内存取证volatility_usage: volatility - a memory forensics analysis pl

一、内存取证技术

内存取证一般指对计算机及其相关智能设备运行时的物理内存中存储的临时数据进行获取与分析，提取相关重要信息

内存取证三步曲：解析Windows/linux/mac 的内存结构、分析进程等内存数据、根据题目提示寻找线索和思路，提取分析指定进程的特定内存数据

常见的内存结构存在于三大操作系统：windows操作系统、Linux操作系统、mac os操作系统

常见的内存文件格式：img、dmp、raw、wmem等

二、内存取证工具volatility

volatility是一款开源内存取证框架，能够对导出的内存镜像进行分析，通过获取内核数据结构，使用插件获取内存的详细情况以及系统的运行状态
取证文件后缀：raw、vmem、img
常用命令：imageinfo、pslist、dumpfiles、memdump
可疑的进程：notepad、cmd
下载链接: https://www.volatilityfoundation.org/releases

2.1volatility使用

下载：

修改环境变量：

验证：安装成功

2.2常用命令

C:\Users\20942>volatility --help
Volatility Foundation Volatility Framework 2.6
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (semi-colon
                        separated)
  --info                Print information about all registered objects
  --cache-directory=C:\Users\20942/.cache\volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  --shift=SHIFT         Mac KASLR shift address
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address

        Supported Plugin Commands:

