SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-12-16



Some Memory Forensic with Forensic Suite (Volatility plugins)

Published: 2014-12-16
Last Updated: 2014-12-16 18:17:15 UTC
by Basil Alawi S.Taher (Version: 1)

In previous diaries we have talked about memory forensics and how important it is.

In this diary I will talk about a new set of Volatility plugins called Forensic Suite, written by Dave Lasalle.

The suite contains 14 plugins covering different areas of memory forensics.

The Forensic Suite can be obtained from http://downloads.volatilityfoundation.org/contest/2014/DaveLasalle_ForensicSuite.zip.

In this diary I will talk about some of the plugins.

Firefox history:

To test this plugin, I first browsed the internet using Firefox, then closed it to see how much data the firefoxhistory plugin can obtain from a memory image that I acquired after closing Firefox.

The firefoxhistory plugin parses places.sqlite from memory and prints the output to the screen, or you can direct it to a CSV file using the --output=csv option. With --output=csv you can work with the data in spreadsheet software such as MS Excel:

vol.py --plugin=plugins/ --profile=Win7SP1x86 --output=csv  -f sampleimage.raw firefoxhistory > firefoxhistory.csv

Firefox cookies:

Another Firefox forensics plugin is firefoxcookies, which parses cookies.sqlite from memory and shows the output on the screen or writes it to a CSV file:

vol.py --plugin=plugins/ --profile=Win7SP1x86 --output=csv  -f sampleimage.raw firefoxcookies > firefoxcookies.csv


Forensic Suite supports Chrome forensics as well; with the same syntax you can parse Chrome history, cookies and downloads from memory.

JAVA IDX Parser:

Many malicious JAR files can be traced through Java IDX cache files; Forensic Suite has a plugin that scans memory for IDX files and parses them:

vol.py --plugin=plugins/ --profile=Win7SP1x86 -f sampleimage.raw idxparser

And here is the output:

Volatility Foundation Volatility Framework 2.4

Scanning for IDX files, this can take a while.............

--------------------------------------------------------------------------------

[*] Section 1 (Metadata) found:

Content length: 1624

Last modified date: Tue, 01 Feb 2005 18:28:24 GMT (epoch: 1107282504)

Section 2 length: 270

[*] Section 2 (Download History) found:

URL: http://java.com/jsp_utils/jreCheck.class

IP: 137.254.16.66

: HTTP/1.1 200 OK

content-length: 1624

last-modified: Tue, 01 Feb 2005 18:28:24 GMT

content-type: application/java-vm

date: Mon, 13 Feb 2012 04:21:28 GMT

server: Sun-Java-System-Web-Server/7.0

--------------------------------------------------------------------------------
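Once idxparser output is captured, a small script can turn each record into a triage row and cross-check the section 1 metadata against the section 2 HTTP headers (a cached file whose stored content length or last-modified time disagrees with the server headers deserves a closer look). This is an added Python example, not code from the diary or from the Forensic Suite; the embedded sample is the plugin output shown above, and the consistency checks are this script's own, not something the plugin does.

```python
import re
from datetime import datetime, timezone
# Sample input: the idxparser output shown in the diary above, embedded so the script runs offline.
SAMPLE_OUTPUT = """Scanning for IDX files, this can take a while.............
--------------------------------------------------------------------------------
[*] Section 1 (Metadata) found:
Content length: 1624
Last modified date: Tue, 01 Feb 2005 18:28:24 GMT (epoch: 1107282504)
Section 2 length: 270
[*] Section 2 (Download History) found:
URL: http://java.com/jsp_utils/jreCheck.class
IP: 137.254.16.66
: HTTP/1.1 200 OK
content-length: 1624
last-modified: Tue, 01 Feb 2005 18:28:24 GMT
--------------------------------------------------------------------------------
"""
SEP_RE, EPOCH_RE = re.compile(r"^-{20,}\s*$", re.M), re.compile(r"\(epoch: (\d+)\)")

def _pairs(block):
    """Yield (key, value) for every 'key: value' line in block, skipping the [*] markers."""
    for line in block.splitlines():
        if ":" in line and not line.startswith("[*]"):
            key, value = line.split(":", 1)
            yield key.strip(), value.strip()

def parse_idx_records(text):
    """Split idxparser output on its dashed separators and yield one dict per IDX record."""
    for chunk in SEP_RE.split(text):
        if "[*] Section 1" not in chunk:
            continue  # banner before the first record, or trailing whitespace
        meta, _, history = chunk.partition("[*] Section 2 (Download History) found:")
        rec = dict(_pairs(meta), headers={})
        for key, value in _pairs(history):
            if key in ("URL", "IP"):
                rec[key] = value
            else:
                rec["headers"][key.lower()] = value  # the "" key holds the HTTP status line
        yield rec

def check_record(rec):
    """Cross-check section 1 metadata against the section 2 HTTP headers; return a list of findings."""
    findings, hdr = [], rec["headers"]
    if rec.get("Content length") != hdr.get("content-length"):
        findings.append("content length in metadata differs from content-length header")
    epoch = EPOCH_RE.search(rec.get("Last modified date", ""))
    if epoch and "last-modified" in hdr:
        hdr_dt = datetime.strptime(hdr["last-modified"], "%a, %d %b %Y %H:%M:%S %Z")
        if hdr_dt.replace(tzinfo=timezone.utc) != datetime.fromtimestamp(int(epoch.group(1)), tz=timezone.utc):
            findings.append("last-modified header disagrees with metadata epoch")
    return findings
```

Feed it the saved output of the idxparser command and print `rec["URL"]`, `rec["IP"]` and `check_record(rec)` for each record to get a quick list of cached Java downloads with any inconsistencies flagged.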
