Unit 5: Windows Acquisition 5.1 Windows Acquisition Windows Memory Acquisition and Analysis

>> As we discussed in previous units, forensic investigators exam physical memory content
to detect malicious processes, threats, and memory resident malware
to recover passwords and encryption keys.

>>正如我们在前面的单元中讨论的，法医调查人员检查物理内存内容，以检测恶意进程、威胁和内存驻留恶意软件，以恢复密码和加密密钥。

In some cases, forensic examiners will not be able to start a forensic investigation
without having the physical memory content.

在某些情况下，法医审查员无法在没有物理记忆内容的情况下展开法医调查。

To start memory acquisition, let's learn some well-known Windows memory acquisition tools.

为了开始内存获取，让我们学习一些著名的Windows内存获取工具。

The open source MoonSols Windows memory toolkit is a host-based Windows memory
acquisition toolkit.

开源的MoonSols Windows内存工具包是一个基于主机的Windows内存获取工具包。

It is very easy to use. 它很容易使用。

When you run DumpIt, a tool from this toolkit, from a USB,
the raw memory dump will be generated and then written
to the same directory you are running DumpIt from.

当您从这个工具包、从USB运行DumpIt时，将生成原始内存转储，然后将其写入运行DumpIt的相同目录。

The other host-based Window's memory acquisition tools I recommend include winen.exe

from Guidance Software, MemoryDD from ManTech, FTK Imager from Access Data, and Belkasoft
Live RAM Capturer.

我推荐的其他基于主机的窗口内存获取工具包括winen。来自引导软件的exe，来自ManTech的MemoryDD，来自Access Data的FTK Imager，以及Belkasoft Live RAM Capturer。

The commercial tools such as F-Response and the forensic toolkit allow examiners
to conduct forensic acquisition remotely by running an agent on a suspect machine.

F-Response和forensic toolkit等商业工具允许检查人员通过在可疑机器上运行代理远程进行法医采集。

Once we have a physical memory image dumped, how do we extract information
such as running processes, registry data, event logs, network traffic and web history,
et cetera from the memory image for forensic analysis?

一旦我们转储了物理内存映像，我们如何从内存映像中提取诸如正在运行的进程、注册表数据、事件日志、网络流量和web历史记录等信息，以便进行取证分析?

We use a command called streams to extract printable streams from Linux memory dumps,
but streams does not give us all of the variable information we need.

我们使用一个名为streams的命令从Linux内存转储中提取可打印的流，但是流不能提供我们需要的所有变量信息。

Let's study some memory analysis tools that are capable of extracting processes,
network registry information, even password from a memory dump.

让我们研究一些能够从内存转储中提取进程、网络注册表信息甚至密码的内存分析工具。

Some of these tools also work for Linux UNIX memory contents.

其中一些工具还可以用于Linux UNIX内存内容。

WindowsSCOPE is a commercial tool for Windows memory acquisition and analysis.

WindowsSCOPE是一个用于Windows内存获取和分析的商业工具。

You can get one month's full featured trial to try out this tool.

您可以获得一个月的全功能试用来试用这个工具。

One of its strengths is the detection and the reverse engineering of root kits and malware.

它的优势之一是检测和反向工程的根工具包和恶意软件。

Redline Memoryze from FireEye is a free tool for Windows memory acquisition and analysis.

FireEye的Redline Memoryze是一个免费的Windows内存获取和分析工具。

The open source Python-based toolkit called Volatility Framework is able
to extract information from both Windows and Linux UNIX memory images.

基于python的开放源码工具包volatile Framework能够从Windows和Linux UNIX内存映像中提取信息。

Let's closely look at Volatility framework to understand how memory analysis tools extract
processes and other information.

让我们仔细研究一下volatile框架，了解内存分析工具是如何提取进程和其他信息的。

Volatility framework requires acquired memory image as an input.

波动性框架需要获取内存映像作为输入。

To start a memory analysis using Volatility, you should run the Volatility plug-in image
info first to identify the operating system's service
pack hardware architecture and the address of kernel debug structure from the given memory.

要使用volatile启动内存分析，首先应该运行volatile插件映像信息，从给定内存中识别操作系统的服务包硬件架构和内核调试结构的地址。

So, here the given memory is called mem file.