                amcache         Print AmCache information
                apihooks        Detect API hooks in process and kernel memory
                atoms           Print session and window station atom tables
                atomscan        Pool scanner for atom tables
                auditpol        Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
                bigpools        Dump the big page pools using BigPagePoolScanner
                bioskbd         Reads the keyboard buffer from Real Mode memory
                cachedump       Dumps cached domain hashes from memory
                callbacks       Print system-wide notification routines
                clipboard       Extract the contents of the windows clipboard
                cmdline         Display process command-line arguments
                cmdscan         Extract command history by scanning for _COMMAND_HISTORY
                connections     Print list of open connections [Windows XP and 2003 Only]
                connscan        Pool scanner for tcp connections
                consoles        Extract command history by scanning for _CONSOLE_INFORMATION
                crashinfo       Dump crash-dump information
                deskscan        Poolscaner for tagDESKTOP (desktops)
                devicetree      Show device tree
                dlldump         Dump DLLs from a process address space
                dlllist         Print list of loaded dlls for each process
                driverirp       Driver IRP hook detection
                drivermodule    Associate driver objects to kernel modules
                driverscan      Pool scanner for driver objects
                dumpcerts       Dump RSA private and public SSL keys
                dumpfiles       Extract memory mapped and cached files
                dumpregistry    Dumps registry files out to disk
                editbox         Displays information about Edit controls. (Listbox experimental.)
                envars          Display process environment variables
                eventhooks      Print details on windows event hooks
                evtlogs         Extract Windows Event Logs (XP/2003 only)
                filescan        Pool scanner for file objects
                gahti           Dump the USER handle type information
                gditimers       Print installed GDI timers and callbacks
                gdt             Display Global Descriptor Table
                getservicesids  Get the names of services in the Registry and return Calculated SID
                getsids         Print the SIDs owning each process
                handles         Print list of open handles for each process
                hashdump        Dumps passwords hashes (LM/NTLM) from memory
                hibinfo         Dump hibernation file information
                hivedump        Prints out a hive
                hivelist        Print list of registry hives.   #列出注册表信息
                hivescan        Pool scanner for registry hives
                hpakextract     Extract physical memory from an HPAK file
                hpakinfo        Info on an HPAK file
                idt             Display Interrupt Descriptor Table
                iehistory       Reconstruct Internet Explorer cache / history
                imagecopy       Copies a physical address space out as a raw DD image
                imageinfo       Identify information for the image
                impscan         Scan for calls to imported functions
                joblinks        Print process job link information
                kdbgscan        Search for and dump potential KDBG values
                kpcrscan        Search for and dump potential KPCR values
                ldrmodules      Detect unlinked DLLs
                lsadump         Dump (decrypted) LSA secrets from the registry
                machoinfo       Dump Mach-O file format information
                malfind         Find hidden and injected code
                mbrparser       Scans for and parses potential Master Boot Records (MBRs)
                memdump         Dump the addressable memory for a process
                memmap          Print the memory map
                messagehooks    List desktop and thread window message hooks
                mftparser       Scans for and parses potential MFT entries
                moddump         Dump a kernel driver to an executable file sample
                modscan         Pool scanner for kernel modules
                modules         Print list of loaded modules
                multiscan       Scan for various objects at once
                mutantscan      Pool scanner for mutex objects
                notepad         List currently displayed notepad text
                objtypescan     Scan for Windows object type objects
                patcher         Patches memory based on page scans
                poolpeek        Configurable pool scanner plugin
                printkey        Print a registry key, and its subkeys and values
                privs           Display process privileges
                procdump        Dump a process to an executable file sample
                pslist          Print all running processes by following the EPROCESS lists
                psscan          Pool scanner for process objects
                pstree          Print process list as a tree
                psxview         Find hidden processes with various process listings
                qemuinfo        Dump Qemu information
                raw2dmp         Converts a physical memory sample to a windbg crash dump
                screenshot      Save a pseudo-screenshot based on GDI windows
                servicediff     List Windows services (ala Plugx)
                sessions        List details on _MM_SESSION_SPACE (user logon sessions)
                shellbags       Prints ShellBags info
                shimcache       Parses the Application Compatibility Shim Cache registry key
                shutdowntime    Print ShutdownTime of machine from registry
                sockets         Print list of open sockets
                sockscan        Pool scanner for tcp socket objects
                ssdt            Display SSDT entries
                strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
                svcscan         Scan for Windows services
                symlinkscan     Pool scanner for symlink objects
                thrdscan        Pool scanner for thread objects
                threads         Investigate _ETHREAD and _KTHREADs
                timeliner       Creates a timeline from various artifacts in memory
                timers          Print kernel timers and associated module DPCs
                truecryptmaster Recover TrueCrypt 7.1a Master Keys
                truecryptpassphrase     TrueCrypt Cached Passphrase Finder
                truecryptsummary        TrueCrypt Summary
                unloadedmodules Print list of unloaded modules
                userassist      Print userassist registry keys and information
                userhandles     Dump the USER handle tables
                vaddump         Dumps out the vad sections to a file
                vadinfo         Dump the VAD info
                vadtree         Walk the VAD tree and display in tree format
                vadwalk         Walk the VAD tree
                vboxinfo        Dump virtualbox information
                verinfo         Prints out the version information from PE images
                vmwareinfo      Dump VMware VMSS/VMSN information
                volshell        Shell in the memory image
                windows         Print Desktop Windows (verbose details)
                wintree         Print Z-Order Desktop Windows Tree
                wndscan         Pool scanner for window stations
                yarascan        Scan process or kernel memory with Yara signatures
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

#########################1.常用命令#####################33
volatility -f memory.raw imageinfo #查看内存镜像的基本信息

volatility -f memory.raw --profile=Win7SP1x64 cmdscan  #查看内存中保留的cmd命令使用情况

volatility -f memory.raw --profile=Win7SP1x64 notepad  #查看记事本相关信息

volatility -f memory.raw --profile=Win7SP1x64 filescan  #查看内存中保留的文件
volatility -f memory.raw --profile=Win7SP1x64 filescan | findstr Desktop #包含Desktop字段
volatility -f memory.raw --profile=Win7SP1x64 filescan | grep Desktop  #linux
volatility -f memory.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000007f8e0cd0 -D./  #导出文件 -Q指定文件在内存中的地址，-D指定文件导出的地址

volatility -f memory.raw --profile=Win7SP1x64 envars #查看内存中的环境变量
volatility -f memory.raw --profile=Win7SP1x64 envars | findstr key
volatility -f memory.raw --profile=Win7SP1x64 envars | findstr USERNAME

