Computer Security & Forensics
Forensics Practical Two: Volatility!

This practical walks you through the forensic analysis process used to solve an online forensics challenge. It uses the volatility tool and some standard command-line applications to inspect and analyse the memory captured from a PC that was suspected of being compromised via a PDF exploit.

Static analysis of a suspect machine can be very useful, since we can take our time over the analysis process and can do it on a separate, uninfected computer. Ideally your first action on examining a live suspect computer will be to take a snapshot of the memory and save it to removable media. You can then proceed to perform a more dynamic analysis, knowing that you have an alternative to fall back on should anything go wrong.

Operating System Version

You learnt about checksums and viewing files with a hex editor in the previous practical; we will now move on to analysing a sample memory dump. One of the first things you will want to check is the type and version of the operating system that your sample was taken from.

Open up a command prompt and change directory to the forensics folder that you created last week. Make sure you have a connection to the networked drive \\wsv.cs.stir.ac.uk\Security (it is assumed that you mapped it as the 'S' drive in the following examples). Now type the following to extract the version information (it may take a couple of minutes):

    tools\volatility imageinfo -f S:\forensics\lab.mem > lab-info.txt

The '> lab-info.txt' part of this command redirects the output into the file lab-info.txt so that you do not have to keep regenerating it. If you view your home forensics directory in Explorer, you should see this file listed there and can open it with a text editor (e.g. Notepad). You should observe that the image is from a Windows XP machine running Service Pack 3 on an x86 architecture.
The syntax for the volatility command is reasonably straightforward: you type volatility followed by the particular scan command you wish to run (e.g. imageinfo) and then indicate the file that is to be scanned via the -f <file> option. If you type volatility on its own, you will get a list of the types of actions that this tool can perform. If you wish to save the output to a text file, just add > textfilename.txt at the end, where textfilename.txt is the name of the file you wish to save the results to.

Viewing Processes

The next step is to look at the processes that were running on the PC at the time the memory snapshot was taken. This may enable us to spot whether anything unusual was running at the time we obtained our snapshot. To get this list of processes, type:

    tools\volatility pslist -f S:\forensics\lab.mem > lab-pslist.txt

This will produce a list of the processes that were running on the machine at the time the snapshot was taken (at least those that were recorded in the kernel process list). A sample of the output is shown below. You will see that it includes the memory offset of each process, its name, its ID, its parent process ID (i.e. the process that started it, a very useful piece of information) and the time it was started (again very useful if you want to trace a chain of events, such as cross-checking a process starting with communication over the network). You can also see the number of internal threads initiated by a given process and a count of the handles it has on OS resources.

    Offset(V)  Name       PID  PPID  Thds  Hnds  Time
    ---------- --------- ---- ----- ----- ----- -------------------
    0x81bcaa00 System       4     0    72   300  1970-01-01 00:00:00
    0x8193ab10 smss.exe   612     4     3    19  2011-08-31 09:45:09
    0x81929b10 csrss.exe  664   612    13   435  2011-08-31 09:45:11
    ...

We can display the above information in a more structured way using the pstree option, which will show you the process hierarchy. This makes it easier to see which processes own and started other processes, and also the sequence which led to each one starting. Type:
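The pstree view and the "cross-check a chain of events" advice above both come down to linking each PID to its PPID and ordering by start time. The following Python script is an added example written for this practical; it is not Volatility's own code and not part of the original handout. It parses pslist text in the column layout shown above, rebuilds the hierarchy the way pstree presents it, and reports the things an analyst checks by hand: a parent that is absent from the list, a child whose start time precedes its parent's, and a process started by a document viewer (the PDF-reader angle of this exercise). The pslist sample embedded in the script is constructed for the example; its process names, PIDs and timestamps, and the AcroRd32.exe watch-list default, are assumptions and do not come from lab.mem.

```python
"""Rebuild a pstree-style hierarchy from Volatility pslist text output.

Added example for the practical (not Volatility's own code and not part of
the original handout). It parses the column layout shown in the handout
(Offset(V) Name PID PPID Thds Hnds Time), links every process to its parent
through the PPID column, and reports the cross-checks an analyst does by hand.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the practical's pslist layout; the rows, PIDs, names
# and times are made up for this example and are not taken from lab.mem.
SAMPLE_PSLIST = """\
Offset(V)  Name                 PID  PPID Thds Hnds Time
---------- -------------------- ---- ---- ---- ---- -------------------
0x81bcaa00 System                  4    0   72  300 1970-01-01 00:00:00
0x8193ab10 smss.exe              612    4    3   19 2011-08-31 09:45:09
0x81929b10 csrss.exe             664  612   13  435 2011-08-31 09:45:11
0x81900020 winlogon.exe          688  612   19  520 2011-08-31 09:45:12
0x818f5da0 explorer.exe         1584 1520   12  390 2011-08-31 09:46:02
0x818a0b30 AcroRd32.exe         1932 1584    6  210 2011-08-31 09:50:14
0x81893020 cmd.exe              2012 1932    1   28 2011-08-31 09:50:20
"""


@dataclass(frozen=True)
class Process:
    offset: str
    name: str
    pid: int
    ppid: int
    threads: int
    handles: int
    started: datetime


# One data row: offset, image name, PID, PPID, Thds, Hnds, start timestamp.
ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


def parse_pslist(text):
    """Return {pid: Process}; header, separator and '...' lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        offset, name, pid, ppid, thds, hnds, ts = m.groups()
        procs[int(pid)] = Process(
            offset, name, int(pid), int(ppid), int(thds), int(hnds),
            datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        )
    return procs


def build_tree(procs):
    """Map PID -> child PIDs (ordered by start time); roots have no parent in the list."""
    children = defaultdict(list)
    roots = []
    for p in procs.values():
        if p.ppid in procs:
            children[p.ppid].append(p.pid)
        else:
            roots.append(p.pid)
    for kids in children.values():
        kids.sort(key=lambda c: procs[c].started)
    roots.sort(key=lambda r: procs[r].started)
    return children, roots


def render_tree(procs):
    """pstree-style lines: one leading dot per depth level, then name(pid)."""
    children, roots = build_tree(procs)
    lines = []

    def walk(pid, depth):
        p = procs[pid]
        lines.append(f"{'.' * (depth + 1)} {p.name}({p.pid})  ppid={p.ppid}  started={p.started}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


def find_anomalies(procs, viewer_names=("AcroRd32.exe",)):
    """Return (kind, pid) pairs worth a second look when reading pslist by hand.

    viewer_names is an assumed watch-list of document-viewer image names; a
    process whose parent is a PDF reader is the chain this practical is hunting.
    """
    viewers = {n.lower() for n in viewer_names}
    findings = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        parent = procs.get(p.ppid)
        if parent is None:
            if p.ppid != 0:                      # PPID 0 (System Idle) is a normal root
                findings.append(("missing-parent", p.pid))
            continue
        if p.started < parent.started:          # PID reuse, or a clock worth questioning
            findings.append(("started-before-parent", p.pid))
        if parent.name.lower() in viewers:
            findings.append(("child-of-document-viewer", p.pid))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render_tree(procs)))
    for kind, pid in find_anomalies(procs):
        print(f"CHECK {kind}: {procs[pid].name} (pid {pid}, ppid {procs[pid].ppid})")
```

To use it on your own output, read lab-pslist.txt and pass its contents to parse_pslist. The row pattern is written for the column layout the practical shows; newer Volatility releases print extra columns (session, Wow64, exit time) after the handle count, so the pattern would need extending for those. A missing parent is not automatically suspicious (on Windows XP the process that launches explorer.exe exits shortly afterwards), which is why the script reports it as something to check rather than as a verdict.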