Memory forensics - volatility

Installing volatility3 on CentOS 7
Reference
https://blog.csdn.net/Cony_14/article/details/109230474


Introduction:
After 2019, volatility was rewritten as a third major version, volatility3.
The volatility3 development documentation:
https://volatility3.readthedocs.io/en/latest/
The volatility3 source code (Python 3):
https://github.com/volatilityfoundation/volatility3

Install Python 3 and the required modules
yum install python3 # skip this line if python3 is already installed
yum install python3-devel
pip3 install pefile
pip3 install capstone

Download the volatility source package
git clone https://github.com/volatilityfoundation/volatility3.git --depth 1


Using volatility
View help
python3 vol.py -h

View plugin help
python3 vol.py windows.pslist -h

Inspect the memory image file
python3 vol.py -f /home/user/samples/1.dmp windows.info
Output:
[root@mylinuxc1 ~/download/volatility3-develop]# python3 vol.py -f /root/mem/1.raw windows.info
Volatility 3 Framework 1.0.1
Progress: 100.00 PDB scanning finished
Variable Value

Kernel Base 0xf80003e4b000
DTB 0x187000
Symbols file:///root/download/volatility3-develop/volatility3/symbols/windows/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA-2.json.xz
Is64Bit True
IsPAE False
primary 0 WindowsIntel32e
memory_layer 1 FileLayer
KdDebuggerDataBlock 0xf8000403c0a0
NTBuildLab 7601.17514.amd64fre.win7sp1_rtm.
CSDVersion 1
KdVersionBlock 0xf8000403c068
Major/Minor 15.7601
MachineType 34404
KeNumberProcessors 1
SystemTime 2021-03-30 06:08:34
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 6
NtMinorVersion 1
PE MajorOperatingSystemVersion 6
PE MinorOperatingSystemVersion 1
PE Machine 34404
PE TimeDateStamp Sat Nov 20 09:30:02 2010


View process information
python3 vol.py -f /root/mem/1.raw windows.pslist
or
python3 vol.py -f /root/mem/1.raw windows.cmdline.CmdLine

Output:
[root@mylinuxc1 ~/download/volatility3-develop]# python3 vol.py -f /root/mem/1.raw windows.pslist
Volatility 3 Framework 1.0.1
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

4 0 System 0xfa80018bab30 95 755 N/A False 2020-12-03 08:16:16.000000 N/A Disabled
2744 2804 explorer.exe 0xfa8001d6eb30 43 1509 2 False 2020-12-03 08:20:37.000000 N/A Disabled
2692 2744 Everything.exe 0xfa8004100060 18 586 2 False 2020-12-03 08:20:37.000000 N/A Disabled
5008 2692 SogouCloud.exe 0xfa80035bcb30 21 443 2 True 2021-01-13 02:40:05.000000 N/A Disabled
2236 976 firefox.exe 0xfa80032b4120 0 - 2 False 2021-01-13 08:07:05.000000 2021-03-30 06:04:37.000000 Disabled
5508 5836 httpd.exe 0xfa80032df370 3 141 2 True 2021-01-13 08:24:27.000000 N/A Disabled
4180 5836 mysqld.exe 0xfa80036748a0 27 542 2 True 2021-01-13 08:24:27.000000 N/A Disabled
3456 2744 notepad++.exe 0xfa800410d520 0 - 2 False 2021-01-13 08:52:47.000000 2021-01-13 08:52:48.000000 Disabled
4968 2744 notepad++.exe 0xfa800248bb30 0 - 2 False 2021-01-13 08:54:41.000000 2021-01-13 08:54:41.000000 Disabled
5084 2744 notepad++.exe 0xfa80044dc060 0 - 2 False 2021-01-13 08:56:03.000000 2021-01-13 08:56:03.000000 Disabled
3808 2744 notepad++.exe 0xfa80051fb1d0 0 - 2 False 2021-01-13 09:03:21.000000 2021-01-13 09:03:21.000000 Disabled
5548 2744 calc.exe 0xfa80024eb060 3 76 2 False 2021-03-30 06:07:51.000000 N/A Disabled
3684 2744 mspaint.exe 0xfa800376ab30 7 121 2 False 2021-03-30 06:08:05.000000 N/A Disabled
1788 2744 DumpIt.exe 0xfa8003174390 2 45 2 True 2021-03-30 06:08:31.000000 N/A Disabled


View registry hives (hivelist)
[root@mylinuxc1 ~/download/volatility3-develop]# python3 vol.py -f /root/mem/1.raw windows.registry.hivelist
Volatility 3 Framework 1.0.1
Progress: 100.00 PDB scanning finished
Offset FileFullPath File output

0xf8a00000f010 Disabled
0xf8a000024010 \REGISTRY\MACHINE\SYSTEM Disabled
0xf8a000058010 \REGISTRY\MACHINE\HARDWARE Disabled
0xf8a00011a010 \Device\HarddiskVolume1\Boot\BCD Disabled
0xf8a00083b010 \SystemRoot\System32\Config\SOFTWARE Disabled
0xf8a000b8a410 \SystemRoot\System32\Config\SAM Disabled
0xf8a000c64010 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat Disabled
0xf8a000cc3010 \SystemRoot\System32\Config\SECURITY Disabled
0xf8a000d9f010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Disabled
0xf8a000e2f010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Disabled
0xf8a0015ff010 \??\C:\Users\Administrator\ntuser.dat Disabled
0xf8a00259c010 \??\C:\System Volume Information\Syscache.hve Disabled
0xf8a006733010 \SystemRoot\System32\Config\DEFAULT Disabled

View port (network connection) information
python3 vol.py -f /root/mem/1.raw windows.netscan.NetScan
Output:
[root@mylinuxc1 ~/download/volatility3-develop]# python3 vol.py -f /root/mem/1.raw windows.netscan.NetScan
Volatility 3 Framework 1.0.1
Progress: 100.00 PDB scanning finished
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created

0x14947510 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 5508 httpd.exe -
0x14947510 TCPv6 :: 80 :: 0 LISTENING 5508 httpd.exe -
0x3a802010 UDPv4 0.0.0.0 5355 * 0 320 svchost.exe 2021-03-30 06:02:49.000000
0x495633b0 TCPv4 - 9745 101.71.72.212 443 CLOSED 2236 firefox.exe -
0x50eb0960 TCPv4 - 9773 123.125.52.87 443 CLOSED 2236 firefox.exe -
0x7d473010 TCPv4 - 10294 211.159.235.178 80 CLOSED 2236 firefox.exe -
0x7d5bb010 TCPv4 - 10201 218.11.11.191 443 CLOSED 2236 firefox.exe -
0x7da728e0 UDPv4 192.168.8.200 1900 * 0 1856 svchost.exe 2021-03-12 11:11:09.000000
0x7da98b40 TCPv4 0.0.0.0 3306 0.0.0.0 0 LISTENING 4180 mysqld.exe -

View CA certificate information
[root@mylinuxc1 ~/download/volatility3-develop]# python3 vol.py -f /root/mem/1.raw windows.registry.certificates.Certificates
Volatility 3 Framework 1.0.1
Progress: 100.00 PDB scanning finished
Certificate path Certificate section Certificate ID Certificate name

Microsoft\SystemCertificates AuthRoot 02FAF3E291435468607857694DF5E45B68851868 Sectigo (AddTrust)
Microsoft\SystemCertificates AuthRoot 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 DigiCert
Microsoft\SystemCertificates AuthRoot 97817950D81C9670CC34D809CF794431367EF474 DigiCert Global Root
Microsoft\SystemCertificates AuthRoot A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 DigiCert
Microsoft\SystemCertificates AuthRoot B1BC968BD4F49D622AA89A81F2150152A41D829C GlobalSign Root CA - R1
Microsoft\SystemCertificates AuthRoot D4DE20D05E66FC53FE1A50882C78DB2852CAE474 DigiCert Baltimore Root
Microsoft\SystemCertificates AuthRoot D69B561148F01C77C54578C10926DF5B856976AD GlobalSign Root CA - R3
Microsoft\SystemCertificates AuthRoot DAC9024F54D8F6DF94935FB1732638CA6AD77C13 DST Root CA X3
Microsoft\SystemCertificates CA 109F1CAED645BB78B3EA2B94C0697C740733031C -
Microsoft\SystemCertificates ROOT A43489159A520F0D93D032CCAF37E7FE20A8B419 Microsoft Root Authority

View program start and exit times (psscan also carves processes that are no longer in the active list)
python3 vol.py -f /root/mem/1.raw windows.psscan.PsScan
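A small correlation script, added here as an example (it is not part of the original post and not Volatility's own code), that parses the pslist, psscan and netscan tables shown above: it flags processes that psscan carves but pslist does not link (the classic sign of an unlinked process object), and sockets whose owning PID has already exited or is unknown to pslist. The embedded tables are constructed excerpts modelled on the output above; PID 6666 hidden.exe is invented, and svchost.exe (PID 320) is deliberately left out of the pslist excerpt so the orphan check has something to report.

```python
# Constructed excerpts in the layout vol3 prints (header, blank line, then rows);
# the PSLIST excerpt deliberately omits svchost.exe (PID 320) to exercise the orphan check.
PSLIST = """PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output

4 0 System 0xfa80018bab30 95 755 N/A False 2020-12-03 08:16:16.000000 N/A Disabled
2236 976 firefox.exe 0xfa80032b4120 0 - 2 False 2021-01-13 08:07:05.000000 2021-03-30 06:04:37.000000 Disabled
5508 5836 httpd.exe 0xfa80032df370 3 141 2 True 2021-01-13 08:24:27.000000 N/A Disabled
"""
# psscan carves process objects from pool memory, so it also finds unlinked or exited ones; PID 6666 is constructed.
PSSCAN = PSLIST + "6666 2744 hidden.exe 0xfa8004ffff00 2 40 2 False 2021-03-30 06:05:00.000000 N/A Disabled\n"
NETSCAN = """Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created

0x14947510 TCPv4 0.0.0.0 80 0.0.0.0 0 LISTENING 5508 httpd.exe -
0x3a802010 UDPv4 0.0.0.0 5355 * 0 320 svchost.exe 2021-03-30 06:02:49.000000
0x495633b0 TCPv4 - 9745 101.71.72.212 443 CLOSED 2236 firefox.exe -
"""
def rows(text):
    """Token lists for data rows; header, blank, Progress and banner lines are skipped."""
    return [ln.split() for ln in text.splitlines() if ln[:1].isdigit()]
def parse_processes(text):
    """pid -> (ppid, name, exit_time); ExitTime is one token ('N/A') or two ('date time')."""
    procs = {}
    for t in rows(text):
        exit_time = "N/A" if t[10] == "N/A" else f"{t[10]} {t[11]}"
        procs[int(t[0])] = (int(t[1]), t[2], exit_time)
    return procs

def parse_sockets(text):
    """(proto, laddr, lport, state, pid, owner); UDP rows carry no State column."""
    out = []
    for t in rows(text):
        state, pid, owner = (t[6], t[7], t[8]) if t[1].startswith("TCP") else ("", t[6], t[7])
        out.append((t[1], t[2], int(t[3]), state, int(pid), owner))
    return out

def hidden_processes(pslist_text, psscan_text):
    """PIDs carved by psscan that have no ExitTime yet are absent from pslist (possibly unlinked)."""
    live = parse_processes(pslist_text)
    return sorted(pid for pid, (_, _, ex) in parse_processes(psscan_text).items()
                  if pid not in live and ex == "N/A")
def socket_findings(pslist_text, netscan_text):
    """Listening sockets, plus sockets whose owner is unknown to pslist or has already exited."""
    procs, findings = parse_processes(pslist_text), []
    for proto, laddr, lport, state, pid, owner in parse_sockets(netscan_text):
        if state == "LISTENING":
            findings.append(f"listen {proto} {laddr}:{lport} pid={pid} {owner} ppid={procs.get(pid, ('?',))[0]}")
        elif pid not in procs:
            findings.append(f"orphan {proto} :{lport} pid={pid} {owner} (not in pslist)")
        elif procs[pid][2] != "N/A":
            findings.append(f"stale {proto} :{lport} pid={pid} {owner} exited {procs[pid][2]}")
    return findings
```

Against a real image, feed the script the saved stdout of the three plugins; a PID reported by hidden_processes deserves a closer look with the process's offset, while "stale" sockets are usually just leftover pool objects of a process that has since exited (firefox.exe above).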

====================================================================================

Installing pip on Kali
Reference
https://blog.csdn.net/chaojianmo/article/details/101058452
1. Download and install
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py # download the install script
sudo python3 get-pip.py # run the install script

2. Switch to a domestic (China) mirror
cd ~
mkdir -p .config/pip/
vim ~/.config/pip/pip.conf
[global]
index-url = https://pypi.tuna.tsinghua.edu.cn/simple

sudo cat ~/.config/pip/pip.conf

3. Upgrade pip
sudo python3 -m pip install --upgrade pip


Install the forensic analysis tools
Reference: https://blog.csdn.net/weixin_39559369/article/details/111061945
git clone https://github.com/volatilityfoundation/volatility.git --depth 1

pip install distorm3
pip install yara
pip install pycrypto
pip install Pillow
pip install openpyxl
pip install ujson

Installing volatility with Python 3
Reference:
https://blog.csdn.net/qq_41122834/article/details/106292343

Usage
Reference
https://www.freebuf.com/articles/system/26763.html
sudo python3 /home/kali/volatility3/vol.py -h

sudo vol -h


Using the Win7 build of volatility (tested, works)
Download
https://download.csdn.net/download/xueteng71/11119820?utm_medium=distribute.pc_relevant.none-task-download-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-8.control&dist_request_id=1328740.51660.16170967934900087&depth_1-utm_source=distribute.pc_relevant.none-task-download-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-8.control
Usage
https://www.icode9.com/content-3-741286.html
https://cloud.tencent.com/developer/article/1562899
https://blog.csdn.net/weixin_39559369/article/details/111061945

Identify the OS of the host the memory image came from
View help and plugins
volatility.exe -h
View version
volatility.exe -v
# pay attention to the profile information
volatility.exe -f 1.raw imageinfo

Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...

Suggested Profile(s) : Win7SP0x64 (Instantiated with no profile)
AS Layer1 : FileAddressSpace (D:a0memeryfenxiv1.raw)
PAE type : No PAE


Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...

Suggested Profile(s) : Win7SP0x64, Win7SP0x64, Win7SP0x64 (Instantiated with no profile)
AS Layer1 : FileAddressSpace (D:1SZASS-20210330-100249.dmp)
PAE type : No PAE


Using plugins
# view process information in the image (using the profile value found above)
volatility.exe -f 1.raw --profile=Win7SP0x64 pslist
volatility.exe -f 1.raw --profile=Win7SP0x64 pstree

# view database information (including the registry)
volatility.exe -f 1.raw --profile=Win7SP0x64 hivelist

# dump one sub-hive
volatility.exe -f 1.raw --profile=Win7SP0x64 hivedump -o <virtual address from the first column of hivelist>


volatility.exe -f 1.raw --profile=Win7SP0x64 userassist

====================================================================================


The Win7 build of volatility2
Reference
https://blog.csdn.net/Soda_199/article/details/79644303?utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-2.control&dist_request_id=1328761.423.16171711007969129&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-2.control
Download (the official version 2 releases)
https://www.volatilityfoundation.org/releases

Using third-party vol plugins

1. Get the Python 2 source of vol 2.6
https://downloads.volatilityfoundation.org/releases/2.6/volatility-2.6.zip
Official site: https://www.volatilityfoundation.org/releases

2. Install
python2 setup.py install

3. Get the third-party plugins
https://downloads.volatilityfoundation.org/contest/2014/DaveLasalle_ForensicSuite.zip

4. Install the plugins
Unzip the plugins and copy them into the volatility/plugins directory


Some problems under Win7 and how to solve them
1. Error message: *** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
Solution: install distorm3
https://blog.csdn.net/my_xxh/article/details/51603953
Download: distorm3
https://github.com/gdabah/distorm/releases
https://github.com/volatilityfoundation/volatility/wiki/Installation
Install
cd distorm3
python2 setup.py build install

2. Error message: error: Microsoft Visual C++ 9.0 is required (Unable to find vcvarsall.bat). Get it from http://aka.ms/vcpython27
Solution: install the Win7 component VCForPython27.msi
https://blog.csdn.net/xxm524/article/details/47360229/
https://blog.csdn.net/ylh071032/article/details/53435793?utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-2.control&dist_request_id=&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7EBlogCommendFromMachineLearnPai2%7Edefault-2.control
Download: the Win7 component VCForPython27.msi
https://download.microsoft.com/download/7/9/6/796EF2E4-801B-4FC4-AB28-B59FBF6D907B/VCForPython27.msi

3. Install the other Python components
pip2 install Pillow
pip2 install openpyxl
pip2 install ujson==1.35


Original article: https://www.cnblogs.com/andy9468/p/14808089.html