Unit 5: Windows Acquisition 5.3 Activity and Discussion Activity: Practicing Volatility

mac2022-06-30  23

ACTIVITY: PRACTICING VOLATILITY

Time: This activity should take you approximately 30–60 minutes to complete.

SOFTWARE AND DOWNLOADS

SIFT Workstation 3

Note: This activity takes place in a Linux system environment using SANS SIFT Workstation, a collection of forensic tools. For instructions to download and set up this environment, click Virtual Workstation in the toolbar.

If you prefer to work on your own system, you can download the latest version of Volatility from The Volatility Foundation. Volatility supports Windows, Mac OS X, and Linux platforms.

Volatility download link
Documentation, including a list of image types that Volatility can analyze

The Malware Analyst’s Cookbook DVD contains an image file you will use during the activity.

Malware Analyst’s Cookbook DVD download link (.zip file)

Extract the zip file and save it to your desktop. In the activity you will use the Zeus memory sample in the folder named “17” and in the sub folder “1.” Zeus is malware designed to steal credentials.

GOAL

The open-source Volatility Framework is one of the best memory forensic analysis tools for extracting valuable information from a memory dump or a .vmem file. In this activity, you will practice Volatility’s basic plugins for extracting valuable information from a memory image.

In my demonstration video Volatility for Memory Analysis Demo, I use the Zeus memory image from the Malware Analyst’s Cookbook. You can use that file for the activities as well as your own memory images or .vmem files.

INSTRUCTIONS

1. Launch SIFT Workstation 3.
2. Run vol.py -h to see Volatility’s options and plugins.
3. Practice these basic plugins to understand how you can use their results in your investigation:

imageinfo: Shows basic system information such as the type of OS
pslist: Lists the processes of a system
psscan: Finds processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit
pstree: Displays the process listing in tree form
connections: Shows the TCP connections that were active at the time of the memory acquisition
connscan: Extracts TCP connections that were active at the time of the memory acquisition and previous connections that have since been terminated
hivelist: Locates the virtual addresses of registry hives in memory and the full paths to the corresponding hives on disk
hivescan: Displays the physical addresses of registry hives in memory
printkey: Displays the subkeys, values, data, and data types contained within a specified registry key
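The practical value of psscan over pslist is the difference between the two listings: a process that psscan carves from memory but pslist never reports is either one that already exited or one that was unlinked from the active process list. The script below is an added example, not part of the course material or of Volatility itself; it parses constructed sample output in the Volatility 2 pslist/psscan column layout and explains each process that only psscan saw.

```python
import re

# Constructed sample listings in Volatility 2 pslist/psscan layout (not real case data).
PSLIST_OUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x810b1660 System                    4      0     58      379 ------      0
0x80ff88d8 smss.exe                544      4      3       21 ------      0 2010-08-11 06:06:21 UTC+0000
0x80fd0960 explorer.exe           1724   1688     13      326      0      0 2010-08-11 06:09:29 UTC+0000
"""

PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001a7b660 System                4      0 0x00319000
0x0000000001fc1c18 smss.exe            544      4 0x0a2b8060 2010-08-11 06:06:21 UTC+0000
0x0000000002011960 explorer.exe       1724   1688 0x0a2b8260 2010-08-11 06:09:29 UTC+0000
0x00000000020e6020 notepad.exe        2032   1724 0x0a2b84e0 2010-08-11 06:10:01 UTC+0000   2010-08-11 06:11:40 UTC+0000
0x0000000001d4a7f0 svchost.exe        1848    696 0x0a2b82c0 2010-08-11 06:08:12 UTC+0000
"""

# Data rows start with the hex offset; name, PID and PPID follow, then the remaining columns.
ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s*(.*)$")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_rows(output):
    """Map PID -> (name, number of timestamps on the row) for a pslist or psscan listing."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            name, pid, _ppid, tail = m.groups()
            rows[int(pid)] = (name, len(TIMESTAMP.findall(tail)))
    return rows


def compare(pslist_out, psscan_out):
    """Explain every process psscan carved that the pslist linked-list walk did not report."""
    linked = parse_rows(pslist_out)
    findings = {}
    for pid, (name, stamps) in parse_rows(psscan_out).items():
        if pid in linked:
            continue
        # psscan prints "Time exited" (a second timestamp) only for terminated processes;
        # a process with no exit time that is absent from the linked list is what an
        # unlinked/hidden process looks like and deserves a closer look.
        verdict = "terminated" if stamps == 2 else "hidden_or_unlinked"
        findings[pid] = (name, verdict)
    return findings
```

Run `compare(PSLIST_OUT, PSSCAN_OUT)` and the terminated notepad.exe is separated from the svchost.exe that is live yet missing from pslist.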

If you are interested in learning other plugins that are not covered in the lecture, you can refer to the Volatility Command Reference.

Answer the Check Your Work questions.

Reposted from: https://www.cnblogs.com/sec875/articles/10015680.html
