Memory Forensics Cheat Sheet v1.2
POCKET REFERENCE GUIDE
SANS Institute, by Chad Tilbury
http://computer-forensics.sans.org
http://forensicmethods.com

Purpose

This cheat sheet supports the SANS FOR508 Advanced Forensics and Incident Response Course and SANS FOR526 Memory Analysis. It is not intended to be an exhaustive resource for Volatility™ or other highlighted tools. Volatility™ is a trademark of Verizon. The SANS Institute is not sponsored or approved by, or affiliated with Verizon.

How To Use This Document

Memory analysis is one of the most powerful tools available to forensic examiners. This guide hopes to simplify the overwhelming number of available options. Analysis can be generally broken up into six steps:

1. Identify Rogue Processes
2. Analyze Process DLLs and Handles
3. Review Network Artifacts
4. Look for Evidence of Code Injection
5. Check for Signs of a Rootkit
6. Dump Suspicious Processes and Drivers

We outline the most useful Volatility™ plugins supporting these six steps here. Further information is provided for:

    - Memory Acquisition
    - Converting Hibernation Files and Crash Dumps
    - Memory Artifact Timelining
    - Registry Analysis Volatility™ Plugins
    - Memory Analysis Tool List

Memory Acquisition

Remember to open the command prompt as Administrator.

Win32dd / Win64dd (x86 / x64 systems respectively)
    /f    Image destination and filename
    C:\> win32dd.exe /f E:\mem.img

Mandiant Memoryze MemoryDD.bat
    -output    Image destination
    C:\> MemoryDD.bat -output E:\

Volatility™ WinPmem
    - (single dash)    Output to standard out
    -l    Load driver for live memory analysis
    C:\> winpmem_<version>.exe

Converting Hibernation Files and Crash Dumps

Volatility™ imagecopy
    -f    Name of source file (crash dump, hibernation file)
    -O    Output file name
    --profile    Source OS from imageinfo
    # vol.py imagecopy -f hiberfil.sys -O hiber.img --profile=Win7SP1x64
    # vol.py imagecopy -f Memory.dmp -O memdmp.img --profile=Win7SP1x64

Memory Analysis Tools

Volatility™ (Windows/Linux/Mac)
    http://code.google.com/p/volatility/
Mandiant Redline (Windows)
    http://www.mandiant.com/resources/download/redline
Volafox (Mac OS X and BSD)
    http://code.google.com/p/volafox/

Registry Analysis Volatility™ Plugins

hivelist - Find and list available registry hives
    # vol.py hivelist
hivedump - Print all keys and subkeys in a hive
    -o    Offset of registry hive to dump (virtual offset)
    # vol.py hivedump -o 0xe1a14b60
printkey - Output a registry key, subkeys, and values
    -K    "Registry key path"
    # vol.py printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
userassist - Find and parse userassist key values
    # vol.py userassist
hashdump - Dump user NTLM and Lanman hashes
    -y    Virtual offset of SYSTEM registry hive (from hivelist)
    -s    Virtual offset of SAM registry hive (from hivelist)
    # vol.py hashdump -y 0x8781c008 -s 0x87f6b9c8

Memory Artifact Timelining

The Volatility™ Timeliner plugin parses time-stamped objects found in memory images. Output is sorted by:
    - Process creation time
    - Thread creation time
    - Driver compile time
    - DLL / EXE compile time
    - Network socket creation time
    - Memory resident registry key last write time
    - Memory resident event log entry creation time

timeliner
    --output-file    Optional file to write output (v2.1)
    --output=body    bodyfile format for mactime (v2.3)
    # vol.py -f mem.img timeliner --output-file out.csv --profile=Win7SP1x86
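The bodyfile that timeliner writes with --output=body is what mactime sorts into a timeline. As an added example (not part of the cheat sheet or of Volatility), the following Python parses constructed bodyfile records and orders them oldest first; the artifact labels, offsets and timestamps in the sample are made up.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Constructed sample of mactime "body" records in the layout timeliner
# --output=body uses: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# (times in epoch seconds). Labels, offsets and times are made up.
SAMPLE_BODY = """\
0|[PROCESS] svchost.exe PID: 1032/PPID: 668/POffset: 0x02a1c020|0|---------------|0|0|0|1331100120|1331100120|1331100120|1331100120
0|[SOCKET] PID: 1032 LocalAddr: 0.0.0.0:135 Proto: 6|0|---------------|0|0|0|1331100125|1331100125|1331100125|1331100125
0|[PROCESS] explorer.exe PID: 1464/PPID: 1420/POffset: 0x02b40da0|0|---------------|0|0|0|1331100098|1331100098|1331100098|1331100098
0|[PE HEADER (dll)] metsrv.dll Process: explorer.exe/PID: 1464|0|---------------|0|0|0|1310000000|1310000000|1310000000|1310000000
0|[REGISTRY] HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|0|---------------|0|0|0|1331100130|1331100130|1331100130|1331100130
"""

Event = namedtuple("Event", "ts kind detail")

def parse_body_line(line):
    """Split one body record; returns None for blank or malformed lines."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        return None
    # The artifact type is carried as a bracketed prefix of the name field.
    kind, sep, detail = fields[1].partition("] ")
    if not sep:
        return None
    try:
        ts = int(fields[10])  # crtime; the sample repeats one value in all four time columns
    except ValueError:
        return None
    return Event(ts, kind.lstrip("["), detail.strip())

def build_timeline(text):
    """Parse every record and order the events oldest first, as mactime would."""
    events = (parse_body_line(line) for line in text.splitlines())
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)

def render(events):
    """Format events as 'UTC time | kind | detail' lines for review."""
    lines = []
    for e in events:
        when = datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} | {e.kind:<16}| {e.detail}")
    return lines

if __name__ == "__main__":
    print("\n".join(render(build_timeline(SAMPLE_BODY))))
```

The DLL compile time (1310000000) sorts well before the process that loaded it, which is the normal pattern the timeline view makes visible; a compile time later than the process start is what would stand out.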

Getting Started with Volatility™

Sample Command Line
    # vol.py -f image --profile=profile plugin

Identify System Profile
imageinfo - Display memory image metadata
    # vol.py -f mem.img imageinfo

Using Environment Variables
    VOLATILITY_LOCATION    Set name of memory image (takes place of -f)
    VOLATILITY_PROFILE     Set profile type (takes place of --profile=)
    # export VOLATILITY_LOCATION=file:///images/mem.img
    # export VOLATILITY_PROFILE=WinXPSP3x86

Getting Help
    # vol.py -h   (show options and supported plugins)
    # vol.py plugin -h   (show plugin usage)
    # vol.py plugin --info   (show available OS profiles)

Identify Rogue Processes

pslist - High level view of running processes
    -p    Show information only for specific process identifiers (PIDs)
    -o    Provide physical offset of single process to scan
    # vol.py pslist
psscan - Scan memory for EPROCESS blocks
    # vol.py psscan
pstree - Display parent-process relationships
    # vol.py pstree
psxview - Find hidden processes using cross-view
    # vol.py psxview

Analyze Process DLLs and Handles

dlllist - List of loaded DLLs by process
    -p    Show information only for specific PIDs
    # vol.py dlllist -p 4
getsids - Print process security identifiers
    -p    Show information only for specific PIDs
    # vol.py getsids -p 868
handles - List of open handles for each process
    -p    Show information only for specific PIDs
    -t    Display only handles of a certain type {Process, Thread, Key, Event, File, Mutant, Token, Port}
    # vol.py handles -p 868 -t Process
filescan - Scan memory for FILE_OBJECT handles
    # vol.py filescan
svcscan - Scan for Windows Service information
    # vol.py svcscan

Review Network Artifacts

connections - [XP] List of open TCP connections
    # vol.py connections
connscan - [XP] ID TCP connections, including closed
    # vol.py connscan
sockets - [XP] Print listening sockets (any protocol)
    # vol.py sockets
sockscan - [XP] ID sockets, including closed/unlinked
    # vol.py sockscan
netscan - [Win7] Scan for connections and sockets
    # vol.py netscan

Look for Evidence of Code Injection

malfind - Find injected code and dump sections
    -p    Dump memory sections from these PIDs
    --dump-dir    Directory to save memory sections
    # vol.py malfind --dump-dir ./output_dir
ldrmodules - Detect unlinked DLLs
    -p    Show information only for specific PIDs
    -v    Verbose: show full paths from three DLL lists
    # vol.py ldrmodules -p 868 -v

Check for Signs of a Rootkit

psxview - Find hidden processes using cross-view
    # vol.py psxview
modscan - Scan memory for loaded, unloaded, and unlinked drivers
    # vol.py modscan
apihooks - Find API/DLL function hooks
    -p    Operate only on specific PIDs
    -Q    Only scan critical processes and DLLs
    # vol.py apihooks
ssdt - Hooks in System Service Descriptor Table
    # vol.py ssdt | egrep -v '(ntoskrnl|win32k)'
driverirp - Identify I/O Request Packet (IRP) hooks
    -r    Analyze drivers matching REGEX name pattern
    # vol.py driverirp -r tcpip
idt - Display Interrupt Descriptor Table
    # vol.py idt

Dump Suspicious Processes and Drivers

dlldump - Extract DLLs from specific processes
    -p    Dump DLLs only for specific PIDs
    -b    Dump DLLs from process at physical memory offset
    -r    Dump DLLs matching REGEX name
    --dump-dir    Directory to save extracted files
    # vol.py dlldump --dump-dir ./output -p 868
    # vol.py dlldump --dump-dir ./output -r metsrv
moddump - Extract kernel drivers
    -o    Dump driver using offset address (from modscan)
    -r    Dump drivers matching REGEX name
    --dump-dir    Directory to save extracted files
    # vol.py moddump --dump-dir ./output -r gaopdx
procmemdump - Dump process to executable sample
    -p    Dump only specific PIDs
    -o    Specify process by physical memory offset
    --dump-dir    Directory to save extracted files
    # vol.py procmemdump --dump-dir ./output -p 868
memdump - Dump every memory section into a file
    -p    Dump only specific PIDs
    --dump-dir    Directory to save extracted files
    # vol.py memdump --dump-dir ./output -p 868
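The cross-view idea behind psxview is to compare what a list walk (pslist) reports against what a memory carve (psscan) finds: a process present only in the carved view, with no exit time, has been unlinked from the process list. As an added example (not from the cheat sheet or from Volatility), the Python below runs that comparison over constructed pslist and psscan output; the offsets, PIDs and times in the samples are made up.

```python
import re

# Constructed sample of "vol.py pslist" output (walks the EPROCESS linked list).
PSLIST_SAMPLE = """\
Offset(V)  Name                 PID  PPID Thds Hnds Sess Wow64 Start
---------- -------------------- ---- ---- ---- ---- ---- ----- -------------------
0x823c89c8 System                  4    0   53  240 ---      0
0x821a2da0 explorer.exe         1464 1420   13  345    0     0 2012-03-07 06:02:10
0x81e7bda0 svchost.exe          1032  668   20  212    0     0 2012-03-07 06:02:00
"""
# Constructed sample of "vol.py psscan" output (carves EPROCESS blocks from
# physical memory, so it also sees unlinked and already-exited processes).
PSSCAN_SAMPLE = """\
Offset(P)  Name             PID  PPID PDB        Time created        Time exited
---------- ---------------- ---- ---- ---------- ------------------- -------------------
0x023c89c8 System              4    0 0x00039000
0x021a2da0 explorer.exe     1464 1420 0x0c5e0200 2012-03-07 06:02:10
0x01e7bda0 svchost.exe      1032  668 0x0b1a0080 2012-03-07 06:02:00
0x01f04020 svchost.exe       868  668 0x0d3c0040 2012-03-07 06:14:52
0x0205b020 notepad.exe      2140 1464 0x0e8a0120 2012-03-07 06:10:01 2012-03-07 06:11:30
"""

# The first four columns both listings share: offset, name, PID, PPID.
ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def parse_rows(text):
    """Return {(name, pid): raw line} for each data row of a listing."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows[(m.group(1), int(m.group(2)))] = line
    return rows

def cross_view(pslist_text, psscan_text):
    """Compare the list-walk view with the carved view, as psxview does.
    Returns (hidden, exited): psscan-only rows with no exit time, and
    psscan-only rows carrying both a created and an exited time."""
    listed, scanned = parse_rows(pslist_text), parse_rows(psscan_text)
    hidden, exited = [], []
    for key, line in scanned.items():
        if key not in listed:
            (exited if len(TIMESTAMP.findall(line)) >= 2 else hidden).append(key)
    return sorted(hidden), sorted(exited)

if __name__ == "__main__":
    hidden, exited = cross_view(PSLIST_SAMPLE, PSSCAN_SAMPLE)
    for name, pid in hidden:
        print(f"HIDDEN? {name} PID {pid}: psscan-only, no exit time")
    for name, pid in exited:
        print(f"exited  {name} PID {pid}: psscan-only, has exit time")
```

An exited process showing up only in psscan is expected; the svchost.exe with PID 868 is the row worth following up with dlllist, handles, malfind and ldrmodules.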