The previous article finished describing the Volatility plugins in detail. This final article looks at doing a full Volatility run, and then describes some tools that can help automate things further.
Doing a Volatility Run
To analyze a raw memory dump, start by copying the raw dump to be analyzed into its case directory.
I wrote a quick script to run the individual Volatility commands.
You can download it here: http://dl.dropbox.com/u/2073352/101118-volcmd.bsh
Run the script as follows:
volcmd.bsh 'my-case.dir' 'name-memory-dump'
It will run all the Volatility plugins and leave a series of files ("out_xxx") in the case directory. There will also be directories ("exec_xxx") containing the extracted executables, to be scanned or otherwise analyzed.
Note that the registry dumping commands still have to be run manually. For these, the script prints sample commands to the screen that can be cut and pasted for execution.
Virus scanning
One unanswered question is what to do with all the extracted executables found by the Volatility plugins.
Clam AV
One possibility is to run one or more local AV programs against the extracted executables.
This will give a subset that can then be submitted to VirusTotal for detailed scanning.
There is one open-source AV program that runs directly on Linux: Clam AV. It is a command-line virus scanner, targeted at scanning Windows malware from a Linux host.
Installation and use of Clam is discussed in detail here: https://help.ubuntu.com/community/ClamAV
Essentially two packages are installed using apt-get or Synaptic Package Manager: clam, freshclam.
Then, as root, run freshclam to update the virus signatures:
freshclam
Then, to scan a directory:
clamscan -r /my_directory_to_scan | egrep -v " OK| Empty file"
Note that the "egrep -v" cuts down the noise in the output by dropping the lines for clean and empty files.
Scan from a Windows PC
Another approach for local scanning would be to scan the extracted files from a Windows PC.
This can be done by setting up a Windows share on the Ubuntu host computer. This is easy to do on Ubuntu:
- Download and install samba using Synaptic: System -> Administration -> Synaptic Package Manager
- In the Nautilus file manager, right-click the directory with the executables.
- Sharing Options -> click "Share this folder"
- Be sure the onboard firewall allows Windows protocols (if the firewall is enabled).
- On the Windows computer, map the network share as usual. Log in as one of the users defined on the Ubuntu box.
Automating VirusTotal submissions
The next step could be to batch-submit a (small) subset of the executables to VirusTotal. If Volatility extracted 2000+ code samples, then perhaps a selected 10% of these could be submitted to VirusTotal for further analysis.
The VirusTotal API
There is a VirusTotal public API available. The API constrains ordinary users according to the following limits:
- 20 submissions for a given 5 minute period
- 20 MB file maximum size.
lgvtotal.py module
Based on the sample demo code available for the public API, I have written a small Python script to automate uploads: lgvtotal.py.
You can download it from here: http://code.google.com/p/lgvtotal/
(Note that this program needs posthandler.py, in the same directory, to run correctly. posthandler.py is the HTTP MIME interface code.)
lgvtotal.py automatically takes the VirusTotal restrictions into account.
Because of the constraints on API throughput, the program has a checkpoint facility that allows execution to be restarted if it terminates abnormally. The checkpoint function can also be used to print a full report of results once all the files have been scanned and the results obtained by the program.
For more information, consult the program's usage documentation:
python lgvtotal.py --help
and look at the wiki located at the link mentioned above.
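As an added example (my own sketch, not the lgvtotal.py code itself), the following Python shows how the two public-API limits and a checkpoint file can be enforced in a batch submitter so that a killed run picks up where it left off. The upload hook `submit_fn`, the file names and the fake clock in `demo()` are constructed for illustration; no request is actually sent.

```python
import json, os, tempfile, time

MAX_PER_WINDOW = 20                # public API: 20 submissions per 5-minute window
WINDOW_SECONDS = 300
MAX_FILE_BYTES = 20 * 1024 * 1024  # public API: 20 MB per file

class Submitter:
    # submit_fn: hypothetical upload hook (path -> result string); no real HTTP here
    def __init__(self, checkpoint, submit_fn, clock=time.time, sleep=time.sleep):
        self.checkpoint, self.submit_fn = checkpoint, submit_fn
        self.clock, self.sleep, self.sent = clock, sleep, []  # sent: send times in window
        self.done = json.load(open(checkpoint)) if os.path.exists(checkpoint) else {}

    def _throttle(self):  # block until fewer than MAX_PER_WINDOW sends fall in the window
        while True:
            now = self.clock()
            self.sent = [t for t in self.sent if now - t < WINDOW_SECONDS]
            if len(self.sent) < MAX_PER_WINDOW:
                return
            self.sleep(WINDOW_SECONDS - (now - self.sent[0]))

    def run(self, paths):
        submitted, skipped = [], []
        for p in paths:
            if p in self.done: continue  # finished before a restart: never resubmitted
            if os.path.getsize(p) > MAX_FILE_BYTES:
                self.done[p] = "skipped: over 20 MB"  # rejected locally, no quota used
                skipped.append(p)
            else:
                self._throttle()
                self.done[p] = self.submit_fn(p)
                self.sent.append(self.clock())
                submitted.append(p)
            with open(self.checkpoint, "w") as f:
                json.dump(self.done, f)  # checkpoint after every file
        return submitted, skipped

def demo():  # constructed input: 25 tiny files plus one sparse 20 MB + 1 byte file
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, "exe_%02d.bin" % i) for i in range(25)] + [os.path.join(d, "big.bin")]
    for p in paths[:-1]:
        open(p, "wb").write(b"MZ")
    open(paths[-1], "wb").truncate(MAX_FILE_BYTES + 1)  # sparse, so cheap to create
    clock, slept = {"t": 0.0}, []  # fake clock so the demo never really sleeps
    def fake_sleep(s):
        slept.append(s); clock["t"] += s
    ckpt = os.path.join(d, "checkpoint.json")
    first = Submitter(ckpt, lambda p: "sent", lambda: clock["t"], fake_sleep).run(paths)
    rerun = Submitter(ckpt, lambda p: "resent").run(paths)  # restart: everything skipped
    return first, slept, rerun
```

Running `demo()` submits 25 files, sleeps once for the rest of the 5-minute window before the 21st, skips the oversized file, and on the simulated restart resubmits nothing.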
Odds and Ends
To finish up, this section mentions various items that did not seem to fit anywhere else.
hiberfil.sys
Remember that hiberfil.sys (the Windows hibernation file) can be used to reconstruct a raw memory image. If things have been deleted from the running memory or disks, the hibernation file may still contain previous state that is useful.
Dumping window contents, dumping graphics files
I have not tested the following posts, but list the references in case they are useful:
- Describes how to search dumped memory for graphics files such as JPEGs, then extract them.
- Gives a plugin, with installation instructions (since extra software is needed), to show the contents of Windows screens at the time of the dump.