JL's stuff

Volatility 2.0: Timeliner, RegistryAPI, evtlogs and more

2011-09-13T08:26:00.007-04:00

Back in July I gave a talk at OMFW about extracting timeline data from a memory sample using the Volatility framework. Now has come the time to release the plugins that came along with that talk.

In addition to the plugins I have included a whitepaper on how these plugins were created and used. It is released more in hopes that people will see how to use the framework and be able to write their own plugins or extend existing ones.

I have included all these plugins in a zip file:

$ unzip -l timeliner_9-2011.zip
Archive: timeliner_9-2011.zip
Length Date Time Name
-------- ---- ---- ----
14455 09-28-11 14:40 volatility/plugins/timeliner.py
10789 09-27-11 09:24 volatility/plugins/evtlogs.py
147458 09-09-11 11:03 volatility/plugins/malware.py
13559 09-22-11 19:09 volatility/plugins/registryapi.py
8554 09-18-11 21:33 volatility/plugins/getsids.py
40993 09-22-11 16:29 volatility/plugins/getservicesids.py
-------- -------
235808 6 files

evtlogs.py: plugin to parse Evt logs from XP/2K3
registryapi.py: plugin for routine registry actions
getservicesids.py: plugin to collect and calculate service SIDs (used with the new getsids and evtlogs
timeliner.py: the timeline creating script that pulls everything together

MHL's malware malware plugins (malware.py) are included only for convenience. You can also download them from his repository and check there for updates.

I would like to thank MHL and AW for their valuable feedback and Bertha M for extensive testing of the timeliner plugins. The links to the paper and plugins are below:

Timeliner Release Documentation (PDF)

timeliner plugins (ZIP)

Note: Any updates to these plugins will appear in my github repository first.

Volatility 2.0 and OMFW

2011-08-08T14:27:00.003-04:00

In case you missed it, Volatility 2.0 has been released! Please download it and test it out and let us know if you have any problems via the "issues area" of the Google Code project. We have lots of documentation and for those on Windows who don't like to install Python, there is a standalone executable available in the downloads section. Make sure to check out the FAQ wiki which contains information on what is supported and how to use MHL's malware plugins.

Some OMFW materials have been released:

Moyix's slides (pdf).
MHL's Stuxnet blogpost and slides.
My slides (google docs)

You can help with the development of Volatility by giving us suggestions for plugins, writing documentation or donating malware samples. Check out the FAQ for how to do all of the above.

Volatility 1.4 UserAssist plugin

2011-04-30T22:17:00.003-04:00

From a computer forensics standpoint, userassist keys can provide a lot of information about user activity (see the Harlan's posts for more information).

After looking at Didier Steven's article on userassist keys for Windows 7 from Into the Boxes issue 0x0 and RegRipper, I decided to write up a plugin that would pull out UserAssist keys from all versions of windows for Volatility.

One thing I decided to add was an enumeration of GUIDs to human friendly folder names, which were obtained from here.

The plugin is available in my git repository. Simply download and place into your volatility/plugins directory and you're set.

Update: This plugin is now part of the core Volatility code

Example Output

Below you can see some snippets of output for Windows 7. The fields are pretty self explanatory, though you can read Didier Steven's article for more details. The hex dump is the actual data from which this information was parsed, just so you can verify it yourself.

$ ./vol.py -f win7.vmem --profile=Win7SP0x86 userassist --no-cache
Volatile Systems Volatility Framework 1.4_rc1
----------------------------
Registry: \??\C:\Users\admin\ntuser.dat
Key name: Count
Last updated: 2010-07-06 22:40:25

Subkeys:

Values:
REG_BINARY Microsoft.Windows.GettingStarted :
Count: 14
Focus Count: 21
Time Focused: 0:07:00.500000
Last updated: 2010-03-09 19:49:20

0000 00 00 00 00 0E 00 00 00 15 00 00 00 A0 68 06 00 .............h..
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF EC FE 7B 9C ..............{.
0040 C1 BF CA 01 00 00 00 00 ........

REG_BINARY UEME_CTLSESSION :
Count: 187
Focus Count: 1205
Time Focused: 6:25:06.216000
Last updated: 1970-01-01 00:00:00

0000 00 00 00 00 BB 00 00 00 B5 04 00 00 B4 90 60 01 ..............`.
0010 10 00 00 00 39 00 00 00 E9 67 28 00 7B 00 44 00 ....9....g(.{.D.
0020 36 00 35 00 32 00 33 00 31 00 42 00 30 00 2D 00 6.5.2.3.1.B.0.-.
0030 42 00 32 00 46 00 31 00 2D 00 34 00 38 00 35 00 B.2.F.1.-.4.8.5.

[snip]

REG_BINARY %windir%\system32\displayswitch.exe :
Count: 13
Focus Count: 19
Time Focused: 0:06:20.500000
Last updated: 2010-03-09 19:49:20

0000 00 00 00 00 0D 00 00 00 13 00 00 00 60 CC 05 00 ............`...
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF EC FE 7B 9C ..............{.
0040 C1 BF CA 01 00 00 00 00 ........

REG_BINARY %windir%\system32\calc.exe :
Count: 12
Focus Count: 17
Time Focused: 0:05:40.500000
Last updated: 2010-03-09 19:49:20

0000 00 00 00 00 0C 00 00 00 11 00 00 00 20 30 05 00 ............ 0..
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF EC FE 7B 9C ..............{.
0040 C1 BF CA 01 00 00 00 00 ........
........

REG_BINARY Z:\vmware-share\apps\odbg110\OLLYDBG.EXE :
Count: 11
Focus Count: 266
Time Focused: 1:19:58.045000
Last updated: 2010-03-18 01:56:31

0000 00 00 00 00 0B 00 00 00 0A 01 00 00 69 34 49 00 ............i4I.
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF 70 3B CB 3A ............p;.:
0040 3E C6 CA 01 00 00 00 00 >.......

REG_BINARY %ProgramFiles%\Microsoft SDKs\Windows\v7.0\Bin\vsstools\vshadow.exe :
Count: 0
Focus Count: 67
Time Focused: 0:06:12.811000
Last updated: 1970-01-01 00:00:00

0000 00 00 00 00 00 00 00 00 43 00 00 00 57 AE 05 00 ........C...W...
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 ........

REG_BINARY %windir%\regedit.exe :
Count: 2
Focus Count: 8
Time Focused: 0:03:22.626000
Last updated: 2010-03-17 23:40:36

0000 00 00 00 00 02 00 00 00 08 00 00 00 8E 15 03 00 ................
0010 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0020 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF ................
0030 00 00 80 BF 00 00 80 BF FF FF FF FF 90 3A 93 3E .............:.>
0040 2B C6 CA 01 00 00 00 00 +.......

Here you can see an example of output from Windows XP:

$ ./vol.py -f XPSP3.vmem --profile=WinXPSP3x86 userassist --no-cache
Volatile Systems Volatility Framework 1.4_rc1
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\Administrator\NTUSER.DAT
Key name: Count
Last updated: 2010-11-24 16:35:34

Subkeys:

Values:
REG_BINARY UEME_CTLSESSION :
0000 91 52 5B 0E 1F 00 00 00 .R[.....

REG_BINARY UEME_CTLCUACount:ctor :
ID: 1
Count: 2
Last updated: 1970-01-01 00:00:00

0000 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................

REG_BINARY UEME_RUNPATH :
ID: 31
Count: 589
Last updated: 2010-11-24 16:30:49

0000 1F 00 00 00 52 02 00 00 A0 91 09 F4 F4 8B CB 01 ....R...........

REG_BINARY UEME_RUNPATH:D:\SETUP.EXE :
ID: 30
Count: 6
Last updated: 2010-09-20 15:02:47

0000 1E 00 00 00 0B 00 00 00 E0 85 39 E3 D4 58 CB 01 ..........9..X..

REG_BINARY UEME_RUNPIDL :
ID: 31
Count: 124
Last updated: 2010-11-24 14:19:29

0000 1F 00 00 00 81 00 00 00 50 78 79 9B E2 8B CB 01 ........Pxy.....

REG_BINARY UEME_RUNPIDL:%csidl2%\Microsoft Visual Basic 6.0 :
ID: 1
Count: 2
Last updated: 2009-05-12 02:28:10

0000 01 00 00 00 02 00 00 00 B0 1E DB 4A A9 D2 C9 01 ...........J....

REG_BINARY UEME_RUNPATH:C:\Program Files\Microsoft Visual Studio\VB98\VB6.EXE :
ID: 1
Count: 1
Last updated: 2009-05-12 02:28:10

0000 01 00 00 00 06 00 00 00 50 62 FC 4A A9 D2 C9 01 ........Pb.J....

REG_BINARY UEME_RUNPIDL:C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk :
ID: 1
Count: 1
Last updated: 2009-05-12 02:28:36

0000 01 00 00 00 06 00 00 00 F0 D0 A1 5A A9 D2 C9 01 ...........Z....

REG_BINARY UEME_RUNPATH:C:\WINDOWS\system32\wupdmgr.exe :
ID: 31
Count: 2
Last updated: 2010-11-24 14:50:05

Shoutz to ikelos for helping me optimize this :-)

References:

Into the Boxes issue 0x0 http://intotheboxes.wordpress.com/2010/01/01/into-the-boxes-issue-0x0/

RegRipper http://regripper.wordpress.com/

What's the Difference? [A Brief Volatility 1.4 Plugin Tutorial]

2011-04-05T10:11:00.014-04:00

So if you come to this blog, you've most likely heard of Volatility. You're probably also a user... maybe you've written some plugins, maybe not. Most people tend to fall into the latter category, though they may be be power users. Today I thought I'd go over a few things that might make it easier for people to start writing their own plugins for simple useful things, because even though the Volatility 1.4 isn't officially released doesn't mean that you can't enjoy it in the meantime :-)

A common way that people start their analysis is to look at differences in output of plugins that represent what the OS knows about (pslist/modules/connections/sockets etc) vs scanning for possible hidden/unlinked items. Examples of this can be seen in Jesse Kornblum's pstotal, Command Line Kung Fu's Making a Difference and MHL's psxview (which actually is very useful).

If you look at some of these examples, you might think to yourself that it's difficult to write a plugin to get a process difference, but it's really not! You can use inheritance to make your life easier.

PSList vs. PSScan2

Below is a complete plugin for printing out the difference between pslist and psscan2, which we will go over in detail.


  1 import volatility.plugins.taskmods as taskmods
  2 import volatility.plugins.filescan as filescan
  3 
  4 class PSDiff(filescan.PSScan2):
  5     """Print processes found in psscan2, but not in pslist"""
  6     
  7     def __init__(self, config, *args):
  8         filescan.PSScan2.__init__(self, config, *args)
  9     
 10     def calculate(self):
 11         pslist = taskmods.PSList(self._config).calculate()
 12         pids = []
 13         for task in pslist:
 14             pids.append(task.UniqueProcessId.v())
 15         
 16         psscan = filescan.PSScan2.calculate(self)
 17         for task in psscan:
 18             if task.UniqueProcessId.v() not in pids:
 19                 yield task

First you need to import the plugin files that contain the classes you want to inherit into your plugin file. In this case PSList is defined in volatility/plugins/taskmods.py and PSScan2 is defined in volatility/plugins/filescan.py. You can see the import in lines (1-2). Now you have to define the class for your plugin (line 4). Try to give it a meaningful name for what it does, here we will name it PSDiff. Classes should be named in CamelCase. In the parentheses after the class name we will specify which classes we want to inherit. Since we want processes that are only found in psscan2 output, we will use the render_text output function of psscan2 without having to redefine it. Therefore, since we want for our new class to be more like psscan2, we choose this class to inherit. We specify it as filescan.PSScan2 because we had imported the plugin file as "filescan" and the class for pssscan2 is named "PSScan2".

Next on line 5, we add a description of what this plugin does as a multiline comment. Whatever you type here will appear in the help function when you run python vol.py [plugin] -h, or just python vol.py -h.

Lines 7-8 are the initialization and options section of the plugin. We are not adding any command line options to this plugin and are just initializing the PSScan2 class that we inherited.

Lines 10-19 define the calculate part of our plugin, or what we want the plugin to do. In this case we only want to print out processes that are found by psscan2 and not pslist, so should decide how to do that... Since processes should have unique process IDs (PIDs) to specify unique processes. So PIDs that are found in psscan2, but not in pslist will be printed.

Let's walk through the calculate function. First we gather all processes that pslist knows about (line 11). We call the taskmods.PSList class, give it our configuration (self._config) so that it can know what profile to use and call its calculate function, which returns eprocess objects (and really is just DllList's calculate function, but we'll ignore that for now). In line 12, we define an empty list to store PIDs from pslist in order to compare to psscan2's PIDs. Lines 13-14 collect all the PIDs pslist knows about.

Now lines 16-19 repeat the process for psscan2 except that instead of collecting PIDs into a list, we check to see if the PID we've encountered is already in the list of PIDs from pslist. If it isn't, then we yield the task that contains that PID so that it will be caught by psscan2's render_text function and output onto the screen.

The output? Here you can see what it looks like on a Windows 7 image:

$ python vol.py -f win7.dd --profile=Win7SP0x86 psdiff
Volatile Systems Volatility Framework 1.4_rc1
Offset Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
0x3eac6030 SearchProtocol 2448 1168 0x3ecf15c0 2010-06-16 23:30:52 2010-06-16 23:33:14
0x3eb10030 SearchFilterHo 1812 1168 0x3ecf1480 2010-06-16 23:31:02 2010-06-16 23:33:14
0x3f0576a0 svchost.exe 2836 508 0x3ecf15c0 2010-06-16 17:02:34 2010-06-16 17:08:43
0x3faa66e8 dllhost.exe 948 628 0x3ecf1540 2010-06-16 23:32:15 2010-06-16 23:32:21
0x3fbcf920 dllhost.exe 3776 628 0x3ecf11e0 2010-06-16 23:32:09 2010-06-16 23:32:15

The only difference in this case seems to be exited processes.

Here you can see a run on Moyix's ds_fuzz image:

$ python vol.py -f ds_fuzz_hidden_proc.img psdiff
Volatile Systems Volatility Framework 1.4_rc1
Offset Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- ------------------------ ------------------------
0x0181b748 alg.exe 992 660 0x08140260 2008-11-15 23:43:25
0x0185dda0 cmd.exe 940 1516 0x081401a0 2008-11-26 07:43:39 2008-11-26 07:45:49
0x018af020 taskmgr.exe 808 620 0x08140280 2008-11-26 07:45:22 2008-11-26 07:45:40
0x019456e8 csrss.exe 592 360 0x08140040 2008-11-15 23:42:56
0x01946020 svchost.exe 828 660 0x081400c0 2008-11-15 23:42:57
0x019467e0 services.exe 660 616 0x08140080 2008-11-15 23:42:56
0x0194f658 svchost.exe 1016 660 0x08140100 2008-11-15 23:42:57
0x019533c8 svchost.exe 924 660 0x081400e0 2008-11-15 23:42:57

Suppose you are concerned that a PID could have been overwritten somehow (DKOM). You could rewrite the plugin to use _EPROCESS offsets instead of PIDs for a check:


  1 import volatility.plugins.taskmods as taskmods
  2 import volatility.plugins.filescan as filescan
  3 
  4 class PSDiff(filescan.PSScan2):
  5     """Print processes found in psscan2, but not in pslist"""
  6 
  7     def __init__(self, config, *args):
  8         filescan.PSScan2.__init__(self, config, *args)
  9 
 10     def calculate(self):
 11         pslist = taskmods.PSList(self._config).calculate()
 12         offsets = []
 13         for task in pslist:
 14             offsets.append(task.obj_vm.vtop(task.obj_offset))
 15 
 16         psscan = filescan.PSScan2.calculate(self)
 17         for task in psscan:
 18             if task.obj_offset not in offsets:
 19                 yield task

The changes are in lines 12, 14 and 18. The idea is the same as our PID plugin above, only with offsets. So we rename our list to offsets to make it clearer (line 12). We append the physical address of where our _EPROCESS object is found (line 14), this is because scanners like psscan2 only output physical addresses so we want to make sure that the addresses from pslist are the same. In line 18 we check to see if our _EPROCESS object offset found by psscan2 is already found by pslist and if not we yield it so that its information will be printed. Output is the same as what we saw above for our two test images.

Conclusion

So there you have it. You can use the same idea for comparing output from modules and modscan, connections and connscan2, sockets and sockscan or files and filescan etc... (I'm leaving this as an exercise for the reader ;-)).

You can check also out the references below for further reading on Python and Volatility. Make sure to read the Volatility Plugin Writers Guide that Mike Auty and Scudette put together.

Update: I just noticed that MHL also gave the Command Line Kung Fu crew a psdiff example. You can check out another way of doing things over there.

Update 2: I just updated the code to work with the current changes in the svn (we moved psscan2 to filescan).

References

Google Python Class http://code.google.com/edu/languages/google-python-class/

Python 2.7 Tutorial http://docs.python.org/tutorial/

Volatility Plugin Writers Guide http://code.google.com/p/volatility/wiki/PluginWritersGuide

OT: Maze Generator Update

2011-04-04T12:16:00.008-04:00

Since my QC (venus) website is no longer active, I thought I'd put the files for a maze generator some place where they can be accessed, especially since I have received emails about it... Here is the original information that was on venus before it disappeared:

Maze Generator Using Disjoint Sets

I recently went through several files of mine that had been stored away from my undergrad days. So I thought I might share them. Someone might like them. I have not changed any of the code since it was first written. I have only changed the formatting of a couple of files to make them easier to read and modified the comment header slightly (also for readability). Everything is well commented, which was my style at the time :-) Hopefully I have not erased anything important as I was doing these modifications, but I have no patience to test it at the moment. Oh, and I added a GPL for my code only, just in case (though no one will really want this... :-P )

This particular project is from Prof Stewart Weiss' CS 335 class, and consisted of writing a program that would generate mazes. It was compiled under Visual Studio 6.0 C++. We had studied Disjoint Sets in our class and were allowed to use code from Mark Allen Weiss' book from which we were studying. In addition to printing out to a text file, for extra credit we could output a graphical representation of the maze. For this I used code from Owen L. Astrachan's book which I think is from CMU Graphics. Two example outputs can be seen below:

5X5.txt
25X40.txt
40X30.txt
unknown dimensions 1
unknown dimensions 2

The idea is fairly simple. The maze is broken up into cells. We will use the idea of disjoint sets: in the beginning each cell is in its own set. Cells are randomly chosen to remove a wall (and one of the four walls is also randomly chosen) and as the wall is removed, the cell and its new neighbor are then placed in the same set. You keep doing this until all cells are within the first (entry) cell's set. At this point you have a maze.

You should make sure that once a cell is in the main (entry cell's) set, it should
never be picked again to remove wall. You also have to be careful not
to remove the outer border walls, thus creating alternate exits :-)

The disjoint sets class was modified from the original given in the book. There was a problem with the find() function so it was changed. Also, I added extra functions to make it fit with the maze class. I also created a vector of cells for the maze (see Cell class and Maze class below). I would have done things differently if I were doing writing this now, but this was in the beginning of my programming experience.

DisjSets.h
DisjSets.cpp

I created a Cell class to represent each cell of the maze. This way I could control the walls of the cells and keep track of which walls were still up or down when I printed out the maze.

Cell.h
cell.cpp

Next I wrote a Maze class to keep track of all of the cells. At first I thought to implement this using a 2-dimensional array, but ultimately decided to use a linear vector (defined in DisjSets) folded onto itself. There is also a list used to contain all cells of the maze. This is not the maze itself, but rather the cells that have not yet been placed into the main set in order to create a maze. I did this to cut down on run time because you do not want to remove walls from cells that have already become part of the main set and randomly picking cells most likely leads to picking cells that have already been chosen (especially towards the end). So keeping a pool of possible choices was the only logical thing to do to cut down on run time.

maze.h
maze.cpp

Now for the main part of the program. At the time I was obsessed
with making the main() function as small as possible:


int main(){
    string resp;

    while(true){

        getMazeInfo();

        cout<<"To quit press 'q', otherwise press a key"<<endl;
        cin>>resp;

        if(resp=="q")
            break;

    }//end while

    return 0;

Granted it could have been smaller... :-) It basically loops forever creating mazes of whatever size (I think 50x60 is the max) is requested and stops when the user wants to leave. The code is NOT perfect. Just glancing over ASSN3Main.cpp, I see a buffer overflow error could occur in the getMazeInfo() function. Plus there were better ways now of dealing with the graphics. (Yes I COULD fix it, but then I would find other things and before you know it this would explode into a full time project...Ok. Maybe I'm exaggerating). Perhaps some day when I have more time I will rewrite this little application. It's kinda fun to create mazes...

