VOLATILITY


The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, yet they offer visibility into the runtime state of that system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.

VOLATILITUX


Volatilitux is pretty much the equivalent of Volatility for Linux systems.

Volatilitux supports the following architectures for physical memory dumps:

  • ARM

  • x86

  • x86 with PAE enabled


It supports the following commands:

  • pslist: print the list of all processes

  • memmap: print the memory map of a process

  • memdmp: dump the addressable memory of a process

  • filelist: print the list of all open files for a given process

  • filedmp: dump an open file


It can easily be extended with new architectures, commands and classes.

Volatilitux automatically detects kernel structure offsets within the memory dump, and can export its current configuration into an XML file. If it is unable to successfully detect the offsets, you can use the provided Loadable Kernel Module to generate a configuration file on a machine running the same kernel.

LINUX MEMORY EXTRACTOR (LIME)


LiME is a Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique, as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction with user-space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.


  • Full Android memory acquisition

  • Acquisition over network interface

  • Minimal process footprint

MEMORYANALYSIS


This is an update to a previously submitted (and approved) EnScript that parses Windows, OSX and Linux memory images. This update fixes an issue that occurred when a user attempted to use the script against an evidence file (.E01). There are no other changes to the script.

This EnPack will process ANY Windows memory image from XP through Windows 8 x64, including Server. The EnPack will also process any Linux and OSX memory image. Results are output to the console, with a text version available for user-selected export. The user can expect to obtain, at a minimum, all running processes, parents, create dates, and process names. Additional processing functions can be selected by simply putting a 1 in the appropriate box on the start-up menu. Memory-resident MFT entries, Registry entries, IP addresses, open ports, Twitter artifacts and more can be selected.

To use: double-click the EnPack and, at the opening menu, select the memory image type to process from the list at the top. If you do not know the exact image type, start with the 32-bit version first. If you know nothing about the memory image you can select "Unknown" and the EnPack will attempt to identify the image file based on Dispatch Header values. You can disable processing of running processes by selecting "Disable"; you will still be able to run the other processing selections against the image file. You can also parse ANY MFT with this script by simply blue-checking the MFT file, disabling the specific memory search and enabling MFT parsing. This EnPack will only process "blue-checked" files; for memory image files it is HIGHLY recommended that you process one file at a time, as the output goes to the console and will be cleared by the next entry before you have time to view the first.

BULK EXTRACTOR


bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important. The program can be used for law enforcement, defense, intelligence, and cyber-investigation applications.


bulk_extractor is distinguished from other forensic tools by its speed and thoroughness. Because it ignores file system structure, bulk_extractor can process different parts of the disk in parallel. In practice, the program splits the disk up into 16 MiB pages and processes one page on each available core. This means that a 24-core machine processes a disk roughly 24 times faster than a 1-core machine. bulk_extractor is also thorough, because it automatically detects, decompresses, and recursively re-processes data that has been compressed with a variety of algorithms. Our testing has shown that there is a significant amount of compressed data in the unallocated regions of file systems that is missed by most forensic tools in common use today.


Another advantage of ignoring file systems is that bulk_extractor can be used to process any digital media. We have used the program to process hard drives, SSDs, optical media, camera cards, cell phones, network packet dumps, and other kinds of digital information.

MEMORYZE


Mandiant’s Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and, on live systems, can include the paging file in its analysis.


Mandiant’s Memoryze features:


  • image the full range of system memory (not reliant on API calls).

  • image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps and stacks.

  • image a specified driver or all drivers loaded in memory to disk.

  • enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:

      • report all open handles in a process (for example, all files, registry keys, etc.).

      • list the virtual address space of a given process, including:

          • displaying all loaded DLLs.

          • displaying all allocated portions of the heap and execution stack.

      • list all network sockets that the process has open, including any hidden by rootkits.

      • specify the functions imported by the EXE and DLLs.

      • specify the functions exported by the EXE and DLLs.

      • hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256; this is disk based).

      • hash the EXE and DLLs in the process address space (this is a MemD5 of the binary in memory).

      • verify the digital signatures of the EXE and DLLs (this is disk based).

      • output all strings in memory on a per-process basis.

  • identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:

      • specify the functions the driver imports.

      • specify the functions the driver exports.

      • hash the driver (MD5, SHA1, SHA256; this is disk based).

      • verify the digital signature of the driver (this is disk based).

      • output all strings in memory on a per-driver basis.

  • report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.

  • identify all loaded kernel modules by walking a linked list.

  • identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs) and driver function tables (IRP tables).

REDLINE


Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. With Redline, users can:


  • Thoroughly audit and collect all running processes and drivers from memory, file system metadata, registry data, event logs, network information, services, tasks, and web history.

  • Analyze and view imported audit data, including narrowing and filtering results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.

  • Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.

  • Identify processes more likely worth investigating based on the Redline Malware Risk Index (MRI) score.

  • Perform Indicator of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.