You may find yourself with only a disk image and no memory image, or with a memory image but wishing you also had a view of memory from some earlier point in time. With the hibernation file (hiberfil.sys), the page file (pagefile.sys) and crash dumps, that may be possible. And if you are lucky, you may be able to recover earlier versions of those files from Volume Shadow Copies, which are enabled by default on most modern Windows versions. From a forensic point of view, the hibernation file is the most useful of these.

“hiberfil.sys is the file used by default by Microsoft Windows to save the machine's state as part of the hibernation process. The operating system also keeps an open file handle to this file, so no user, including the Administrator, can read the file while the system is running.” [1]

If you have a disk image of Windows Vista or later, you can check whether a previous copy of hiberfil.sys exists in a Volume Shadow Copy (a snapshot taken by the Volume Shadow Copy Service, VSS). That copy may predate a malware infection or compromise, or it may contain artifacts that have since been deleted. To check your image for previous versions of hiberfil.sys and restore them, you can use libvshadow by Joachim Metz [2]. Once you have recovered the desired version of hiberfil.sys, Volatility can examine it directly, but that is very slow; it is better to convert it to a raw memory image first.
In the above example I used the imagecopy plugin to do the conversion; you have to specify the exact Windows version and service pack level as the profile (for example --profile=Win7SP1x64). Another option is hibr2bin.exe by Matt Suiche [3]. Note that Volatility 2's hibernation support covers Windows XP through Windows 7 / Server 2008 R2; Windows 8 and later changed the hiberfil.sys format, so for those images you need a converter that understands the newer format. Now let's examine our image.
And let's check the network connections:
Now let's check the autoruns using the autoruns plugin:
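The workflow above (pick a hiberfil.sys copy from the live volume or a shadow copy, convert it with imagecopy, then run pslist, netscan and autoruns) is easy to get wrong on the first step: a hiberfil.sys whose header reads "wake" or is zeroed has been invalidated by a resume, and Volatility's hibernation address space will reject it even though older memory pages may still be inside it. The following triage script is an added example, not the diary author's code. It assumes libvshadow has already done its part (vshadowinfo lists the snapshots in the image, vshadowmount exposes each one as a raw volume image, and each has been loop-mounted read-only with ntfs-3g); the mount points, the profile Win7SP1x64 and the plugin directory /opt/volatility-plugins are illustrative assumptions, and the three sample hiberfil copies it builds are constructed, header-only files, not real data.

```python
"""Triage hiberfil.sys copies from a live volume and its shadow copies, then
emit the Volatility 2 commands for the copies that can actually be converted.
Added example for this diary, not the author's code; mount points, profile and
plugin directory are assumptions (see lead-in)."""
import os
import tempfile
from datetime import datetime, timezone

PROFILE = "Win7SP1x64"                   # assumed: exact Windows version + service pack
PLUGINS_DIR = "/opt/volatility-plugins"  # assumed: where the community autoruns plugin lives

# First four bytes of hiberfil.sys (the PO_MEMORY_IMAGE header). Letter case
# varies between Windows versions, so the lookup is case-insensitive.
STATES = {
    b"hibr": "hibernated",              # written at hibernation; header intact
    b"wake": "resumed",                 # machine resumed since; header invalidated
    b"\x00\x00\x00\x00": "cleared",     # header page zeroed; body may still be carvable
}


def classify_hiberfil(path):
    """Classify one hiberfil.sys copy by its signature."""
    with open(path, "rb") as fh:
        sig = fh.read(4)
    if len(sig) < 4:
        return "truncated"
    return STATES.get(sig.lower(), "unknown")


def find_candidates(roots):
    """roots maps a label to a mount point (live volume, vss1, vss2, ...).
    Returns one record per hiberfil.sys found, newest modification first."""
    found = []
    for label, root in roots.items():
        path = os.path.join(root, "hiberfil.sys")
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        found.append({"label": label, "path": path, "size": st.st_size,
                      "state": classify_hiberfil(path),
                      "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)})
    found.sort(key=lambda c: c["mtime"], reverse=True)
    return found


def convertible(candidates):
    """Volatility's hibernation address space needs the 'hibr' header; a resumed
    or cleared copy is only good for carving, not for imagecopy."""
    return [c for c in candidates if c["state"] == "hibernated"]


def imagecopy_command(hiberfil, profile, out_raw):
    """vol.py imagecopy: convert hiberfil.sys into a raw memory image."""
    return ["vol.py", "-f", hiberfil, "--profile=" + profile, "imagecopy", "-O", out_raw]


def analysis_commands(raw_image, profile, plugins_dir=None):
    """Process list, network connections (netscan is Vista+) and autoruns.
    --plugins must precede the other options in Volatility 2."""
    base = ["vol.py", "-f", raw_image, "--profile=" + profile]
    autoruns = ["vol.py"] + (["--plugins=" + plugins_dir] if plugins_dir else [])
    autoruns += ["-f", raw_image, "--profile=" + profile, "autoruns"]
    return [base + ["pslist"], base + ["netscan"], autoruns]


def build_sample_tree(base):
    """Constructed sample data, not real hiberfils: the live volume's copy was
    invalidated by a resume, one shadow copy is zeroed, an older one is intact."""
    layout = [("live", b"wake", 2), ("vss1", b"\x00" * 4, 1), ("vss2", b"hibr", 0)]
    epoch = 1474934400  # 2016-09-27 00:00 UTC, arbitrary base timestamp
    roots = {}
    for label, sig, day in layout:
        d = os.path.join(base, label)
        os.makedirs(d, exist_ok=True)
        path = os.path.join(d, "hiberfil.sys")
        with open(path, "wb") as fh:
            fh.write(sig + b"\x00" * (4096 - len(sig)))
        os.utime(path, (epoch + day * 86400, epoch + day * 86400))
        roots[label] = d
    return roots


def triage_sample():
    """Run the triage over the sample tree; returns (candidates, commands)."""
    with tempfile.TemporaryDirectory() as tmp:
        cands = find_candidates(build_sample_tree(tmp))
    commands = []
    for c in convertible(cands):
        raw = c["label"] + "_hiberfil.raw"
        commands.append(imagecopy_command(c["path"], PROFILE, raw))
        commands.extend(analysis_commands(raw, PROFILE, PLUGINS_DIR))
    return cands, commands


if __name__ == "__main__":
    cands, commands = triage_sample()
    for c in cands:
        print(f"{c['label']:5} {c['state']:10} {c['size']:>8} {c['mtime']:%Y-%m-%d %H:%M}Z {c['path']}")
    for cmd in commands:
        print(" ".join(cmd))
```

On a real image, replace build_sample_tree with a dict of your actual mount points (the live NTFS volume plus one entry per mounted shadow copy) and run the printed commands; the point of sorting by modification time is that the newest intact copy is usually the one you want, while the older copies are the ones that may predate the compromise.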
Basil, ISC Handler, Sep 27th 2016
Note the missing quotes around %ProgramFiles%\Windows Sidebar\Sidebar.exe
See https://technet.microsoft.com/en-us/security/dn261332.aspx and https://support.microsoft.com/en-us/kb/2719662 why you should not just fix this bloody beginner's error, but remove these command lines completely.
Anonymous, Sep 27th 2016
Note the abomination "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe"
Some people at Google obviously can't distinguish "%LOCALAPPDATA%"^Wapplication data from "%ProgramFiles%"^Wprogram code and practice gross negligence. KICK THEM!
Anonymous, Sep 27th 2016
> Note the abomination "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe"
> Some people at Google obviously can't distinguish "%LOCALAPPDATA%"^Wapplication data
> from "%ProgramFiles%"^Wprogram code and practice gross negligence.

Hmm. If 'nfury' was _NOT_ an administrator-level account, then the Google software would install somewhere into that user's own file-tree, because the account would have _NO_ permission to install into "%ProgramFiles%". Here's one to the principle of "least privilege".
Anonymous, Sep 27th 2016
Quoting Anonymous:
> Note the abomination "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe"

Which IS the outright abomination: program code MUST NEVER be installed in a user-writable location.

Quoting Anonymous:

OUCH! This principle means that you should run with the least privileges sufficient for a task. It does NOT mean that you should violate the principles of "privilege separation" and "write XOR execute".
Anonymous, Sep 27th 2016