Simply set the destination and the image name and press Acquire. We start Helix and go to Live Acquisition: We are using the Helix ISO to do a live capture of the RAM for our system. This plug-in helps us to find the list of services running on the system. This plug-in helps us to find the virtual addresses of registry hives in memory. ![]() This plug-in helps us to find physical addresses of registry hives in memory. These include TCP as well as UDP connections. This plug-in helps us to find out the listening socket connections during the time our memory dump was taken. The connscan plug-in helps us to find active connections as well as connections that might have been terminated. You can see this in the below screenshot: This plug-in is used to display TCP connections that were active at the time the memory dump was taken. Using connections plug-in to display TCP connections This plug-in helps to display the version information for portable executable files.įrom the above screenshot we can see the file version, product version, OS, file type, etc. Using verinfo for displaying version information Since our capture did not have any typed in commands in cmd.exe, we get no results here: This plug-in is used to find the various commands typed in locally or remotely via backdoors. Using consoles to find commands used in cmd.exe Similar to Pslist, it does not show the hidden processes. This plug-in may be used for viewing the processes in a tree form. Here are the DLLs from the hidden process smss.exe: ![]() Now we have used the offset address for smss.exe, which is 0x024f1020 and dumped the DLLs in the folder named Hidden. Here is a list of all hidden processes once again. Similarly, we can dump DLLs of a hidden process by using its offset address as shown below. We can even dump DLLs from specific processes if we figure out that a malicious process may have been running. We can see the dump of the DLLs in the directory below: vol.py –profile=WinXPSP2x86 dlldump -D -f We can dump all the DLLs for further forensic analysis using the command: The process id may be found using the pslist plug-in. To display the DLLs for all currently running processes or a particular process we use this plug-in.įor listing the DLLs for a specific process, suppose we list here the DLLs of explorer.exe, which has the process id 1484. It scans for inactive, hidden and unlinked processes by a rootkit/malware. This plug-in is mostly used for malware analysis and scanning rootkit activities. In the screenshot below we can see the details of the processor, which is a single-core processor. Each processor on a multi-core system has its own KPCR. Kpcrscan searches for and dumps potential KPCR values. A KPCR is a data structure used by the kernel to store the processor-specific data. This plug-in is used to scan for KPCR (Kernel Processor Control Region) structures. This may happen if a KDBG with an invalid PsActiveProcessHead pointer is found earlier in a sample. ![]() This is mainly helpful in clearing up confusions which might be caused if the Pslist plug-in not showing any processes in the process list. It simply scans for KDBG header signatures linked to the profiles in Volatility. This particular plug-in is designed to positively identify the correct profile of the system and the correct KDBG (kernel debugger block) address. The above screenshot shows a clear view of all the processes running during the memory dump. This plug-in gives us the option to view all running process on the particular system during which the memory dump was taken. So, if we are using Linux, we will need to create our own profile. We can see all Windows profiles here the Linux profiles will be included in future updates. Here is the list of the available profiles in Volatility. The default profile for Volatility is WinXPSP2x86 if we do not specifically set a profile. I have also explained how to take a memory dump using Helix ISO in the end of the document for the people who might be new to it.įrom the above screenshot, we can see that Volatility suggests using the profile for Windows XP SP2 x86 or Windows XP SP3 x86. We have a memory dump with us and we do not know what operating system it belongs to, so we use the imageinfo plug-in to find this out. Demo tutorialįor performing analysis using Volatility we need to first set a profile to tell Volatility what operating system the dump came from, such as Windows XP, Vista, Linux flavors, etc. It also comes pre-installed with Backtrack 5 R3, which I am presently using. The Volatility software may be downloaded from here.
0 Comments
Leave a Reply. |