Posted: 2021-04-04

2.4 Edition
Copyright 2014 The Volatility Foundation

Development build and wiki: github.com/volatilityfoundation
Download a stable release: volatilityfoundation.org
Read the book: artofmemoryforensics.com
Development Team Blog: http://volatility-labs.blogspot.com
(Official) Training Contact: voltraining@memoryanalysis.net
Follow: @volatility
Learn: www.memoryanalysis.net
Basic Usage

Typical command components:
    # vol.py -f [image] --profile=[profile] [plugin]
Display profiles, address spaces, plugins:
    # vol.py --info
Display global command-line options:
    # vol.py --help
Display plugin-specific arguments:
    # vol.py [plugin] --help
Load plugins from an external directory:
    # vol.py --plugins=[path] [plugin]
Specify a DTB or KDBG address:
    # vol.py --dtb=[addr] --kdbg=[addr]
Specify an output file:
    # vol.py --output-file=[file]
Image Identification

Get profile suggestions (OS and architecture): imageinfo
Find and parse the debugger data block: kdbgscan
Processes Listings

Basic active process listing: pslist
Scan for hidden or terminated processes: psscan
Cross reference processes with various lists: psxview
Show processes in parent/child tree: pstree
Process Information

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Display DLLs: dlllist
Show command line arguments: cmdline
Display details on VAD allocations: vadinfo [--addr]
Dump allocations to individual files: vaddump --dump-dir=PATH [--base]
Dump all valid pages to a single file: memdump --dump-dir=PATH
Display open handles: handles
    -t/--object-type=TYPE    Mutant, File, Key, etc.
    -s/--silent              Hide unnamed handles
Display privileges: privs
    -r/--regex=REGEX         Regex privilege name
    -s/--silent              Explicitly enabled only
Display SIDs: getsids
Display environment variables: envars
PE File Extraction

Specify -D/--dump-dir to any of these plugins to identify your desired output directory.

Dump a kernel module: moddump
    -r/--regex=REGEX    Regex module name
    -b/--base=BASE      Module base address
Dump a process: procdump
    -m/--memory         Include memory slack
Dump DLLs in process memory: dlldump
    -r/--regex=REGEX    Regex module name
    -b/--base=BASE      Module base address
Injected Code

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Find and extract injected code blocks: malfind
    -D/--dump-dir=PATH    Dump findings here
Cross-reference DLLs with memory mapped files: ldrmodules
Scan a block of code in process or kernel memory for imported APIs: impscan
    -p/--pid=PID          Process ID
    -b/--base=BASE        Base address to scan
    -s/--size=SIZE        Size to scan from start of base
Logs / Histories

Recover event logs (XP/2003): evtlogs
    -S/--save-evt         Save raw event logs
    -D/--dump-dir=PATH    Write to this directory
Recover command history: cmdscan and consoles
Recover IE cache/Internet history: iehistory
Show running services: svcscan
    -v/--verbose          Show ServiceDll from registry
Networking Information

Active info (XP/2003): connections and sockets
Scan for residual info (XP/2003): connscan and sockscan
Network info for Vista, 2008, and 7: netscan
Kernel Memory

Display loaded kernel modules: modules
Scan for hidden or residual modules: modscan
Display recently unloaded modules: unloadedmodules
Display timers and associated DPCs: timers
Display kernel callbacks, notification routines: callbacks
Audit the SSDT: ssdt
    -v/--verbose          Check for inline API hooks
Audit the IDT and GDT: idt (x86 only), gdt (x86 only)
Audit driver dispatch (IRP) tables: driverirp
    -r/--regex=REGEX      Regex driver name
Display device tree (find stacked drivers): devicetree
Print kernel pool tag usage stats: pooltracker
    -t/--tags=TAGS        List of tags to analyze
    -T/--tagfile=FILE     pooltag.txt for labels
Kernel Objects

Scan for driver objects: driverscan
Scan for mutexes: mutantscan
    -s/--silent           Hide unnamed mutants
Scan for used/historical file objects: filescan
Scan for symbolic link objects (shows drive mappings): symlinkscan
Registry

Display cached hives: hivelist
Print a key's values and data: printkey
    -o/--hive_offset=OFFSET    Hive address (virtual)
    -K/--key=KEY               Key path
Dump userassist data: userassist
Dump shellbags information: shellbags
Dump the shimcache: shimcache
Timelines

To create a timeline, create output in body file format. Combine the data and run sleuthkit's mactime to create a CSV file.

    timeliner --output=body > time.txt
    shellbags --output=body >> time.txt
    mftparser --output=body >> time.txt
    mactime -b [time.txt] [-d] > csv.txt
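What mactime does with the concatenated time.txt, as an added Python example (not Volatility's or The Sleuth Kit's own code): it assumes the TSK 3.x body layout MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds) that the --output=body plugins emit, and the three body lines are constructed, not taken from a real image.

```python
from datetime import datetime, timezone

# Constructed sample of what timeliner, shellbags and mftparser body output
# could look like after being appended into one time.txt (not real data).
BODY_LINES = """\
0|[PROCESS] explorer.exe PID: 1234/PPID: 1100|0|---------------|0|0|0|1400000000|1400000000|1400000000|1400000000
0|[SHELLBAGS] \\Users\\demo\\Desktop|0|---------------|0|0|0|1400003600|1400000000|1400000000|1399999000
0|[MFT FILE_NAME] Users\\demo\\evil.exe|42|---------------|0|0|2048|1400003600|1400003600|1400003600|1400003600
""".splitlines()

# Body-file column order (TSK 3.x); the flags column uses mactime's m/a/c/b order.
TIME_FIELDS = ("atime", "mtime", "ctime", "crtime")
MACB_ORDER = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_body_line(line):
    """Split one body line; reject anything that is not 11 pipe-separated fields."""
    parts = line.split("|")
    if len(parts) != 11:
        raise ValueError("malformed body line: %r" % line)
    times = {name: int(val) for name, val in zip(TIME_FIELDS, parts[7:11])}
    return {"name": parts[1], "size": parts[6], "times": times}


def macb_flags(times, ts):
    """Return e.g. 'm.c.' marking which of the four timestamps equal ts."""
    return "".join(flag if times[key] == ts else "." for flag, key in MACB_ORDER)


def build_timeline(lines):
    """One row per distinct non-zero timestamp per entry, sorted like mactime."""
    rows = []
    for line in lines:
        entry = parse_body_line(line)
        for ts in sorted(set(v for v in entry["times"].values() if v > 0)):
            rows.append((ts, macb_flags(entry["times"], ts), entry["size"], entry["name"]))
    return sorted(rows)


def to_csv(rows):
    """Render rows as CSV with a header, in the spirit of mactime -d."""
    out = ["Date,Type,Size,File Name"]
    for ts, flags, size, name in rows:
        stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out.append("%s,%s,%s,%s" % (stamp, flags, size, name))
    return "\n".join(out)


print(to_csv(build_timeline(BODY_LINES)))  # prints the merged, time-ordered CSV
```

An entry whose four timestamps differ yields several rows, so a single shellbag can appear at its created, modified and accessed times with different flags; that is the behaviour to expect from real mactime output too.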
Volshell

List processes:
    >>> ps()
Switch contexts by pid, offset, or name:
    >>> cc(pid = 3028)
    >>> cc(offset = 0x3eb31340, physical=True)
    >>> cc(name = "explorer.exe")
Acquire a process address space after using cc:
    >>> process_space = proc().get_process_address_space()
Disassemble data in an address space:
    >>> dis(address, length, space)
Dump bytes, dwords or qwords:
    >>> db(address, length, space)
    >>> dd(address, length, space)
    >>> dq(address, length, space)
Display a type/structure:
    >>> dt("_EPROCESS", recursive = True)
Display a type/structure instance:
    >>> dt("_EPROCESS", 0x820c92a0)
Create an object in kernel space:
    >>> thread = obj.Object("_ETHREAD", offset = 0x820c92a0, vm = addrspace())

Dump Conversion

Create a raw memory dump from a hibernation, crash dump, firewire acquisition, virtualbox, vmware snapshot, hpak, or EWF file:
    imagecopy -O/--output-image=FILE
Convert any of the aforementioned file types to a Windows crash dump compatible with Windbg:
    raw2dmp -O/--output-image=FILE
API Hooks

Scan for API hooks: apihooks
    -R/--skip-kernel      Don't check kernel modules
    -P/--skip-process     Don't check processes
    -Q/--quick            Scan faster
Yara Scanning

Scan for Yara signatures: yarascan
    -p/--pid=PID             Process IDs to scan
    -K/--kernel              Scan kernel memory
    -Y/--yara-rules=RULES    String, regex, bytes, etc.
    -y/--yara-file=FILE      Yara rules file
    -W/--wide                Match Unicode strings
    -s/--size                Size of preview bytes
File System Resources

Scan for MFT records: mftparser
    --output=body         Output body format
    -D/--dump-dir         Dump MFT-resident data
Extract cached files (registry hives, executables): dumpfiles
    -D/--dump-dir=PATH    Output directory
    -r/--regex=REGEX      Regex filename
Parse USN journal records: usnparser (github.com/tomspencer)
GUI Memory

Sessions (shows RDP logins): sessions
Window stations (shows clipboard owners): wndscan
Desktops (find ransomware): deskscan
Display global and session atom tables: atoms and atomscan
Dump the contents of the clipboard: clipboard
Detect message hooks (keyloggers): messagehooks
Take a screen shot from the memory dump: screenshot --dump-dir=PATH
Display visible and hidden windows: windows and wintree
Strings

Use GNU strings or Sysinternals strings.exe:
    strings -a -td FILE > strings.txt
    strings -a -td -el FILE >> strings.txt    (Unicode)
    strings.exe -q -o > strings.txt           (Windows)
Translate the string addresses: strings
    -s/--string-file=FILE    Input strings.txt file
    -S/--scan
Password Recovery

Dump LSA secrets: lsadump
Dump cached domain hashes: cachedump
Dump LM and NTLM hashes: hashdump (x86 only)
Extract OpenVPN credentials: openvpn (github.com/Phaeilo)
Extract RSA private keys and certificates: dumpcerts
    -s/--ssl              Parse certificates with openssl
Disk Encryption

Recover cached TrueCrypt passphrases: truecryptpassphrase
Triage TrueCrypt artifacts: truecryptsummary
Extract TrueCrypt master keys: truecryptmaster
Malware Specific

Dump Zeus/Citadel RC4 keys: zeusscan and citadelscan
Find and decode Poison Ivy configs: poisonivyconfig
Decode Java RAT config: javaratscan (github.com/Rurik)
General Investigations

Dump the system's raw registry hive files:
    dumpfiles -p 4 --regex='(config|ntuser)' --ignore-case --name -D ./
Create a Graphviz diagram of processes:
    psscan --output=dot --output-file=graph.dot
Create a color coded diagram of processes memory:
    vadtree -p PID --output=dot --output-file=graph.dot
Translate an account SID to user name:
    printkey -K "Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\[SID]" | grep ProfileImagePath
