Posts Tagged ‘volatility’

SECCON 2016 Forensics 100 Memory Analysis writeup

December 11, 2016

Challenge Description:

Memory Analysis
Find the website that the fake svchost is accessing.
You can get the flag if you access the website!

Hint1: http://www.volatilityfoundation.org/
Hint2: Check the hosts file

The first task was to list all the svchost.exe processes running on the machine and then look for suspicious artifacts that single out the rogue one. The pstree plugin from the Volatility framework lists every running process together with its parent.

[Screenshot: pstree output]

svchost.exe is a generic host process: services implemented as DLLs are grouped together and run inside a small number of svchost.exe instances, so you will typically see five or more of them on a machine. Now, let's single out the rogue svchost process based on a few artifacts.

There are seven instances of svchost.exe running, and all of them were started by the expected parent process, services.exe (672). There are no spelling mistakes in the process names. Next, check whether each one has a proper image path: a legitimate svchost.exe runs from %SystemRoot%\System32\svchost.exe.

[Screenshot: redline]

As you can see, the processes with PIDs 848, 1320, 1088, 936 and 1036 run from the System32 folder with legitimate service-group parameters (DcomLaunch, LocalService, NetworkService, rpcss, netsvcs). That leaves PID 1776 as the fake svchost.exe, since it runs from a directory other than System32. We will now look for at least one more artifact to support this finding, starting with suspicious network activity:

[Screenshot: connscan output]

Process IDs 3676 and 2776 are unidentified and not important here. The only related entry is PID 1080 (IEXPLORE.EXE). It looks legitimate, as the browser is communicating over port 80, but its parent is another IEXPLORE.EXE instance (380) that was started by our fake svchost.exe (1776). I am stopping here; I am sure you can also find some registry artifacts.

If you run strings over the memory-resident pages dumped from processes 380, 1080 and 1776 (the memdump plugin writes them out), you can see that iexplore was launched with the argument "http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd", which leads to a blog article. (The cmdline plugin prints each process's command line directly and is a quicker way to confirm this.) Let's note this down; it will be useful later.
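The image-path and parent-process checks above can be scripted so they run over the whole process list instead of being eyeballed in a screenshot. The following is an added example, not code from the original writeup: it parses text shaped like Volatility 2 pstree and cmdline output and flags any svchost.exe whose parent is not services.exe, whose image is not %SystemRoot%\System32\svchost.exe, which lacks the -k service-group argument, or which has spawned a browser. The two samples are constructed; their offsets, PIDs, paths and URL are illustrative and are not taken from the challenge image.

```python
"""Rogue-svchost triage over pstree and cmdline output.

Added example, not code from the original writeup. PSTREE and CMDLINE are
constructed samples shaped like Volatility 2 `pstree` and `cmdline` output;
their offsets, PIDs, paths and URL are illustrative, not from the challenge.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# Constructed sample (not the challenge image): one svchost runs from a user
# directory and has spawned a browser.
PSTREE = r"""
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x85a3c020:services.exe                                672    620     10    220 2016-12-05 03:10:12 UTC+0000
. 0x85b01d40:svchost.exe                                848    672     12    340 2016-12-05 03:10:13 UTC+0000
. 0x85b12030:svchost.exe                                936    672      9    280 2016-12-05 03:10:13 UTC+0000
. 0x85b1a6c8:svchost.exe                               1036    672     20    510 2016-12-05 03:10:14 UTC+0000
. 0x85b3f1d0:svchost.exe                               1776    672      3     90 2016-12-05 03:14:02 UTC+0000
.. 0x85c0a8e0:IEXPLORE.EXE                              380   1776      9    310 2016-12-05 03:14:05 UTC+0000
... 0x85c11a30:IEXPLORE.EXE                            1080    380     14    420 2016-12-05 03:14:06 UTC+0000
"""

# Constructed sample shaped like `vol.py cmdline` output.
CMDLINE = r"""
services.exe pid:    672
Command line : C:\Windows\system32\services.exe
************************************************************************
svchost.exe pid:    848
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
svchost.exe pid:    936
Command line : C:\Windows\system32\svchost.exe -k rpcss
************************************************************************
svchost.exe pid:   1036
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
svchost.exe pid:   1776
Command line : C:\Users\Public\svchost.exe
************************************************************************
IEXPLORE.EXE pid:    380
Command line : "C:\Program Files\Internet Explorer\iexplore.exe" http://blog.example/entry/some-post
************************************************************************
IEXPLORE.EXE pid:   1080
Command line : "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:380
"""

# Expected image path; adjust if %SystemRoot% is not C:\Windows on the image.
SYSTEM32_SVCHOST = r"c:\windows\system32\svchost.exe"
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}

PSTREE_RE = re.compile(r"^[. ]*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)", re.M)
CMDLINE_RE = re.compile(r"^(\S+) pid:\s+(\d+)\s*\nCommand line : (.*)$", re.M)


def parse_pstree(text):
    """pid -> Proc. The dot prefix encodes depth; the PPid column is what we trust."""
    return {int(pid): Proc(int(pid), int(ppid), name)
            for name, pid, ppid in PSTREE_RE.findall(text)}


def parse_cmdline(text):
    """pid -> command line string."""
    return {int(pid): cmd.strip() for _name, pid, cmd in CMDLINE_RE.findall(text)}


def image_path(cmd):
    """First token of the command line, quoted or not, lower-cased for comparison."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)).lower()


def triage_svchost(procs, cmds):
    """Return {pid: [reasons]} for every svchost.exe that fails a check."""
    findings = {}
    for p in sorted(procs.values(), key=lambda q: q.pid):
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        parent = procs.get(p.ppid)
        if parent is None or parent.name.lower() != "services.exe":
            reasons.append("parent %d is not services.exe" % p.ppid)
        cmd = cmds.get(p.pid)
        if cmd is None:
            reasons.append("no command line recovered")  # still worth a look
        else:
            path = image_path(cmd)
            if path != SYSTEM32_SVCHOST:
                reasons.append("image path outside System32: " + path)
            if not re.search(r"\s-k\s+\S+", cmd, re.I):
                reasons.append("missing -k <service group> argument")
        for child in procs.values():  # a service host never launches a browser
            if child.ppid == p.pid and child.name.lower() in BROWSERS:
                reasons.append("spawned browser %s (pid %d)" % (child.name, child.pid))
        if reasons:
            findings[p.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage_svchost(parse_pstree(PSTREE), parse_cmdline(CMDLINE)).items():
        print("svchost.exe pid %d:" % pid)
        for r in reasons:
            print("  - " + r)
```

Feed it real output by saving `vol.py ... pstree` and `vol.py ... cmdline` to files and reading them into the two variables; the checks are deliberately independent so a sample that passes the path test but was spawned from the wrong parent still shows up.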

The hint given in the challenge was to reconstruct c:\windows\system32\drivers\etc\hosts. The filescan plugin finds the file object for the hosts file at physical offset 0x000000000217b748, and the dumpfiles plugin (dumpfiles -Q 0x000000000217b748) extracts the file from memory, giving us the hosts file contents.

[Screenshot: dumped hosts file]

You can also find the same IP address (153.127.200.178) in the connscan output. When you access this IP address, you will see an Nginx page with a welcome message. I added the IP address and the host name to my /etc/hosts file and tried accessing the same page, but I was redirected to the same Nginx page. I was wondering where I had gone wrong. They said I would get the flag if I accessed the website, but what I saw was just the usual Nginx welcome message. After the contest was over, I was going through my findings and found this URL ("http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd") in my notes, which I had got after dumping the process memory of the IEXPLORE process!
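A dumped hosts file is easiest to read with a small script, especially when the stock comment block is long. This added example (not part of the original writeup) strips comments, keeps only the entries that do not point at loopback, and matches their addresses against connscan-style output so each hijacked hostname is tied to the PID that actually talked to it. The hosts and connscan texts are constructed samples using documentation addresses; the hostname and IP are placeholders, not the challenge's.

```python
"""Hosts-file hijack detection correlated with connscan output.

Added example, not code from the original writeup. HOSTS and CONNSCAN are
constructed samples; the hostname and addresses are placeholders.
"""
import ipaddress
import re

# Constructed sample of a dumped Windows hosts file with an appended entry.
HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server
# localhost name resolution is handled within DNS itself.
#       ::1             localhost
127.0.0.1       localhost
203.0.113.10    blog.example www.blog.example   # appended entry
"""

# Constructed sample shaped like `vol.py connscan` output.
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f2a2e8 192.168.56.101:1043       203.0.113.10:80           1080
0x0217c0a0 192.168.56.101:1047       198.51.100.7:443          3676
"""

CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)", re.M)


def parse_hosts(text):
    """List of (hostname, ip) pairs; comments and malformed lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment anywhere on the line
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # a tampered file may contain junk; skip rather than crash
        for host in parts[1:]:   # one line may map several names
            entries.append((host.lower(), str(ip)))
    return entries


def hijacked(entries):
    """Entries that resolve somewhere other than loopback.

    A stock Windows hosts file only maps localhost (and even that is commented
    out on recent versions), so anything else is worth a look."""
    return [(h, ip) for h, ip in entries if not ipaddress.ip_address(ip).is_loopback]


def parse_connscan(text):
    """List of (local_ip, local_port, remote_ip, remote_port, pid)."""
    return [(lip, int(lp), rip, int(rp), int(pid))
            for lip, lp, rip, rp, pid in CONN_RE.findall(text)]


def correlate(entries, conns):
    """(hostname, ip, [(pid, remote_port), ...]) for each hijacked entry.

    An empty PID list means the redirect exists but nothing in the dump
    was connected to it at capture time."""
    by_ip = {}
    for _lip, _lp, rip, rport, pid in conns:
        by_ip.setdefault(rip, []).append((pid, rport))
    return [(host, ip, sorted(by_ip.get(ip, []))) for host, ip in hijacked(entries)]


if __name__ == "__main__":
    for host, ip, hits in correlate(parse_hosts(HOSTS), parse_connscan(CONNSCAN)):
        print("%-20s -> %-15s connections: %s" % (host, ip, hits or "none"))
```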

LOL 😀 😀 I forgot to use this link and did not refer back to my findings! I opened the URL in a browser and got the flag.

[Screenshot: wget of the flag page]

Anyway it was a good learning experience!


Installing Volatility in Ubuntu

May 22, 2014

Volatility is a memory forensics framework for analysing RAM dumps from Windows, Linux and Mac systems. To analyse an operating system's memory in Volatility you need a profile for that operating system. Windows profiles are built into Volatility by default; for Linux or Mac memory dumps you have to build the profile yourself. The most important thing to note is that a profile is tied to the exact kernel build: a profile built on a system running kernel 3.13 cannot be used to analyse a dump from a system running kernel 3.10. In this article I will show you how to install Volatility on your machine, and in the next post I will show you how to create Linux profiles for analysing Linux memory dumps. Note that I am using Ubuntu 12.04, amd64. Install the packages in the order given below, and make sure no errors appear while installing the dependencies and libraries.

[Update] You can also refer to Volatility’s github for the latest updates about dependencies.

Step 1: Installing dependencies

h1dd3ntru7h@bi0s:~$ sudo apt-get install subversion pcregrep libpcre++-dev python-dev -y

Step 2: Installing PyCrypto

You can either use pip to install the library or download the source from here and install it manually.

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf pycrypto-2.6.1.tar.gz

h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ python  setup.py build

h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ sudo python setup.py install

Step 3: Installing diStorm3

diStorm3 is a disassembler library for x86/AMD64. You can download the source from here.

h1dd3ntru7h@bi0s:~/Apps$ unzip distorm3.zip

h1dd3ntru7h@bi0s:~/Apps$ cd distorm3/

h1dd3ntru7h@bi0s:~/Apps/distorm3$ python setup.py build

h1dd3ntru7h@bi0s:~/Apps/distorm3$ sudo python setup.py install

Step 4: Installing Yara

Volatility supports many plugins that help identify malware in memory dumps, and most of the malware-related plugins use the Yara library. You can download the most recent version available, but for this demo I am using an older version of Yara.

h1dd3ntru7h@bi0s:~/Apps$ wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-1.4.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ cd yara-1.4/

h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ ./configure

h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ make

h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make install

Step 5: Installing Yara Python

Please complete Step 4 before installing yara-python. You can download the yara-python 1.4a source from here. Note that if you downloaded a different version of Yara in Step 4, you must download a matching version of yara-python.

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-python-1.4a.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ cd yara-python-1.4a/

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ python setup.py build

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ sudo python setup.py install

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ sudo sh -c 'echo "/usr/local/lib" >> /etc/ld.so.conf'
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ sudo ldconfig

We are done installing the dependencies; the ld.so.conf entry and ldconfig above are needed so the dynamic linker can find the libyara shared library that make install placed under /usr/local/lib. Now we will install the Volatility framework itself. Please download the source from here; you can extract and use it wherever you want. After downloading, extract it to a directory.

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ sudo python setup.py install

This completes the installation. If everything went right, you should see output similar to the following:

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python vol.py -h
Volatility Foundation Volatility Framework 2.3.1
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/home/h1dd3ntru7h/.volatilityrc
[stripped]
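Once the installation finishes, the quickest way to find a broken link in this chain is to import each module from the interpreter that Volatility will actually use. The script below is an added example, not part of the original post or of the Volatility project: the module names follow the packages installed above, and the hint it prints for a libyara load failure reflects the ld.so.conf and ldconfig step from Step 5. Pass the path of your Volatility interpreter as the first argument (the default is the interpreter running the script).

```python
"""Post-install check for the Volatility dependency chain installed above.

Added example, not part of the original post. Each import runs in a separate
interpreter process so a module whose C extension fails to load reports as a
failure instead of aborting the checker.
"""
import re
import subprocess
import sys

# module name -> the install step above that provides it
REQUIRED = {
    "Crypto": "PyCrypto (Step 2)",
    "distorm3": "diStorm3 (Step 3)",
    "yara": "yara-python (Steps 4 and 5)",
    "volatility": "Volatility itself (python setup.py install)",
}


def check_modules(modules, interpreter=sys.executable):
    """Return {module: (ok, last_stderr_line)} for each module name."""
    results = {}
    for mod in modules:
        # The name is spliced into a -c string, so refuse anything that is
        # not a dotted identifier.
        if not re.match(r"^[A-Za-z_][A-Za-z0-9_.]*$", mod):
            raise ValueError("not a module name: %r" % mod)
        proc = subprocess.Popen([interpreter, "-c", "import " + mod],
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        _out, err = proc.communicate()
        err_lines = err.decode("utf-8", "replace").strip().splitlines()
        results[mod] = (proc.returncode == 0, err_lines[-1] if err_lines else "")
    return results


def missing(results):
    """Sorted names of the modules that failed to import."""
    return sorted(m for m, (ok, _err) in results.items() if not ok)


def hint(mod, err):
    """Map the common Step 5 failure onto the fix the post gives for it."""
    if mod == "yara" and "libyara" in err:
        return ("libyara not found by the dynamic linker: add /usr/local/lib "
                "to /etc/ld.so.conf and run ldconfig")
    return "module missing: re-run the matching install step with this interpreter"


if __name__ == "__main__":
    interp = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    res = check_modules(REQUIRED, interp)
    for mod in sorted(res):
        ok, err = res[mod]
        print("%-11s %s  %s" % (mod, "OK  " if ok else "FAIL", REQUIRED[mod]))
        if not ok:
            print("            %s" % hint(mod, err))
    sys.exit(1 if missing(res) else 0)
```

Run it as `python check_deps.py /usr/bin/python` after the install; a non-zero exit status means at least one of the steps above has to be repeated against that interpreter.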