ASSN3Main.cpp

I am releasing all of the code in gzip files as well as a precompiled executable. You can use 7zip to open the files. If you use the executable, you will see a message box saying something about how this was compiled with the student version and can't be used as commercial software or some such. Just push Ok and you're set. After you input the dimensions and the name of the output file to which you would like the maze saved, a graphical window will pop up. Click it with the mouse and the maze should display. You have to push ESC to get out of the graphical maze window.

Hopefully I have managed to include all of the code that is needed. Let me know if something is missing.

Windows Registry Paths (_CMHIVE)

2011-04-03T16:51:00.007-04:00

A little while ago I helped get the registry stuff working on images other than XP for Volatility 1.4. There are some differences in how the paths/names of the hives are stored, that I thought I might go over here.

In XP we have the following structure for a registry hive:


'_CMHIVE' : [ 0x49c, {
   'Hive' : [ 0x0, ['_HHIVE']],
   'FileHandles' : [ 0x210, ['array', 3, ['pointer', ['void']]]],
   'NotifyList' : [ 0x21c, ['_LIST_ENTRY']],
   'HiveList' : [ 0x224, ['_LIST_ENTRY']],
   'HiveLock' : [ 0x22c, ['pointer', ['_FAST_MUTEX']]],
   'ViewLock' : [ 0x230, ['pointer', ['_FAST_MUTEX']]],
   'LRUViewListHead' : [ 0x234, ['_LIST_ENTRY']],
   'PinViewListHead' : [ 0x23c, ['_LIST_ENTRY']],
   'FileObject' : [ 0x244, ['pointer', ['_FILE_OBJECT']]],
   'FileFullPath' : [ 0x248, ['_UNICODE_STRING']],
   'FileUserName' : [ 0x250, ['_UNICODE_STRING']],
   'MappedViews' : [ 0x258, ['unsigned short']],
   'PinnedViews' : [ 0x25a, ['unsigned short']],
   'UseCount' : [ 0x25c, ['unsigned long']],
   'SecurityCount' : [ 0x260, ['unsigned long']],
   'SecurityCacheSize' : [ 0x264, ['unsigned long']],
   'SecurityHitHint' : [ 0x268, ['long']],
   'SecurityCache' : [ 0x26c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]],
   'SecurityHash' : [ 0x270, ['array', 64, ['_LIST_ENTRY']]],
   'UnloadEvent' : [ 0x470, ['pointer', ['_KEVENT']]],
   'RootKcb' : [ 0x474, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]],
   'Frozen' : [ 0x478, ['unsigned char']],
   'UnloadWorkItem' : [ 0x47c, ['pointer', ['_WORK_QUEUE_ITEM']]],
   'GrowOnlyMode' : [ 0x480, ['unsigned char']],
   'GrowOffset' : [ 0x484, ['unsigned long']],
   'KcbConvertListHead' : [ 0x488, ['_LIST_ENTRY']],
   'KnodeConvertListHead' : [ 0x490, ['_LIST_ENTRY']],
   'CellRemapArray' : [ 0x498, ['pointer', ['_CM_CELL_REMAP_BLOCK']]],
} ],

When running the hivelist command from Volatility on an XP or Windows 2003 image, the name of the hive is obtained from the FileFullPath entry above. This is more of a generic name prefixed with "\Device\HarddiskVolume1". There is also a FileUserName entry in _CMHIVE, which may contain the actual path to the hive on disk. Here are a few examples:

************************************************************************
FileFullPath: \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
FileUserName: \SystemRoot\System32\Config\SECURITY
************************************************************************
FileFullPath: \Device\HarddiskVolume1\WINDOWS\system32\config\software
FileUserName: \SystemRoot\System32\Config\SOFTWARE
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
FileUserName: \??\C:\Documents and Settings\NetworkService\ntuser.dat
************************************************************************

As I said, we get the same results for Windows 2003.

Starting with Windows Vista, we have an extra member in _CMHIVE, named HiveRootPath which contains another registry name starting either with (\REGISTRY\MACHINE or \REGISTRY\USER). Here we can see output from a modified hivelist plugin, each hive is separated by asterisks:

FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\HARDWARE
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
FileUserName: \??\C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
HiveRootPath: \registry\machine\Schema
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
FileUserName: \SystemRoot\System32\Config\SOFTWARE
HiveRootPath: \REGISTRY\MACHINE\SOFTWARE
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\DEFAULT
FileUserName: \SystemRoot\System32\Config\DEFAULT
HiveRootPath: \REGISTRY\USER\.DEFAULT
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\SAM
FileUserName: \SystemRoot\System32\Config\SAM
HiveRootPath: \REGISTRY\MACHINE\SAM
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\SECURITY
FileUserName: \SystemRoot\System32\Config\SECURITY
HiveRootPath: \REGISTRY\MACHINE\SECURITY
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\System32\config\COMPONENTS
FileUserName: \SystemRoot\System32\Config\COMPONENTS
HiveRootPath: \REGISTRY\MACHINE\COMPONENTS
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Boot\BCD
FileUserName: \Device\HarddiskVolume1\Boot\BCD
HiveRootPath: \REGISTRY\MACHINE\BCD00000000
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
FileUserName:
HiveRootPath: \REGISTRY\USER\S-1-5-20
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT
FileUserName: \??\C:\Windows\ServiceProfiles\LocalService\ntuser.dat
HiveRootPath: \REGISTRY\USER\S-1-5-19
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Users\user\NTUSER.DAT
FileUserName: \??\C:\Users\user\ntuser.dat
HiveRootPath: \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000
************************************************************************
FileFullPath: \Device\HarddiskVolume1\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
FileUserName: \??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
HiveRootPath: \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000_Classes
************************************************************************
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\SYSTEM
************************************************************************

You can see that there are a couple of registries that only have HiveRootPath populated (\REGISTRY\MACHINE\SYSTEM and \REGISTRY\MACHINE\HARDWARE). \REGISTRY\MACHINE\HARDWARE is a volatile hive that contains hardware information populated during bootup[1], we will explore this key a bit later... We get the same output for all service packs of Vista as well as Windows 2008 (which is closely related to Vista SP1/2).

For Windows 7 we get slightly different results. Even though FileFullPath is defined in _CMHIVE for Windows 7, it does not appear to be used at all:

FileFullPath:
FileUserName: \SystemRoot\System32\Config\SECURITY
HiveRootPath: \REGISTRY\MACHINE\SECURITY
************************************************************************
FileFullPath:
FileUserName: \??\C:\System Volume Information\Syscache.hve
HiveRootPath: \REGISTRY\A\{43bcec53-795b-11df-9d3d-000c29bf81c3}
************************************************************************
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\SYSTEM
************************************************************************
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\MACHINE\HARDWARE
************************************************************************
FileFullPath:
FileUserName: \SystemRoot\System32\Config\DEFAULT
HiveRootPath: \REGISTRY\USER\.DEFAULT
************************************************************************
FileFullPath:
FileUserName:
HiveRootPath: \REGISTRY\USER\S-1-5-20
************************************************************************
FileFullPath:
FileUserName: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
HiveRootPath: \REGISTRY\USER\S-1-5-19
************************************************************************
FileFullPath:
FileUserName: \Device\HarddiskVolume1\Boot\BCD
HiveRootPath: \REGISTRY\MACHINE\BCD00000000
************************************************************************
FileFullPath:
FileUserName: \SystemRoot\System32\Config\SOFTWARE
HiveRootPath: \REGISTRY\MACHINE\SOFTWARE
************************************************************************
FileFullPath:
FileUserName: \??\C:\Users\user\ntuser.dat
HiveRootPath: \Registry\User\S-1-5-21-1665533257-296859758-874228692-1000
************************************************************************
FileFullPath:
FileUserName: \??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
HiveRootPath: \Registry\User\S-1-5-21-1665533257-296859758-874228692-1000_Classes
************************************************************************
FileFullPath:
FileUserName: \SystemRoot\System32\Config\SAM
HiveRootPath: \REGISTRY\MACHINE\SAM
************************************************************************

Therefore in Windows 7 output of hivelist, you will see FileUserName paths when they are defined or HiveRootPath paths if they are not:

Virtual Physical Name
0x963e39d0 0x1d41a9d0 \SystemRoot\System32\Config\SECURITY
0xa057a7a8 0x3518e7a8 \??\C:\System Volume Information\Syscache.hve
0x82ba6140 0x02ba6140 [no name]
0x87a0c008 0x28027008 [no name]
0x87a1c008 0x27fb5008 \REGISTRY\MACHINE\SYSTEM
0x87a429d0 0x27f9d9d0 \REGISTRY\MACHINE\HARDWARE
0x87abc898 0x1fd97898 \SystemRoot\System32\Config\DEFAULT
0x8849e008 0x27dc0008 \REGISTRY\USER\S-1-5-20
0x88521008 0x1be07008 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x8bb309d0 0x25bac9d0 \Device\HarddiskVolume1\Boot\BCD
0x8bb328d8 0x25bb58d8 \SystemRoot\System32\Config\SOFTWARE
0x91a9a9d0 0x1787c9d0 \??\C:\Users\user\ntuser.dat
0x91f2d9d0 0x13b949d0 \??\C:\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat
0x963bf008 0x1fa36008 \SystemRoot\System32\Config\SAM

Getting Registry Paths from the SYSTEM Registry

You can also obtain a list of registry files were loaded by the system by checking the "SYSTEM\CurrentControlSet\Control\Hivelist" key[1]:

$ python vol.py -f VistaSP2x86.dmp --profile=VistaSP2x86 printkey -K 'controlset001\control\hivelist'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: hivelist (V)
Last updated: 2010-11-30 18:05:20

Subkeys:

Values:
REG_SZ \REGISTRY\MACHINE\HARDWARE : (V)
REG_SZ \REGISTRY\MACHINE\SECURITY : (V) \Device\HarddiskVolume1\Windows\System32\config\SECURITY
REG_SZ \REGISTRY\MACHINE\SOFTWARE : (V) \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
REG_SZ \REGISTRY\MACHINE\SYSTEM : (V) \Device\HarddiskVolume1\Windows\System32\config\SYSTEM
REG_SZ \REGISTRY\USER\.DEFAULT : (V) \Device\HarddiskVolume1\Windows\System32\config\DEFAULT
REG_SZ \REGISTRY\MACHINE\SAM : (V) \Device\HarddiskVolume1\Windows\System32\config\SAM
REG_SZ \REGISTRY\MACHINE\COMPONENTS : (V) \Device\HarddiskVolume1\Windows\System32\config\COMPONENTS
REG_SZ \REGISTRY\MACHINE\BCD00000000 : (V) \Device\HarddiskVolume1\Boot\BCD
REG_SZ \REGISTRY\USER\S-1-5-20 : (V) \Device\HarddiskVolume1\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
REG_SZ \REGISTRY\USER\S-1-5-19 : (V) \Device\HarddiskVolume1\Windows\ServiceProfiles\LocalService\NTUSER.DAT
REG_SZ \registry\machine\Schema : (V) \Device\HarddiskVolume1\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
REG_SZ \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000 : (V) \Device\HarddiskVolume1\Users\user\NTUSER.DAT
REG_SZ \Registry\User\S-1-5-21-3861645159-1226237480-2911178601-1000_Classes : (V) \Device\HarddiskVolume1\Users\user\AppData\Local\Microsoft\Windows\UsrClass.dat

References

[1] Mark Russinovich, David Solomon and Alex Ionescu Windows Internals 5th Edition

[2] Moyix, Enumerating Registry Hives

Update: Volatility printkey Plugin

2011-03-30T08:41:00.004-04:00

You don't have to use the printkey plugin I released to get bruteforce action. It has been incorporated into the Volatility SVN (thanks to Mike Auty :-)).

So by default you don't have to issue an offset anymore:

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29

Subkeys:

Values:
REG_SZ ComputerName : (S) GINEVRA

And keys from multiple hives will also appear with a separator:

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -K 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:23

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Winlogon (S)
Last updated: 2008-11-26 07:39:40

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:53

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\moyix\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-09-19 20:29:52

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600

Modified Volatility printkey Plugin

2011-03-25T15:13:00.012-04:00

As a lot of you already know, Volatility has some pretty cool registry plugins. You can use hivescan to look for registry hives (CMHIVE), hivelist to locate virtual and physical addresses of registry hives and printkey to print out keys for a specified hive, whose virtual address is found from hivelist.

In Volatility 1.3, you had to specify CMHIVE offset (obtained from hivescan) for hivelist in order to get the virtual address for a hive to use with printkey. In Volatility 1.4, hivelist inherits hivescan and obtains the CMHIVE offsets removing one extra step and making it easier for the user.

We still have to provide a virtual address (obtained by hivelist) to printkey in order to print a key from a particular registry. Suppose you don't know which registry contains the key, or you are a little clumsy about which offset you gave printkey, or maybe you want the same key from multiple hives (like all users for example). Well, I know I've personally had some of these issues and I'm sure others have as well ;-)

Recently I modified printkey to include a "brute-force" option to try to obtain a particular key from all hives and thought I'd share this in case anyone else might find it useful. The idea works similar to how hivelist was written to inherit from hivescan; printkey inherits hivelist and can obtain the offsets for all hives if run in brute-force mode. It also retains the previous usage so you can specify an offset.

Let's see some examples. So suppose we want to get the computer name from this image. How do we get that? So normally you have to get a list of registry hives:

$ python vol.py -f ds_fuzz_hidden_proc.img hivelist
Volatile Systems Volatility Framework 1.4_rc1
Virtual Physical Name
0xe1ada008 0x0b46c008 \Device\HarddiskVolume1\Documents and Settings\moyix\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1ad0880 0x0b339880 \Device\HarddiskVolume1\Documents and Settings\moyix\NTUSER.DAT
0xe1ac09e8 0x0b21b9e8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a9f008 0x0b28b008 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1797a60 0x0951da60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1790820 0x0960f820 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1534820 0x032a9820 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1536820 0x032ab820 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe14771f8 0x07fc91f8 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe1482008 0x07f93008 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe13725b8 0x0241d5b8 [no name]
0xe1018388 0x02200388 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe1008b60 0x020c4b60 [no name]
0x80670a8c 0x00670a8c [no name]

From the SYSTEM registry we need this key: ControlSet001\Control\ComputerName\ComputerName We find the virtual offset and specify that in the commandline along with the key:

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -o 0xe1018388 -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29

Subkeys:

Values:
REG_SZ ComputerName : (S) GINEVRA

Nice. Ok, suppose you didn't know you needed to get this information from the SYSTEM registry. You can use the brute-force option (-b):

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -b -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of S-1-5-21-725345543-1292428093-2147272213-1003_Classes
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of S-1-5-19_Classes
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of S-1-5-20_Classes
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of SECURITY
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of $$$PROTO.HIV
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of SAM
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of HARDWARE
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29

Subkeys:

Values:
REG_SZ ComputerName : (S) GINEVRA
WARNING : volatility.win32.rawreg: Couldn't find subkey ControlSet001 of REGISTRY

Hrmmmm.... notice that you get a lot of debug warnings in addition to the correct output for this key. This is because normally you would want to know if the key is not found and as each hive is queried for the key, failed attempts appear in output. However in this case, we know it's not going to be found in all of the registries, so we don't care about these warnings. You could comment out the piece of code in volatility/win32/rawreg.py that gives this warning, or you could use another plugin supplied by Mike Auty called disablewarnings.py This plugin (disablewarnings.py) is located in the "contrib/plugins" folder when you first download Volatility from the Google SVN. In order to use it, you must first move it to your plugins directory. So from the Volatility root folder do the following:

$ mv contrib/plugins/disablewarnings.py volatility/plugins

Now we can run the printkey plugin with brute-force option and disable debug statements with two extra switches: -d -W:

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -b -d -W -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: ComputerName (S)
Last updated: 2008-10-21 17:48:29

Subkeys:

Values:
REG_SZ ComputerName : (S) GINEVRA

Want to see output from multiple hives? Let's look at the Software\Microsoft\Windows NT\CurrentVersion\WinLogon key from user hives:

$ python vol.py -f ds_fuzz_hidden_proc.img printkey -K 'Software\Microsoft\Windows NT\CurrentVersion\WinLogon' -b -d -W
Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\Documents and Settings\moyix\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-09-19 20:29:52

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:53

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: Winlogon (S)
Last updated: 2008-11-26 07:38:23

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600
Legend: (S) = Stable (V) = Volatile

Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\default
Key name: Winlogon (S)
Last updated: 2008-11-26 07:39:40

Subkeys:

Values:
REG_SZ ParseAutoexec : (S) 1
REG_SZ ExcludeProfileDirs : (S) Local Settings;Temporary Internet Files;History;Temp
REG_DWORD BuildNumber : (S) 2600

Notice that the output is also slightly different, since printkey specifies which hive it got the information from (Registry: [Path])

Update: this modification is now in the SVN see here.

John Jay Center for Cybercrime Studies Talk: 3/29/11 2PM

2011-03-22T16:03:00.004-04:00

There's an upcoming talk at The Center for Cybercrime Studies, John Jay College of Criminal Justice next week (Tuesday March 29th, 2011 2:00 PM) that may interest some of you in the NYC area:

Cyber Criminals: Who are they? Why are they successful? How do we respond?

Kim Peretti

Director, Forensic Services Practices
PricewaterhouseCoopers LLP

Formerly Senior Counsel
US Dept. of Justice, Criminal Division
Computer Crime and Intellectual Property Section

This session will walk through recent prosecutions of sophisticated hacking rings in order to provide insight into the individuals behind these types of crimes and why they are successful. This presentation will also discuss the emerging area of cyber forensics and methods by which entities can better prevent, detect, and respond to cyber attacks on their systems.

Events will take place at
John Jay College of Criminal Justice
899 Tenth Avenue
Room 630T, Haaren Hall

(between 58th and 59th Streets.)
RSVP to Nicole Daniels (ndaniels@jjay.cuny.edu: 212.237.8920).

Volatility 1.4 get_plugins Script

2011-03-22T09:48:00.006-04:00

For those who can't wait for the official release of 1.4: I've updated the Volatility Full Dev Installation Wiki to include installation on Linux.

In case you want to automate installation you can use the new get_plugins script. I've only tested it on Mac OSX and Ubuntu, but it should still install dependencies and Volatility 1.4 on other Linux distributions (provided that you have your supporting libraries like libpcre installed already). Feel free to look at the code before running however :-)

Caveat: There is still an issue with the Distorm3 library on Mac OSX and you'll have to compile and install that one manually.

NYC4SEC Meeting 1/19/2011

2011-01-05T16:18:00.005-05:00

There is an NYC4SEC meeting this month on 1/19/2011. This month our speaker is Jon Stewart who will be giving a talk about his new tool: Lightgrep. Details are below:

Lightgrep - Fast Keyword Searching for Forensics

Dislike waiting 5 days for your keyword search to complete? Been brought to tears by thousands of keywords? Lost faith in your forensics tools when they didn't find all the hits they should have? Come to this talk to see the first public demonstration of Lightgrep, a new regular expressions search tool designed specifically for forensics.

Search is a fundamental part of forensics, useful not only for discovering relevant documents and snippets of text, but also artifacts, files in unallocated space, and file signature analysis. We will discuss the basic principles behind how a grep search works, why it's important to consider how multiple keywords are handled, and how to validate a search tool's results. Finally, we'll show Lightgrep, a tool that allows for fast searching for thousands of keywords, with full EnCase integration.

