Here are just some random things that I have figured out with this tool so far. I am in no way calling myself an expert with it; these are just a few humble tips I might have for a beginning tester.
I have been using Volatility for a little while now, and I wanted to write down some basic things I do, for anyone who is interested. Like many other posts on this site, this is mostly notes to myself that I am willing to share.
Some initial plugins to use:
I generally start any look at memory with the process plugins: pslist, psscan, psxview, and pstree. pslist walks the kernel's process list, psscan carves process structures out of physical memory (so it also finds terminated and unlinked ones), psxview cross-references several of these views so a process that is hidden from one but not the others stands out, and pstree shows parent/child relationships. I pipe the output of each of these to a text file that I can grep through later at my leisure. Sometimes you don't see anything in the initial pass over the output, but later in the investigation you want to go back and re-check those results.
vol.py -f memory.file --profile=profile_choice pslist >> pslist.txt
After these commands I usually don't wait, and just dump every process that I can. For this we use procdump; create the output directory first, since Volatility will not create it for you. After that I hash all of the dumped files with both SHA1 and MD5, just so I have them. I then push the dumped processes against VirusTotal to see if there are any hits. Didier Stevens has a great set of scripts for this, so mad props to him! Two caveats: a PE dumped from memory is not byte-identical to the file on disk (imports are resolved and relocations applied, and procdump rebuilds the headers), so a hash-only lookup will usually miss even for known samples, and actually uploading a dumped process hands whatever was in that process's memory to a third party, which may not be acceptable for an internal system. You can get a lot of false positives doing this, but it can also help by giving you an idea of which PIDs to pay attention to in the first place.
vol.py -f memory.file --profile=profile_choice procdump -D pdump >> pdump.txt
After this, malfind becomes my next plugin of choice. It looks for private, executable memory regions with no backing file, which is what injected code and unpacked payloads usually look like. I still pipe it into a text file and grep it later, and I always add the dump option so I don't have to run it again.
vol.py -f memory.file --profile=profile_choice malfind -D malfind >> malfind.txt
grep -B4 MZ malfind.txt
From here I can see which PIDs potentially have something injected into them: the -B4 pulls in the four lines above each hexdump line that starts with an MZ header, which is where malfind prints the process name, PID and region address. It is important to note that you can get false positives here, especially where AV is concerned, and a region without an MZ header is not automatically clean (shellcode and manually mapped code have no DOS header). I have also seen endpoint management suites (Altiris) skew these results a little, so it is important to know what the normal memory footprint of your standard image looks like (assuming you have a standard image). If you get any hits, this is where you go back to your process files and look up the PIDs that malfind flagged.
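The grep above is enough at the keyboard, but once you are doing this for every image it is worth scripting the two post-processing steps: hashing everything procdump wrote out, and pulling the PID/process/address triples for the malfind regions that begin with an MZ header. The script below is an added example and is not from the original post or from the Volatility project; it assumes the Volatility 2 malfind text layout (a "Process: ... Pid: ... Address: ..." header followed by a hexdump) and the pdump/malfind directory names used in the commands above. The malfind output it runs on when called with no arguments is constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post). Post-processes the text files
# the Volatility workflow above leaves behind:
#   hash_dumps  <dir>          sha1 and md5 of every file procdump/malfind wrote
#   malfind_mz  <malfind.txt>  pid/process/address for regions starting with MZ
# With no arguments it runs a demo on a constructed malfind.txt.
set -u

# Print "sha1<TAB>md5<TAB>path" for every regular file under $1, sorted by path,
# so the list can be pasted into a case file or fed to a hash lookup script.
hash_dumps() {
    dir=$1
    find "$dir" -type f | sort | while IFS= read -r f; do
        sha=$(sha1sum "$f" | cut -d' ' -f1)
        md5=$(md5sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$sha" "$md5" "$f"
    done
}

# Parse Volatility 2 malfind text output. For each region, remember the header
# fields, then look at the FIRST hexdump line only: if its bytes start with
# 4d 5a (the MZ magic) print "pid<TAB>process<TAB>address". This is the same
# thing "grep -B4 MZ" shows, reduced to fields you can grep pslist/dlllist for.
malfind_mz() {
    awk '
        /^Process: / { proc = $2; pid = $4; addr = $6; want = 1; next }
        want && /^0x[0-9a-fA-F]+ +4d 5a / {
            printf "%s\t%s\t%s\n", pid, proc, addr; want = 0; next
        }
        want && /^0x[0-9a-fA-F]+ / { want = 0 }   # first dump line was not MZ
    ' "$1"
}

# Constructed sample of malfind output (two regions, one with an MZ header).
sample_malfind() {
    cat <<'EOF'
Process: explorer.exe Pid: 1500 Address: 0x2f60000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02f60000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x02f60010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

Process: svchost.exe Pid: 880 Address: 0x80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00080000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00080010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
EOF
}

demo() {
    tmp=$(mktemp -d)
    sample_malfind > "$tmp/malfind.txt"
    printf 'fake dump' > "$tmp/executable.1500.exe"   # stands in for a procdump file
    echo "== regions with MZ header =="; malfind_mz "$tmp/malfind.txt"
    echo "== hashes =="; hash_dumps "$tmp"
    rm -rf "$tmp"
}

if [ $# -ge 1 ]; then
    malfind_mz "$1"                      # ./triage.sh malfind.txt [pdump]
    if [ $# -ge 2 ]; then hash_dumps "$2"; fi
else
    demo
fi
```

Run it as `sh triage.sh malfind.txt pdump` against real output; the PIDs it prints are the ones to look up in your pslist/psxview files next.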
Some other useful plugins are: filescan, dlllist, dlldump, mftparser, netscan, and moddump. Note that netscan only works on Vista and later; for XP/2003 images use connections, connscan, sockets and sockscan instead.
There is also a wide variety of browser plugins in Volatility now that can give you lots of good information, so practicing with those is recommended too.
1 – Host Unreachable
2 – Protocol Unreachable
3 – Port Unreachable
9 – Communication with destination network prohibited
10 – Communication with destination host prohibited
13 – Communication administratively prohibited
Here are some extra places you can get target VMs from:
Other Operating Systems:
- OpenIndiana – a community-driven illumos distribution
- XStreamOS – a server and desktop OS based on the illumos kernel
- OpenSolaris – an open version of Solaris for you to play around with. You need an Oracle account to download these; the accounts are free to set up.
- Android-x86 – run the Android OS on your PC
- PureDarwin – an open-source OS built on Darwin, the core of Mac OS X
This is a quick post on how I added Malformity to my SIFT workstation. This process is super complex, so make sure you are really paying attention... ;-)
First, get Malformity:
git clone https://github.com/digital4rensics/Malformity.git
Change into the new Malformity folder and run the following:
sudo python setup.py install
Once that is done, run the following, which generates the Malformity.mtz profile that Maltego imports:
canari create-profile Malformity
Finally, open Maltego, click the main icon in the upper left-hand corner, choose Import, then Import Configuration, and follow the prompts.