Volatility, my own cheatsheet (Part 8): Filesystem

With this part, we ended the series dedicated to Volatility: the last ‘episode’ is focused on file system.

If you want to read the other parts, take a look to this index:

  1. Image Identification
  2. Processes and DLLs
  3. Process Memory
  4. Kernel Memory and Objects
  5. Networking
  6. Windows Registry
  7. Analyze and convert crash dumps and hibernation files
  8. Filesystem

And now, let’s start to parsing the filesystem data!

mbrparser

Scans for and parses potential Master Boot Records (MBRs). There are different options for finding MBRs and filtering output. For more information please see Recovering Master Boot Records from Memory. While this plugin was written with Windows bootkits in mind, it can also be used with memory samples from other systems.

When run without any extra options, mbrparser scans for and returns information all potential MBRs defined by signature (‘\x55\xaa’) found in memory. Information includes: disassembly of bootcode (must have distorm3 installed) and partition information. This will most likely have false positives.

If distorm3 is not installed, the -H/--hex option can be used to get the entire bootcode section in hex instead of disassembly:

$ vol.py -f [sample] mbrparser -H

If the physical offset of the MBR is known, it can be specified with the -o/--offset= option for example:

$ vol.py -f [sample] -o 0x600 mbrparser

If the md5 hash of the desired bootcode is known, one can be specified using either the -M/--hash (the hash of bootcode up to the RET instruction) or -F/--fullhash (the hash of full bootcode) option.

$ vol.py mbrparser -f AnalysisXPSP3.vmem -M 6010862faee6d5e314aba791380d4f41

or

$ python vol.py mbrparser -f AnalysisXPSP3.vmem -F 6010862faee6d5e314aba791380d4f41

In order to cut down on false positives there is a -C/--check option that checks the partition table for one bootable partition that has a known, nonempty type (NTFS, FAT*, etc).

$ vol.py -f [sample] -C mbrparser

There is also an option to change the offset for the start of the disassembly. This can be useful for investigating machines (like Windows XP) that only copy the part of the MBR bootcode that has not yet executed. For example, before changing the offset:

$ python vol.py mbrparser -f AnalysisXPSP3.vmem -o 0x600 
Volatility Foundation Volatility Framework 2.4
Potential MBR at physical offset: 0x600
Disk Signature: d8-8f-d8-8f
Bootcode md5: c1ca166a3417427890520bbb18911b1f
Bootcode (FULL) md5: c0bf3a94515bbd70e5a0af82f1804d89
Disassembly of Bootable Code:
0x00000600: 0000                             ADD [BX+SI], AL
0x00000602: 0000                             ADD [BX+SI], AL
0x00000604: 0000                             ADD [BX+SI], AL
0x00000606: 0000                             ADD [BX+SI], AL
0x00000608: 0000                             ADD [BX+SI], AL
0x0000060a: 0000                             ADD [BX+SI], AL
0x0000060c: 0000                             ADD [BX+SI], AL
0x0000060e: 0000                             ADD [BX+SI], AL
0x00000610: 0000                             ADD [BX+SI], AL
0x00000612: 0000                             ADD [BX+SI], AL
0x00000614: 0000                             ADD [BX+SI], AL
0x00000616: 0000                             ADD [BX+SI], AL
0x00000618: 0000                             ADD [BX+SI], AL
0x0000061a: 00bdbe07                         ADD [DI+0x7be], BH
0x0000061e: b104                             MOV CL, 0x4
0x00000620: 386e00                           CMP [BP+0x0], CH
[snip]

After changing the starting offset:

$ python vol.py mbrparser -f AnalysisXPSP3.vmem -o 0x600 -D 0x1b
Volatility Foundation Volatility Framework 2.4
Potential MBR at physical offset: 0x600
Disk Signature: d8-8f-d8-8f
Bootcode md5: 961f3ad835d6fa9396e60ea9f825c393
Bootcode (FULL) md5: f54546c199c72389f20d537997d50c66
Disassembly of Bootable Code:
0x0000061b: bdbe07                           MOV BP, 0x7be
0x0000061e: b104                             MOV CL, 0x4
0x00000620: 386e00                           CMP [BP+0x0], CH
0x00000623: 7c09                             JL 0x13
0x00000625: 7513                             JNZ 0x1f
0x00000627: 83c510                           ADD BP, 0x10
0x0000062a: e2f4                             LOOP 0x5
[snip]

mftparser

This plugin scans for potential Master File Table (MFT) entries in memory (using “FILE” and “BAAD” signatures) and prints out information for certain attributes, currently: $FILE_NAME ($FN), $STANDARD_INFORMATION ($SI), $FN and $SI attributes from the $ATTRIBUTE_LIST$OBJECT_ID (default output only) and resident $DATA. This plugin has room for expansion, however, and VTypes for other attributes are already included. For more information please see Reconstructing the MBR and MFT from Memory (OMFW 2012 slides). Options of interest include:

