Friday, October 16, 2009

Walk-Through: Volatility Batch File Maker and Volatility's VadDump

*********** The first 5 steps are exactly the same as in my last post, Walk-Through: Volatility Batch File Maker and Volatility's ProcDump. The walk-through portion is repeated here for future discussions. Skip if applicable. ******************

1. Download the following files from Hogfly (Website)
exemplar6.tar.gz.001
exemplar6.tar.gz.002
exemplar6.tar.gz.003

In my example I placed the files in the e:\exemlar6\ directory.

2. Join the downloaded pieces back together with the following command at the cmd prompt (run from the directory holding the three pieces):

copy /b "exemplar6.tar.gz.001"+"exemplar6.tar.gz.002"+"exemplar6.tar.gz.003" exemplar6.tar.gz

3. Extract using WinRAR (exemplar6.tar.gz to exemplar6.vmem)

4. Run PtFinderFE against the extracted file (exemplar6.vmem), which creates exemplar6.txt.


5. Run Volatility Batch File Maker.
a. Select e:\exemlar6\exemplar6.vmem with "Browse for Memory Capture".
b. Select e:\exemlar6\exemplar6.txt (created by PtFinderFE) for your memory image with "Browse for Offset Text File".
c. Click Create Batch (which is hidden until the two fields above are populated).

6. Go to the directory containing exemplar6.vmem (e:\exemlar6\) and run the e:\exemlar6\vaddump.bat file.

7. Browse the e:\exemlar6\vaddump folder. (The following image is a truncated view of the vaddump directory's contents):


8. Drop the entire vaddump directory and the original exemplar6.vmem into ENCASE (or your forensic tool of choice).

9. Hash all the files (Search>Calculate hash value).

10. Compare hash values. First you will notice some duplicated hash values between VAD files from different processes. I believe this shows that there is a possibility of some type of relationship between the different processes. Look at the three files with the hash 2defb57866392bd7145b3b85894d3a4a:

atsxyzd.sys.1b13b40.00af0000-00af7fff.dmp
dxonool32.sys.17fc678.00e90000-00e97fff.dmp
dw8.exe.17f7020.00a20000-00a27fff.dmp

In my last post atsxyzd.sys, dxonool32.sys and dw8.exe were identified as suspected malware.

Now look at the VAD contents that are the same for all three files. The following is a text representation (truncated) of the similar VAD files (hash 2defb57866392bd7145b3b85894d3a4a):

Client UrlCache MMF Ver 5.2··€···P··€···U········Äý······ø······················CLUBCLEZ
····KPAN45MJ····0HEN0X2F····WTE74L2Z····················


We can then create search words out of CLUBCLEZ, KPAN45MJ, 0HEN0X2F and WTE74L2Z (which look like they might be folder names used by Internet Explorer). For every hit in the VAD files there is a hit in the original VMEM file. There is one additional hit in the VMEM file for each search term, which we would then try to figure out.

11. Create a search term like "http://" and go "cherry picking": you can find a lot of IP addresses in the suspected malware. It is very easy to find the context of your search hits just by looking at the file they are located in.
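Added example (not part of the original post and not Volatility's own code): a Python script that automates the hash comparison of step 10 over the vaddump output, grouping .dmp files by MD5 and reporting hashes shared by more than one process, plus the raw search-term count used in steps 10 and 11. The filename layout is taken from the files listed above; the sample VAD contents and the third process name are constructed for the demo.

```python
import hashlib
import os
import re
from collections import defaultdict

# Filename layout of the vaddump output discussed above:
#   <process>.<EPROCESS offset>.<VAD start>-<VAD end>.dmp
VAD_NAME = re.compile(
    r"^(?P<proc>.+)\.(?P<eproc>[0-9a-f]+)\.(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\.dmp$", re.I)

def parse_vad_name(fname):
    """Split a vaddump filename into (process, eprocess offset, start, end); None if not a VAD dump."""
    m = VAD_NAME.match(fname)
    if not m:
        return None
    return m["proc"], m["eproc"], int(m["start"], 16), int(m["end"], 16)

def shared_vad_hashes(vads):
    """vads: {filename: bytes}. Return {md5: [(process, filename)]} for content seen in >1 process."""
    by_hash = defaultdict(list)
    for fname, data in sorted(vads.items()):
        parsed = parse_vad_name(fname)
        if parsed is None:          # skip anything that is not a VAD dump
            continue
        by_hash[hashlib.md5(data).hexdigest()].append((parsed[0], fname))
    return {h: v for h, v in by_hash.items() if len({p for p, _ in v}) > 1}

def load_vad_dir(dump_dir):
    """Read every file in the vaddump directory into memory (individual VAD regions are small)."""
    return {f: open(os.path.join(dump_dir, f), "rb").read() for f in os.listdir(dump_dir)}

def count_hits(data, term):
    """Count a search term in raw bytes, in ASCII and in UTF-16LE (common for Windows strings)."""
    return data.count(term.encode("ascii")) + data.count(term.encode("utf-16-le"))

if __name__ == "__main__":
    # Constructed sample: two processes share an identical UrlCache region, a third differs.
    region = b"Client UrlCache MMF Ver 5.2\x00" * 4 + b"CLUBCLEZ\x00\x00KPAN45MJ\x00"
    sample = {
        "atsxyzd.sys.1b13b40.00af0000-00af7fff.dmp": region,
        "dw8.exe.17f7020.00a20000-00a27fff.dmp": region,
        "explorer.exe.1b0a020.01000000-01003fff.dmp": b"unrelated\x00" * 8,   # constructed name
        "notes.txt": b"not a vad dump",
    }
    for h, members in shared_vad_hashes(sample).items():
        print(h, [f for _, f in members])
    print("CLUBCLEZ hits in shared region:", count_hits(region, "CLUBCLEZ"))
```

To run it against a real vaddump folder, call shared_vad_hashes(load_vad_dir(r"e:\exemlar6\vaddump")) and compare count_hits over each VAD file with the same count over the original VMEM.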


There are approximately 107 megabytes of VAD files (without duplicates). The total size of the original VMEM is 256 megabytes, so roughly 2/5 of the dump file is given context this way, in less than 6 minutes.
