Welcome back, everyone. Today we're going to be doing a little bit more in-depth analysis of a memory image that we might not know anything about, but we are going to use the tool Volatility, and I'll give a link to that tool. We'll use Volatility for doing a little bit more analysis. Volatility is a very big framework (I'll move this over here in a second) which we can get information about. Basically, it's a community-built framework for doing a lot of different tasks in a lot of different versions of, for example, Windows and Linux and OS X. We can analyze memory in depth, much, much more than what we were talking about before, where we were just basically looking for keywords or extracting data structures. Volatility actually goes in and tries to reconstruct and parse out all of this data. So they have a lot of different functions, and it's a very large and very robust tool, and is one of the best memory analysis tools that are available. It also happens to be free, which is very good.

So today we're going to be using Volatility, some basic functions of Volatility, to do some basic analysis of this exercise1.raw image that we have. I'm going to run Volatility; I have it installed in /opt/volatility/vol.py, and this is where I have installed it on my Linux workstation. Volatility also works for Windows and OS X; this is just where I installed it on mine. So to first just look at what options are available, we can run python and then this vol.py -h, and that should show me all of the different options that are installed that I can use.

Okay, so these are a lot of different options that we can use here, and it gives me some information on how to run it. We have to specify, for example, profiles and things like that. So now we're going to go through and use some of these. So one of the first ones that I want to talk about is, where is it?
imageinfo. Okay, so right now we don't know anything about this memory image, so we can use imageinfo to try to get more information about this image. We can do that by essentially running python /opt... Let me clear this out so you can actually see it. python /opt/volatility/vol.py, and then we need to give it the image that we have, so here exercise1.raw. Okay, so here I have python /opt/volatility/vol.py, which is the location of my Volatility Python script; -f tells me the file that I want to analyze; and then we can just run the module that we want, so here we say imageinfo. Okay, so now it's trying to go through and figure out what it can about this image.

Okay, so we can see a couple of different things: the time that the image was created, the time and date, the local time and date, the number of processors for this system, and, right, some of the most important things, for example, is this suggested profiles, because we have to use a profile if we want to be able to analyze this system. So it's suggesting Windows 7 SP1 x64, Windows 2008, Windows 2008, Windows 7, Windows 2008, so we need to use one of these profiles. And what we are going to choose here is just, let's try the first profile. If you start to get errors or you're not getting all the information that you expect to be getting, then it might be because you chose the wrong profile here, but this should give us an idea. Let's just copy that and give us an idea of what's going on.

So suggested profiles suggest where this memory image came from, which is why it's so important, if you can, to document what type of system your memory image is coming from. So whenever we were copying memory, when we were doing our memory acquisitions, we would name our memory image, for example, windows10pro_x64_6GB or something like that, and that is for whenever we're doing more in-depth analysis and we need to know the data structures of, for example, the process lists or whatever in the Windows system that we're looking at, and they change depending
on the version of Windows. Okay, so now that we know, we have an idea of the suggested profile, let's say that we want to find all of the processes that were running in the system whenever this memory image was taken. So we can do, let's go back up, instead of imageinfo, I now know the profile, or I think I know the profile, so we can use --profile and then equals, and then I had it pasted here, paste Win7SP1x64 in this case, and then we can run pslist, and this will give us all of the processes, the process list that was available in the system at the time. So let's run that and see what happens. Okay, so now we have all of these different processes that were running in the system, with their PIDs, the times and everything like that. So now we can see all of the different processes that were running and basically all the information that we would kind of expect to be able to find in a system if it were on. Reconstructing this from memory, however, is quite difficult, so Volatility reconstructing this really, really helps us a lot.

We can also look, for example, at the different network activity. So here, instead of pslist, we can use the command netscan. So here I have python vol.py, my file is exercise1.raw, my profile is --profile=Win7SP1x64, and I want to run netscan to look at current network connections, network connections that were active at the time. Okay, so now it's running through and I can see all of the active, or basically established, closed, listening, all the different types of network connections that are available, and the process or the owner of this network connection. So then we can go through and see if there's anything suspicious here. We can see what websites the computer was connecting to; if there was, you know, a peer-to-peer network, what was that peer-to-peer network doing; if there's a virus or something like that, are there any network connections being established from the virus?
So those types of things. Now we can filter this out. Notice this is a lot of data. So let's say that we are specifically interested in all of the network connections that are closed. So just like we did whenever we were doing basic keyword searching for memory, we can use grep and then -vi and then closed, and what -vi does is basically say we don't care about the upper case or lower case, so then we will filter out, -vi is filter out, all of the closed connections. So we should just get listening and established connections from this. So we're saying I don't want to show closed, and I don't care about the capitals here, so all of this information should be removed. Okay.

So one good thing about Volatility, well, there's a lot of good things, but one good thing is that we can pipe all of these commands into another command, for example for filtering or for keyword searching, or maybe we want to look for a particular process. So we can do that quite easily. So now we have these established connections, and yeah, we can look at the different connections that are being made, the different ports, and the processes, or the owner, that is running these different connections.

Okay, so now we'll imagine that we want to try to detect some potentially malicious program. We would have to go through, for example, pslist and then maybe psscan and some other commands, and compare all of those manually to be able to see if a virus or some malware has been trying to hide its traces or remove itself from some of these lists. So Volatility has this quite nice tool called psxview, and what this will do is go through and essentially compare the output of all of these different commands and see whether something has been listed or not. So in psxview here, we have when a process was exited.
So if we have, for example... So it shows the PID, the name, the offset, and if we have pslist, psscan, thrdproc, pspcid, csrss and session, all of these different things. And what we find is, if some of these are, for example, removed, if we have pslist, it's removed, but it's true in all... If it's false in pslist but it's true in all of these others, well, this might be suspicious, actually, just because why should it not show up in pslist but show up everywhere else? We can still find it running in the system, but it's kind of removed it or detached itself from pslist. Now we look at some of these other ones, for example down here, we see false, true, false, false, false. Now some of these could just have exited, basically, and in these cases we have exit times. So to see true and a bunch of falses, maybe that could be a flag, but probably not so suspicious. The really, really suspicious one would be where you have a, where was it, you have a false and then you have a bunch of trues. So in this case, it looks like this process actually might be trying to hide itself.
So we can use psxview to try to get a comparison of all of these different, essentially, process information that Volatility gives, to figure out if something is a little bit suspicious and we need to dig into it a little bit more.

Okay, so Volatility has a lot of different options and we can't talk about all of them today, but it really depends on what you're trying to do. For example, truecryptpassphrase, truecryptsummary: if somebody was using TrueCrypt, it will try to extract TrueCrypt keys from memory. shellbags can print shellbag information, which you can use to prove that a user was accessing specific folders. Let's see if there's anything else here. Scan for registry hives, basically dump the hives. Dumps password hashes from memory: if there are basically Windows password hashes in memory, it will dump those, and then you can try to crack them or break them, which might be useful for accessing other things, not only the computer. Dumping certificates, looking at trees, looking at different connections that have been made, looking at different command line arguments to processes, extract contents of the Windows clipboard, which, think about the things that you normally put in the clipboard, it might be passwords, it might be credit card numbers, things like that. So Volatility has a lot of different things. We just focused really on looking at process lists and connections here, but it does a lot more.

So that is it for today. Thank you very much.
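As an added example (not part of the video and not Volatility's own code), the script below applies the two checks from the walkthrough to saved tool output instead of eyeballing it: the `grep -vi closed` filter on netscan, and the psxview rule that a process reported False by pslist but True by the other sources deserves a closer look, while a row with an exit time and mostly False columns is just an exited process. The psxview and netscan text is constructed sample output in the Volatility 2 column layout; the process names, PIDs, addresses and the "at least 4 of the 6 other sources" threshold are assumptions, not values from the exercise1.raw image.

```python
from collections import namedtuple

# Constructed sample psxview output (Volatility 2 layout); not from the video's image.
PSXVIEW_OUTPUT = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0xfffffa8001a2b060 explorer.exe           1234 True   True   True     True   True  True    True
0xfffffa8001b3c5a0 sample.exe             2001 False  True   True     True   True  True    True
0xfffffa8001c4d9e0 notepad.exe            3456 True   False  False    False  False False   False    2020-01-01 10:00:00 UTC+0000
0xfffffa8001d5e120 svchost.exe             700 True   True   True     True   True  True    True
"""

# Constructed sample netscan output (TCP rows only; UDP rows leave State blank).
NETSCAN_OUTPUT = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d602a60         TCPv4    192.168.1.10:49160             203.0.113.7:443      ESTABLISHED      2001     sample.exe
0x7d60a3c0         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        700      svchost.exe
0x7d612f80         TCPv4    192.168.1.10:49161             203.0.113.9:80       CLOSED           1234     explorer.exe
0x7d61c1a0         TCPv4    192.168.1.10:49162             203.0.113.9:80       closed           1234     explorer.exe
"""

# Boolean columns psxview prints after Offset, Name and PID.
PSX_COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")
HIDDEN_MIN_TRUE = 4  # assumed threshold: "false in pslist, a bunch of trues elsewhere"

PsxRow = namedtuple("PsxRow", "offset name pid sources exit_time")
NetRow = namedtuple("NetRow", "proto local foreign state pid owner")


def parse_psxview(text):
    """Turn psxview's table into rows; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        parts = line.split()
        offset, name, pid = parts[0], parts[1], int(parts[2])
        flags = parts[3:3 + len(PSX_COLUMNS)]
        sources = {col: val == "True" for col, val in zip(PSX_COLUMNS, flags)}
        # Anything after the seven flags is the (optional) ExitTime.
        exit_time = " ".join(parts[3 + len(PSX_COLUMNS):]) or None
        rows.append(PsxRow(offset, name, pid, sources, exit_time))
    return rows


def classify(row):
    """Apply the walkthrough's reading of a psxview row."""
    others = [v for k, v in row.sources.items() if k != "pslist"]
    if row.exit_time:
        return "EXITED"        # true + many falses with an exit time: not so suspicious
    if not row.sources["pslist"] and sum(others) >= HIDDEN_MIN_TRUE:
        return "HIDDEN"        # missing from pslist yet seen by the other sources
    if all(row.sources.values()):
        return "OK"
    return "REVIEW"            # any other mix: look at it by hand


def drop_closed(text):
    """Same effect as piping netscan into `grep -vi closed`."""
    return [line for line in text.splitlines() if "closed" not in line.lower()]


def parse_netscan(lines):
    """Parse TCP rows of netscan output (assumption: State column is present)."""
    rows = []
    for line in lines:
        if not line.startswith("0x"):
            continue
        p = line.split()
        rows.append(NetRow(p[1], p[2], p[3], p[4], int(p[5]), p[6]))
    return rows


def connections_of_hidden_processes(psx_text, net_text):
    """Live connections owned by processes psxview flags as hidden."""
    hidden = {r.pid: r.name for r in parse_psxview(psx_text) if classify(r) == "HIDDEN"}
    live = parse_netscan(drop_closed(net_text))
    return [(hidden[c.pid], c) for c in live if c.pid in hidden]


if __name__ == "__main__":
    for row in parse_psxview(PSXVIEW_OUTPUT):
        print(f"{row.pid:>6} {row.name:<20} {classify(row)}")
    for name, conn in connections_of_hidden_processes(PSXVIEW_OUTPUT, NETSCAN_OUTPUT):
        print(f"hidden process {name} (pid {conn.pid}) has {conn.state} connection to {conn.foreign}")
```

In practice you would redirect `vol.py ... psxview` and `vol.py ... netscan` to text files and feed those in place of the constructed strings; the column order is what Volatility 2 prints for a Windows 7 profile, and the threshold is a starting point to tune, not a verdict.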