Forensic

Work on a disk dump

Prepare a VMDK (-r converts the VM's disk, -t 0 writes it as a single growable file that can be mounted or imaged elsewhere):

vmware-vdiskmanager -r /datas/vmware/projetInvestigation/vulhub/DroopyCTF/DroopyCTF-disk1.vmdk -t 0 /tmp/test.vmdk

Linux trash directory

~/.local/share/Trash/

Volatility

Important: --plugins must be the first option on the command line, e.g.:

# volatility --plugins=profiles\linux\ubuntu\x64 -f mydump.dmp linux_pslist  --info

Use the profile that matches the OS of the dump (Windows version and service pack, or Linux distribution and kernel).

There is no Linux equivalent of imageinfo: a new Linux profile has to be built on a machine running the same distribution and kernel as the target (see "Build new profile" below). For Windows, imageinfo suggests candidate profiles:

volatility_2.6_win64_standalone.exe -f mydump.dmp imageinfo

Use --cache so repeated runs against the same dump reuse the scan results instead of redoing them.

CTF tip: grep the filescan output for the user's Desktop:

volatility -f dumpRootme  --profile=Win7SP1x86_23418 filescan | grep  'Desktop'

Build a new Linux profile (on a machine with the same distribution and kernel as the target)

# apt install volatility-tools zip  build-essential linux-headers-$(uname -r)

/usr/src/volatility-tools/linux# make 
make -C //lib/modules/4.4.0-87-generic/build CONFIG_DEBUG_INFO=y M="/usr/src/volatility-tools/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-4.4.0-87-generic'
  CC [M]  /usr/src/volatility-tools/linux/module.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /usr/src/volatility-tools/linux/module.mod.o
  LD [M]  /usr/src/volatility-tools/linux/module.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.4.0-87-generic'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/4.4.0-87-generic/build M="/usr/src/volatility-tools/linux" clean
make[1]: Entering directory '/usr/src/linux-headers-4.4.0-87-generic'
  CLEAN   /usr/src/volatility-tools/linux/.tmp_versions
  CLEAN   /usr/src/volatility-tools/linux/Module.symvers
make[1]: Leaving directory '/usr/src/linux-headers-4.4.0-87-generic'


/usr/src/volatility-tools/linux# zip MyProfileRintintin.zip  module.dwarf /boot/System.map-4.4.0-87-generic 
  adding: module.dwarf (deflated 89%)
  adding: boot/System.map-4.4.0-87-generic (deflated 79%)

Retrieve the profile name (Linux + zip base name + architecture, as listed by --info)

# volatility --plugins=. -f snapIntrusCo.dmp --info
Volatility Foundation Volatility Framework 2.6


Profiles
--------
LinuxMyProfileRintintinx64 - A Profile for Linux MyProfileRintintin x64
VistaSP0x64                - A Profile for Windows Vista SP0 x64


# volatility --plugins=plugins -f dumpMemoryPostAttack.dump --profile=LinuxMyProfileRintintinx64 --cache linux_pslist
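The zip step above, done in Python 3 with the standard zipfile module so that the --profile name is printed rather than guessed. This is an added example, not code from the page or from Volatility: it applies the naming rule visible in the --info output (MyProfileRintintin.zip becomes LinuxMyProfileRintintinx64) and infers x64/x86 from the address width in System.map, which is this script's own heuristic. The script name pack_profile.py and the paths are assumptions.

```python
"""Package a Volatility 2 Linux profile and print the name to pass to --profile.

Added example, not code from the page or from Volatility. Naming rule taken
from the --info output above: MyProfileRintintin.zip -> LinuxMyProfileRintintinx64,
i.e. "Linux" + zip base name + architecture. The architecture is inferred here
from the System.map address width (16 hex digits on x86_64); that is this
script's heuristic, not Volatility's own detection. Script name and paths are
assumptions.
"""
import os
import re
import sys
import zipfile

# One System.map row: "ffffffff81000000 T _text" (address, symbol type, name).
SYSMAP_ROW = re.compile(r"^([0-9a-fA-F]+)\s+[A-Za-z?]\s+\S+")


def detect_arch(system_map_path):
    """'x64' when System.map addresses are 64 bits wide, else 'x86' (heuristic)."""
    with open(system_map_path) as fh:
        for line in fh:
            m = SYSMAP_ROW.match(line)
            if m:
                return "x64" if len(m.group(1)) == 16 else "x86"
    raise ValueError("no symbol rows found in %s" % system_map_path)


def profile_name(zip_path, arch):
    """Name Volatility derives from the zip file: Linux<basename><arch>."""
    base = os.path.splitext(os.path.basename(zip_path))[0]
    return "Linux" + base + arch


def pack_profile(dwarf_path, system_map_path, zip_path):
    """Write module.dwarf and System.map-<kernel> into zip_path; return the profile name."""
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(dwarf_path, "module.dwarf")
        zf.write(system_map_path, os.path.basename(system_map_path))
    return profile_name(zip_path, detect_arch(system_map_path))


def check_profile_zip(zip_path):
    """True when the zip holds the two members Volatility looks up by name."""
    with zipfile.ZipFile(zip_path) as zf:
        names = [os.path.basename(n) for n in zf.namelist()]
    return "module.dwarf" in names and any(n.startswith("System.map") for n in names)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: pack_profile.py module.dwarf /boot/System.map-<kernel> Name.zip")
    name = pack_profile(sys.argv[1], sys.argv[2], sys.argv[3])
    print("%s %s" % ("ok" if check_profile_zip(sys.argv[3]) else "BAD ZIP", name))
```

Drop the zip into volatility/plugins/overlays/linux/ or pass --plugins=<its directory> (as the first option, see above); the printed name should then show up in --info.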

List Windows processes as a tree (parent/child relationships)

volatility -f ../ch2.dmp --profile=Win7SP0x86 pstree

Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
. 0x896294c0:services.exe                             560    456      6    205 2013-01-12 16:38:16 UTC+0000
.. 0x89805420:svchost.exe                             832    560     19    435 2013-01-12 16:38:23 UTC+0000
... 0x87c90d40:audiodg.exe                           1720    832      5    117 2013-01-12 16:58:11 UTC+0000
.. 0x89852918:svchost.exe                             904    560     17    409 2013-01-12 16:38:24 UTC+0000
... 0x87ad44d0:dwm.exe                               2496    904      5     77 2013-01-12 16:40:25 UTC+0000
. 0x87bf7030:cmd.exe                                 3152   2548      1     23 2013-01-12 16:44:50 UTC+0000
.. 0x87cbfd40:winpmem-1.3.1.                         3144   3152      1     23 2013-01-12 16:59:17 UTC+0000
. 0x87b784b0:AvastUI.exe                             2720   2548     14    220 2013-01-12 16:40:31 UTC+0000
. 0x9549f678:iexplore.exe                            1136   2548     18    454 2013-01-12 16:57:44 UTC+0000
.. 0x87d4d338:iexplore.exe                           3044   1136     37    937 2013-01-12 16:57:46 UTC+0000
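What to look for in that tree is whether each core Windows process has the parent it should have. The following is an added example, not code from the page or a Volatility plugin: it parses the text pstree prints (volatility ... pstree | python pstree_check.py) and reports rows whose parent does not match a Windows Vista/7 expected-parent table of its own. SAMPLE_PSTREE is constructed from the listing above, with an explorer.exe row and a fake svchost.exe child of iexplore.exe added so that a hit is visible; the script name is an assumption.

```python
"""Check a pstree listing for parents that do not match the Windows 7 boot chain.

Added example, not code from the page or a Volatility plugin: it parses the
text pstree prints, so use it as  volatility ... pstree | python pstree_check.py
The expected-parent table is for Windows Vista/7 and is this script's own.
SAMPLE_PSTREE is constructed from the listing above: an explorer.exe row and
a fake svchost.exe child of iexplore.exe were added to show what a hit looks like.
"""
import re
import sys

# One pstree row: dots for depth, offset:name, Pid, PPid, Thds, Hnds, start time.
ROW = re.compile(
    r"^(?P<depth>\.*)\s*0x(?P<offset>[0-9a-fA-F]+):(?P<name>\S+)\s+"
    r"(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<time>.*)$"
)

# Process each core Windows 7 process is normally started by (lower-case names).
EXPECTED_PARENT = {
    "smss.exe": "system", "csrss.exe": "smss.exe", "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe", "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe", "lsm.exe": "wininit.exe",
    "svchost.exe": "services.exe", "taskhost.exe": "services.exe",
    "dwm.exe": "svchost.exe", "audiodg.exe": "svchost.exe",
    "explorer.exe": "userinit.exe",
}
# These parents exit right after spawning, so a missing PPid is normal for their children.
TRANSIENT_PARENTS = {"smss.exe", "userinit.exe"}
# Name fragments of memory acquisition tools (expected when you took the dump yourself).
ACQUISITION_MARKERS = ("pmem", "dumpit", "ftkimager")

# Constructed sample: layout of the pstree output above, plus explorer.exe and a fake svchost.exe.
SAMPLE_PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x8962a030:wininit.exe                               456    336      3     76 2013-01-12 16:38:15 UTC+0000
. 0x896294c0:services.exe                             560    456      6    205 2013-01-12 16:38:16 UTC+0000
.. 0x89805420:svchost.exe                             832    560     19    435 2013-01-12 16:38:23 UTC+0000
... 0x87c90d40:audiodg.exe                           1720    832      5    117 2013-01-12 16:58:11 UTC+0000
.. 0x89852918:svchost.exe                             904    560     17    409 2013-01-12 16:38:24 UTC+0000
... 0x87ad44d0:dwm.exe                               2496    904      5     77 2013-01-12 16:40:25 UTC+0000
 0x87e8a030:explorer.exe                             2548   2500     21    612 2013-01-12 16:40:20 UTC+0000
. 0x87bf7030:cmd.exe                                 3152   2548      1     23 2013-01-12 16:44:50 UTC+0000
.. 0x87cbfd40:winpmem-1.3.1.                         3144   3152      1     23 2013-01-12 16:59:17 UTC+0000
. 0x87b784b0:AvastUI.exe                             2720   2548     14    220 2013-01-12 16:40:31 UTC+0000
. 0x9549f678:iexplore.exe                            1136   2548     18    454 2013-01-12 16:57:44 UTC+0000
.. 0x87d4d338:iexplore.exe                           3044   1136     37    937 2013-01-12 16:57:46 UTC+0000
.. 0x87cc1d40:svchost.exe                            3300   1136      2     40 2013-01-12 16:58:02 UTC+0000
"""


def parse_pstree(text):
    """Rows of pstree as dicts; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            procs.append({"name": m.group("name"), "pid": int(m.group("pid")),
                          "ppid": int(m.group("ppid"))})
    return procs


def check_tree(procs):
    """(pid, name, reason) for unexpected parents, plus a note for acquisition tools."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name = p["name"].lower()
        if any(marker in name for marker in ACQUISITION_MARKERS):
            findings.append((p["pid"], p["name"], "memory acquisition tool running"))
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None:
            if expected not in TRANSIENT_PARENTS:
                findings.append((p["pid"], p["name"],
                                 "parent PID %d not in listing, expected %s" % (p["ppid"], expected)))
        elif parent["name"].lower() != expected:
            findings.append((p["pid"], p["name"], "parent is %s (PID %d), expected %s"
                             % (parent["name"], parent["pid"], expected)))
    return findings


if __name__ == "__main__":
    text = SAMPLE_PSTREE if sys.stdin.isatty() else sys.stdin.read()
    for pid, name, reason in check_tree(parse_pstree(text)):
        print("%6d %-16s %s" % (pid, name, reason))
```

pstree truncates image names to the 15 characters stored in _EPROCESS (hence winpmem-1.3.1.), so the matching is done on substrings and lower-case names. On the sample the only hits are the winpmem acquisition tool and the svchost.exe whose parent is iexplore.exe instead of services.exe.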

List processes with their command lines

# volatility -f dumpRootme --cache --profile=Win7SP1x86_23418 cmdline
Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid:      4
************************************************************************
VBoxTray.exe pid:   1124
Command line : "C:\Windows\System32\VBoxTray.exe" 
************************************************************************
wmpnetwk.exe pid:    392
Command line : "C:\Program Files\Windows Media Player\wmpnetwk.exe"
************************************************************************
mspaint.exe pid:   2644
Command line : "C:\Windows\system32\mspaint.exe" "C:\Users\info\Desktop\flag.png"
************************************************************************
svchost.exe pid:   2672
Command line : C:\Windows\system32\svchost.exe -k imgsvc
************************************************************************
firefox.exe pid:   2720
Command line : "C:\Program Files\Mozilla Firefox\firefox.exe" 
************************************************************************
WmiPrvSE.exe pid:   2864
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
TrueCrypt.exe pid:   3224
Command line : "C:\Program Files\TrueCrypt\TrueCrypt.exe" 
************************************************************************
notepad.exe pid:   3716
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\info\Desktop\findme

Dump environment variables

# volatility -f dumpRootme --profile=Win7SP1x86_23418 envars


    3716 notepad.exe          0x005007f0 PROCESSOR_ARCHITECTURE         x86
    3716 notepad.exe          0x005007f0 PROCESSOR_IDENTIFIER           x86 Family 6 Model 58 Stepping 9, GenuineIntel
    3716 notepad.exe          0x005007f0 PROCESSOR_LEVEL                6
    3716 notepad.exe          0x005007f0 PROCESSOR_REVISION             3a09
    3716 notepad.exe          0x005007f0 ProgramData                    C:\ProgramData
    3716 notepad.exe          0x005007f0 ProgramFiles                   C:\Program Files
    3716 notepad.exe          0x005007f0 PSModulePath                   C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
    3716 notepad.exe          0x005007f0 PUBLIC                         C:\Users\Public
    3716 notepad.exe          0x005007f0 SESSIONNAME                    Console
    3716 notepad.exe          0x005007f0 SystemDrive                    C:
    3716 notepad.exe          0x005007f0 SystemRoot                     C:\Windows
    3716 notepad.exe          0x005007f0 TEMP                           C:\Users\info\AppData\Local\Temp
    3716 notepad.exe          0x005007f0 TMP                            C:\Users\info\AppData\Local\Temp
    3716 notepad.exe          0x005007f0 USERDOMAIN                     pc-chall
    3716 notepad.exe          0x005007f0 USERNAME                       info
    3716 notepad.exe          0x005007f0 USERPROFILE                    C:\Users\info
    3716 notepad.exe          0x005007f0 windir                         C:\Windows

List connections (netstat equivalent; netscan covers Vista, 2008 and 7, use connections/connscan and sockets/sockscan on XP/2003)

volatility -f ../ch2.dmp --profile=Win7SP0x86 netscan


Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0xbab2288          TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0xbab2288          TCPv6    :::445                         :::0                 LISTENING        4        System
0xbebcc58          TCPv6    :::49161                       :::0                 LISTENING        560      services.exe
0x1c059910         TCPv4    192.168.1.66:58779             46.105.38.60:80      CLOSE_WAIT       1220     AvastSvc.exe

Get the computer name (from the SYSTEM hive)

$ volatility -f ch2.dmp --profile=Win7SP1x86_23418 printkey -K "ControlSet001\Control\ComputerName\ActiveComputerName"

Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ActiveComputerName (V)
Last updated: 2019-02-02 11:43:29 UTC+0000

Subkeys:

Values:
REG_SZ        ComputerName    : (V) ABOUD

Scan for file objects (pool scan of _FILE_OBJECT structures, so recently closed files can show up as well)

# volatility -f dumpRootme  --profile=Win7SP1x86_23418 filescan 
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x00000000007f3270      1      1 R----- \Device\HarddiskVolume2\System Volume Information\{ce845261-7b2a-11e6-9a0b-0800271fb50b}{3808876b-c176-4e48-b7ae-04046e6cc752}
0x000000001e0072e8      4      0 R--r-d \Device\HarddiskVolume2\Windows\System32\FXSMON.dll
0x000000001e007848      4      0 R--r-d \Device\HarddiskVolume2\Windows\System32\MsCtfMonitor.dll

List processes (walks the active process list; compare with psscan, which pool-scans for _EPROCESS and also finds unlinked or terminated processes)

# volatility -f dumpRootme  --profile=Win7SP1x86_23418 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x83f2f9e8 System                    4      0     87      494 ------      0 2016-09-15 10:10:39 UTC+0000                                 
0x84e5d020 smss.exe                268      4      2       29 ------      0 2016-09-15 10:10:39 UTC+0000                                 
0x84d9cd40 csrss.exe               344    336      8      404      0      0 2016-09-15 10:10:40 UTC+0000                                 
0x853fa2b8 wininit.exe             380    336      3       76      0      0 2016-09-15 10:10:40 UTC+0000   

Dump process memory (all accessible pages of the process address space into one file)

# volatility -f dumpRootme  --profile=Win7SP1x86_23418 memdump -p 2644 -D /tmp/f
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing mspaint.exe [  2644] to 2644.dmp

Carve files out of the process dump with foremost (by header/footer signatures)

# foremost -v -i /tmp/f/2644.dmp -o /tmp/test
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sat Mar 16 14:41:13 2019
Invocation: foremost -v -i /tmp/f/2644.dmp -o /tmp/test 
Output directory: /tmp/test
Configuration file: /etc/foremost.conf
Processing: /tmp/f/2644.dmp
|------------------------------------------------------------------
File: /tmp/f/2644.dmp
Start: Sat Mar 16 14:41:13 2019
Length: 151 MB (159367168 bytes)
 
Num	 Name (bs=512)	       Size	 File Offset	 Comment 

0:	00004251.gif 	      199 B 	    2176802 	  (18759 x 14406)
1:	00020155.gif 	       1 KB 	   10319472 	  (65535 x 65535)
2:	00020160.gif 	      22 KB 	   10321920 	  (65535 x 65535)
3:	00020632.gif 	       8 KB 	   10563688 	  (18759 x 14406)
[...]
161:	00282079.png 	      924 B 	  144424483 	  (16 x 16)
*|
Finish: Sat Mar 16 14:41:16 2019

162 FILES EXTRACTED
	
gif:= 10
htm:= 36
exe:= 101
png:= 15
------------------------------------------------------------------

Foremost finished at Sat Mar 16 14:41:16 2019

MFT entries (NTFS MFT records found in memory, with their $FILE_NAME timestamps and paths)

volatility_2.6_win64_standalone.exe -f ../ch2.dmp --profile=Win7SP0x86 mftparser

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2013-01-12 10:12:58 UTC+0000 2013-01-12 10:12:58 UTC+0000   2013-01-12 10:12:58 UTC+0000   2013-01-12 10:12:58 UTC+0000   Users\John Doe\AppData\Local\MICROS~1\Windows\TEMPOR~1\Low\Content.IE5\IQNJ6DHS\CBEC45~1.JPG

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2013-01-12 10:12:58 UTC+0000 2013-01-12 10:12:58 UTC+0000   2013-01-12 10:12:58 UTC+0000   2013-01-12 10:12:58 UTC+0000   Users\John Doe\AppData\Local\MICROS~1\Windows\TEMPOR~1\Low\Content.IE5\IQNJ6DHS\CBEC45C5E299C61D63102DAC7343D0[1].jpg

Dump a file by object offset (-Q takes the physical offset printed by filescan)

# volatility -f dumpRootme  --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000001ffed768 -D /tmp/f
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x1ffed768   None   \Device\HarddiskVolume2\Users\info\AppData\Roaming\Mozilla\Firefox\Profiles\lj1v0osd.default\datareporting\session-state.json.tmp

Dump memory regions (vaddump writes every VAD of the process, i.e. heaps, stacks and mapped files, to separate files)

volatility -f dumpRootme --profile=Win7SP1x86_23418 vaddump -p 3224 -D /tmp/dmp/vads/

Clipboard

# volatility -f dumpRootme --profile=Win7SP1x86_23418 clipboard
Volatility Foundation Volatility Framework 2.6
Session    WindowStation Format                 Handle Object     Data                                              
---------- ------------- ------------------ ---------- ---------- --------------------------------------------------
         1 WinSta0       CF_UNICODETEXT        0xd02d1 0xffbb3fb0 R3sqdl3Fuuz2ZdbdYsf56opFFLe9sAsx                  
         1 WinSta0       CF_LOCALE             0x802d9 0xff9d1af8                                                   
         1 WinSta0       CF_TEXT                   0x1 ----------                                                   
         1 WinSta0       CF_OEMTEXT                0x1 ----------     

TrueCrypt (truecryptsummary recovers the cached volume password; here it is the same string that was sitting in the clipboard)

# volatility -f dumpRootme --profile=Win7SP1x86_23418 truecryptsummary
Volatility Foundation Volatility Framework 2.6
Registry Version     TrueCrypt Version 7.0a
Password             R3sqdl3Fuuz2ZdbdYsf56opFFLe9sAsx at offset 0x87433e44
Process              TrueCrypt.exe at 0x84e27030 pid 3224
Service              truecrypt state SERVICE_RUNNING
Kernel Module        truecrypt.sys at 0x87400000 - 0x87437000
Symbolic Link        Volume{a4cc2add-7b2c-11e6-b853-0800271fb50b} -> \Device\TrueCryptVolumeF mounted 2016-09-15 10:11:42 UTC+0000
Driver               \Driver\truecrypt at 0x1ee1d700 range 0x87400000 - 0x87436980
Device               TrueCrypt at 0x84e1dc90 type FILE_DEVICE_UNKNOWN

Screenshot

# volatility -f dumpRootme --profile=Win7SP1x86_23418 screenshot -D screen/
Volatility Foundation Volatility Framework 2.6
Wrote screen/session_0.Service-0x0-3e7$.Default.png
Wrote screen/session_0.Service-0x0-3e4$.Default.png
Wrote screen/session_0.Service-0x0-3e5$.Default.png
Wrote screen/session_0.msswindowstation.mssrestricteddesk.png
Wrote screen/session_0.WinSta0.Default.png
Wrote screen/session_0.WinSta0.Disconnect.png
Wrote screen/session_0.WinSta0.Winlogon.png
Wrote screen/session_1.WinSta0.Default.png
Wrote screen/session_1.WinSta0.Disconnect.png
Wrote screen/session_1.WinSta0.Winlogon.png

List available profiles (--plugins points at a directory holding extra profile zips)

volatility_2.6_win64_standalone.exe --plugins=c:\Users\vk\Desktop\volatility_2.6_win64_standalone\Linux\Ubuntu\x64\ --info
volatility_2.6_win64_standalone.exe --plugins=c:\Users\vk\Desktop\volatility_2.6_win64_standalone\Linux\Ubuntu\x64\ -f dumpUbuntu.dmp --cache --profile=LinuxUbuntu1604x64 linux_pslist

Bash history (recovered from the memory of each bash process)

volatility_2.6_win64_standalone.exe --plugins=c:\Users\vk\Desktop\volatility_2.6_win64_standalone\Linux\Ubuntu\x64\ -f dumpUbuntu.dmp --cache --profile=LinuxUbuntu1604x64 linux_bash
Volatility Foundation Volatility Framework 2.6
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    2066 bash                 2019-03-12 10:09:16 UTC+0000   uname -r
    2066 bash                 2019-03-12 10:09:16 UTC+0000   exit
    2066 bash                 2019-03-12 10:09:16 UTC+0000   cat /etc/*release
    2066 bash                 2019-03-12 10:09:16 UTC+0000   uname -a
    2066 bash                 2019-03-12 10:09:16 UTC+0000   ip a
    2066 bash                 2019-03-12 10:09:16 UTC+0000   sudo su -
    2066 bash                 2019-03-12 10:09:27 UTC+0000   (firefox)&

Grab NTLM hashes

# volatility -f dumpRootme  --profile=Win7SP1x86_23418 hivelist

Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8e28d3d8 0x1a0cc3d8 \Device\HarddiskVolume1\Boot\BCD
0x8e314008 0x1a153008 \SystemRoot\System32\Config\SOFTWARE
0x9005a9d0 0x19d4b9d0 \SystemRoot\System32\Config\DEFAULT
0x90156008 0x18ef9008 \SystemRoot\System32\Config\SECURITY
0x901de008 0x18be6008 \SystemRoot\System32\Config\SAM
0x90323008 0x16192008 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x90327008 0x14456008 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x88c0c4e8 0x1c4654e8 [no name]
0x88c1a280 0x1c66d280 \REGISTRY\MACHINE\SYSTEM
0x88c42008 0x1c317008 \REGISTRY\MACHINE\HARDWARE
0x8ad3e9d0 0x00a4d9d0 \??\C:\Users\info\ntuser.dat
0x8ae299d0 0x158cb9d0 \??\C:\Users\info\AppData\Local\Microsoft\Windows\UsrClass.dat

-y is the virtual offset of the SYSTEM hive (0x88c1a280 in the hivelist output above) and -s that of the SAM hive (0x901de008); the boot key from SYSTEM is needed to decrypt the SAM hashes.

# volatility hashdump -f dumpRootme  --profile=Win7SP1x86_23418 -y 0x88c1a280 -s 0x901de008

Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:57e82f46aff390080f143c09ab2c5b68:::
info:1002:aad3b435b51404eeaad3b435b51404ee:dc3817f29d2199446639538113064277:::
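Two of the four hashes above are worth recognising before feeding anything to a cracker: 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password, and aad3b435b51404eeaad3b435b51404ee as LM hash means no LM hash is stored. The following added example (not code from the page or from Volatility) parses hashdump output, classifies each account, and writes the hashcat (-m 1000) and john (--format=NT) input files; the file names are assumptions.

```python
"""Triage hashdump output: blank passwords, and input files for hashcat / john.

Added example, not code from the page or from Volatility. Facts it relies on:
NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is MD4 of the empty UTF-16LE string
(blank password), and LM hash aad3b435b51404eeaad3b435b51404ee means no LM
hash is stored (default since Vista). RIDs 500/501 are the built-in
Administrator and Guest accounts, disabled by default on Windows 7, so a blank
hash there is not by itself a logon path. SAMPLE_HASHDUMP is the listing above.
"""
import sys

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

SAMPLE_HASHDUMP = """\
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:57e82f46aff390080f143c09ab2c5b68:::
info:1002:aad3b435b51404eeaad3b435b51404ee:dc3817f29d2199446639538113064277:::
"""


def parse_hashdump(text):
    """user:rid:lm:nt::: rows as dicts; the banner and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def classify(entry):
    if entry["nt"] == EMPTY_NT:
        if entry["rid"] in (500, 501):
            return "blank password (built-in account, disabled by default on Windows 7)"
        return "blank password"
    if entry["lm"] != EMPTY_LM:
        return "LM hash stored (crack it first: 14-char limit, case-insensitive)"
    return "NT hash only"


def triage(entries):
    return [(e["user"], e["rid"], classify(e)) for e in entries]


def to_hashcat(entries):
    """hashcat -m 1000 input: one NT hash per line, blank passwords skipped."""
    return [e["nt"] for e in entries if e["nt"] != EMPTY_NT]


def to_john(entries):
    """john --format=NT input: user:nthash, so cracked passwords map back to accounts."""
    return ["%s:%s" % (e["user"], e["nt"]) for e in entries if e["nt"] != EMPTY_NT]


if __name__ == "__main__":
    text = SAMPLE_HASHDUMP if sys.stdin.isatty() else sys.stdin.read()
    entries = parse_hashdump(text)
    for user, rid, verdict in triage(entries):
        print("%-16s rid %-5d %s" % (user, rid, verdict))
    with open("nt.hashcat", "w") as fh:
        fh.write("\n".join(to_hashcat(entries)) + "\n")
    with open("nt.john", "w") as fh:
        fh.write("\n".join(to_john(entries)) + "\n")
```

Pipe the plugin into it (volatility ... hashdump | python hashdump_triage.py): on the listing above only HomeGroupUser$ and info end up in the crack files.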

netscan (same plugin on another dump; UDP rows have no State column)

volatility -f dumpRootme  --profile=Win7SP1x86_23418 netscan

Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x1e006478         UDPv4    10.0.2.15:137                  *:*                                   4        System         2016-09-15 10:10:49 UTC+0000
0x1e05a2a0         UDPv4    0.0.0.0:64167                  *:*                                   992      svchost.exe    2016-09-15 10:11:22 UTC+0000
0x1e074e88         UDPv6    fe80::cd7c:8018:67b8:71e2:1900 *:*                                   1320     svchost.exe    2016-09-15 10:11:00 UTC+0000
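Across both netscan listings above the first questions are the same: which processes talk to hosts outside the local ranges, and which sockets are bound. The following is an added example, not code from the page or a Volatility plugin: it parses the text netscan prints in both layouts shown (TCP rows carry a State column, UDP rows do not, Created may be absent). SAMPLE_NETSCAN copies rows from the two listings above; its last row, cmd.exe connected to 203.0.113.77:4444, is constructed to show a hit. The list of internal ranges and the script name are this example's own assumptions.

```python
"""Triage netscan output: connections to external hosts and listening sockets.

Added example, not code from the page or a Volatility plugin. It parses the text
netscan prints in both layouts shown above (TCP rows carry a State column, UDP
rows do not, Created may be absent):  volatility ... netscan | python netscan_triage.py
SAMPLE_NETSCAN copies rows from the two listings above; the last row, cmd.exe
talking to 203.0.113.77:4444, is constructed to show a hit. INTERNAL_NETS is this
script's own list (RFC 1918, loopback, link-local, multicast, unspecified).
"""
import ipaddress
import re
import sys

ROW = re.compile(
    r"^0x(?P<offset>[0-9a-fA-F]+)\s+(?P<proto>TCP|UDP)v(?P<ver>[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>-?\d+)"
    r"(?:\s+(?P<owner>\S+))?(?:\s+(?P<created>.*))?$"
)

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]

# Rows copied from the two netscan listings above; the last row is constructed.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0xbab2288          TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0xbab2288          TCPv6    :::445                         :::0                 LISTENING        4        System
0xbebcc58          TCPv6    :::49161                       :::0                 LISTENING        560      services.exe
0x1c059910         TCPv4    192.168.1.66:58779             46.105.38.60:80      CLOSE_WAIT       1220     AvastSvc.exe
0x1e006478         UDPv4    10.0.2.15:137                  *:*                                   4        System         2016-09-15 10:10:49 UTC+0000
0x1e074e88         UDPv6    fe80::cd7c:8018:67b8:71e2:1900 *:*                                   1320     svchost.exe    2016-09-15 10:11:00 UTC+0000
0x1e0a3c70         TCPv4    10.0.2.15:49200                203.0.113.77:4444    ESTABLISHED      3152     cmd.exe        2016-09-15 10:12:03 UTC+0000
"""


def split_addr(addr):
    """'host:port' -> (host, port); '*:*' (unbound UDP peer) -> ('*:*', None)."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return addr, None
    return host, int(port)


def is_external(host):
    """True for addresses outside INTERNAL_NETS; False for '*' and unparsable tokens."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def parse_netscan(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        lhost, lport = split_addr(m.group("local"))
        fhost, fport = split_addr(m.group("foreign"))
        rows.append({
            "proto": "%sv%s" % (m.group("proto"), m.group("ver")),
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
            "owner": m.group("owner") or "",
            "created": m.group("created") or "",
        })
    return rows


def triage(rows):
    """Rows worth a look: peers outside the internal ranges, and bound sockets."""
    external = [r for r in rows if is_external(r["foreign_host"])]
    listening = [r for r in rows if r["state"] == "LISTENING" or r["proto"].startswith("UDP")]
    return {"external": external, "listening": listening}


if __name__ == "__main__":
    text = SAMPLE_NETSCAN if sys.stdin.isatty() else sys.stdin.read()
    result = triage(parse_netscan(text))
    for r in result["external"]:
        print("EXTERNAL %-12s pid %-5d %s -> %s:%s %s" % (r["owner"], r["pid"], r["local_host"],
                                                        r["foreign_host"], r["foreign_port"], r["state"]))
    for r in result["listening"]:
        print("BOUND    %-12s pid %-5d %s port %s" % (r["owner"], r["pid"], r["proto"], r["local_port"]))
```

CLOSE_WAIT rows are kept on purpose: the AvastSvc.exe connection to 46.105.38.60 is already closing, but it still tells you the process reached that host. Cross-check every EXTERNAL pid against pstree and cmdline before deciding what it is.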

Source of plugins: https://github.com/superponible/volatility-plugins