Some useful volatility plugins - SANS Internet Storm Center

In previous diaries I have talked about using volatility, in this diary I will talk about other plugins .

1-MBR parser:

mbrparser plugin will scans for and parses potential Master Boot Records (MBRs) in the memory image.

vol.py --profile=Win7SP1x86 -f win7SP1.bin mbrparser

And the output would be similar to this

Volatility Foundation Volatility Framework 2.5

***************************************************************************

Potential MBR at physical offset: 0x600

Disk Signature: fd-04-bb-b7

Bootcode md5: 40b32fa4b4f6aae1c2c47c02a27b873e

Bootcode (FULL) md5: 0e8ac4f7d364af5e54b96b561712aa30

Disassembly of Bootable Code:

0000000600: 33c0 XOR AX, AX

0000000602: 8ed0 MOV SS, AX

0000000604: bc007c MOV SP, 0x7c00

As you can see the mbrparser will show the disk signature ,the bootcode md5 hash and it will disassemble the Bootable code.

2-MFT parser

mftparser plugin scans for potential Master File Table (MFT) entries in memory (using "FILE" and "BAAD" signatures) and prints out information for certain attributes, currently: $FILE_NAME ( $FN ), $STANDARD_INFORMATION ( $SI ), $FN and $SI attributes from the $ATTRIBUTE_LIST , $OBJECT_ID

Vol.py --profile=Win7SP1x86 -f win7SP1.bin mftparser –output-file=mft.txt

And here is a sampe otpur of the mftparser output

$STANDARD_INFORMATION

Creation Modified MFT Altered Access Date Type

------------------------------ ------------------------------ ------------------------------ ------------------------------ ----

2009-07-14 04:52:30 UTC+0000 2009-07-14 04:52:31 UTC+0000 2011-03-04 17:18:43 UTC+0000 2009-07-14 04:52:31 UTC+0000 Content not indexed

$FILE_NAME

Creation Modified MFT Altered Access Date Name/Path

------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------

2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 PROGRA~2\MICROS~1\User Account Pictures\DEFAUL~1

$FILE_NAME

Creation Modified MFT Altered Access Date Name/Path

------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------

2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 PROGRA~2\MICROS~1\User Account Pictures\Default Pictures

***************************************************************************

MFT entry found at offset 0x160c00

Attribute: In Use & Directory

Record Number: 295

Link count: 1

$STANDARD_INFORMATION

Creation Modified MFT Altered Access Date Type

------------------------------ ------------------------------ ------------------------------ ------------------------------ ----

2009-07-14 02:37:05 UTC+0000 2009-07-14 02:04:54 UTC+0000 2011-03-04 17:18:43 UTC+0000 2009-07-14 02:37:05 UTC+0000 Unknown Type

$FILE_NAME

Creation Modified MFT Altered Access Date Name/Path

------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------

2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 2011-03-04 17:15:12 UTC+0000 PROGRA~2\MICROS~1\Vault

***************************************************************************

MFT entry found at offset 0x2a9000

Attribute: In Use & File

Record Number: 18536

Link count: 2

$STANDARD_INFORMATION

Creation Modified MFT Altered Access Date Type

------------------------------ ------------------------------ ------------------------------ ------------------------------ ----

2010-11-20 21:29:06 UTC+0000 2010-11-20 21:29:06 UTC+0000 2011-03-04 17:16:41 UTC+0000 2010-11-20 21:29:06 UTC+0000 Archive

$FILE_NAME

Creation Modified MFT Altered Access Date Name/Path

------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------

2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 dnscmmc.dll

$FILE_NAME

Creation Modified MFT Altered Access Date Name/Path

------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------

2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 2011-03-04 17:16:41 UTC+0000 Windows\System32\dnscmmc.dll

$DATA

$OBJECT_ID

Object ID: 40000000-0000-0000-00b0-010000000000

Birth Volume ID: 00aa0100-0000-0000-00aa-010000000000

Birth Object ID: 311bcb11-0900-ada0-ffff-ffff82794711

Birth Domain ID: 00000000-0000-0000-0000-000000000000

3- Userassists

UserAssist is GUI-based programs launched from the desktop are tracked in the launcher on a Windows System.

