 

Type      Name    Publisher

Open Source      Inline-Python-0.39

Ange Albertini – Google Code

Site: http://code.google.com/p/libdasm/updates/list

 

Type      Name    Publisher

Open Source     Pycrypo-2.0.1

A.M. Kuchling

Site: http://www.amk.ca/python/code/crypto.html

 

Type      Name    Publisher

Commercial       Yara-1.4

Google Code – Victor Manuel Alvarez

Site: http://code.google.com/p/yara-project/downloads/list

 

 

Type      Name    Publisher

Open Source     Yara-python-1.4a

Google Code – Victor Manuel Alvarez

Site: http://code.google.com/p/yara-project/downloads/list

 

Type      Name    Publisher

Open Source     Pefile-1.2.10-63

Ero Carrera

Site: http://code.google.com/p/pefile/

 

 

Type      Name    Publisher

Open Source     volreg-0.6.tar.gz

PUSH THE RED BUTTON – MOYIX

Site: http://www.cc.gatech.edu/~brendan/volatility/

 

 

Type      Name    Publisher

Open Source     volrip-0.1.tar.gz

PUSH THE RED BUTTON – MOYIX

Site: http://www.cc.gatech.edu/~brendan/volatility/

 

 

 

Type      Name    Publisher

Open Source     Distorm3

Google Code – Gil Dabah

Site: http://code.google.com/p/distorm/

 

Type      Name    Publisher

Open Source      Registry Ripper v2.02      Harlan Carvey

Site: http://regripper.wordpress.com/program-files/

 

 

Screenshot Plugin output of the challenge

Registry Forensic Analysis DC3 302 2011 Challenge

Friday, 13. April 2012

I told you I would be back in no time with another dig from the archive on a file server it took me like 20 minutes to get 2 on my own network. It’s a long story but let’s say me and my virtual XTMv Watchguard firewall are not getting along. I set up a new ESXi box on my HP xw8400 workstation with the new raid card and transferred over my AD while my XTMv box got angry.

Back to forensics I actually going up the list only 1 step from last night to the 302 challenge from DC3 2011. This is the Shadow Volume Win7 Registry Analysis which was actually one of my favorites. Since the case is a registry case I used Harlan Carvey Registry Ripper v2.02 (regripperplugins_20110830.zip – version of plugins) against the provided system hive files because his program can examine registry hive files and export evidence reports into easy to read text format documents.

The challenge called for the following information provided by the Department of Defense.

I would later go on to do it with one of my favorite programs of 2011 Registry Decoder but I will save that for another post down the road because I plan to go much more into detail.

Description: Examiners must develop and document a methodology used to determine, from the provided Windows registry files obtained from a subject’s computer (used to create the 400 – Shadow Volumes Analysis Challenge), a method for detecting items of interest in the system Registry files.  Items of interest are any items that would be non-standard or not normally found on a majority of computers; or those items that indicate activity or awareness of the user that may be of interest to the investigation.

Report the exact registry key path for each item of interest listed below with any additional entry information.  Include a detailed explanation of your processes (software or technique) used to examine and detect the information, and the reason for your selections.

Examiners must also be concerned with recording a detailed methodology of the steps and recording the tools used to accomplish the task as part of their grade.”

Methodology

Notes:

Commands are highlighted in Bold Font

Selections are highlighted with Italic Text

File Hives where placed in the directory 302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\

Spaces where edited out of directory and file names to avoid command line errors(well I’m lazy and like to avoid the pain of “ “ )

I opened (with administrative privileges) the command prompt (cmd.exe) and ran the following commands.

Cd C:\Regripper

rip -r C:\302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\NTUSER.dat -f ntuser >> C:\302-Shadow-Volume-Win7-Registry-Analysis\Registry-Ripper-Report-NTUSER-dat.txt

rip -r C:\302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\System -f system >> C:\302-Shadow-Volume-Win7-Registry-Analysis\Registry-Ripper-Report-System.txt

rip -r C:\302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\software -f software >> C:\302-Shadow-Volume-Win7-Registry-Analysis\Registry-Ripper-Report-Software.txt

rip -r C:\302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\sam -f sam >> C:\302-Shadow-Volume-Win7-Registry-Analysis\Registry-Ripper-Report-Sam.txt

rip -r C:\302-Shadow-Volume-Win7-Registry-Analysis\Files\Hives\security -f security >> C:\302-Shadow-Volume-Win7-Registry-Analysis\Registry-Ripper-Report-Security.txt

Alright to reduce the massive amount of information I blast into these I will provide simple short links if you want to get into the nuts and bolts of my results. Please feel free to use some of my commands in your own investigation or practice. I will warn there are far more powerful features but in this case it wasn’t really required to go after any special registry keys that the Great DFIR community hasn’t already covered for newbs like me to be able to use.