Please join us on Wednesday, January 19th, 7:00pm at John Jay College - Forensic Computing Program and the Center for Cybercrime Studies
899 Tenth Avenue - btwn 58th & 59th
Room 610T - 6th Floor

Jon Stewart is a software developer and co-founder of Lightbox Technologies, Inc. Prior to Lightbox, Jon was a senior developer and consultant with Guidance Software, where he worked heavily on the EnScript programming language and created EnCase eDiscovery. Jon lives in Arlington, VA and blogs regularly about EnScript, programming, and forensics at http://codeslack.blogspot.com/

Don't forget to RSVP!!!

Thanks to Douglas Brush, Prof Bilal Khan, Prof Douglas Salane and Prof Richard Lovely for helping to make this possible.

Identifying Memory Images

2010-12-12T14:15:00.005-05:00

Have you ever been given a memory image to examine and not known what OS it was? Or maybe you were told it was X when it was really Y? Or perhaps you have a collection of images that may not be labeled correctly?

So how do you figure out the OS of an unknown Windows image?

Strings

You could use strings to look for clues of the OS type. For example looking for the version numbers [1]. You can often find this in close proximity to a DLL name. Two examples (XP and Windows 7) are below:

Windows XP: 5.1.2600

2546060:5.1.2600.0 (xpclient.010817-1148)
2546134:InternalName
2546160:HCAppRes.dll
2546194:LegalCopyright
2546226: Microsoft Corporation. All rights reserved.
2546322:OriginalFilename
2546356:HCAppRes.dll

Windows 7: 6.1.7600.16385 (win7_rtm.090713-1255)

1335896:6.1.7600.16385 (win7_rtm.090713-1255)
1335978:InternalName
1336004:BlbEvents.dll
1336038:LegalCopyright
1336070: Microsoft Corporation. All rights reserved.

How do you determine if the memory image is from a x86 or x64 machine? Well, here you can look for environmental variables like PROCESSOR_ARCHITECTURE and PROCESSOR_ARCHITEW6432 (used for WOW64) [2]. An example from x86 and x64 machines:

PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 5, GenuineIntel

PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64

PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64

More details about these variables can be found here.

Still, this is more labor intensive than it need be.

Using _DBGKD_DEBUG_DATA_HEADER64

Remembering a blogpost Moyix wrote about finding kernel global variables in Windows I figured each OS would have a different size after the OwnerTag defined in wdbgext.h:


typedef struct _DBGKD_DEBUG_DATA_HEADER64 {
   LIST_ENTRY64 List;
   ULONG           OwnerTag;  //"KDBG"
   ULONG           Size;      //Different for each OS
} DBGKD_DEBUG_DATA_HEADER64, *PDBGKD_DEBUG_DATA_HEADER64;

Moyix gives us the pattern to search for regarding x86 OSes since the end of LIST_ENTRY64 will be 0 for x86 machines [3]:

\x00\x00\x00\x00\x00\x00\x00\x00KDBG

First let's try to find the sizes for each OS:


$ xxd xpsp3x86.dd |less
[skip]
0000b70: 6780 0000 0000 0000 0000 4b44 4247 9002  g.........KDBG..
[skip]

$ xxd win7x86.dd |less
[skip]
0000bf0: ffff ffec 6fbb 83ec 6fbb 8300 0000 0000  ....o...o.......
0000c00: 0000 004b 4442 4740 0300 0000 8084 8300  ...KDBG@........
[skip]

After examining XP, W2K3, Vista, W2K8 and Windows 7 machines (and different service packs), this is what we get (Windows 2000 value not done personally, but taken from Moyix's blog [3]):

OS Size
Windows 2000 \x08\x02
XP \x90\x02
W2K3 \x18\x03
Vista \x28\x03
W2K8 \x30\x03
Windows 7 \x40\x03

Now we need to find the pattern for x64 systems as well. We could do this with a hexdump of memory images to find the KDBG pattern:


$ xxd win7x64.dd |less
[skip]
0000080: f8ff ff10 44a1 0200 f8ff ff4b 4442 4740  ....D......KDBG@
0000090: 0300 0000 f080 0200 f8ff ff60 8f87 0200  ...........`....
[skip]

$ xxd w2k8x64.dd |less
[skip]
0000f10: f8ff ff40 f878 0100 f8ff ff4b 4442 4730  ...@.x.....KDBG0
0000f20: 0300 0000 c060 0100 f8ff ff60 b865 0100  .....`.....`.e..
[skip]

After examining several x64 dumps, the pattern that seemed universal to them was:

'\x00\xf8\xff\xffKDBG'

The header sizes also appear to remain the same for x64 and x86 machines. So there it is. You can search for a unique pattern in the memory image in order to figure out what OS it is. Some examples:

Windows 7x86: '\x00\x00\x00\x00\x00\x00\x00\x00KDBG\x40\x03'
W2K3 x86: '\x00\x00\x00\x00\x00\x00\x00\x00KDBG\x18\x03'
W2K8 x64: '\x00\xf8\xff\xffKDBG\x30\x03'

You could very easily write a Python script to identify Windows memory images using this technique, but you don't have to: This has already been incorporated into the Volatility 1.4 framework in the imageinfo.py plugin. Thanks to Mike Auty (ikelos) for doing the honors :-)

References

[1] List of Windows Versions
http://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions

[2] HOWTO: Detect Process Bitness
http://blogs.msdn.com/b/david.wang/archive/2006/03/26/howto-detect-process-bitness.aspx

[3] Finding Kernel Global Variables in Windows
http://moyix.blogspot.com/2008/04/finding-kernel-global-variables-in.html

Volatility 1.3 get_plugins Script Update

2010-12-06T09:21:00.005-05:00

I've finally gotten around to updating the get_plugins script I wrote a while back for Volatility 1.3 (and finally gotten around to blogging about it). This is due to a few changes in plugins, dependencies and to address difficulties mentioned in lorgor's blog.

MHL has also updated malfind2 to work with Yara 1.4a, so this script is compatible with those changes.

I have only tested this on Ubuntu and Mac OSX (with MacPorts installed).

You must run this script as root

This script also installs Volatility using SVN. If you are running Ubuntu or Mac it will check that SVN is installed, and if not, will install it and pull down Volatility in the current directory.

If you are running Ubuntu or Mac OSX, this script will install other dependencies you will need like pcregrep libpcre++-dev python-dev for Ubuntu or pcre pcre++ for Mac.

This script installs dependencies: pefile, libdasm, pycrypto, yara-python 1.4a, as well as all known Volatility plugins, including the newer VAP ones from MHL

You still have to install Inline::Python on your own.

You can find the script in my GitHub repository or as raw text here

Misc Updates

2010-11-18T09:56:00.002-05:00

There have been some interesting items in the last week:

Brian Carrier has started a new Open Source Digital Forensics website. It offers a quick way for people to find useful tools, papers and procedures.

Dave Kovar released a new version of analyzeMFT. Not sure how he's had time to work on this, what with his busy glob-trotting lifestyle, but he's done it again :-)

Lance Mueller blogged recently about an EnScript that uses MSSQL for faster filtering of files by hash values. It was provided by Oliver Höpli and as Jon Stewart(Mr. EnScript) can tell you, it's quite useful.

For the iPhone forensics peeps, an iPhone Forensics White Paper was released on viaForensics.

There was also an open source iPhone Analyser released on Sourceforge.

NYC4SEC Meeting 11/17/2010

2010-11-17T08:21:00.003-05:00

There is a NYC4SEC meeting tonight (11/17/2010). This month our speaker is Professor Nasir Memon who will be giving a presentation on digital image forensics. Description below:

Photo Forensics: There is More to a Picture Than Meets the Eye

When presented with a device full of active or deleted data – what do you know about the images? Can you recover them all? Can you tell which camera they are taken with? Can you tell if they are manipulated? Can you find from the Internet all other pictures taken from the same camera? Forensics professionals all over the world are increasingly encountering such questions.

Given the ease by which digital images can be created, altered, and manipulated with no obvious traces, digital image forensics has emerged as a research field with important implications for ensuring digital image credibility. This presentation provides an overview of recent developments in the field, focusing on three problems.

First, collecting image evidence and reconstructing them from fragments, with or without missing pieces. This involves sophisticated file carving technology.

Second, attributing the image to a source, be it a camera, a scanner, or a graphically generated picture. The process entails associating the image with a class of sources with common characteristics (device model) or matching the image to an individual source device, for example a specific camera.

Third, attesting to the integrity of image data. This involves image forgery detection to determine whether an image has undergone modification or processing after being initially captured.

So please join us on Wednesday, November 17th, 7:00pm at John Jay College.

John Jay College - Forensic Computing Program and the Center for Cybercrime Studies
899 Tenth Avenue - btwn 58th & 59th
Room 610T - 6th Floor

Don't forget to RSVP!!!

Thanks to Douglas Brush, Joe Garcia, Prof Bilal Khan and Prof Douglas Salane for making this possible.

Upcoming NYC4SEC Meeting 10/27/2010

2010-10-19T09:25:00.004-04:00

We have another NYC4SEC meetup next week on October 27th, 2010 7:00PM:

Halloween Edition - Are those knocks on your firewall doors for tricks or treats?

Either way you have to realize one of the largest threats to your environment is the human element and none other than super malware and security forensicator Lenny Zeltser will be giving us a special Halloween talk about how attackers can trick you or the people inside your organization to get access to treats. Ok, no more puns....

John Jay College has reached out and offered to host this and future events for NYC4SEC so lets spread the word and show them that the NYC cyber security community is strong in numbers and appreciate their support!

Lenny Zeltser - "Knock, Knock! How Attackers Use Social Engineering to Bypass Your Defenses"

Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This talk explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing corporate security defenses. Lenny Zeltser will review how attackers have bypassed technological controls by making use of social engineering techniques. Attend this engaging talk to improve the relevance of your security awareness training and to adjust your defenses by revisiting your perspective of the threat landscape.

John Jay College - Forensic Computing Program and the Center for Cybercrime Studies
899 Tenth Avenue - btwn 58th & 59th
Room 610T - 6th Floor

More details and RSVP here:

NYC4SEC RSVP

Thanks to Douglas Brush, Joe Garcia, Prof Bilal Khan and Prof Douglas Salane for making this possible.

Upcoming NYC4SEC Meeting 9/16/10

2010-08-30T21:32:00.008-04:00

The next NYC4SEC meeting will take place on September 16, 2010 at 7:00PM at Pace University. Details:

Grab your TrapperKeepers (I'm rockin' the red Lambo), your Saved By the Bell book covers and Garbage Pail Kids cards to stick on the inside of your locker because it's back to school time.

Pace University is our gracious host and our speaker will be Ovie Carroll who will be in town teaching a SANS Forensics 408: Computer Forensic Essentials Course here in NYC and offered to stop by after a day of training to meet our group.

If you would like to attend the 408 course Ovie has provided a special offer for a class discount! Use "COINS-OC" to get 10% off and to make sure to get into class! http://www.sans.org/new-york-forensics-2010-cs/description.php?tid=4207

More details to follow on specific room location for the NYC4SEC Meet-up but please get your parents to sign off on your NYC4SEC permission slips for Thursday, September 16th @ 7pm

Thanks to Douglas Brush and Joe Garcia for arranging this event.

More details can be found here: http://www.nyc4sec.info/calendar/14520625/

Upated Volatility SQLite plugins

2010-08-14T21:21:00.014-04:00

I have recently updated the Volatility sqlite3 plugins (for 1.3.2 branch) with some minor changes:

1) Removal of path from image name
2) Lowercase of all processes, dlls, filenames, modules etc

To make things even more interesting, I have converted some of the scanning code to output in sqlite3 as well:

tar -cvzf vol_sql-0.3.tgz vol_sql-0.3/
vol_sql-0.3/
vol_sql-0.3/connections_2.py
vol_sql-0.3/connscan2sql.py
vol_sql-0.3/dlllist_2.py
vol_sql-0.3/driverscan2sql.py
vol_sql-0.3/files_2.py
vol_sql-0.3/filescan2sql.py
vol_sql-0.3/getsids.py
vol_sql-0.3/modscan2sql.py
vol_sql-0.3/modules_2.py
vol_sql-0.3/pslist_2.py
vol_sql-0.3/psscan3sql.py
vol_sql-0.3/sockets_2.py
vol_sql-0.3/sockscan2sql.py

Schema:

CREATE TABLE connections (pid integer, local text, remote text, memimage text);

CREATE TABLE connscan2(pid integer, local text, remote text, memimage text);

CREATE TABLE dlls (pname text, pid integer, cmdline text, base text, size text, path text, memimage text);

CREATE TABLE driverscan2(paddr text, objtype text, pointers integer, handles integer, start text, size text, srvckey text, driver text, path text, memimage text);

CREATE TABLE files (pid integer, file text, num integer, memimage text);

CREATE TABLE filescan2(paddr text, objtype text, pointers integer, handles integer, access text, file text, memimage text);

CREATE TABLE modscan2 (file text, base text, size text, name text, memimage text);

CREATE TABLE modules (file text, base text, size text, name text, memimage text);

CREATE TABLE process (pname text, pid integer, ppid integer, thrds text, hndl text, ctime text, memimage text);

CREATE TABLE psscan3(pid integer, ppid integer, ctime text, etime text, offset text, pdb text, pname text, memimage text);

CREATE TABLE sids (pname text, pid integer, sid_string text, sid_name text, memimage text);

CREATE TABLE sockets (pid integer, port integer, proto text, ctime text, memimage text);

CREATE TABLE sockscan2(pid integer, port integer, proto text, ctime text, offset text, memimage text);

So what kinds of queries could we make with the output of these plugins? Here are few brief examples.

Suppose you want to focus on one pid:


  select * from files where pid = [pid]
  select * from connections where pid = [pid]

etc..

Suppose you want to link up connections output with the process information:

select process.pname, connections.* from connections
join process where process.pid = connections.pid
order by connections.pid;

Suppose you have information from more than one image in your database and want to see if there are any dlls/processes/files in one image not represented in the others:


select * from dlls 
   where path not in 
     (select path from dlls where memimage is not [image name])

Suppose you don't care about dlls with a certain path, like winsxs for example:


select * from dlls
   where path not in 
      (select path from dlls
         where memimage is not [image name]) and
           path not like '%winsxs%';

Want to output all files in alphabetical order?


  select * from files order by file;

or by PID?


  select * from files order by pid;

Now that we have sqlite output for some of the scanning plugins we can quickly compare for information missing from regular plugins. Here's an example of pslist vs psscan3 on an image released by Moyix in his post releasing psscan3:


select psscan3.pid, psscan3.ppid, psscan3.ctime, 
 psscan3.pname from psscan3 
  where pid not in (select pid from process) 
    order by pid;

0|0||idle
592|360|Sat Nov 15 23:42:56 2008|csrss.exe
660|616|Sat Nov 15 23:42:56 2008|services.exe
828|660|Sat Nov 15 23:42:57 2008|svchost.exe
924|660|Sat Nov 15 23:42:57 2008|svchost.exe
992|660|Sat Nov 15 23:43:25 2008|alg.exe
1016|660|Sat Nov 15 23:42:57 2008|svchost.exe
1696|1516|Wed Nov 26 07:43:28 2008|network_listene

Well, I'm sure you can think up a lot more crazy queries as well...

The older sqlite plugins usage can be found here. The newly converted plugins usage is:


  ./volatility plugin -f [image] -d [sqlite db]

At some point I'll cover output rendering in the 1.4 branch, which is more interesting :-) Until then:

Happy hunting!

Misc Forensic News

2010-07-25T22:40:00.005-04:00

I'm somewhat behind in my blogging... In the past couple of weeks a few things of interest have come out. Here are some highlights:

Moyix released psscan3: a robust process scanner. He also released GDI Utilities for taking screenshots of memory dumps, which is VERY cool! :-)

Lenny Zeltser released REMnux "a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu" which includes Volatility in its arsenal.

Detective Cindy Murphy published a guide on cell phone examinations, which is definitely worth a read.

My former boss and GSI alum, Jon Stewart (Mr. EnScript), has written two posts on the 3 laws of EnScript with a third post surely coming soon. If you care anything about EnScript programming, these posts are definitely worth a read.

There have been some updates to some of the Sysinternals tools that you might want to check out.

F-Reponse now supports Android, which is pretty cool. You can check out their blogpost which includes details and a video.

Into the Boxes is currently looking for collaborators for 0x2. Don't be shy, I know there are a lot of people out who could contribute an article for the next edition. If you have an idea for an article, hit the call box.

The Next HOPE and NYC4SEC

2010-07-15T14:39:00.006-04:00

We will have another NYC4SEC meetup after Chris Pogue's talk on Sniper Forensics at The Next HOPE. You can RSVP here. Details:

This is the NYC4SEC after HOPE Meet-up for Sunday, July 18th at 6pm at Stout NYC on 33rd St. (btwn 6th & 7th) – just across the street from the Hotel Pennsylvania.

Informal meet up to hang out and mingle to talk about the highlights of the HOPE conference.

I spoke with Chris Pogue who will be presenting at the conference on Sunday at 4pm - Sniper Forensics - Changing the Landscape of Modern Forensics and Incident Response and he said he will stop by to join us. Checkout Chris’s on his blog: http://thedigitalstandard.blogspot.com/

C’mon by to drink, talk and hang with others in the NYC InFosec community!

Thanks to Douglas Brush for setting this up ;-)

Moving Forward

2010-07-11T19:52:00.002-04:00

A while back I read an article on managing geeks. I think it's fairly accurate and also carries over into the computer forensics arena. If you are in a position of managing geeks and are not one yourself, you might want to read this article.

Thanks to Harlan Carvey I read Lenny Zeltser's presentation on How To Respond To An Unexpected Security Event. That's another good read you shouldn't miss.

Ignoring the problem leads to discontent and inevitably: desertion. Content geeks on the other hand tend to be loyal.

That's about all I'm going to say about that...

Briefly: Moving of stuff

2010-07-11T19:12:00.003-04:00

Since access to my QC website has now expired, I've moved some of the stuff that was linked to there from this blog to here. Future misc scripts will be dumped there as well.

Very Briefly: CEIC

2010-05-25T10:46:00.004-04:00

Some people have asked me about CEIC. I will not be attending this year unfortunately. I hope those of you who are currently there are having a blast though :-)

Extremely Off Topic - Google: Feeling Lucky?

2010-03-15T20:46:00.003-04:00

Just a bit of nonsense I discovered today:

Notice a theme?

GNB's Timeline EnScript

2010-02-14T21:06:00.010-05:00

A former colleague of mine, Geoff Black, has a pretty cool timeline EnScript (zip file) available on his website. I have been playing around with it and have meant to blog about it for a while...

The contents of the zip are as follows:

Timeline Report.EnPack
Timeline Report.EnScript (actual code)
Timeline_Report_README.pdf
Timeline_Report_WHATSNEW.pdf
Include\GNB_HTMLlib.EnScript (library file)
Include\GNB_XMLlib.EnScript (library file)

I must say that it's nice that Geoff has given us the code to his Timeline script so that one can modify as desired. It's also nice that he includes README and WHATSNEW files so you can have something to reference for past and present versions.

Simply unzip these items (without the pdfs) into your EnCaseX\EnScript folder and you are ready to go. You can run the script by either double clicking the EnPack or the EnScript, just make sure to add a disk image to the case first ;-). When you run it you will see the following:

There are a lot of options you can choose. Here's a closeup of the interface itself:

You can pick a certain time period with a start and stop date for the timeline (boxed in blue). You can pick the type of output you want (boxed in pink), whether you want Records, Bookmarks, a Tab Delimited report (TSV), how many entries you'd like in each TSV file and whether or not you would like an HTML report better suited for IE or Firefox. There are more Script Options and Time Options (boxed in green) that allow you to select files you want in the timeline report (default is all files) and which time entries you are interested in seeing (default is all). You can modify the order to the Output Fields (boxed in red) for the TSV file or remove fields that are not of interest. Other fields are self explanatory.

While the script is running you can see the progress bar at the bottom right. If you choose the HTML report option you may end up with several HTML files (depending on how many files are selected and how many entries per file you have selected) and if this is the case each file is named in order for example:

TimelineReport-FF.html
TimelineReport-FF2.html
TimelineReport-FF3.html

and so on... You can see an example report below:

The latest change is highlighted, but you can see that some files might have the same time stamp for different fields. In this case the file will be listed twice, once with Created highlighted and once with Accessed highlighted (from the README).

