INTRODUCTION
Memory analysis has come a long way, and it is imperative that a good Incident Responder realize how much valuable information can be obtained by analyzing memory.
I have been conducting Incident Response investigations for a few years now and have always used Volatility as my tool of choice. I like it because, first off, it is open source, and I have found it very user friendly both for identifying possible malware and for understanding the results that are being retrieved from memory.
As a consultant for Guidance Software's Federal Sector I interact with and train quite a few agencies on the deployment and use of EnCase. I have been getting a lot of requests from agencies with a young Incident Response (IR) team that has little or no experience to incorporate memory analysis training into the normal EnCase training. In creating a training program for this I got to thinking about how I could train a young team to use memory analysis tools from within EnCase. I have been using the "File Viewer" in EnCase for quite some time to view different files with third-party tools, so I decided to try the same thing with Volatility and some batch scripts to come up with training tools that can be used with EnCase. With that said, I am going to go through how I created the batch scripts and how they work with the File Viewer in EnCase. My assumption going in is that the user already has Volatility installed on their system. I will go into a little of how I installed Volatility, but not in detail, since there are very good instructions on the Volatility site at http://code.google.com/p/volatility/w/list. One caveat up front: this process only works on a raw memory image. Volatility reads the file EnCase exports to its temp directory as-is, so an E01 (compressed evidence file) will not parse; use the raw image.
INSTALLING VOLATILITY
To install Volatility I would suggest you go to the site listed above, browse over to the Wiki and look at the Full Installation for Volatility. You will need Python 2.x, distorm3 and PyCrypto installed along with the latest version of Volatility. If you follow the instructions on the Wiki you should get it installed with no problem. The only thing I did differently was that I did not use SVN. Instead I manually downloaded the latest release from http://code.google.com/p/volatility/downloads/list. From there I downloaded Volatility 2.0 (the .tar.gz) and used 7-Zip to extract it to the root of my C: drive. The batch scripts later in this post assume the Volatility folder is C:\Volatility\, so either rename the extracted folder or adjust the path in the scripts.
Once you have everything installed and Volatility set up on your system you will also need to download the plugin file "malware.py". This plugin is not part of the default Volatility installation but can be downloaded from http://malwarecookbook.googlecode.com/svn/trunk/malware.py. Once downloaded, copy it into the plugins sub-folder of the Volatility folder. It is a collection of plugins written by the authors of the "Malware Analyst's Cookbook" and is free for distribution. To check that malware.py is being loaded, open a command prompt in the Volatility folder and run: python vol.py -h. You should see a listing of all plugins, and the very first one should be "apihooks" with the word [malware] next to it. If you do not see that then the file is not in the plugins folder (or is not being parsed) and you need to try again. Now let's move on to EnCase and the batch scripts.
FILE VIEWER
First let's talk a little about how the File Viewer function works in EnCase. This viewer is used to open files of any type that EnCase cannot render itself. It gives you the ability to point to a tool already installed on your local system and open the highlighted file from inside EnCase. The way it works is that EnCase copies the highlighted file out to its default temp directory and then launches the third-party tool with the path of that copy. For Volatility, you set the File Viewer up to launch the command prompt (cmd.exe) with a command line that runs one of the batch files and keeps the window open afterwards (cmd.exe's /k switch does exactly that), so the batch file receives the path of the exported memory image as its first argument. EnCase still has to copy the highlighted memory image out to the temp directory before the batch script runs, which takes a moment for a large image. Below is a sample of a File Viewer set up for one of the multi-scripts:
As you can see the viewer is very basic. The Name is whatever you want to call the viewer; in this case I called it "ImageInfo", which is the name of the Volatility plugin it runs. In Volatility 2.0 every other plugin needs the image profile (the OS version and service pack of the memory image), so imageinfo is the first plugin that must be run.
The Application Path is where we call cmd.exe (the command prompt), and the Command Line tells the command prompt to stay open, change to the batch file folder and run imageinfo.bat against the exported image.
Once you have all of these set up your File Viewer list will look something like the following screenshot:
As you can see there is a folder called "Volatility" which holds the individual batch files corresponding to the Volatility plugins.
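To make the File Viewer wiring concrete, here is an imageinfo.bat of the kind the viewer above points at. It is an added example, not the author's script or anything shipped with EnCase or Volatility. It assumes Volatility lives in C:\Volatility, that the File Viewer's Application Path is C:\Windows\System32\cmd.exe and its Command Line is /k C:\Volatility\bat_files\imageinfo.bat [file], where [file] is the placeholder EnCase replaces with the path of the exported copy (so the image path arrives as %1). Beyond what the post describes, it also pulls the first suggested profile out of imageinfo's output and saves it to C:\temp\profile.txt so the later multi-scripts can be pointed at the same value.

```batch
@echo off
setlocal
rem imageinfo.bat - added example, not the author's script.
rem Launched by the EnCase File Viewer as:  cmd.exe /k C:\Volatility\bat_files\imageinfo.bat [file]
rem EnCase copies the highlighted image to its temp folder and hands that path in as %1.
cd /d C:\Volatility || (echo Volatility folder not found & pause & exit /b 1)
if "%~1"=="" (echo No memory image path was passed in & pause & exit /b 1)
if not exist "%~1" (echo Image not found: %~1 & pause & exit /b 1)
if not exist C:\temp mkdir C:\temp
rem %~n0 is this batch file's name without extension, so the log is C:\temp\imageinfo.txt
set "LOG=C:\temp\%~n0.txt"

echo IMAGEINFO
echo Identifying the OS profile for: %~1
echo This scans the whole image and can take several minutes on a large capture.
python vol.py -f "%~1" imageinfo >"%LOG%" 2>&1
type "%LOG%"

rem Pull the first suggested profile out of the line
rem   Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
rem Splitting on ':', ',' and ' ' makes the first profile the third token.
set PROFILE=
for /f "tokens=3 delims=:, " %%A in ('findstr /c:"Suggested Profile" "%LOG%"') do set "PROFILE=%%A"
rem "Suggested Profile(s) : No suggestion" yields the token "No"; treat that as no profile.
if /i "%PROFILE%"=="No" set PROFILE=
if "%PROFILE%"=="" (
    echo No profile could be identified. Check that this is a raw memory image, not an E01.
) else (
    rem Redirection goes first: "echo %PROFILE%>file" would be misread as a handle redirect
    rem when the profile name ends in a digit, e.g. WinXPSP3x86.
    >"C:\temp\profile.txt" echo %PROFILE%
    echo Use --profile=%PROFILE% for the remaining multi-scripts. Saved to C:\temp\profile.txt
)
pause
```

The /k switch on cmd.exe is what keeps the window on screen after the batch file finishes, so the analyst can read the imageinfo output before closing it. Quoting "%~1" matters because EnCase's temp path can contain spaces.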
BATCH SCRIPTS
I am not going to get into how to write a batch script, as that is for someone far better than me at scripting. The way I have this set up, the File Viewer in EnCase is pointed at a folder called "bat_files" that sits in the root of your Volatility folder, i.e. "C:\Volatility\bat_files\" (adjust this if you kept the extracted folder name, such as Volatility-2.0). In this folder sits a batch file for each plugin that Volatility currently has. I have also created 8 multi-script batch files that we will be using in EnCase, each of which chains the plugins for one step of an investigation. I used the SANS Memory Forensics Cheat Sheet as the basis for the steps. The categories are as follows:
1. Identify Rogue Processes
2. Analyze Process DLLs and Handles
3. Review Network Artifacts
4. Look for Evidence of Code Injection
5. Check for signs of a RootKit
6. Dump Suspicious Processes and Drivers
7. Registry Analysis
8. Timeliner
The "File Viewer" will launch a "command prompt" and then run the batch script requested. The following is a sample of one of the batch scripts I wrote:
@echo off
setlocal
rem Multi-script 6: Dump Suspicious Processes and Drivers (dlldump, moddump, procmemdump, memdump).
rem %1 is the path of the memory image that EnCase copied to its temp directory.
rem Change this path if Volatility is installed somewhere other than C:\Volatility.
cd /d C:\Volatility
set "IMAGE=%~1"
echo DLLDUMP
echo.
echo Dump DLLs from specific processes.
echo.
echo Please enter the image profile for the memory image.
echo You should have gotten this from the imageinfo plugin.
echo.
pause
:input
set INPUT=
set /P INPUT=Type input: %=%
if "%INPUT%"=="" goto input
echo.
echo Please enter the dump directory you want to use.
pause
rem Each prompt has its own label: goto jumps to the next matching label in the file,
rem so reusing :input2 for every prompt would send an empty answer into the wrong section.
:dll_dir
set INPUT2=
set /P INPUT2=Type input2: %=%
if "%INPUT2%"=="" goto dll_dir
rem Volatility refuses a --dump-dir that does not exist, so create it.
if not exist "%INPUT2%" mkdir "%INPUT2%"
pause
echo.
echo Please enter the REGEX pattern you would like to search for.
pause
:dll_regex
set INPUT3=
set /P INPUT3=Type input3: %=%
if "%INPUT3%"=="" goto dll_regex
python vol.py --profile=%INPUT% dlldump -f "%IMAGE%" --dump-dir "%INPUT2%" -r "%INPUT3%"
echo.
pause
echo MODDUMP
echo.
echo Extract kernel drivers.
echo.
echo Please enter the dump directory you want to use.
pause
:mod_dir
set INPUT2=
set /P INPUT2=Type input2: %=%
if "%INPUT2%"=="" goto mod_dir
if not exist "%INPUT2%" mkdir "%INPUT2%"
pause
echo.
echo Please enter the REGEX pattern you would like to search for.
pause
:mod_regex
set INPUT3=
set /P INPUT3=Type input3: %=%
if "%INPUT3%"=="" goto mod_regex
python vol.py --profile=%INPUT% moddump -f "%IMAGE%" --dump-dir "%INPUT2%" -r "%INPUT3%"
pause
echo PROCMEMDUMP
echo.
echo Dump a process to an executable memory sample.
echo.
echo Please enter the dump directory you want to use.
:proc_dir
set INPUT2=
set /P INPUT2=Type input2: %=%
if "%INPUT2%"=="" goto proc_dir
if not exist "%INPUT2%" mkdir "%INPUT2%"
pause
echo.
echo Please enter the PID you would like to dump.
pause
:proc_pid
set INPUT3=
set /P INPUT3=Type input3: %=%
if "%INPUT3%"=="" goto proc_pid
rem The Volatility 2.0 plugin is procmemdump (procexedump dumps only the executable image).
python vol.py --profile=%INPUT% procmemdump -f "%IMAGE%" --dump-dir "%INPUT2%" -p %INPUT3%
pause
echo MEMDUMP
echo.
echo Dump every memory section of a process into a file.
echo.
echo Please enter the dump directory you want to use.
:mem_dir
set INPUT2=
set /P INPUT2=Type input2: %=%
if "%INPUT2%"=="" goto mem_dir
if not exist "%INPUT2%" mkdir "%INPUT2%"
pause
echo.
echo Please enter the PID you would like to dump.
pause
:mem_pid
set INPUT3=
set /P INPUT3=Type input3: %=%
if "%INPUT3%"=="" goto mem_pid
python vol.py --profile=%INPUT% memdump -f "%IMAGE%" --dump-dir "%INPUT2%" -p %INPUT3%
pause
echo This completes this script. Please review your results and proceed to the next multi-script.
pause
The first thing this script does is change to the default location of your Volatility folder. If yours is different, you need to change that path in each batch script. The script then announces which plugin it is about to run and asks for any input that plugin needs. Once you have entered the profile from imageinfo you will not be asked for it again; the script keeps it in a variable for the remaining plugins. When all the input has been collected it executes vol.py with that plugin.
The -f option tells Volatility where the image is located; here %1 is the path of the highlighted image that EnCase just copied to its temp directory. I have set up the batch files to also write their output to a text file in "C:\temp\" (the sample script above leaves that redirection out). Each text file is named after the batch script that produced it, so if you do not want a text file, just delete that portion of the script. Below is how the temp directory looks after running the scripts.
As the batch script shows, each plugin is run only after the script has asked you for the information it needs, so the multi-scripts need to be run in a certain order: imageinfo first, because every later plugin needs its profile, and the process-listing scripts before the dump script, because that one needs the PIDs you found suspicious. I have numbered the scripts 1-8 inside EnCase so a user knows in which order to run them.
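The dump script above is the one multi-script that needs answers from earlier steps. For contrast, here is what the first multi-script, "Identify Rogue Processes", can look like when it follows the same conventions (profile prompted once, image path in %1, a copy of all output in C:\temp\ named after the batch file). This is an added example, not one of the author's scripts; it assumes Volatility in C:\Volatility and malware.py installed, since psxview comes from that plugin file while pslist, psscan and pstree are core Volatility 2.0 plugins.

```batch
@echo off
setlocal
rem 1_IdentifyRogueProcesses.bat - added example, not one of the author's scripts.
rem Runs the process-listing plugins for step 1 of the cheat sheet (pslist, psscan,
rem pstree from core Volatility 2.0, psxview from malware.py) and keeps a copy of all
rem output in C:\temp\<name of this batch file>.txt. EnCase passes the image path as %1.
cd /d C:\Volatility || (echo Volatility folder not found & pause & exit /b 1)
set "IMAGE=%~1"
if "%IMAGE%"=="" (echo No memory image was passed in & pause & exit /b 1)
if not exist C:\temp mkdir C:\temp
rem %~n0 is only the batch file name at top level; inside a called label %0 becomes the
rem label name, so the log path is fixed here before any call.
set "LOG=C:\temp\%~n0.txt"
set "PART=%LOG%.part"

echo IDENTIFY ROGUE PROCESSES
echo.
echo Please enter the image profile reported by imageinfo, for example WinXPSP3x86.
:profile
set PROFILE=
set /P PROFILE=Type input: %=%
if "%PROFILE%"=="" goto profile

>"%LOG%" echo Image:   %IMAGE%
>>"%LOG%" echo Profile: %PROFILE%

rem Same image and profile for every plugin; only the plugin name changes.
for %%P in (pslist psscan pstree psxview) do call :run %%P

echo.
echo Compare the listings: a process that psscan finds but pslist does not, shown by
echo psxview as False in its pslist column, has been unlinked from the active process
echo list and deserves a closer look. Note its PID for multi-script 6.
echo Full output saved to %LOG%
pause
exit /b 0

:run
rem %1 = plugin name. Capture to a part file so the output can be shown on screen
rem and appended to the log without a tee command, which cmd.exe does not have.
echo.
echo ===== %1 =====
python vol.py --profile=%PROFILE% -f "%IMAGE%" %1 >"%PART%" 2>&1
type "%PART%"
>>"%LOG%" echo ===== %1 =====
type "%PART%" >>"%LOG%"
del "%PART%"
goto :eof
```

The call/label pattern keeps the four plugin invocations identical, so adding a plugin to this step is a one-word change to the for loop. Redirecting stderr (2>&1) into the same file matters in practice: a wrong profile makes Volatility print its error there, and without it the log would silently be empty.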
ENCASE INI FILE
So if you would like to use this process for your investigations, or as a way to learn Volatility, I have placed the "Viewer.ini" file and the "bat_files" folder at https://www.dropbox.com/sh/f52w8cw9cfj1ewh/GWkHmnt7_m. Just copy the ini file to the default location of the EnCase Config folder. For Version 7 it is at C:\Users\morgan\AppData\Roaming\EnCase\EnCase7.03.0232-2\Config\ (substitute your own user name and EnCase build number). For Version 6 it is at C:\Program Files\EnCase6.19.4\Config\.
For the "bat_files" folder, just unzip it into the root of your Volatility folder, C:\Volatility\, and make sure you create a temp folder at the root of C:\ for the text output. Once you have done all that you are ready to go.
SUMMARY
I hope this was informative and helpful in some way to the readers and younger Incident Responders out there. The old dogs, I am sure, will have their opinions on this, but I wrote it because I believe the multi-scripts help a beginner learn which plugins to run and which information the later scripts need from the earlier ones. Version 7 allows a user or agency to create a module (EnPack) for the Evidence Processor, so if Volatility, or any other memory analysis solution, were packaged in a module, launching the Evidence Processor would offer a Memory Analysis option that let the user choose which plugins to run. Thanks for taking the time to read this post, and I hope it gave some insight into how powerful EnCase can be.
Great batch files. Would you consider posting your batch files for RegRipper?
Thanks
Robert