因此，这里给定的内存称为mem文件。

The image in for output tells you the suggested profile of the image.

输出的图像告诉您图像的建议配置文件。

For example, WinXPSP386.

例如,WinXPSP386。

You will pass on this parameter when you run other plug-ins.

您将在运行其他插件时传递此参数。

Knowing this profile information, Volatility will use the kernel debug structure to point
to kernel objects and structures which contains processes and network information.

了解了这些配置文件信息后，volatile将使用内核调试结构来指向包含进程和网络信息的内核对象和结构。

For example, a Windows kernel uses EPROCESS data structure
to store information for each running process.

例如，Windows内核使用EPROCESS数据结构存储每个正在运行的进程的信息。

All active EPROCESS are double-linked together.

所有活动的EPROCESS都是双链接在一起的。

This linked list of EPROCESS structure is pointed by PS active process head.

此EPROCESS结构链表由PS active process head指定。

Volatility uses kernel debug structure to find the PS active process head and then
to list all current running processes by traversing through the EPROCESS linked list.

volatile使用内核调试结构找到PS活动进程头，然后通过遍历EPROCESS链表列出所有当前运行的进程。

Volatility framework supports a variety of plug-ins, including PS list, PS scan, DLL
lists, modules, conn scan, hive list, et cetera to
allow us to extract processes, threats, registry, network connections, and many crucial
information.

volatile框架支持各种插件，包括PS列表、PS扫描、DLL列表、模块、conn扫描、hive列表等，允许我们提取进程、威胁、注册表、网络连接和许多关键信息。

PS list plug-in instructs Volatility to use PS active process head to list all
running processes.

PS list插件指示volatile使用PS active process head来列出所有正在运行的进程。

To run Volatility framework with plug-ins, we will provide the profile we learned
from the plug-in image info.

要使用插件运行volatile框架，我们将提供从插件映像信息中学到的概要文件。

So, here is one example using a plug-in, PS list.

这里有一个使用插件PS list的例子。

However, to hide processes, rootkits simply unlink these processes from the EPROCESS list.

但是，要隐藏进程，rootkit只需从EPROCESS列表中断开这些进程的链接。

Once unlinked, although these processes continue to run normally, they will be hidden
from most standard process enumeration tools such as Windows Task Manager and Sysinternals
utilities.

一旦解除链接，尽管这些进程将继续正常运行，但它们将被隐藏在大多数标准的进程枚举工具(如Windows任务管理器和Sysinternals实用程序)之外。

The Volatility plug-in PS scan does not use the linked list of EPROCESS.

volatile插件PS扫描不使用EPROCESS的链表。

It scans memory looking for EPROCESS structure that represent process
and then returns the physical address spaces for all EPROCESS objects.

它扫描内存，寻找表示进程的EPROCESS结构，然后返回所有EPROCESS对象的物理地址空间。

Therefore, PS scan will list all processes, even the process are hidden by rootkits
and are not shown by PS list plug-in.

因此，PS scan会列出所有进程，即使是被rootkit隐藏的进程，也不会被PS list插件显示。

Any discrepancy between outputs shown by PS list and PS scan may indicate
that rootkits is likely installed on the suspect machine.

PS list和PS scan显示的输出之间的任何差异都可能表明rootkit可能安装在可疑机器上。

Similarly, the plug-in conn scan can extract hidden network connections while the plug-in
connections cannot survive from the malicious attack.

类似地，插件conn扫描可以提取隐藏的网络连接，而插件连接不能幸免于恶意攻击。

The plug-in CryptoScan attempts to recover encryption passphrase from a memory image.
Here is an example of using CryptoScan.

插件加密扫描试图从内存映像中恢复加密密码。

下面是一个使用加密扫描的例子。

For Windows memory images, Volatility framework uses plug-ins hive list and hive scan to dump
out the registry hives such as SAM, security, software, NT user dot at,
user class dot at found in memory.

对于Windows内存映像，volatile框架使用插件hive list和hive scan来转储注册表蜂箱，例如SAM、security、software、NT user dot at、user class dot at。

Google's open source Rekall Memory Forensics framework, in terms of functionality,
is very similar to Volatility framework.