In Windows 7 machines users

NTUSER.DAT HIVE

NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count

Userassist plugin will scans the entire memory image and parse the userassit key.

vol.py --profile=Win7SP1x86 -f win7SP1.bin userassist --output-file=userassist.txt

----------------------------

Registry: \??\C:\Users\Daniel\ntuser.dat

Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count

Last updated: 2013-10-15 18:48:57 UTC+0000

Subkeys:

Values:

REG_BINARY %windir%\system32\mspaint.exe :

Count: 10

Focus Count: 12

Time Focused: 0:03:40.594000

Last updated: 2013-10-15 18:46:16 UTC+0000

Raw Data:

0x00000000 00 00 00 00 0a 00 00 00 0c 00 00 00 be 5b 03 00 .............[..

0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................

0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................

0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 10 f1 72 d4 ..............r.

0x00000040 d6 c9 ce 01 00 00 00 00 ........

Here is a sample output of userassist plugin ,the count entry shows the number of times that mspaint.exe has been executed

4-Shellbags :

Which folders were accessed on the local machine, the network, and/or removable devices. Evidence of previously existing folders after deletion/overwrite. When certain folders were accessed.

vol.py --profile=Win7SP1x86 -f win7SP1.bin shellbags --output-file=shellbags.txt

And here is a sample of the shellbags plugin

***************************************************************************

Registry: \??\C:\Users\Daniel\ntuser.dat

Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop

Last updated: 2013-10-15 18:45:30 UTC+0000

Value File Name Modified Date Create Date Access Date File Attr Unicode Name

------------------------- -------------- ------------------------------ ------------------------------ ------------------------------ ------------------------- ------------

ItemPos1024x768x96(1) GZIP-1~1.12- 2013-10-06 16:33:54 UTC+0000 2013-10-06 16:33:54 UTC+0000 2013-10-06 16:33:54 UTC+0000 DIR gzip-1.3.12-1-bin

ItemPos1024x768x96(1) PROCES~1.31- 2013-10-15 18:13:28 UTC+0000 2013-10-15 18:13:28 UTC+0000 2013-10-15 18:13:28 UTC+0000 DIR processhacker-2.31-bin

ItemPos1024x768x96(1) SYSINT~1 2011-03-04 14:39:26 UTC+0000 2011-03-04 14:39:26 UTC+0000 2011-03-04 14:39:26 UTC+0000 NI, DIR SysinternalsSuite

ItemPos1024x768x96(1) TRUECR~1 2013-10-06 16:38:34 UTC+0000 2013-10-05 01:33:00 UTC+0000 2013-10-06 16:38:34 UTC+0000 DIR TrueCrypt

ItemPos1024x768x96(1) nasm.lnk 2013-10-06 16:33:06 UTC+0000 2013-10-06 16:33:06 UTC+0000 2013-10-06 16:33:06 UTC+0000 ARC nasm.lnk

ItemPos1024x768x96(1) PROCES~1.ZIP 2013-10-15 18:13:08 UTC+0000 2013-10-15 18:13:18 UTC+0000 2013-10-15 18:13:18 UTC+0000 ARC, NI processhacker-2.31-bin.zip

ItemPos1024x768x96(1) TRUECR~1.ZIP 2013-10-05 01:32:24 UTC+0000 2013-10-05 01:32:30 UTC+0000 2013-10-05 01:32:30 UTC+0000 ARC, NI TrueCrypt 7.1a Source.zip

ItemPos1024x768x96(1) WINSDK~1.EXE 2013-10-06 16:11:04 UTC+0000 2013-10-06 16:11:40 UTC+0000 2013-10-06 16:11:40 UTC+0000 ARC, NI winsdk_web.exe

ItemPos1024x768x96(1) VMWARE~1.LNK 2013-10-15 18:45:08 UTC+0000 2013-10-06 19:16:02 UTC+0000 2013-10-15 18:45:08 UTC+0000 ARC VMware Shared Folders.lnk

*************************

Basil

59 Posts
ISC Handler

Might be useful: combine mbrparser output 'disk signature' with what is found in HKLM\SYSTEM\MountedDevices.

cudeso

7 Posts

You can set default volatility values and create file volatilityrc (Windows) or ~/.volatilityrc (Linux) in the same directory. No need to enter.

[DEFAULT]
PROFILE=Win7SP1x64
LOCATION=file:///C:\Case\LAPTOP-20160119.raw

cudeso
1 Posts