Volatility Workbench is a GUI version of one of the most popular tool Volatility for analyzing the artifacts from a memory dump. It is available free of cost, open-source, and runs on the Windows Operating system. You can download it from Here.
You can
refer to the previous article Memory
Forensics : Using Volatility from here,
Table of Contents
·
Features
of Volatility Workbench
·
Volatility
Commands
o Hunting rootkits and
malicious code
o Malfind
o Psxview
o Timers
o Getsids
o Cmdscan
o Consoles
o Privs
o Envars
o Verinfo
o Memmap
o Vadinfo
o Vadwalk
o Vadtree
o
Iehistory
o Modules
o SSDT
o Driverscan
o File Scan
o Mutant scan
o Thrdscan
o Netscan
o Hivescan
o Hivelist
o Printkey
o Hashdump
o Lsadump
o Shellbags
o Getservicesids
o Getservicesids
o Dumpregistry
o Mbrparser
o Mftparser
o
Features of Volatility Workbench
1.
A forensic investigator does
not have to worry about remembering the parameters of the command line.
2.
It has made it easier to store
dump information to a file on disk.
3.
There is a drop-down list that
contains the commands and its brief description.
4.
It records the time stamp of
the commands that were previously executed.
Download the tool and run it. Now choose the dump file that you have
previously created and select the profile of the image that was created which
could be used in place of imageinfo command. Now click on Refresh Process List
and you can run all the commands.
Hunting rootkits and malicious
code
It tends to run a scan on the memory dump and looks around for the
presence of a rootkit or a malicious code that would not be easily seen in the
system but could be running in the background.
Malfind
It is a command which helps in finding a hidden code or a code that
has been injected into the user’s memory. It doesn’t generally detect the
presence of a DLL in a process but instead locates them.
psxview
This command usually helps in
discovering any hidden processes in the plugin present in the memory dump.
Timers
It displays the timer of the kernel and all the associated timers
present in the memory dump of the system.
Getsids
This command can be used to view the Security Identifiers that are
associated with a particular process. With the help of this command, you can
identify if any malicious process has taken any privilege escalation.
Cmdscan
This plugin helps in searching the memory dump for the command the user must have used the cmd.exe application. This command is highly used if the attacker’s command activity is to be traced.
Consoles
This command is similar to cmdscan and helps to find if the attacker
had typed anything in cmd or had executed anything via the backdoor.
Privs
This command displays the
privileges assigned to the processes that are enabled or not enabled by
default.
Envars
This command displays all the variables in the process, its environment along with its current directory.
Verinfo
This command displays the version information that is present in the
PE files. It helps identify any binaries and also correlates with other files.
Memmap
This command shows the exact pages that are present on the page of a
specific process. It also shows the virtual address of the page and the size of
its page.
Vadinfo
This command usually displays information about a particular process’s VAD nodes. It displays the VAD Flags control flags, VAD tags.
Vadwalk
It is a command that is used to display all the VAD nodes in a
tabular form.
Vadtree
This process displays the VAD nodes in a tree form.
iehistory
This Plugin helps in
recovering the fragments of the Internet explore history index.dat named cache
files. It displays FTP and HTTP links that were accessed, links that were
redirected, any deleted entries.
Modules
This command is used to list the kernel drivers that are present in
the system.
SSDT
This command is used to
list the functions present in the original and GUI SSDTs. It displays the
index, the name of the function, and the owner of the driver of each entry in
the SSDT.
Driverscan
This command can be used to find the DRIVER_OBJECT present in the
physical memory by making use of a pool tag scan.
File Scan
This command can be used to find File_object that is present in the
physical memory by making use of a pool tag scan. This command will help in
finding open files in the system dump even if they are hidden with the help of
rootkit,
Mutant scan
This command is used to scan the physical memory of kmutant objects
by making use of pool tag scanning.
Thrdscan
This command is used to find the ethread objects that are present in the
physical memory with the help of a pool tag scan. It contains certain fields
that can identify its parent processes which can help in finding hidden
processes.
Netscan
This plugin helps in
finding network-related artifacts present in the memory dump. It makes use of
pool tag scanning. This plugin finds all the TCP endpoints, TCP listeners, UDP
endpoints, and UDP listeners. It provides details about the local and remote IP
and also about the local and remote port
Hivescan
This command is used to find the physical address of the registry
hives that are present in the memory. It is there to support the hivelist.
Hivelist
This command can be used to
locate the virtual addresses present in the registry hives in memory, and their
entire paths to hive on the disk.
Printkey
This command is used to display the values, data, subkeys, and data
types that are present in a specified registry.
Hashdump
This command can be
used to extract and decrypt cached domain credentials stored in the registry
which can be availed from the memory dump. The hashes that are availed from the
memory dump can be cracked using John the Ripper, Hashcat, etc
Lsadump
This command is used
to dump LSA secrets from the registry in the memory dump. This plugin gives out
information like the default password, the RDP public key, etc.
Shellbags
This command usually parses and prints the shellbag information that
is obtained from the registry.
Getservicesids
This command does the work
of calculating the SIDz for the services that are present on the machine. The
name of the services has been taken from the registry.
Dumpregistry
This plugin allows
one to dump a registry hive into a disk location.
Mbrparser
This command scans and parses potential MBR from the memory dump.
There are various ways to find MBR and the way of filtering it.
Mftparser
This command is used to scan the MFT entries in the memory dump and
prints out the information for certain types of file attributes.
0 comments:
Post a Comment