Back in Time Memory Forensics
You might get a case where you have only a disk image and no memory image, or you have a memory image but wish you had one from further back in time. With the hibernation file (hiberfil.sys), the page file (pagefile.sys) and crash dumps that might be possible, and if you are lucky you may be able to recover older copies of them from Volume Shadow Copies, which are enabled by default on most modern Windows versions. From a forensic point of view the hibernation file is the most useful of these, since it is a compressed copy of physical memory written at hibernation time.
“hiberfil.sys is the file used by default by Microsoft Windows to save the machine's state as part of the hibernation process. The operating system also keeps an open file handle to this file, so no user, including the Administrator, can read the file while the system is running.”[1]
If you have a disk image of Windows Vista or later, you can check whether an earlier copy of hiberfil.sys exists in a Volume Shadow Copy (created by the Volume Snapshot Service). That copy might predate the malware infection or compromise, or it might contain artifacts that have since been deleted.
To check your image for previous versions of hiberfil.sys and restore them, you can use libvshadow by Joachim Metz[2].
Once you have recovered the desired version of hiberfil.sys: the Volatility framework can examine hiberfil.sys directly, but that is very slow, so it is better to convert it to a raw memory image first.
vol.py -f hiberfil.sys --profile=Win7SP1x64 imagecopy -O rawimage.img
In the above example I used the imagecopy plugin to do the conversion; the profile has to match the exact Windows version and service pack level of the imaged system (if you are not sure, run imageinfo against the hiberfil first). Another option is Hibr2Bin (hibr2bin.exe) by Matt Suiche.[3]
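As an added example (not part of the diary, and not libvshadow's or Volatility's own code), here is the whole procedure as a shell script: list the shadow copies of the raw disk image, expose each one with vshadowmount, mount it read-only, copy out hiberfil.sys and convert it with imagecopy. The image name, partition start sector, profile and working directory are assumptions set at the top; take the real start sector from mmls.

```shell
#!/bin/sh
# Added example, not code from the ISC diary or from libvshadow/Volatility: recover every
# hiberfil.sys version kept in the Volume Shadow Copies of a raw disk image and convert
# each one to a raw memory image with the imagecopy plugin.
# Assumptions (all hypothetical, override through the environment):
#   IMAGE        raw (dd) disk image
#   START_SECTOR start sector of the NTFS system partition, as reported by `mmls "$IMAGE"`
#   PROFILE      Volatility profile matching the imaged OS (run imageinfo if unsure)
#   WORK         scratch directory for mount points and recovered files
# Requires vshadowinfo/vshadowmount (libvshadow), ntfs-3g, fusermount and vol.py on PATH,
# and root for the mount steps.
set -eu

IMAGE="${IMAGE:-disk.dd}"
START_SECTOR="${START_SECTOR:-2048}"
PROFILE="${PROFILE:-Win7SP1x64}"
WORK="${WORK:-./vss_work}"

# libvshadow wants the byte offset of the volume inside the image: sector * sector size.
partition_offset() {
    echo $(( $1 * ${2:-512} ))
}

# Name each recovered copy after the store it came from, so it can be matched with the
# creation time vshadowinfo printed for that store.
recovered_name() {
    printf 'hiberfil_%s.sys' "$1"
}

extract_hiberfils() {
    off=$(partition_offset "$START_SECTOR")
    mkdir -p "$WORK/vss" "$WORK/out"

    # Store list with creation times: this is where you pick the snapshot that predates
    # the suspected compromise.
    vshadowinfo -o "$off" "$IMAGE"

    # Expose the stores as $WORK/vss/vss1, vss2, ... (read-only FUSE files).
    vshadowmount -o "$off" "$IMAGE" "$WORK/vss"

    for store in "$WORK"/vss/vss*; do
        name=$(basename "$store")
        mnt="$WORK/mnt_$name"
        mkdir -p "$mnt"
        # Read-only NTFS mount of the snapshot; show_sys_files also exposes $MFT and the
        # other metafiles in case you want them from the same snapshot.
        mount -o ro,loop,show_sys_files,streams_interface=windows "$store" "$mnt"
        if [ -f "$mnt/hiberfil.sys" ]; then
            out="$WORK/out/$(recovered_name "$name")"
            cp "$mnt/hiberfil.sys" "$out"
            # The hibernation file is compressed; convert once so later plugins
            # do not decompress on every run.
            vol.py -f "$out" --profile="$PROFILE" imagecopy -O "$WORK/out/$name.raw"
        else
            echo "$name: no hiberfil.sys in this snapshot" >&2
        fi
        umount "$mnt"
    done
    fusermount -u "$WORK/vss"
}

# The mount steps need root and the real tools, so only run them on explicit request:
#   sudo IMAGE=disk.dd START_SECTOR=206848 ./recover_hiberfil.sh run
if [ "${1:-}" = "run" ]; then
    extract_hiberfils
fi
```

Keep the vshadowinfo listing with the case notes: the store creation time is what lets you say "this memory state is from before date X", which is the whole point of going back in time.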
Now let’s examine our image
vol.py -f rawimage.img --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.4
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccca9e0 System                    4      0    112      567 ------      0 2012-03-15 22:34:19 UTC+0000
0xfffffa800d2b5b30 smss.exe                228      4      3       35 ------      0 2012-03-15 22:34:19 UTC+0000
0xfffffa800e8862f0 csrss.exe               352    344      9      869      0      0 2012-03-15 22:34:44 UTC+0000
0xfffffa800cd049f0 csrss.exe               404    396      9       78      1      0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9a8060 wininit.exe             436    344      3       77      0      0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9a7860 winlogon.exe            444    396      4       94      1      0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9df060 services.exe            508    436      9      274      0      0 2012-03-15 22:34:55 UTC+0000
0xfffffa800e9e3850 lsass.exe               516    436      8      942      0      0 2012-03-15 22:34:56 UTC+0000
0xfffffa800e9ea910 lsm.exe                 524    436     14      311      0      0 2012-03-15 22:34:56 UTC+0000
0xfffffa800ea45860 svchost.exe             612    508     11      375      0      0 2012-03-15 22:35:05 UTC+0000
0xfffffa800ea779f0 svchost.exe             688    508     11      364      0      0 2012-03-15 22:35:08 UTC+0000
0xfffffa800ea94b30 LogonUI.exe             764    444      8      201      1      0 2012-03-15 22:35:09 UTC+0000
0xfffffa800eaa8b30 svchost.exe             772    508     22      522      0      0 2012-03-15 22:35:09 UTC+0000
0xfffffa800eaceb30 svchost.exe             832    508     21      517      0      0 2012-03-15 22:35:10 UTC+0000
0xfffffa800ead2b30 svchost.exe             856    508     45     1402      0      0 2012-03-15 22:35:10 UTC+0000
0xfffffa800eb16b30 svchost.exe             972    508     22      395      0      0 2012-03-15 22:35:12 UTC+0000
0xfffffa800eb4d730 svchost.exe             292    508     25      697      0      0 2012-03-15 22:35:14 UTC+0000
0xfffffa800eb51b30 spoolsv.exe             924    508     14      337      0      0 2012-03-15 22:35:26 UTC+0000
0xfffffa800ebd5820 svchost.exe             360    508     21      332      0      0 2012-03-15 22:35:27 UTC+0000
0xfffffa800ec5e650 FireSvc.exe            1168    508     21      349      0      0 2012-03-15 22:35:32 UTC+0000
And let's check the network connections:
vol.py -f rawimage.img --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.4
Offset(P)  Proto  Local Address     Foreign Address    State        Pid   Owner          Created
0x3636300  UDPv4  0.0.0.0:0         *:*                             3736  Skype.exe      2012-04-06 13:09:31 UTC+0000
0x959f010  TCPv4  10.3.58.6:62978   72.14.204.138:80   FIN_WAIT1    7508  chrome.exe
0x29933cf0 TCPv4  10.3.58.6:62979   72.14.204.102:80   FIN_WAIT1    7508  chrome.exe
0x2ac90a50 TCPv4  -:62088           14.0.33.84:80      CLOSED       7508  chrome.exe
0x4ce8d610 TCPv4  -:62054           -:80               CLOSED       7508  chrome.exe
0x578b2430 UDPv6  ::1:53608         *:*                             2784  svchost.exe    2012-04-06 13:59:31 UTC+0000
0x58b9ecf0 TCPv4  10.3.58.6:445     10.3.58.7:2034     ESTABLISHED  4     System
0x5a690290 TCPv4  127.0.0.1:5678    127.0.0.1:62149    ESTABLISHED  4256  svchost.exe
0x72b40010 TCPv4  10.3.58.6:62854   74.217.78.140:80   FIN_WAIT1    7508  chrome.exe
0x7c488410 UDPv4  127.0.0.1:1900    *:*                             2784  svchost.exe    2012-03-20 03:53:45 UTC+0000
0x7c4eaec0 UDPv4  127.0.0.1:53609   *:*                             2784  svchost.exe    2012-04-06 13:59:31 UTC+0000
0x7c5173c0 TCPv4  10.3.58.6:62795   64.12.152.17:80    FIN_WAIT1    7508  chrome.exe
Now let's check the autostart entries using the autoruns plugin:
vol.py -f rawimage.img --profile=Win7SP1x64 autoruns -t autoruns
Autoruns
=========================================

Hive: \??\C:\Users\SRL-Helpdesk\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-03-15 21:20:12 UTC+0000)
        Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)
        Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2010-11-10 18:57:47 UTC+0000)
        mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \SystemRoot\System32\Config\SOFTWARE
    Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-09-16 20:57:09 UTC+0000)
        VMware User Process : "C:\Program Files\VMware\VMware Tools\VMwareUser.exe" (PIDs: 8984, 4916)
        VMware Tools : "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" (PIDs: 6744, 1844)
        McAfee Host Intrusion Prevention Tray : "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe" (PIDs: -)
    Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:53:13 UTC+0000)
        ShStatEXE : "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (PIDs: -)
        Adobe Reader Speed Launcher : "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" (PIDs: -)
        McAfeeUpdaterUI : "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey (PIDs: -)
        svchost : c:\windows\system32\dllhost\svchost.exe (PIDs: 4256)
        Adobe ARM : "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" (PIDs: -)

Hive: \??\C:\Users\vibranium\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:03:53 UTC+0000)
        Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2012-04-05 17:03:53 UTC+0000)
        mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
        Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2010-11-10 18:57:47 UTC+0000)
        mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Users\nfury\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-08-25 21:51:37 UTC+0000)
        Google Update : "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe" /c (PIDs: 3968)
        Skype : "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized (PIDs: 3736)
Comments
See https://technet.microsoft.com/en-us/security/dn261332.aspx and https://support.microsoft.com/en-us/kb/2719662 for why you should not just fix this bloody beginner's error, but remove these command lines completely.
Anonymous
Sep 27th 2016
Some people at Google obviously can't distinguish "%LOCALAPPDATA%"^Wapplication data from "%ProgramFiles%"^Wprogram code and practice gross negligence.
KICK THEM!
Anonymous
Sep 27th 2016
> Some people at Google obviously can't distinguish "%LOCALAPPDATA%"^Wapplication data
> from "%ProgramFiles%"^Wprogram code and practice gross negligence.
Hmm. If 'nfury' was _NOT_ an administrator-level account,
then the Google software would install somewhere into that user's own file-tree,
because the account would have _NO_ permission to install into "%ProgramFiles%" .
Here's one to the principle of "least privilege".
Anonymous
Sep 27th 2016
> Some people at Google obviously can't distinguish "%LOCALAPPDATA%"^Wapplication data
> from "%ProgramFiles%"^Wprogram code and practice gross negligence.
> Hmm. If 'nfury' was _NOT_ an administrator-level account,
> then the Google software would install somewhere into that user's own file-tree,
> because the account would have _NO_ permission to install into "%ProgramFiles%" .
Which IS the outright abomination: program code MUST NEVER be installed in a user-writable location.
> Here's one to the principle of "least privilege".
OUCH!
This principle means that you should run with the least privileges sufficient for a task. It does NOT mean that you should violate the principles of "privilege separation" and "write XOR execute".
Anonymous
Sep 27th 2016