You can check out some of Geoff's other EnScripts and CEIC presentations at his website: http://www.geoffblack.com/forensics.

Yahoo Messenger EnScripts

2010-02-14T14:05:00.009-05:00

There are a couple of publicly available Yahoo Messenger EnScripts/EnPacks out, such as:

Yahoo Decoder in unallocated by Lance Mueller

YahooMessenger-Parser by Paul Bobby

Pretty useful scripts, however they don't handle right-to-left languages like Hebrew and Arabic. Here are some before pics from my test run with Hebrew:

Lance Mueller's script's output:

Paul Bobby's scripts' output:

As you can see, (well if you know what Hebrew letters are supposed to look like) the letters come out as some gobbeldy-gook. This is something I've been meaning to comment on for a while, having written various chat EnScripts at the beginning of my GSI employment. I have just gotten around to it now... The "encryption" method is the same for all unicode languages in that it is a byte-by-byte xor with the local username. The problem is that the encoding becomes distorted when it is just saved in a string. For example the letters ש and ל with UTF-8 encodings d7a9 and d79c respectively become c397 and c2a9 (it is left as an exercise for the reader to figure out why). So here comes a solution that I have used in the past.

The EnScripting language has a class called MemoryFileClass, which allows you to have in memory buffers that you can treat as files. You can create them, open them, read and write to them as you would any other file. So the idea is simple enough: write to a memory buffer as you decrypt the message and then extract the message after all decryption has taken place. This is accomplished by adding a couple of helper functions to Paul Bobby's code:

bool WriteBuffer(MemoryFileClass &file, char msg) {
  file.SetCodePage(CodePageClass::ANSI);
  int temp = msg;
  file.WriteBinaryInt(temp, 1);
  return file.IsValid();
}

void ReadBuffer(MemoryFileClass &file, String &msg) {
  file.SetCodePage(CodePageClass::UTF8);
  file.Seek(0);
  file.ReadString(msg);
}

Now we can just call the functions as appropriate when decrypting and outputting the messages. You can see the correct output after this modification below (yeah, the conversation is lame and is just a test ;-):

The complete modified EnScript is available on the GSI forum (registration required):

A thread on the GSI forum with Paul Bobby's fixed EnScript

Briefly: Volatility News (2/14)

2010-02-14T09:58:00.007-05:00

I'm a little behind in my blogging, but I wanted to post about a few items that people might not have noticed. So here it is just in time for Valentines Day.

Volatility SQL Plugins

I modified the Volatility SQL output plugins (download link) slightly. I changed the schema in the dlllist_2.py plugin:

memory_plugins/dlllist_2.py


Table Name:  dlls

pname           Process name (changed)
pid             Process ID 
cmdline         Command Line text
base            Base Address
size            Size
path            Path of DLL
memimage  Memory image information was extracted from

I also removed the Volatility files (vutils.py and commands.py) since there were two patches that address the items I changed in those files. So now all you have to do is download Volatility from the SVN and unzip the plugins like before.

For the more adventurous, the SQL rendering plugins have been incorporated into the experimental branch of Volatility (thank you Scudette!). You can download all branches with the following command:

svn checkout http://volatility.googlecode.com/svn/branches Vol_All

For the experimental branch (located in the experimental folder) you must have Python 2.6 installed.

Volatility User Manual

There is a new Volatility User Manual contributed to the VDP by Mark Morgan. It is a compilation of past VDP articles and blogposts and covers all public plugins to date. Shouts to Mark!

EnCase Enscripts + Volatility = Takahiro Haruyama's Memory Forensics Toolkit

Takahiro Haruyama has released a new version of his Memory Forensics Toolkit. I had played around with his previous version. Now there is no excuse for the EnCase reliant not to get in on memory forensics ;-) Shouts to Takahiro for making it easier for these users!

Briefly: Memory Analysis EnScripts

2010-02-07T15:30:00.008-05:00

I came across a post for the Memory Forensic Toolkit EnScript in the GSI Forum a few days ago. I finally got a chance to play around with it a little today and this will be a very brief overview.

Prerequisite: EnCase 6.14 or higher.

Simply download the toolkit from the link above and unzip it into your EnCaseX.X.X\EnScripts folder. You should see something like the following in your EnScript pane with a Windows 7 folder and Windows XP:

I have only tested the XP scripts at this time. EnScripts available:

- PsList: List of all processes
- KMList: Show all loaded kernel modules
- ConnList: View all TCP connections
- VadSearch:　VAD process in the search for a string
- DllList: List Dlls
- OpenFiles: List of open files that the process
- ProcDump: Extracting of a process to exe format
- PsScan: Enumerates process information (EPROCESS)
- ConnScan: Enumerates TCP connection information (TCPT_OBJECT)
- KMScan: Enumerates kernel modules (LDR_MODULE)
- Vtypes/Win32/x86: library to use the above scripts

You can run these EnScripts on raw memory dumps, just make sure to check the blue box for the memory dump you would like to run the EnScript against. Just double click the script you'd like to run.

Here's an example run of PsList:

And ConnScan:

The output is very similar to Volatility and goes to the console by default. You can easily modify the script to output to a text file, Excel spreadsheet or any other output type you can think about, however.

For some EnScripts like dlllist, you are prompted for a PID to run it against. You can modify the script to run agains all PIDs however, if desired.

There is also a Microsoft Crash Analyzer which I have yet to try.

Forensic Regexes

2010-02-07T13:02:00.007-05:00

The other day on the #volatility channel we were discussing how it might be nice to have a list of Perl Regex for common things like IP addresses etc. Here are a few items we came up with:

IP Address: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

MAC Address: ([a-fA-F0-9]{2}\:){5}[a-fA-F0-9]{2}

URL: (http|https|ftp|mail)\:[\/\w.]+

Email: [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}

You can find some other Regex expressions on the SANS blog however the regex expression for IP addresses matches items like 999.999.999.999, which we know is not a valid IP address.

There's a nice post by geek00l listed at the bottom of the SANS post which links to other interesting posts.

Other references of interest:

Regular-Expressions.info
Regex Reference

What would you like to add to the list?

Cybercrime Studies: File Carving for Forensics Recovery

2010-01-28T21:21:00.005-05:00

There is an upcoming talk at John Jay College that should be interesting:

File Carving for Forensics Recovery

Nasir Memon

Professor of Computer Science
Director of the Information Systems and Internet Security (ISIS) Lab
Polytechnic Institute of New York University

As the number of digital devices in use continues to increase, there has also been an increase in the seizure and analysis of digital data for forensic purposes. One of the areas of high forensic interest is in the recovery of digital data from devices. In cases where the file system information for a digital device is missing or corrupt, newer data recovery techniques involving a process known as file carving are used to recover the data. This talk describes the need for and evolution of file carving, and presents the various technologies that have been used to improve file carving recovery, including our own Smart Carving techniques.


Date:       Tuesday, February 9, 2010
Time:       Reception – 1:45pm, Lecture – 2:00 pm
Location:   Room 630T, Haaren Hall
            899 Tenth Avenue, New York City 10019

RSVP: Nicole Daniels at 212-237-8920 or email ndaniels@jjay.cuny.edu.
For additional information please contact Professor Doug Salane, Director of the Center for Cybercrime Studies, at 212-237-8836 or email dsalane@jjay.cuny.edu.

Volatility's Output Rendering Functions

2010-01-11T21:49:00.012-05:00

Lately I've been playing around writing plugins for Volatility. A few of these will will be released at the end of this blog post, some others are still in the works to be released later. During the writing of some of the more complicated plugins, I decided that I needed to have some temporary storage while doing complex processing. Sure I could dump to a file and process that later, but why not do it within Volatility itself?

SQLite is good for this. There's an option to use an in-memory database (":memory:") that will remain in memory until the process dies. I also started thinking that some people might like to have a SQLite database of all the information they could get from a memory image for various reasons. Hence this is what the first release of plugins is all about.

Luckily Volatility has an option for plugins to have more than one output option. If you look at the code in forensics/commands.py you'll see the following (line numbers not included):


82   function_name = "render_%s" % self.opts.output
83   if not self.opts.out_file:
84       outfd = sys.stdout
85   else:
86       outfd = open(self.opts.out_file,'w')

This allows plugins to have more than one output function. For example a plugin might have a render_text function that would print to stdout as usual, a render_html function that prints out in html style, a render_sql function that does some SQL actions etc etc... The framework allows the user to pick which output option s/he wants and the output file on the command line as defined in vutils.py:


45 def get_standard_parser(cmdname):
...
...
59   op.add_option('-H','--output',default = 'text',
60        help='(optional, default="text") Output format (xml, html, sql)')
61   op.add_option('-O', '--out_file', default=None,
62        help='(output filename to write results onto - default stdout)')

Therefore, if there is a plugin that has an html output option, it can be invoked from the command line like so:

./volatility <plugin> -H html -O <out_file> -f mem.dd

Quite cool :-)

Plugin Structure

If you are interested in writing plugins for Volatility, you really should read Andreas Schuster's slides. They go into nice detail on how to write plugins for the framework. Here I will simply give you the gist :-)

The "skeleton" for the plugins is defined in forensics/commands.py. Items of interest include the help() function which is the plugin description you see when you run Volatility with the help option:

./volatility -h

Also of interest is the parser() function, which allows the plugin to modify its command line options. There is also the calculate() function, which is where the real work is done. The last item of our interest is the execute() function which allows us to calculate and collect the desired data from the memory image and then output it using the plugin's chosen render_* function.

The plugins I'm releasing now consist of core commands (defined in vmodules.py) that have been converted to this code structure so I could have more than one type of output for each of these commands. The plugins in this package are:

memory_plugins/connections_2.py
memory_plugins/dlllist_2.py
memory_plugins/files_2.py
memory_plugins/modules_2.py
memory_plugins/pslist_2.py
memory_plugins/sockets_2.py

Schema

The schema for these plugins is quite simple and not much different than the original output for these core commands. There is an extra field for the name of the memory image that was analyzed in case someone would like to place information for more than one memory image into a SQLite database. This may change at some point and of course you are free to change it as you like. It's enough for what I needed, however.

connections_2.py


Table Name:  connections

pid       Process ID 
local     Local connection information
remote    Remote connection information
memimage  Memory image information was extracted from

memory_plugins/dlllist_2.py [Edit: 2/16/10 new schema]


Table Name:  dlls

image_file_name  Process name
pid             Process ID 
cmdline         Command Line text
base            Base Address
size            Size
path            Path of DLL
memimage  Memory image information was extracted from

memory_plugins/files_2.py


Table Name:  files

pid       Process ID 
file      Open file
num       Number of times file is open by pid      
memimage  Memory image information was extracted from

memory_plugins/modules_2.py


Table Name:  modules

file      Module Path
base      Base Address
size      Size
name      Module Name
memimage  Memory image information was extracted from

memory_plugins/pslist_2.py


Table Name:  process  

pname     Process Name
pid       Process ID
ppid      Parent Process ID
thrds     Threads
hndl      Handle Count
ctime     Creation Time
memimage  Memory image information was extracted from

memory_plugins/sockets_2.py


Table Name:  sockets

pid       Process ID
port      Port
proto     Protocol
ctime     Creation Time
memimage  Memory image information was extracted from

Installation

First, make sure you have SQLite3 installed along with support for Python. Now download the Volatility code from the SVN. Download the plugins from here. A listing of the plugins is as follows:

$ tar -tzf vol_sql.tgz
vutils.py
forensics/commands.py
memory_plugins/connections_2.py
memory_plugins/dlllist_2.py
memory_plugins/files_2.py
memory_plugins/modules_2.py
memory_plugins/pslist_2.py
memory_plugins/sockets_2.py

Make a backup of your vutils.py and forensics/commands.py files if you like. I had to make a small modification to both of these files to get the plugins working properly. Then place the tar file into your Volatility directory and type:

$ tar -xvzf vol_sql.tgz

Each of the redefined core commands end with "_2" so pslist becomes pslist_2 and connections becomes connections_2 and so on. So if I wanted to dump the output of the connections_2 plugin to a SQLite file I would type the following:

./volatility connections_2 -H sql -O test.db -f mem.dd

After running all of the new commands to the same SQLite3 file, I can then look at what I have stored:

$ sqlite3 test.db
SQLite version 3.5.9
Enter ".help" for instructions
sqlite> .table
connections dlls files modules process sockets
sqlite> .schema
CREATE TABLE connections (pid integer, local text, remote text, memimage text);
CREATE TABLE dlls (image_file_name text, pid integer, cmdline text, base text, size text, path text, memimage text);
CREATE TABLE files (pid, file, num, memimage);
CREATE TABLE modules (file text, base text, size text, name text, memimage text);
CREATE TABLE process (pname text, pid integer, ppid integer, thrds text, hndl text, ctime text, memimage text);
CREATE TABLE sockets (pid integer, port integer, proto text, ctime text, memimage text);
sqlite> select * from files where pid = 4 and file like '%SEC%';
4|\WINDOWS\system32\config\SECURITY|1|/home/levy/forensic/evidence/10.vmem
4|\WINDOWS\system32\config\SECURITY.LOG|1|/home/levy/forensic/evidence/10.vmem
sqlite> .quit

You can make as many complex queries as you like now :-)

Briefly: Misc News

2010-01-02T19:17:00.005-05:00

Into the Boxes Issue 0x0 is now out. It contains a small article on Linux memory forensics I wrote as well as a cool article on Windows 7 UserAssist Registry Keys by Didier Stevens, a hardware quick tip and FTK imager quick tip by Don C. Weber and a PCI interview with Harlan Carvey. For those who are interested in contributing to future publications, check out the Collaboration Box. Congratulations to Don and Harlan on the first release!

There is a new meetup group that I am helping to organize: NYC4Sec. The group consists of computer security, forensics and compliance professionals based in the Tri-State area and we will be meeting to discuss the latest trends in threats and responses as well as what to do when attacked. We are aiming to meet at the end of the month. Feel free to sign up and come to the meeting. If anyone is interested in presenting at the meeting, please contact myself or Morton Swimmer.

I have also been asked to give a talk at CEIC 2010. So if you are planning to attend, I'll see you there :-)

Linux Memory Forensics: task_struct

2009-12-20T14:05:00.004-05:00

A while back, I started blogging about /dev/kcore and had gotten up to the task_struct structure, promising to continue talking about it. Well, it's been a while since, but I have not forgotten. This will take more than one post to finish it up, however. Today we will start with a brief introduction. Later posts will continue our exploration concluding with some small real demonstrations.

task_struct

So what is the task_struct structure? It's a structure that contains information about what a process is doing. It allows the kernel to keep track of processes that are running, the states they are in as well as other information needed by that process during execution.

States of the process are also defined in include/linux/sched.h and let the kernel know if the process is running (TASK_RUNNING), interruptible (TASK_INTERRUPTIBLE), uninterruptible (TASK_UNINTERRUPTIBLE), stopped (TASK_STOPPED), being traced by a debugger (TASK_TRACED), or exiting (EXIT_ZOMBIE, EXIT_DEAD).

The task_struct structure also contains identifying information such as the process PID, thread group leader ID. There are also pointers to the parent process' task_struct structure and real_parent task_struct structure for debugging purposes.

Also contained in the task_struct structure is information about other relationships the current process has such as children or siblings.

The executable name excluding the path is also stored in task_struct as well as current directory information and file descriptors.

The signal_struct structure contains information regarding signals for this process as well as tty associated with it.

Also contained in the task_struct is the mm_struct which contains pointers to vm_area_structs which are areas of virtual memory. We will discuss mm_struct and vm_area_struct next time.

References:
Bovet, D., M. Cesati (2000). Understanding the linux kernel. Cambridge: O'Reilly Media.

Rusling, D. Virtual Memory, The Linux Tutorial http://www.linux-tutorial.info/modules.php?name=MContent&pageid=322

Audience Participation Time

2009-12-20T09:47:00.009-05:00

While catching up on some reading over at Harlan's blog I started thinking about all of the programming I've done in the past year or so. I really appreciate all of the hard work that goes into developing programs like RegRipper and countless others. It's cool when people are able to share tools they have developed to solve problems they have encountered in the field. It's also cool when people who are in the field are able to solve the problems themselves. I have been thinking about whether or not someone who is working in the field of digital forensics really needs to know a programming language or not. My thoughts are yes (which is influenced by what I see around me and may be biased, considering that I do a lot of programming), but I can see how some people may think differently. The reason why I bring this up is because this question has been in the back of my mind since my last discussion with someone from my alma mater, John Jay College.

John Jay's MS in Forensic Computing has been established since 2004 and it has been evolving ever since its conception. The courses of the program have roughly contained a lot of hands on labs as well as theory (algorithms, cryptography, network protocols etc) and programming (various scripting, C Linux OS) in addition to Criminal Justice courses on laws regarding digital evidence. The question has come up several times as to whether or not the theoretical and programming courses are needed in the background of someone who wants to be a forensic examiner.

When I was in attendance there, the general feeling from *some* (not all) of my colleagues was that they didn't need to learn programming and theory in order to work as a forensic examiner. They said they only needed to learn how to use tool XXX or YYY and get a certification in A, B, and/or C they would be set... Perhaps they were right in some way, as they went on to find jobs where that was enough for them. The debate continues about the direction of the program and whether or not theory and programming are needed and whether or not some kind of certification should be obtained instead.

Having been out in the "real world" for a little while, I see a lot of people who do not need any programming knowledge whatsoever to fulfill their jobs. There are plenty of tools that they are more than proficient in using and I'm not knocking their skills, because they are really quite knowledgeable at what they do. However, there are many times that tool XXX or tool YYY doesn't do whatever it should normally, or it cannot fulfill the job the way the client would like. Having a little programming knowledge helps out immensely in these cases. In addition to the EnScripts I have written at work, I have written a lot of Perl scripts, *nix scripts, Visual Basic programs, SQL queries etc. to get the job done. I have also taken someone else's code in language X, Y or Z and tweaked it to run the way I needed it to for a particular job. Now I concede that it's not every day that I need to write these customizations, but it happens enough that I'm glad I can do it.

I often hear from colleagues at work or elsewhere that they wish they knew how to program in X or Y so they could write their own tools to do something. I have suggested books or websites from which they could glean this wanted knowledge. This often comes with some "stern" advice that they must also practice programming if they want it to stick. Some have taken my advice, some probably just don't have the time for it...

So after much rambling on the subject, what do you think? How often do you wish/are you glad that you knew how to program? How often would it have helped you/does it help you on your job as a forensic examiner/incident responder?

Don't be afraid to comment. I only moderate to keep down on the spam (which I seem to get a lot of for some reason).

More Misc Stuff

2009-12-19T19:13:00.017-05:00

I recently came across a couple of tools that may be helpful to someone and I have created a repository for some of my stuff:

Maatkit

Maatkit has a lot of cool utilities that allow you greater control of MySQL. I recently found it very useful for restoring an extremely large MySQL dump by using the mk-parallel-restore. For information about its feature, either visit the website or you can check out this Linux Magazine article.

HTMLDOC

HTMLDOC allows you create PDF documents of html pages. You can convert pages one page at a time, or as a book. So you could use wget to download the pages of a website recursively, including the graphics and then pdf'ify it into one book with references... pretty useful.

Some of my stuff

Since I'm not sure how much longer I will have my academic website, I am starting to move some of the code that's been hosted there to another location. I have also added a few things that are not listed on the old code page or elsewhere on my academic site, such as a DC3 Image Assember script that worked with the last DC3 challenge (haven't looked at the current one) and a Virus Total hash checker that takes a list of hashes and posts them to Virus Total to build an html report. This last one needs some modification however, since if one is checking lots of files Virus Total starts to report errors... Hopefully I'll have some time to create a new version in the future...

Misc Stuff

2009-12-13T10:24:00.004-05:00

Droid Forensics

For those of you interested in Droid forensics, check out the viaForensics website. There you can find a presentation on Droid forensics (pdf) as well as a regularly updated blog.

New Volatility Plugins

MHL has been busy creating new Volatility plugins. He's modified the malfind plugin to use YARA which allows one to search the process memory for defined patterns (rules). He also has created a new plugin called ldr_modules.py that can detect unlinked LDR_MODULE entries. I suggest reading his blogpost in order to take it all in. You can get the updated plugins here (zip).

