Sunday, December 8, 2013

Tip: Memory Analysis with the Volatility Tool

Memory Analysis with the Volatility Tool

Tool used: https://code.google.com/p/volatility/downloads/detail?name=volatility-2.3.1.tar.gz&can=2&q=

Memory image analyzed: http://wargame2k10.nuitduhack.com/epreuves/forensic/EOhpD6Ifu7/forensic2.tar.gz

Example usage: https://www.youtube.com/watch?v=zUUnqQimlHU

Example reference: http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/

0) All information about the vol tool:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py --help
Volatility Foundation Volatility Framework 2.3.1
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/root/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/root/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the timezone for displaying timestamps
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --output=text         Output in this format (format support is module
                        specific)
  --output-file=OUTPUT_FILE
                        write output in this file
  -v, --verbose         Verbose information
  --shift=SHIFT         Mac KASLR shift address
  -g KDBG, --kdbg=KDBG  Specify a specific KDBG virtual address
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address

Supported Plugin Commands:

apihooks       Detect API hooks in process and kernel memory
atoms           Print session and window station atom tables
atomscan       Pool scanner for _RTL_ATOM_TABLE
bioskbd         Reads the keyboard buffer from Real Mode memory
callbacks       Print system-wide notification routines
clipboard       Extract the contents of the windows clipboard
cmdscan         Extract command history by scanning for _COMMAND_HISTORY
connections     Print list of open connections [Windows XP and 2003 Only]
connscan       Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles       Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo       Dump crash-dump information
deskscan       Poolscaner for tagDESKTOP (desktops)
devicetree     Show device tree
dlldump         Dump DLLs from a process address space
dlllist         Print list of loaded dlls for each process
driverirp       Driver IRP hook detection
driverscan     Scan for driver objects _DRIVER_OBJECT
dumpcerts       Dump RSA private and public SSL keys
dumpfiles       Extract memory mapped and cached files
envars         Display process environment variables
eventhooks     Print details on windows event hooks
evtlogs         Extract Windows Event Logs (XP/2003 only)
filescan       Scan Physical memory for _FILE_OBJECT pool allocations
gahti           Dump the USER handle type information
gditimers       Print installed GDI timers and callbacks
gdt             Display Global Descriptor Table
getservicesids Get the names of services in the Registry and return Calculated SID
getsids         Print the SIDs owning each process
handles         Print list of open handles for each process
hashdump       Dumps passwords hashes (LM/NTLM) from memory
hibinfo         Dump hibernation file information
hivedump       Prints out a hive
hivelist       Print list of registry hives.
hivescan       Scan Physical memory for _CMHIVE objects (registry hives)
hpakextract     Extract physical memory from an HPAK file
hpakinfo       Info on an HPAK file
idt             Display Interrupt Descriptor Table
iehistory       Reconstruct Internet Explorer cache / history
imagecopy       Copies a physical address space out as a raw DD image
imageinfo       Identify information for the image
impscan         Scan for calls to imported functions
kdbgscan       Search for and dump potential KDBG values
kpcrscan       Search for and dump potential KPCR values
ldrmodules     Detect unlinked DLLs
lsadump         Dump (decrypted) LSA secrets from the registry
machoinfo       Dump Mach-O file format information
malfind         Find hidden and injected code
mbrparser       Scans for and parses potential Master Boot Records (MBRs)
memdump         Dump the addressable memory for a process
memmap         Print the memory map
messagehooks   List desktop and thread window message hooks
mftparser       Scans for and parses potential MFT entries
moddump         Dump a kernel driver to an executable file sample
modscan         Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules         Print list of loaded modules
mutantscan     Scan for mutant objects _KMUTANT
patcher         Patches memory based on page scans
printkey       Print a registry key, and its subkeys and values
privs           Display process privileges
procexedump     Dump a process to an executable file sample
procmemdump     Dump a process to an executable memory sample
pslist         Print all running processes by following the EPROCESS lists
psscan         Scan Physical memory for _EPROCESS pool allocations
pstree         Print process list as a tree
psxview         Find hidden processes with various process listings
raw2dmp         Converts a physical memory sample to a windbg crash dump
screenshot     Save a pseudo-screenshot based on GDI windows
sessions       List details on _MM_SESSION_SPACE (user logon sessions)
shellbags       Prints ShellBags info
shimcache       Parses the Application Compatibility Shim Cache registry key
sockets         Print list of open sockets
sockscan       Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt           Display SSDT entries
strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan         Scan for Windows services
symlinkscan     Scan for symbolic link objects
thrdscan       Scan physical memory for _ETHREAD objects
threads         Investigate _ETHREAD and _KTHREADs
timeliner       Creates a timeline from various artifacts in memory
timers         Print kernel timers and associated module DPCs
unloadedmodules Print list of unloaded modules
userassist     Print userassist registry keys and information
userhandles     Dump the USER handle tables
vaddump         Dumps out the vad sections to a file
vadinfo         Dump the VAD info
vadtree         Walk the VAD tree and display in tree format
vadwalk         Walk the VAD tree
vboxinfo       Dump virtualbox information
vmwareinfo     Dump VMware VMSS/VMSN information
volshell       Shell in the memory image
windows         Print Desktop Windows (verbose details)
wintree         Print Z-Order Desktop Windows Tree
wndscan         Pool scanner for tagWINDOWSTATION (window stations)
yarascan       Scan process or kernel memory with Yara signatures


1) Select the profile:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem imageinfo
Volatility Foundation Volatility Framework 2.3.1
WDetermining profile based on KDBG search...

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/forensic2/xp_forensics.vmem)
                      PAE type : PAE
                           DTB : 0xae2000L
                          KDBG : 0x80544ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2010-06-18 13:04:52 UTC+0000
     Image local date and time : 2010-06-18 15:04:52 +0200


2) Listing all processes
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 pslist
Volatility Foundation Volatility Framework 2.3.1
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                        
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x821c8830 System                    4      0     56      277 ------      0                                                            
0x82111568 smss.exe                560      4      3       21 ------      0 2010-06-18 12:58:19 UTC+0000                              
0x81fa4020 csrss.exe               608    560     11      414      0      0 2010-06-18 12:58:24 UTC+0000                              
0x820aada0 winlogon.exe            632    560     22      449      0      0 2010-06-18 12:58:28 UTC+0000                              
0x81cbd4d0 services.exe            676    632     16      272      0      0 2010-06-18 12:58:31 UTC+0000                              
0x81e6e498 lsass.exe               700    632     25      342      0      0 2010-06-18 12:58:32 UTC+0000                              
0x81d8fda0 vmacthlp.exe            872    676      1       24      0      0 2010-06-18 12:58:40 UTC+0000                              
0x81acc3b8 svchost.exe             884    676     20      202      0      0 2010-06-18 12:58:40 UTC+0000                              
0x81c4c318 svchost.exe             988    676     10      246      0      0 2010-06-18 12:58:42 UTC+0000                              
0x81d97da0 svchost.exe            1096    676     78     1355      0      0 2010-06-18 12:58:43 UTC+0000                              
0x81fa6230 svchost.exe            1172    676      7       85      0      0 2010-06-18 12:58:44 UTC+0000                              
0x81f2a020 svchost.exe            1308    676     15      209      0      0 2010-06-18 12:58:45 UTC+0000                              
0x81ad1b58 spoolsv.exe            1444    676     14      128      0      0 2010-06-18 12:58:46 UTC+0000                              
0x81f7baa8 vmtoolsd.exe           1756    676      5      204      0      0 2010-06-18 12:58:55 UTC+0000                              
0x81fddd50 VMUpgradeHelper        1892    676      5       96      0      0 2010-06-18 12:58:58 UTC+0000                              
0x81d77020 alg.exe                 412    676      6      100      0      0 2010-06-18 12:59:00 UTC+0000                              
0x81c66020 wscntfy.exe             168   1096      1       34      0      0 2010-06-18 12:59:03 UTC+0000                              
0x81e2a020 explorer.exe           1140   1252     19      489      0      0 2010-06-18 12:59:06 UTC+0000                              
0x820405d0 msiexec.exe            1736    676      5      104      0      0 2010-06-18 12:59:22 UTC+0000                              
0x81b94470 VMwareTray.exe          836   1140      1       57      0      0 2010-06-18 12:59:31 UTC+0000                              
0x81ec0998 VMwareUser.exe         1052   1140      4       97      0      0 2010-06-18 12:59:31 UTC+0000                              
0x81ce8020 ctfmon.exe             1084   1140      1       70      0      0 2010-06-18 12:59:32 UTC+0000                              
0x81e84da0 wpabaln.exe            1812    632      1       66      0      0 2010-06-18 13:01:02 UTC+0000                              
0x81fa8980 IEXPLORE.EXE           1424   1140     16      412      0      0 2010-06-18 13:03:11 UTC+0000                              
0x81c0bab8 notepad.exe             364   1140      2       86      0      0 2010-06-18 13:03:40 UTC+0000                              
0x820a0650 IEXPLORE.EXE            304   1140     17      455      0      0 2010-06-18 13:04:18 UTC+0000
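As an added example (not from the original post), the parent/child sanity check an analyst runs over this pslist output: on Windows XP, smss.exe should descend from System, csrss.exe and winlogon.exe from smss.exe, services.exe and lsass.exe from winlogon.exe, and svchost.exe from services.exe. The expected-parent table is my assumption about the standard XP boot chain; the sample rows are a subset of the listing above.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: a subset of the pslist rows shown above (same column layout).
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x821c8830 System                    4      0     56      277 ------      0
0x82111568 smss.exe                560      4      3       21 ------      0 2010-06-18 12:58:19 UTC+0000
0x81fa4020 csrss.exe               608    560     11      414      0      0 2010-06-18 12:58:24 UTC+0000
0x820aada0 winlogon.exe            632    560     22      449      0      0 2010-06-18 12:58:28 UTC+0000
0x81cbd4d0 services.exe            676    632     16      272      0      0 2010-06-18 12:58:31 UTC+0000
0x81e6e498 lsass.exe               700    632     25      342      0      0 2010-06-18 12:58:32 UTC+0000
0x81acc3b8 svchost.exe             884    676     20      202      0      0 2010-06-18 12:58:40 UTC+0000
0x81e2a020 explorer.exe           1140   1252     19      489      0      0 2010-06-18 12:59:06 UTC+0000
0x81fa8980 IEXPLORE.EXE           1424   1140     16      412      0      0 2010-06-18 13:03:11 UTC+0000
0x81c0bab8 notepad.exe             364   1140      2       86      0      0 2010-06-18 13:03:40 UTC+0000
"""

# Only the offset, name, PID and PPID columns are needed for these checks.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+")

# Parent each core Windows XP process is expected to have (assumption: the
# standard XP boot chain; names compared in lower case).
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}


class Process(NamedTuple):
    offset: int
    name: str
    pid: int
    ppid: int


def parse_pslist(text: str) -> List[Process]:
    """Turn pslist text into Process records; header and separator lines are skipped."""
    procs: List[Process] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        procs.append(Process(int(m.group(1), 16), m.group(2),
                             int(m.group(3)), int(m.group(4))))
    return procs


def find_orphans(procs: List[Process]) -> List[Tuple[str, int, int]]:
    """Processes whose parent PID is absent from the list: the parent exited
    (normal for explorer.exe, whose parent userinit.exe quits) or is hidden
    from the EPROCESS list and needs a psscan/psxview follow-up."""
    pids = {p.pid for p in procs}
    return [(p.name, p.pid, p.ppid) for p in procs
            if p.ppid != 0 and p.ppid not in pids]


def check_expected_parents(procs: List[Process]) -> List[Tuple[str, int, str, str]]:
    """Core system processes whose actual parent differs from EXPECTED_PARENT,
    e.g. a second 'lsass.exe' launched from explorer.exe."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        actual = parent.name.lower() if parent else "<missing>"
        if actual != expected:
            findings.append((p.name, p.pid, actual, expected))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_OUTPUT)
    print("orphans:", find_orphans(procs))
    print("unexpected parents:", check_expected_parents(procs))
```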

3) Save the LSASS process as an executable to the parent directory
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 procmemdump -D ../ -p 700
Volatility Foundation Volatility Framework 2.3.1
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81e6e498 0x01000000 lsass.exe            OK: executable.700.exe


4) Save the LSASS process memory dump (.dmp) to the parent directory
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 memdump -D ../ -p 700
Volatility Foundation Volatility Framework 2.3.1
************************************************************************
Writing lsass.exe [   700] to 700.dmp


5) Current connections are listed according to virtual memory:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 connections
Volatility Foundation Volatility Framework 2.3.1
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81c1be70 192.168.160.142:1094      213.199.186.202:80        304
0x81c0edd8 192.168.160.142:1086      65.55.21.250:80           304
0x81fd5b30 192.168.160.142:1102      72.32.231.8:80            304
0x81c1ab08 192.168.160.142:1088      213.199.164.110:80        304
0x81d19720 192.168.160.142:1103      209.85.229.101:80         304
0x81cb79e8 192.168.160.142:1091      194.209.253.48:80         304
0x81fd45d0 192.168.160.142:1092      213.199.186.203:80        304
0x82021008 192.168.160.142:1090      65.55.149.121:80          304
0x81d6cd48 192.168.160.142:1104      131.194.151.100:80        304
0x81b8e008 192.168.160.142:1108      194.209.253.32:80         304
0x81c0a038 192.168.160.142:1096      194.209.253.42:80         304
0x81fd4cc8 192.168.160.142:1093      213.199.186.202:80        304

6) Current connections are listed according to physical memory:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 connscan
Volatility Foundation Volatility Framework 2.3.1
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01ec3008 192.168.160.142:1099      205.128.90.126:80         304
0x01f8e008 192.168.160.142:1108      194.209.253.32:80         304
0x0200a038 192.168.160.142:1096      194.209.253.42:80         304
0x0200edd8 192.168.160.142:1086      65.55.21.250:80           304
0x0201ab08 192.168.160.142:1088      213.199.164.110:80        304
0x0201be70 192.168.160.142:1094      213.199.186.202:80        304
0x020b79e8 192.168.160.142:1091      194.209.253.48:80         304
0x02119720 192.168.160.142:1103      209.85.229.101:80         304
0x0216cd48 192.168.160.142:1104      131.194.151.100:80        304
0x0218f008 192.168.160.142:1109      4.71.209.19:80            304
0x02276b48 192.168.160.142:1080      66.220.153.15:80          1424
0x02283980 192.168.160.142:1079      69.63.189.16:80           1424
0x022be398 192.168.160.142:1111      93.184.220.20:80          304
0x0230f570 192.168.160.142:1107      93.184.220.20:80          304
0x02345248 192.168.160.142:1110      93.184.220.20:80          304
0x023d45d0 192.168.160.142:1092      213.199.186.203:80        304
0x023d4cc8 192.168.160.142:1093      213.199.186.202:80        304
0x023d5b30 192.168.160.142:1102      72.32.231.8:80            304
0x02421008 192.168.160.142:1090      65.55.149.121:80          304
0x02526008 192.168.160.142:1105      213.186.33.19:80          304
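Added example (not part of the original post): diffing the two listings above. connscan carves _TCPT_OBJECT structures out of physical memory, so it also returns connections that the active list walked by connections no longer references (closed, or unlinked); the entries present only in the scan are the ones worth a second look. Both tables are embedded inline as the sample input.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the `connections` listing above (walk of the active list).
CONNECTIONS_OUTPUT = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81c1be70 192.168.160.142:1094      213.199.186.202:80        304
0x81c0edd8 192.168.160.142:1086      65.55.21.250:80           304
0x81fd5b30 192.168.160.142:1102      72.32.231.8:80            304
0x81c1ab08 192.168.160.142:1088      213.199.164.110:80        304
0x81d19720 192.168.160.142:1103      209.85.229.101:80         304
0x81cb79e8 192.168.160.142:1091      194.209.253.48:80         304
0x81fd45d0 192.168.160.142:1092      213.199.186.203:80        304
0x82021008 192.168.160.142:1090      65.55.149.121:80          304
0x81d6cd48 192.168.160.142:1104      131.194.151.100:80        304
0x81b8e008 192.168.160.142:1108      194.209.253.32:80         304
0x81c0a038 192.168.160.142:1096      194.209.253.42:80         304
0x81fd4cc8 192.168.160.142:1093      213.199.186.202:80        304
"""

# Constructed sample: the `connscan` listing above (pool scan of physical memory).
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01ec3008 192.168.160.142:1099      205.128.90.126:80         304
0x01f8e008 192.168.160.142:1108      194.209.253.32:80         304
0x0200a038 192.168.160.142:1096      194.209.253.42:80         304
0x0200edd8 192.168.160.142:1086      65.55.21.250:80           304
0x0201ab08 192.168.160.142:1088      213.199.164.110:80        304
0x0201be70 192.168.160.142:1094      213.199.186.202:80        304
0x020b79e8 192.168.160.142:1091      194.209.253.48:80         304
0x02119720 192.168.160.142:1103      209.85.229.101:80         304
0x0216cd48 192.168.160.142:1104      131.194.151.100:80        304
0x0218f008 192.168.160.142:1109      4.71.209.19:80            304
0x02276b48 192.168.160.142:1080      66.220.153.15:80          1424
0x02283980 192.168.160.142:1079      69.63.189.16:80           1424
0x022be398 192.168.160.142:1111      93.184.220.20:80          304
0x0230f570 192.168.160.142:1107      93.184.220.20:80          304
0x02345248 192.168.160.142:1110      93.184.220.20:80          304
0x023d45d0 192.168.160.142:1092      213.199.186.203:80        304
0x023d4cc8 192.168.160.142:1093      213.199.186.202:80        304
0x023d5b30 192.168.160.142:1102      72.32.231.8:80            304
0x02421008 192.168.160.142:1090      65.55.149.121:80          304
0x02526008 192.168.160.142:1105      213.186.33.19:80          304
"""


class Conn(NamedTuple):
    local: str
    remote: str
    pid: int


# The offset column is virtual in one plugin and physical in the other, so the
# comparison key is (local, remote, pid) and the offset is deliberately dropped.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_conn_table(text: str) -> List[Conn]:
    """Parse the tabular output of `connections` or `connscan` into Conn records."""
    return [Conn(m.group(1), m.group(2), int(m.group(3)))
            for m in (ROW_RE.match(line) for line in text.splitlines()) if m]


def only_in_scan(listed: List[Conn], scanned: List[Conn]) -> List[Conn]:
    """Connections the pool scan found but the active list no longer contains."""
    known = set(listed)
    return [c for c in scanned if c not in known]


def only_in_list(listed: List[Conn], scanned: List[Conn]) -> List[Conn]:
    """Connections in the active list that the scan missed (normally empty)."""
    known = set(scanned)
    return [c for c in listed if c not in known]


def count_by_pid(conns: List[Conn]) -> Dict[int, int]:
    """How many entries each PID contributes, to see which process to examine."""
    counts: Dict[int, int] = {}
    for c in conns:
        counts[c.pid] = counts.get(c.pid, 0) + 1
    return counts


if __name__ == "__main__":
    listed = parse_conn_table(CONNECTIONS_OUTPUT)
    scanned = parse_conn_table(CONNSCAN_OUTPUT)
    extra = only_in_scan(listed, scanned)
    for c in extra:
        print("scan only: pid %-5d %s -> %s" % (c.pid, c.local, c.remote))
    print("scan-only entries per PID:", count_by_pid(extra))
```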


7) Event logs in memory can be extracted.
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 evtlogs -D /root/Desktop/Test
Volatility Foundation Volatility Framework 2.3.1
Parsed data sent to secevent.txt
Parsed data sent to appevent.txt
Parsed data sent to sysevent.txt


8) The SID values of services can be obtained:
python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 getservicesids
Volatility Foundation Volatility Framework 2.3.1
servicesids = {
    'S-1-5-80-2675092186-3691566608-1139246469-1504068187-1286574349': 'Abiosdsk',
    'S-1-5-80-2200411935-3214395760-3985565908-2861215955-1226862917': 'abp480n5',
    'S-1-5-80-850610371-2162948594-2204246734-1395993891-583065928': 'ACPIEC',
    'S-1-5-80-2838020983-819055183-730598559-323496739-448665943': 'adpu160m',
    'S-1-5-80-3218321610-3296847771-3570773115-868698368-3117473630': 'aec',
    'S-1-5-80-934984265-4079461471-3978616717-2318450786-290302611': 'Aha154x',
    'S-1-5-80-1344778701-2960353790-662938617-678076498-4183748354': 'aic78u2',
    'S-1-5-80-1076555770-1261388817-3553637611-899283093-3303637635': 'Alerter',
    'S-1-5-80-1587539839-2488332913-1287008632-3751426284-4220573165': 'AliIde',
    'S-1-5-80-3980410673-3391719637-2113285402-1294014731-1235999994': 'amsint',
...
}

9) The SID values of processes can be obtained:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 getsids
Volatility Foundation Volatility Framework 2.3.1
System (4): S-1-5-18 (Local System)
System (4): S-1-5-32-544 (Administrators)
System (4): S-1-1-0 (Everyone)
System (4): S-1-5-11 (Authenticated Users)
smss.exe (560): S-1-5-18 (Local System)
smss.exe (560): S-1-5-32-544 (Administrators)
smss.exe (560): S-1-1-0 (Everyone)
smss.exe (560): S-1-5-11 (Authenticated Users)
csrss.exe (608): S-1-5-18 (Local System)
csrss.exe (608): S-1-5-32-544 (Administrators)
csrss.exe (608): S-1-1-0 (Everyone)
csrss.exe (608): S-1-5-11 (Authenticated Users)
winlogon.exe (632): S-1-5-18 (Local System)
winlogon.exe (632): S-1-5-32-544 (Administrators)
winlogon.exe (632): S-1-1-0 (Everyone)
winlogon.exe (632): S-1-5-11 (Authenticated Users)
services.exe (676): S-1-5-18 (Local System)
services.exe (676): S-1-5-32-544 (Administrators)
services.exe (676): S-1-1-0 (Everyone)
services.exe (676): S-1-5-11 (Authenticated Users)
lsass.exe (700): S-1-5-18 (Local System)
lsass.exe (700): S-1-5-32-544 (Administrators)
lsass.exe (700): S-1-1-0 (Everyone)
lsass.exe (700): S-1-5-11 (Authenticated Users)
vmacthlp.exe (872): S-1-5-18 (Local System)
vmacthlp.exe (872): S-1-5-32-544 (Administrators)
vmacthlp.exe (872): S-1-1-0 (Everyone)
vmacthlp.exe (872): S-1-5-11 (Authenticated Users)
svchost.exe (884): S-1-5-18 (Local System)
svchost.exe (884): S-1-5-32-544 (Administrators)
....
IEXPLORE.EXE (304): S-1-5-32-545 (Users)
IEXPLORE.EXE (304): S-1-5-4 (Interactive)
IEXPLORE.EXE (304): S-1-5-11 (Authenticated Users)
IEXPLORE.EXE (304): S-1-5-5-0-58825 (Logon Session)
IEXPLORE.EXE (304): S-1-2-0 (Local (Users with the ability to log in locally))

10) Lists the registry hives:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 hivelist
Volatility Foundation Volatility Framework 2.3.1
Virtual    Physical   Name
---------- ---------- ----
0xe1cf9008 0x19524008 \??\C:\Documents and Settings\mr_esclave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1cd65e8 0x16ab95e8 \Device\HarddiskVolume1\Documents and Settings\mr_esclave\NTUSER.DAT
0xe17f39d8 0x0fa549d8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1c7cb60 0x1067db60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe17a8008 0x0d9f1008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe179cb60 0x0cc28b60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe15fdb60 0x0688ab60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe15ebb60 0x06708b60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe15fd008 0x0688a008 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe15f2658 0x066cf658 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe12eb288 0x02d58288 [no name]
0xe1035b60 0x02a9fb60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02a99008 [no name]

11) Using the SAM and SYSTEM hives, returns the LM and NTLM hashes.
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 hashdump -y 0xe1035b60 -s 0xe15f2658
Volatility Foundation Volatility Framework 2.3.1
Administrateur:500:a94c6377a507e293d87f0f06a65161cd:ca5cf9cfc07ec43a78d00bc936242594:::
Traceback (most recent call last):
  File "vol.py", line 184, in <module>
    main()
  File "vol.py", line 175, in main
    command.execute()
  File "/root/Desktop/forensic2/volatility-2.3.1/volatility/commands.py", line 122, in execute
    func(outfd, data)
  File "/root/Desktop/forensic2/volatility-2.3.1/volatility/plugins/registry/lsadump.py", line 98, in render_text
    for d in data:
  File "/root/Desktop/forensic2/volatility-2.3.1/volatility/win32/hashdump.py", line 323, in dump_hashes
    lmhash.encode('hex'), nthash.encode('hex'))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 5: ordinal not in range(128)

12) IE history can be examined:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 iehistory >> ../../Test/asd
Volatility Foundation Volatility Framework 2.3.1
**************************************************
Process: 1140 explorer.exe
Cache type "URL " at 0xfd5000
Record length: 0x100
Location: :2010061820100619: mr_esclave@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Last modified: 2010-06-18 15:03:12 UTC+0000
Last accessed: 2010-06-18 13:03:12 UTC+0000
File Offset: 0x100, Data Offset: 0x0, Data Length: 0x0
**************************************************
...
**************************************************
Process: 1140 explorer.exe
Cache type "URL " at 0xfd5a00
Record length: 0x180
Location: :2010061820100619: mr_esclave@file:///C:/Documents%20and%20Settings/All%20Users/Documents/Mes%20images/%C9chantillons%20d'images/Coucher%20de%20soleil.jpg
Last modified: 2010-06-18 15:04:47 UTC+0000
Last accessed: 2010-06-18 13:04:47 UTC+0000
File Offset: 0x180, Data Offset: 0x0, Data Length: 0x0
**************************************************
...
**************************************************
Process: 1424 IEXPLORE.EXE
Cache type "URL " at 0xac5500
Record length: 0x100
Location: Cookie:mr_esclave@rad.msn.com/
Last modified: 2010-06-18 13:03:16 UTC+0000
Last accessed: 2010-06-18 13:04:20 UTC+0000
File Offset: 0x100, Data Offset: 0x88, Data Length: 0x0
File: mr_esclave@rad.msn[2].txt
**************************************************
...


12) Saves the RAM as an image.
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 imagecopy --output-image=../xp_forensics.img
Volatility Foundation Volatility Framework 2.3.1
Writing data (5.00 MB chunks): |.......................................................................................................|


13) Obtains the LSA secret values using SYSTEM and SECURITY:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 lsadump -s 0xe15fd008 -y 0xe1035b60
Volatility Foundation Volatility Framework 2.3.1
L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588
0x00000000  80 c5 00 1b 14 6d cb 01                           .....m..

_SC_MSDTC

DefaultPassword
0x00000000  63 00 75 00 69 00 72 00 6d 00 6f 00 75 00 73 00   c.u.i.r.m.o.u.s.
0x00000010  74 00 61 00 63 00 68 00 65 00                     t.a.c.h.e.

SAI
0x00000000  02 00 00 00 01 00 00 00 02 00 00 00 87 b1 ef 02   ................
0x00000010  a2 c5 e3 3e 1a b2 85 de 99 b6 2f 95 bc e3 73 39   ...>....../...s9
0x00000020  7d 58 26 b2 3a bd 44 77 8c 23 fd 96 39 af 91 cd   }X&.:.Dw.#..9...
0x00000030  cc 58 42 8c 4f bc 79 55 36 85 49 9b e9 e9 89 6a   .XB.O.yU6.I....j
0x00000040  94 9a ba 71 4c 0d 32 d7 38 89 4e c7 dc 89 7b d8   ...qL.2.8.N...{.
0x00000050  42 97 6b 59 1a 6b a5 7c 45 05 b2 93 cf 7d 54 17   B.kY.k.|E....}T.
0x00000060  82 b9 d7 61 4b 62 3c d3 b8 3d e6 75 ab 95 9b f2   ...aKb<..=.u....
0x00000070  f6 79 5d 73 70 62 6f ab 37 05 49 76 e7 d9 9b 2d   .y]spbo.7.Iv...-
0x00000080  c9 c7 36 1f 6e bb c4 32 5c 80 b8 e5               ..6.n..2\...

_SC_Alerter

SAC
0x00000000  02 00 00 00 01 00 00 00 88 00 00 00 0e 1a 16 0e   ................
0x00000010  64 b0 de 25 39 55 3a fd 1a be 60 f8 74 b5 52 ae   d..%9U:...`.t.R.
0x00000020  55 a4 04 2f 91 cd 7b e2 32 bf 6b ae 63 0e 50 12   U../..{.2.k.c.P.
0x00000030  8f 04 8c 8b 9e cc 13 30 24 3c 71 a1 a7 4b 91 9b   .......0$<q..K..
0x00000040  2d 90 d8 15 44 99 c2 b7 11 68 0c c9 a0 6d b6 5d   -...D....h...m.]
0x00000050  7d 25 64 a5 57 de 15 d0 92 1d 68 55 c2 23 e0 33   }%d.W.....hU.#.3
0x00000060  65 3a de 5b ad be 6f 13 8f 33 2d 3b fd 65 1d 95   e:.[..o..3-;.e..
0x00000070  b0 e1 b8 2b ff 01 18 e9 d3 76 4a 3c d9 fc 60 e1   ...+.....vJ<..`.
0x00000080  2e 49 ef 98 56 27 74 06 c7 be 13 a9 54 33 68 aa   .I..V't.....T3h.
0x00000090  7b b0 4c ce                                       {.L.

_SC_Dnscache

_SC_RpcSs

G${ED8F4747-E13D-47bc-856B-5CEFE1A81A7F}
0x00000000  2c 30 40 2d e0 f2 c8 4b 8c 2b 55 2a ea 38 95 a6   ,0@-...K.+U*.8..

L$HYDRAENCKEY_28ada6da-d622-11d1-9cb9-00c04fb16e75
0x00000000  52 53 41 32 48 00 00 00 00 02 00 00 3f 00 00 00   RSA2H.......?...
0x00000010  01 00 01 00 f3 14 3e e5 c7 a0 d8 b6 69 b4 d1 3e   ......>.....i..>
0x00000020  98 82 43 96 ed 06 2d 76 62 50 1f 29 b5 22 56 5b   ..C...-vbP.)."V[
0x00000030  2c d5 9f 92 d1 56 ea 98 4f 41 d6 94 87 74 8b 30   ,....V..OA...t.0
0x00000040  c5 05 3b 24 d5 a5 c1 8f 03 77 69 85 18 8a a4 95   ..;$.....wi.....
0x00000050  90 8c f0 9e 00 00 00 00 00 00 00 00 8f d6 4c 1e   ..............L.
0x00000060  aa 23 a4 22 c3 ab 03 f1 a4 7e 69 98 96 38 9d 8c   .#.".....~i..8..
0x00000070  7a f0 d3 43 ee 2b 16 0c ce 26 2e cd 00 00 00 00   z..C.+...&......
0x00000080  5d 2d 13 bb b7 bc 2e 37 90 08 66 70 e4 fb 5b 83   ]-.....7..fp..[.
0x00000090  dd 25 3b 1d b1 b3 43 ad 91 19 26 73 e9 6b 4e c6   .%;...C...&s.kN.
0x000000a0  00 00 00 00 0b a9 c6 71 f0 81 2f c4 a8 96 40 07   .......q../...@.
0x000000b0  94 b9 c6 32 96 36 c1 cf f3 7c 2e ca 0b 14 c0 cf   ...2.6...|......
0x000000c0  d9 c7 90 a6 00 00 00 00 2d 9a 42 42 a4 9e bf 69   ........-.BB...i
0x000000d0  53 1e c6 77 39 74 25 c3 11 b1 ef b0 a0 90 71 cc   S..w9t%.......q.
0x000000e0  95 c1 94 23 95 72 ac 26 00 00 00 00 77 6c f7 10   ...#.r.&....wl..
0x000000f0  fe e2 de 8d 1e 45 e5 64 0c f9 24 e0 19 2f 55 e9   .....E.d..$../U.
0x00000100  44 7e d1 b4 f3 16 ab 28 b0 d9 3b a2 00 00 00 00   D~.....(..;.....
0x00000110  89 3a 4a 73 a5 3e da b1 f2 9e fd 59 04 b5 18 82   .:Js.>.....Y....
0x00000120  9c d1 1c b5 33 97 2c fb cd 1b 3c 9e cf 77 99 73   ....3.,...<..w.s
0x00000130  e4 59 2d e1 cd 28 71 d6 bd c7 31 43 90 04 e0 d1   .Y-..(q...1C....
0x00000140  5d 04 3d 5c ca bd 8f ee a3 99 19 1a 1b 75 19 3b   ].=\.........u.;
0x00000150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000170  00 00 00 00 00 00 00 00 00 00 00 00               ............

_SC_ALG

_SC_RpcLocator

0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
0x00000000  01 05 00 00 00 00 00 05 15 00 00 00 81 77 d9 74   .............w.t
0x00000010  ee 94 02 07 43 17 0a 32 e8 03 00 00               ....C..2....

_SC_SSDPSRV

_SC_upnphost

NL$KM
0x00000000  ba 83 3c cf 74 ba f5 6a 56 af 8e 6b 04 2d 4a 34   ..<.t..jV..k.-J4
0x00000010  e1 49 63 ed 3c e7 59 7e 33 66 9c b0 cc 4e 7b 94   .Ic.<.Y~3f...N{.
0x00000020  24 ac 73 a2 80 cb 28 41 f4 7e 16 8f 1f 4c 08 df   $.s...(A.~...L..
0x00000030  59 8a 02 b3 5d 10 e6 c4 50 66 2c 73 e3 a8 c0 7c   Y...]...Pf,s...|

_SC_LmHosts

_SC_WebClient

DPAPI_SYSTEM
0x00000000  01 00 00 00 b0 42 12 e5 f8 a8 f1 51 f6 bf b7 a9   .....B.....Q....
0x00000010  eb 0e 9a 71 8b 28 ad c3 32 4a d6 2d e0 14 2d 5f   ...q.(..2J.-..-_
0x00000020  78 c5 60 a4 d2 98 2f b7 08 fe 7f f2               x.`.../.....

L${6B3E6424-AF3E-4bff-ACB6-DA535F0DDC0A}
0x00000000  2b d1 5d 56 5e 60 08 8e 57 f2 dd d8 f2 53 7d 15   +.]V^`..W....S}.
0x00000010  73 d1 09 d2 e8 8f 6c bb 8c 52 54 01 36 2f 39 cd   s.....l..RT.6/9.
0x00000020  75 10 d0 f1 fb 4b cf 0d 13 77 ee f1 d2 31 50 9b   u....K...w...1P.
0x00000030  c3 a3 22 8c 55 2d 1b c5                           ..".U-..

20ed87e2-3b82-4114-81f9-5e219ed4c481-SALEMHELPACCOUNT

0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantAccount
0x00000000  61 00 61 00 28 00 38 00 58 00 77 00 67 00 42 00   a.a.(.8.X.w.g.B.
0x00000010  58 00 7a 00 35 00 68 00 64 00 61 00 00 00         X.z.5.h.d.a...
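Added example (not from the original post): a parser for the lsadump hexdump format above that rebuilds each secret's raw bytes and renders them, decoding the UTF-16LE strings the ASCII column only hints at, the binary SID of the Remote Desktop help-assistant account, and the 8-byte FILETIME stored in L$RTMTIMEBOMB. The sample is a handful of secrets copied from the listing above; the name-based decoding heuristics in describe() are my assumptions, not Volatility's.

```python
import re
import struct
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample: a few secrets copied from the lsadump output above.
LSADUMP_OUTPUT = """\
L$RTMTIMEBOMB_1320153D-8DA3-4e8e-B27B-0D888223A588
0x00000000  80 c5 00 1b 14 6d cb 01                           .....m..

_SC_MSDTC

DefaultPassword
0x00000000  63 00 75 00 69 00 72 00 6d 00 6f 00 75 00 73 00   c.u.i.r.m.o.u.s.
0x00000010  74 00 61 00 63 00 68 00 65 00                     t.a.c.h.e.

0083343a-f925-4ed7-b1d6-d95d17a0b57b-RemoteDesktopHelpAssistantSID
0x00000000  01 05 00 00 00 00 00 05 15 00 00 00 81 77 d9 74   .............w.t
0x00000010  ee 94 02 07 43 17 0a 32 e8 03 00 00               ....C..2....

DPAPI_SYSTEM
0x00000000  01 00 00 00 b0 42 12 e5 f8 a8 f1 51 f6 bf b7 a9   .....B.....Q....
0x00000010  eb 0e 9a 71 8b 28 ad c3 32 4a d6 2d e0 14 2d 5f   ...q.(..2J.-..-_
0x00000020  78 c5 60 a4 d2 98 2f b7 08 fe 7f f2               x.`.../.....
"""

# A hexdump row: 8-digit offset, then hex byte pairs; the ASCII column that
# follows is separated by at least two spaces, so the greedy group stops there.
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]{8}\s+((?:[0-9a-fA-F]{2}\s)+)")


def parse_lsadump(text: str) -> Dict[str, bytes]:
    """Rebuild each secret's raw bytes from the hexdump rows under its name.
    Any non-hexdump, non-blank line is taken as the name of the next secret."""
    secrets: Dict[str, bytes] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m and current is not None:
            secrets[current] += bytes.fromhex(m.group(1).replace(" ", ""))
        elif line.strip():
            current = line.strip()
            secrets[current] = b""
    return secrets


def parse_sid(data: bytes) -> str:
    """Render a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then 32-bit little-endian sub-authorities."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def filetime_to_datetime(data: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    (ticks,) = struct.unpack("<Q", data)
    return datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10)


def decode_utf16(data: bytes) -> Optional[str]:
    """Return the secret as text if it is a printable UTF-16LE string, else None."""
    if len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def describe(name: str, data: bytes) -> str:
    """Pick the most informative rendering of one secret (heuristic, by name and shape)."""
    if not data:
        return "<empty>"
    if name.endswith("SID") and data[0] == 1:
        return "SID " + parse_sid(data)
    if "TIMEBOMB" in name and len(data) == 8:
        return "FILETIME " + filetime_to_datetime(data).isoformat(" ")
    text = decode_utf16(data)
    if text is not None:
        return "UTF-16LE %r" % text
    return "%d raw bytes: %s..." % (len(data), data[:8].hex())


if __name__ == "__main__":
    for name, data in parse_lsadump(LSADUMP_OUTPUT).items():
        print("%-70s %s" % (name, describe(name, data)))
```

The DefaultPassword secret is the stored auto-logon password; finding one populated on a host is itself a finding worth recording, since LSA secrets are readable from any memory image of that machine.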

14) Lists registry keys:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 printkey
Volatility Foundation Volatility Framework 2.3.1
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\system
Key name: $$$PROTO.HIV (S)
Last updated: 2010-06-18 12:57:58 UTC+0000

Subkeys:
  (S) ControlSet001
  (S) ControlSet002
  (S) LastKnownGoodRecovery
  (S) MountedDevices
  (S) Select
  (S) Setup
  (S) WPA
  (V) CurrentControlSet

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
Key name: $$$PROTO.HIV (S)
Last updated: 2010-06-18 09:25:20 UTC+0000

Subkeys:
  (S) AppEvents
  (S) Console
  (S) Control Panel
  (S) Environment
  (S) Identities
  (S) Keyboard Layout
  (S) Printers
  (S) Software
  (S) UNICODE Program Groups

Values:
----------------------------
Registry: [no name]
Key name: REGISTRY (S)
Last updated: 2010-06-18 12:57:58 UTC+0000

Subkeys:
  (S) MACHINE
  (S) USER

Values:
----------------------------
Registry: [no name]
Key name: HARDWARE (S)
Last updated: 2010-06-18 12:57:59 UTC+0000

Subkeys:
  (S) ACPI
  (S) DESCRIPTION
  (S) DEVICEMAP
  (V) RESOURCEMAP

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Key name: S-1-5-19_Classes (S)
Last updated: 2010-06-18 09:25:24 UTC+0000

Subkeys:

Values:
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\mr_esclave\NTUSER.DAT
Key name: $$$PROTO.HIV (S)
Last updated: 2010-06-18 13:02:43 UTC+0000

Subkeys:
  (S) AppEvents
  (S) Console
  (S) Control Panel
  (S) Environment
  (S) Identities
  (S) Keyboard Layout
  (S) Printers
  (S) Software
  (S) UNICODE Program Groups
  (S) Windows 3.1 Migration Status
  (V) SessionInformation
  (V) Volatile Environment

Values:
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
Key name: SECURITY (S)
Last updated: 2010-06-18 12:58:24 UTC+0000

Subkeys:
  (S) Cache
  (S) Policy
  (S) RXACT
  (V) SAM

Values:
----------------------------
...

15) Saves an executable dump of every process to the parent directory:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 procexedump -D ../
Volatility Foundation Volatility Framework 2.3.1
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x821c8830 ---------- System               Error: PEB at 0x0 is paged
0x82111568 0x48580000 smss.exe             OK: executable.560.exe
0x81fa4020 0x4a680000 csrss.exe            OK: executable.608.exe
0x820aada0 0x01000000 winlogon.exe         OK: executable.632.exe
0x81cbd4d0 0x01000000 services.exe         OK: executable.676.exe
0x81e6e498 0x01000000 lsass.exe            OK: executable.700.exe
0x81d8fda0 0x00400000 vmacthlp.exe         OK: executable.872.exe
0x81acc3b8 0x01000000 svchost.exe          OK: executable.884.exe
0x81c4c318 0x01000000 svchost.exe          OK: executable.988.exe
0x81d97da0 0x01000000 svchost.exe          OK: executable.1096.exe
0x81fa6230 0x01000000 svchost.exe          OK: executable.1172.exe
0x81f2a020 0x01000000 svchost.exe          OK: executable.1308.exe
0x81ad1b58 0x01000000 spoolsv.exe          OK: executable.1444.exe
0x81f7baa8 0x00400000 vmtoolsd.exe         OK: executable.1756.exe
0x81fddd50 0x00400000 VMUpgradeHelper      OK: executable.1892.exe
0x81d77020 0x01000000 alg.exe              OK: executable.412.exe
0x81c66020 0x01000000 wscntfy.exe          OK: executable.168.exe
0x81e2a020 0x01000000 explorer.exe         OK: executable.1140.exe
0x820405d0 0x01000000 msiexec.exe          OK: executable.1736.exe
0x81b94470 0x00400000 VMwareTray.exe       OK: executable.836.exe
0x81ec0998 0x00400000 VMwareUser.exe       OK: executable.1052.exe
0x81ce8020 0x00400000 ctfmon.exe           OK: executable.1084.exe
0x81e84da0 0x01000000 wpabaln.exe          OK: executable.1812.exe
0x81fa8980 0x00400000 IEXPLORE.EXE         OK: executable.1424.exe
0x81c0bab8 0x01000000 notepad.exe          OK: executable.364.exe
0x820a0650 0x00400000 IEXPLORE.EXE         OK: executable.304.exe


16) Dumping a single process (selected by PID) as an executable:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 procexedump -D ../ -p 560
Volatility Foundation Volatility Framework 2.3.1
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x82111568 0x48580000 smss.exe             OK: executable.560.exe


17) Processes are listed by their physical location in memory.
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 psscan
Volatility Foundation Volatility Framework 2.3.1
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited                
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x01ecc3b8 svchost.exe         884    676 0x069c0100 2010-06-18 12:58:40 UTC+0000                              
0x01ed1b58 spoolsv.exe        1444    676 0x069c01c0 2010-06-18 12:58:46 UTC+0000                              
0x01f94470 VMwareTray.exe      836   1140 0x069c0120 2010-06-18 12:59:31 UTC+0000                              
0x0200bab8 notepad.exe         364   1140 0x069c0340 2010-06-18 13:03:40 UTC+0000                              
0x0204c318 svchost.exe         988    676 0x069c0140 2010-06-18 12:58:42 UTC+0000                              
0x02066020 wscntfy.exe         168   1096 0x069c0260 2010-06-18 12:59:03 UTC+0000                              
0x020bd4d0 services.exe        676    632 0x069c0080 2010-06-18 12:58:31 UTC+0000                              
0x020e8020 ctfmon.exe         1084   1140 0x069c02c0 2010-06-18 12:59:32 UTC+0000                              
0x02177020 alg.exe             412    676 0x069c0240 2010-06-18 12:59:00 UTC+0000                              
0x0218fda0 vmacthlp.exe        872    676 0x069c00e0 2010-06-18 12:58:40 UTC+0000                              
0x02197da0 svchost.exe        1096    676 0x069c0160 2010-06-18 12:58:43 UTC+0000                              
0x0222a020 explorer.exe       1140   1252 0x069c02a0 2010-06-18 12:59:06 UTC+0000                              
0x0226e498 lsass.exe           700    632 0x069c00c0 2010-06-18 12:58:32 UTC+0000                              
0x02284da0 wpabaln.exe        1812    632 0x069c0220 2010-06-18 13:01:02 UTC+0000                              
0x022c0998 VMwareUser.exe     1052   1140 0x069c0280 2010-06-18 12:59:31 UTC+0000                              
0x0232a020 svchost.exe        1308    676 0x069c01a0 2010-06-18 12:58:45 UTC+0000                              
0x0237baa8 vmtoolsd.exe       1756    676 0x069c01e0 2010-06-18 12:58:55 UTC+0000                              
0x023a4020 csrss.exe           608    560 0x069c0040 2010-06-18 12:58:24 UTC+0000                              
0x023a6230 svchost.exe        1172    676 0x069c0180 2010-06-18 12:58:44 UTC+0000                              
0x023a8980 IEXPLORE.EXE       1424   1140 0x069c0300 2010-06-18 13:03:11 UTC+0000                              
0x023ddd50 VMUpgradeHelper    1892    676 0x069c0200 2010-06-18 12:58:58 UTC+0000                              
0x024405d0 msiexec.exe        1736    676 0x069c02e0 2010-06-18 12:59:22 UTC+0000                              
0x024a0650 IEXPLORE.EXE        304   1140 0x069c00a0 2010-06-18 13:04:18 UTC+0000                              
0x024aada0 winlogon.exe        632    560 0x069c0060 2010-06-18 12:58:28 UTC+0000                              
0x02511568 smss.exe            560      4 0x069c0020 2010-06-18 12:58:19 UTC+0000                              
0x025c8830 System                4      0 0x00ae2000                                  

18) Processes are listed in creation order, as a parent/child tree.
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 pstree
Volatility Foundation Volatility Framework 2.3.1
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x821c8830:System                                      4      0     56    277 1970-01-01 00:00:00 UTC+0000
. 0x82111568:smss.exe                                 560      4      3     21 2010-06-18 12:58:19 UTC+0000
.. 0x81fa4020:csrss.exe                               608    560     11    414 2010-06-18 12:58:24 UTC+0000
.. 0x820aada0:winlogon.exe                            632    560     22    449 2010-06-18 12:58:28 UTC+0000
... 0x81cbd4d0:services.exe                           676    632     16    272 2010-06-18 12:58:31 UTC+0000
.... 0x81fa6230:svchost.exe                          1172    676      7     85 2010-06-18 12:58:44 UTC+0000
.... 0x81f7baa8:vmtoolsd.exe                         1756    676      5    204 2010-06-18 12:58:55 UTC+0000
.... 0x81d97da0:svchost.exe                          1096    676     78   1355 2010-06-18 12:58:43 UTC+0000
..... 0x81c66020:wscntfy.exe                          168   1096      1     34 2010-06-18 12:59:03 UTC+0000
.... 0x81acc3b8:svchost.exe                           884    676     20    202 2010-06-18 12:58:40 UTC+0000
.... 0x820405d0:msiexec.exe                          1736    676      5    104 2010-06-18 12:59:22 UTC+0000
.... 0x81ad1b58:spoolsv.exe                          1444    676     14    128 2010-06-18 12:58:46 UTC+0000
.... 0x81d77020:alg.exe                               412    676      6    100 2010-06-18 12:59:00 UTC+0000
.... 0x81c4c318:svchost.exe                           988    676     10    246 2010-06-18 12:58:42 UTC+0000
.... 0x81fddd50:VMUpgradeHelper                      1892    676      5     96 2010-06-18 12:58:58 UTC+0000
.... 0x81d8fda0:vmacthlp.exe                          872    676      1     24 2010-06-18 12:58:40 UTC+0000
.... 0x81f2a020:svchost.exe                          1308    676     15    209 2010-06-18 12:58:45 UTC+0000
... 0x81e6e498:lsass.exe                              700    632     25    342 2010-06-18 12:58:32 UTC+0000
... 0x81e84da0:wpabaln.exe                           1812    632      1     66 2010-06-18 13:01:02 UTC+0000
 0x81e2a020:explorer.exe                             1140   1252     19    489 2010-06-18 12:59:06 UTC+0000
. 0x81fa8980:IEXPLORE.EXE                            1424   1140     16    412 2010-06-18 13:03:11 UTC+0000
. 0x81ec0998:VMwareUser.exe                          1052   1140      4     97 2010-06-18 12:59:31 UTC+0000
. 0x820a0650:IEXPLORE.EXE                             304   1140     17    455 2010-06-18 13:04:18 UTC+0000
. 0x81ce8020:ctfmon.exe                              1084   1140      1     70 2010-06-18 12:59:32 UTC+0000
. 0x81b94470:VMwareTray.exe                           836   1140      1     57 2010-06-18 12:59:31 UTC+0000
. 0x81c0bab8:notepad.exe                              364   1140      2     86 2010-06-18 13:03:40 UTC+0000


19) The physical RAM image is converted into a crash dump.
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 raw2dmp --output-image=../xp_forensics_crashdump
Volatility Foundation Volatility Framework 2.3.1
Writing data (5.00 MB chunks): |........................................................................................................|


20) Screenshots of the desktops are extracted.
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 screenshot -D ../
Volatility Foundation Volatility Framework 2.3.1
Wrote ../session_0.Service-0x0-3e4$.Default.png
Wrote ../session_0.Service-0x0-3e5$.Default.png
Wrote ../session_0.SAWinSta.SADesktop.png
Wrote ../session_0.WinSta0.Default.png
Wrote ../session_0.WinSta0.Disconnect.png
Wrote ../session_0.WinSta0.Winlogon.png
Wrote ../session_0.Service-0x0-3e7$.Default.png


21) Open sockets are listed:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 sockets
Volatility Foundation Volatility Framework 2.3.1
Offset(V)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x81e96e98     1096    123     17 UDP             192.168.160.142 2010-06-18 12:58:59 UTC+0000
0x81ebf840        4      0     47 GRE             0.0.0.0         2010-06-18 13:02:44 UTC+0000
0x821261a8      304   1088      6 TCP             0.0.0.0         2010-06-18 13:04:19 UTC+0000
0x81cabe98      304   1092      6 TCP             0.0.0.0         2010-06-18 13:04:20 UTC+0000
0x81ab7578      304   1096      6 TCP             0.0.0.0         2010-06-18 13:04:21 UTC+0000
0x81e98cc8      700    500     17 UDP             0.0.0.0         2010-06-18 12:58:56 UTC+0000
0x81c55268      304   1104      6 TCP             0.0.0.0         2010-06-18 13:04:39 UTC+0000
0x81ebd768        4    445      6 TCP             0.0.0.0         2010-06-18 12:58:12 UTC+0000
0x81fd3e00      304   1108      6 TCP             0.0.0.0         2010-06-18 13:04:39 UTC+0000
0x81c4bc28      988    135      6 TCP             0.0.0.0         2010-06-18 12:58:43 UTC+0000
0x81d68208        4   1031      6 TCP             0.0.0.0         2010-06-18 13:02:44 UTC+0000
0x81d6c008      304   1093      6 TCP             0.0.0.0         2010-06-18 13:04:21 UTC+0000
0x81abcc20     1308   1900     17 UDP             192.168.160.142 2010-06-18 12:59:00 UTC+0000
0x81fd68f0      412   1025      6 TCP             127.0.0.1       2010-06-18 12:59:00 UTC+0000
0x81ea67e8        4    139      6 TCP             192.168.160.142 2010-06-18 12:58:48 UTC+0000
0x81e31d80      700      0    255 Reserved        0.0.0.0         2010-06-18 12:58:56 UTC+0000
0x81e96a38     1096    123     17 UDP             127.0.0.1       2010-06-18 12:58:59 UTC+0000
0x81e89698      304   1086      6 TCP             0.0.0.0         2010-06-18 13:04:18 UTC+0000
0x81c042c8     1172   1033     17 UDP             0.0.0.0         2010-06-18 13:03:11 UTC+0000
0x81eb9c20      304   1090      6 TCP             0.0.0.0         2010-06-18 13:04:20 UTC+0000
0x81ab4e48      304   1085     17 UDP             127.0.0.1       2010-06-18 13:04:18 UTC+0000
0x81d69548      304   1094      6 TCP             0.0.0.0         2010-06-18 13:04:21 UTC+0000
0x81fe6650        4    137     17 UDP             192.168.160.142 2010-06-18 12:58:48 UTC+0000
0x81fd3008      304   1102      6 TCP             0.0.0.0         2010-06-18 13:04:38 UTC+0000
0x81c1b548      304   1091      6 TCP             0.0.0.0         2010-06-18 13:04:20 UTC+0000
0x81ce9e68     1308   1900     17 UDP             127.0.0.1       2010-06-18 12:59:00 UTC+0000
0x81c18e98      700   4500     17 UDP             0.0.0.0         2010-06-18 12:58:56 UTC+0000
0x81ac9b70        4    138     17 UDP             192.168.160.142 2010-06-18 12:58:48 UTC+0000
0x81d1d5a8        4    445     17 UDP             0.0.0.0         2010-06-18 12:58:12 UTC+0000
0x81d6d4e0      304   1103      6 TCP             0.0.0.0         2010-06-18 13:04:39 UTC+0000
0x81f762e0     1172   1046     17 UDP             0.0.0.0         2010-06-18 13:03:14 UTC+0000
0x820afe98     1424   1032     17 UDP             127.0.0.1       2010-06-18 13:03:11 UTC+0000
0x81c03580     1172   1054     17 UDP             0.0.0.0         2010-06-18 13:03:15 UTC+0000

22) Open sockets are listed by their physical location.
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 sockscan       
Volatility Foundation Volatility Framework 2.3.1
Offset(P)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x01e86668     1320   1900     17 UDP             192.168.160.142 2010-06-18 10:00:56 UTC+0000
0x01eb4e48      304   1085     17 UDP             127.0.0.1       2010-06-18 13:04:18 UTC+0000
0x01eb7578      304   1096      6 TCP             0.0.0.0         2010-06-18 13:04:21 UTC+0000
0x01ebcc20     1308   1900     17 UDP             192.168.160.142 2010-06-18 12:59:00 UTC+0000
0x01ebe950      304   1098      6 TCP             0.0.0.0         2010-06-18 13:04:22 UTC+0000
0x01ec9b70        4    138     17 UDP             192.168.160.142 2010-06-18 12:58:48 UTC+0000
0x01ee8008     1488   1193      6 TCP             0.0.0.0         2010-06-18 12:03:53 UTC+0000
0x01eea398     1488   1178      6 TCP             0.0.0.0         2010-06-18 12:03:32 UTC+0000
0x02003580     1172   1054     17 UDP             0.0.0.0         2010-06-18 13:03:15 UTC+0000
0x020042c8     1172   1033     17 UDP             0.0.0.0         2010-06-18 13:03:11 UTC+0000
0x02018e98      700   4500     17 UDP             0.0.0.0         2010-06-18 12:58:56 UTC+0000
0x0201b548      304   1091      6 TCP             0.0.0.0         2010-06-18 13:04:20 UTC+0000
0x0204bc28      988    135      6 TCP             0.0.0.0         2010-06-18 12:58:43 UTC+0000
0x02055268      304   1104      6 TCP             0.0.0.0         2010-06-18 13:04:39 UTC+0000
0x020abe98      304   1092      6 TCP             0.0.0.0         2010-06-18 13:04:20 UTC+0000
0x020e9e68     1308   1900     17 UDP             127.0.0.1       2010-06-18 12:59:00 UTC+0000
0x02117b90      304   1106      6 TCP             0.0.0.0         2010-06-18 13:04:39 UTC+0000
0x0211d5a8        4    445     17 UDP             0.0.0.0         2010-06-18 12:58:12 UTC+0000
0x02165b80      304   1111      6 TCP             0.0.0.0         2010-06-18 13:04:40 UTC+0000
0x02168208        4   1031      6 TCP             0.0.0.0         2010-06-18 13:02:44 UTC+0000
0x02169548      304   1094      6 TCP             0.0.0.0         2010-06-18 13:04:21 UTC+0000
0x0216c008      304   1093      6 TCP             0.0.0.0         2010-06-18 13:04:21 UTC+0000
0x0216d4e0      304   1103      6 TCP             0.0.0.0         2010-06-18 13:04:39 UTC+0000
0x02231d80      700      0    255 Reserved        0.0.0.0         2010-06-18 12:58:56 UTC+0000
0x02289698      304   1086      6 TCP             0.0.0.0         2010-06-18 13:04:18 UTC+0000
0x02296a38     1096    123     17 UDP             127.0.0.1       2010-06-18 12:58:59 UTC+0000
0x02296e98     1096    123     17 UDP             192.168.160.142 2010-06-18 12:58:59 UTC+0000
0x02298cc8      700    500     17 UDP             0.0.0.0         2010-06-18 12:58:56 UTC+0000
0x022a67e8        4    139      6 TCP             192.168.160.142 2010-06-18 12:58:48 UTC+0000
0x022b9c20      304   1090      6 TCP             0.0.0.0         2010-06-18 13:04:20 UTC+0000
0x022bd768        4    445      6 TCP             0.0.0.0         2010-06-18 12:58:12 UTC+0000
0x022bf840        4      0     47 GRE             0.0.0.0         2010-06-18 13:02:44 UTC+0000
0x02312948      304   1099      6 TCP             0.0.0.0         2010-06-18 13:04:32 UTC+0000
0x02316160      304   1110      6 TCP             0.0.0.0         2010-06-18 13:04:40 UTC+0000
0x023762e0     1172   1046     17 UDP             0.0.0.0         2010-06-18 13:03:14 UTC+0000
0x023d3008      304   1102      6 TCP             0.0.0.0         2010-06-18 13:04:38 UTC+0000
0x023d3e00      304   1108      6 TCP             0.0.0.0         2010-06-18 13:04:39 UTC+0000
0x023d59c0      304   1105      6 TCP             0.0.0.0         2010-06-18 13:04:39 UTC+0000
0x023d68f0      412   1025      6 TCP             127.0.0.1       2010-06-18 12:59:00 UTC+0000
0x023e6650        4    137     17 UDP             192.168.160.142 2010-06-18 12:58:48 UTC+0000
0x024afe98     1424   1032     17 UDP             127.0.0.1       2010-06-18 13:03:11 UTC+0000
0x025261a8      304   1088      6 TCP             0.0.0.0         2010-06-18 13:04:19 UTC+0000
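The two socket listings above do not agree: sockscan carves socket objects out of physical memory and therefore also finds entries that the live kernel list walked by sockets no longer contains (for example PIDs 1320 and 1488, which do not appear in psscan at all, and several extra ports of PID 304). The following added Python example (not part of the original post) parses a constructed subset of both outputs, reports the scanner-only rows, and uses the psscan PIDs from step 17 to separate closed sockets of running processes from sockets left behind by processes that have already exited.

```python
"""Compare 'sockets' (walks the live kernel socket list) with 'sockscan'
(carves socket objects from physical memory) and cross-check PIDs against
'psscan'.  Rows only sockscan finds are residual objects: closed sockets of a
running process, or sockets of a process that has already exited.  Sample rows
are a subset copied from the outputs above; PSSCAN_PIDS comes from step 17."""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "offset pid port proto protocol address created")

# Subset of the 'sockets' output above (virtual offsets).
SOCKETS_OUT = """\
0x81e96e98     1096    123     17 UDP             192.168.160.142 2010-06-18 12:58:59 UTC+0000
0x821261a8      304   1088      6 TCP             0.0.0.0         2010-06-18 13:04:19 UTC+0000
0x81ebd768        4    445      6 TCP             0.0.0.0         2010-06-18 12:58:12 UTC+0000
0x81abcc20     1308   1900     17 UDP             192.168.160.142 2010-06-18 12:59:00 UTC+0000
"""

# Subset of the 'sockscan' output above (physical offsets).
SOCKSCAN_OUT = """\
0x01e86668     1320   1900     17 UDP             192.168.160.142 2010-06-18 10:00:56 UTC+0000
0x01ebcc20     1308   1900     17 UDP             192.168.160.142 2010-06-18 12:59:00 UTC+0000
0x01ebe950      304   1098      6 TCP             0.0.0.0         2010-06-18 13:04:22 UTC+0000
0x01ee8008     1488   1193      6 TCP             0.0.0.0         2010-06-18 12:03:53 UTC+0000
0x02296e98     1096    123     17 UDP             192.168.160.142 2010-06-18 12:58:59 UTC+0000
0x022bd768        4    445      6 TCP             0.0.0.0         2010-06-18 12:58:12 UTC+0000
0x025261a8      304   1088      6 TCP             0.0.0.0         2010-06-18 13:04:19 UTC+0000
"""

# PIDs present in the psscan output of step 17.
PSSCAN_PIDS = {4, 168, 304, 364, 412, 560, 608, 632, 676, 700, 836, 872, 884,
               988, 1052, 1084, 1096, 1140, 1172, 1308, 1424, 1444, 1736,
               1756, 1812, 1892}

ROW_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")

def parse_rows(text):
    """Parse table rows into Socket tuples; header/separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            off, pid, port, proto, name, addr, created = m.groups()
            rows.append(Socket(int(off, 16), int(pid), int(port), int(proto),
                               name, addr, created))
    return rows

def identity(sock):
    """Offsets differ between the two plugins, so match on the payload fields."""
    return (sock.pid, sock.port, sock.proto, sock.address, sock.created)

def residual_sockets(sockets_text, sockscan_text, live_pids):
    """Return (orphaned, closed): scanner-only sockets, split by whether the
    owning PID still appears in the process list."""
    live = {identity(s) for s in parse_rows(sockets_text)}
    orphaned, closed = [], []
    for s in parse_rows(sockscan_text):
        if identity(s) in live:
            continue
        (closed if s.pid in live_pids else orphaned).append(s)
    return orphaned, closed

if __name__ == "__main__":
    orphaned, closed = residual_sockets(SOCKETS_OUT, SOCKSCAN_OUT, PSSCAN_PIDS)
    for s in orphaned:
        print("PID %d (not in psscan) left %s/%d behind, created %s"
              % (s.pid, s.protocol, s.port, s.created))
    for s in closed:
        print("PID %d: %s/%d created %s is no longer in the live socket list"
              % (s.pid, s.protocol, s.port, s.created))
```

Run against the full outputs, the orphaned list points at processes worth looking for with psscan and timeliner, since their creation times (10:00 and 12:03) predate everything in the live process list.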

23) Services are listed:
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 svcscan        
Volatility Foundation Volatility Framework 2.3.1
Offset: 0x6e1e90
Order: 1
Process ID: -
Service Name: Abiosdsk
Display Name: Abiosdsk
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -

Offset: 0x6e1f20
Order: 2
Process ID: -
Service Name: abp480n5
Display Name: abp480n5
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_STOPPED
Binary Path: -
.....
Offset: 0x6eabb0
Order: 253
Process ID: 1096
Service Name: WZCSVC
Display Name: Configuration automatique sans fil
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Offset: 0x6eac40
Order: 254
Process ID: -
Service Name: xmlprov
Display Name: Service d'approvisionnement r?seau
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_STOPPED
Binary Path: -

24) Lists the events found in memory as a timeline.
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 timeliner      
Volatility Foundation Volatility Framework 2.3.1
2010-06-18 13:04:52 UTC+0000|[END LIVE RESPONSE]
2010-06-18 12:58:40 UTC+0000|[PROCESS]|svchost.exe|884|676||0x01ecc3b8||
2010-06-18 12:58:46 UTC+0000|[PROCESS]|spoolsv.exe|1444|676||0x01ed1b58||
2010-06-18 12:59:31 UTC+0000|[PROCESS]|VMwareTray.exe|836|1140||0x01f94470||
2010-06-18 13:03:40 UTC+0000|[PROCESS]|notepad.exe|364|1140||0x0200bab8||
2010-06-18 12:58:42 UTC+0000|[PROCESS]|svchost.exe|988|676||0x0204c318||
2010-06-18 12:59:03 UTC+0000|[PROCESS]|wscntfy.exe|168|1096||0x02066020||
2010-06-18 12:58:31 UTC+0000|[PROCESS]|services.exe|676|632||0x020bd4d0||
2010-06-18 12:59:32 UTC+0000|[PROCESS]|ctfmon.exe|1084|1140||0x020e8020||
2010-06-18 12:59:00 UTC+0000|[PROCESS]|alg.exe|412|676||0x02177020||
2010-06-18 12:58:40 UTC+0000|[PROCESS]|vmacthlp.exe|872|676||0x0218fda0||
2010-06-18 12:58:43 UTC+0000|[PROCESS]|svchost.exe|1096|676||0x02197da0||
2010-06-18 12:59:06 UTC+0000|[PROCESS]|explorer.exe|1140|1252||0x0222a020||
2010-06-18 12:58:32 UTC+0000|[PROCESS]|lsass.exe|700|632||0x0226e498||
2010-06-18 13:01:02 UTC+0000|[PROCESS]|wpabaln.exe|1812|632||0x02284da0||
2010-06-18 12:59:31 UTC+0000|[PROCESS]|VMwareUser.exe|1052|1140||0x022c0998||
2010-06-18 12:58:45 UTC+0000|[PROCESS]|svchost.exe|1308|676||0x0232a020||
2010-06-18 12:58:55 UTC+0000|[PROCESS]|vmtoolsd.exe|1756|676||0x0237baa8||
2010-06-18 12:58:24 UTC+0000|[PROCESS]|csrss.exe|608|560||0x023a4020||
2010-06-18 12:58:44 UTC+0000|[PROCESS]|svchost.exe|1172|676||0x023a6230||
2010-06-18 13:03:11 UTC+0000|[PROCESS]|IEXPLORE.EXE|1424|1140||0x023a8980||
2010-06-18 12:58:58 UTC+0000|[PROCESS]|VMUpgradeHelper|1892|676||0x023ddd50||
2010-06-18 12:59:22 UTC+0000|[PROCESS]|msiexec.exe|1736|676||0x024405d0||
2010-06-18 13:04:18 UTC+0000|[PROCESS]|IEXPLORE.EXE|304|1140||0x024a0650||
2010-06-18 12:58:28 UTC+0000|[PROCESS]|winlogon.exe|632|560||0x024aada0||
2010-06-18 12:58:19 UTC+0000|[PROCESS]|smss.exe|560|4||0x02511568||
-1|[PROCESS]|System|4|0||0x025c8830||
2010-06-18 12:58:59 UTC+0000|[SOCKET]|1096|192.168.160.142:123|Protocol: 17 (UDP)|0x81e96e98|||
2010-06-18 13:02:44 UTC+0000|[SOCKET]|4|0.0.0.0:0|Protocol: 47 (GRE)|0x81ebf840|||
2010-06-18 13:04:19 UTC+0000|[SOCKET]|304|0.0.0.0:1088|Protocol: 6 (TCP)|0x821261a8|||

............

25) UserAssist registry values are listed.
root@kali:~/Desktop/forensic2/volatility-2.3.1# python vol.py -f ../xp_forensics.vmem --profile=WinXPSP2x86 userassist     
Volatility Foundation Volatility Framework 2.3.1
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\mr_esclave\NTUSER.DAT
Key name: Count
Last updated: 2010-06-18 13:04:18 UTC+0000

Subkeys:

Values:

REG_BINARY    UEME_CTLSESSION :
0x00000000  30 77 58 0e 01 00 00 00                           0wX.....

REG_BINARY    UEME_RUNPIDL:%csidl2%\Internet Explorer.lnk :
ID:             1
Count:          17
Last updated:   2010-06-18 13:04:18 UTC+0000
0x00000000  01 00 00 00 16 00 00 00 90 d5 bf c2 e6 0e cb 01   ................

REG_BINARY    UEME_RUNPIDL:%csidl2%\MSN.lnk :
ID:             1
Count:          13
Last updated:   2010-06-18 12:57:41 UTC+0000
0x00000000  01 00 00 00 12 00 00 00 3c 82 87 d6 e5 0e cb 01   ........<.......

...............

REG_BINARY    UEME_RUNPATH:C:\Program Files\Internet Explorer\IEXPLORE.EXE :
ID:             1
Count:          3
Last updated:   2010-06-18 13:04:18 UTC+0000
0x00000000  01 00 00 00 08 00 00 00 90 d5 bf c2 e6 0e cb 01   ................

REG_BINARY    UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe :
ID:             1
Count:          1
Last updated:   2010-06-18 13:03:40 UTC+0000
0x00000000  01 00 00 00 06 00 00 00 c0 6b 06 ac e6 0e cb 01   .........k......
----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\mr_esclave\NTUSER.DAT
Key name: Count
Last updated: 2010-06-18 13:02:42 UTC+0000

Subkeys:

Values:

REG_BINARY    UEME_CTLSESSION :
0x00000000  34 77 58 0e 01 00 00 00                           4wX.....
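The ID, Count and Last updated fields that the plugin prints are decoded from the 16-byte REG_BINARY value shown in each hex dump line. The following added Python example (not part of the original post) re-does that decoding for one entry copied from the output above and checks it against the plugin's own fields; it assumes the Windows XP layout (uint32 session ID, uint32 raw run counter starting at 5, uint64 FILETIME), which is consistent with every entry shown on this page.

```python
"""Decode the raw UserAssist values printed by Volatility's userassist plugin
and check them against the ID / Count / Last updated lines it reports.
Assumed 16-byte XP/2003 layout (little-endian): uint32 session ID, uint32 raw
run count, uint64 FILETIME (100 ns ticks since 1601-01-01).  XP starts the run
counter at 5, so the plugin reports raw - 5.  SAMPLE_ENTRY is copied from the
output above (notepad.exe)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5  # Windows XP/2003 UserAssist counters start at 5

SAMPLE_ENTRY = r"""
REG_BINARY    UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe :
ID:             1
Count:          1
Last updated:   2010-06-18 13:03:40 UTC+0000
0x00000000  01 00 00 00 06 00 00 00 c0 6b 06 ac e6 0e cb 01   .........k......
"""

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def hexdump_line_to_bytes(line):
    """Volatility prints a 10-char offset, 2 spaces, 16 'xx ' columns, ASCII.
    Slice the fixed-width hex field so ASCII that happens to look like hex
    cannot be mistaken for data."""
    return bytes.fromhex(line[12:12 + 16 * 3].replace(" ", ""))

def decode_userassist(raw):
    """Return (session_id, reported_count, last_run) for a 16-byte entry."""
    if len(raw) != 16:
        raise ValueError("expected a 16-byte UEME_RUNPATH/UEME_RUNPIDL value")
    session, raw_count, ft = struct.unpack("<IIQ", raw)
    return session, raw_count - XP_COUNT_OFFSET, filetime_to_datetime(ft)

def verify_entry(entry_text):
    """Parse one plugin entry and compare the decoded fields with the
    reported ones.  Returns {'reported': ..., 'decoded': ..., 'match': bool}."""
    reported, raw = {}, None
    for line in entry_text.splitlines():
        if line.startswith("0x"):
            raw = hexdump_line_to_bytes(line)
        elif ":" in line and not line.startswith("REG_BINARY"):
            key, _, value = line.partition(":")
            reported[key.strip()] = value.strip()
    session, count, last_run = decode_userassist(raw)
    decoded = {
        "ID": str(session),
        "Count": str(count),
        "Last updated": last_run.strftime("%Y-%m-%d %H:%M:%S UTC+0000"),
    }
    return {"reported": reported, "decoded": decoded,
            "match": reported == decoded}

if __name__ == "__main__":
    result = verify_entry(SAMPLE_ENTRY)
    for key, value in result["decoded"].items():
        print("%-13s %s (plugin: %s)" % (key, value, result["reported"][key]))
    print("match:", result["match"])
```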