Some useful volatility plugins
In previous diaries I have talked about using Volatility; in this diary I will cover a few other plugins.
1- MBR parser:
The mbrparser plugin scans for and parses potential Master Boot Records (MBRs) in the memory image.
vol.py --profile=Win7SP1x86 -f win7SP1.bin mbrparser
And the output would be similar to this:
Volatility Foundation Volatility Framework 2.5
***************************************************************************
Potential MBR at physical offset: 0x600
Disk Signature: fd-04-bb-b7
Bootcode md5: 40b32fa4b4f6aae1c2c47c02a27b873e
Bootcode (FULL) md5: 0e8ac4f7d364af5e54b96b561712aa30
Disassembly of Bootable Code:
0000000600: 33c0        XOR AX, AX
0000000602: 8ed0        MOV SS, AX
0000000604: bc007c      MOV SP, 0x7c00
As you can see, mbrparser shows the disk signature and the MD5 hash of the bootcode, and it disassembles the bootable code.
2- MFT parser:
The mftparser plugin scans for potential Master File Table (MFT) entries in memory (using the "FILE" and "BAAD" signatures) and prints out information for certain attributes, currently: $FILE_NAME ($FN), $STANDARD_INFORMATION ($SI), the $FN and $SI attributes from the $ATTRIBUTE_LIST, and $OBJECT_ID.
vol.py --profile=Win7SP1x86 -f win7SP1.bin mftparser --output-file=mft.txt
And here is a sample of the mftparser output:
$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2009-07-14 04:52:30 UTC+0000   2009-07-14 04:52:31 UTC+0000   2011-03-04 17:18:43 UTC+0000   2009-07-14 04:52:31 UTC+0000   Content not indexed

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   PROGRA~2\MICROS~1\User Account Pictures\DEFAUL~1

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   PROGRA~2\MICROS~1\User Account Pictures\Default Pictures

***************************************************************************
***************************************************************************
MFT entry found at offset 0x160c00
Attribute: In Use & Directory
Record Number: 295
Link count: 1

$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2009-07-14 02:37:05 UTC+0000   2009-07-14 02:04:54 UTC+0000   2011-03-04 17:18:43 UTC+0000   2009-07-14 02:37:05 UTC+0000   Unknown Type

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   2011-03-04 17:15:12 UTC+0000   PROGRA~2\MICROS~1\Vault

***************************************************************************
***************************************************************************
MFT entry found at offset 0x2a9000
Attribute: In Use & File
Record Number: 18536
Link count: 2

$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2010-11-20 21:29:06 UTC+0000   2010-11-20 21:29:06 UTC+0000   2011-03-04 17:16:41 UTC+0000   2010-11-20 21:29:06 UTC+0000   Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   dnscmmc.dll

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   Windows\System32\dnscmmc.dll

$DATA

$OBJECT_ID
Object ID: 40000000-0000-0000-00b0-010000000000
Birth Volume ID: 00aa0100-0000-0000-00aa-010000000000
Birth Object ID: 311bcb11-0900-ada0-ffff-ffff82794711
Birth Domain ID: 00000000-0000-0000-0000-000000000000
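The $STANDARD_INFORMATION and $FILE_NAME rows carry separate creation times, and comparing them is one of the first checks an analyst runs over mftparser output. The following is an added example, not code from the diary or from Volatility: it parses the text layout shown above (one constructed entry, copied from the dnscmmc.dll record, is embedded as sample input) and lists entries whose $SI creation time predates the $FN creation time.

```python
import re
from datetime import datetime

# Constructed sample: one entry in the same layout as the mftparser output above
# (only the long-name $FILE_NAME attribute is kept, for brevity).
MFT_SAMPLE = """\
MFT entry found at offset 0x2a9000
Attribute: In Use & File
Record Number: 18536
Link count: 2

$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2010-11-20 21:29:06 UTC+0000   2010-11-20 21:29:06 UTC+0000   2011-03-04 17:16:41 UTC+0000   2010-11-20 21:29:06 UTC+0000   Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   2011-03-04 17:16:41 UTC+0000   Windows\\System32\\dnscmmc.dll
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000"
# One timestamp row: four stamps, then the Type (for $SI) or Name/Path (for $FN).
ROW = re.compile(rf"^{TS}\s+{TS}\s+{TS}\s+{TS}\s+(.*)$", re.M)


def parse_mft_entries(text):
    """Split mftparser text into entries; keep the $SI creation time plus the
    creation time and path from the last $FN row (the one with the full path)."""
    entries = []
    for block in text.split("MFT entry found at offset ")[1:]:
        entry = {"offset": block.split()[0], "si_created": None, "fn_created": None, "path": None}
        si_part, _, fn_part = block.partition("$FILE_NAME")
        m = ROW.search(si_part)
        if m:
            entry["si_created"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for m in ROW.finditer(fn_part):
            entry["fn_created"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entry["path"] = m.group(5).strip()
        entries.append(entry)
    return entries


def si_created_before_fn(entries):
    """Paths whose $SI creation predates $FN creation. $FN stamps are set by the
    kernel when the name is created and are untouched by SetFileTime-style edits,
    so the pattern deserves a look (copies that preserve timestamps also show it)."""
    return [e["path"] for e in entries
            if e["si_created"] and e["fn_created"] and e["si_created"] < e["fn_created"]]
```

Run it over the full mft.txt produced by the command above to get a short list of records worth examining by hand.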
3- UserAssist:
UserAssist keys track the GUI-based programs a user launches from the desktop on a Windows system. On Windows 7 the data lives in the user's NTUSER.DAT hive under:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
The userassist plugin scans the entire memory image and parses the UserAssist keys.
vol.py --profile=Win7SP1x86 -f win7SP1.bin userassist --output-file=userassist.txt
----------------------------
Registry: \??\C:\Users\Daniel\ntuser.dat
Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Last updated: 2013-10-15 18:48:57 UTC+0000

Subkeys:

Values:

REG_BINARY    %windir%\system32\mspaint.exe :
Count:          10
Focus Count:    12
Time Focused:   0:03:40.594000
Last updated:   2013-10-15 18:46:16 UTC+0000
Raw Data:
0x00000000  00 00 00 00 0a 00 00 00 0c 00 00 00 be 5b 03 00   .............[..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 10 f1 72 d4   ..............r.
0x00000040  d6 c9 ce 01 00 00 00 00                           ........
Here is a sample output of the userassist plugin; the Count entry shows the number of times that mspaint.exe has been executed.
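To see where Count, Focus Count, Time Focused and Last updated come from in the Raw Data above, here is an added example (not code from the diary or from Volatility) that parses the Windows 7 UserAssist value layout. The 72 raw bytes are embedded as a constructed sample; the ROT13 value name, the field offsets and the +500 ms rounding that reproduces the plugin's Time Focused are the example's own assumptions, noted in the comments.

```python
import codecs
import struct
from datetime import datetime, timedelta

# Constructed sample: the Win7-format Count value for mspaint.exe as shown in
# the userassist output above. In the hive the value name is ROT13-encoded,
# so the sample name is encoded the same way before parsing.
SAMPLE_NAME = codecs.encode(r"%windir%\system32\mspaint.exe", "rot13")
SAMPLE_DATA = bytes.fromhex(
    "00000000 0a000000 0c000000 be5b0300"
    "000080bf 000080bf 000080bf 000080bf"
    "000080bf 000080bf 000080bf 000080bf"
    "000080bf 000080bf ffffffff 10f172d4"
    "d6c9ce01 00000000"
)

FILETIME_EPOCH = datetime(1601, 1, 1)  # FILETIME counts 100 ns ticks from here (UTC)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME integer to a naive UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_win7(name, data):
    """Parse one Windows 7 UserAssist Count value.

    Assumed layout (little-endian): session id @0, run count @4, focus count @8,
    focus time in milliseconds @12, ten floats @16, 0xffffffff @56,
    last-execution FILETIME @60.
    """
    if len(data) < 68:
        raise ValueError("value too short for the Windows 7 UserAssist layout")
    _session, count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (last_updated,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(name, "rot13"),
        "count": count,
        "focus_count": focus_count,
        # Assumption: adding 500 ms before converting reproduces the
        # "Time Focused: 0:03:40.594000" the plugin printed for 220094 ms.
        "time_focused": timedelta(milliseconds=focus_ms + 500),
        "last_updated": filetime_to_datetime(last_updated) if last_updated else None,
    }


if __name__ == "__main__":
    for key, value in parse_userassist_win7(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key:>13}: {value}")
```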
4- Shellbags:
Shellbags record which folders were accessed on the local machine, the network, and/or removable devices; they preserve evidence of folders that existed before deletion or overwrite; and they show when certain folders were accessed.
vol.py --profile=Win7SP1x86 -f win7SP1.bin shellbags --output-file=shellbags.txt
And here is a sample of the shellbags plugin output:
***************************************************************************
Registry: \??\C:\Users\Daniel\ntuser.dat
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2013-10-15 18:45:30 UTC+0000
Value                     File Name      Modified Date                  Create Date                    Access Date                    File Attr                 Unicode Name
------------------------- -------------- ------------------------------ ------------------------------ ------------------------------ ------------------------- ------------
ItemPos1024x768x96(1)     GZIP-1~1.12-   2013-10-06 16:33:54 UTC+0000   2013-10-06 16:33:54 UTC+0000   2013-10-06 16:33:54 UTC+0000   DIR                       gzip-1.3.12-1-bin
ItemPos1024x768x96(1)     PROCES~1.31-   2013-10-15 18:13:28 UTC+0000   2013-10-15 18:13:28 UTC+0000   2013-10-15 18:13:28 UTC+0000   DIR                       processhacker-2.31-bin
ItemPos1024x768x96(1)     SYSINT~1       2011-03-04 14:39:26 UTC+0000   2011-03-04 14:39:26 UTC+0000   2011-03-04 14:39:26 UTC+0000   NI, DIR                   SysinternalsSuite
ItemPos1024x768x96(1)     TRUECR~1       2013-10-06 16:38:34 UTC+0000   2013-10-05 01:33:00 UTC+0000   2013-10-06 16:38:34 UTC+0000   DIR                       TrueCrypt
ItemPos1024x768x96(1)     nasm.lnk       2013-10-06 16:33:06 UTC+0000   2013-10-06 16:33:06 UTC+0000   2013-10-06 16:33:06 UTC+0000   ARC                       nasm.lnk
ItemPos1024x768x96(1)     PROCES~1.ZIP   2013-10-15 18:13:08 UTC+0000   2013-10-15 18:13:18 UTC+0000   2013-10-15 18:13:18 UTC+0000   ARC, NI                   processhacker-2.31-bin.zip
ItemPos1024x768x96(1)     TRUECR~1.ZIP   2013-10-05 01:32:24 UTC+0000   2013-10-05 01:32:30 UTC+0000   2013-10-05 01:32:30 UTC+0000   ARC, NI                   TrueCrypt 7.1a Source.zip
ItemPos1024x768x96(1)     WINSDK~1.EXE   2013-10-06 16:11:04 UTC+0000   2013-10-06 16:11:40 UTC+0000   2013-10-06 16:11:40 UTC+0000   ARC, NI                   winsdk_web.exe
ItemPos1024x768x96(1)     VMWARE~1.LNK   2013-10-15 18:45:08 UTC+0000   2013-10-06 19:16:02 UTC+0000   2013-10-15 18:45:08 UTC+0000   ARC                       VMware Shared Folders.lnk
*************************