Tag Archives: memory forensics

Fun stuff with Volatility

So I have been using Volatility for a little bit now, and I wanted to drop some basic things that I do, for others if they are interested. This post is like many others on this site, in that it is more notes for myself that I am willing to share with others.

Some initial plugins to use:
I generally start any look at a memory image with the process plugins: pslist, psscan, psxview, and pstree. I pipe the output of each of these commands to a text file that I can grep through later at my leisure. Sometimes you don't see anything in the initial scan of the output, but later in the investigation you want to go back and read those results again.

vol.py -f memory.file --profile=profile_choice pslist >> pslist.txt

After these commands, I usually don't wait, and just dump all of the processes that I can. For this we use "procdump". After that I generally hash all of the dumped files with both SHA1 and MD5, just so I have them. I generally push the dumped processes against VirusTotal to see if there are any hits. Didier Stevens has a great set of scripts to do this, so mad props to him! Keep in mind that a hash lookup discloses nothing, whereas uploading a dumped process shares its contents with VirusTotal and its partners, so stick to hash lookups for anything sensitive. You can get a lot of false positives doing this, but it can also help by giving you an idea of which PIDs to pay attention to in the first place.
vol.py -f memory.file --profile=profile_choice procdump -D pdump >> pdump.txt

After this, "malfind" becomes my next plugin of choice. I still pipe this into a text file and then do some grepping against it later. I always add the dump option, so I don't have to run it again later.
vol.py -f memory.file --profile=profile_choice malfind -D malfind >> malfind.txt
grep -B4 MZ malfind.txt
The -B4 prints the four lines above each hex-dump line whose ASCII column contains MZ, which is where the "Process: ... Pid: ... Address: ..." header for that region sits, so the PID comes out next to the hit.

From here I can see which PIDs potentially have had something injected into them. It is important to note that you can get false positives here, especially where AV is concerned. I have also seen some endpoint management suites (Altiris) corrupt these results a little bit, so it is important to know what your normal memory footprint is like on your standard image (assuming you have a standard image). If you get any hits, this is where you go back to your process files and see more info about any PIDs you found in malfind.
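The whole sequence above (process plugins, procdump, hashing, malfind, then picking out the regions that start with an MZ header) as a small Python helper. This is an added example, not code from the original post or from the Volatility project: it assumes vol.py (Volatility 2.x) is on PATH, that malfind's text output has the 2.x layout (a "Process: <name> Pid: <pid> Address: <addr>" header, two more header lines, a blank line, then hex-dump lines), and the function names and the sample malfind text are this example's own.

```python
"""Helper around the Volatility 2 triage workflow described above.

Added example, not code from the original post.  Assumes ``vol.py``
(Volatility 2.x) is on PATH and that malfind's text output has the 2.x
layout described in the lead-in.  ``run_triage`` and the other names are
this example's own.
"""
import hashlib
import os
import re
import subprocess

PLUGINS = ("pslist", "psscan", "psxview", "pstree")

# Region header, e.g. "Process: explorer.exe Pid: 1484 Address: 0x1460000"
HEADER_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
# Hex-dump line: address, whitespace, then "xx xx xx ..." byte pairs
HEXLINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} ?)+)")


def run_triage(mem, profile, outdir):
    """Run the process plugins, procdump and malfind, one text file each."""
    pdump_dir = os.path.join(outdir, "pdump")
    malfind_dir = os.path.join(outdir, "malfind")
    os.makedirs(pdump_dir, exist_ok=True)
    os.makedirs(malfind_dir, exist_ok=True)
    base = ["vol.py", "-f", mem, "--profile=" + profile]
    jobs = [(p, base + [p]) for p in PLUGINS]
    jobs.append(("pdump", base + ["procdump", "-D", pdump_dir]))
    jobs.append(("malfind", base + ["malfind", "-D", malfind_dir]))
    for name, cmd in jobs:
        with open(os.path.join(outdir, name + ".txt"), "w") as fh:
            subprocess.run(cmd, stdout=fh, stderr=subprocess.STDOUT, check=False)


def hash_bytes(data):
    """Return (md5, sha1) hex digests, the pair the post keeps for each dump."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_dumps(dumpdir):
    """Return {filename: (md5, sha1)} for every file procdump wrote."""
    result = {}
    for name in sorted(os.listdir(dumpdir)):
        path = os.path.join(dumpdir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                result[name] = hash_bytes(fh.read())
    return result


def malfind_mz_pids(text):
    """Return [(pid, process, address)] for regions whose first bytes are MZ.

    Stricter than ``grep -B4 MZ``: only the first hex-dump line of each
    region is checked, and only its first two bytes, so an "MZ" that merely
    appears somewhere in the ASCII column is not reported.
    """
    hits, current, want_first = [], None, False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (int(m.group(2)), m.group(1), m.group(3))
            want_first = True
            continue
        if want_first and line.startswith("0x"):
            want_first = False  # rest of the dump and the disassembly are ignored
            h = HEXLINE_RE.match(line)
            if h and h.group(1).split()[:2] == ["4d", "5a"]:
                hits.append(current)
    return hits


# Constructed sample in the Volatility 2 malfind layout (not real output):
# one region that starts with an MZ header and one where "MZ" only shows up
# at offset 0x10, which the stricter check deliberately leaves out.
SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1484 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x01460000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x01460010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x01460000 4d               DEC EBP
0x01460001 5a               POP EDX

Process: svchost.exe Pid: 880 Address: 0x90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00090000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00090010  4d 5a 00 00 00 00 00 00 00 00 00 00 00 00 00 00   MZ..............
"""

if __name__ == "__main__":
    for pid, proc, addr in malfind_mz_pids(SAMPLE_MALFIND):
        print("PE header at %s in %s (pid %d)" % (addr, proc, pid))
```

Running it prints the explorer.exe region only; the svchost.exe region is skipped because its MZ is not at the start of the region. If you want the looser behaviour of the grep above (any MZ in the ASCII column), drop the want_first check and test every hex-dump line. The dict from hash_dumps is what you would hand to a VirusTotal hash-lookup script.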

Some other fun plugins that I use are: "filescan", "dlllist", "dlldump", "mftparser", "netscan", & "moddump".

There is a wide variety of browser plugins in Volatility now that can give you lots of good information, so practicing with those is also recommended.

DFIR 012 – Clam AV rules to Yara

This post was inspired while I was playing around with the new SIFT workstation, and I needed to get my tools and scripts onto the VM. A couple of team members saw what I was doing and did not know this was possible, so I figured I would write up a quick post on how to convert your ClamAV database into a set of Yara rules that you can use during your investigations.

You can get the Python script here

# for Clam AV
# should be installed, but this is to verify
sudo apt-get install clamav clamav-freshclam
sudo freshclam

# for Yara
sudo apt-get install libpcre3 libpcre3-dev
sudo apt-get install yara


# unpack the main.* signature files (main.ndb among them) into the current directory
sigtool -u /var/lib/clamav/main.cvd
python clamav_to_yara.py -f main.ndb -o clamav.yara

There is one rule I had to manually clean up, though...

vim +199819 clamav.yara

Once that is done, you can use this file anywhere you would use your yara rule.
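To show what the conversion actually has to do, here is a minimal ndb-to-YARA converter. This is an added example, not the clamav_to_yara.py script linked above; it assumes the ndb line layout "Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]", handles the common signature syntax (fixed hex, ?? and nibble wildcards, * and {n}/{n-m}/{-m}/{n-} jumps, (aa|bb) alternatives, * or numeric offsets, and TargetType 1 as a PE header check), and reports anything else as skipped so you can fix it by hand, which is the kind of manual clean-up the post mentions. The function names and the sample lines are this example's own.

```python
"""Minimal ClamAV ``.ndb`` to YARA converter.

Added example, not the clamav_to_yara.py script the post links to.  Assumes
the ndb line layout ``Name:TargetType:Offset:HexSig[:MinFL[:MaxFL]]``.
Unsupported syntax raises ValueError and the line is reported as skipped.
"""
import re

# One ClamAV hex-signature token: byte (with ? nibble wildcards), *, {jump}, ( | )
TOKEN_RE = re.compile(r"([0-9a-fA-F?]{2})|(\*)|\{(\d*)(-?)(\d*)\}|([()|])")
FIXED_BYTE_RE = re.compile(r"^[0-9a-f]{2}$")


def clam_hex_to_yara(sig):
    """Translate one ClamAV hex signature body into a YARA hex string body."""
    tokens, pos = [], 0
    while pos < len(sig):
        m = TOKEN_RE.match(sig, pos)
        if not m:
            raise ValueError("unsupported syntax at %r" % sig[pos:pos + 8])
        pos = m.end()
        byte, star, lo, dash, hi, punct = m.groups()
        if byte:
            tokens.append(byte.lower())
        elif star:
            tokens.append("[-]")                  # ClamAV * is YARA's unbounded jump
        elif punct:
            tokens.append(punct)                  # ( | ) mean the same in YARA
        elif not lo and not hi:
            raise ValueError("empty jump in %r" % sig)
        elif not dash:
            tokens.append("[%s]" % lo)            # {n} -> [n]
        else:
            tokens.append("[%s-%s]" % (lo or "0", hi))  # {n-m},{-m},{n-} -> [n-m],[0-m],[n-]
    # YARA rejects jumps at either end; be conservative and require fixed bytes.
    if not tokens or not FIXED_BYTE_RE.match(tokens[0]) or not FIXED_BYTE_RE.match(tokens[-1]):
        raise ValueError("must start and end with a fixed byte: %r" % sig)
    return " ".join(tokens)


def ndb_line_to_rule(line, seen):
    """Build one YARA rule from an ndb line; ``seen`` dedupes rule names."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not an ndb line: %r" % line)
    name, target, offset, hexsig = parts[:4]
    ident = re.sub(r"\W", "_", name)[:120]        # YARA identifiers: [A-Za-z_][\w]*
    if not re.match(r"[A-Za-z_]", ident):
        ident = "clam_" + ident
    seen[ident] = seen.get(ident, 0) + 1
    if seen[ident] > 1:
        ident = "%s_%d" % (ident, seen[ident])
    if offset == "*":
        cond = "$a"
    elif offset.isdigit():
        cond = "$a at %s" % offset
    else:
        raise ValueError("unsupported offset %r" % offset)  # EP+n, EOF-n, SEn, ...
    if target == "1":                             # TargetType 1 is a PE file
        cond = "uint16(0) == 0x5A4D and " + cond
    return ("rule %s\n{\n    meta:\n        clamav_name = \"%s\"\n"
            "    strings:\n        $a = { %s }\n    condition:\n        %s\n}\n"
            % (ident, name.replace('"', '\\"'), clam_hex_to_yara(hexsig), cond))


def ndb_to_yara(lines):
    """Return (yara_text, skipped_names) for an iterable of ndb lines."""
    rules, skipped, seen = [], [], {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        try:
            rules.append(ndb_line_to_rule(line, seen))
        except ValueError:
            skipped.append(line.split(":", 1)[0])
    return "\n".join(rules), skipped


# Constructed sample lines (not from a real ClamAV database).
SAMPLE_NDB = [
    "Win.Trojan.Test-1:1:*:4d5a9000*50450000",
    "Generic.Thing:0:128:deadbeef{2-4}?afe",
    "Odd.Anchor:0:*:(B)4142",                     # (B) anchor is not handled
]

if __name__ == "__main__":
    text, skipped = ndb_to_yara(SAMPLE_NDB)
    print(text)
    print("skipped, fix by hand:", skipped)
```

The skipped list is the useful part on a real main.ndb: it tells you which signatures need the hand edit the post describes instead of leaving a rule in the file that yara refuses to compile.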

Pretty cool!