Memory Forensics Cheat Sheet v1.2
SANS Institute, by Chad Tilbury

Purpose
This cheat sheet supports the SANS FOR508 Advanced Forensics and Incident Response Course and SANS FOR526 Memory Analysis. It is not intended to be an exhaustive resource for Volatility™ or other highlighted tools. Volatility™ is a trademark of Verizon. The SANS Institute is not sponsored or approved by, or affiliated with, Verizon.

Memory Acquisition
Remember to open the command prompt as Administrator.

Win32dd / Win64dd (x86 / x64 systems respectively)
  /f        Image destination and filename
  C:\> win32dd.exe /f E:\mem.img

Mandiant Memoryze MemoryDD.bat
  -output   Image destination
  C:\> MemoryDD.bat -output E:\

Volatility™ WinPmem
  -         (single dash) Output to standard out
  -l        Load driver for live memory analysis
  C:\> winpmem_<version>.exe <output file>

Memory Artifact Timelining
The Volatility™ timeliner plugin parses time-stamped objects found in memory images. Output is ordered by time and draws on:
  Process creation time
  Thread creation time
  Driver compile time
  DLL / EXE compile time
  Network socket creation time
  Memory resident registry key last write time
  Memory resident event log entry creation time

timeliner
  --output-file   Optional file to write output (v2.1)
  --output=body   bodyfile format for mactime (v2.3)
  # vol.py -f mem.img timeliner --output-file out.csv --profile=Win7SP1x86

How To Use This Document
Memory analysis is one of the most powerful tools available to forensic examiners. This guide hopes to simplify the overwhelming number of available options. Analysis can be generally broken up into six steps:
  1. Identify Rogue Processes
  2. Analyze Process DLLs and Handles
  3. Review Network Artifacts
  4. Look for Evidence of Code Injection
  5. Check for Signs of a Rootkit
  6. Dump Suspicious Processes and Drivers
We outline the most useful Volatility™ plugins supporting these six steps here. Further information is provided for:
  Memory Acquisition
  Converting Hibernation Files and Crash Dumps
  Memory Artifact Timelining
  Registry Analysis Volatility™ Plugins
  Memory Analysis Tool List

Memory Analysis Tools
  Volatility™ (Windows/Linux/Mac)
  Mandiant Redline (Windows)
  Volafox (Mac OS X and BSD)

Converting Hibernation Files and Crash Dumps
Volatility™ imagecopy
  -f          Name of source file (crash dump, hibernation file)
  -O          Output file name
  --profile   Source OS from imageinfo
  # vol.py imagecopy -f hiberfil.sys -O hiber.img --profile=Win7SP1x64
  # vol.py imagecopy -f Memory.dmp -O memdmp.img --profile=Win7SP1x64

Registry Analysis Volatility™ Plugins
hivelist - Find and list available registry hives
  # vol.py hivelist
hivedump - Print all keys and subkeys in a hive
  -o    Offset of registry hive to dump (virtual offset)
  # vol.py hivedump -o 0xe1a14b60
printkey - Output a registry key, subkeys, and values
  -K    "Registry key path"
  # vol.py printkey -K "Registry key path"
userassist - Find and parse userassist key values
  # vol.py userassist
hashdump - Dump user NTLM and Lanman hashes
  -y    Virtual offset of SYSTEM registry hive (from hivelist)
  -s    Virtual offset of SAM registry hive (from hivelist)
  # vol.py hashdump -y 0x8781c008 -s 0x87f6b9c8

Getting Started with Volatility™

Identify System Profile
imageinfo - Display memory image metadata
  # vol.py -f mem.img imageinfo

Using Environment Variables
  Set name of memory image (takes place of -f)
  # export VOLATILITY_LOCATION=file:///images/mem.img
  Set profile type (takes place of --profile=)
  # export VOLATILITY_PROFILE=WinXPSP3x86

Sample Command Line
  # vol.py -f image --profile=profile plugin

Getting Help
  # vol.py -h              (show options and supported plugins)
  # vol.py plugin -h       (show plugin usage)
  # vol.py --info          (show available OS profiles)

Identify Rogue Processes
pslist - High level view of running processes
  -p    Show information only for specific process identifiers (PIDs)
  # vol.py pslist
psscan - Scan memory for EPROCESS blocks
  # vol.py psscan
pstree - Display parent-process relationships
  # vol.py pstree

Analyze Process DLLs and Handles
dlllist - List of loaded DLLs by process
  -p    Show information only for specific PIDs
  # vol.py dlllist -p 868
getsids - Print process security identifiers
  -p    Show information only for specific PIDs
  # vol.py getsids -p 868
handles - List of open handles for each process
  -p    Show information only for specific PIDs
  -t    Display only handles of a certain type {Process, Thread, Key, Event, File, Mutant, Token, Port}
  # vol.py handles -p 868 -t Process

Review Network Artifacts
connections - [XP] List of open TCP connections
  # vol.py connections
connscan - [XP] ID TCP connections, including closed
  # vol.py connscan
sockets - [XP] Print listening sockets (any protocol)
  # vol.py sockets
sockscan - [XP] ID sockets, including closed/unlinked
  # vol.py sockscan
netscan - [Win7] Scan for connections and sockets
  # vol.py netscan

Look for Evidence of Code Injection
malfind - Find injected code and dump sections
  -p          Show information only for specific PIDs
  -o          Provide physical offset of single process to scan
  --dump-dir  Directory to save memory sections
  # vol.py malfind --dump-dir ./output_dir
ldrmodules - Detect unlinked DLLs
  -p    Show information only for specific PIDs
  -v    Verbose: show full paths from three DLL lists
  # vol.py ldrmodules -p 868 -v

Check for Signs of a Rootkit
psxview - Find hidden processes using cross-view
  # vol.py psxview
modscan - Scan memory for loaded, unlinked drivers
  # vol.py modscan
apihooks - Find API/DLL function hooks
  -p    Operate only on specific PIDs
  -Q    Only scan critical processes and DLLs
  # vol.py apihooks
ssdt - Hooks in System Service Descriptor Table
  # vol.py ssdt | egrep -v '(ntoskrnl|win32k)'
driverirp - Identify I/O Request Packet (IRP) hooks
  -r    Analyze drivers matching REGEX name pattern
  # vol.py driverirp -r tcpip
idt - Display Interrupt Descriptor Table
  # vol.py idt

Dump Suspicious Processes and Drivers
dlldump - Extract DLLs from specific processes
  -p          Dump DLLs only for specific PIDs
  -b          Dump DLLs from process at physical memory offset
  -r          Dump DLLs matching REGEX name
  --dump-dir  Directory to save extracted files
  # vol.py dlldump --dump-dir ./output -r metsrv
moddump - Extract kernel drivers
  -o          Dump driver using offset address (from modscan)
  -r          Dump drivers matching REGEX name
  --dump-dir  Directory to save extracted files
  # vol.py moddump --dump-dir ./output -r gaopdx
procmemdump - Dump process to executable sample
  -p          Dump only specific PIDs
  -o          Specify process by physical memory offset
  --dump-dir  Directory to save extracted files
  # vol.py procmemdump --dump-dir ./output -p 868
memdump - Dump every memory section into a file
  -p          Dump memory sections from these PIDs
  --dump-dir  Directory to save extracted files
  # vol.py memdump --dump-dir ./output -p 868
svcscan - Scan for Windows Service information
  # vol.py svcscan
filescan - Scan memory for FILE_OBJECT handles
  # vol.py filescan
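Both ldrmodules (step 4) and psxview (step 5) are cross-view checks: an object that one source sees and another does not is the finding, but the raw tables still need interpretation, since psscan also carves terminated processes and a process's own executable is normally absent from the initialization-order list. The script below is an added example, not code from the cheat sheet or from Volatility: one parser for Volatility 2.x text tables (column extents taken from the dashed separator line, because numeric columns are right-aligned and MappedPath may contain spaces), followed by the two triage rules. The tables are constructed in the shape of psxview and ldrmodules output; the exact psxview column set differs between versions, so the columns shown are an assumption.

```python
"""Cross-view triage over psxview and ldrmodules text output.

Added example; not part of the SANS cheat sheet or of Volatility. The two
tables are constructed to look like Volatility 2.x output; the psxview
column set varies by version, so this layout is an assumption.
"""
import re

SEPARATOR_RE = re.compile(r"^[\s-]+$")

PSXVIEW_SAMPLE = """
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss
---------- -------------------- ------ ------ ------ -------- ------ -----
0x3e1f6d40 explorer.exe           1464 True   True   True     True   True
0x3f02a8e0 svchost.exe            2212 True   True   True     True   True
0x3e9a1020 rootkit.exe            1880 False  True   True     True   True
0x3d44c3a0 notepad.exe            3020 False  True   False    False  False
"""

LDRMODULES_SAMPLE = r"""
   Pid Process              Base       InLoad InInit InMem MappedPath
------ -------------------- ---------- ------ ------ ----- ----------
  2212 svchost.exe          0x00400000 True   False  True  \Windows\System32\svchost.exe
  2212 svchost.exe          0x77a40000 True   True   True  \Windows\System32\kernel32.dll
  2212 svchost.exe          0x02250000 False  False  False
  1880 rootkit.exe          0x10000000 False  False  True  \Users\bob\AppData\Local\Temp\hk.dll
"""


def parse_table(text):
    """Rows of a Volatility 2.x text table as dicts keyed by header name.
    Column extents come from the '----' separator line: numeric columns are
    right-aligned and the last column may contain spaces, so splitting on
    whitespace would misattribute values."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    try:
        sep_idx = next(i for i, ln in enumerate(lines) if i and SEPARATOR_RE.match(ln))
    except StopIteration:
        raise ValueError("no separator line; not a Volatility table") from None
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[sep_idx])]
    names = [lines[sep_idx - 1][s:e].strip() for s, e in spans]
    spans[-1] = (spans[-1][0], None)          # last column runs to end of line
    return [{n: ln[s:e].strip() for n, (s, e) in zip(names, spans)}
            for ln in lines[sep_idx + 1:]]


def hidden_processes(rows):
    """psxview rule: psscan True but pslist False is either DKOM-unlinked or
    simply exited. The other views separate the two: a live hidden process
    still has threads, a PspCid entry and a csrss handle; a terminated one
    is False in every view except the pool scan."""
    findings = []
    for r in rows:
        if r["pslist"] == "True" or r["psscan"] != "True":
            continue
        other_views = [k for k in r if k not in ("Offset(P)", "Name", "PID", "pslist", "psscan")]
        alive = any(r[k] == "True" for k in other_views)
        findings.append((r["Name"], int(r["PID"]),
                         "likely hidden (DKOM)" if alive else "likely exited"))
    return findings


PEB_LISTS = ("InLoad", "InInit", "InMem")


def unlinked_modules(rows):
    """ldrmodules rule: a mapped PE absent from any PEB list is suspect,
    most of all when it has no backing file. The process's own executable
    is expected to be missing from the init-order list only, so that one
    case is not reported."""
    findings = []
    for r in rows:
        flags = tuple(r[k] for k in PEB_LISTS)
        path = r["MappedPath"]
        own_exe = path.lower().endswith("\\" + r["Process"].lower())
        if "False" not in flags or (flags == ("True", "False", "True") and own_exe):
            continue
        reason = "missing from " + ", ".join(k for k, f in zip(PEB_LISTS, flags) if f == "False")
        if not path:
            reason += "; no backing file"
        findings.append((int(r["Pid"]), int(r["Base"], 16), reason, path))
    return findings


if __name__ == "__main__":
    for name, pid, verdict in hidden_processes(parse_table(PSXVIEW_SAMPLE)):
        print(f"psxview: {name} (PID {pid}) absent from pslist: {verdict}")
    for pid, base, reason, path in unlinked_modules(parse_table(LDRMODULES_SAMPLE)):
        print(f"ldrmodules: PID {pid} base {base:#x}: {reason} {path}")
```

Run it against saved plugin output with `parse_table(open("psxview.txt").read())`. Treat the verdicts as a triage ordering, not proof: follow a "likely hidden" hit with `dlllist`/`handles -p`, and a "no backing file" region with `malfind` and a `procmemdump` or `dlldump` of the process.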