volatility -f memory.raw --profile=Win7SP1x64 netscan  #查看内存中网络连接情况

volatility -f memory.raw --profile=Win7SP1x64 iehistory #查看ie浏览器历史记录

volatility -f memory.raw --profile=Win7SP1x64 svcscan  #查看内存服务

volatility -f memory.raw --profile=Win7SP1x64 pslist  #查看内存中的进程信息
volatility -f memory.raw --profile=Win7SP1x64 psscan  #扫描进程
volatility -f memory.raw --profile=Win7SP1x64 pstree  #
volatility -f memory.raw --profile=Win7SP1x64 memdump -p 364 -D ./  #将进程导出，-p指定进程号，-D指定导出位置


volatility -f memory.raw --profile=Win7SP1x64 clipboard  #查看复制、截切版

volatility -f memory.raw --profile=Win7SP1x64 hivelist #查看注册表信息
volatility -f memory.raw --profile=Win7SP1x64 hivescan #打印注册表内存地址
volatility -f memory.raw --profile=Win7SP1x64 hivedump -o 0xfffff8a000fee010 #打印注册表中的信息
volatility -f memory.raw --profile=Win7SP1x64 printkey -K "SAM\Domains\Account\users\Names" #查看注册表中的健值
##注册表主机名存放位置
\REGISTRY\MACHINE\SYSTEM
ControlSet001\Control\ComputerName\ComputerName
##注册表用户名存放位置
\SystemRoot\System32\Config\SAM
SAM\Domains\Account\Users\Names\

volatility -f EternalBlue.raw --profile=Win7SP1x64 lsadump  #获取用户密码明文
volatility -f EternalBlue.raw --profile=Win7SP1x64 hashdump #获取用户密码密文
volatility -f EternalBlue.raw --profile=Win7SP1x64 mimikatz #获取用户密码明文


#1.查看内存文件基本信息
C:\Users\20942>volatility -f C:\Users\20942\Desktop\memory.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\20942\Desktop\memory.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a470a0L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a48d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-05-23 07:56:24 UTC+0000
     Image local date and time : 2021-05-23 15:56:24 +0800
     
     
#2.指定当前文件的指定格式，使用插件查看详细信息
C:\Users\20942>volatility -f C:\Users\20942\Desktop\memory.raw --profile=Win7SP1x64 pslist


C:\Users\20942\Desktop>volatility -f memory.raw --profile=Win7SP1x64 psscan

#将进程导出
C:\Users\20942\Desktop>volatility -f memory.raw --profile=Win7SP1x64 memdump -p 364 -D ./

#获取内存中的系统用户的密码hash值
C:\Users\20942\Desktop>volatility -f memory.raw --profile=Win7SP1x64 hashdump

#获取内存中的系统用户的明文密码
C:\Users\20942\Desktop>volatility -f memory.raw --profile=Win7SP1x64 mimikatz

#获取用户密码明文（不准确）
C:\Users\20942\Desktop>volatility -f memory.raw --profile=Win7SP1x64 lsadump


#查看注册表信息
C:\Users\20942\Desktop>volatility -f memory.raw --profile=Win7SP1x64 printkey -K "SAM\Domains\Account\users\Names"

#查看缓存在内存中的注册表信息
C:\Users\20942\Desktop>volatility -f memory.raw --profile=Win7SP1x64 hivelist

#获取cmd终端信息
C:\Users\20942\Desktop>volatility -f memory.raw --profile=Win7SP1x64 cmdscan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

三、解密工具

3.1Elconsoft.Forensic.Disk

Elconsoft.Forensic.Disk解密挂载工具，主要支持TureCrypt、Bitlocker程序
​可以使用加密进程进行分析，自己得到加密密钥

3.2CnCrypt_v1.29

CnCrypt_v1.29工具主要支持CnCrypt程序
​ 需要密钥进行解密

linux常用命令

vim -r data.txt  #恢复文件
file data.txt  #查看文件格式
1
2