Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Volatility as a penetration testing tool

What is Volatility? Volatility is a Python-based memory forensics framework for analysing and extracting data from memory images of Windows XP Service Pack 2 systems. I've played a little with Volatility in the past, but due to my overall lack of forensics work I've not had a chance to really use most of the features. However, after hearing about the latest plug-ins from Moyix I wanted to take a look myself.

If you've not already had a chance to listen to the latest Pauldotcom episode, then you're really missing out on a treat. In the technical segment they talk you through using MDD to image a system after exploitation (using Metasploit's Meterpreter as an upload/download tool for MDD and the resulting memory dump), and then using Moyix's Volatility plug-ins to pull the password hashes directly out of the SAM hive in the dump (the plug-ins decrypt them with the boot key recovered from the SYSTEM hive, so both hives have to be resident in the image).

I've run through the process (detailed on the ForensicZone blog in some detail) using one of NIST's demo images and the results are good. It's not always going to work, as a number of the NIST images give an error. From some quick research this is because the information no longer existed in RAM when the image was taken. This could be due to a number of reasons.

Although there are easier ways to extract hashdumps when using Metasploit's Meterpreter, the process is an interesting use of Volatility's forensic tools for penetration testing. I'll be sure to try this out on my next engagement.
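The hashdump plug-in writes one pwdump-format line per local account (`user:RID:LM-hash:NT-hash:::`), and on the images that fail you get a diagnostic instead of records. The script below is an added example for this post, not code from the blog, from Volatility or from Moyix's plug-ins: it parses that output, keeps any non-record lines as messages so a failed run is not mistaken for an empty SAM, and triages the hashes into blank passwords, accounts with an LM hash still stored, pass-the-hash candidates and password reuse. The account names, RIDs and the error line in the sample are constructed; the two empty-password constants and the hashes of "password" are the well-known values.

```python
"""Triage the pwdump-format output of Volatility's hashdump plugin.

Added example for this post; it is not code from the blog, from Volatility
or from Moyix's plugins. hashdump prints one line per local account in
pwdump format:

    username:RID:LM-hash:NT-hash:::

Anything else in the output (e.g. the error the post mentions when the
hive pages are no longer resident in the dump) is collected as a message
rather than dropped, so an empty result is distinguishable from a failed run.
"""
import re
from collections import defaultdict

# Well-known hashes of the empty string. An LM field equal to EMPTY_LM means
# no LM hash is stored (NoLMHash policy, or password longer than 14 chars);
# an NT field equal to EMPTY_NT means the account has a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:\s][^:]*):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)


def parse_hashdump(text):
    """Return (accounts, messages). accounts is a list of dicts with keys
    user, rid, lm, nt (hashes lower-cased); messages holds every non-empty
    line that is not a pwdump record, e.g. plugin errors."""
    accounts, messages = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PWDUMP_LINE.match(line)
        if m is None:
            messages.append(line)
            continue
        accounts.append({
            "user": m.group("user"),
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
        })
    return accounts, messages


def triage(accounts):
    """Sort dumped accounts into what a tester can do with them."""
    blank = [a["user"] for a in accounts if a["nt"] == EMPTY_NT]
    # A stored LM hash means the password is at most 14 characters and is
    # hashed as two independent 7-byte halves: trivial with rainbow tables.
    lm_stored = [a["user"] for a in accounts if a["lm"] != EMPTY_LM]
    # Any non-blank NT hash can be replayed as-is (pass-the-hash), no cracking needed.
    pth = [a["user"] for a in accounts if a["nt"] != EMPTY_NT]
    # Identical NT hashes mean identical passwords: crack one, open them all.
    by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] != EMPTY_NT:
            by_nt[a["nt"]].append(a["user"])
    reused = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {"blank": blank, "lm_stored": lm_stored,
            "pass_the_hash": pth, "reused_nt": reused}


# Constructed sample output: hypothetical accounts, not a real dump.
# jsmith and svc_backup both carry the well-known hashes of "password".
SAMPLE_OK = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

# Constructed stand-in for a failed run (the wording is hypothetical, not the
# plugin's real message): no records, only a diagnostic line.
SAMPLE_FAIL = "Error: could not read SAM hive from image\n"


if __name__ == "__main__":
    accounts, messages = parse_hashdump(SAMPLE_OK)
    print(f"{len(accounts)} accounts, {len(messages)} messages")
    for key, value in triage(accounts).items():
        print(f"{key}: {value}")
    accounts, messages = parse_hashdump(SAMPLE_FAIL)
    print(f"failed run -> {len(accounts)} accounts, messages={messages}")
```

Feed it the saved stdout of a hashdump run; a result with zero accounts and a non-empty message list is the "hive not in RAM" case from the post, not a machine with no local accounts.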

Pauldotcom Episode 142 Show Notes –> http://pauldotcom.com/wiki/index.php/Episode142

The Volatility Framework –> https://www.volatilesystems.com/default/volatility

NIST Memory Samples –> http://www.cfreds.nist.gov/mem/memory-images.rar
