After having obtained a memory image using FireWire (or other methods), I eventually wanted to actually examine what was going on as the image was taken.
Installing Volatility
Volatility is a framework that helps ripping interesting information out of a Windows XP memory dump. Although “strings” and “dd” are good tools, analysing 1GB of binary crap is not really a fun thing to do. Volatility knows how to parse the memory and allows to do fancy stuff on the memory.
Installation of Volatility is a bit weird because it is obviously written for Windows and they hardcode the path of a Windows Python interpreter. Also, their module system is a bit weird, but in fairness works at least alrightish. The application itself is funnily packaged. They don’t really make use of namespaces and depend on modules being locally available.
That made it painful produce a Debian/Ubuntu package, but I made it and you can find it in my PPA. To install volatility through that PPA, you might want to do a:
sudo add-apt-repository ppa:ubuntu-bugs-auftrags-killer/muelli && sudo apt-get update && sudo apt-get install volatility
I think I packaged every available module so that you don’t need to go through 13 stupid^W very helpful but funny pages. You can see the available commands via plugins here:
muelli@xbox:/tmp$ volatility /usr/lib/pymodules/python2.6/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha *** Unable to load module kernel_hooks: No module named pefile *** Unable to load module usermode_hooks2: No module named pefile *** Unable to load module malfind2: No module named pydasm *** Unable to load module kernel_hooks: No module named pefile *** Unable to load module usermode_hooks2: No module named pefile *** Unable to load module malfind2: No module named pydasm Volatile Systems Volatility Framework v1.3 Copyright (C) 2007,2008 Volatile Systems Copyright (C) 2007 Komoku, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. usage: volatility cmd [cmd_opts] Run command cmd with options cmd_opts For help on a specific command, run 'volatility cmd --help' Supported Internal Commands: connections Print list of open connections connscan Scan for connection objects connscan2 Scan for connection objects (New) datetime Get date/time information for image dlllist Print list of loaded dlls for each process dmp2raw Convert a crash dump to a raw dump dmpchk Dump crash dump information files Print list of open files for each process hibinfo Convert hibernation file to linear raw image ident Identify image properties memdmp Dump the addressable memory for a process memmap Print the memory map modscan Scan for modules modscan2 Scan for module objects (New) modules Print list of loaded modules procdump Dump a process to an executable sample pslist Print list of running processes psscan Scan for EPROCESS objects psscan2 Scan for process objects (New) raw2dmp Convert a raw dump to a crash dump regobjkeys Print list of open regkeys for each process sockets Print list of open sockets sockscan Scan for socket objects sockscan2 Scan for socket objects (New) strings Match physical offsets to virtual addresses (may take a while, VERY verbose) thrdscan Scan for ETHREAD objects thrdscan2 Scan for thread objects (New) vaddump Dump the Vad sections to files vadinfo Dump the VAD info vadwalk Walk the vad tree Supported Plugin Commands: cachedump Dump (decrypted) domain hashes from the registry cryptoscan Find TrueCrypt passphrases driverirp Print driver IRP function addresses driverscan Scan for driver objects fileobjscan Scan for file objects getsids Print the SIDs owning each process hashdump Dump (decrypted) LM and NT hashes from the registry hivedump Dump registry hives to CSV hivelist Print list of registry hives hivescan Scan for _CMHIVE objects (registry hives) idt Print Interrupt Descriptor Table (IDT) entries intobjscan Scan for interrupt handler registrations keyboardbuffer Print BIOS keyboard buffer lsadump Dump (decrypted) LSA secrets from the registry memmap_ex_2 Print the memory map moddump Dump loaded kernel modules to disk. mutantscan Scan for mutant (mutex) objects objtypescan Scan for object type objects orphan_threads Find kernel threads that don't map back to loaded modules printkey Print a registry key, and its subkeys and values pslist_ex_1 Print list running processes pslist_ex_3 Print list running processes pstree ssdt Display SSDT entries suspicious Find suspicious command lines and display them symlinkobjscan Scan for symbolic link objects thread_queues Print message queues for each thread usrdmp_ex_2 Dump the address space for a process Example: volatility pslist -f /path/to/my/file muelli@xbox:/tmp$
So yeah, some warnings are due to missing dependencies. But it’s all packaged with the exception of pydasm. So if you have enough time at your hands, please do that 😉
If you have another module that you want to have added or if anything doesn’t work, please give me a shout.
Using Volatility
An interesting question might be whether someone has viewed a given picture. We know that the physical address space contains many 4kB sized pages. This is a problem for analysing the memory because we usually expect data to be larger than 4kB and this data is most likely fragmented in physical memory. So extracting a picture from the raw memory dump, while possible would be problematic. Our approach was to create a contiguous dump of a processes virtual memory address space and to search our target image in that memory dump. Fortunately, volatility is already able to dump a process’ virtual memory address space, which leaves us with the admittedly not too hard task of finding and extracting binary data of that picture.
We started by generating a list of running processes from the RAM image to identify the process ID of our target process (firefox in our case):
$ volatility pslist -f memorydump Name Pid PPid Thds Hnds Time firefox.exe 2212 2720 22 320 Sat Mar 20 14:33:29 2010
Afterwards, we dump the processes virtual memory, using the PID of that process, into a file. Using this we can start searching for our target picture in the process memory dump:
$ volatility memdmp -p 2212 -f memorydump
If we knew that the picture file that is being searched for was a JPEG and we found that these files have a start and end byte sequence 0xffd8 and 0xffd9 respectively. While this was helpful information we still need to narrow down our search. Using xxd we can take small byte sequences from the body of original picture and search for this sequence in the process’ ID image file. Using this method we are able to find the start of the JPEG picture, in the firefox process memory dump. Here, we can see that the start of the JPEG image marker (0xffd8) occurs at address 0x4e20008 in the image dump:
4e20000: 120e 0200 120e 0200 ffd8 ffe0 0010 4a46 ..............JF 4e20010: 4946 0001 0200 0064 0064 0000 ffec 0011 IF.....d.d...... 4e20020: 4475 636b 7900 0100 0400 0000 3c00 00ff Ducky.......<...
Then from this point forwards in the file, a search for the JPEG end of file byte sequence (0xffd9) gives us the address of the end of the JPEG picture in the memory image file. Here we can see that the JPEG picture ends at address 0x4e40e19:
4e40e00: d5c2 5047 3401 82c7 b75c 5638 2624 461d ..PG4....\V8&$F. 4e40e10: 4c54 f6b1 3d3c 4b3f ffd9 6500 2800 2700 LT..=<K?..e.(.'. 4e40e20: 7000 7800 2700 2c00 2700 2700 2900 3b00 p.x.'.,.'.'.).;.
Then using dd with a block size of one byte, and knowing the start and end addresses of our picture image obtained above, we can get python to work out the decimal number of bytes to skip into the file and also the decimal number of bytes to count or read from that position.
$ dd if=2212.dmp bs=1 skip=$(python -c 'print 0x4e20008')
count=$(python -c 'print 0x4e40e20 - 0x4e20008') > recovered.jpg
134674+0 records in
134674+0 records out
134674 bytes (135 kB) copied, 0.812532 s, 166 kB/s
To verify that the picture extracted from RAM is the same as original picture we can get as hash of both files:
$ sha256sum Goofy\ Finger.jpg recovered.jpg e87db764d0f2baccdd5b68dd0324c31ee2281a787d27de38c48e6e9c300b2349 Goofy Finger.jpg e87db764d0f2baccdd5b68dd0324c31ee2281a787d27de38c48e6e9c300b2349 recovered.jpg $ display recovered.jpg
Collecting Password Hashes
For password recovery purposes one might be interested in obtaining the hashed passwords of a running (Windows) system. As a nice side effect, we will gain all existing users on that system. Fortunately, a plugin for volatilty exists which allows dumping the password hashes. The process, however, is a bit cumbersome and could be more automated in the future. We start off finding Registry data in the memory using the hivescan command which will give us the offset of the data in memory. We scan two of these memory locations to make sure that we identify the Security and the System hive whichs addresses we have to remember (in our case 0xe1035b60 and 0xe16bdb60). With these addresses, we run the volatility hashdump tool which happily prints all the password hashes.
$ python volatility hivescan -f memorydump /tmp/volatility-1.3b/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha Offset (hex) 58175496 0x377b008 58202976 0x3781b60 63080280 0x3c28758 118954848 0x7171b60 268880736 0x1006cb60 292773896 0x11736008 294130688 0x11881400 414687240 0x18b7a008 421538656 0x19202b60 424552368 0x194e27b0 425945952 0x19636b60 436572168 0x1a059008 705187848 0x2a085008 $ python volatility hivelist -f memorydump -o 0x377b008 /tmp/volatility-1.3b/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha Address Name 0xe1e8cb60 \DaS\joe\LS\AD\Microsoft\Windows\UsrClass.dat 0xe261f008 \DaS\joe\NTUSER.DAT 0xe1e65b60 \DaS\LocalService\LS\AD\Microsoft\Windows\UsrClass.dat 0xe1f14008 \DaS\LocalService\NTUSER.DAT 0xe1e797b0 \DaS\NetworkService\LS\AD\Microsoft\Windows\UsrClass.dat 0xe1e03008 \DaS\NetworkService\NTUSER.DAT 0xe1776008 \WINDOWS\system32\config\software 0xe1756400 \WINDOWS\system32\config\default 0xe16e3b60 \WINDOWS\system32\config\SECURITY 0xe16bdb60 \WINDOWS\system32\config\SAM 0xe14b8758 [no name] 0xe1035b60 \WINDOWS\system32\config\system 0xe102e008 [no name] $ python volatility hivelist -f memorydump -o 0x1a059008 /tmp/volatility-1.3b/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha Address Name 0xe1e03008 \Documents and Settings\NetworkService\NTUSER.DAT 0xe1776008 \WINDOWS\system32\config\software 0xe1756400 \WINDOWS\system32\config\default 0xe16e3b60 \WINDOWS\system32\config\SECURITY <-- Security Hive 0xe16bdb60 \WINDOWS\system32\config\SAM 0xe14b8758 [no name] 0xe1035b60 \WINDOWS\system32\config\system <-- System Hive 0xe102e008 [no name] 0xe1e8cb60 \DaS\joe\LS\AD\Microsoft\Windows\UsrClass.dat 0xe261f008 \DaS\joe\NTUSER.DAT 0xe1e65b60 \DaS\LocalService\LS\AD\Microsoft\Windows\UsrClass.dat 0xe1f14008 \DaS\LocalService\NTUSER.DAT 0xe1e797b0 \DaS\NetworkService\LS\AD\Microsoft\Windows\UsrClass.dat $ python volatility hashdump -f memorydump -y 0xe1035b60 -s 0xe16bdb60 /tmp/volatility-1.3b/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha Administrator:500:2637e35bf0422b90aad3b435b51404ee:48ff5741a4f96d75a9dc23432a6c2fb6::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:69d67a492c3dd902282b6be852ba02cf:4672a0174e4f2400bb0fd10d50b9868c::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c0e2f264bd5be499af3d7b9740579aa7::: joe:1005:fb62f624fe735986aad3b435b51404ee:c025e7fccfbccc90b057725ef909f4e2::: mary:1006:758cd98ba77b7ff8aad3b435b51404ee:67f301368e34e8d7a3e5def3d74dbbf2::: $
Having obtained these hashes, one could use, i.e. Ophcrack to recover the password. A web based interface is available and successfully recovered each and every password (i.e.: empty, BLOGGS, MARY123, SMITH, KO*5VUMOWUKGAD). Advanced attacks such as Pass-The-Hash might also be possible.
It would be interesting to know, how to obtain password hashes from a running Linux or Mac system. The technique should be straight forward: Obtain RAM, get your own hash and search for this well known hash in memory. The harder work will then be to identify the data structures in which the hashes are embedded to reliably identify the hash storage for generality.
I would like to say “wow” what a inspiring post. This is really great. Keep doing what you’re doing!!