SlideShare uma empresa Scribd logo

From hybernation file to malware analysis with volatility

Christiaan Beek
Christiaan Beek

Howto on creating a memdump file from a hybernationfile, followed by

Tecnologia
1 de 2
Baixar para ler offline
From Hybernation file to Malware analysis with Volatility Intro In many malware related cases, the systems are still up and running and perfect for creating a memory dump before starting any investigation regarding the other volatile data and interesting files. In some cases the customer already took the machines from the network and shut them down. From an investigator’s perspective, valuable volatile data could be lost caused by this shutdown. A great way to reconstruct the memory for investigation is to extract the hibernation file from the Windows system and reconstruct it to a memory-dump file format. The hibernation file (hyberfil.sys) contains all the physical memory that was saved by the operating system for restoring usage during the next time the system is booted. Extract the hiberfil.sys file How do we start? First of all a forensic sound duplicate of the hard-drive is made by using a write-blocker. After the ‘mother’-copy has been duplicated; a ‘work-copy’ is mounted to the investigator’s analysis station. With Encase or FTK Imager, it is possible to extract the file from the disk-image. In this case we use the free-tool FTK Imager. After adding the disk to the software, you have to browse to the root dir of the system. Figure 1 selecting the hiberfil.sys file While selecting the file, execute a right-mouseclick and choose the option ‘Export Files’, followed by the location you want to dump this file. Convert the hiberfile.sys to a memory-dump file We know have the file exported, but we need to convert it to a readable format for memory analysis tools like Volatility. In 2007, Matthieu Suiche started a project on this called ‘Sandman’.
This project was started to better investigate the hiberfil.sys file and what data could be extracted. One of the scripts Matthieu wrote was able to convert the hiberfil.sys file into a memory-dump format. This script and more was later adopted into Moonsols memory dump/converting toolkit. Moonsol is offering a community and enterprise edition of this toolkit. The community edition has the tool hibr2bin that is compatible with 32bit hibernation files of XP/2003/2008 & Vista. After downloading the tool we are going to convert our extracted hiberfil.sys file towards a bin file that can be used for analysis with volatility. The usage of the tool is pretty straight forward: Hibr2bin.exe <input file> <output file>: After this has been completed we have a file that can be imported to Volatility. Volatility When using Volatility, I prefer to use a ‘forensic order’ of using the plugins: Identify Image: plugin: imageinfo Identify suspicious processes: plugin: pslist & psscan Identify active/closed/hidden cons plugin: connections & connscan2, socks & sockscan2 Identify suspicious dll’s, open/hidden/closed files: plugin: dlllist , files & fileobjscan These plugins are followed by the plugin ‘malfind’ and others related to the case.

Recomendados

In-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesIn-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesMaxim Suhanov
 
Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registrysomutripathi
 
10 resource kit remote administration tools
10 resource kit remote administration tools10 resource kit remote administration tools
10 resource kit remote administration toolsDuggesh Talawar
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry ForensicsSomesh Sawhney
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Recover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows ComputerRecover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows ComputerArthur King
 

Recomendados

In-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesIn-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesMaxim Suhanov
 
Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registrysomutripathi
 
10 resource kit remote administration tools
10 resource kit remote administration tools10 resource kit remote administration tools
10 resource kit remote administration toolsDuggesh Talawar
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry ForensicsSomesh Sawhney
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Recover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows ComputerRecover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows ComputerArthur King
 
fast_bitcoin_data_mining
fast_bitcoin_data_miningfast_bitcoin_data_mining
fast_bitcoin_data_miningJason Papapanagiotakis
 
Avg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAvg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAVG Technologies
 
Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Aziz Sasmaz
 
Linux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixLinux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixPaddy Lock
 
Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Akshay koshti
 
Windows advanced
Windows advancedWindows advanced
Windows advancedyarden hanan
 
Wait events
Wait eventsWait events
Wait eventsAnu Rana
 
File windows local
File windows localFile windows local
File windows localyarden hanan
 
Unix Administration
Unix AdministrationUnix Administration
Unix AdministrationNishant Munjal
 
Hacking Windows IPC
Hacking Windows IPCHacking Windows IPC
Hacking Windows IPCgueste041bc
 
Oracle11g notes
Oracle11g notesOracle11g notes
Oracle11g notesManish Mudhliyar
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesSandeep Kumar Seeram
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...AbundioTeca
 
Deft v7
Deft v7Deft v7
Deft v7TGodfrey
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profitYouness Zougar
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsCysinfo Cyber Security Community
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
3170725_Unit-4.pptx
3170725_Unit-4.pptx3170725_Unit-4.pptx
3170725_Unit-4.pptxYashPatel132112
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imagingDINESH KAMBLE
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating SystemKunalKewat1
 

Mais conteúdo relacionado

Mais procurados

Avg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAvg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAVG Technologies
 
Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Aziz Sasmaz
 
Linux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixLinux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixPaddy Lock
 
Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Akshay koshti
 
Wait events
Wait eventsWait events
Wait eventsAnu Rana
 
File windows local
File windows localFile windows local
File windows localyarden hanan
 
Hacking Windows IPC
Hacking Windows IPCHacking Windows IPC
Hacking Windows IPCgueste041bc
 

Mais procurados (11)

fast_bitcoin_data_mining
fast_bitcoin_data_miningfast_bitcoin_data_mining
fast_bitcoin_data_mining
 
