Back in Time Memory Forensics - SANS Internet Storm Center

You might get into a case where you have only the disk image without having the memory image. Or even if you have the memory image but you wish If you have something back in time.With hibernation file (hiberfil.sys) ,Page File (page and crash dump that might be possible. And if you are lucky enough you might be able to recover them from volume shadow copy which is enabled by default in most of modern Windows OS .In forensic point of view Hibernation file is the most useful file type that might have useful information.

“hiberfil.sys is the file used by default by Microsoft Windows to save the machine's state as part of the hibernation process. The operating system also keeps an open file handle to this file, so no user, including the Administrator, can read the file while the system is running.”[1]

If you have a disk image of Windows Vista+ or later you can check if you have a previous copy of hiberfil.sys through Volume Snapshot Volume (Aka Shadow Copy) which might be prior to a malware infection or compromised or it might have some artifacts that was deleted.

If you like to check your image for pervious versions of hiberfil.sys and restore it ,you can use LibVShadow by Joachim Metz[2].

When you recover the desired hiberfil.sys version,while Volatility framework can examine hiberfil.sys ,but that will very slow and it’s better to convert it first to raw memory image.

vol.py -f hiberfil.sys --profile=Win7SP1x64 imagecopy -O rawimage.img

In the above example I used imagecopy plugin to do the conversation , you have to specify the exact windows version with the service pack level . Another option is using hib2bin.exe by Matt Suiche.[3]

Now let’s examine our image

vol.py -f rawimage.img --profile=Win7SP1x64 pslist

olatility Foundation Volatility Framework 2.4

Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit

------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------

0xfffffa800ccca9e0 System 4 0 112 567 ------ 0 2012-03-15 22:34:19 UTC+0000

0xfffffa800d2b5b30 smss.exe 228 4 3 35 ------ 0 2012-03-15 22:34:19 UTC+0000

0xfffffa800e8862f0 csrss.exe 352 344 9 869 0 0 2012-03-15 22:34:44 UTC+0000

0xfffffa800cd049f0 csrss.exe 404 396 9 78 1 0 2012-03-15 22:34:49 UTC+0000

0xfffffa800e9a8060 wininit.exe 436 344 3 77 0 0 2012-03-15 22:34:49 UTC+0000

0xfffffa800e9a7860 winlogon.exe 444 396 4 94 1 0 2012-03-15 22:34:49 UTC+0000

0xfffffa800e9df060 services.exe 508 436 9 274 0 0 2012-03-15 22:34:55 UTC+0000

0xfffffa800e9e3850 lsass.exe 516 436 8 942 0 0 2012-03-15 22:34:56 UTC+0000

0xfffffa800e9ea910 lsm.exe 524 436 14 311 0 0 2012-03-15 22:34:56 UTC+0000

0xfffffa800ea45860 svchost.exe 612 508 11 375 0 0 2012-03-15 22:35:05 UTC+0000

0xfffffa800ea779f0 svchost.exe 688 508 11 364 0 0 2012-03-15 22:35:08 UTC+0000

0xfffffa800ea94b30 LogonUI.exe 764 444 8 201 1 0 2012-03-15 22:35:09 UTC+0000

0xfffffa800eaa8b30 svchost.exe 772 508 22 522 0 0 2012-03-15 22:35:09 UTC+0000

0xfffffa800eaceb30 svchost.exe 832 508 21 517 0 0 2012-03-15 22:35:10 UTC+0000

0xfffffa800ead2b30 svchost.exe 856 508 45 1402 0 0 2012-03-15 22:35:10 UTC+0000

0xfffffa800eb16b30 svchost.exe 972 508 22 395 0 0 2012-03-15 22:35:12 UTC+0000

0xfffffa800eb4d730 svchost.exe 292 508 25 697 0 0 2012-03-15 22:35:14 UTC+0000

0xfffffa800eb51b30 spoolsv.exe 924 508 14 337 0 0 2012-03-15 22:35:26 UTC+0000

0xfffffa800ebd5820 svchost.exe 360 508 21 332 0 0 2012-03-15 22:35:27 UTC+0000

0xfffffa800ec5e650 FireSvc.exe 1168 508 21 349 0 0 2012-03-15 22:35:32 UTC+0000

And let check the network connections:

