Windows Forensics
Mindmap created by: Gaurav Jaisinghani

Artefacts on Disk

Evidence of execution

ShimCache
Location - SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache
Tools
1. ShimCacheParser.py - reads the ShimCache stored in the registry
2. AppCompatCacheParser.exe - Windows tool, runs on live or offline systems

Windows Prefetch
Location - C:\Windows\Prefetch
First executed = creation date of the .pf file
Last executed = last modification date of the .pf file
Tools
1. pf - parses Windows prefetch files
2. PECmd - Windows tool to parse prefetch info

RecentFileCache.bcf (Windows 7)
Location - C:\Windows\AppCompat\Programs\RecentFileCache.bcf
Tools
1. rfc.pl - parses the structure of the RecentFileCache.bcf file (Windows 7)

Amcache.hve (Windows 8+)
Location - C:\Windows\AppCompat\Programs\Amcache.hve
Keys = Amcache.hve\Root\File{Volume GUID}#####
First executed = last modification time of the key
Tools
1. AmCacheParser.exe - Windows tool to extract AmCache info

Volume Shadow Copy
Tools
1. vshadowinfo - show all shadow copies in a disk image
2. vshadowmount - mount all shadow copies to a mount point

Event Logs
Location - %SystemRoot%\System32\winevt\logs

Powershell/Operational - Event IDs of interest:
Script start - 4105
Script stop - 4106
Script details - 4104

System - Event IDs of interest:
Windows Services
Service crashed unexpectedly - 7034
Service sent a Start/Stop message - 7035
Service started or stopped - 7036
Service start type changed - 7040
Service was installed on system - 7045
Clearing tracks
Audit log cleared - 104
App Installation
Installation complete - 1033/11707
Application removal completed - 1034/11724
Application installation failed - 11708

Security - Event IDs of interest:
Scheduled Tasks
Scheduled task created - 4698/106
Scheduled task updated - 4702/140
Scheduled task deleted - 4699/141
Scheduled task executed - 200/201
Scheduled task enabled - 4700
Scheduled task disabled - 4701
Network Shares
Network share accessed - 5140
Network share object checked for access - 5145
Account Usage
Logon successful - 4624
Logon failed - 4625
Logoff successful - 4634/4647
Explicit credentials used to logon (RunAs) - 4648
Account logon with admin privileges - 4672
Account creation - 4720
Successful/Failed local authentication - 4776
Remote Sessions
Remote session connected/reconnected - 4778
Remote session disconnected - 4779
Kerberos (AD accounts)
TGT was granted - 4768
Service ticket requested - 4769
Pre-authentication failed - 4771
Windows Services
Service was installed on system - 4697
Command Line
New process created - 4688
Clearing tracks
Audit log cleared - 1102

Memory Analysis (Volatility)

Prefetch and ShimCache
Search for and parse prefetch file headers in memory: prefetchparser
vol.py -f memory.img prefetchparser
Read ShimCache stored in memory that hasn't been written to disk: shimcachemem
vol.py -f memory.img --output=csv --output-file=file.csv shimcachemem

Image Processing
Image identification: imageinfo
vol.py -f memory.img imageinfo
Hibernation file conversion: imagecopy
vol.py -f hiberfil.sys -O hiberfil.raw --profile=xxx imagecopy

Registry and Services
Locate virtual addresses of registry hives: hivelist
vol.py -f memory.img --profile=xxx hivelist
Display everything within a specified registry key: printkey
vol.py -f memory.img --profile=xxx -K Reg\Key printkey
Scan memory for Windows services: svcscan
vol.py -f memory.img svcscan -v
Compare services against a baseline of known good services: servicebl
vol.py -f memory.img -B baseline.img -U servicebl
Find persistence points through ASEPs: autoruns
vol.py -f memory.img autoruns

Passwords and secrets
Extract and decrypt cached credentials: hashdump
vol.py -f memory.img --profile=xxx hashdump -y VirtualAddrOfSysHive -s VirtualAddrOfSAM
Extract plaintext passwords: mimikatz
vol.py -f memory.img --profile=xxx mimikatz
Dump LSA secrets from memory: lsadump
vol.py -f memory.img lsadump

Process Listing
List all running processes: pslist
vol.py -f memory.img pslist
Enumerate processes using pool tag scanning: psscan
vol.py -f memory.img --profile=xxx psscan
View the process listing in tree form: pstree
vol.py -f memory.img --profile=xxx pstree
Comparison between pslist and psscan: pstotal
vol.py -f memory.img --profile=xxx -C --output=dot --output-file=pstotal.dot pstotal
Search for malicious processes based on predefined rules: malprocfind
vol.py -f memory.img malprocfind
Compare processes against a baseline of known good processes: processbl
vol.py -f memory.img --profile=xxx -B baseline.img processbl

DLLs and other objects
Display a process' loaded DLLs: dlllist
vol.py -f memory.img -p 1234 dlllist
Show SIDs for each process: getsids
vol.py -f memory.img -p 1234 getsids
List all handles opened by a process: handles
vol.py -f memory.img -p 1234 handles
Display process command-line arguments: cmdline
vol.py -f memory.img cmdline

Network information
Scan and print network info: netscan
vol.py -f memory.img --profile=xxx netscan

Code Injection
Helps find hidden or injected code/DLLs in user mode memory: malfind
python vol.py -f zeus.vmem malfind -p 1724
List loaded DLLs unlinked by stealthy malware: ldrmodules
vol.py -f memory.img -p 1234 ldrmodules
Detect different types of process hollowing techniques: hollowfind
vol.py -f infected.vmem --profile=xxx hollowfind

Rootkit Detection
Show hooked functions within the SSDT: ssdt
vol.py -f memory.img ssdt
Helps detect hidden processes by comparing seven different process listing plugins: psxview
vol.py -f memory.img psxview
Identify loaded kernel drivers: modules
vol.py -f memory.img modules
Compare loaded kernel drivers against a baseline of known good drivers: driverbl
vol.py -f memory.img -B baseline.img driverbl
Find API hooks in user mode or kernel mode: apihooks
vol.py -f memory.img apihooks
Print the system's IDT: idt
vol.py -f memory.img idt

Extraction and carving
DLL: dlldump
vol.py -f memory.img dlldump
Kernel drivers: moddump
vol.py -f memory.img --dump-dir=/path/to/dir moddump
Process: procdump
vol.py -f memory.img -p 1234 --dump-dir=/path/to/dir procdump
Memory section: memdump
vol.py -f memory.img -p 1234 --dump-dir=/path/to/dir memdump
Scan files: filescan
vol.py -f memory.img filescan
Files cached in memory: dumpfiles
vol.py -f memory.img --dump-dir=/path/to/dir dumpfiles
Registry hives: dumpregistry
vol.py -f memory.img --profile=xxx --dump-dir=/path/to/dir dumpregistry

Historical Data
Command history: cmdscan
vol.py -f memory.img --profile=xxxx cmdscan
Console information with screen buffer: consoles
vol.py -f memory.img consoles
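As an added example, not part of the mindmap and not the code of the prefetchparser plugin or of pf/PECmd, the parser below reads the fixed header of an uncompressed Windows Prefetch (.pf) file and recovers the fields the Prefetch and ShimCache branches refer to: executable name, prefetch hash, last run time(s) and run count. Field offsets follow the documented layout for format versions 17 (XP), 23 (Vista/7) and 26 (8/8.1); the sample header is constructed for offline testing, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Version-dependent field positions in the uncompressed .pf header:
# format version -> (offset of last-run FILETIME(s), how many are stored, offset of run count).
LAYOUT = {
    17: (120, 1, 144),  # Windows XP / Server 2003
    23: (128, 1, 152),  # Windows Vista / 7
    26: (128, 8, 208),  # Windows 8 / 8.1 keeps the last eight run times
}

def filetime_to_utc(ft):
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch_header(data):
    """Parse the fixed header of an uncompressed .pf file into a dict of the fields of interest."""
    if data[:3] == b"MAM":
        # Windows 10+ prefetch files are MAM (LZXPRESS Huffman) compressed; decompress first.
        raise ValueError("compressed Windows 10+ prefetch file; decompress before parsing")
    version, signature, _unknown, size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch format version %d" % version)
    # Executable name: 60 bytes of null-terminated UTF-16LE at offset 16; hash at offset 76.
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    ts_off, ts_count, count_off = LAYOUT[version]
    filetimes = struct.unpack_from("<%dQ" % ts_count, data, ts_off)
    run_times = [filetime_to_utc(ft) for ft in filetimes if ft]  # unused slots are zero
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {"version": version, "size": size, "executable": name,
            "hash": "%08X" % pf_hash, "run_times": run_times, "run_count": run_count}

def build_sample_pf():
    """Constructed version-23 (Windows 7) header for demonstration; not a real capture."""
    buf = bytearray(240)
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x11, len(buf))
    buf[16:32] = "CALC.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 76, 0x7A1A6B8E)                  # prefetch hash
    struct.pack_into("<Q", buf, 128, 132000000000000000)         # last run: 2019-04-17 18:40 UTC
    struct.pack_into("<I", buf, 152, 5)                          # run count
    return bytes(buf)

if __name__ == "__main__":
    info = parse_prefetch_header(build_sample_pf())
    for key, value in info.items():
        print("%-10s %s" % (key, value))
```

On a real image, replace build_sample_pf() with the bytes of a file from C:\Windows\Prefetch; the creation and modification times of the .pf file itself still give the first and last execution as described above.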