Some useful volatility plugins
In previous diaries I have talked about using volatility, in this diary I will talk about other plugins .
1-MBR parser:
mbrparser plugin will scans for and parses potential Master Boot Records (MBRs) in the memory image.
|
vol.py --profile=Win7SP1x86 -f win7SP1.bin mbrparser |
And the output would be similar to this
|
Volatility Foundation Volatility Framework 2.5 *************************************************************************** Potential MBR at physical offset: 0x600 Disk Signature: fd-04-bb-b7 Bootcode md5: 40b32fa4b4f6aae1c2c47c02a27b873e Bootcode (FULL) md5: 0e8ac4f7d364af5e54b96b561712aa30 Disassembly of Bootable Code: 0000000600: 33c0 XOR AX, AX 0000000602: 8ed0 MOV SS, AX 0000000604: bc007c MOV SP, 0x7c00
|
As you can see the mbrparser will show the disk signature ,the bootcode md5 hash and it will disassemble the Bootable code.
2-MFT parser
mftparser plugin scans for potential Master File Table (MFT) entries in memory (using "FILE" and "BAAD" signatures) and prints out information for certain attributes, currently: $FILE_NAME ( $FN ), $STANDARD_INFORMATION ( $SI ), $FN and $SI attributes from the $ATTRIBUTE_LIST , $OBJECT_ID
|
Vol.py --profile=Win7SP1x86 -f win7SP1.bin mftparser –output-file=mft.txt |
And here is a sampe otpur of the mftparser output
|
$STANDARD_INFORMATION Creation Modified MFT Altered Access Date Type ------------------------------ ------------------------------ ------------------------------ ------------------------------ ---- 2009-07-14 04:52:30 UTC+0000 2009-07-14 04:52:31 UTC+0000 2011-03-04 17:18:43 UTC+0000 2009-07-14 04:52:31 UTC+0000 Content not indexed
$FILE_NAME Creation Modified MFT Altered Access Date Name/Path ------------------------------ ------------------------------ ------------------------------ ------------------------------ --------- 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 PROGRA~2\MICROS~1\User Account Pictures\DEFAUL~1
$FILE_NAME Creation Modified MFT Altered Access Date Name/Path ------------------------------ ------------------------------ ------------------------------ ------------------------------ --------- 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 PROGRA~2\MICROS~1\User Account Pictures\Default Pictures
*************************************************************************** *************************************************************************** MFT entry found at offset 0x160c00 Attribute: In Use & Directory Record Number: 295 Link count: 1
$STANDARD_INFORMATION Creation Modified MFT Altered Access Date Type ------------------------------ ------------------------------ ------------------------------ ------------------------------ ---- 2009-07-14 02:37:05 UTC+0000 2009-07-14 02:04:54 UTC+0000 2011-03-04 17:18:43 UTC+0000 2009-07-14 02:37:05 UTC+0000 Unknown Type
$FILE_NAME Creation Modified MFT Altered Access Date Name/Path ------------------------------ ------------------------------ ------------------------------ ------------------------------ --------- 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 PROGRA~2\MICROS~1\Vault
*************************************************************************** *************************************************************************** MFT entry found at offset 0x2a9000 Attribute: In Use & File Record Number: 18536 Link count: 2
$STANDARD_INFORMATION Creation Modified MFT Altered Access Date Type ------------------------------ ------------------------------ ------------------------------ ------------------------------ ---- 2010-11-20 21:29:06 UTC+0000 2010-11-20 21:29:06 UTC+0000 2011-03-04 17:16:41 UTC+0000 2010-11-20 21:29:06 UTC+0000 Archive
$FILE_NAME Creation Modified MFT Altered Access Date Name/Path ------------------------------ ------------------------------ ------------------------------ ------------------------------ --------- 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 dnscmmc.dll
$FILE_NAME Creation Modified MFT Altered Access Date Name/Path ------------------------------ ------------------------------ ------------------------------ ------------------------------ --------- 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 Windows\System32\dnscmmc.dll
$DATA
$OBJECT_ID Object ID: 40000000-0000-0000-00b0-010000000000 Birth Volume ID: 00aa0100-0000-0000-00aa-010000000000 Birth Object ID: 311bcb11-0900-ada0-ffff-ffff82794711 Birth Domain ID: 00000000-0000-0000-0000-000000000000
|
3- Userassists
UserAssist is GUI-based programs launched from the desktop are tracked in the launcher on a Windows System.