vol.py -f rawimage.img --profile=Win7SP1x64 netscan

Volatility Foundation Volatility Framework 2.4

Offset(P) Proto Local Address Foreign Address State Pid Owner Created

0x3636300 UDPv4 0.0.0.0:0 *:* 3736 Skype.exe 2012-04-06 13:09:31 UTC+0000

0x959f010 TCPv4 10.3.58.6:62978 72.14.204.138:80 FIN_WAIT1 7508 chrome.exe

0x29933cf0 TCPv4 10.3.58.6:62979 72.14.204.102:80 FIN_WAIT1 7508 chrome.exe

0x2ac90a50 TCPv4 -:62088 14.0.33.84:80 CLOSED 7508 chrome.exe

0x4ce8d610 TCPv4 -:62054 -:80 CLOSED 7508 chrome.exe

0x578b2430 UDPv6 ::1:53608 *:* 2784 svchost.exe 2012-04-06 13:59:31 UTC+0000

0x58b9ecf0 TCPv4 10.3.58.6:445 10.3.58.7:2034 ESTABLISHED 4 System

0x5a690290 TCPv4 127.0.0.1:5678 127.0.0.1:62149 ESTABLISHED 4256 svchost.exe

0x72b40010 TCPv4 10.3.58.6:62854 74.217.78.140:80 FIN_WAIT1 7508 chrome.exe

0x7c488410 UDPv4 127.0.0.1:1900 *:* 2784 svchost.exe 2012-03-20 03:53:45 UTC+0000

0x7c4eaec0 UDPv4 127.0.0.1:53609 *:* 2784 svchost.exe 2012-04-06 13:59:31 UTC+0000

0x7c5173c0 TCPv4 10.3.58.6:62795 64.12.152.17:80 FIN_WAIT1 7508 chrome.exe

Now lets check the autoruns using the autoruns plugins

vol.py -f rawimage.img --profile=Win7SP1x64 autoruns -t autoruns

Autoruns =========================================

Hive: \??\C:\Users\SRL-Helpdesk\ntuser.dat

Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-03-15 21:20:12 UTC+0000)

Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT

Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)

Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)

Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2010-11-10 18:57:47 UTC+0000)

mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \SystemRoot\System32\Config\SOFTWARE

Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-09-16 20:57:09 UTC+0000)

VMware User Process : "C:\Program Files\VMware\VMware Tools\VMwareUser.exe" (PIDs: 8984, 4916)

VMware Tools : "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" (PIDs: 6744, 1844)

McAfee Host Intrusion Prevention Tray : "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe" (PIDs: -)

Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:53:13 UTC+0000)

ShStatEXE : "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (PIDs: -)

Adobe Reader Speed Launcher : "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" (PIDs: -)

McAfeeUpdaterUI : "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey (PIDs: -)

svchost : c:\windows\system32\dllhost\svchost.exe (PIDs: 4256)

Adobe ARM : "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" (PIDs: -)

Hive: \??\C:\Users\vibranium\ntuser.dat

Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:03:53 UTC+0000)

Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)

Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2012-04-05 17:03:53 UTC+0000)

mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT

Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)

Sidebar : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)

Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2010-11-10 18:57:47 UTC+0000)

mctadmin : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Users\nfury\ntuser.dat

Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-08-25 21:51:37 UTC+0000)

Google Update : "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe" /c (PIDs: 3968)

Skype : "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized (PIDs: 3736)

[1] http://www.forensicswiki.org/wiki/Hiberfil.sys

[2] https://github.com/libyal/libvshadow

[3] https://comae.typeform.com/to/XIvMa7

Basil

60 Posts
ISC Handler

Sep 27th 2016

Note the missing quotes around %ProgramFiles%\Windows Sidebar\Sidebar.exe

See https://technet.microsoft.com/en-us/security/dn261332.aspx and https://support.microsoft.com/en-us/kb/2719662 why you should not just fix this bloody beginner's error, but remove these command lines completely.

Anonymous

Note the abomination "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe"

Some people at Google obviously can't distinguish "%LOCALAPPDATA%"^Wapplication data from "%ProgramFiles%"^Wprogram code and practice gross negligence.
KICK THEM!

Anonymous

> Note the abomination "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe"
> Some people at Google obviously can't distinguish "%LOCALAPPDATA%"^Wapplication data
> from "%ProgramFiles%"^Wprogram code and practice gross negligence.

Hmm. If 'nfury' was _NOT_ an administrator-level account,
then the Google software would install somewhere into that user's own file-tree,
because the account would have _NO_ permission to install into "%ProgramFiles%" .

Here's one to the principle of "least privilege".

Anonymous

Quoting Anonymous:> Note the abomination "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe"
> Some people at Google obviously can't distinguish "%LOCALAPPDATA%"^Wapplication data
> from "%ProgramFiles%"^Wprogram code and practice gross negligence.

Hmm. If 'nfury' was _NOT_ an administrator-level account,
then the Google software would install somewhere into that user's own file-tree,
because the account would have _NO_ permission to install into "%ProgramFiles%" .

Which IS the outright abomination: program code MUST NEVER be installed in a user-writable location.

Quoting Anonymous:
Here's one to the principle of "least privilege".

OUCH!
This principle means that you should run with the least privileges sufficient for a task. It does NOT mean that you should violate the principles of "privilege separation" and "write XOR execute".

Anonymous