Also from his blogpost you'll see that AAron and Moyix rocked the Incident Detection Summit.

MDD will cease to exist

It seems that development and maintenance of the MDD tool will cease. For those of you who are dependent on that tool, windd is a great free alternative.

Into the Boxes

For those of you who might not be aware, there is a new quarterly digital forensic and incident response ezine that is about to come out next month called Into the Boxes. For more updates, check out their twitter feed. If you are interested in contributing to future publications, you can find the guidelines here.

Briefly: New VDP Mac OSX Document

2009-11-08T09:59:00.003-05:00

We have received a new submission to the VDP. Keep them coming :-)

Dougee has submitted an install manual for Snow Leopard. It covers installation from the official tar ball release as well as from the SVN repository. It also covers installing some of the plugin dependencies. Shouts to Dougee!

OT: RSS Feeds and things

2009-11-06T14:26:00.003-05:00

This is not going to be my usual banter, just something I came across (yeah, I know, I'm late) and thought was cool. So it's no big secret that I use Google's Reader to keep up with all of my RSS feeds. I had noticed that we are now able to search for shared items and hadn't really given it much thought. I had even shared a couple of articles earlier in the year, but didn't really know what happened to them, or forgot that I had done so...

Anyway, the other day people on twitter were talking about Google Dashboard and I decided to check it out. There really wasn't that much surprising until I looked under the "Reader" section and saw I had followers. Followers? For my Google reader? I wanted to know what they were following. So after some investigation I find my shared items feed with the two things I had shared previously. I've since decided to add things to the feeder, sometimes even with notes :-)

I know... Google's got the goods on me and I'm feeding the monster, black helicopters etc etc etc... but it's still a cool way to share things you read. I've since subscribed to a few feeds myself :-)

Briefly: New Volatility Release

2009-10-25T20:57:00.009-04:00

(via Echo6)

There is a new stable release of Volatility v 1.3.2 available for download.

Also Michael Cohen (scudette) and Mike Auty have been extremely busy developing. Their fearless efforts could use some eyes to track down and report bugs, however. If you feel like helping out, download the 1.3.2 version, test it out and report any bugs you may find.

You may report bugs using the Issues feature on the Google Code site. You may also reach Mike Auty at:

mike {dot} auty {at} gmail {dot} com

And of course you can always reach the Volatility team on IRC on the #volatility channel at irc.freenode.net

Mike Auty (ikelos) and Michael Cohen (scudette) are often online so you can talk to them about any bugs you encounter directly.

Volatility Get Plugins Bash Script

2009-10-21T17:08:00.003-04:00

Earlier I had written about all of the known Volatility plugins and how to go about installing them. Now I've decided to make things even easier for some, by including a bash script that will download and install all of these plugins. It will also install pefile, pycrypto and pydasm. I have tested it on a linux box as well as a cygwin installation.

Make sure you are running this as root (or with sudo) if you are doing this under Linux. Also make sure you have subversion installed.

Prereqs for Cygwin:

Obviously you must have Cygwin installed. In addition to what I have listed in a previous post, you will also need to install:

* wget
* unzip
* svn (subversion)

Hopefully I haven't forgotten anything... let me know if I have.

Simply unzip the bash script into the directory where you want Volatility installed. Then run the script:

$ ./get_plugins.bsh

This bash script removes one of the example files (memory_plugins/example3.py) since it has a conflicting _EPROCESS definition, so if you want that file - simply comment out that remove statement.

You will have to install Inline::Python yourself until I figure out a way to get it installed in a general fashion.

Let me know if you encounter errors.

Briefly: VDP Wiki

2009-10-20T12:40:00.003-04:00

I have updated the VDP Wiki to include some blog posts out there about using or installing Volatility. There are also links to Richard McQuown's recent blogposts on his Volatility Batch File Maker and walk through. There are also links to other submitted articles on installation, usage and reporting.

I'll continue updating the Wiki as I find other articles to add to it. If anyone wants to add something new, let me know: jamie {dot} levy {at} gmail {dot} com

Briefly: OMFW 2010

2009-10-09T16:12:00.006-04:00

Open Memory Forensics Workshop (OMFW) 2010 is currently being planned. If you are interested in presenting or helping out, let them know!

Briefly: Malware Marketing talk at John Jay College

2009-10-09T13:41:00.005-04:00

There's an upcoming talk at John Jay College next week that may interest some of you in the NYC area:

Understanding the Market for Malware and Cybercrime

Thursday, Oct. 15, 2009
3:15 pm, room 630T
Tom Holt, Assistant Professor
School of Criminal Justice
Michigan State University

Events will take place at
John Jay College of Criminal Justice
899 Tenth Avenue
(between 58th and 59th Streets.)
RSVP to Nicole Daniels (ndaniels@jjay.cuny.edu: 212.237.8920).

/dev/crash Driver

2009-08-24T15:40:00.008-04:00

As you may or may not know, some distributions (RHEL, Fedora, Ubuntu) block some reads and writes to /dev/mem and have for a while. I first came across this when writing my thesis at John Jay College. Since I was trying to test the memory encryption library I had written and original tests comprised of scanning all of memory, the /dev/mem barrier was a bit cumbersome. I had gotten around it by using a Python script called Zeppoo-dump.py (project no longer maintained) to overwrite the offending instructions.

The following code only allows access within the first 256 pages of memory. (/usr/src/linux/drivers/char/mem.c):

#ifdef CONFIG_STRICT_DEVMEM
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
u64 from = ((u64)pfn) << PAGE_SHIFT;
u64 to = from + size;
u64 cursor = from;

while (cursor < to) {
if (!devmem_is_allowed(pfn)) {
printk(KERN_INFO
"Program %s tried to access /dev/mem between %Lx->%Lx.\n",
current->comm, from, to);
return 0;
}
cursor += PAGE_SIZE;
pfn++;
}
return 1;
}
#else
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
return 1;
}

and from (/usr/src/linux/arch/x86/mm/init_32.c):

int devmem_is_allowed(unsigned long pagenr)
{
if (pagenr <= 256)
return 1;
if (!page_is_ram(pagenr))
return 1;
return 0;
}

You can find a nice writeup by Anthony Lineberry from BH Europe 2009.

So suppose you want to collect the memory image from /dev/mem? What will happen if you try to do so on a machine that has CONFIG_STRICT_DEVMEM enabled? If you try to collect memory using dd you will see the following:

# dd if=/dev/mem of=mem.dd
dd: reading `/dev/mem': Operation not permitted
2056+0 records in
2056+0 records out
1052672 bytes (1.1 MB) copied, 0.159965 s, 6.6 MB/s

You should also see the following in /var/log/messages though some values will obviously vary:

Aug 23 14:37:15 [comp name] kernel: [17415.953941] Program dd tried to access /dev/mem between 101000->101200.

So there has be a way around this, right? Checking the Redhat Crash Utility listserv yielded some good advice. There are three courses of action proposed:

(1) Rebuild your kernel without the CONFIG_STRICT_DEVMEM restriction.
(2) Port the Fedora /dev/crash driver (./drivers/char/crash.c) to your kernel.
(3) Write a kretprobe module that tinkers with the return value of the
kernel's devmem_is_allowed() function such that it always returns 1.

I don't want to recompile the kernel since I'll loose whatever is currently in memory, so I'll focus on (2). Since I am currently using Ubuntu instead of Fedora, I knew I would have to port the code over. So I found a copy of crash.c and crash.h and set to work. You can find the ported crash driver here as well as a Makefile.

Now, I take NO responsibility for what may happen to your machine if something goes wrong during installation. This is for a 32bit system, and I have only tested this on Ubuntu Ibex kernel 2.6.27-14-generic. I still need to do some testing and will probably have more to say about that later... That being said, we'll continue.

Grab the tar file from above and extract:

#tar -xvzf crash_driver_ubuntu.tgz
crash_driver/
crash_driver/crash.h
crash_driver/Makefile
crash_driver/crash.c

Go inside the newly created folder and compile the kernel module:

# cd crash_driver/
# ls
crash.c crash.h Makefile

# make
make -C /lib/modules/2.6.27-14-generic/build M=/home/levy/crash/crash_driver modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.27-14-generic'
CC [M] /home/levy/crash/crash_driver/crash.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/levy/crash/crash_driver/crash.mod.o
LD [M] /home/levy/crash/crash_driver/crash.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.27-14-generic'

At this point you should have the following files:

# ls
crash.c crash.h crash.ko crash.mod.c crash.mod.o crash.o Makefile Module.markers modules.order Module.symvers

The file of interest is the crash.ko kernel module. We will load this into the kernel and check that it is installed correctly:

# insmod crash.ko

# lsmod |grep crash
crash 10368 0

# ls -l /dev/crash
crw-rw---- 1 root root 10, 59 2009-08-23 15:04 /dev/crash

# tail -n 1 /var/log/messages
Aug 23 15:04:10 [comp name] kernel: [19030.855920] crash memory driver: version 1.0

So now we have a new device we can use to access memory: /dev/crash

# dd if=/dev/crash of=crash.dd
dd: reading `/dev/crash': Bad address
6812680+0 records in
6812680+0 records out
3488092160 bytes (3.5 GB) copied, 157.964 s, 22.1 MB/s

I'm not yet sure what the "Bad address" error means, but I suspect it is because dd tried to read beyond the 3.3 GB of memory that I have available.

You can remove the crash.ko module like so when you are finished:

# rmmod crash

Now let's test the newly obtained memory dump to see if it works. I'm going to use the RH Crash Utility with the volatile patch which you can find here:

# ./crash -f /boot/System.map-2.6.27-14-generic /usr/src/linux-source-2.6.27/vmlinux crash.dd --volatile

crash 4.0-8.9
Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Red Hat, Inc.
Copyright (C) 2004, 2005, 2006 IBM Corporation
Copyright (C) 1999-2006 Hewlett-Packard Co
Copyright (C) 2005, 2006 Fujitsu Limited
Copyright (C) 2006, 2007 VA Linux Systems Japan K.K.
Copyright (C) 2005 NEC Corporation
Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc.
Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc.
This program is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions. Enter "help copying" to see the conditions.
This program has absolutely no warranty. Enter "help warranty" for details.

GNU gdb 6.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...

SYSTEM MAP: /boot/System.map-2.6.27-14-generic
DEBUG KERNEL: /usr/src/linux-source-2.6.27/vmlinux (2.6.27.18)
DUMPFILE: crash.dd
CPUS: 2
DATE: Mon Aug 23 12:31:54 2009
UPTIME: 02:44:55
LOAD AVERAGE: 0.10, 0.17, 0.17
TASKS: 252
NODENAME: --
RELEASE: 2.6.27-14-generic
VERSION: #1 SMP Tue Aug 18 16:25:45 UTC 2009
MACHINE: i686 (1994 Mhz)
MEMORY: 3.2 GB
PID: 0
COMMAND: "swapper"
TASK: c0471340 (1 of 2) [THREAD_INFO: c04aa000]
CPU: 0
STATE: TASK_RUNNING

crash>

So far so good :-)

crash> ps
PID PPID CPU TASK ST %MEM VSZ RSS COMM
0 0 0 c0471340 RU 0.0 0 0 [swapper]
> 0 0 1 f744e480 RU 0.0 0 0 [swapper]
1 0 0 f7448000 IN 0.1 3056 1900 init
2 0 1 f7448c90 IN 0.0 0 0 [kthreadd]
3 2 0 f7449920 IN 0.0 0 0 [migration/0]
4 2 0 f744a5b0 IN 0.0 0 0 [ksoftirqd/0]
5 2 0 f744b240 IN 0.0 0 0 [watchdog/0]
6 2 1 f744bed0 IN 0.0 0 0 [migration/1]
7 2 1 f744cb60 IN 0.0 0 0 [ksoftirqd/1]
8 2 1 f744d7f0 IN 0.0 0 0 [watchdog/1]
9 2 0 f744f110 IN 0.0 0 0 [events/0]
10 2 1 f7460000 IN 0.0 0 0 [events/1]
11 2 0 f7460c90 IN 0.0 0 0 [khelper]

[snip]

crash> foreach files
PID: 0 TASK: c0471340 CPU: 0 COMMAND: "swapper"
ROOT: / CWD: /
No open files

PID: 0 TASK: f744e480 CPU: 1 COMMAND: "swapper"
ROOT: / CWD: /
No open files

PID: 1 TASK: f7448000 CPU: 0 COMMAND: "init"
ROOT: / CWD: /
FD FILE DENTRY INODE TYPE PATH
0 f69c8300 f700c550 f695a3e0 CHR /dev/console
1 f69c8300 f700c550 f695a3e0 CHR /dev/console
2 f69c8300 f700c550 f695a3e0 CHR /dev/console
3 f69c8f00 f720d770 f7243c38 FIFO
4 f69c8780 f720d770 f7243c38 FIFO
5 f69c86c0 f7218990 f7045228 SOCK
6 f69c8b40 f70216e8 f70b6000 DIR inotify

PID: 2 TASK: f7448c90 CPU: 1 COMMAND: "kthreadd"
ROOT: / CWD: /
No open files

PID: 3 TASK: f7449920 CPU: 0 COMMAND: "migration/0"

[snip]

crash> foreach net
foreach: WARNING: net command requires -s or -S option

PID: 0 TASK: c0471340 CPU: 0 COMMAND: "swapper"
No open sockets.

PID: 0 TASK: f744e480 CPU: 1 COMMAND: "swapper"
No open sockets.

PID: 1 TASK: f7448000 CPU: 0 COMMAND: "init"
FD SOCKET SOCK FAMILY:TYPE SOURCE-PORT DESTINATION-PORT
5 f7045200 f6bfe380 UNIX:DGRAM

[snip]

In order to compile the kernel so that you can use the RedHat Crash Utility, you can follow the Ubuntu tutorial. After installing the appropriate packages you may have to run the following command:

sudo apt-get build-dep linux

You should end up with a linux-source*.tar.bz2 file under /usr/src . You should also have at least one folder with the kernel headers for your current kernel. You can extract the .tar.bz2 file as so:

# tar -xjf linux-source*.tar.bz2

Go into the resulting folder and set following flag in the Makefile:

CFLAGS_KERNEL = -g

Copy the .config file from your /usr/src/linux-headers-$(uname -r) folder into the /usr/src/linux-source-$(uname -r) folder.

Now type make. After the kernel is finished compiling, you should end up with a vmlinux file. This is the uncompressed kernel image with the debugging information that you need in order to run the RH crash utility.

For more information on the RH Crash Utility, check out:
Official RH Crash Utility Website
Linux Memory Forensics by A. Walters, M. Cohen and D. Collett.
slides from CEIC

Briefly: VDP Project

2009-08-20T18:45:00.001-04:00

I have volunteered to help with the Volatility Documentation Project (VDP) for Volatility. If you have something you would like to contribute, please feel free to email me at

jamie -{dot}- levy -{at}- gmail -{dot}- com

Contributed documents will appear on the Volatility Google Code website.

We have two new contributions by SAL:

VolReport(win) with an accompaning batch script as well as a manual covering the visual capabilities of Volatility.

Keep them coming :-)

Installing Volatility Plugins

2009-08-12T17:06:00.006-04:00

So you've already installed Volatility using SVN and you want to try out some of the community plugins that people are raving about. Publicly known plugins are listed on the forensics wiki. The wiki contains links to plugins as well as links to blogposts/articles for further information on installation, dependencies and how they work.

Most plugin installation is straightforward where one may simply place the plugin in the memory_plugins directory within the Volatility directory. Some are only slightly more complicated by needing a helper library installed in addition to the plugin itself. Others are even more complicated and require some installation of Python libraries which may or may not need the help of other compiled libraries. Therefore we have three cases for plugin installation (please visit the forensics wiki for more information):

Simple Case - only in memory_plugins
- volshell
- IDT
- cryptoscan
- orphan_threads
- keyboardbuffer
- getsids
- moddump
- objtypescan
- symlinkobjscan
- driverscan
- fileobjscan
- pstree
More Complex Case - also supporting file(s)
- driverirp (needs driverscan)
- threadqueues (needs lists.py)
- ssdt (needs lists.py)
Most Complex Case - installation of supporting libraries
- malfind (needs pydasm and pefile)
- kernel_hooks (needs pefile)
- usermode_hooks (needs pefile)
- volreg (needs pycrypto)
- VolRip (needs volreg and Inline::Python)

Simple installation of volshell

For an example of a simple installation, we will install the volshell plugin. Simply download the volshell.py file and place it into your memory_plugins directory. You can test to make sure that is installed correctly by running Volatility without any arguments and volshell should appear under "Supported Plugin Commands" highlighted below in Figure 1. All other "simple case" plugins should install the same way.

Figure 1: Installation of volshell

More Complex Cases

The ssdt and threadqueues plugins require that the lists.py library file be placed in the forensics/win32 directory in addition to placing the ssdt.py and threadqueues.py into the memory_plugins folder as before. The driverirp plugin requires the driverscan plugin in order to work. Both of these plugins are placed in the memory_plugins directory.

After placing the files in the appropriate places, check to make sure that the plugins are properly installed by running volatility without any arguments as before and checking under "Supported Plugin Commands" (Figure 1).

Most Complex Cases

For the "most complex cases" other libraries must be installed for the plugin to work properly. First we will look at installing the malfind plugin. First of all, download the malfind.py plugin file and place it in the memory_plugins directory. Now you must install the pydasm and pefile libraries.

In order to install the pydasm library, you will have to do some initial setup including by installing a gcc compiler and make. For this tutorial, we will use MinGW.

Figure 2: Sourceforge download site for MinGW

Download the windows installer for MinGW from the sourceforge website (Figure 2). Double click to install (Figure 3-9).

Figure 3: Choose "Download and Install"

Figure 4: Click "Agree"

Figure 5: Choose "Current"

Figure 6: Choose compilers and MinGW make

You do not necessarily have to install all compilers however, for simplicity, do a full install.

Figure 7: Choose location for installation. The default is fine.

Figure 8: Installing

Figure 9: installation complete

Once the installation is complete and you have clicked finish, you will have to make a few adjustments to the installation in order to get things working properly. First of all, we need to have an executable called "make.exe". The make executable for MinGW is appropriately named mingwmake.exe. Simply copy this executable and paste it into the same directory (C:\MinGW\bin) which should result in an identical copy named "Copy of mingwmake.exe". Rename this executable to "make.exe" as shown in Figures 10-11.

Figure 10: "Copy of mingwmake.exe"

Figure 11: Rename to "make.exe"

Now we have to modify our path to include the executables for MinGW. If you have a regular start menu, click on start and then right click on “My Computer” and choose properties. If you have the classic start menu, just right click on “My Computer” and choose properties. Click on the “Advanced” tab and then click on “Environmental Variables”. Click on the Path system variable towards the bottom of the window and click the “Edit” button. We will append the path of our Python installation to the end of the existing Path variable. Where it says “Variable Value” go to
the end of the line and add the following (if you installed MinGW in a different location, modify appropriately):

;C:\MinGW\bin

Figure 12: Adding C:\MinGW\bin to the path variable

Now for installing pydasm. Download the source code for libdasm. The easiest way to extract the contents from this tar ball is using 7zip. Once you have 7zip installed, you can associate all zip files by starting the 7zip Filemanager (Start->Programs->7-zip->7-zip File Manager) and clicking on "Tools->Options" and clicking "Select all" in the system tab and "OK" (Figure 13).

Figure 13: Associating zip file types

At this point you are ready to extract the libdasm/pydasm source code. Double click the downloaded pydasm tar ball. You should see the following:

Figure 14: Opening libdasm tar ball with 7-zip

Double click on the libdasm*.tar file inside from within the 7-zip application until you see a folder icon with the name libdasm-1.5 (or other version number):

Figure 15: libdasm folder

Highlight the folder and then click on the extract button and say OK. The folder will extract with all source code inside to the path you choose, or by default the current directory:

Figure 16: Extracting the libdasm source code

Now open a command prompt and change directories until you are in the newly extracted libdasm folder. Type the following commands:

make
cd pydasm
python setup.py build -c mingw32
python setup.py install

That's it! You've installed pydasm.