Avg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAvg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White Paper
 
Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Evernote Touch App Artifact Report
Evernote Touch App Artifact Report
 
Linux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixLinux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on Eduonix
 
Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to
 
Windows advanced
Windows advancedWindows advanced
Windows advanced
 
Wait events
Wait eventsWait events
Wait events
 
File windows local
File windows localFile windows local
File windows local
 
Unix Administration
Unix AdministrationUnix Administration
Unix Administration
 
Hacking Windows IPC
Hacking Windows IPCHacking Windows IPC
Hacking Windows IPC
 
Oracle11g notes
Oracle11g notesOracle11g notes
Oracle11g notes
 

Semelhante a From hybernation file to malware analysis with volatility

Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesSandeep Kumar Seeram
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...AbundioTeca
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profitYouness Zougar
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsCysinfo Cyber Security Community
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012Rian Yulian
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating SystemKunalKewat1
 
Encrypt and decrypt in solaris system
Encrypt and decrypt in solaris systemEncrypt and decrypt in solaris system
Encrypt and decrypt in solaris systemuzzal basak
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docxevonnehoggarth79783
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded
 
Kinect installation guide
Kinect installation guideKinect installation guide
Kinect installation guidegilmsdn
 
Batch File Virus Project Technical Paper
Batch File Virus Project Technical PaperBatch File Virus Project Technical Paper
Batch File Virus Project Technical PaperStephen Whisman
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisAbdulrahman Bassam
 

Semelhante a From hybernation file to malware analysis with volatility (20)

Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
 
Deft v7
Deft v7Deft v7
Deft v7
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profit
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
3170725_Unit-4.pptx
3170725_Unit-4.pptx3170725_Unit-4.pptx
3170725_Unit-4.pptx
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating System
 
Encrypt and decrypt in solaris system
Encrypt and decrypt in solaris systemEncrypt and decrypt in solaris system
Encrypt and decrypt in solaris system
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
 
Booklet
BookletBooklet
Booklet
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Kinect installation guide
Kinect installation guideKinect installation guide
Kinect installation guide
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Batch File Virus Project Technical Paper
Batch File Virus Project Technical PaperBatch File Virus Project Technical Paper
Batch File Virus Project Technical Paper
 
O p
O pO p
O p
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
 

Mais de Christiaan Beek

We-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-tooWe-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-tooChristiaan Beek
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"Christiaan Beek
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"Christiaan Beek
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseChristiaan Beek
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
Taming worms, rats, dragons & more
Taming worms, rats, dragons & moreTaming worms, rats, dragons & more
Taming worms, rats, dragons & moreChristiaan Beek
 

Mais de Christiaan Beek (7)

We-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-tooWe-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-too
 
3871778
38717783871778
3871778
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypse
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Taming worms, rats, dragons & more
Taming worms, rats, dragons & moreTaming worms, rats, dragons & more
Taming worms, rats, dragons & more
 

Último

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Último (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

From hybernation file to malware analysis with volatility

  • 1. From Hybernation file to Malware analysis with Volatility Intro In many malware related cases, the systems are still up and running and perfect for creating a memory dump before starting any investigation regarding the other volatile data and interesting files. In some cases the customer already took the machines from the network and shut them down. From an investigator’s perspective, valuable volatile data could be lost caused by this shutdown. A great way to reconstruct the memory for investigation is to extract the hibernation file from the Windows system and reconstruct it to a memory-dump file format. The hibernation file (hyberfil.sys) contains all the physical memory that was saved by the operating system for restoring usage during the next time the system is booted. Extract the hiberfil.sys file How do we start? First of all a forensic sound duplicate of the hard-drive is made by using a write-blocker. After the ‘mother’-copy has been duplicated; a ‘work-copy’ is mounted to the investigator’s analysis station. With Encase or FTK Imager, it is possible to extract the file from the disk-image. In this case we use the free-tool FTK Imager. After adding the disk to the software, you have to browse to the root dir of the system. Figure 1 selecting the hiberfil.sys file While selecting the file, execute a right-mouseclick and choose the option ‘Export Files’, followed by the location you want to dump this file. Convert the hiberfile.sys to a memory-dump file We know have the file exported, but we need to convert it to a readable format for memory analysis tools like Volatility. In 2007, Matthieu Suiche started a project on this called ‘Sandman’.
  • 2. This project was started to better investigate the hiberfil.sys file and what data could be extracted. One of the scripts Matthieu wrote was able to convert the hiberfil.sys file into a memory-dump format. This script and more was later adopted into Moonsols memory dump/converting toolkit. Moonsol is offering a community and enterprise edition of this toolkit. The community edition has the tool hibr2bin that is compatible with 32bit hibernation files of XP/2003/2008 & Vista. After downloading the tool we are going to convert our extracted hiberfil.sys file towards a bin file that can be used for analysis with volatility. The usage of the tool is pretty straight forward: Hibr2bin.exe <input file> <output file>: After this has been completed we have a file that can be imported to Volatility. Volatility When using Volatility, I prefer to use a ‘forensic order’ of using the plugins: Identify Image: plugin: imageinfo Identify suspicious processes: plugin: pslist & psscan Identify active/closed/hidden cons plugin: connections & connscan2, socks & sockscan2 Identify suspicious dll’s, open/hidden/closed files: plugin: dlllist , files & fileobjscan These plugins are followed by the plugin ‘malfind’ and others related to the case.