SlideShare una empresa de Scribd logo

From hybernation file to malware analysis with volatility

Christiaan Beek
Christiaan Beek

Howto on creating a memdump file from a hybernationfile, followed by

Tecnología
1 de 2
Descargar para leer sin conexión
From Hybernation file to Malware analysis with Volatility Intro In many malware related cases, the systems are still up and running and perfect for creating a memory dump before starting any investigation regarding the other volatile data and interesting files. In some cases the customer already took the machines from the network and shut them down. From an investigator’s perspective, valuable volatile data could be lost caused by this shutdown. A great way to reconstruct the memory for investigation is to extract the hibernation file from the Windows system and reconstruct it to a memory-dump file format. The hibernation file (hyberfil.sys) contains all the physical memory that was saved by the operating system for restoring usage during the next time the system is booted. Extract the hiberfil.sys file How do we start? First of all a forensic sound duplicate of the hard-drive is made by using a write-blocker. After the ‘mother’-copy has been duplicated; a ‘work-copy’ is mounted to the investigator’s analysis station. With Encase or FTK Imager, it is possible to extract the file from the disk-image. In this case we use the free-tool FTK Imager. After adding the disk to the software, you have to browse to the root dir of the system. Figure 1 selecting the hiberfil.sys file While selecting the file, execute a right-mouseclick and choose the option ‘Export Files’, followed by the location you want to dump this file. Convert the hiberfile.sys to a memory-dump file We know have the file exported, but we need to convert it to a readable format for memory analysis tools like Volatility. In 2007, Matthieu Suiche started a project on this called ‘Sandman’.
This project was started to better investigate the hiberfil.sys file and what data could be extracted. One of the scripts Matthieu wrote was able to convert the hiberfil.sys file into a memory-dump format. This script and more was later adopted into Moonsols memory dump/converting toolkit. Moonsol is offering a community and enterprise edition of this toolkit. The community edition has the tool hibr2bin that is compatible with 32bit hibernation files of XP/2003/2008 & Vista. After downloading the tool we are going to convert our extracted hiberfil.sys file towards a bin file that can be used for analysis with volatility. The usage of the tool is pretty straight forward: Hibr2bin.exe <input file> <output file>: After this has been completed we have a file that can be imported to Volatility. Volatility When using Volatility, I prefer to use a ‘forensic order’ of using the plugins: Identify Image: plugin: imageinfo Identify suspicious processes: plugin: pslist & psscan Identify active/closed/hidden cons plugin: connections & connscan2, socks & sockscan2 Identify suspicious dll’s, open/hidden/closed files: plugin: dlllist , files & fileobjscan These plugins are followed by the plugin ‘malfind’ and others related to the case.

Recomendados

In-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesIn-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesMaxim Suhanov
 
Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registrysomutripathi
 
10 resource kit remote administration tools
10 resource kit remote administration tools10 resource kit remote administration tools
10 resource kit remote administration toolsDuggesh Talawar
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry ForensicsSomesh Sawhney
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Recover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows ComputerRecover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows ComputerArthur King
 

Recomendados

In-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesIn-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesMaxim Suhanov
 
Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registrysomutripathi
 
10 resource kit remote administration tools
10 resource kit remote administration tools10 resource kit remote administration tools
10 resource kit remote administration toolsDuggesh Talawar
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry ForensicsSomesh Sawhney
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Recover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows ComputerRecover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows ComputerArthur King
 
fast_bitcoin_data_mining
fast_bitcoin_data_miningfast_bitcoin_data_mining
fast_bitcoin_data_miningJason Papapanagiotakis
 
Avg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAvg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAVG Technologies
 
Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Aziz Sasmaz
 
Linux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixLinux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixPaddy Lock
 
Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Akshay koshti
 
Windows advanced
Windows advancedWindows advanced
Windows advancedyarden hanan
 
Wait events
Wait eventsWait events
Wait eventsAnu Rana
 
File windows local
File windows localFile windows local
File windows localyarden hanan
 
Unix Administration
Unix AdministrationUnix Administration
Unix AdministrationNishant Munjal
 
Hacking Windows IPC
Hacking Windows IPCHacking Windows IPC
Hacking Windows IPCgueste041bc
 
Oracle11g notes
Oracle11g notesOracle11g notes
Oracle11g notesManish Mudhliyar
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesSandeep Kumar Seeram
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...AbundioTeca
 
Deft v7
Deft v7Deft v7
Deft v7TGodfrey
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profitYouness Zougar
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsCysinfo Cyber Security Community
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
3170725_Unit-4.pptx
3170725_Unit-4.pptx3170725_Unit-4.pptx
3170725_Unit-4.pptxYashPatel132112
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imagingDINESH KAMBLE
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating SystemKunalKewat1
 

Más contenido relacionado

La actualidad más candente

Avg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAvg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAVG Technologies
 
Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Aziz Sasmaz
 
Linux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixLinux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixPaddy Lock
 
Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Akshay koshti
 
Wait events
Wait eventsWait events
Wait eventsAnu Rana
 
File windows local
File windows localFile windows local
File windows localyarden hanan
 
Hacking Windows IPC
Hacking Windows IPCHacking Windows IPC
Hacking Windows IPCgueste041bc
 

La actualidad más candente (11)

fast_bitcoin_data_mining
fast_bitcoin_data_miningfast_bitcoin_data_mining
fast_bitcoin_data_mining
 