Now you are ready to install the pefile library. Grab the zip file or tar ball of the source code and extract is as you did before. Go into that resulting folder and type the following:

python setup.py build
python setup.py install

Now you've installed pefile. Now you should see the malfind plugin listed under supported plugins for Volatility. All the other plugins that were depend on pefile should work as well if they are installed in the memory_plugins directory.

Installing the volreg plugin requires pycrypto. Simply go the gitweb interface for this project and download the latest git snapshot by clicking on "snapshot". This will download a tar ball file of the source code. Simply extract it as you did before, then open the command prompt and change into that directory. Then type the following:

python setup.py build
python setup.py install

You've now installed the pycrypto library. Download the volreg tarfile and extract the contents into your Volatility folder by double clicking as before, selecting all three folders and changing the extraction path to your Volatility folder. All files should be placed into the correct location:

Figure 17: Extraction of volreg into Volatility directory.

Next time we will cover the volrip plugin after I figure out how to get Inline::Python working under windows...

Volatility SVN

2009-08-03T19:44:00.016-04:00

Since the last post on Volatility some of you may be wondering how you may download the newest source of Volatility from the Google SVN repository. Well for Linux it's very easy. After you install subversion using yum or apt-get, you simply follow the instructions on the website:


$ svn checkout http://volatility.googlecode.com/svn/trunk/ [folder name]

where [folder name] is replaced by the name of the folder you want to contain the downloaded code.

For Windows users, it's only slightly more complicated. First you must install a subversion client. For this post we will use Tortoise SVN.

Figure 1: Tortoise SVN website

Go to the downloads section and choose the appropriate installer. For this post we are choosing the 32 bit version.

Figure 2: Tortoise SVN website - downloads section

Once you have downloaded the installer, run it. You may see the following security warning, just click Run. All defaults should be fine, so keep clicking next until the installation finishes.

Figure 3 and 4: Running the Tortoise SVN installer

After the installation is complete, you will have to restart your computer. After restart you should see the following menu added when you right click:

Figure 5: Tortoise SVN right click menu options

Create a folder for the repository (for this run through we will create a folder called Volatility on the root of the drive (C:\). Right click and choose "SVN Checkout" noted in the picture above. After choosing this menu, you should see the following:

Figure 6: Filling in options to download Volatility

Paste the url of the repository: http://volatility.googlecode.com/svn/trunk/ in the first text box and the location of the newly created folder in the second text box (as shown above). Leave the other options the same as shown above. Press OK. You should see the following as it begins downloading and then finishes:

Figure 7 and 8: Downloading Volatility from SVN

The newly created folder should now contain the SVN repository. This includes another folder named "Volatility" that contains the actual source code. If you go inside the inner Volatility folder you should see the python source code files as shown in Figure 10.

Figure 9 and 10: Newly created folder containing Volatility SVN repository.

To test the newly downloaded code, open a command shell, go inside the Volatility folder (which is inside your newly created folder) and type "python volatility" without the quotes. (This is assuming you have already installed Python, which is covered in the installation manual.) See below:

Figure 11: Running Volatility

Now you're set. You have the latest source code for Volatility. Next will be how to install plugins...

Briefly: recordmydesktop

2009-08-03T10:16:00.005-04:00

Occasionally I have needed to make screencasts for my students so that they would have something to look at in their own time. There are two tools that make this easy on Linux (both should available in the yum or apt repositories):

Recordmydesktop does as it sounds: it records the desktop. It has options to set the size of the area to record as well as the window you would like to record. I like to choose the window option myself. I also like to record without sound, but you can figure out how to modify the script to remove that option if you so choose.

FFmpeg is a nice tool that allows you to convert, record and stream audio and video. I use it to convert the resulting video from recormydesktop to flv format in order to upload to photobucket or elsewhere.

To make my life easier, I have created the following script that takes in 1-2 arguments. The first argument should be the desired name of the resulting video file. The second argument is an (optional) amount of time to wait before recording. The default wait time is 3 seconds.

When you run the script it waits for you to click on the window that you wish to record by using xwininfo to get the window id number. You will notice that the mouse changes to a + sign as it is waiting for you to click. Once you click the window, it will begin recording that window area after the appropriate wait time has transpired. The video is converted to [chosen filename].flv after you have stopped recording (CTRL+C in terminal from which you started the script).

Feel free to do with as you please. The script can be found below:

#!/bin/bash
#
# Warning: this does not have robust error checking!

bad=67
if [ $# -lt 1 ]
then
echo "Usage: $0 [filename] [[optional time]]"
exit $bad
fi

if [ $# -eq 1 ] #check for arguments
then
time=3 #if one (only filename) exists, sleep for 3 seconds
filename=$1 #set filename
else
time=$2 #else, we'll sleep for $2 seconds
filename=$1 #set filename
fi

recordmydesktop -windowid `xwininfo |grep "Window id:"|sed -e "s/xwininfo\:\ Window id:\ //;s/\ .*//"` -o $filename.ogv -delay $time --no-sound

ffmpeg -i $filename.ogv -b 384000 -s 640x480 -pass 1 -passlogfile log-file $filename.flv

Cygwin Installation

2009-07-30T22:52:00.002-04:00

Note: I am reusing a post from my forensics class at John Jay College. This will be used as a reference for an upcoming post on Volatility module installation. So be patient, there is more to come...

This post goes over an installation of Cygwin which is a Linux-like environment for windows. Since most of you have Windows machines, this will allow you run tools that normally run under Linux/Unix environments.

The setup file is here.

When you download setup, double click it. You should see the following:

Press ``Next'' and choose ``Install from the Internet'' :

Choose where to install Cygwin (by default it is in C:\Cygwin):

Cygwin will create a directory in which it will store the its files during installation. After installation you can delete the folder. The default location is the desktop:

Select your internet connection. The default is OK:

Select a mirror (mirrorservice.org is good):

Press ``Next'' You should see the following:

Next you will see a list of packages you can download. By default these are organized by category:

If you press the plus signs on the left hand side, it will open up the category and you can select specific packages:

Here is a list of packages you need organized by category:

Base

Everything

Devel

Gcc: C, C++, Fortran compilers
gcc-mingw: Mingw32 support headers and libraries for GCC
gcc2: Version X.XX.X [whatever is latest] of C, C++, Fortran compilers
gdb: The GNU Debugger
make: The GNU version of the `make' utility
mingw-runtime: MinGW Runtime
openssl-devel: The OpenSSL development environment

Editors

Nano: A pico clone text editor with extensions [works like pico]
vim: Vi Improved – enhanced vi editor

Interpreters

Perl
Python

Utils

until-linux: Random collection of Linux utilities
file
ELFIO

Text

less: A file pager program, similar to more(1)

After you have made your selections, press next for installation to begin. This part is the actual installation, and may take some time. Just let it finish. After it finishes you will be asked if you want to create shortcuts on the desktop. Make sure to click Finish.

Running Cygwin

When you run Cygwin for the first time, it might take a little longer to start up. This is because it is configuring
a few more files for your environment. Then you should get a command line prompt that looks like:

You are now able to work on your programs at home on your windows machines.

Volatility News

2009-07-22T21:32:00.007-04:00

So if you follow me or Moyix on twitter, you will have seen some updates about some cool new plugins by MHL for Volatility. Shouts to MHL for his awesome work!

Other volatility plugins are listed on the Forensics Wiki.

Moyix has also released his slides from his recent talk on combining memory and registry analysis. Awesome stuff!

Volatility was also recently mentioned in Episode 522 of Hak5: Whats in your RAM? along with some other very cool tools like Matthieu Suiche's win32dd

Volatility has been under heavy development lately and has issued a call for bugs. So if you are currently a user and have encountered something odd, please report it so that it may be fixed. You can do so by sending an email to the developer's listserv. In order to get the newest code updates, you can download Volatility from the svn repository simply following the instructions on the site. For installation instructions you can check out the install manual written by yours truly ;-)

Want to learn about memory forensics and the internals of Volatility? Andreas Schuster has posted slides teaching just that!

BTW, Volatile Systems is also currently hiring. So if memory forensics and reverse engineering are within your interests you can apply for a job that includes both!

It's an exciting time and I'm sure there will be much more to come.

NeFX 2009

2009-06-05T12:49:00.003-04:00

Coming to NYC this summer:

NeFX 2009
The First Annual ACM Northeast Digital Forensics Exchange

July 20-21, 2009 @ John Jay College of Criminal Justice/CUNY (NYC)

The ACM Northeast Digital Forensics Exchange (NeFX) is a workshop, sponsored in part by the National Science Foundation, to foster collaboration on digital forensics and information assurance between federal and state law enforcement, academia, and industry. Our goal is to bring together leading practitioners and academics in order to yield partnerships that advance research on digital forensic science through mutual sharing of the problems of practice and research.

This should be interesting. They have some good speakers lined up and some interesting topics for tutorials. Check the website for more details.

CEIC materials

2009-05-31T16:05:00.008-04:00

I would have had this up sooner, but I was out of town last week and the week before was the conference... Anyway, I promised I would post the slides and supporting files for my CEIC classes. I don't have the slides for the foreign language talk, but I didn't promise to give those out ;-)

How to Address ESI Involving Encryption from Disk Level to Individual Files with David Lyman [ppt | pdf]

Spoofing/hacking/memory analysis talk [pdf]

Here is the ARP spoofing perl script we used and some of you requested: [arpspoof.pl]. You must install Nemesis for the script to work, or you can modify it to use another packet crafting program. Also, depending on the distro you might have to modify the path for the arp command (for Fedora it is /sbin/arp). Anyway, you should be able to modify it on your own.

Also, we used Wireshark and Backtrack 4.

For those of you who would like more VM machines to hack into you can go to de-ice.net.

The agenda had changed somewhat for the second talk, since I had taken the class over from someone else at the last second. I would like to thank Prof Bilal Khan for all of his help and his donation of the vulnerable VM :-) Parts of this lab are representative of some of the courses in the Forensic Computing graduate program at John Jay College.

I would also like to thank AAron and Moyix from the Volatility community for their insight as well.

CEIC was a lot of fun, I met a lot of interesting people and had a blast ;-)

Some Links and Information

2009-05-11T21:32:00.010-04:00

Well, it's been a little while since I was last writing on here. Things have been busy, but it will pick up on here soon ;-)

In the mean time, I'll post some interesting things I've come across. I am personally always looking for more information on various computer forensics/security topics. After a recent conversation with some friends of mine from the John Jay College forensics program about how one can keep up with changes in these fields, I thought I might share a few resources that I use. Hopefully some of these links will be interesting to some of you. Instead of focusing on a particular tool, I'm going to focus on the human factor: where do you find people who are interested/experts in these fields? Where can you hear them talk? Where can you interact with them? Where can you get further information about a particular subject?

Podcasts / Webcasts

There are some interesting podcasts out there. Most people already know about them, but what the heck, I'm going to list some anyway in alphabetical order:

SANS' last webcast was a very good overview of what can be accomplished with memory forensics. Also Talk Forensics and PaulDotCom recently had two great podcasts with Harlan Carvey - the man of Windows Forensics. Exotic Liability is a fairly new security podcast that is as extremely interesting and entertaining. The nice thing about most of these podcasts is that you can ask questions in real time by online chat or by calling in to the show.

Forums / Listserves

Well, there are a ton of different forums/listserves for various things. Here is a short list:

Blogs

There are just too, too many to list. So, I'll tell you what I'll do... I'll give you my (edited) Google Feeds xml file if you are interested in finding more blogs. If you use Google Reader you can just import the file. I've tried to split things up into 3 categories: Forensics, Technical Law and Security. Some things overlap. Don't be offended if you own one of these blogs and aren't "listed correctly." One thing I like about using Google Reader is the ability to search over the blog posts. There are lots of times I remember reading something, but can't quite remember where I found it... this helps.

Twitter

Lots of computer forensics and security professionals can be found on Twitter. I've enjoyed my time on twitter talking with everyone there. Since I'm afraid to leave anyone out, I'll abstain from listing anyone at this point, but most of the people discussed above are on twitter and if you just search for security or forensics you'll end up finding a few more. Also a lot of people who maintain blogs also post links to their twitter profiles. Now of course, there is always the chance that someone could be "disinformational" either on purpose or not (Didier Stevens is not by the way ;-)) but more than likely you will learn a lot from people and will keep up with current events.

In spite of some of the bad things that have happened on LinkedIn in the past, it is a very helpful tool for networking and gaining information. In addition to establishing contacts with others who are in your field, you can also join groups for your interests. There are several computer forensics and security groups on LinkedIn that are very "happening" as far as member participation. Joining is easy. Some groups may have criteria about who may join, but you can search for groups by subject and decide which ones fit your interests.

Well, that's enough for now... I'm going back to hang out on #volatility on irc.freenode.net ;-)

Briefly: CEIC 2009

2009-04-20T19:34:00.004-04:00

I will attend and present at the CEIC conference in Orlando, FL. The agenda is available online and it looks like there will be a lot of interesting talks/labs to see and participate in. It should be fun.

Briefly: IWCMC 2009

2009-03-30T22:30:00.004-04:00

Jarek, Prof Bilal Khan (BK) and my paper on Permeate was accepted at IWCMC 2009 Computer and Network Security Symposium. The final paper will be available at the Permeate site after some final editing.

Shouts to Jarek and BK!

Briefly: vol2html update

2009-03-10T18:34:00.001-04:00

I have added a very small update to vol2html. Other than fixing some typos and cleaning up the code a little bit, I have added more information about DLL files.

Like the last update you can now see information about what processes have the same dll open.

There will be more... however, I think that it might be better to write a module for Volatility at this time...

Here are vol2html.pl and a new html report.

Let me know if you find any bugs :-)

The venus website is down so if you need to download vol2html you can get it from the new Google code page

PyFlag installation on CentOS 5.2 (updated)

2009-03-05T05:04:00.006-05:00

Earlier I wrote about installing Pyflag on Fedora 8. This time, I decided to go for the CentOS install.

First off, this tutorial is not for the faint of heart and as always I take no responsibility if things go wrong on your end.

I got tired of trying to get darcs installed on my CentOS box and instead downloaded the PyFlag tarball. The first thing you will have to do is update Python on your box - I installed 2.6.1 by source.

You must also install all packages mentioned earlier including MySQL for Python and Sleuthkit:

# yum install python-dateutil clamav clamav-server \
mysql mysql-devel mysql-server file-devel python-expect \
zlib zlib-devel openssl python-imaging

You may have a problem when you install MySQL for Python, however, when it tries to download the setuptools-*.egg file. If you have Python version 2.6 installed you need the following egg file:

setuptools-0.6c9-py2.6.egg.

You can download this into your MySQL-python-1.2.2 directory and change the name to setuptools-0.6c5-py2.6.egg or you can muck around with the ez_setup.py file. However you want to do it.

# python2.6 setup.py build
# python2.6 setup.py install

Now, if you have Python 2.6 installed in addition to your default Python installation, you'll have to copy over some libraries to the new location e.g.

# cp -R /usr/lib/python2.4/site-packages/pexpect.py* \
/usr/local/lib/python2.6/site-packages/

# cp -R /usr/lib/python2.4/site-packages/PIL \
/usr/local/lib/python2.6/site-packages/

# cp -R /usr/lib/python2.4/site-packages/python-dateutil \
/usr/local/lib/python2.6/site-packages/

# cp /usr/lib/python2.4/pyexpect.py* \
/usr/local/lib/python2.6/

At this point you should be set to begin PyFlag installation.

# ./configure
# make install

At that point you are set to run PyFlag. Don't forget to set up MySQL:

# /sbin/chkconfig mysqld on
# /sbin/service mysqld start
# mysqladmin -u root password 'new-passwd'

You must use quotes around the new-passwd you choose, and don't forget what it is!

Then start PyFlag by typing "pyflag" (without quotes) at the commandline.

By default PyFlag listens on port 8000. So simply open your browser and go to http://127.0.0.1:8000 You can modify settings at this point:

You will then have to initialize the database:

After which you will see a success message:

Now you are ready to start a new case, which you can do under case management.

Give the case a name:

and then you will see confirmation that your case is created:

Now you can load your evidence. In this case, I am loading a USB image. Type 0 (zero) for the offset and give your evidence some unique name you'll remember and press submit.

If things work out, you will Sleuthkit will identify the file system type in a mount point (this could be anything, I'm using /usb but it could be D: or whatever):

You will then see the uploading dialog.

Note: DO NOT BE IMPATIENT! Let it finish uploading. You will notice that it will refresh every now and then as it uploads more from the filesystem. It will then redirect to the analysis screen. You can now browse the filesystem:

Briefly: IDA Pro on CentOS 5.2

2009-02-25T12:35:00.011-05:00

This is almost a non-post, but who knows, it might be useful to someone... So today I while installing Ida Pro on CentOS, I hit a small snafu. Everything went well for key extraction: here's a nice tutorial for that. However after I retrieved the key, I placed it according to the README file in the $HOME/.idapro directory.

However, when running it I was faced with the following problem:

$ ./idal
./idal: error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory

I noticed that my library was incompatible since it was libstdc++.so.6. Luckily, there are ``compat'' packages that contain these older libraries. You can install them with yum:

# yum install -y compat-libstdc++-33.i386

At this point, IDA Pro starts up nicely:

Some Brief BH DC Afterthoughts

2009-02-22T14:37:00.006-05:00

Though it's almost too late for this, I thought I would write briefly on BH DC. I had a blast while I was there and there were some very interesting talks. In case you are interested in the content of these talks, slides, papers, demos and videos are being uploaded to this site:

https://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html

The talks I liked the most were:

Let Your Mach-0 Fly by Vincenzo Iozzo

This talk describes how to replace a running process in memory with another by unmapping the current process, replacing the header and enveloping the old process with the new process. It was really cool to see the demos, but if you watch the video (if it is uploaded), you will see he has trouble with the safari example. I didn't have time to confirm my suspicions, but I thought this is because he didn't supply the entire path to the desired executable. I came to him after the talk to ask about this, but things were so rushed at the end that I didn't get a chance to ask. I emailed him and he replied: ``I found the problem, I forgot to patch a known bug before my talk,'' so he seems to have found the problem. The code for this one is available online.

New Techniques for Defeating SSL/TLS by Moxie Marlinspike

I wasn't completely sure at first that this was going to be an interesting talk, but it turned out very nice. The title is misleading in that it wasn't really about SSL in general but about https specifically. He has a tool that can MITM connections by
stripping out references to https to http. While that is not as interesting, the more interesting part comes into play with the creation and usage of fake certificates to make things "secure". It was also funny how he used the favicon feature to make give a positive indicator by switching it with a padlock. I'm not sure how effective it would be against items like Yahoo!'s sign in seal (among others), but there are other interesting possibilities. The code for his presentation is also available online. (updated link)

Attacking Intel(R) Trusted Execution Technology by Joanna Rutkowska
and Rafal Wojtczuk

This was an awesome talk. It was a pleasure to see this team of famous researchers talk about the intense of TXT and how they could exploit it. The video for this one is up, it would definitely be worthwhile to watch it. The video for this one is available online. Joanna has also posted the videos from the slides here:
http://theinvisiblethings.blogspot.com/2009/02/attacking-intel-txt-paper-and-slides.html

Defending Against BGP Man-In-the-Middle Attacks by Earl Zmijewski

This was another awesome talk! I didn't know the fine details about routers before the talk, but the MITM attack is quite simple. It was also very interesting to see how they came to a solution for detecting these attacks. It was also interesting that there after they had refined their detection algorithm they only found three instances of the attack "in the wild", all of which could be explained. Another must read/watch I think, and Earl is entertaining :-)

Blackhat DC

2009-02-16T20:58:00.004-05:00

Looks like I'll be attending Blackhat DC this week. Should be fun. Not sure if I want to do the picks thing... but there are some interesting talks scheduled.

I will probably be sticking mainly to Track 2 talks, (with some exceptions) however...

PTK on CentOS 5.2

2009-02-02T21:27:00.013-05:00

Having some spare time over the weekend caused me to attempt an installation of PTK on my spare CentOS box. I've succeeded in getting it to run under Fedora, so I had a little bit of an idea of what I was getting myself into...

