THE ARCHITECTURE OF THE GUI WINDOWS SYSTEM FROM THE FORENSICS POINT OF VIEW
In this module:
➡ The use of the Volatility plugins for forensic analysis of the Windows system.
➡ How to extract evidence from the Windows GUI subsystem.
➡ Try to identify hidden processes.
➡ Identifying and analyzing kernel drivers.
➡ Exploring the plugins to collect evidence.
To deal with the topics of Module 2 we will explore a classic example of malware forensics. First we find out the profile of the memory sample, and from that point we use some Volatility commands to understand the flow of the malware infection on the victim machine.
We start from the assumption that we have no information about the image we received for analysis. So, let's use imageinfo (the kdbgscan command can also be used) to identify the profile of the operating system associated with this image.
Then we use the pslist command to extract evidence from the processes listed in memory, and try to identify processes of interest or any evidence of infection.
Run pslist
➡ In Windows:
vol.exe pslist --profile=WinXPSP3x86 -f stuxnet.vmem
➡ In Kali Linux 2016.1:
volatility pslist --profile=WinXPSP3x86 -f /root/forensics/stuxnet.vmem
➡ Optionally, set environment variables instead of passing -f and --profile each time (Linux):
export VOLATILITY_LOCATION=file:///root/forensics/stuxnet.vmem
export VOLATILITY_PROFILE=WinXPSP3x86
The _EPROCESS and PEB in Windows Memory (see [2], p. 219)
Pslist output
The output of the pslist plugin shows us some important information. The winlogon.exe process (PID 624) is the parent process (PPID) of lsass.exe (PID 680). But we have two more lsass.exe processes (PID 868 and 1928) whose parent is the services.exe process (PPID 668). In a normal situation, Windows starts only one instance of lsass.exe, created by winlogon.exe. In this case, we have two additional instances of lsass.exe created by services.exe [1].
Psscan plugin: searching for hidden processes
vol.exe psscan --profile=WinXPSP2x86 -f xplaptop.img
The offset address must be used to search for hidden processes: an entry that psscan carves from memory but that pslist does not show is a candidate hidden process.
The Time exited column shows whether a process has terminated.
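The two checks described above (lsass.exe instances with an abnormal parent, and psscan entries missing from pslist), as an added example that is not part of the original module. The plugin output is constructed to follow the Volatility 2 column layout; the lsass.exe PIDs mirror the scenario in the text, while unlinked.exe and cmd.exe and all offsets are made up.

```python
import re

# Constructed pslist/psscan output (columns trimmed to the ones used here).
# Only the lsass.exe PIDs/PPIDs follow the text; the rest is invented.
PSLIST = """\
Offset(V)  Name          PID  PPID
0x81e9ca58 winlogon.exe  624   376
0x81e61da0 services.exe  668   624
0x81e6b660 lsass.exe     680   624
0x81c498c8 lsass.exe     868   668
0x81ebc7e8 lsass.exe    1928   668
"""
PSSCAN = """\
Offset(P)  Name          PID  PPID  Time exited
0x0227ca58 winlogon.exe  624   376
0x02248da0 services.exe  668   624
0x0220b660 lsass.exe     680   624
0x021498c8 lsass.exe     868   668
0x01ebc7e8 lsass.exe    1928   668
0x01f3d020 unlinked.exe 1720   668
0x01d02da0 cmd.exe      1412   668  2011-06-03 04:28:15
"""

ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)(?:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d))?")

def parse(text):
    """Turn plugin output into dicts; header lines do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"offset": int(m[1], 16), "name": m[2], "pid": int(m[3]), "ppid": int(m[4]), "exited": m[5]})
    return rows

def suspicious_lsass(rows):
    """PIDs of lsass.exe whose parent is not winlogon.exe (the only normal parent on XP)."""
    by_pid = {r["pid"]: r for r in rows}
    return sorted(r["pid"] for r in rows if r["name"].lower() == "lsass.exe"
                  and by_pid.get(r["ppid"], {}).get("name", "").lower() != "winlogon.exe")

def cross_view(pslist_rows, psscan_rows):
    """Split psscan-only entries into hidden (no exit time) and merely terminated processes."""
    listed = {(r["name"], r["pid"]) for r in pslist_rows}
    hidden, terminated = [], []
    for r in psscan_rows:
        if (r["name"], r["pid"]) in listed:
            continue
        (terminated if r["exited"] else hidden).append(r["pid"])
    return hidden, terminated
```

Matching here is by (name, PID) because psscan prints physical offsets while pslist prints virtual ones; run pslist with -P to get physical offsets and compare the offset columns directly.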
Windows XP PID and PPID
Malware behavior: stuxnet variation
The output of dlllist for lsass.exe PID 1928: