Here are just some random things that I have figured out with this tool so far. In no way at all am I calling myself an expert with this tool. These are just a few humble tips I might have for a beginning tester.
So I have been using volatility for a little bit now, and I wanted to drop some basic things that I do for others if they are interested. This post is like many others on this site, in that it is more notes for myself that I am willing to share with others.
Some initial plugins to use:
I generally start any look at memory with the process plugins: pslist, psscan, psxview, and pstree. I generally pipe all of these commands to a text file that I can grep through later at my leisure. Sometimes you don’t see anything in the initial scan of the output, but later in the investigation you want to go back and re-examine those results.
vol.py -f memory.file --profile=profile_choice pslist >> pslist.txt
After these commands, I usually don’t wait, and just dump all of the processes that I can. For this we use “procdump”. After this I generally hash all of the files, with both SHA1 and MD5, just so I have them. I generally push the dumped processes against VirusTotal to see if there are any hits. Didier Stevens has a great set of scripts to do this, so mad props to him! You can get a lot of false positives doing this, but it can also help by giving you an idea of which PIDs to pay attention to in the first place.
vol.py -f memory.file --profile=profile_choice procdump -D pdump >> pdump.txt
After this, “malfind” becomes my next plugin of choice. I still pipe this into a text file and then do some ‘grepping’ against it later. I always add the dump option, so I don’t have to run it again later.
vol.py -f memory.file --profile=profile_choice malfind -D malfind >> malfind.txt
cat malfind.txt | grep -B4 MZ
From here I can see which PIDs potentially have had something injected into them. It is important to note that you can get false positives here, especially where AV is concerned. I have also seen some endpoint management suites (Altiris) corrupt these results a little bit, so it is important to know what your normal memory footprint is like on your standard image. (Assuming you have a standard image.) If you get any hits, this is where you can go back to your process files and see more info about any PIDs you might find in malfind.
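The malfind triage step above (dump, then grep for MZ with -B4 to recover the PID) done as a small parser of Volatility 2 malfind text output, added here as an example that is not part of these notes: it records each region's process, PID, address and protection, keeps the region's leading bytes, and flags MZ headers and all-zero pages (a common false-positive class). The sample output is constructed, and the header and hexdump line layout assume Volatility 2's malfind format.

```python
import re

# Constructed Volatility 2 malfind output (sample data, not from a real case).
SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1484 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01460000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

0x01460000 4d               DEC EBP

Process: svchost.exe Pid: 1032 Address: 0x7ff80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x7ff80000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

HEADER = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
HEXROW = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} )+)")  # hex byte rows; hexdump precedes disassembly

def parse_malfind(text):
    """One record per malfind region: process, pid, address, protection, leading bytes."""
    regions, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "protection": None, "first_bytes": b""}
            regions.append(cur)
        elif cur is not None:
            if line.startswith("Vad Tag:"):
                cur["protection"] = line.split("Protection: ")[1].strip()
            elif not cur["first_bytes"] and (h := HEXROW.match(line)):
                cur["first_bytes"] = bytes.fromhex(h.group(1).replace(" ", ""))
    return regions

def classify(first_bytes):
    # Same question the 'grep -B4 MZ' step asks, plus the zero-page false-positive case
    if first_bytes.startswith(b"MZ"):
        return "MZ header: PE image in private executable memory, inspect this PID first"
    if first_bytes and not any(first_bytes):
        return "all-zero page: frequent false positive, low priority"
    return "non-PE code or data: review the disassembly"

def triage(text):
    """(pid, process, address, protection, verdict) for every malfind region."""
    return [(r["pid"], r["process"], hex(r["address"]), r["protection"],
             classify(r["first_bytes"])) for r in parse_malfind(text)]
```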
Some other fun plugins that I use are: “filescan”, “dlllist”, “dlldump”, “mftparser”, “netscan”, and “moddump”.
There is a wide variety of browser plugins now in Volatility that can give you lots of good information, so practicing with those is also recommended.
1 – Host Unreachable
2 – Protocol Unreachable
3 – Port Unreachable
9 – Communication with destination network prohibited
10 – Communication with destination host prohibited
13 – Communication administratively prohibited
So here are some cryptography notes for myself for various tests and things I have to study for.
Terms to know:
Stream Ciphers – This is a class of cipher that encrypts one bit of data at a time. The length of the encrypted text is the same as the length of the plaintext. Examples of stream ciphers: RC4, A5/1, E0, VEST, Salsa20, etc.
Block Ciphers – Encrypts data one block at a time. When the data is not a whole number of blocks long, it is padded at the end to fill out the final block. PKCS5 or PKCS7 padding is typically used for this. Example block ciphers: AES, DES, 3DES, Blowfish, Twofish, etc. Block cipher modes of operation:
- Electronic Codebook
- Cipher Block Chaining Mode – each plaintext block is XOR’ed with the previous ciphertext block before it is encrypted. This adds randomness to each encryption operation so that identical plaintext blocks do not produce identical ciphertext blocks.
- Cipher Feedback
- Output Feedback
- Counter – A block cipher acting, in a small way, as a stream cipher. The IV is concatenated with a counter value, and that combined value is the input to the algorithm.
ent – pseudorandom number sequence test (install with “sudo apt-get install ent”)