In Windows 7 machines users
NTUSER.DAT HIVE
NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count
Userassist plugin will scans the entire memory image and parse the userassit key.
|
vol.py --profile=Win7SP1x86 -f win7SP1.bin userassist --output-file=userassist.txt |
|
---------------------------- Registry: \??\C:\Users\Daniel\ntuser.dat Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count Last updated: 2013-10-15 18:48:57 UTC+0000
Subkeys:
Values:
REG_BINARY %windir%\system32\mspaint.exe : Count: 10 Focus Count: 12 Time Focused: 0:03:40.594000 Last updated: 2013-10-15 18:46:16 UTC+0000 Raw Data: 0x00000000 00 00 00 00 0a 00 00 00 0c 00 00 00 be 5b 03 00 .............[.. 0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................ 0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................ 0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 10 f1 72 d4 ..............r. 0x00000040 d6 c9 ce 01 00 00 00 00 ........
|
Here is a sample output of userassist plugin ,the count entry shows the number of times that mspaint.exe has been executed
4-Shellbags :
Which folders were accessed on the local machine, the network, and/or removable devices. Evidence of previously existing folders after deletion/overwrite. When certain folders were accessed.
|
vol.py --profile=Win7SP1x86 -f win7SP1.bin shellbags --output-file=shellbags.txt |
And here is a sample of the shellbags plugin
|
*************************************************************************** Registry: \??\C:\Users\Daniel\ntuser.dat Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop Last updated: 2013-10-15 18:45:30 UTC+0000 Value File Name Modified Date Create Date Access Date File Attr Unicode Name ------------------------- -------------- ------------------------------ ------------------------------ ------------------------------ ------------------------- ------------ ItemPos1024x768x96(1) GZIP-1~1.12- 2013-10-06 16:33:54 UTC+0000 2013-10-06 16:33:54 UTC+0000 2013-10-06 16:33:54 UTC+0000 DIR gzip-1.3.12-1-bin ItemPos1024x768x96(1) PROCES~1.31- 2013-10-15 18:13:28 UTC+0000 2013-10-15 18:13:28 UTC+0000 2013-10-15 18:13:28 UTC+0000 DIR processhacker-2.31-bin ItemPos1024x768x96(1) SYSINT~1 2011-03-04 14:39:26 UTC+0000 2011-03-04 14:39:26 UTC+0000 2011-03-04 14:39:26 UTC+0000 NI, DIR SysinternalsSuite ItemPos1024x768x96(1) TRUECR~1 2013-10-06 16:38:34 UTC+0000 2013-10-05 01:33:00 UTC+0000 2013-10-06 16:38:34 UTC+0000 DIR TrueCrypt ItemPos1024x768x96(1) nasm.lnk 2013-10-06 16:33:06 UTC+0000 2013-10-06 16:33:06 UTC+0000 2013-10-06 16:33:06 UTC+0000 ARC nasm.lnk ItemPos1024x768x96(1) PROCES~1.ZIP 2013-10-15 18:13:08 UTC+0000 2013-10-15 18:13:18 UTC+0000 2013-10-15 18:13:18 UTC+0000 ARC, NI processhacker-2.31-bin.zip ItemPos1024x768x96(1) TRUECR~1.ZIP 2013-10-05 01:32:24 UTC+0000 2013-10-05 01:32:30 UTC+0000 2013-10-05 01:32:30 UTC+0000 ARC, NI TrueCrypt 7.1a Source.zip ItemPos1024x768x96(1) WINSDK~1.EXE 2013-10-06 16:11:04 UTC+0000 2013-10-06 16:11:40 UTC+0000 2013-10-06 16:11:40 UTC+0000 ARC, NI winsdk_web.exe ItemPos1024x768x96(1) VMWARE~1.LNK 2013-10-15 18:45:08 UTC+0000 2013-10-06 19:16:02 UTC+0000 2013-10-15 18:45:08 UTC+0000 ARC VMware Shared Folders.lnk ************************* |
Comments
Anonymous
Jan 19th 2016
9 years ago
[DEFAULT]
PROFILE=Win7SP1x64
LOCATION=file:///C:\Case\LAPTOP-20160119.raw
Anonymous
Jan 19th 2016
9 years ago