Before you get started, make sure you have the following packages installed:

mysql
mysql-server
php
php-mysql
php-mbstring
httpd
Sleuthkit

If you need EWF or AFF support you can install them from:

libewf
afflib

After installing everything, you need to initialize MySQL (as root):

# /sbin/chkconfig mysqld on
# /sbin/service mysqld start
# mysqladmin -u root password 'new-passwd'

You must use quotes around the new-passwd you choose, and don't forget what it is!

You must also start the http server(as root):

# /sbin/service httpd start

Now you are ready to download and install PTK from sourceforge. I downloaded version 1.0.5.

In order to install PTK, extract the tarball in your webserver directory as root:

# cd /var/www/html
# ls
ptk-1.0.5.tar.gz

# tar -xzf ptk-1.0.5.tar.gz
# chown -R apache.apache ptk

The last command above makes sure that all files are owned by the webserver user.

Now we have address a problem that still exists regarding the installation script. Go inside the ptk folder. At this point, you should see the install.php script. If you have Sleuthkit installed in /usr/local/bin the install script will not work as expected because this is not in its path. You can find out where it is installed by typing which plus one of the Sleuthkit commands e.g.:

$ which istat

If the path returned is /usr/local/bin then you can modify the install.php file by changing entries like:

$istat = shell_exec("which istat");

$istat = shell_exec('export PATH="/usr/bin:/usr/local/bin"; which istat');

and so on...

If all goes well, you will get to the options screen, which should look something like the following:

Fill everything out as you like (including distro) and press next. Now, when I installed PTK under Fedora, everything was ready to go at this point. With CentOS, it was another story. For some reason, things did not get updated with the extra configure scripts.

So, you have to manually add the locations for your Sleuthkit executables in the following files:

config/conf.php
config/conf.pl

where config is the folder within the ptk folder [/var/www/html/ptk/config]. If you open up conf.pl it may look like:

installdir => '/var/www/html/ptk/',
md5_bin => '/usr/bin/md5sum',
sha1_bin => '/usr/bin/sha1sum',
fsstat_bin => '',
mmls_bin => '',
fls_bin => '',
istat_bin => '',
[snip]

Notice that there are some blank entries. Therefore you will have to enter the correct path for those executables.

All right, so I'm not going to make you do it... :-) Here are the modified files for my CentOS box. Just make sure you put then in the right places, and you might have to chown them as well.

Enjoy! and hope this helps someone out there...

Hash of a CD

2009-01-28T05:20:00.008-05:00

Recently I had to see if two CDs were identical. I had the hash value of the iso for the desired content so I decided to check the hash for both CDs. There is really not that much to this post, but just in case someone ever needs to know how to do this I'll give you the command line how-to.

In my case, md5sum /dev/cdrom did not work. Now there is no reason to copy the CD to an iso file in order to do this. You can just use dd and pipe the output into md5sum or sha1sum.

I found that just doing a straight dd without extra options did not work. So you should use isoinfo to get the logical block size and the volume size to feed to dd (bs="Logical block size" and count="Volume size"). I decided to put this all into a bash script you can find here. The code is shown below:

INFO=`isoinfo -d -i /dev/cdrom \
|awk '{ if ($1 ~ /Volume/ && $2 ~ /size/ ) print $4; \
else if ($1 ~ /Logical/ && $2 ~ /block/ && $3 ~ /size/) \
print $5 endif }'`

INFO=($INFO)

echo "Logical block size: ${INFO[0]}"
echo "Volume size: ${INFO[1]}"
echo "Now executing: "
echo "dd if=/dev/cdrom bs=${INFO[0]} count=${INFO[1]} conv=notrunc,noerror,sync | md5sum"

dd if=/dev/cdrom bs=${INFO[0]} count=${INFO[1]} \
conv=notrunc,noerror,sync | md5sum

It's not the most beautiful solution, but there it is. This uses md5, for other hashes just modify the script as needed. Also if your CD device is not /dev/cdrom modify that as well.

Practitioner's Guide to Capturing and Analysis of RAM

2009-01-15T21:47:00.004-05:00

This is a late post, but I've been busy... I learned about this video from Moyix on the Volatility irc channel (#volatility on freenode). It's nice that people like vol2html. It encourages me to add more to it...

There's more info here if you are interested. I'm glad to see that memory analysis is getting more visibility. Cool stuff! Enjoy!

Dale Beauchamp - DojoSec January 2009 from Marcus Carey on Vimeo.

vol2html.pl update

2009-01-11T13:24:00.013-05:00

I made a small update to vol2html.pl. Since there are a lot of html files being generated, I thought it might be nice to allow the user to specify an output directory. So there is an extra (optional) option:

-D <output_dir>

if you want to print all html files to the another directory. If the directory does not exist, it is created. The script currently does not check if files exist in this directory and will clobber any files with the same name.

I have also added some more information about the open files. You can now see all processes that have the same open files and how many times each process has a file open. To do this, click on the process of interest and click open files. Each file name is linked to a report, which contain a list of all processes (by pid) that have the file open and how many times that process has the file open. There is a link to each pid as well.

Also new there is a link to the index.html file at the end of each report.

Since my website is down for now, you can get the updated script here. (updated 1/11/09 and moved from google code which was messing up some things)

Hopefully this is helpful.

Another update: Here's a second report to look at.

The venus website is down so if you need to download vol2html you can get it from the new Google code page

Still more to come....

OT: Twitter

2009-01-06T19:46:00.003-05:00

So I finally broke down and created a Twitter account recently. It started when I began watching a few people on Twitter. They often had very interesting Tweets related to my interests. After a while I realized that it would be easier to keep up with these Tweets by following these people with my own Twitter account.

Now, the reason I haven't had one up to this point was mostly because I was afraid of the privacy issues. While teaching undergraduate classes I have often been asked if I have a Facebook, Myspace, Twitter (or whatever) account so that students could ``befriend'' me. Till now I have abstained from these types of accounts mostly to avoid these types of student/teacher online friendships. Not that I dislike my students (I don't), but I just figured it might get uncomfortable at some point.

I am wondering if others have struggled with this issue. I know there are some people on Twitter who teach classes like me...

I have made my Tweets private for now to make sure that I know who is following me (but can you ever *really* know?). I know this is probably not the most favorable setup, but it makes me feel somewhat better that my inconsequential Tweets are not just openly exposed to everyone.

The people on Twitter are cool and information they give rocks. So far I am really enjoying it :-)

VMWare Workstation machine to VMWare Server

2008-12-09T21:43:00.005-05:00

Recently I received a VMWare image to work on. I had installed VMware Server 1.0.8 on my CentOS 5.2 laptop because 2.0 is just painful. Unfortunately the image had been created with a newer version of Workstation rendering it incompatible with my install. I found the VMware converter, but it wasn't much help since I'm on a Linux machine.

I created a new default machine using VMware Server with the basic settings matching that of the target machine, copied the resulting .vmx file into the folder of the target machine. (I could have just modified the original .vmx file, but just decided to start over cleanly.)

So now the vmware machine tries to boot, but fails with the following message:

One or more of your disk files were created by a more recent version of VMware software and are not supported by this version of VMware Server.

Then I modified the vmdk descriptor file from:

ddb.virtualHWVersion = "7"

ddb.virtualHWVersion = "4"

Worked like a charm :-)

I don't know if this will work in every case, but it might be helpful to someone.

Vol2html Perl Script

2008-11-24T15:37:00.012-05:00

During my forensics class I started thinking of a way to make it easier for my students to sort through the output of Volatility and starting writing a little perl script to create an html report of running processes, open files and dlls.

This is not finished as there is more information that I would like to correlate from the output of Volatility. But if you are somewhat curious, this is what I have so far: vol2html.pl. You can see an example report here. The output files for this report and the perl script are bundled together here. There is minimal error checking.

To use, first redirect the output of Volatility for pslist, dlllist and files to text files:

./volatility pslist -f mem.dd > pslist.txt
./volatility files -f mem.dd >files.txt
./volatility dlllist -f mem.dd >dlllist.txt

Then feed the perl script these files:

./vol2html.pl -pslist pslist.txt \
-files files.txt -dlllist dlllist.txt

There is more coming...

The venus website is down so if you need to download vol2html you can get it from the new Google code page

Permeate MITM

2008-11-16T22:40:00.003-05:00

It's been a long while. For that I apologize... I guess I'm not a very good blogger when the semester is in full stride. Anyway, there's a new code release for Permeate, this time with the MITM detection built in. A paper we recently submitted to ICC 09 is available there as well. Shouts to Jarek and BK :-)

Enjoy!

PTK 0.2 Patch

2008-10-23T19:35:00.004-04:00

In case you missed it, I've created a patch for PTK. You can find it here. This fixes the path issue for those who have Sleuthkit installed in /usr/local/bin. PTK 1.0 will be released soon and this will no longer be an issue.

PolyTech forensics challenge

2008-10-10T08:38:00.009-04:00

Yay! Another former student, Fausto Dutan, is in the finals (one got third place last year). There's also a MS student from John Jay - Richard Alcalde. Go CUNY :-) Good luck to all of the finalists.

Edit 10/17: Richard Alcalde got 1st place! Congrats Richard :-)

/proc/kcore part II

2008-09-22T20:37:00.010-04:00

It will take me a few posts to go through the kcore file... The last kcore post dealt only with ELF headers of the kcore file. After the ELF header ends, there are 3 program headers:

From elf.h we see that the structure of a program header is:

typedef struct
{
Elf32_Word p_type; /* Segment type */
Elf32_Off p_offset; /* Segment file offset */
Elf32_Addr p_vaddr; /* Segment virtual address */
Elf32_Addr p_paddr; /* Segment physical address */
Elf32_Word p_filesz; /* Segment size in file */
Elf32_Word p_memsz; /* Segment size in memory */
Elf32_Word p_flags; /* Segment flags */
Elf32_Word p_align; /* Segment alignment */
} Elf32_Phdr;

A look at the first program header below:

0000030: 0000 0000 0400 0000 9400 0000 0000 0000 ................
0000040: 0000 0000 d807 0000 0000 0000 0000 0000 ................
0000050: 0000 0000

The first program header is of type PT_NOTE (Auxiliary info) which has a value of 0x4
We can see that the offset is 0x94
The filesize has a value of 0x7d8

All other parts of the struct are set to 0x0

A look at the second program header below:

0000050: 0000 0000 0100 0000 0010 8038 0000 80f8 ...........8....
0000060: 0000 0000 00e0 ff06 00e0 ff06 0700 0000 ................
0000070: 0010 0000

The type is of type PT_LOAD 0x1 (loadable program segment)
The offset is 0x38801000
vaddr is 0xf8800000 (vmalloc)
filesz and memsz are both 0x6ffe000
flags are 0x7 (PF_R | PF_W | PF_X)
page alignment is 0x1000 (size of a page - 4096)

The other remaining part of the structure (p_paddr) is 0x0

The third program header looks like:

0000070: 0010 0000 0100 0000 0010 0000 0000 00c0 ................
0000080: 0000 0000 0000 0038 0000 0038 0700 0000 .......8...8....
0000090: 0010 0000

The type is of type PT_LOAD 0x1 (loadable program segment)
The offset is 0x1000 (size of a page - 4096)
vaddr is 0xc0000000 (start of lowmem)
filesz and memsz are both 0x38000000 (size of (kcore-4096))
flags are 0x7 (PF_R | PF_W | PF_X)
page alignment is 0x1000 (size of a page - 4096)

The other remaining part of the structure (p_paddr) is 0x0

From my messages file to compare:

Sep 15 12:28:57 kanga kernel:
Memory: 2060724k/2087616k available
(2252k kernel code, 25548k reserved, 1182k data, 284k init, 1170112k highmem)
Sep 15 12:28:57 kanga kernel: virtual kernel memory layout:
Sep 15 12:28:57 kanga kernel: fixmap : 0xffc53000 - 0xfffff000 (3760 kB)
Sep 15 12:28:57 kanga kernel: pkmap : 0xff400000 - 0xff800000 (4096 kB)
Sep 15 12:28:57 kanga kernel: vmalloc : 0xf8800000 - 0xff3fe000 ( 107 MB)
Sep 15 12:28:57 kanga kernel: lowmem : 0xc0000000 - 0xf8000000 ( 896 MB)
Sep 15 12:28:57 kanga kernel: .init : 0xc0761000 - 0xc07a8000 ( 284 kB)
Sep 15 12:28:57 kanga kernel: .data : 0xc063337f - 0xc075ab88 (1182 kB)
Sep 15 12:28:57 kanga kernel: .text : 0xc0400000 - 0xc063337f (2252 kB)

Notes

The next three sections will use this structure:

struct memelfnote
{
        const char *name;
        int type;
        unsigned int datasz;
        void *data;
};

Looking at the first note (only the interesting part, the rest is zeroed out):

0000090: 0010 0000 0500 0000 9000 0000 0100 0000 ................
00000a0: 434f 5245

In this case the items shown are not in the same order of the struct. This is because they have been placed in a slightly different order.

First we have the size of the name: 0x5 (strlen(CORE)+1)
Then the data size: 0x90 (size of elf_prstatus struct)
Then the type: 0x1 (NT_PRSTATUS)
Then the name itself: CORE
And finally the data, which has been zeroed out (not shown).

The next note looks like the following:

0500 0000 7c00 0000 ............|...
0000140: 0300 0000 434f 5245 0000 0000 0052 0000 ....CORE.....R..
0000150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000160: 0000 0000 0000 0000 766d 6c69 6e75 7800 ........vmlinux.
0000170: 0000 0000 0000 0000 726f 2072 6f6f 743d ........ro root=
0000180: 2f64 6576 2f56 6f6c 4772 6f75 7030 302f /dev/VolGroup00/
0000190: 4c6f 6756 6f6c 3030 2072 6867 6220 7175 LogVol00 rhgb qu
00001a0: 6965 7400 0000 0000 0000 0000 0000 0000 iet.............
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001c0: 0000 0000 0000 0000

First we have the size of the name: 0x5 (strlen(CORE)+1)
Then the data size: 0x7c (sizeof(struct elf_prpsinfo))
Then the type: 0x3 (NT_PRPSINFO )
Then the name itself: CORE
And finally the data, which uses the elf_prpsinfo structure:

struct elf_prpsinfo
{
       char    pr_state;       /* numeric process state */
       char    pr_sname;       /* char for pr_state */
       char    pr_zomb;        /* zombie */
       char    pr_nice;        /* nice val */
       unsigned long pr_flag;  /* flags */
       __kernel_uid_t  pr_uid;
       __kernel_gid_t  pr_gid;
       pid_t   pr_pid, pr_ppid, pr_pgrp, pr_sid;
       /* Lots missing */
       char    pr_fname[16];   /* filename of executable */
       char    pr_psargs[ELF_PRARGSZ]; /* initial part of arg list */
};

The data consists of:
pr_state 0x0
pr_sname 0x52 (R)
pr_zomb 0x0
Executable file name (pr_fname) "vmlinux"
Saved command line (pr_psargs) up to 80 characters
ro root=/dev/VolGroup00/LogVol00 rhgb quiet

The rest is zeroed out from a memset command

The third note denotes information about the current task. Here is part of it:

0500 0000 9006 0000 ................
00001d0: 0400 0000 434f 5245 0000 0000 0000 0000 ....CORE........
00001e0: 0020 b2f0 0200 0000 0021 4000 ffff ffff . .......!@.....
00001f0: 7800 0000 7800 0000 7800 0000 b086 8af0 x...x...x.......
0000200: b086 8af0 4072 63c0 0004 0000 0000 4000 ....@rc.......@.
0000210: 0100 0000 0000 0000 0000 0000 0100 0000 ................
0000220: 494c 6a33 c10a 0000 2fd2 1d00 0000 0000 ILj3..../.......
0000230: 85b4 abc6 0c01 0000 6134 0c00 0000 0000 ........a4......
0000240: 0000 0000 0000 0000 5669 0d00 0000 0000

First we have the size of the name: 0x5 (strlen(CORE)+1)
Then the data size: 0x690 (sizeof(struct task_struct) found in linux/sched.h)
Then the type: 0x4 (NT_TASKSTRUCT )
Then the name itself: CORE
And finally the data, which consists of `current' which is the current thread (not shown above).

Now we must dissect task_struct info, which we'll do a bit later...

Visual Forensic Analysis

2008-09-18T23:32:00.007-04:00

There's an interesting talk coming up at John Jay College:

The Center for Cybercrime Studies
The John Jay College of Criminal Justice
Presents

Visual Forensic Analysis

Speaker: Greg Conti

Computer Science Department
United States Military Academy

For decades hex was the common tongue of reverse engineers and forensic analysts, but we can do better. Hex editors are the Swiss Army knives of low level analysis and have evolved significantly, but are now at a local maximum. With the tiny textual window hex provides, it is difficult, if not impossible to understand the big picture context and inner workings of binary objects - files, file systems, process memory, and network traffic. While there are helpful tools to analyze the special case of executable files, little work exists to help address the general case of all types of binary objects. This talk presents visual approaches to improve the art and science of forensic analysis, diffing, and reverse engineering, both in the context independent case where little is known about the raw structure of the binary data and at the semantic level where external knowledge can be used to inform analysis. If you are faced with low level analysis tasks, you should attend this talk.

Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization (No Starch Press) and the forthcoming Googling Security (Addison-Wesley). His work can be found at www.gregconti.com and www.rumint.org.

 
Date:        September 24, 2008
Time:        3:30 PM
Location:    Mathematics Conference Room - 4238N
             445 West 59th Street, New York City 10019

PyFlag on Windows

2008-09-12T17:34:00.003-04:00

PyFlag is now available on Windows. I haven't had a chance to try it on Windows, but I will soon and then I'll report on it.

I've used it on Linux however, and it's really nice :-)

It's been a while...

2008-09-09T22:59:00.006-04:00

Well, it's been a while since I've written anything. This is just a brief update for those who care... I've been busy and I switched locations for the semester. I'm not going to go over everything that's happened since my last post, but I'm teaching at John Jay College this semester instead of Queens College. It's still CUNY :-) and everything is still cool.

Oh, our paper was accepted :-) (this is not the final copy, but you get the gist) Edit: The schedule is up now.

What's next?

ELF headers: executable vs /proc/kcore

2008-08-14T16:46:00.016-04:00

This is for 32bit

According to elf.h:

#define EI_NIDENT (16)

typedef struct
{
unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
Elf32_Half e_type; /* Object file type */
Elf32_Half e_machine; /* Architecture */
Elf32_Word e_version; /* Object file version */
Elf32_Addr e_entry; /* Entry point virtual address */
Elf32_Off e_phoff; /* Program header table file offset */
Elf32_Off e_shoff; /* Section header table file offset */
Elf32_Word e_flags; /* Processor-specific flags */
Elf32_Half e_ehsize; /* ELF header size in bytes */
Elf32_Half e_phentsize; /* Program header table entry size */
Elf32_Half e_phnum; /* Program header table entry count */
Elf32_Half e_shentsize; /* Section header table entry size */
Elf32_Half e_shnum; /* Section header table entry count */
Elf32_Half e_shstrndx; /* Section header string table index */
} Elf32_Ehdr;

Sizes for ELF32_* (in bytes):

Word: 4
Half: 2
Off: 4
Addr: 4

Looking at a regular binary like ls for example:

$ dd if=/bin/ls bs=52 count=1|xxd
1+0 records in
1+0 records out
52 bytes (52 B) copied, 3.6108e-05 s, 1.4 MB/s
0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000 .ELF............
0000010: 0200 0300 0100 0000 0099 0408 3400 0000 ............4...
0000020: ec7f 0100 0000 0000 3400 2000 0800 2800 ........4. ...(.
0000030: 2000 1f00 ...

I'm using the ELF manual to analyze this.