就功能而言，谷歌的开源Rekall内存取证框架与volatile框架非常相似。

In addition, Rekall is able to acquire Windows, Linux, and Mac memory images.
Volatility framework does not have the acquisition function.

此外，Rekall还可以获取Windows、Linux和Mac内存映像。

波动性框架不具备获取功能。

In the demo, I will show you how to use Volatility framework to analyze a memory dump.

在演示中，我将向您展示如何使用volatile框架来分析内存转储。

 

Volatility for Memory Analysis Demo

Start of transcript. Skip to the end.

1. >> We learned earlier that FTK Imager from AccessData can dump
2. out physical memory from a live system.
3. >>我们之前学过AccessData的FTK Imager可以从活动系统中转储物理内存。
5. If you are running a virtual machine, the virtual machine's page file, .vmem,
6. contains a copy of the guest's main memory.
7. 如果您正在运行虚拟机，那么虚拟机的页面文件.vmem包含客户机主内存的副本。
9. The open-source toolkit Volatility Framework is one of the best memory forensic analysis
10. tools to extract valuable information from a memory
11. dump or a .vmem file.
12. 开源工具包volatile框架是从内存转储或.vmem文件中提取有价值信息的最佳内存分析工具之一。
14. In this video, I will show you some basic Volatility plugins to analyze a memory file,
15. and we will use a Zeus memory dump as a example.
16. 在这个视频中，我将展示一些基本的volatile插件来分析内存文件，我们将使用Zeus内存转储作为一个例子。
18. Now, the Zeus memory dump is provided by Malware Analyst's Cookbook DVD,
19. and you can also find detailed Zeus memory analysis using Volatility
20. from various source online.
21. 现在，Zeus内存转储是由恶意软件分析人员的烹饪书DVD提供的，您还可以在网上找到使用波动性的Zeus内存分析的详细信息。
23. I will provide to this websites in this week's activities,
24. for those of you who would like to try by yourself.
25. 我会在这周的活动中提供给这个网站，给那些想自己尝试的人。
27. And here, I'm still using the SANS Investigative Forensic Toolkits virtual machine,
28. because this virtual machine has Volatility installed.
29. 在这里，我仍然使用SANS调查取证工具包虚拟机，因为这个虚拟机已经安装了volatile。
31. Now, if you look at, here, I said which vol.py, Python, and then this,
32. we try to find out whether this Volatility is installed.
33. 现在，如果你看一下，这里，我说的是哪个v。py Python，然后这个，我们试着找出是否安装了这个波动。
35. So, this is the path for Python, for Volatility, and to start, we can use the main page,
36. and then also, we can use a help page.
37. 这是Python的路径，对于易变性，首先，我们可以使用主页，然后，我们也可以使用帮助页面。
39. For example, for Volatility Framework, they have a very nice help page, if I provide dash
40. H, dash H, and you will see the information about
41. the plugins, various plugins, configuration.
42. 例如，对于volatile框架，他们有一个非常好的帮助页面，如果我提供了dash H, dash H，你会看到关于插件的信息，各种各样的插件，配置。
44. There's a long, yeah, this is a long help, help page.
45. 有一个很长的帮助页面。
47. So, there's a plugins, how do you run that, and then supported plugins,
48. I'll talk about a few of them in the class, and here is a complete list.
49. 这里有一个插件，你如何运行它，然后支持插件，我会在课上讲一些，这里有一个完整的列表。
51. So, for example, connect scan, that one will scan for connections, and many ones,
52. we'll also talk about the PS scan, and that means the process scan, and a hive scan for,
53. hive scan, hive list for registry, hive dump.
54. 例如，connect scan，它会扫描连接，我们还会讨论PS扫描，这意味着进程扫描，hive扫描，hive扫描，注册表的hive列表，hive转储。
56. So, many of that, and you probably should spend some time,
57. if you're interested in, to look through that.
58. 很多，如果你感兴趣的话，你可能应该花点时间，看看这些。
60. Alright.
62. So, at first, we need to find out to, for the given image,
63. what is the type of the operating system, as well as the date and time
64. that this memory image was taken.
65. 首先，我们需要知道，对于给定的映像，操作系统的类型是什么，以及这个内存映像的拍摄日期和时间。
67. So, that one is called I image info, so I would run Volatility Framework, and certainly,
68. you have to give the memory dump, because Volatility cannot acquire memory.
69. 这个叫做I image info，我会运行波动率框架，当然，你必须给内存转储，因为波动率不能获得内存。
71. It can only work on dumped-out memory.
72. 它只能在转存出来的内存上工作。
74. So, this is the Zeus .vmem, and I copied, I took it from the Malware Analyst's Cookbook
75. DVD, so this is a former virtual machine's page
76. file, that .vmem.
77. 这是Zeus。vmem，我从恶意软件分析师的烹饪书DVD中复制了它，这是一个前虚拟机的页面文件，也就是。vmem。
79. So, I just move over to here, so this is the image file now we have.
80. 我移到这里，这就是我们现在的图像文件。
82. And now, we run one of the plugin called I image info.
83. 现在，我们运行一个叫做I image info的插件。
85. So, this usually is the first plugin you will use to find out the operating system,
86. and then later, you can provide that information into the profile information.
87. 因此，这通常是您将使用的第一个插件，用于找出操作系统，然后，您可以将该信息提供到配置文件信息中。
89. So now, analyze this image, and in the lecture, I also told you,
90. how does Volatility analyze this image?
91. 现在，分析这幅图像，在这节课上，我也告诉过你们，波动性如何分析这幅图像?
93. It finds out, it's suggested, it says it's a WinXP 286, so this is suggested profile.
94. 它发现，它建议，它说它是WinXP 286，这是建议配置文件。
96. Now, by default, Volatility Framework treats image as a WinXP SP 286, so if that's the
97. case, and we needn't provide the image profile,
98. if other ones, sometimes when you run Volatility from other plugins, it will complaints that
99. I do not know what is the profile.
100. 现在，在默认情况下，Volatility Framework将image作为WinXP SP 286来处理，如果是这样的话，我们就不需要提供image profile，如果是其他的，有时候当你从其他插件运行Volatility时，它会抱怨我不知道这个profile是什么。
102. Then, you have to provide a profile.
103. 然后，您必须提供一个配置文件。
105. In this case, since this is the default one and we are fine,
106. we are safe without providing the later plugin's commands.
107. 在这种情况下，由于这是默认的插件，我们很好，我们是安全的，不需要提供后面插件的命令。
109. Now, in here, it also tell you when this image, the image date and the time,
110. when this image dump was created, because every memory image is just a snapshot,
111. it's of one time.
112. 在这里，它还会告诉你这个图像，图像日期和时间，这个图像转储是什么时候创建的，因为每个内存图像只是一个快照，它是一个时间。
114. Memory is changing all the time, so this is the image time.
115. 内存一直在变化，所以这是图像时间。
117. Now, we know that, and we can move on to run other Volatility plugins.
118. 现在，我们知道了这一点，我们可以继续运行其他的volatile插件。
120. For example, we are going to watch what processes are running on the computer
121. when this memory dump was taken, was recorded.
122. 例如，当这个内存转储被记录下来时，我们将监视计算机上正在运行的进程。
124. So, we do, just change the plugin, and then we use Volatility Framework, and again,
125. it's this image, and run against pslist.
126. 所以，我们只需要改变插件，然后我们使用volatile框架，同样的，就是这个图像，然后在pslist上运行。
128. Now, in the lectures, I also discussed, I said pslist will list all the processes,
129. which is very similar to the result as Windows task manager.
130. 在课堂上，我也讨论过，pslist会列出所有进程，这和Windows任务管理器的结果非常相似。
132. If you have some processes hidden by rootkit, pslist will not be able to find it,
133. because some rootkits will work on the double link of the process,
134. try to hide specifically for a particular process.
135. 如果您有一些进程被rootkit隐藏，pslist将无法找到它，因为一些rootkit将在进程的双链接上工作，请尝试为特定进程隐藏。
137. So, commonly we also use this one to run psscan, because psscan, it use different approach.
138. 通常我们也用这个来运行psscan，因为psscan使用不同的方法。
140. It will detect some of the hidden process, if hidden by rootkit.
141. 如果被rootkit隐藏，它将检测一些隐藏进程。
