Wednesday, February 16, 2011

Volatility 1.4

This is just an initial post about the beta availability of Volatility 1.4. I've been teaching 1.3 as part of my Advanced Live Forensics course for 18 months or so but it only supports XP SP2 and 3 RAM images. The new 1.4 version from the devs and helpers at www.volatilesystems.com have been toiling over this version for somewhile and its great to at last have a play with it.

First things first you can find proper 'how to' resources at http://code.google.com/p/volatility/ but downloads are currently limited to within svn. If this is new to you its easy enough. If you are using a Mac with Snow Leopard just open a terminal and type 'svn checkout http://volatility.googlecode.com/svn/branches/Volatility-1.4_rc1'. This will download the 1.4 version and put the Volatility files in your user root folder.

Once downloaded just 'cd Volatility-1.4_rc1'. Anyone used to the old version will see a small difference in the running of the commands. Instead of-

python volatility pslist -f [pathtoRAM]

..you have quite a different syntax. It breaks down like this-

python vol.py [plugin] --profile=[PROFILE] -f [image]

vol.py replaces the old volatility framework command
plugin is the command such as pslist, psscan2 etc
profile is completely new but a vital component of the new framework. For all RAM images except from Windows XPSP2 x86 should have the profile defined at the --profile switch. The BasicUsage document lists them as:-

PROFILES
--------
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win2K8SP1x86 - A Profile for Windows 2008 SP1 x86
Win2K8SP2x86 - A Profile for Windows 2008 SP2 x86
Win7SP0x86 - A Profile for Windows 7 SP0 x86
WinXPSP2x86 - A Profile for Windows XP SP2
WinXPSP3x86 - A Profile for windows XP SP3

So running a basic pslist against myram.dd imaged from a Windows SP3 box would look like this-

python vol.py pslist --profile WinXPSP3x86 -f myram.dd

In the previous version outputing the results to a file could be achieved by using '>' or '>>' to output to a text file etc such as -

python volatility pslist -f myram.dd >> pslist.txt

However, in 1.4 we have many more options, by adding -

--output= you can specify numerous output types if the module being invoked supports it. This includes -

--output=text
--output=html
--output=csv

To check what a module/plugin supports just check help - python vol.py pslist --h and look for the output section.

You can add -

--output-file=myoutputfile.csv to name your output file. So our previous command line could look like this -

python vol.py pslist --profile WinXPSP3x86 -f myram.dd --output=text --output-file=myfile.txt

That should get you started.

There are also some exciting new modules to play with such as bioskbd a plugin based on Andreas Schusters work. It enables the reading of input text from the BIOS area of memory which can include the BIOS password or even Full Disk Encryption passwords. Check out the link to Andreas site for more information. This plug in has apparently been around for a while but I'd completely missed it. If you do check it out take note that some RAM dumping tools dont image that area of RAM. For example if you are using Matthieu Suiches win32dd tool you need to add '-t 1' to grab page zero.

Also there are some exciting malware analysis plugins such as svcscan which can list Windows services from both usermode and kernelmode and also ldrmodules for detecting unlinked DLL's.

Anyway, thats all for now, I'll try and post more in due course once I've had a proper play.

Nick

1 comment:

thinkinginforensics said...

There is an error:

$ svn checkout http://volatility.googlecode.com/svn/branches/Volatility-1.4_rc1
svn: OPTIONS of 'http://volatility.googlecode.com/svn/branches/Volatility-1.4_rc1': could not connect to server (http://volatility.googlecode.com)