The first line (16 bytes) is the (e_ident) value which consists of:

The ``magic'' value for the first four characters - 7f45 4c46
The file class (EI_CLASS) - 0x1 (ELF32CLASS)
Data encoding (EI_DATA) - 0x1 (ELFDATA2LSB) little endian
File version (EI_VERSION) - 0x1 current
Start of padded bytes (EI_PAD)

On the second line (e_type) 0x2 tells us it is an executable file
(e_machine) value 0x3 tells us that this was compiled on Intel Architecture
(e_version) value 0x1 tells us it is current
(e_entry) virtual address to which to control is given is 0x8049900
(e_phoff) Program headers start at offset 0x34

On the third line 0x17fec is the section header offset (e_shoff)
(e_flags) value 0x0 tells us that no flags are set
(e_ehsize) value of 0x34 tells that the header is of size 52 bytes decimal
(e_phentsize) value of 0x20 tells that one entry in the program header table size is 32 bytes
(e_phnum) value of 0x8 tells us the number of entries in the program header table is 8
(e_shentsize) value of 0x28 tells us the size of one entry in the section header table is 40 bytes

On the fourth line
(e_shnum) value of 0x20 tells us that number of entries in the section header table is 32
(e_shstrndx) value of 0x1f holds the section header table index of the entry associated with the section name string table

So what does /proc/kcore look like?

# dd if=/proc/kcore bs=52 count=1|xxd
1+0 records in
1+0 records out
52 bytes (52 B) copied, 3.9321e-05 s, 1.3 MB/s
0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000 .ELF............
0000010: 0400 0300 0100 0000 0000 0000 3400 0000 ............4...
0000020: 0000 0000 0000 0000 3400 2000 0300 0000 ........4. .....
0000030: 0000 0000 ....

The first line is the same as above.

The second line:

(e_type) 0x4 tells us it is a core file (ET_CORE) *
(e_machine) value 0x3 tells us that this was compiled on Intel Architecture
(e_version) value 0x1 tells us it is current
(e_entry) virtual address to which to control is given is 0x0
(e_phoff) program headers start at offset 0x34

* this is useful to know if we are dealing with a core file...

In the third line:

(e_shoff) value is 0x0 letting us know there is no section header offset
(e_flags) value 0x0 tells us that no flags are set
(e_ehsize) value of 0x34 tells that the elf header is of size 52 bytes decimal
(e_phentsize) value of 0x20 tells that one entry in the program header table size is 32 bytes
(e_phnum) value of 0x3 tells us the number of entries in the program header table is 3
(e_shentsize) value of 0x0 tells us that there is no section header

The fourth line values are all 0x0

To make your life easier here is a C program that will extract all of that information for you :-) You must be root to run it.

Note: I know I could have done this a bit more elegantly, but decided against that...

Network Distance Script

2008-08-11T19:08:00.003-04:00

I have decided to release some more code. I'm not claiming any of this is good, but it has served a purpose either personally or in the classroom at some point. The last item added is a distance perl script to measure Levenshtein distance of two pcap files.

I wrote this for some experiments with malware some time back. I figured I should share it in case it is of use to someone before I misplace it :-) More details are included in the script itself.

Cuil Not So Cool

2008-07-29T09:32:00.017-04:00

So after reading about the new search engine called Cuil, I couldn't wait to try it out. I didn't realize it had gone live until after reading about how much it failed. Most people complained about not being able to pronounce ``Cuil'' in spite of lots of publicity that it is pronounced ``Cool'' so maybe some people didn't bother to read. There were also disputes about what, if anything, Cuil returned during searching. So I decided to give it a try myself.

I decided to search for penguin. According to the right hand side of Cuil, there are 66,229,028 results for penguin.

First of all, the website design is really nice. I know that doesn't matter as much, but I had to say that :-) I also like the columns, the short snippets and the pictures to the side. I have to agree with Cuil that showing a picture can help the user determine relevance (FAQ #7).

There's even some tabs and a pull down menu across the top of the search to help narrow down your interest, such as ``Penguin Books'', ``Penguin Classics'', ``Penguin Putnam'', ``Linux Penguin'' etc.. Ok, that's nice.

Now for the vanity searches. First off, I'm not some conceited schmuck who likes to google herself all the time, but I know what should pop up when my name is entered. Here it goes: there are 3,619,749 results for the search term ``jamie levy'' (without quotes).

Ok, so something of mine is not on the first page like on Google. Big deal. There's something of mine on the second page:

It's a tutorial of mine. It's kind of old, and it's kind of buried in my site... I thought I would at least see the index of my site if anything... Also, I'm not really sure what that picture is next to my page. I know I didn't put it there.

Ok, on the third page I see the same tutorial above as well as another OLD tuturial of mine that I forgot to take offline after I rewrote it. So that's bizarre, why would the first resulting tutorial repeat to the second page? What is that picture next to it? How did they find the old Unix tutorial?:

This seems to be a pattern, however as I found more repeats of these results and finally my index page on the fourth page of results. However, there is finally a correct picture next to the wireshark tutorial:

After looking just little bit more I found another old course page of mine, which repeats as well:

Ok, so what happens if I decide to narrow down my search and look for myself at the place where I work? Cuil only shows four results (though it claims there are 43,752 results), three of which we have already seen above. Look next to the Unix tutorial, do you find anything curious there? I did:

Who is that man in the picture? He's so mysterious.... I know I didn't put him there! Here's a closeup:

Bizarre is all I can say... Does his picture seem relevant to Unix? I wouldn't think so... but it seems like some of these pictures are just random. Also the stuff that Cuil pulls up seems as if it's from some older snapshot. I haven't quite figured it out.

Well, I won't bore you with details of other people I ``Cuil''ed, but I thought it was interesting that I couldn't find my past adviser at all when there are 815,000 pages in Google related to his name.

I guess he isn't ``Cuil'' enough... :-)

The Last Hope (afterwards)

2008-07-21T18:22:00.013-04:00

Man, The Last Hope was a blast. I'm still trying to get over it ending...

I went with my good friend Matthew. I saw several talks of interest. The first talk I went to was ``Botnet Research, Mitigation and the Law.'' It was really interesting to hear from a lawyer as to what can and cannot be done when investigating these botnets. I have to find his email, however, because there were some more questions I wanted to ask him about this.

The next talk I went to was Kevin Williams Death Star Threat Modeling talk. It was really good and really funny. It was funny to see security models explained in a Star Wars way...

I really enjoyed the presentation by Lady Ada and pt. It was really interesting to see all of the things they could do with hardware. I was inspired :-) It was funny that they had their phone jammer there to block cell calls during the talk. I was kinda surprised how many cell phones went off during talks prior to that.

I also saw the ``Hacking Cool Things with Microcontrollers'' talk by Mitch Altman. It was interesting. He seems like an interesting guy with his cool colored hair :-) I liked his TV-be-gone product.

After a nice break, Matthew and I went to see the Cold Boot Memory Forensics talk. During the talk, the crowd was informed that some code was released as well. This was a very interesting talk. I'll have more to say on this one later...

The last talk I went to the first night was the Hacking FOIA talk. I missed some good talks that night, but there was not much I could do. I just couldn't stay.

Alright, I'm not going to list all of the other talks I went to, but a few. As for the pics, forgive me, I didn't have my usual camera with me so these didn't turn out as well...

The Steven Levy talk was quite funny. I liked the part where he talked about interviewing Steve Jobs.

Steven Rambam's talk was LONG... 3 hours scheduled... and it went into overtime with the questions... and a lot of it was already covered in his other talk. Still, I had a good time. There's something about his assertiveness that I can't help but appreciate.

I got to meet some interesting people like Bernie S:

and Emmanuel Goldstein:

(who looks as if he's plotting things here...)

I must say, I really enjoyed the social engineering panel. It was really funny, and useful to prove just how much information you can get and how some people are a little too trusting. Maybe that shows that some people are still basically good... I'm not sure.

Even though I had planned to stay for Kevin Mitnick's talk, it was really late and things had been pushed back by almost an hour. I just couldn't stay any longer with DH at home alone...

On the last day, I have to say that the most interesting talks I went to were the two Pen Testing talks: (Pen testing using LiveCds by Thomas Wilhelm and Pen testing using Firefox by DaKahuna and ThePrez98), Adam Savage and Postal Hacking. All but the Postal Hacking talk were packed full. (i'll write more on this later...)

Edit: You can find torrents of some of the talks here.

Linux Memory Forensics

2008-07-15T17:10:00.006-04:00

I knew something good would come out of the DFRWS forensic challenge. This is really great. I just had to say something about it :-)

I would have liked to have worked on the challenge myself, but with a full-time teaching schedule and other projects, just couldn't fit in the time. I was anxious to see what would happen this year, however.

Good job, guys :-)

PTK 0.2 Released

2008-07-14T10:23:00.009-04:00

PTK labs has released beta 0.2. Improvements include searching for strings in slackspace and a new installer. Now installation will be somewhat easier. You simply have to unzip the files into your apache owned folder (var/www/, /var/www/htdocs, /var/www/html etc). Make sure the permissions are set correctly. Open your browser and go to http://127.0.0.1/ptk/install.php You will see the installation page and can just fill it out as needed.

Edit 10/18: I've decided to add a patch to address the comment below.
Apply it as follows:

patch -b install.php install_diff.txt

Maze Generator

2008-07-11T19:19:00.002-04:00

I was looking for some files I had backed up from my old laptop when I came across a disk that contained old schoolwork. It was kind of fun looking at these projects I did as an undergraduate. So I decided to release them online. One project that was particularly fun was a maze generator using disjoint sets. It creates a graphical presentation of the maze and also prints it out to a text file of the user's choice.

I thought it might be fun for someone to play with.... but if not, no harm done.

An update can be found here

Windows DNS bug fix can impair firewalls

2008-07-09T15:33:00.001-04:00

It all started after downloading Microsoft's latest updates. Though this is a valid fix, if you running a firewall like Zonealarm you may not be able to connect to the internet after the latest update.

I found out the hard way this morning. It all started with phone calls from a couple of friends complaining about network connections. At first I thought it might just be an ISP issue, but then DH installed the latest updates on his computer. After he rebooted all connectivity was lost. I still had internet on my Linux box, so it prompted me to call some people back and find out if they had recently updated. Sure enough they had. A brief news search turned up the answer. Hope this doesn't affect too many people, but I think it will....

I don't think that you should uninstall the MS hotfix like some are saying, but you might have to use another firewall product or use a workaround to survive. Perhaps it's time to move on to something else...

The Last Hope

2008-07-09T10:05:00.000-04:00

The Last Hope (2600) is coming soon - July 18-20. It costs $75 for three days and is hosted at the Hotel Pennsylvania.

I'm excited to go. They have a lot of interesting talks this year. The Cold Boot talk should be interesting. Botnets, Law issues, Voip, baggage cams, RFIDs.... well there are just TOO many interesting things to write about here :-) I can't wait.

PTK on Fedora 8

2008-07-06T15:46:00.001-04:00

Wow, this was a painful install... ~~and I'm not even sure if it's completely over :-/ Though I haven't been able to get this working completely with all of my practice images,~~ PTK looks somewhat promising. Update: PTK works see update at the end.

Anyway, before you get started, you should make sure to install all of the packages you need:

mysql
mysql-server
php
php-mysql
php-mbstring
httpd
Sleuthkit

In addition, according to the help forums, you also need the following libraries for Sleuthkit (I must have had a previous version because I haven't had to do this before):

afflib
libewf

The following package is not *required* but can help you a lot if you are not used to command line management of mysql databases:

phpMyAdmin

With all of the above packages, just do a ``yum install''. After you start MySql and httpd you should be set. I have already gone over how to set up MySQL and will not repeat it here. If you want to make sure that everything has installed correctly, you can see the php information by created a file called info.php in the /var/log/www/html directory that contains:

<?php
phpinfo();
?>

To see the information, open a browser and go to http://127.0.0.1/info.php. Scroll down until you see the following:

Now, download the PTK sourcecode. After you extract it, you should have a folder that contains a license file, Setup file, PTK.sql file and another tarball. Make sure that the md5 hash values are correct:

$ cat md5sums.txt
76b10e2f1c8bfd25a7128e1ca4f3009a ptk-beta_0.1.tar.gz
15d83f58161f816db660c65cf12c717e PTK.sql
e7cebc317dda69f2df81856118d924f3 Setup
$ md5sum -c md5sums.txt
ptk-beta_0.1.tar.gz: OK
PTK.sql: OK
Setup: OK

I tried just using the Setup file and failed miserably. I would get the nice welcome screen, but couldn't log in to PTK. Then I tried the manual install shown in the tutorial... It also didn't work. Things were getting installed in the wrong directories, even after I had told it where to install correctly using the original Setup script. Also, the Setup script looks for files called md5 and sha1, which are called md5sum and sha1sum on my machine...

So after analyzing the Setup file, I wrote a patch and finally got PTK working which you can find here. To apply the patch type:

patch -b Setup fedora-patch.txt

This will make a backup of the Setup file in case things go awry.

Make sure that you pay attention to output of the Setup script and check to see if there are any errors. If things go well, you should see the following screens:

If everything goes ok, you should have PTK installed in your /var/www/html/ptk directory. You can start it by going to: http://127.0.0.1/ptk. You have to log in using the ``admin'' account, and hopefully you don't forget your password you used for this!

Issues All but the last issue are resolved:
I am not yet sure of the cause of all of these issues, but I thought I would list things here.

fatv images do not seem to be recognized and I am unable to browse the file system at all.
I am unable to get an initial correct hash of the image without running the browser as root
After the initial hash is taken, verification yields an incorrect hash (see pic below) and I suspect it is hashing the symbolic link and not the image itself. The top md5sum hash is correct, the second verification one is not.
If you have SELinux working, you will have to use workarounds to let this program work (which is an SELinux thing, not a PTK thing exactly)
When you search for images, you are initially directed to the /var/log/www/ptk/images folder, which is fine. If you add a disk image there, you do not see it. You have to go back 2 directories and then forward again before the disk image appears

Edit: PTK Works

As I wrote previously, I managed to get PTK installed on Fedora 8. I had a few issues with seeing the images at the end, however. It was a permissions problem. I can't believe I missed that. But it works and it seems fun. So if you are installing PTK on Fedora, follow the earlier instructions and use the patch I made and then check the permissions of the ptk folder to make sure that it is owned by apache (or whatever user you have as your webserver). If it isn't then do a recursive chown:

# chown -R apache.apache /var/www/html/ptk

I have only a couple of complaints: The folders are kind of hard to see on the left hand side, but there may be some way to remedy that. Also, I'm still having the problem of having to go back two folders and then forwards when importing an image, but I guess it's not that bad... Still, PTK has some nice options, like the gallery view, and the interface is nice. So far I like it :-)

MDD

2008-07-02T15:49:00.000-04:00

I'm finally writing about trying MDD on XP SP 3:

And Vista:

It works nicely and in the case of dumping XP memory, you can do analysis with Volatility afterwards. (Note: Make sure you are running the cmd as Admin.) Another nice feature is that it gives you an md5 hash of the memory image after it finishes dumping.

I also tried win32dd on Vista. It worked fine as well. (I forgot to take a screen shot but will get one soon). I was surprised at first because it seemed to work much faster than MDD, since it gave me the all clear and appeared to have finished. I then checked the size of the dump and it was too small, so at first I thought it had failed. Later I checked the dump and it was 2 GB as needed, so it did work, but must have finished dumping in the background.

Microsoft Office Binary File Format Documents

2008-07-02T15:39:00.000-04:00

Microsoft Office Binary File Format Documents were recently released. Should be useful to someone.

PyFlag Installation on Fedora 8

2008-06-25T18:23:00.003-04:00

So I finally decided to be brave and install PyFlag.

First you have to get the source code (more info on wiki or compile tutorial):

# yum install darcs
$ darcs get http://www.pyflag.net/pyflag

After this, you will have a folder called pyflag. If you look at the install instructions from the PyFlag site, you can see that there are several packages that must be installed before installing PyFlag. Most of these can be found in yum repos, but under different names (items in parenthesis are the debian package names):

python-dateutil
clamav
clamav-server (clamav-daemon)
mysql
mysql-devel
mysql-server
file-devel (libmagic-dev)
pexpect (python-pexpect)
python-imaging
python-mysqldb (manual install)

# yum install python-dateutil clamav clamav-server mysql mysql-devel mysql-server file-devel pexpect python-imaging

After installing all of these packages, you must initialize mysql:

# /sbin/chkconfig mysqld on
# /sbin/service mysqld start
# mysqladmin -u root password 'new-passwd'

You must use quotes around the new-passwd you choose, and don't forget what it is!

You must also setup clamav-server so it will work. Make sure you know where everything is installed, because things get funky with clamav and Fedora:

# rpm -q --filesbypkg [packagename]

Where [packagename] is replaced by the package(s) you installed. I went ahead and installed all of clamav packages just to be safe. Two files of interest are the daemon file itself and the configuration file. My locations are:

/usr/sbin/clamd
/usr/share/doc/clamav-server-0.92.1/clamd.conf

This is annoying, because when you run the clamd daemon, it says it can't find the clamd.conf file in the appropriate place: /etc/clamd.conf So you can add a symbolic link to the real location:

ln -s /usr/share/doc/clamav-server-0.92.1/clamd.conf /etc/clamd.conf

You'll have to figure out how to set up your own clamd.conf file.

Ok, at this point you are able to install PyFlag:

$ cd pyflag
$ sh autogen.sh
$ ./configure
$ make
$ su -
# make install

Make sure that you have no errors when running configure, make and make install. Now, before running PyFlag, you must set up the configuration file to point to the mysql.sock file. Fedora places the mysql.sock file in a different location than the default (/var/run/mysqld/mysqld.sock). So open up the configuration file using your favorite editor:

$ vi ~/.pyflagrc

Change the line that says:

dbunixsocket=/var/run/mysqld/mysqld.sock

dbunixsocket=/var/lib/mysql/mysql.sock

Notice that ``run'' is changed to ``lib'' and the `d' is absent from the end of mysql. You are now set.

Also make sure that PyFlag points to the clamav socket (for example):

clamav_socket=/var/run/clamd.d/clamd.sock

If everything goes well, you can then set up PyFlag:

$ pyflag

Follow the instructions on the website for setting up pyflag by going to http://127.0.0.1:8000.

There was only one other thing I changed. Since I already have a service listening on port 8000, I changed the port in the configuration file:

httpserver_port=7000

I'll have a post later after I've played around with this for a while...

Gateway GM5420 Desktop: Vista to XP

2008-06-24T16:23:00.001-04:00

I should have written this back when I converted the machine and it was still fresh. I'll write it up as best I remember now, however.

So back in November I bought a Gateway GM5420 Desktop . It came with Vista, which I was more than willing to try. It remained a Vista machine, but was barely used until May. DH hated Vista and refused to adapt. I wasn't really all that pleased either. The only thing I really liked about the machine was the ATI Video card, but even then, we don't watch that much TV to keep it around just for that... So we decided to make the machine a dual boot for Vista and XP.

There was one big problem: XP doesn't support SATA drives by default. After searching the Gateway website, it became clear that I wasn't going to find SATA drivers for XP. There were barely any drivers for XP at all. So after some investigation, I found the motherboard information:

Love Valley and Stoughton Motherboard Intel(r) MQ96510J

After some searching around on Intel's site, I found the appropriate drivers. I downloaded the Matrix Storage drivers, which resulted in the following executable:

iata82_enu.exe **

Now, I wanted to Slipstream my installation, so I had to extract the drivers from the executable:

mkdir drivers
iata82_enu.exe -a -p C:\drivers

At first I tried to Slipstream the image using the first tutorial, but things didn't work out for me as expected. I then found out about nLite, which is a nice tool that allows you to add drivers, updates and create a bootable ISO. There's information about it here and here.

So everything worked and XP was installed. I had another problem, the network drivers where not included. This was the easy part, however. The drivers for Intel Pro Network Connections Driver 11.2 are available online.

I still had Vista on the other side, however and needed to make it dual boot. This was no problem, there's a nice tutorial online that can be followed. I just used EasyBCD as mentioned in the article and comments and it worked.

** Note: When I did this, actually the only download available was a Floppy drive file. I then had to use Virtual Floppy Drive 2.1 to extract the drivers

Memory Acquisition Just Got Easier

2008-06-17T15:43:00.000-04:00

This is for those who asked me to keep this material up, for your further studies :-)

As you may remember, the traditional dd.exe method does not work on Windows 2003 sp 1 and above. Two opensource tools have been released that get past this:

Memory DD
Win32dd

For more details check out Volatility's blog.

Introduction

2008-06-16T13:57:00.000-04:00

So I've been keeping various blogs for classes and projects. Now I've decided to keep up with my own blog, so I'm starting over again. It's gonna be slow here in the next few days, since I'm on vacation, but it should pick up.