Volatility2 Exercise 1
Last updated
At the company of concern, internal data was found in data leaks. The computer is currently running and you have been able to create a RAM image. The computer in question is an older machine that is part of an industrial control system.
You have to analyse the RAM image with Volatility.
Resources:
The basic use of Volatility2 works as follows:
volatility <plugin> [plugin-optionen] [plugin-parameter] -f </pfad/zum/image> --profile=<profil>
With the following command you will get the Volatility profile:
volatility_2.6 -f <IMAGEPFAD> imageinfo
Please answer the following questions:
Which volatility profile should be used for the image?
How many processes were active at the time of the backup?
Are there any hidden processes?
What network connections exist or existed? Is anything noticeable?
Which processes started the connections?
Examine the input in the command line. Which commands were executed? Do you notice anything suspicious?
Which suspicious services are currently active?
1. Profile detection:
volatility.exe -f doomed.vmem imageinfo
2. Detect active processes (22 in total):
volatility.exe -f doomed.vmem --profile=WinXPSP2x86 pslist
Process tree view (parent-child relationship):
volatility.exe -f doomed.vmem --profile=WinXPSP2x86 pstree
3. Scan for hidden and terminated processes:
volatility.exe -f doomed.vmem --profile=WinXPSP2x86 psscan
volatility.exe -f doomed.vmem --profile=WinXPSP2x86 psxview
Nothing suspicious detected so far!
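The psxview step above compares several process-enumeration techniques. The following parser is an added example, not part of the original exercise: it reads the text that Volatility 2's psxview plugin prints (the column layout shown is Volatility 2's; the rows, including the hidden process, are constructed for illustration) and reports entries that the pool scanner (psscan) finds but the active-process list (pslist) does not. A row with pslist False and psscan True but no ExitTime is the pattern that points at an unlinked, hidden process; the same pattern with an ExitTime is just a terminated process whose EPROCESS has not been reused yet.

```python
"""Flag processes that psxview shows in psscan but not in pslist.

Added example (not code from the exercise): parse the Volatility 2 psxview
text output and separate terminated processes from genuinely hidden ones.
"""

# Constructed sample output. The column layout mirrors Volatility 2's psxview;
# the rows and the process named hidden.exe are invented for this example.
SAMPLE_PSXVIEW = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x0a04a790 explorer.exe           1956 True   True   True     True   True  True    True
0x0a1b2c40 svchost.exe             880 True   True   True     True   True  True    True
0x0a2c3d50 notepad.exe            2212 False  True   False    False  False False   False    2012-01-01 10:15:02 UTC+0000
0x0a3d4e60 hidden.exe             1337 False  True   True     True   True  True    True
"""

# Boolean columns in the order psxview prints them.
BOOL_COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")


def parse_psxview(text):
    """Return one dict per process row; banner, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a hex offset and carry at least offset, name, pid + 7 flags.
        if len(parts) < 10 or not parts[0].startswith("0x"):
            continue
        offset, name, pid = parts[0], parts[1], int(parts[2])
        flags = {col: val == "True" for col, val in zip(BOOL_COLUMNS, parts[3:10])}
        exit_time = " ".join(parts[10:])  # empty string when the process is still alive
        rows.append({"offset": offset, "name": name, "pid": pid, "exit_time": exit_time, **flags})
    return rows


def find_hidden(rows):
    """Split rows seen by psscan but not pslist into (hidden, terminated).

    Hidden: no ExitTime, so the process is alive yet unlinked from the active list.
    Terminated: ExitTime set, so the object is simply a leftover of an exited process.
    """
    hidden, terminated = [], []
    for r in rows:
        if r["psscan"] and not r["pslist"]:
            (terminated if r["exit_time"] else hidden).append(r)
    return hidden, terminated


if __name__ == "__main__":
    rows = parse_psxview(SAMPLE_PSXVIEW)
    hidden, terminated = find_hidden(rows)
    for r in terminated:
        print(f"exited : pid {r['pid']:>5} {r['name']:<16} ExitTime {r['exit_time']}")
    for r in hidden:
        print(f"HIDDEN : pid {r['pid']:>5} {r['name']:<16} at {r['offset']} (absent from pslist, no ExitTime)")
```

To use it on real data, pipe the plugin output into a file (`volatility.exe -f doomed.vmem --profile=WinXPSP2x86 psxview > psxview.txt`) and pass the file contents to parse_psxview instead of the constructed sample. A process that only psscan sees, with every other column False and an ExitTime, is normal after a process exits; the interesting case is the one with the other columns True.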
4. Check network connections:
volatility.exe -f doomed.vmem --profile=WinXPSP2x86 connscan
volatility.exe -f doomed.vmem --profile=WinXPSP2x86 connections
volatility.exe -f doomed.vmem --profile=WinXPSP2x86 sockscan
5. The process id 1956 belongs to explorer.exe, which initiates a remote connection to 172.16.98.1:6666
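Steps 4 and 5 above join the PID column of connscan with the process list to find out who owns each connection. The script below is an added example and not part of the original exercise: it parses constructed samples of Volatility 2's pslist and connscan text output (the explorer.exe PID 1956 and the remote endpoint 172.16.98.1:6666 follow the exercise; every other row is invented), attributes each connection to its process name, and flags the two things an analyst looks for here: a connection owned by a process that normally never initiates remote traffic, and a remote port outside a small allow-list of common services. Both lists are the example's own assumptions, not anything the exercise states.

```python
"""Attribute connscan entries to their owning process and flag oddities.

Added example (not code from the exercise): join Volatility 2 `connscan`
output with `pslist` output on the PID column. IPv4 addresses only.
"""

# Constructed sample outputs in Volatility 2's column layout.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     56      256 ------      0
0x820df020 svchost.exe             880    680     21      300      0      0 2012-01-01 09:00:03 UTC+0000
0x821a5da0 explorer.exe           1956   1920     15      450      0      0 2012-01-01 09:00:10 UTC+0000
"""

SAMPLE_CONNSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x0207a9a0 172.16.98.130:1034        172.16.98.1:6666          1956
0x0208bb20 172.16.98.130:1041        10.0.0.5:80               880
"""

# Assumption of this example: these processes should never be the originator
# of an outbound TCP connection on a workstation, so any match is worth a look.
NO_OUTBOUND_EXPECTED = {"explorer.exe", "csrss.exe", "smss.exe"}

# Assumption of this example: remote ports considered unremarkable without further context.
COMMON_REMOTE_PORTS = {80, 443, 53, 135, 139, 445}


def parse_pslist(text):
    """Map PID -> process name from pslist output (banner/header/separator lines skipped)."""
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("0x") and parts[2].isdigit():
            names[int(parts[2])] = parts[1]
    return names


def parse_connscan(text):
    """Return one dict per connscan row: offset, local, remote host/port, pid."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].startswith("0x") and parts[3].isdigit():
            remote_host, remote_port = parts[2].rsplit(":", 1)
            conns.append({
                "offset": parts[0],
                "local": parts[1],
                "remote_host": remote_host,
                "remote_port": int(remote_port),
                "pid": int(parts[3]),
            })
    return conns


def attribute(conns, names):
    """Attach the owning process name and a list of reasons why the entry is suspicious."""
    findings = []
    for c in conns:
        proc = names.get(c["pid"])
        reasons = []
        if proc is None:
            # connscan carves pool memory, so it also returns connections of processes
            # that have exited or are hidden; either way the owner deserves attention.
            proc = "<not in pslist>"
            reasons.append("owning process missing from pslist (exited or hidden)")
        if proc in NO_OUTBOUND_EXPECTED:
            reasons.append(f"{proc} normally does not initiate remote connections")
        if c["remote_port"] not in COMMON_REMOTE_PORTS:
            reasons.append(f"uncommon remote port {c['remote_port']}")
        findings.append({**c, "process": proc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    names = parse_pslist(SAMPLE_PSLIST)
    for f in attribute(parse_connscan(SAMPLE_CONNSCAN), names):
        tag = "SUSPECT" if f["reasons"] else "ok     "
        print(f"{tag} pid {f['pid']:>5} {f['process']:<16} {f['local']} -> "
              f"{f['remote_host']}:{f['remote_port']}  {'; '.join(f['reasons'])}")
```

Running it on the constructed sample reports the explorer.exe connection to port 6666 as suspect for both reasons and the svchost.exe connection to port 80 as unremarkable. The same join works with the `connections` and `sockscan` plugins once their column positions are adjusted; connscan is used here because, like psscan, it carves freed pool memory and therefore also surfaces connections that had already been closed when the image was taken.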
6. Get command line history:
A service check was executed: sc query malware
volatility.exe -f doomed.vmem --profile=WinXPSP2x86 cmdscan
volatility.exe -f doomed.vmem --profile=WinXPSP2x86 consoles
Check active services:
volatility.exe -f doomed.vmem --profile=WinXPSP2x86 svcscan
There are a lot of active services on that machine. Searching for malware shows that this service is still running:
Binary path is \Driver\Malware