Memory analysis

Volatility2

Find hostname

If we have a memory dump of the VM, we can recover its hostname from it. First we need software that can read the dump; we can use Volatility. Start by identifying the profile:

$ python2.7 vol.py -f ../ch2.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/user/Documents/forensic/rootme/ch2.dmp)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82929be8L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0x8292ac00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2013-01-12 16:59:18 UTC+0000
     Image local date and time : 2013-01-12 17:59:18 +0100

With the profile known, we can read our dump. Now we need to list the registry hives:

$ python2.7 vol.py -f ../ch2.dmp --profile=Win7SP1x86_23418 hivelist
Volatility Foundation Volatility Framework 2.6.1

Virtual    Physical   Name
---------- ---------- ----
0x8ee66740 0x141c0740 \SystemRoot\System32\Config\SOFTWARE
0x90cab9d0 0x172ab9d0 \SystemRoot\System32\Config\DEFAULT
0x9670e9d0 0x1ae709d0 \??\C:\Users\John Doe\ntuser.dat
0x9670f9d0 0x04a719d0 \??\C:\Users\John Doe\AppData\Local\Microsoft\Windows\UsrClass.dat
0x9aad6148 0x131af148 \SystemRoot\System32\Config\SAM
0x9ab25008 0x14a61008 \SystemRoot\System32\Config\SECURITY
0x9aba79d0 0x11a259d0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x9abb1720 0x0a7d4720 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x8b20c008 0x039e1008 [no name]
0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM
0x8b23c008 0x02ccf008 \REGISTRY\MACHINE\HARDWARE
0x8ee66008 0x141c0008 \Device\HarddiskVolume1\Boot\BCD

In the output above, the SYSTEM hive is stored at virtual address 0x8b21c008.

With this offset, we can print the ComputerName key from that hive:

$ python2.7 vol.py -f ../ch2.dmp --profile=Win7SP1x86_23418 printkey -o 0x8b21c008 -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatility Foundation Volatility Framework 2.6.1
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2013-01-12 00:58:30 UTC+0000

Subkeys:

Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) MY-HOSTNAME
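As an added example (not part of the original notes), a small Python helper that parses the three vol.py outputs above (imageinfo, hivelist, printkey) to pick the profile, locate the SYSTEM hive offset and read ComputerName, then rebuilds the printkey command. The sample outputs are constructed from the listings above; the dump name, profile and key path are the ones used above.

```python
import re
import shlex

# Constructed samples, trimmed from the shape of the vol.py output shown above.
IMAGEINFO_OUT = """INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
"""
HIVELIST_OUT = r"""Virtual    Physical   Name
---------- ---------- ----
0x8ee66740 0x141c0740 \SystemRoot\System32\Config\SOFTWARE
0x8b20c008 0x039e1008 [no name]
0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM
"""
PRINTKEY_OUT = """Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) MY-HOSTNAME
"""

def suggested_profiles(text):
    # imageinfo lists candidates in preference order; the first is the usual pick
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", text)
    return [p.strip() for p in m.group(1).split(",")] if m else []

def hive_offset(text, hive_name):
    # hivelist rows are "<virtual> <physical> <name>"; return the virtual offset
    for line in text.splitlines():
        parts = line.split(None, 2)
        if (len(parts) == 3 and parts[0].startswith("0x")
                and parts[2].upper().endswith("\\" + hive_name.upper())):
            return int(parts[0], 16)
    return None

def registry_value(text, value_name):
    # printkey value lines look like "REG_SZ        ComputerName    : (S) MY-HOSTNAME"
    pat = re.compile(r"^\s*REG_\w+\s+" + re.escape(value_name) + r"\s*:\s*\([SV]\)\s*(.+?)\s*$", re.M)
    m = pat.search(text)
    return m.group(1) if m else None

def printkey_command(dump, profile, offset, key):
    # Build the vol.py printkey invocation using the hive offset found above
    return (f"python2.7 vol.py -f {shlex.quote(dump)} --profile={profile} "
            f"printkey -o {offset:#x} -K {shlex.quote(key)}")

def find_hostname(imageinfo, hivelist, printkey):
    # Ties the three steps together on their captured outputs
    profile = (suggested_profiles(imageinfo) or [None])[0]
    return {"profile": profile, "system_hive": hive_offset(hivelist, "SYSTEM"),
            "hostname": registry_value(printkey, "ComputerName")}
```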

Volatility3

UserAssist registry

We can find the username and other information about the user:

python3 vol.py -f analyse-memoire.dmp windows.registry.userassist

TCP/IP Parameter

To find information about the TCP/IP stack, such as the IP address, the DHCP server, etc.:

python3 vol.py -f analyse-memoire.dmp windows.registry.printkey  --key "ControlSet001\Services\Tcpip" --recurse

Or:

python3 vol.py -f analyse-memoire.dmp windows.registry.printkey  --key "ControlSet001\Services\Tcpip\Parameters" --recurse

Hostname

If we would like to get the hostname of the machine:

python3 vol.py -f analyse-memoire.dmp windows.registry.printkey  --key "ControlSet001\Services\Tcpip" --recurse

Analyse process list

List all processes:

python3 vol.py -f analyse-memoire.dmp windows.pslist

Scan list files

Scan for all files that were open (file objects found in memory):

python3 vol.py -f analyse-memoire.dmp windows.filescan

Dump files

Dump all cached files:

python3 vol.py -f analyse-memoire.dmp windows.dumpfiles

Dump files used by process

We can filter with a specific process ID:

python3 vol.py -f analyse-memoire.dmp windows.dumpfiles --pid 9048

Malicious document analysis

PDF Document

The signature of a PDF document is the string %PDF- followed by the PDF version, for instance %PDF-1.5. In hex, that signature is: 25 50 44 46 2d 31 2e 35.

PDF Body: the body of the PDF contains a set of objects, organised in a specific structure:

3 0 obj
<</Type /Page /Parent 1 0 R /MediaBox [0 0 841.89 595.28] /Group << /Type /Group /S /Transparency /CS /DeviceRGB >> /Resources 2 0 R
/Contents 4 0 R>>
endobj

4 0 obj
<</Filter /FlateDecode /Length 733>> stream
<733 bytes of FlateDecode-compressed binary data>
endstream
endobj

PDF Cross-Reference Table: a map that contains the locations of all objects in the PDF file:

xref
0 13
0000000000 65535 f
0000000978 00000 n
0000052395 00000 n
0000000009 00000 n
--
0000001478 00000 n
0000001596 00000 n
0000052585 00000 n
0000052771 00000 n

PDF Trailer: the last section of the PDF file; it provides information about the document, such as where the xref section starts, the size of the document, etc.

trailer << /Size 13 /Root 12 0 R /Info 11 0 R >>
startxref
53137
%%EOF

Some keywords to look for in a PDF document:

  • /JavaScript or /JS: contains JavaScript code that can be executed by the PDF reader
  • /Names: name of the document itself
  • /OpenAction: performs an action when the document opens, such as executing a script
  • /EmbeddedFile: an embedded file, such as a script
  • /URI: link to a URL on the Internet
  • /SubmitForm: similar to /URI
  • /Launch: runs an embedded script
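As an added example, not code from the original notes: a Python triage script that checks the %PDF- signature, reads /Size, /Root and startxref from the trailer, and counts the keywords listed above both in the raw file and inside inflated FlateDecode streams, where a plain grep over the file misses them. The sample PDF is constructed inline.

```python
import re
import zlib

# Names called out above; matched as whole PDF names so /JS does not hit /JSX.
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/Names", b"/OpenAction",
              b"/EmbeddedFile", b"/URI", b"/SubmitForm", b"/Launch"]

# Constructed sample: object 4's FlateDecode stream hides a /JS action that a plain grep misses.
HIDDEN = b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>"
STREAM = zlib.compress(HIDDEN)
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] >>\nendobj\n"
    b"4 0 obj\n<< /Filter /FlateDecode /Length " + str(len(STREAM)).encode()
    + b" >>\nstream\n" + STREAM + b"\nendstream\nendobj\n"
    b"trailer\n<< /Size 5 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
)

def pdf_version(data):
    # Signature check: "%PDF-" followed by the version, e.g. %PDF-1.5
    m = re.match(rb"%PDF-(\d\.\d)", data)
    return m.group(1).decode() if m else None

def trailer_info(data):
    # /Size, /Root and startxref taken from the last trailer in the file
    trailers = re.findall(rb"trailer\s*<<(.*?)>>", data, re.S)
    t = trailers[-1] if trailers else b""
    size = re.search(rb"/Size\s+(\d+)", t)
    root = re.search(rb"/Root\s+(\d+ \d+ R)", t)
    xref = re.findall(rb"startxref\s+(\d+)", data)
    return {"size": int(size.group(1)) if size else None,
            "root": root.group(1).decode() if root else None,
            "startxref": int(xref[-1]) if xref else None}

def inflated_streams(data):
    # Bodies of FlateDecode streams; raw (unfiltered) streams are already visible in data
    for body in re.findall(rb"stream\r?\n(.*?)\nendstream", data, re.S):
        try:
            yield zlib.decompress(body)
        except zlib.error:
            pass  # not deflate (or damaged): nothing further to reveal

def keyword_counts(data):
    # Count suspicious names in the raw file plus every inflated stream
    haystack = data + b"\n".join(inflated_streams(data))
    hits = {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", haystack))
            for kw in SUSPICIOUS}
    return {k: n for k, n in hits.items() if n}
```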

To analyse a PDF document, we can use a simple text editor such as vim, or a dedicated tool such as:

Malicious JavaScript

When you need to analyse malicious JavaScript code, you can use the tool Box-Js.

Microsoft Office documents

You can analyse a malicious Office document, such as a Word or OneNote file, with the following tools: