Tuesday, May 31, 2011

Volatility Script for Windows

Well I've decided to make more of an effort to use my blog.

First article will be a new Windows-based Volatility script I've developed, based on the one from lg's blog (http://lorgor.blogspot.com/2010/11/volatility-mem-forensics-ivputting-it.html).

There are a few prerequisites; just follow the instructions on the Volatility Wiki site:

The report also makes use of the malware.py script from http://code.google.com/p/malwarecookbook/. Just download the plugin and drop the file in the plugins directory.

Set-up
Make sure all your environment variables have been set up for Python and Perl (instructions can be found on numerous sites).

Drop the batch file into the Volatility directory and make sure you update the following:

Your case directory and dumps directory; these can be wherever you like on your machine.
  • mkdir C:\Forensics\Training\Images\mem\%yyyy%%mm%%dd%
  • mkdir C:\Forensics\Training\Images\mem\%yyyy%%mm%%dd%\dumps
You should also check and set up the following:

set VOLDIR="C:\Forensics\vol\vol1.4\%VOLDIR%\vol.py-1.4_rc1"
set PYTHON="C:\Python27\python.exe"
set PERL="C:\Perl\bin\perl.exe"

Running the script
I generally run the script in the following way:
  1. Open a command prompt and change directory to the Volatility directory.
  2. Run the script by typing the following; remember that if the path contains spaces, put quotes around the parameter.

volscript.bat <path-to-memory-dump> <name-of-report>


The script can take a while to complete, but once it has finished you will have a single report which you can analyse.
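As an added example (not the author's volscript.bat, which is not reproduced here), this is a minimal batch wrapper that follows the same pattern: the dated case directory, the PYTHON and VOLDIR variables from the set-up section, and a fixed list of plugins whose output is appended into one report. The install paths and the plugin list are assumptions, so adjust them to your own machine.

```batch
@echo off
REM Added example, not the author's volscript.bat: a minimal wrapper that
REM creates the dated case directory described above, runs a fixed list of
REM Volatility 1.4 plugins against one image and appends each plugin's output
REM to a single report file. Paths below are assumed; adjust for your machine.
REM Usage: volscript.bat <path-to-memory-dump> <name-of-report>
setlocal

if "%~2"=="" (
    echo Usage: %~nx0 ^<path-to-memory-dump^> ^<name-of-report^>
    exit /b 1
)
set "IMAGE=%~1"
set "REPORTNAME=%~2"

REM Assumed install locations, as in the post's set-up section.
set "PYTHON=C:\Python27\python.exe"
set "VOLDIR=C:\Forensics\vol\vol1.4\vol.py-1.4_rc1"
set "CASEROOT=C:\Forensics\Training\Images\mem"

REM Derive yyyy, mm and dd from WMI rather than %date%, whose layout depends
REM on the regional settings of the analysis machine.
for /f "skip=1 tokens=1" %%d in ('wmic os get localdatetime') do (
    if not defined STAMP set "STAMP=%%d"
)
set "yyyy=%STAMP:~0,4%"
set "mm=%STAMP:~4,2%"
set "dd=%STAMP:~6,2%"

set "CASEDIR=%CASEROOT%\%yyyy%%mm%%dd%"
if not exist "%CASEDIR%\dumps" mkdir "%CASEDIR%\dumps"
set "REPORT=%CASEDIR%\%REPORTNAME%.txt"
echo Volatility report for "%IMAGE%" (%yyyy%-%mm%-%dd%) > "%REPORT%"

REM Process, DLL and network listings, plus malfind from malware.py, each
REM under its own banner so the sections are easy to find in the report.
for %%p in (imageinfo pslist psscan dlllist connections sockets malfind) do (
    echo. >> "%REPORT%"
    echo ===== %%p ===== >> "%REPORT%"
    "%PYTHON%" "%VOLDIR%\vol.py" %%p -f "%IMAGE%" >> "%REPORT%" 2>&1
)
echo Report written to "%REPORT%"
endlocal
```

Because every plugin's stderr is also captured, a plugin that fails on the image (for example a profile mismatch) shows up as an error under its own banner rather than silently leaving an empty section.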

That was the easy part; the hard part is analysing the report and identifying whether the machine has been compromised in some way.

Over the coming weeks I will provide more posts on analysing the output from the images hosted at Michael Hale Ligh's site: http://code.google.com/p/malwarecookbook/

In my opinion the Malware Analyst's Cookbook has to be considered the de facto standard when it comes to analysing malware and memory analysis; simply put, you have to buy this book.


I'll periodically post updates to the script.

The script can be found here; just rename the file to .bat. There is also a sample report taken from the Zeus sample from the Malware Cookbook site.

---Update 13/03/2012---
Added naft by Didier Stevens (http://blog.didierstevens.com/2012/03/12/naft-release/) to automate dumping network traffic as part of the automated script.

Just download all the files and put naft-gfe.py in the same directory as vol.py and volscript; remember to add naft_pfef and naft_uf to C:\Python27\Lib.

Once the pcap file has been created you can use NetWitness, Netminer or Wireshark to analyse it.