143. Cannot guarantee all right, but it can sometimes can identify some.
144. 不能保证一切正常，但有时它能识别出一些。
146. So, the common process is, common practice is run this again, and now you will save.
147. 所以，常见的过程是，常见的做法是再次运行这个，现在您将保存。
149. I did not save, by the way, this time.
150. 顺便说一下，这次我没有保存。
152. You will save both files into file, then you compare, alright?
153. 将两个文件都保存到文件中，然后进行比较，好吗?
155. If you compare that both list, if you can find any discrepancy, that's possibly it is
156. a hint, say, something is going on, and then some
157. process is hidden.
158. 如果你比较这两个列表，如果你能发现任何差异，那可能是一个提示，比如说，发生了什么，然后某个过程被隐藏了。
160. So, after we done this psscan and pslist, we compare the process list.
161. 因此，在我们完成这个psscan和pslist之后，我们比较流程列表。
163. Now, to read that is also quite simple, and it tells you which word is the process,
164. SV host, those are the services.
165. 读起来也很简单，它会告诉你哪个词是进程，SV主机，这些是服务。
167. Sometimes rootkits hide within SV hosts.
168. 有时rootkit隐藏在SV主机中。
170. They call it SV hosts.
171. 他们称之为SV主机。
173. And then, the PID, process ID, and parent process ID, and timestamp, as those information.
174. 然后是PID、进程ID、父进程ID和时间戳，作为这些信息。
176. So, for this example, if you compare pslist and psscan, they remain same,
177. so did not give you much of the information.
178. 因此，在这个例子中，如果您比较pslist和psscan，它们是相同的，因此没有提供多少信息。
180. So, the next one, we want to look at the connections, internet connections.
181. 下一个，我们想看看连接，互联网连接。
183. By the way, like I said, someone has already did a very detailed analysis for Zeus,
184. so I'm just kind of showing a few of the plugins, here,
185. to help you to understand, that's all.
186. 顺便说一下，就像我说的，有人已经为Zeus做了非常详细的分析，所以我只是在这里展示一些插件，以帮助您理解，仅此而已。
188. But, if a detailed report, you can find from online, okay?
189. 但是，如果有详细的报告，你可以在网上找到，好吗?
191. So, connect scan, this will try to find the connection,
192. the network connection this machine made during the dump time,
193. during when we collect this image.
194. 所以，连接扫描，这个会尝试找到连接，这个机器在转储时建立的网络连接，在我们收集这个图像的时候。
196. So, here we see, we find, there's two connections.
197. 我们看到，我们发现，有两个联系。
199. The machine, this machine has connections with 193.104.41.45, and a connect to port
200. 80.
201. 本机器，本机器与193.104.41.45有连接，并与a连接到80端口。
203. The PID is 856, or 856.
205. Now, because it's, we understand, if it's connected to that machine's port 80,
206. then this PID, this process should be a internet browser, right?
207. 现在，因为我们知道，如果它连接到机器的端口80，那么这个PID，这个进程应该是一个互联网浏览器，对吧?
209. It's because connect to the, connect to port 80, so then we look at this PID,
210. this process with PID equal to 856, to find out whether this is a internet browser or
211. not.
212. 因为连接到端口80，所以我们看这个PID，这个PID等于856的过程，看看这是不是一个互联网浏览器。
214. >> So now, if we're going back, it's 856, let's look at, see if it's still there, 856.
215. 现在，如果我们往回看，它是856，我们看一下，它是否还在这里，856。
217. >> Okay, so this is the one.  就是这个。
219. If you look at this one, 856 supposed to be a internet browser to connect
220. to remote machine's port 80, but this one actually, it is svchost.exe, svchost.exe.
221. 如果你看这个，856应该是一个internet浏览器连接到远程机器的端口80，但这个实际上是svcho .exe,svcho .exe。
223. Now, svchost.exe, you know, innocent way in that this is a system file, Windows system
224. file, but many rootkits actually hide that rootkit
225. under svchosts.
226. 现在,svchost。exe，你知道，这是一个系统文件，Windows系统文件，但很多rootkit实际上隐藏在svchosts下。
228. In Windows, you can actually use task manager to, with the option of slash svc.
