Acquiring Linux Memory using AVML and Using it with Volatility

Posted on 20 June 2019 by [email protected]

This is another quick post going over the process to acquire memory from a Linux system, but instead of using LiME, I’m going to use AVML which stands for Acquire Volatile Memory for Linux, and could be found here. The tool has been developed by Brian Casewell for Microsoft and is a “userland volatile memory acquisition tool”.

AVML tries to acquire memory from the following memory sources:

    /dev/crash
    /proc/kcore
    /dev/mem

The installation is straight forward and well documented on the Github page. I used the build on Ubuntu, which is really just “copy & paste” no super power required there, thanks to Brian! One note is there are two builds, one will provide an upload feature to upload the images to Azure and the other build without that. The size is really small, mine with full features was 5.5MB. After finishing the build you will find the binary (at least on my system) under:

./target/x86_64-unknown-linux-musl/release/

Continue reading

Posted in DFIR, Forensics, Memory, Software/Tools | Tagged , , , , , , , | Comments Off on Acquiring Linux Memory using AVML and Using it with Volatility

Forensic Acquisitions over Netcat

Posted on 4 June 2019 by [email protected]

In the past I used to write here what I did so I do not forget, so I’ll try to get back to that habit again :)

These days whenever I find time, I’m playing with TSURUGI, which is a new (at least to me) Linux DFIR distro. More about the distro could be found on the system’s website here. I highly recommend if you are reading these words of mine, that you go download TSURUGI and give it a try. It can be seen as the KALI Linux of DFIR!

Now, there is a project that I’m working on related to Linux, so I needed to acquire an image of a Linux system running on my testing system. So, I turned off the the system to be acquired and used the TSURUGI Linux to boot the system to be acquired. The problem in my setup, is I do not want to use a removable drive to acquire the image using TSURUGI and copy it to that target drive. Therefore, I had to go with other options, one was SSH. Doing acquisitions over SSH will be a great option, but unfortunately, in my situation, it did not work. I have not troubleshooted the reason why, since I’m not into that now, but I assume SSH did not work and every time I tried to connect to the running SSH, it just gave me a reset, because it was running in Read-Only mode from the RAM and therefore SSH sessions could not be created! (not 100% sure, just an assumption).
Continue reading

Posted in DFIR, GNU/Linux | Tagged , , , , , , , , , | Comments Off on Forensic Acquisitions over Netcat

Windows InstallTime vs InstallDate Registry Values

Posted on 31 May 2019 by [email protected]

This is just a quick post about two Registry Values InstallTime and InstallDate which are found under the following key:
SOFTWARE\Microsoft\Windows NT\CurrentVersion

The confusion happens when my students ask which one is correct? Continue reading

Posted in Forensics, Windows | Tagged , , , , , , | Comments Off on Windows InstallTime vs InstallDate Registry Values

Update: Hidden Prefetch Files Detection using New PECmd

Posted on 26 May 2019 by [email protected]

Before diving into this post, I wanted to say, that I have been teaching digital forensics for a long time by now, and in my Operating System Forensics class, I use Eric Zimmerman‘s tools a lot, and when I say “a lot”, I truly mean it! The course is not about tools, but when it comes to using a tool to form an understanding of what that session was about, then you’ll always find a tool from Eric there (plus others for sure)! This is one thing about how great Eric’s tools are, but for me, there is more than that! Me and my students from time to time find new things, new bugs, etc. I sometimes send Eric a message from inside class and share a sample with him. We most of the times, get the solution fixed while we’re still in class! That is one of the best things about this guy, how much he cares about his tools, and how much support he provides the community! That is why, I doubt you’ll get such support even from a commercial vendor. They will never be able to get back to you this quick.

What does all that mean here? Well, continuing the previous work “Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis” it means we just got a fix or a new feature added to PECmd :)
Continue reading

Posted in AntiX, ThreatHunting, Windows | Tagged , , , , , , , , | Comments Off on Update: Hidden Prefetch Files Detection using New PECmd

Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis

Posted on 26 May 2019 by [email protected]

While doing more experiments of running EXEs and Malicious EXEs from ADS and Stealthy ADS to continue my previous work “Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS“, and in order to create a forensic image and share it with the community as I mentioned here, I found some unusual findings!

When creating a forensic image, I also create a list of files and directories within that image, as seen in Figure 1, just for further checking and verification purposes. So, as usual, was doing the image to share and I noticed the following:

Figure 1: List of files found in a Forensic Image

Continue reading

Posted in AntiX, Forensics, ThreatHunting, Windows | Tagged , , , , , , , , | Comments Off on Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis