Volatility
In 2007, the first version of The Volatility Framework was released publicly at Black Hat DC. The software was based on years of published academic research into advanced memory analysis and forensics. Up until that point, digital investigations had focused primarily on finding contraband within hard drive images. Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research. Another major goal of the project was to encourage the collaboration, innovation, and accessibility to knowledge that had been common within the offensive software communities.
Since that time, memory analysis has become one of the most important topics to the future of digital investigations and Volatility has become the world's most widely used memory forensics platform. The project is supported by one of the largest and most active communities in the forensics industry. Volatility also provides a unique platform that enables cutting edge research to be immediately transitioned into the hands of digital investigators. As a result, research built on top of Volatility has appeared at the top academic conferences and Volatility has been used on some of the most critical investigations of the past decade. It has become an indispensable digital investigation tool relied upon by law enforcement, military, academia, and commercial investigators throughout the world.
Home page: https://www.volatilityfoundation.org/
The Volatility framework is a heavyweight framework for volatile-memory forensics. With it we can carry out a great many forensic operations and obtain whatever information we are after. Each Volatility release is the result of extensive, deep research into OS internals, applications, malicious code and suspicious activity. Although releases seem infrequent, the range of supported operating systems is very broad: Windows, Linux, Mac OS X and even Android phones with ARM processors.
Common Volatility command-line parameters
- -h  show the available parameters and help text
- --info  list the available modules and the Windows versions they support
- -f  path of the memory image file to open
- -d  enable debug mode
- -v  enable verbose output
volatility -f <image file> --profile=<profile> <plugin> [plugin arguments]
Run volatility --info to list the profiles, address spaces, scanner checks and plugins the tool supports.
Commonly used plugins
imageinfo: shows summary information about the target image; once you know the image's operating system, pass the matching profile with --profile
pslist: lists the system's processes, but cannot detect hidden or unlinked processes; psscan can
psscan: finds processes that were previously terminated (inactive) as well as processes hidden or unlinked by a rootkit
pstree: shows the process list as a tree; like pslist, it cannot detect hidden or unlinked processes
memdump: dumps the memory of a specified process; foremost is commonly used to carve files out of the dump
filescan: scans for all file objects
hashdump: shows the password hashes of the running operating system, for example the contents of the Windows SAM
svcscan: scans for Windows services
connscan: shows network connections
Other plugins
Use the imageinfo plugin to determine the profile of the dump file.
Throughout the examples the image file is test.vmem and the operating system is WinXPSP2x86.
volatility -f test.vmem imageinfo
Once the profile is known, every later command builds on this base invocation:
volatility -f test.vmem --profile=WinXPSP2x86
List processes
volatility -f test.vmem --profile=WinXPSP2x86 pslist
List the registry hives cached in memory
volatility -f test.vmem --profile=WinXPSP2x86 hivelist
Print the data of a registry hive
volatility -f test.vmem --profile=WinXPSP2x86 hivedump -o <virtual address of the hive>
Extract the system password hashes held in memory with hashdump
volatility -f test.vmem --profile=WinXPSP2x86 hashdump -y <virtual address of the SYSTEM hive> -s <virtual address of the SAM hive>
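The hashdump command above needs the two hive addresses from hivelist. The following shell script is an added example, not from the original page: it picks the SYSTEM and SAM virtual addresses out of hivelist output and builds the hashdump command line. The hivelist output is a constructed sample, and the "Virtual Physical Name" column layout is assumed to be that of Volatility 2.

```bash
#!/bin/sh
# Added example, not from the original page: pick the SYSTEM and SAM hive
# virtual addresses out of `hivelist` output and build the matching hashdump
# command. The "Virtual Physical Name" column layout is assumed (Volatility 2).
IMAGE="test.vmem"
PROFILE="WinXPSP2x86"

# Constructed sample of `volatility -f test.vmem --profile=WinXPSP2x86 hivelist`.
SAMPLE_HIVELIST='Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe1035b60 0x02ad3b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe16b1b60 0x0c7b1b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1a4a008 0x033e3008 [no name]'

# hive_vaddr <hivelist output> <hive file name>
# Prints the virtual address of the hive whose path ends in the given file name
# (compared case-insensitively); returns 1 when no such hive is listed.
hive_vaddr() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^0x/ {
            name = tolower($3)
            sub(/.*\\/, "", name)           # keep only the last path component
            if (name == want) { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# hashdump_cmd <hivelist output>
# Builds the hashdump invocation from the page: -y takes the SYSTEM hive
# address, -s the SAM hive address. Fails loudly if either hive is missing.
hashdump_cmd() {
    sys=$(hive_vaddr "$1" system) || { echo "SYSTEM hive not found" >&2; return 1; }
    sam=$(hive_vaddr "$1" SAM)    || { echo "SAM hive not found" >&2; return 1; }
    printf 'volatility -f %s --profile=%s hashdump -y %s -s %s\n' \
        "$IMAGE" "$PROFILE" "$sys" "$sam"
}

hashdump_cmd "$SAMPLE_HIVELIST"
```

On a real image, replace SAMPLE_HIVELIST with the captured output of the hivelist command (for example via a command substitution) and run the printed command.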
List the users in the SAM hive
volatility -f test.vmem --profile=WinXPSP2x86 printkey -K "SAM\Domains\Account\Users\Names"
Get the account that last logged on to the system
volatility -f test.vmem --profile=WinXPSP2x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Extract the UserAssist records held in memory: which programs were run, how many times, and when they last ran
volatility -f test.vmem --profile=WinXPSP2x86 userassist
Save the memory of a process in the image as a .dmp file (memdump)
volatility -f test.vmem --profile=WinXPSP2x86 memdump -p [PID] -D [directory for the dumped file]
Use the strings tool to print the strings it contains
strings xxxx.dmp > xxxx.txt
Extract the cmd command history retained in memory
volatility -f test.vmem --profile=WinXPSP2x86 cmdscan
Get the network connections at the time of capture
volatility -f test.vmem --profile=WinXPSP2x86 netscan
Note that netscan only supports Vista and later profiles; on a Windows XP image such as WinXPSP2x86 use connscan (or connections and sockets) instead.
Get the IE browser history
volatility -f test.vmem --profile=WinXPSP2x86 iehistory