Key Files of Interest: Files of Interest 302

Registry-Ripper-Report-NTUSER-dat Registry-Ripper-Report-NTUSER-dat

Registry-Ripper-Report-Sam Registry-Ripper-Report-Sam

Registry-Ripper-Report-Security Registry-Ripper-Report-Security

Registry-Ripper-Report-Software Registry-Ripper-Report-Software

Registry-Ripper-Report-System Registry-Ripper-Report-System

Alright I tried to keep the post a little shorter for browser friendly kindness. If anyone has suggestions please feel free to contact me on twitter, G +, or email me at wyattroersma@gmail.com. I would recommend leaving comments and feedback if you have something you want to see or possibly see something I could be doing better. I Love feedback because I can’t fix what’s broken if I’m blind from the problem.

Want more Registry Forensics information? Go buy the latest version of Windows Registry Analysis Book by the RR creator himself http://www.amazon.com/Windows-Registry-Forensics-Advanced-Forensic/dp/1597495808.

If your to lazy and not convinced then go check out the start of it http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf.  I mean if you enjoyed my mini low level post at all then this will be the perfect bunny hole to chase down to feed the information monster inside.

In the coming days I will be posting some more Digital Forensics Challenge madness from my long endless nights of trying to figure this crap out. So please stay tuned as I will be going into Registry Decoder (Andrew Case doesn’t know it yet but I’m pretty sure I can get some comments from him about how it all came to be from the beginning) It will be a good dive into Registry Decoder which recently got nominated for Digital Forensics Software of the year, it will be a close race with Log2Timeline. I mean the log will prolly take it with the amount of power it offers.

Alright I’m finally off to do something along the lines of learning from this web thing. Turns out it can really take the time out of your life.

A final Note:

Follow @keydet89 for the Registry Goodies

Data Recovery DC3 2011 Challenge 303

Thursday, 12. April 2012

I felt like actually putting something out on a website I took down months ago. I have been busy with life crap, school and work. I am here to bring the return of my blog with a little guide or Methodology if you will of a DC3 challenge I did last year for 2011. If you are unfamiliar with the challenge what are you waiting for, a sign? well here is your Link http://dc3.mil/challenge/2012/

To get things into perspective of what the investigation indicated here is the Challenge instructions:

 

“Description: Examiners must develop and document a methodology used to examine and recover the contents of unallocated media.

The media in this instance is an image of unallocated space from a USB thumb drive.  Points will be awarded for recovering files from the image of that unallocated space and for providing the file(s) and any information on the recovered data.

Points will be awarded for the accomplishment in locating and providing the information requested, and the degree that you successfully accomplish this task.

Examiners must also be concerned with recording a detailed methodology of the steps and recording the tools used to accomplish the task as part of their grade.”

That basically cover what they instructed me to do. It also came with a raw image file “Memorex-TD-Classic.dd”

So for those looking for the quick results here they are in a CSV – Report file Files.cvs (Filelist )

If you care about how I got there well I’m getting there.

Frist a reference of all the things others created in order for a Noob like me to be able to pull something like this off.

Tools Information:

HxD – Hexeditor Version 1.7.7.0 http://mhnexus.de/en/hxd/

testdisk-6.13  – http://www.cgsecurity.org/wiki/TestDisk_Download/

FTK Imager v3.0.1.1467 http://accessdata.com/support/adownloads#FTKImager

 

Methodology

Notes:

Commands are highlighted in Bold Font

Selections are highlighted with Italic Text

The first thought I had was to export the file from the packed rar file they provided us to download. It also came with a provided MD5 Hash so I checked that to make sure it was the right file. (If you don’t know how to file hash I will be posting a how to later, hopefully most reading at least know this much)

I also try to use free programs for the most part however its sometimes has a place to actually use something that costs a little bit of coin.

