By Derek Meier - March 11, 2015
I like to process RAM images using Volatility. The Volatility framework, available at http://www.volatilityfoundation.org/, has saved me endless nights toiling away doing a deep dive into a full forensic disk image. The time it takes to fully analyze a RAM capture of an infected machine is nothing compared to doing analysis on a full forensic disk image. I will never say dead disk forensics is a relic of times gone by, and a RAM capture may not have a complete picture of an event, but it should give you a great amount of relevant information. Hopefully this information can rapidly rule out the need to continue with a full disk analysis.
I also like those commercials on late night TV where you simply set it, and/or forget it. Hitting start on a system and coming back in an hour to find a folder full of results is a wonderful feeling. Plus I find it very useful in my line of work to have reproducible results. As I started capturing more and more RAM images for processing it became apparent that I was always running the same plugins or needing similar information. So, after a bit of playing around one night I came up with a simple shell script to help automate some of the aspects of using Volatility. This script encompasses very little of the analysis you can perform with Volatility, so check it out at their website for a complete list - and please buy "The Art of Memory Forensics!"
There are a few requirements to using this script:
- This script is only intended for processing Windows RAM images
- I use the latest version of Volatility from their Github repository - 2.4 currently
- My main system is running Ubuntu 14.04 LTS x64, but 12.04 should work just fine
- A few simple tools that should be used are nuhup, mactime, yara, and hashdeep
- There are a few custom plugins used that were written by the outstanding community members - check out some of the winning plugins from the 2014 plugin contest: http://www.volatilityfoundation.org/#!2014/cjpn
- I'm using the current stable version of Bulk_Extractor from their Github repository - 1.5: https://github.com/simsong/bulk_extractor
To use the script I will customize the grep terms and then save a copy in the same directory as the RAM image. Then just run the file from the command line:
> ./vol_script.sh
Once running it will prompt you for a name or description for the case you are working on, and then attempt to find the correct Windows profile automatically.
When the script is finished there will be a new directory called "vol" with the output from all of the plugins and the time.log file.
You can grab a copy of the script here:
https://raw.githubusercontent.com/dmeier-umn/VolScript/master/vol_script.shI will update the script frequently (consider it a work in progress) and may move to a new Github repository once I have a few more things finalized.
If you like the script, or have a better way to do things please don't hesitate to leave a comment below!
Resources (more found in the script):
The Art of Memory Forensics: http://www.memoryanalysis.net/#!amf/cmg5
Github repository for the latest version of Volatility: https://github.com/volatilityfoundation/volatility
http://www.jeffbryner.com/code/pdgmail
https://github.com/simsong/bulk_extractor
http://bitbucket.cassidiancybersecurity.com/prefetch-parser
https://github.com/dfirfpi/hotoloti
No comments:
Post a Comment