229. 在Windows中，您实际上可以使用task manager来，使用slash svc选项。
231. It will even tell you whether those svchost a real command, it can spell out,
232. then you can find out what is the real command hiding under svchost.
233. 它甚至会告诉你那些svchost是否是一个真正的命令，它可以拼出来，然后你就可以找出隐藏在svchost下的真正的命令是什么。
235. But, in here, at least we know this is suspicious, because why the process PID 856 is not a internet
236. browser, and it is a Windows service.
237. 但是，在这里，至少我们知道这是可疑的，因为进程PID 856不是internet浏览器，而是Windows服务。
239. Now, this is the first thing, suspicious things we find out,
240. and then commonly what forensic analysis or malware analysis investigators will do is,
241. if you find this IP address, and this is information you can check,
242. so you can keyword search, and also you can put this IP addresses through some online
243. tools to find out if this IP address is blacklisted
244. or not.
245. 现在,这是第一件事,我们发现可疑的事情,然后通常法医分析或恶意软件分析人员要做的是,如果你发现这个IP地址,您可以检查信息,所以你可以关键词搜索,也可以把这个IP地址通过一些在线工具来找出如果这个IP地址是否列入黑名单。
247. So, various tools you can do that, and you can do IPVoid, I-P-V-O-I-D online tool,
248. or you might try VirusTotal, or Shodan, S-H-O-D-A-N, to find out whether this IP address is malicious
249. or not.
250. 你可以用各种工具，IPVoid, I-P-V-O-I-D在线工具，或者你可以试试VirusTotal，或者Shodan, S-H-O-D-A-N，看看这个IP地址是不是恶意的。
252. But again, run it against those public variable tools, it's rely on the signature.
253. 但是，在这些公共变量工具上运行它，它依赖于签名。
255. If this, if, let's say, this machine's IP, no one has report it
256. in the blacklist, then you still cannot find.
257. 如果，假设，这台机器的IP，黑名单上没有人报告，那么你还是找不到。
259. So, in this case, if you do put this IP address into IPVoid, I-P-V-O-I-D,
260. and you will find this IP address actually is already listed as a blacklist.
261. 所以，在这种情况下，如果你把这个IP地址放入IPVoid, I-P-V-O-I-D，你会发现这个IP地址实际上已经被列入黑名单。
263. That means someone already reported, and once again,
264. those tools cannot guarantee you'll find blacklist, because someone has
265. to create the signature already, and then you will be able to find this is blacklist.
266. 这意味着已经有人报告了，再说一遍，这些工具不能保证您会找到黑名单，因为已经有人创建了签名，然后您将能够找到这是黑名单。
268. Now, couple of other things you may, you can also try is, for example, a print key, alright?
269. 现在，你还可以尝试其他一些东西，例如，打印键?
271. So, the print key one is, if you know certain registry key information,
272. this process might change, might change a certain registry key.
273. 打印键1是，如果你知道某个注册表键信息，这个过程可能会改变，可能会改变某个注册表键。
275. For example, in this case, it is common that children at registry key
276. to make sure it will be running every time when the computer is restarted,
277. and this is a win logon registry key, because they want to make sure this tool,
278. every time when people restart the machine, and then this process start to run.
279. 例如,在本例中,它是常见的儿童在注册表键以确保它将运行每次计算机重新启动时,这是一个赢得登录注册表键,因为他们要确保这个工具,每次当人们重新启动机器,然后这个过程开始运行。
281. Now, that is under the Windows, Windows win logon.
282. 现在，那是在Windows下，Windows win登录。
284. If you modify that key value, and then to insert this process into it, to be able to
285. other one.
286. 如果你修改了那个键值，然后把这个过程插入到它里面，就能得到另一个键值。
288. So now here, in this case, we will run, again, so this is, we tried to change the plugins.
289. 现在，在这种情况下，我们将再次运行，这是，我们试图改变插件。
291. It's called printkey.   它叫做printkey。
293. If you use .edge, you will find out, if you use Python, sorry, volatility.edge,
294. you will find that this print key is there, and it provide by the key,
295. which key you want to look, Microsoft Windows.

296. 如果你使用。edge，你会发现，如果你使用Python，不好意思，volatile。edge，

     你会发现这个打印键就在那里，它由键提供，你想看哪个键，微软Windows。

298. This is the registry key, Windows NT, and current version.
299. 这是注册表项、Windows NT和当前版本。
301. Now, we have already discuss, in next class, we will talk about the Windows registry key
302. registry, so you will know more information from there,
303. so this is the key.
304. 现在，我们已经讨论过了，在下节课，我们将讨论Windows注册表键注册表，所以你们会从那里了解更多的信息，这就是关键。
306. If you want to add something autostart, then this value will change, alright?
307. 如果你想添加一些自动启动的东西，那么这个值就会改变，对吧?
309. So, if I spell it right, then it should work.
310. 所以，如果我拼对了，应该能行。
312. If you look at here, this is what's changed, based on the memory, right?
313. 如果你看这里，这就是改变的地方，基于记忆，对吧?
315. The registry key changed, so here.
316. 注册表键改变了，这里。
318. So, you see, this is the process.
319. 你看，这就是过程。
321. Now, this name, and again, if you are the investigator,
322. you will be very happy to see that .exe.
323. 这个名字，如果你是调查员，你会很高兴看到。exe。
325. That one, those are all in the value, which means will be autostarted when the Windows,
326. when Windows boot, and this one is a not common one, definitely.
327. 这一个，这些都在值中，这意味着当Windows启动时，当Windows启动时，会自动启动，这一个肯定不是常见的。
329. The rootkit actually add itself, adds itself into this registry value.
330. rootkit实际上是添加自己，将自己添加到这个注册表值中。
332. Okay.
334. So, at this point, actually, the investigator already know quite a lot
335. of information, and I will stop here, but the complete, if you look at the complete
336. report, there are other things in this memory.
337. 所以，在这一点上，实际上，调查人员已经知道了相当多的信息，我就讲到这里，但是完整的，如果你看完整的报告，在这个记忆中还有其他东西。
339. For example, you can use a plugin called malfind.
340. 例如，您可以使用一个名为malfind的插件。
342. That one Volatility's plugin that will dump out malware, that will help investigator
343. to find any hidden or injected DLL in user mode memory, in user mode memory.
344. 这是一个volatile的插件，它可以输出恶意软件，帮助调查员在用户模式内存中，在用户模式内存中找到任何隐藏或注入的DLL。
346. So, and for that sense, it will dump out the memory, and then you try to search through
347. it to find the piece which is belong to this
348. Zeus, .vmem.
349. 所以，从这个意义上说，它会把记忆倒出来，然后你试着在里面搜索，找到属于宙斯的那块碎片。vmem。
351. And, there are other interesting things.
352. 还有其他有趣的事情。
354. So, as long as you know those plugins, and then to understand, too,
355. what are each plugins tool function, you can play around with the memories.
356. 所以，只要你了解那些插件，然后再去了解，每个插件的工具功能是什么，你就可以玩弄记忆了。
358. And, you can dump out memory by yourself, and at least, you can look around to see what
359. kind of process is running, and even though it's
360. not malicious memory dump, then you can have fun
361. to see much more information, because at the beginning, we only use strings,
362. Linux strings to dump out ASCII printable strings, but with Volatility Framework,
363. certainly, you can play more intelligently.

364. 而且，您可以自己转储内存，至少，您可以查看正在运行哪种进程，即使它正在运行

     没有恶意的内存转储，那么您就可以很有趣地看到更多的信息，因为在开始的时候，我们只使用字符串，Linux字符串来转储ASCII可打印的字符串，但是使用volatile框架，当然，您可以更智能地播放。

366. Now, there's another one, another tool I talked about in class is
367. from Google called Recall [assumed spelling], and you can play around with that, as well.
368. 现在，我在课堂上谈到的另一个工具是来自谷歌的，叫做回忆(假设拼写)，你也可以使用它。
370. Okay, so that, I will stop here.
371. 好了，我就讲到这里。
373. Hopefully, you will enjoy that, and play by yourself.
374. 希望你们会喜欢，自己玩。
376. End of transcript. Skip to the start.

转载于:https://www.cnblogs.com/sec875/articles/10015668.html