Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Some useful volatility plugins - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Some useful volatility plugins

In previous diaries I have talked about using volatility, in this diary I will talk about other plugins .

1-MBR parser:

mbrparser plugin will scans for and parses potential Master Boot Records (MBRs) in the memory image.

vol.py  --profile=Win7SP1x86 -f win7SP1.bin mbrparser

 

And the output would be similar to this

Volatility Foundation Volatility Framework 2.5

***************************************************************************

Potential MBR at physical offset: 0x600

Disk Signature: fd-04-bb-b7

Bootcode md5: 40b32fa4b4f6aae1c2c47c02a27b873e

Bootcode (FULL) md5: 0e8ac4f7d364af5e54b96b561712aa30

Disassembly of Bootable Code:

0000000600: 33c0                             XOR AX, AX

0000000602: 8ed0                             MOV SS, AX

0000000604: bc007c                           MOV SP, 0x7c00

 

 

As you can see the mbrparser will show the disk signature ,the bootcode md5 hash and it will disassemble the Bootable code.

2-MFT parser

mftparser plugin scans for potential Master File Table (MFT) entries in memory (using "FILE" and "BAAD" signatures) and prints out information for certain attributes, currently:  $FILE_NAME  ( $FN ),  $STANDARD_INFORMATION  ( $SI ),  $FN  and  $SI  attributes from the  $ATTRIBUTE_LIST ,  $OBJECT_ID

Vol.py  --profile=Win7SP1x86 -f win7SP1.bin mftparser –output-file=mft.txt

And here is a sampe otpur of the mftparser output

 

$STANDARD_INFORMATION

Creation                       Modified                       MFT Altered                    Access Date                    Type

------------------------------ ------------------------------ ------------------------------ ------------------------------ ----

2009-07-14 04:52:30 UTC+0000 2009-07-14 04:52:31 UTC+0000   2011-03-04 17:18:43 UTC+0000   2009-07-14 04:52:31 UTC+0000   Content not indexed

 

$FILE_NAME

Creation                       Modified                       MFT Altered                    Access Date                    Name/Path

------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------

2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   PROGRA~2\MICROS~1\User Account Pictures\DEFAUL~1

 

$FILE_NAME

Creation                       Modified                       MFT Altered                    Access Date                    Name/Path

------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------

2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   PROGRA~2\MICROS~1\User Account Pictures\Default Pictures

 

***************************************************************************

***************************************************************************

MFT entry found at offset 0x160c00

Attribute: In Use & Directory

Record Number: 295

Link count: 1

 

 

$STANDARD_INFORMATION

Creation                       Modified                       MFT Altered                    Access Date                    Type

------------------------------ ------------------------------ ------------------------------ ------------------------------ ----

2009-07-14 02:37:05 UTC+0000 2009-07-14 02:04:54 UTC+0000   2011-03-04 17:18:43 UTC+0000   2009-07-14 02:37:05 UTC+0000   Unknown Type

 

$FILE_NAME

Creation                       Modified                       MFT Altered                    Access Date                    Name/Path

------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------

2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   PROGRA~2\MICROS~1\Vault

 

***************************************************************************

***************************************************************************

MFT entry found at offset 0x2a9000

Attribute: In Use & File

Record Number: 18536

Link count: 2

 

 

$STANDARD_INFORMATION

Creation                       Modified                       MFT Altered                    Access Date                    Type

------------------------------ ------------------------------ ------------------------------ ------------------------------ ----

2010-11-20 21:29:06 UTC+0000 2010-11-20 21:29:06 UTC+0000   2011-03-04 17:16:41 UTC+0000   2010-11-20 21:29:06 UTC+0000   Archive

 

$FILE_NAME

Creation                       Modified                       MFT Altered                    Access Date                    Name/Path

------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------

2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   dnscmmc.dll

 

$FILE_NAME

Creation                       Modified                       MFT Altered                    Access Date                    Name/Path

------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------

2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   Windows\System32\dnscmmc.dll

 

$DATA

 

 

$OBJECT_ID

Object ID: 40000000-0000-0000-00b0-010000000000

Birth Volume ID: 00aa0100-0000-0000-00aa-010000000000

Birth Object ID: 311bcb11-0900-ada0-ffff-ffff82794711

Birth Domain ID: 00000000-0000-0000-0000-000000000000

 

 

3-  Userassists

 

UserAssist is GUI-based programs launched from the desktop are tracked in the launcher on a Windows System.