  • --machine – Machine name to add to timeline header (useful when combining timelines from multiple machines)
  • -D/--dump-dir – Output directory to which resident data files are dumped
  • --output=body – print output in Sleuthkit 3.X body format
  • --no-check – Prints out all entries including those with null timestamps
  • -E/--entry-size – Changes the default 1024 byte MFT entry size.
  • -O/--offset – Prints out the MFT entry at a give offset (comma delimited)

This plugin may take a while to run before seeing output, since it scans first and then builds the directory tree for full file paths.

Example (default output):

$ vol.py -f Bob.vmem mftparser
Volatility Foundation Volatility Framework 2.4
Scanning for MFT entries and building directory, this can take a while
[snip]
***************************************************************************
MFT entry found at offset 0x1e69c00
Type: File
Record Number: 12091
Link count: 2
$STANDARD_INFORMATION
Creation             Modified             MFT Altered          Access Date          Type
-------------------- -------------------- -------------------- -------------------- ----
2010-02-27 20:12:32  2010-02-27 20:12:32  2010-02-27 20:12:32  2010-02-27 20:12:32  Archive
$FILE_NAME
Creation             Modified             MFT Altered          Access Date          Name/Path
-------------------- -------------------- -------------------- -------------------- ---------
2010-02-27 20:12:32  2010-02-27 20:12:32  2010-02-27 20:12:32  2010-02-27 20:12:32  Documents and Settings\Administrator\Cookies\ADMINI~1.TXT
$FILE_NAME
Creation             Modified             MFT Altered          Access Date          Name/Path
-------------------- -------------------- -------------------- -------------------- ---------
2010-02-27 20:12:32  2010-02-27 20:12:32  2010-02-27 20:12:32  2010-02-27 20:12:32  Documents and Settings\Administrator\Cookies\[email protected][1].txt
$DATA
0000000000: 65 78 70 0a 31 39 0a 73 65 61 72 63 68 2d 6e 65   exp.19.search-ne
0000000010: 74 77 6f 72 6b 2d 70 6c 75 73 2e 63 6f 6d 2f 0a   twork-plus.com/.
0000000020: 31 35 33 36 0a 33 03 00 32 34 33 33 39 32 30 0a   1536.3..2433920.
0000000030: 33 30 30 36 32 36 30 35 0a 38 33 37 34 31 36 35   30062605.8374165
0000000040: 37 36 0a 33 30 30 36 32 35 36 39 0a 2a 0a         76.30062569.*.
***************************************************************************
[snip]
***************************************************************************
MFT entry found at offset 0x1cdbac00
Type: In Use & File 
Record Number: 12079
Link count: 1
$STANDARD_INFORMATION
Creation             Modified             MFT Altered          Access Date          Type   
-------------------- -------------------- -------------------- -------------------- ----
2010-02-27 20:12:28  2010-02-27 20:12:28  2010-02-27 20:12:28  2010-02-27 20:12:28  Archive
$FILE_NAME
Creation             Modified             MFT Altered          Access Date          Name/Path
-------------------- -------------------- -------------------- -------------------- ---------
2010-02-27 20:12:28  2010-02-27 20:12:28  2010-02-27 20:12:28  2010-02-27 20:12:28  Documents and Settings\Administrator\Local Settings\Temp\plugtmp\PDF.php
$DATA
Non-Resident
***************************************************************************
[snip]

The bodyfile output is also an option. It is recommended that the output be stored in a file using the --output-file option, since it is quite lengthy. The following shows creating a bodyfile using mftparser while dumping resident files. You can also see a file of interest that is created on the system (f.txt) which happens to be recovered in the output directory:

$ vol.py -f grrcon.img mftparser --output=body -D output --output-file=grrcon_mft.body
Volatility Foundation Volatility Framework 2.4
Scanning for MFT entries and building directory, this can take a while
$ cat grrcon_mft.body
[snip]
0|[MFT STD_INFO] WINDOWS\system32\systems (Offset: 0x15938400)|12029|---------------|0|0|0|1335579320|1335579320|1335579320|1335578463
0|[MFT FILE_NAME] WINDOWS\system32\systems\f.txt (Offset: 0x15938800)|12030|---a-----------|0|0|0|1335578503|1335578503|1335578503|1335578503
0|[MFT STD_INFO] WINDOWS\system32\systems\f.txt (Offset: 0x15938800)|12030|---a-----------|0|0|0|1335578503|1335578503|1335578503|1335578503
0|[MFT FILE_NAME] WINDOWS\system32\systems\g.exe (Offset: 0x15938c00)|12031|---a-----------|0|0|0|1335578514|1335578514|1335578514|1335578514
0|[MFT STD_INFO] WINDOWS\system32\systems\g.exe (Offset: 0x15938c00)|12031|---a-----------|0|0|0|1335579014|1335578514|1335578514|1335578514
0|[MFT FILE_NAME] WINDOWS\inf\divasrv.inf (Offset: 0x15c83000)|2192|---a-----------|0|0|22554|1332601266|1332601266|1332601266|1332601235
[snip]
$ ls output/*15938800*
output/file.0x15938800.data0.dmp
$ cat output/*15938800*
open 66.32.119.38
jack
2awes0me
lcd c:\WINDOWS\System32\systems
cd  /home/jack
binary
mput "*.txt"
disconnect
bye

The Sleuthkit mactime utility can then be used to output the bodyfile in a readable manner:

$ mactime -b grrcon_mft.body -d -z UTC |less
[snip]
Sat Apr 28 2012 02:01:43,0,macb,---a-----------,0,0,12030,"[MFT FILE_NAME] WINDOWS\system32\systems\f.txt (Offset: 0x15938800)"
Sat Apr 28 2012 02:01:43,0,macb,---a-----------,0,0,12030,"[MFT STD_INFO] WINDOWS\system32\systems\f.txt (Offset: 0x15938800)"
Sat Apr 28 2012 02:01:54,0,macb,---a-----------,0,0,12031,"[MFT FILE_NAME] WINDOWS\system32\systems\g.exe (Offset: 0x15938c00)"
Sat Apr 28 2012 02:01:54,0,m.cb,---a-----------,0,0,12031,"[MFT STD_INFO] WINDOWS\system32\systems\g.exe (Offset: 0x15938c00)"
Sat Apr 28 2012 02:02:05,0,macb,---a-----------,0,0,12032,"[MFT FILE_NAME] WINDOWS\system32\systems\p.exe (Offset: 0x18229000)"
Sat Apr 28 2012 02:02:05,0,...b,---a-----------,0,0,12032,"[MFT STD_INFO] WINDOWS\system32\systems\p.exe (Offset: 0x18229000)"
Sat Apr 28 2012 02:02:06,0,m...,---a-----------,0,0,12032,"[MFT STD_INFO] WINDOWS\system32\systems\p.exe (Offset: 0x18229000)"
Sat Apr 28 2012 02:02:17,0,macb,---a-----------,0,0,12033,"[MFT FILE_NAME] WINDOWS\system32\systems\r.exe (Offset: 0x18229400)"
Sat Apr 28 2012 02:02:17,0,m.cb,---a-----------,0,0,12033,"[MFT STD_INFO] WINDOWS\system32\systems\r.exe (Offset: 0x18229400)"
Sat Apr 28 2012 02:02:26,0,macb,---a-----------,0,0,12034,"[MFT FILE_NAME] WINDOWS\system32\systems\sysmon.exe (Offset: 0x18229800)"
Sat Apr 28 2012 02:02:26,0,...b,---a-----------,0,0,12034,"[MFT STD_INFO] WINDOWS\system32\systems\sysmon.exe (Offset: 0x18229800)"
Sat Apr 28 2012 02:02:27,0,m.c.,---a-----------,0,0,12034,"[MFT STD_INFO] WINDOWS\system32\systems\sysmon.exe (Offset: 0x18229800)"
[snip]

Comments