2010-11-19

Volatility Mem Forensics IV – Putting it all together

To make things simpler, this article gives an overview of doing a Volatility run, and mentions some tools that can help automate things further.



The previous article finished describing the Volatility plugins in detail. This final article looks at doing a full Volatility run, and then describes some tools that can help automate things further.

Doing a Volatility Run


To analyze a raw memory dump, start by copying the raw dump to be analyzed into its case directory.
I wrote a quick script to run the individual Volatility commands.

You can download it here: http://dl.dropbox.com/u/2073352/101118-volcmd.bsh

Run the script as follows:

volcmd.bsh 'my-case.dir' 'name-memory-dump'

It will run all the Volatility plugins and leave a series of files “out_xxx” in the case directory. There will also be directories (“exec_xxx”) containing extracted executables to be scanned or otherwise analyzed.
Note that the registry dumping commands still have to be run manually. For this, the script prints sample commands to the screen that can be cut and pasted for execution.

Virus scanning

One unanswered question is what to do with all the extracted executables found by the Volatility plugins.

Clam AV

One possibility is to run one or more local AV programs against the extracted executables.

This will give a subset that can then be submitted to Virustotal for detailed scanning.

There is one open-source AV program that runs directly on Linux: Clam AV. It is a command-line virus scanner, targeted towards scanning Windows malware from a Linux host.

Installation and use of Clam is discussed in detail here: https://help.ubuntu.com/community/ClamAV

Essentially 2 packages are installed using apt-get or Synaptic Package Manager: clam, freshclam.

Then as root, run the following to update the virus signatures:

freshclam

Then to scan a directory:

clamscan -r /my_directory_to_scan | egrep -v " OK| Empty file"

Note that the "egrep -v" cuts down the noise in the output.

Scan from a Windows PC

Another approach for local scanning would be to scan the extracted files from a Windows PC.
This can be done by setting up a Windows share from the Ubuntu host computer. This is easy to do on Ubuntu:
  • Download and install samba using Synaptic: System -> Administration -> Synaptic Package Manager
  • In the Nautilus file manager, right click the directory with the executables.
  • Sharing Options -> click "Share this folder"
  • Be sure the onboard firewall allows Windows protocols (if the firewall is enabled).
  • On the Windows computer, map the network share as usual. Log in as one of the users defined on the Ubuntu box.

Automating Virustotal submissions

The next step could be to batch submit a (small) subset of the executables to VirusTotal. If Volatility extracted 2000+ code samples, then maybe a selected 10% of these could be submitted to VirusTotal for further analysis.

The VirusTotal API

There is a VirusTotal public API available. The API constrains ordinary users according to the following limits:
  • 20 submissions for a given 5-minute period
  • 20 MB maximum file size
To receive an API key, you must become a member of the VirusTotal user community. See http://www.virustotal.com for the details.

lgvtotal.py module

Based on the sample demo code available for the public API, I have written a small Python script to automate uploads: lgvtotal.py.

You can download it from here: http://code.google.com/p/lgvtotal/
(Note that this program needs posthandler.py (in the same directory) to run correctly. posthandler.py is the HTTP MIME interface code.)

lgvtotal.py automatically takes the VirusTotal restrictions into account.

Because of the constraints on API throughput, the program has a checkpoint facility that allows execution to be restarted if it terminates abnormally. The checkpoint can also be used to print a full report of the results once all the files have been scanned and the program has obtained the results.

For more information, consult the program's usage documentation:

python lgvtotal.py --help

and look at the wiki located at the link mentioned above.
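As an added example (not lgvtotal.py or any VirusTotal code), here is a small Python helper that applies the two constraints above and keeps a restartable checkpoint; the `submit` callable, the checkpoint file name and the sample paths are assumptions, and keying results by SHA-256 means identical extracted executables are uploaded only once.

```python
import hashlib, json, os, time
from collections import deque

MAX_PER_WINDOW, WINDOW_SECONDS = 20, 300   # public API: 20 submissions per 5-minute period
MAX_FILE_BYTES = 20 * 1024 * 1024          # public API: 20 MB maximum file size
def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

class BatchSubmitter:   # hypothetical helper; submit(path) performs one upload and returns the API answer
    def __init__(self, submit, checkpoint_path, clock=time.monotonic, sleep=time.sleep):
        self.submit, self.checkpoint_path = submit, checkpoint_path
        self.clock, self.sleep = clock, sleep   # injectable so the wait logic can be tested offline
        self.sent = deque()                     # timestamps of uploads in the current window
        self.results = {}
        if os.path.exists(checkpoint_path):     # resume after an abnormal exit
            with open(checkpoint_path) as f:
                self.results = json.load(f)

    def _save(self):
        tmp = self.checkpoint_path + ".tmp"     # write-then-rename: never a torn checkpoint
        with open(tmp, "w") as f:
            json.dump(self.results, f)
        os.replace(tmp, self.checkpoint_path)

    def _wait_for_slot(self):
        while True:
            now = self.clock()
            while self.sent and now - self.sent[0] >= WINDOW_SECONDS:
                self.sent.popleft()             # forget uploads older than the window
            if len(self.sent) < MAX_PER_WINDOW:
                return
            self.sleep(WINDOW_SECONDS - (now - self.sent[0]))

    def run(self, paths):
        for path in paths:
            digest = sha256_of(path)            # identical samples are uploaded only once
            if digest in self.results:          # already handled before a restart
                continue
            if os.path.getsize(path) > MAX_FILE_BYTES:
                self.results[digest] = {"path": path, "status": "skipped_too_large"}
            else:
                self._wait_for_slot()
                self.results[digest] = {"path": path, "status": "submitted", "answer": self.submit(path)}
                self.sent.append(self.clock())
            self._save()
        return self.results
```

The returned dictionary (also what the checkpoint file holds) is the full report of the run: one entry per distinct sample, with its status and the API's answer.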

Odds and Ends

To finish up, this section mentions various items that didn’t seem to fit anywhere else.

hiberfil.sys

Remember that hiberfil.sys (the Windows hibernation file) can be used to reconstruct a raw image dump. Sometimes, if things have been deleted from running memory or the disks, the hibernation file still contains previous state that may be useful.

Dumping window contents, dumping graphics files

I have not tested the following posts, but list the references just in case:

http://blogs.gnome.org/muelli/2010/04/volatility-memory-forensics-framework-for-ubuntu/
Describes how to search dumped memory for graphics files such as jpg, then extract them.

http://moyix.blogspot.com/2010/07/gdi-utilities-taking-screenshots-of.html
Gives a plugin, with installation instructions (since extra software is needed), to show the contents of Windows screens at the time of the dump.

3 comments:

Maksim said...

Thanks a lot for these articles about Volatility. Very helpful!

Tony Rodrigues said...

Hi ! Thanks for the nice posts.
Something that could help reduce file submissions to VirusTotal is pre-filtering out some of them. This can be done by passing all files through ssdeep and comparing the fuzzy hash results with a Known Good hashset (NSRL can be transformed and used). All files around 95% (or less; this must be analysed) could be discarded as good files.
Take care,
Tony

cbentle2 said...

Hi all,
I've just started taking a more active look at using Volatility and I thought I would point people in the direction of a new Windows batch script I've created (it's based on the one from lg's post).

Feel free to post any improvements; I already have a few things in mind to update the script.

Blog Post:
http://active-security.blogspot.com/2011/05/volatility-script-for-windows.html

Script location:
https://docs.google.com/leaf?id=0Bz2rZ4S-yK8AMDE5ODhhMzEtOGNhMS00N2U3LWEyMzYtNjFkNTFmMjc4ZTZi&hl=en_US