Directory: /pentest/forensics/volatility
Official Website: http://code.google.com/p/volatility/
License: GNU GPL v2
Volatility is probably the best open source memory analysis tool. It is written in Python, so it runs on any platform, and it can be extended with plugins, which are Python scripts as well, so you can easily write your own. It supports all major Windows and Linux versions (full list on their site) and most major memory dump formats.
Usage:
I will use a WinXP SP2 image for the examples, which I got for testing. It has a rootkit installed for study purposes.
./vol.py -h shows the help and lists all the plugins currently available.
To display the list of open sockets found in the memory, run:
./vol.py sockets -f /root/mem/winxp-mem.mdd
To display the list of processes, run the command below. It checks the memory dump with many different methods and tells us which method found each process and which did not:
./vol.py psxview -f /root/mem/winxp-mem.mdd
To get a list of recently run CLI commands, run (we can see in the results that the rootkit was being installed):
./vol.py cmdscan -f /root/mem/winxp-mem.mdd
To get a list of the registry hives found in memory, run:
./vol.py hivelist -f /root/mem/winxp-mem.mdd
Based on that we can do a hashdump; we need the locations of the SYSTEM and SAM hives for it. The command is:
./vol.py hashdump -y 0xe1018378 -s 0xe1496b60 -f /root/mem/winxp-mem.mdd
where -y specifies the location of the SYSTEM hive and -s the location of the SAM hive.
That's all; it has quite a few plugins, so play with it to discover more.
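The psxview step above is where a rootkit that unlinks its process from the active process list shows up: the process is missing from pslist but still found by the scanning and thread/handle views. The script below is an added example (not part of the original post or of Volatility itself) that parses saved psxview output and flags exactly those rows; the column layout follows the Volatility 2.x psxview plugin, and the sample output is constructed for illustration.

```python
"""Cross-check saved Volatility psxview output for processes some views miss.

Added example, not from the original post or from Volatility. It assumes the
columnar text layout of the Volatility 2.x psxview plugin: Offset(P), Name, PID,
then one True/False column per view. The sample below is constructed.
"""

# Constructed sample: 'rk.exe' is absent from the linked process list (pslist)
# yet found by pool-tag scanning (psscan) and the thread/handle/csrss views.
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0x01a2b3c0 System                    4 True   True   True     True    False
0x0a3d2da0 svchost.exe             628 True   True   True     True    True
0x0b1c4e20 rk.exe                 1844 False  True   True     True    True
0x0c2d5f10 cmd.exe                2012 True   True   False    True    True
"""

def parse_psxview(text):
    """Return one dict per process row, with each view's flag as a bool."""
    lines = [l for l in text.splitlines() if l.strip()]
    views = lines[0].split()[3:]            # column names after Offset, Name, PID
    rows = []
    for line in lines[2:]:                  # skip the header and dashed separator
        parts = line.split()
        flags = parts[-len(views):]         # parse from the right: names may hold spaces
        rows.append({
            "offset": parts[0],
            "pid": int(parts[-len(views) - 1]),
            "name": " ".join(parts[1:-len(views) - 1]),
            "views": {v: f == "True" for v, f in zip(views, flags)},
        })
    return rows

def hidden_processes(text):
    """Rows not in pslist but present in at least one other view.

    A process that psscan or the thread/handle views find while the linked
    process list does not is the classic sign of DKOM-style list unlinking.
    Returns (pid, name, [views that still see it]) tuples."""
    return [
        (r["pid"], r["name"], [v for v, seen in r["views"].items() if seen])
        for r in parse_psxview(text)
        if not r["views"]["pslist"] and any(r["views"].values())
    ]

if __name__ == "__main__":
    for pid, name, seen_in in hidden_processes(SAMPLE_PSXVIEW):
        print(f"PID {pid} ({name}) unlinked from pslist; still seen by {', '.join(seen_in)}")
```

Run the real plugin with its output redirected to a file and pass that file's contents to hidden_processes(); a process that only psscan sees can also be a normally exited process, so confirm with the other views before treating it as hidden.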