In Windows 7 machines users

NTUSER.DAT HIVE

NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count

Userassist plugin will scans the entire memory image and parse the userassit key.

vol.py --profile=Win7SP1x86 -f win7SP1.bin userassist --output-file=userassist.txt

 

----------------------------

Registry: \??\C:\Users\Daniel\ntuser.dat

Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count

Last updated: 2013-10-15 18:48:57 UTC+0000

 

Subkeys:

 

Values:

 

REG_BINARY    %windir%\system32\mspaint.exe :

Count:          10

Focus Count:    12

Time Focused:   0:03:40.594000

Last updated:   2013-10-15 18:46:16 UTC+0000

Raw Data:

0x00000000  00 00 00 00 0a 00 00 00 0c 00 00 00 be 5b 03 00   .............[..

0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................

0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................

0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 10 f1 72 d4   ..............r.

0x00000040  d6 c9 ce 01 00 00 00 00                           ........

 

 

 

Here is a sample output of userassist plugin ,the count entry shows the number of times that mspaint.exe has been executed

 

4-Shellbags :

Which folders were accessed on the local machine, the network, and/or removable devices. Evidence of previously existing folders after deletion/overwrite. When certain folders were accessed.

vol.py --profile=Win7SP1x86 -f win7SP1.bin shellbags --output-file=shellbags.txt

 

And here is a sample of the shellbags plugin

***************************************************************************

Registry: \??\C:\Users\Daniel\ntuser.dat

Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop

Last updated: 2013-10-15 18:45:30 UTC+0000

Value                     File Name      Modified Date                  Create Date                    Access Date                    File Attr                 Unicode Name

------------------------- -------------- ------------------------------ ------------------------------ ------------------------------ ------------------------- ------------

ItemPos1024x768x96(1)     GZIP-1~1.12-   2013-10-06 16:33:54 UTC+0000   2013-10-06 16:33:54 UTC+0000   2013-10-06 16:33:54 UTC+0000   DIR                       gzip-1.3.12-1-bin

ItemPos1024x768x96(1)     PROCES~1.31-   2013-10-15 18:13:28 UTC+0000   2013-10-15 18:13:28 UTC+0000   2013-10-15 18:13:28 UTC+0000   DIR                       processhacker-2.31-bin

ItemPos1024x768x96(1)     SYSINT~1       2011-03-04 14:39:26 UTC+0000   2011-03-04 14:39:26 UTC+0000   2011-03-04 14:39:26 UTC+0000   NI, DIR                   SysinternalsSuite

ItemPos1024x768x96(1)     TRUECR~1       2013-10-06 16:38:34 UTC+0000   2013-10-05 01:33:00 UTC+0000   2013-10-06 16:38:34 UTC+0000   DIR                       TrueCrypt

ItemPos1024x768x96(1)     nasm.lnk       2013-10-06 16:33:06 UTC+0000   2013-10-06 16:33:06 UTC+0000   2013-10-06 16:33:06 UTC+0000   ARC                       nasm.lnk

ItemPos1024x768x96(1)     PROCES~1.ZIP   2013-10-15 18:13:08 UTC+0000   2013-10-15 18:13:18 UTC+0000   2013-10-15 18:13:18 UTC+0000   ARC, NI                   processhacker-2.31-bin.zip

ItemPos1024x768x96(1)     TRUECR~1.ZIP   2013-10-05 01:32:24 UTC+0000   2013-10-05 01:32:30 UTC+0000   2013-10-05 01:32:30 UTC+0000   ARC, NI                   TrueCrypt 7.1a Source.zip

ItemPos1024x768x96(1)     WINSDK~1.EXE   2013-10-06 16:11:04 UTC+0000   2013-10-06 16:11:40 UTC+0000   2013-10-06 16:11:40 UTC+0000   ARC, NI                   winsdk_web.exe

ItemPos1024x768x96(1)     VMWARE~1.LNK   2013-10-15 18:45:08 UTC+0000   2013-10-06 19:16:02 UTC+0000   2013-10-15 18:45:08 UTC+0000   ARC                       VMware Shared Folders.lnk

*************************

 

 

 

 

 Basil

60 Posts
ISC Handler
Subscribe Jan 18th 2016
3 years ago
Might be useful: combine mbrparser output 'disk signature' with what is found in HKLM\SYSTEM\MountedDevices.
 cudeso

7 Posts
Quote Jan 19th 2016
3 years ago
You can set default volatility values and create file volatilityrc (Windows) or ~/.volatilityrc (Linux) in the same directory. No need to enter.

[DEFAULT]
PROFILE=Win7SP1x64
LOCATION=file:///C:\Case\LAPTOP-20160119.raw
 cudeso
1 Posts
Quote Jan 19th 2016
3 years ago

Sign Up for Free or Log In to start participating in the conversation!