Back in Time Memory Forensics

Published: 2016-09-27
Last Updated: 2016-09-27 17:25:27 UTC
by Basil Alawi S.Taher (Version: 1)
4 comment(s)


You might get into a case where you have only the disk image and no memory image, or you have a memory image but wish you had one from further back in time. With the hibernation file (hiberfil.sys), the page file (pagefile.sys) and crash dumps that may be possible, and if you are lucky enough you might be able to recover older versions of them from Volume Shadow Copy, which is enabled by default on most modern Windows versions. From a forensic point of view the hibernation file is the most useful of these.

“hiberfil.sys is the file used by default by Microsoft Windows to save the machine's state as part of the hibernation process. The operating system also keeps an open file handle to this file, so no user, including the Administrator, can read the file while the system is running.”[1]

If you have a disk image of Windows Vista or later, you can check whether a previous copy of hiberfil.sys exists in a Volume Shadow Copy (the Volume Snapshot Service); that copy might predate a malware infection or compromise, or might hold artifacts that were later deleted.

If you would like to check your image for previous versions of hiberfil.sys and restore them, you can use libvshadow by Joachim Metz [2].
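The recovery step described above, as an added example that is not part of this diary or of libvshadow: it assumes the libvshadow workflow of running vshadowmount against the disk image (with -o set to the byte offset of the NTFS partition) so that each snapshot appears as a raw volume image vss1, vss2, ..., which is then loop-mounted read-only. The function names, the output naming scheme and the signature check are my own; demo() runs against a constructed directory tree rather than a real snapshot.

```python
#!/usr/bin/env python3
"""Recover every version of hiberfil.sys held in Volume Shadow Copies.

Assumed libvshadow workflow (example code, not from the diary):
  vshadowinfo  -o <partition offset in bytes> disk.dd           # enumerate snapshots
  vshadowmount -o <partition offset in bytes> disk.dd /mnt/vss  # exposes /mnt/vss/vss1, vss2, ...
Each vssN is a raw NTFS volume image, so it is loop-mounted read-only and
hiberfil.sys is copied out and hashed, giving one candidate memory image per snapshot.
"""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# First four bytes of a hibernation file: "hibr"/"HIBR" when written at hibernation,
# "wake"/"WAKE" once Windows has resumed from it. A zeroed header was cleared and
# will not be parseable as a hibernation file.
KNOWN_SIGNATURES = {b"hibr", b"HIBR", b"wake", b"WAKE"}


def sha256_of(path):
    """Hash in 1 MiB chunks so a multi-gigabyte hiberfil.sys never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_hiberfils(snapshot_dirs, out_dir):
    """Copy <snapshot>/hiberfil.sys from each mounted snapshot into out_dir.

    Returns one record per snapshot; 'sha256' is None when that snapshot has no
    hiberfil.sys, and 'usable' says whether the header carries a known signature.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    results = []
    for snap in map(Path, snapshot_dirs):
        src = snap / "hiberfil.sys"
        rec = {"snapshot": snap.name, "copy": None, "size": None, "sha256": None,
               "signature": None, "usable": False}
        if src.is_file():
            dst = out_dir / f"hiberfil_{snap.name}.sys"
            shutil.copy2(src, dst)  # keeps the original timestamps for the evidence log
            with open(dst, "rb") as fh:
                sig = fh.read(4)
            rec.update(copy=str(dst), size=dst.stat().st_size, sha256=sha256_of(dst),
                       signature=sig, usable=sig in KNOWN_SIGNATURES)
        results.append(rec)
    return results


def unique_by_hash(results):
    """Several snapshots often hold the identical file; keep only one copy per hash."""
    seen, unique = set(), []
    for rec in results:
        if rec["sha256"] and rec["sha256"] not in seen:
            seen.add(rec["sha256"])
            unique.append(rec)
    return unique


def mount_snapshots(disk_image, partition_offset, vss_root, mount_root):
    """Expose the snapshots with vshadowmount and loop-mount each one read-only.

    Needs root plus libvshadow and ntfs-3g on the analysis box; not run by demo().
    """
    subprocess.run(["vshadowmount", "-o", str(partition_offset), disk_image, vss_root], check=True)
    mounted = []
    for volume in sorted(Path(vss_root).glob("vss*")):
        target = Path(mount_root) / volume.name
        target.mkdir(parents=True, exist_ok=True)
        subprocess.run(["mount", "-t", "ntfs", "-o", "ro,loop", str(volume), str(target)], check=True)
        mounted.append(target)
    return mounted


def demo():
    """Offline run on a constructed tree: two snapshots with the same file, one without."""
    root = Path(tempfile.mkdtemp(prefix="vss-demo-"))
    payload = b"HIBR" + b"\x00" * 508  # constructed placeholder, not a real hibernation file
    for name in ("vss1", "vss2", "vss3"):
        (root / name).mkdir()
    (root / "vss1" / "hiberfil.sys").write_bytes(payload)
    (root / "vss2" / "hiberfil.sys").write_bytes(payload)
    results = collect_hiberfils([root / n for n in ("vss1", "vss2", "vss3")], root / "recovered")
    return results, unique_by_hash(results)


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec)
```

Deduplicating by hash matters in practice: consecutive snapshots frequently contain the same hiberfil.sys, and converting and examining each copy would only repeat work.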

Once you have recovered the desired version of hiberfil.sys: the Volatility framework can examine hiberfil.sys directly, but that is very slow, so it is better to convert it to a raw memory image first:

vol.py -f hiberfil.sys --profile=Win7SP1x64 imagecopy -O rawimage.img


In the above example I used the imagecopy plugin to do the conversion; you have to specify the exact Windows version and service pack level as the profile. Another option is hibr2bin.exe by Matt Suiche [3].

Now let's examine our image:

vol.py -f rawimage.img --profile=Win7SP1x64 pslist

Volatility Foundation Volatility Framework 2.4
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccca9e0 System                    4      0    112      567 ------      0 2012-03-15 22:34:19 UTC+0000
0xfffffa800d2b5b30 smss.exe                228      4      3       35 ------      0 2012-03-15 22:34:19 UTC+0000
0xfffffa800e8862f0 csrss.exe               352    344      9      869      0      0 2012-03-15 22:34:44 UTC+0000
0xfffffa800cd049f0 csrss.exe               404    396      9       78      1      0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9a8060 wininit.exe             436    344      3       77      0      0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9a7860 winlogon.exe            444    396      4       94      1      0 2012-03-15 22:34:49 UTC+0000
0xfffffa800e9df060 services.exe            508    436      9      274      0      0 2012-03-15 22:34:55 UTC+0000
0xfffffa800e9e3850 lsass.exe               516    436      8      942      0      0 2012-03-15 22:34:56 UTC+0000
0xfffffa800e9ea910 lsm.exe                 524    436     14      311      0      0 2012-03-15 22:34:56 UTC+0000
0xfffffa800ea45860 svchost.exe             612    508     11      375      0      0 2012-03-15 22:35:05 UTC+0000
0xfffffa800ea779f0 svchost.exe             688    508     11      364      0      0 2012-03-15 22:35:08 UTC+0000
0xfffffa800ea94b30 LogonUI.exe             764    444      8      201      1      0 2012-03-15 22:35:09 UTC+0000
0xfffffa800eaa8b30 svchost.exe             772    508     22      522      0      0 2012-03-15 22:35:09 UTC+0000
0xfffffa800eaceb30 svchost.exe             832    508     21      517      0      0 2012-03-15 22:35:10 UTC+0000
0xfffffa800ead2b30 svchost.exe             856    508     45     1402      0      0 2012-03-15 22:35:10 UTC+0000
0xfffffa800eb16b30 svchost.exe             972    508     22      395      0      0 2012-03-15 22:35:12 UTC+0000
0xfffffa800eb4d730 svchost.exe             292    508     25      697      0      0 2012-03-15 22:35:14 UTC+0000
0xfffffa800eb51b30 spoolsv.exe             924    508     14      337      0      0 2012-03-15 22:35:26 UTC+0000
0xfffffa800ebd5820 svchost.exe             360    508     21      332      0      0 2012-03-15 22:35:27 UTC+0000
0xfffffa800ec5e650 FireSvc.exe            1168    508     21      349      0      0 2012-03-15 22:35:32 UTC+0000

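Because every shadow copy can yield its own hiberfil.sys, the natural next step is to run pslist against each converted image and diff the listings by (name, PID, start time), which is what "back in time" buys you. The following is an added example, not from the diary or the Volatility project: it parses Volatility 2 pslist text, SNAPSHOT_PSLIST is an excerpt of the listing above standing in for an older shadow copy, and CURRENT_PSLIST is a constructed variant in which spoolsv.exe is gone and a svchost.exe with PID 4256 (the PID seen later in the netscan and autoruns output) has appeared; every field of that added row apart from the name and PID is made up.

```python
import re

# One data row of Volatility 2 pslist output:
# Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start [Exit]
PSLIST_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+|-+)\s+(?P<sess>\d+|-+)\s+(?P<wow64>\d+)\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})"
    r"(?:\s+(?P<exit>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}))?\s*$"
)


def parse_pslist(text):
    """Map (name, pid, start time) -> row; keying on the start time keeps a
    recycled PID from being mistaken for the same process."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            row = m.groupdict()
            procs[(row["name"], int(row["pid"]), row["start"])] = row
    return procs


def diff_pslist(older, newer):
    """Processes only in the newer listing, and processes only in the older one."""
    appeared = sorted(k for k in newer if k not in older)
    vanished = sorted(k for k in older if k not in newer)
    return appeared, vanished


def reused_pids(older, newer):
    """Same name and PID on both sides but a different start time: the PID was
    recycled, so the two rows are two processes, not one long-lived one."""
    old_start = {k[:2]: k[2] for k in older}
    return sorted((n, p, old_start[(n, p)], s) for (n, p, s) in newer
                  if (n, p) in old_start and old_start[(n, p)] != s)


# Excerpt of the diary's pslist output, standing in for the hiberfil.sys from an
# older Volume Shadow Copy.
SNAPSHOT_PSLIST = """\
Volatility Foundation Volatility Framework 2.4
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccca9e0 System                    4      0    112      567 ------      0 2012-03-15 22:34:19 UTC+0000
0xfffffa800d2b5b30 smss.exe                228      4      3       35 ------      0 2012-03-15 22:34:19 UTC+0000
0xfffffa800e9df060 services.exe            508    436      9      274      0      0 2012-03-15 22:34:55 UTC+0000
0xfffffa800ea45860 svchost.exe             612    508     11      375      0      0 2012-03-15 22:35:05 UTC+0000
0xfffffa800eb51b30 spoolsv.exe             924    508     14      337      0      0 2012-03-15 22:35:26 UTC+0000
"""

# Constructed listing for the current hiberfil.sys: spoolsv.exe is gone and a
# svchost.exe with PID 4256 has appeared (offset, PPID, counts and start time made up).
CURRENT_PSLIST = """\
Volatility Foundation Volatility Framework 2.4
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccca9e0 System                    4      0    112      567 ------      0 2012-03-15 22:34:19 UTC+0000
0xfffffa800d2b5b30 smss.exe                228      4      3       35 ------      0 2012-03-15 22:34:19 UTC+0000
0xfffffa800e9df060 services.exe            508    436      9      274      0      0 2012-03-15 22:34:55 UTC+0000
0xfffffa800ea45860 svchost.exe             612    508     11      375      0      0 2012-03-15 22:35:05 UTC+0000
0xfffffa800e0000a0 svchost.exe            4256   2280      6       88      1      0 2012-04-05 17:53:20 UTC+0000
"""

if __name__ == "__main__":
    older, newer = parse_pslist(SNAPSHOT_PSLIST), parse_pslist(CURRENT_PSLIST)
    appeared, vanished = diff_pslist(older, newer)
    print("appeared:", appeared)
    print("vanished:", vanished)
    print("pid reuse:", reused_pids(older, newer))
```

Feed it the pslist text from each converted image in snapshot order and the "appeared" side of each diff is the short list of processes worth looking at first.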

And let's check the network connections:

vol.py -f rawimage.img --profile=Win7SP1x64 netscan

Volatility Foundation Volatility Framework 2.4
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3636300          UDPv4    0.0.0.0:0                      *:*                                   3736     Skype.exe      2012-04-06 13:09:31 UTC+0000
0x959f010          TCPv4    10.3.58.6:62978                72.14.204.138:80     FIN_WAIT1        7508     chrome.exe
0x29933cf0         TCPv4    10.3.58.6:62979                72.14.204.102:80     FIN_WAIT1        7508     chrome.exe
0x2ac90a50         TCPv4    -:62088                        14.0.33.84:80        CLOSED           7508     chrome.exe
0x4ce8d610         TCPv4    -:62054                        -:80                 CLOSED           7508     chrome.exe
0x578b2430         UDPv6    ::1:53608                      *:*                                   2784     svchost.exe    2012-04-06 13:59:31 UTC+0000
0x58b9ecf0         TCPv4    10.3.58.6:445                  10.3.58.7:2034       ESTABLISHED      4        System
0x5a690290         TCPv4    127.0.0.1:5678                 127.0.0.1:62149      ESTABLISHED      4256     svchost.exe
0x72b40010         TCPv4    10.3.58.6:62854                74.217.78.140:80     FIN_WAIT1        7508     chrome.exe
0x7c488410         UDPv4    127.0.0.1:1900                 *:*                                   2784     svchost.exe    2012-03-20 03:53:45 UTC+0000
0x7c4eaec0         UDPv4    127.0.0.1:53609                *:*                                   2784     svchost.exe    2012-04-06 13:59:31 UTC+0000
0x7c5173c0         TCPv4    10.3.58.6:62795                64.12.152.17:80      FIN_WAIT1        7508     chrome.exe


Now let's check the autoruns using the autoruns plugin:

vol.py -f rawimage.img --profile=Win7SP1x64 autoruns -t autoruns

Autoruns =========================================

Hive: \??\C:\Users\SRL-Helpdesk\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-03-15 21:20:12 UTC+0000)
        Sidebar                        : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)
        Sidebar                        : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2010-11-10 18:57:47 UTC+0000)
        mctadmin                       : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \SystemRoot\System32\Config\SOFTWARE
    Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-09-16 20:57:09 UTC+0000)
        VMware User Process            : "C:\Program Files\VMware\VMware Tools\VMwareUser.exe" (PIDs: 8984, 4916)
        VMware Tools                   : "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" (PIDs: 6744, 1844)
        McAfee Host Intrusion Prevention Tray : "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe" (PIDs: -)
    Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:53:13 UTC+0000)
        ShStatEXE                      : "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (PIDs: -)
        Adobe Reader Speed Launcher    : "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" (PIDs: -)
        McAfeeUpdaterUI                : "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey (PIDs: -)
        svchost                        : c:\windows\system32\dllhost\svchost.exe (PIDs: 4256)
        Adobe ARM                      : "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" (PIDs: -)

Hive: \??\C:\Users\vibranium\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-04-05 17:03:53 UTC+0000)
        Sidebar                        : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2012-04-05 17:03:53 UTC+0000)
        mctadmin                       : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
        Sidebar                        : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2010-11-10 18:57:47 UTC+0000)
        mctadmin                       : C:\Windows\System32\mctadmin.exe (PIDs: -)

Hive: \??\C:\Users\nfury\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-08-25 21:51:37 UTC+0000)
        Google Update                  : "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe" /c (PIDs: 3968)
        Skype                          : "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized (PIDs: 3736)

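To triage the netscan and autoruns listings above together rather than by eye, here is an added example (not from the diary or from the Volatility autoruns plugin) that parses both outputs, flags autorun entries whose image path is unquoted and contains spaces, whose executable carries a core Windows binary name but sits outside System32, or whose executable lives under a user-writable directory, and then attaches the netscan records belonging to each flagged entry's PIDs. The heuristics, the SYSTEM32_ONLY list and the function names are mine; the sample text is excerpted from the two listings above.

```python
import re
from collections import defaultdict

# "        Name : command (PIDs: a, b)" rows of the Volatility autoruns plugin output.
AUTORUN_ROW = re.compile(r"^\s+(?P<name>.+?)\s+:\s+(?P<cmd>.+?)\s+\(PIDs: (?P<pids>[^)]*)\)\s*$")
EXE = re.compile(r"\.exe\b", re.IGNORECASE)
# Core Windows binaries that legitimately run only from directly under System32 (heuristic list).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe",
                 "winlogon.exe", "wininit.exe", "lsm.exe", "spoolsv.exe"}
USER_WRITABLE = ("c:\\users\\", "%localappdata%", "%appdata%", "%temp%", "%tmp%", "%userprofile%")


def image_path(cmd):
    """Split an autorun command line into (executable path, was_quoted)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)], True
    m = EXE.search(cmd)  # unquoted: take everything up to the first .exe
    return (cmd[:m.end()] if m else cmd.split()[0]), False


def normalise(path):
    return path.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def parse_autoruns(text):
    entries = []
    for line in text.splitlines():
        m = AUTORUN_ROW.match(line)
        if m:
            path, quoted = image_path(m["cmd"])
            entries.append({"name": m["name"], "path": path, "quoted": quoted,
                            "pids": [int(p) for p in re.findall(r"\d+", m["pids"])]})
    return entries


def triage(entries):
    """Return only the entries that trip one of the three heuristics, with the reasons."""
    findings = []
    for e in entries:
        p = normalise(e["path"])
        parent, _, base = p.rpartition("\\")
        reasons = []
        if not e["quoted"] and " " in e["path"]:
            reasons.append("unquoted path containing spaces")
        if base in SYSTEM32_ONLY and parent != "c:\\windows\\system32":
            reasons.append(f"{base} outside System32 ({parent})")
        if p.startswith(USER_WRITABLE):
            reasons.append("executable in a user-writable location")
        if reasons:
            findings.append({"name": e["name"], "path": e["path"], "pids": e["pids"], "reasons": reasons})
    return findings


def parse_netscan(text):
    """Rows of Volatility 2 netscan output; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("0x"):
            continue
        state, pid, owner = (f[4], f[5], f[6]) if f[1].startswith("TCP") else ("", f[4], f[5])
        conns.append({"proto": f[1], "local": f[2], "foreign": f[3], "state": state,
                      "pid": int(pid), "owner": owner})
    return conns


def correlate(findings, conns):
    """Attach every netscan record whose PID matches a flagged autorun entry."""
    by_pid = defaultdict(list)
    for c in conns:
        by_pid[c["pid"]].append(c)
    for f in findings:
        f["connections"] = [c for pid in f["pids"] for c in by_pid[pid]]
    return findings


# Excerpts of the diary's autoruns and netscan output used as sample input.
AUTORUNS = r"""
Hive: \??\C:\Users\SRL-Helpdesk\ntuser.dat
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2012-03-15 21:20:12 UTC+0000)
        Sidebar                        : %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (PIDs: -)
Hive: \SystemRoot\System32\Config\SOFTWARE
    Microsoft\Windows\CurrentVersion\Run (Last modified: 2011-09-16 20:57:09 UTC+0000)
        VMware User Process            : "C:\Program Files\VMware\VMware Tools\VMwareUser.exe" (PIDs: 8984, 4916)
        McAfee Host Intrusion Prevention Tray : "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe" (PIDs: -)
        ShStatEXE                      : "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (PIDs: -)
        svchost                        : c:\windows\system32\dllhost\svchost.exe (PIDs: 4256)
Hive: \??\C:\Users\nfury\ntuser.dat
        Google Update                  : "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe" /c (PIDs: 3968)
        Skype                          : "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized (PIDs: 3736)
"""
NETSCAN = """
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3636300          UDPv4    0.0.0.0:0                      *:*                                   3736     Skype.exe      2012-04-06 13:09:31 UTC+0000
0x959f010          TCPv4    10.3.58.6:62978                72.14.204.138:80     FIN_WAIT1        7508     chrome.exe
0x58b9ecf0         TCPv4    10.3.58.6:445                  10.3.58.7:2034       ESTABLISHED      4        System
0x5a690290         TCPv4    127.0.0.1:5678                 127.0.0.1:62149      ESTABLISHED      4256     svchost.exe
"""

if __name__ == "__main__":
    for f in correlate(triage(parse_autoruns(AUTORUNS)), parse_netscan(NETSCAN)):
        print(f["name"], f["path"], f["reasons"], [(c["local"], c["foreign"], c["state"]) for c in f["connections"]])
```

The three heuristics are deliberately cheap and will produce false positives (a legitimately relocated binary, a vendor updater in AppData); their value is in ordering the review, and the attached netscan rows tell you immediately whether a flagged entry was also talking on the network at the time of the snapshot.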

[1] http://www.forensicswiki.org/wiki/Hiberfil.sys

[2] https://github.com/libyal/libvshadow

[3] https://comae.typeform.com/to/XIvMa7


Comments

Note the missing quotes around %ProgramFiles%\Windows Sidebar\Sidebar.exe

See https://technet.microsoft.com/en-us/security/dn261332.aspx and https://support.microsoft.com/en-us/kb/2719662 for why you should not just fix this bloody beginner's error, but remove these command lines completely.

Note the abomination "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe"

Some people at Google obviously can't distinguish "%LOCALAPPDATA%"^Wapplication data from "%ProgramFiles%"^Wprogram code and practice gross negligence.
KICK THEM!

> Note the abomination "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe"
> Some people at Google obviously can't distinguish "%LOCALAPPDATA%"^Wapplication data
> from "%ProgramFiles%"^Wprogram code and practice gross negligence.

Hmm. If 'nfury' was _NOT_ an administrator-level account,
then the Google software would install somewhere into that user's own file-tree,
because the account would have _NO_ permission to install into "%ProgramFiles%" .

Here's one to the principle of "least privilege".

[quote=comment#37887]> Note the abomination "C:\Users\nfury\AppData\Local\Google\Update\GoogleUpdate.exe"
> Some people at Google obviously can't distinguish "%LOCALAPPDATA%"^Wapplication data
> from "%ProgramFiles%"^Wprogram code and practice gross negligence.

Hmm. If 'nfury' was _NOT_ an administrator-level account,
then the Google software would install somewhere into that user's own file-tree,
because the account would have _NO_ permission to install into "%ProgramFiles%" .[/quote]

Which IS the outright abomination: program code MUST NEVER be installed in a user-writable location.

[quote=comment#37887]
Here's one to the principle of "least privilege".
[/quote]

OUCH!
This principle means that you should run with the least privileges sufficient for a task. It does NOT mean that you should violate the principles of "privilege separation" and "write XOR execute".