For the Analysis my first instinct was to open the file in a hex editor and start poking around for information regarding the goodies we can use to recover it with as little effort as possible.

Hex Editor Analysis

I first started by renaming the provided file for process functionality from Memorex TD Classic to Memorex-TD-Classic which helps  avoid space errors in some programs. I also created the folder named “303” on the root of my C: drive. I then saved the new Memorex-TD-Classic in directory C:\303\Files.

I then open the file in Hexeditor Version 1.7.7.0 and examined the file and the first important evidence I came across was at offset: 0x00001803 hex value 45 58 46 41 54 which is “EXFAT” in ANSI which indicates a EXFAT file system used to be present on this image.

Understanding that exFAT file systems contain a boot sector for recovery purposes I decided to try and see if I could recover the entire image by restoring the boot sector so the computer could recognize the device. I mean why it would not be this easy to begin with.

I know of a nice little awesome program called testdisk that would easily allow me to pull this off if the recovery boot sector will work. (Note you can manually sure for the header of the boot record but I already knew it was there through my first trial solution that didn’t work)

Testdisk

A testdisk-6.12 program created by Christophe GRENIER has the ability to recover these types of file systems.

Step 1 in testdisk:

I placed this program into C:\303\ testdisk-6.13-WIP directory for organizational reasons. I opened (with administrative privileges) the command prompt (cmd.exe) and ran the following commands.

C:\Users\Triple>cd C:\303\testdisk-6.13-WIP

C:\303\testdisk-6.13-WIP>testdisk_win C:\303\Files\Memorex-TD-Classic.dd

(Screen shot  of step 1 commands)

Step 2: Select a media type

I then selected >Disk C:\303\testdisk-6.13-WIP>testdisk_win C:\303\Files\Memorex-TD-Classic.dd -515MB /492 MiB

(Screenshot Step 2 in testdisk: Select a media type)

Step2

Step 3: Please select the partition table type, press Enter when done

I selected the >[ None ] Non partitioned media because the structure is not any of the other listed formats and also a corrupted format.

(Step 3: Please select the partition table type, press Enter when done)

Step 4: Boot Sector Recovery

I then selcted the >[ boot ] Boot sector recovery option on the currently selected file Memorex-TD-Classic.dd.

(Screenshot Step 4: Boot Sector Recovery)

Step 5: Advanced File system Utility’s

I then selected >[ Advanced ] Filesystem Utils

(Screenshot Step 5: Advanced File system Utility’s )

Step 6: Copy backup superblock over superblock

Because the backup boot record is “exFAT OK” there is a boot sector backup that can be written to the main boot sector in order to restore the data in case the main boot record is damaged.

I then selected >[ Backup BS ] Copy backup superblock over superblock

 

Step 7: Copy backup exFAT boot record over main boot record, confirm? (Y/N)

Confirm the option to right the backup in order to recover the image

***Warning this will write to Evidence file

Type Y >Enter to confirm (Screenshot Confirmation screen)

Exit testdisk

FTK Imager

I then turned to AccessData product FTK Imager v3.0.1.1467 in order to mount the recovered image and export the file system in order to ensure the recovery worked.

Adding the image file C:\303\Files\Memorex-TD-Classic.dd

I then selected and right clicked the TD Classic [exFAT] to export a file hash list to C:\303\Files\Filelist.csv

I then selected the TD Classic [exFAT] to export a files… to C:\303\Files\ Memorex-TD-Classic this is evidence files exported from the image file showing that the image is intact after a unallocated file recovery.

 

You can review the Exported CSV I provided earlier but that is about it and all it took to perform a nice littler repair on some data. If anyone seen anything I missed/did wrong/ could do better please leave a comment and I will be sure to make a note of it and update the guide if need be. A few quick shout outs before I sign off into other random project I do.

I used Evernote for the documentation process and taking the screenshots. http://www.evernote.com/ if you haven’t installed it yet go ahead and give it a try, more than likely you will love it as well.

Also a quick shout out to Mark McKinnon, Andrew Case, and the others that helped me figure challenges out. The forensics community is amazing and extremely helpful when you reach out for it.

Later I’m out.