Avg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAvg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White Paper
 
Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Evernote Touch App Artifact Report
Evernote Touch App Artifact Report
 
Linux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixLinux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on Eduonix
 
Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to
 
Windows advanced
Windows advancedWindows advanced
Windows advanced
 
Wait events
Wait eventsWait events
Wait events
 
File windows local
File windows localFile windows local
File windows local
 
Unix Administration
Unix AdministrationUnix Administration
Unix Administration
 
Hacking Windows IPC
Hacking Windows IPCHacking Windows IPC
Hacking Windows IPC
 
Oracle11g notes
Oracle11g notesOracle11g notes
Oracle11g notes
 

Similar a From hybernation file to malware analysis with volatility

Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesSandeep Kumar Seeram
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...AbundioTeca
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profitYouness Zougar
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsCysinfo Cyber Security Community
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating SystemKunalKewat1
 
Encrypt and decrypt in solaris system
Encrypt and decrypt in solaris systemEncrypt and decrypt in solaris system
Encrypt and decrypt in solaris systemuzzal basak
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docxevonnehoggarth79783
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded
 
Kinect installation guide
Kinect installation guideKinect installation guide
Kinect installation guidegilmsdn
 
Batch File Virus Project Technical Paper
Batch File Virus Project Technical PaperBatch File Virus Project Technical Paper
Batch File Virus Project Technical PaperStephen Whisman
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisAbdulrahman Bassam
 

Similar a From hybernation file to malware analysis with volatility (20)

Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
 
Deft v7
Deft v7Deft v7
Deft v7
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profit
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
3170725_Unit-4.pptx
3170725_Unit-4.pptx3170725_Unit-4.pptx
3170725_Unit-4.pptx
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating System
 
Encrypt and decrypt in solaris system
Encrypt and decrypt in solaris systemEncrypt and decrypt in solaris system
Encrypt and decrypt in solaris system
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
 
Booklet
BookletBooklet
Booklet
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Kinect installation guide
Kinect installation guideKinect installation guide
Kinect installation guide
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Batch File Virus Project Technical Paper
Batch File Virus Project Technical PaperBatch File Virus Project Technical Paper
Batch File Virus Project Technical Paper
 
O p
O pO p
O p
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
 

Más de Christiaan Beek

We-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-tooWe-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-tooChristiaan Beek
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"Christiaan Beek
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"Christiaan Beek
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseChristiaan Beek
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
Taming worms, rats, dragons & more
Taming worms, rats, dragons & moreTaming worms, rats, dragons & more
Taming worms, rats, dragons & moreChristiaan Beek
 

Más de Christiaan Beek (7)

We-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-tooWe-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-too
 
3871778
38717783871778
3871778
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypse
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Taming worms, rats, dragons & more
Taming worms, rats, dragons & moreTaming worms, rats, dragons & more
Taming worms, rats, dragons & more
 

Último

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Último (20)

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

From hybernation file to malware analysis with volatility

  • 1. From Hybernation file to Malware analysis with Volatility Intro In many malware related cases, the systems are still up and running and perfect for creating a memory dump before starting any investigation regarding the other volatile data and interesting files. In some cases the customer already took the machines from the network and shut them down. From an investigator’s perspective, valuable volatile data could be lost caused by this shutdown. A great way to reconstruct the memory for investigation is to extract the hibernation file from the Windows system and reconstruct it to a memory-dump file format. The hibernation file (hyberfil.sys) contains all the physical memory that was saved by the operating system for restoring usage during the next time the system is booted. Extract the hiberfil.sys file How do we start? First of all a forensic sound duplicate of the hard-drive is made by using a write-blocker. After the ‘mother’-copy has been duplicated; a ‘work-copy’ is mounted to the investigator’s analysis station. With Encase or FTK Imager, it is possible to extract the file from the disk-image. In this case we use the free-tool FTK Imager. After adding the disk to the software, you have to browse to the root dir of the system. Figure 1 selecting the hiberfil.sys file While selecting the file, execute a right-mouseclick and choose the option ‘Export Files’, followed by the location you want to dump this file. Convert the hiberfile.sys to a memory-dump file We know have the file exported, but we need to convert it to a readable format for memory analysis tools like Volatility. In 2007, Matthieu Suiche started a project on this called ‘Sandman’.
  • 2. This project was started to better investigate the hiberfil.sys file and what data could be extracted. One of the scripts Matthieu wrote was able to convert the hiberfil.sys file into a memory-dump format. This script and more was later adopted into Moonsols memory dump/converting toolkit. Moonsol is offering a community and enterprise edition of this toolkit. The community edition has the tool hibr2bin that is compatible with 32bit hibernation files of XP/2003/2008 & Vista. After downloading the tool we are going to convert our extracted hiberfil.sys file towards a bin file that can be used for analysis with volatility. The usage of the tool is pretty straight forward: Hibr2bin.exe <input file> <output file>: After this has been completed we have a file that can be imported to Volatility. Volatility When using Volatility, I prefer to use a ‘forensic order’ of using the plugins: Identify Image: plugin: imageinfo Identify suspicious processes: plugin: pslist & psscan Identify active/closed/hidden cons plugin: connections & connscan2, socks & sockscan2 Identify suspicious dll’s, open/hidden/closed files: plugin: dlllist , files & fileobjscan These plugins are followed by the plugin ‘malfind’ and others related to the case.