Volatility
In 2007, the first version of The Volatility Framework was released publicly at Black Hat DC. The software was based on years of published academic research into advanced memory analysis and forensics. Up until that point, digital investigations had focused primarily on finding contraband within hard drive images. Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research. Another major goal of the project was to encourage the collaboration, innovation, and accessibility to knowledge that had been common within the offensive software communities.
Since that time, memory analysis has become one of the most important topics to the future of digital investigations and Volatility has become the world's most widely used memory forensics platform. The project is supported by one of the largest and most active communities in the forensics industry. Volatility also provides a unique platform that enables cutting-edge research to be immediately transitioned into the hands of digital investigators. As a result, research built on top of Volatility has appeared at the top academic conferences and Volatility has been used on some of the most critical investigations of the past decade. It has become an indispensable digital investigation tool relied upon by law enforcement, military, academia, and commercial investigators throughout the world.
Welcome home: https://www.volatilityfoundation.org/
The Volatility framework is a heavyweight framework for volatile-memory forensics. With it we can carry out many forensic operations and obtain all kinds of information we are after. Volatility's releases are the result of a great deal of in-depth research into OS internals, applications, malicious code and suspicious activity. Although releases appear to be few, the range of supported operating systems is very wide: Windows, Linux, Mac OS X, and even forensics on Android phones with ARM processors.
Common Volatility command-line parameters
- -h  show the parameters and help text
- --info  list the available module names and the supported Windows versions
- -f  specify the memory image file to open, with its path
- -d  enable debug mode
- -v  enable verbose output
volatility -f <image file> --profile=<profile> <plugin> [plugin arguments]
Run volatility --info to obtain the Profiles, Address Spaces, Scanner Checks and Plugins the tool supports.
Commonly used plugins
imageinfo: shows summary information about the target image; once you know the image's operating system, pass the matching OS in --profile
pslist: lists the system's processes, but it cannot detect hidden or unlinked processes; psscan can
psscan: can find processes that have already terminated (inactive) as well as processes hidden or unlinked by a rootkit
pstree: shows the process list as a tree; like pslist, it cannot detect hidden or unlinked processes
memdump: dumps the memory of a specified process; foremost is often used to carve the files inside the dump
filescan: scans for the list of all files
hashdump: shows the current operating system's password hashes, e.g. the contents of the Windows SAM file
svcscan: scans Windows services
connscan: shows network connections
Other plugins
Use the imageinfo plugin to determine the dump file's profile value
Throughout, the file name is test.vmem and the operating system is WinXPSP2x86
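The pslist/psscan distinction above is what an analyst actually checks by comparing the two plugins' output. As an added example that is not part of this page or of Volatility itself, the script below parses constructed sample tables shaped like Volatility 2's pslist and psscan output and reports PIDs that psscan finds but pslist does not (the hidden/unlinked case), keeping processes that merely exited in a separate bucket:

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample output shaped like Volatility 2's pslist (walks the active
# process list) and psscan (scans for EPROCESS allocations); not a real image.
PSLIST_OUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x820df020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x821a2da0 csrss.exe               584    368      9      326      0      0 2012-07-22 02:42:32 UTC+0000
0x81e0a748 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
"""

PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x00000000020df020 smss.exe            368      4 0x06b19020 2012-07-22 02:42:31 UTC+0000
0x00000000021a2da0 csrss.exe           584    368 0x06b19040 2012-07-22 02:42:32 UTC+0000
0x0000000001e0a748 explorer.exe       1484   1464 0x06b190e0 2012-07-22 02:42:36 UTC+0000
0x0000000001f3b020 sample.exe         2396   1484 0x06b19120 2012-07-22 02:44:10 UTC+0000
0x0000000001c2d5a0 cmd.exe            1928   1484 0x06b19160 2012-07-22 02:43:50 UTC+0000   2012-07-22 02:43:58 UTC+0000
"""

# Data rows of both plugins begin: offset, name, PID, PPID.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\b")


def parse_process_table(text: str) -> Dict[int, Tuple[str, int, bool]]:
    """Map PID -> (name, PPID, exited); a row carrying two timestamps has an exit time."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)), line.count("UTC") >= 2)
    return procs


def compare_process_views(pslist_text: str, psscan_text: str) -> Dict[str, Set[int]]:
    """hidden: running per psscan but absent from pslist (the unlinked/rootkit case);
    terminated: psscan rows with an exit time (stale objects, not hidden);
    missing_from_scan: in pslist only (scan miss or tampered pool tag)."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    terminated = {pid for pid, (_, _, exited) in scanned.items() if exited}
    return {"hidden": set(scanned) - set(listed) - terminated,
            "terminated": terminated,
            "missing_from_scan": set(listed) - set(scanned)}
```

On real output, feed the saved text of `pslist` and `psscan` to compare_process_views; a non-empty "hidden" set is the lead worth following up with pstree and memdump.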
volatility -f test.vmem imageinfo
volatility -f test.vmem --profile=WinXPSP2x86
List processes
volatility -f test.vmem --profile=WinXPSP2x86 pslist
List the registry hives cached in memory
volatility -f test.vmem --profile=WinXPSP2x86 hivelist
Print the data in a registry hive
volatility -f test.vmem --profile=WinXPSP2x86 hivedump -o <virtual address of the hive>
The system passwords are in memory; we can extract them with hashdump
volatility -f test.vmem --profile=WinXPSP2x86 hashdump -y <virtual address of the SYSTEM hive> -s <virtual address of the SAM hive>
Get the users in the SAM hive
volatility -f test.vmem --profile=WinXPSP2x86 printkey -K "SAM\Domains\Account\Users\Names"
Get the account that last logged on to the system
volatility -f test.vmem --profile=WinXPSP2x86 printkey -K "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Extract the information recorded in memory about which programs were running at the time, how many times they were run, when they were last run, and so on
volatility -f test.vmem --profile=WinXPSP2x86 userassist
Save the memory of a process as a dmp file
volatility -f test.vmem --profile=WinXPSP2x86 memdump -p [PID] -D [directory to save the dumped file]
Use the strings tool to print the strings it contains
strings xxxx.dmp > xxxx.txt
Extract the cmd command history retained in memory
volatility -f test.vmem --profile=WinXPSP2x86 cmdscan
Get the network connections at the time
volatility -f test.vmem --profile=WinXPSP2x86 netscan
Get the IE browser usage
volatility -f test.vmem --profile=WinXPSP2x86 iehistory