Tuesday, September 13, 2011

Volatility 2.0: Timeliner, RegistryAPI, evtlogs and more

Back in July I gave a talk at OMFW about extracting timeline data from a memory sample using the Volatility framework. Now has come the time to release the plugins that came along with that talk.

In addition to the plugins I have included a whitepaper on how these plugins were created and used. It is released more in hopes that people will see how to use the framework and be able to write their own plugins or extend existing ones.

I have included all these plugins in a zip file:


$ unzip -l timeliner_9-2011.zip
Archive: timeliner_9-2011.zip
Length Date Time Name
-------- ---- ---- ----
14455 09-28-11 14:40 volatility/plugins/timeliner.py
10789 09-27-11 09:24 volatility/plugins/evtlogs.py
147458 09-09-11 11:03 volatility/plugins/malware.py
13559 09-22-11 19:09 volatility/plugins/registryapi.py
8554 09-18-11 21:33 volatility/plugins/getsids.py
40993 09-22-11 16:29 volatility/plugins/getservicesids.py
-------- -------
235808 6 files



  • evtlogs.py: plugin to parse Evt logs from XP/2K3
  • registryapi.py: plugin for routine registry actions
  • getservicesids.py: plugin to collect and calculate service SIDs (used with the new getsids and evtlogs
  • timeliner.py: the timeline creating script that pulls everything together


MHL's malware malware plugins (malware.py) are included only for convenience. You can also download them from his repository and check there for updates.

I would like to thank MHL and AW for their valuable feedback and Bertha M for extensive testing of the timeliner plugins. The links to the paper and plugins are below:

Timeliner Release Documentation (PDF)

timeliner plugins (ZIP)

Note: Any updates to these plugins will appear in my github repository first.

13 comments:

Christiaan said...

Great job and thanks for sharing with the community

Anonymous said...

Nice work, I am not a programmer but I appreciate your hard work It should prove useful.

Thank you
Ben

Anonymous said...

I can't get the -S or -E functions to work (start and end times) using the YYYY-MM-DD format ... is this a bug?

Jamie Levy said...

@Anonymous #2:

If you are talking about this happening with the timeliner plugin, it was unintentional. I forgot to remove the options inherited from registryapi and actually didn't intend for one to be able to supply start/end times for timeliner itself. It is simple enough to add, however.

I am working on a newer version anyway, since I want to separate the registryapi functions to make it easier to inherit without having to worry about removing all of its options for the inheriting plugin. I will add the start/end capability to timeliner as well in a later release if it seems like a feature people would like.

Anonymous said...

hello,

i am receiving the following error when trying to use the timeliner plugin. have you seen this before, or do you have any suggestions? thx.

Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 135, in
main()
File "/usr/local/bin/vol.py", line 126, in main
command.execute()
File "/usr/local/src/Volatility/volatility/commands.py", line 101, in execute
func(outfd, data)
File "/usr/local/src/Volatility/volatility/plugins/timeliner.py", line 86, in render_text
for line in data:
File "/usr/local/src/Volatility/volatility/plugins/timeliner.py", line 190, in calculate
space = self.find_space(addr_space, procs, mod_base)
AttributeError: 'TimeLiner' object has no attribute 'find_space'

johnmccash said...

Jamie,
Awesome work. I really need to go back and look at Volatility more often rather than just using Memoryze. Question though. I was just digging for how to use regripper with Volatility 2.0 yesterday (which was when I happened upon this post), but it appears that there's been no update to do this since Volatility 1.4. Is there something I'm just missing? What would it take to modify the dumphive plugin to output a registry hive in hive format rather than only text? If possible without tons of work, that would solve the problem rather neatly.
thanks
John

johnmccash said...

Another quick question: Any idea why this doesn't seem to work on the current volatility svn? I get the following errors on revision 1525:

*** Failed to import volatility.plugins.evtlogs (AttributeError: 'module' object has no attribute 'LdrModules')
*** Failed to import volatility.plugins.timeliner (AttributeError: 'module' object has no attribute 'LdrModules')

Jamie Levy said...

@Anon and @johnmccash

I should have mentioned, the timeliner release in the zip file only works with the official release of Volatility 2.0. We've been pretty busy on the core code and it's changed a lot since I wrote this, so I have to make some changes to get it working with the current code base. You are seeing conflicts with the core code or changed functions in MHL's malware.py

These changes are fixable if you want to try your hand. Otherwise I'll have another update soon.

Erik said...

Hi Gleeda, I too am receiving errors when executing timeliner. I'm using timeliner with Volatility 2.0 in the SIFT Workstation 2.13. Can you provide any recommendations for resolution?


vol.py timeliner -h
Volatile Systems Volatility Framework 2.0
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 135, in
main()
File "/usr/local/bin/vol.py", line 117, in main
command = MemoryRegistry.PLUGIN_COMMANDS[module](config)
File "/usr/local/src/volatility-2.0-stable-release/volatility/plugins/timeliner.py", line 76, in __init__
dlldump.DLLDump.__init__(self, config, *args)
File "/usr/local/src/volatility-2.0-stable-release/volatility/plugins/dlldump.py", line 48, in __init__
action = 'store', type = 'int')
File "/usr/local/src/volatility-2.0-stable-release/volatility/conf.py", line 364, in add_option
self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args)
File "/usr/lib/python2.6/optparse.py", line 1020, in add_option
self._check_conflict(option)
File "/usr/lib/python2.6/optparse.py", line 995, in _check_conflict
option)
optparse.OptionConflictError: option -b/--base: conflicting option string(s): -b

Ezra Caltum said...

Hey, I did some modifications on your code so it works with trunk:

On Line 144 of timeline.py I added the following :
l=str(l)
l = l.replace("\n","")
l = l.replace("[","")
l = l.replace("]","")
l = l.replace("'","")
On Line 54 of registryapi.py I modified the Following Line:
config.add_option('START', short_option = 'Z',

Jamie Levy said...

Sorry everyone, I've been pretty busy lately. I am in the process of completely rewriting the timeliner plugin to work with our current code base. Of course feel free to update/fix yourself in the meantime. I will update when the new plugin is available. Thanks for your patience.

Unknown said...

Maybe this is some cause I'm quite a noob in this, but I'm having some headache issues due to this error:
ImportError: No module named volatility.conf .. Please do anything to get me out of thiss!

Jamie Levy said...

No worries. All of these plugins have been added to the current version of Volatility. All you have to do us download the new code:

http://code.google.com/p/volatility/downloads/list