Memory Analysis with Volatility

1. ############################
2. # Download the Analysis VM #
3. ############################
4. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
5. user: infosecaddicts
6. pass: infosecaddicts
7.  
8.  
9.  
10. - Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.
11.  
12.  
13. ###################################
14. # Setting up your virtual machine #
15. ###################################
16.  
17. Here is where we will setup all of the required dependencies for the tools we plan to install
18. ---------------------------Type This-----------------------------------
19. apt update
20. apt-get install -y foremost tcpxtract python-openpyxl python-ujson python-ujson-dbg python-pycryptopp python-pycryptopp-dbg libdistorm3-3 libdistorm3-dev python-distorm3 volatility volatility-tools
21. -----------------------------------------------------------------------
22.  
23.  
24.  
25.  
26. ################
27. # The Scenario #
28. ################
29.  
30.  
31. ###################
32. # Memory Analysis #
33. ###################
34. ---------------------------Type This-----------------------------------
35. cd ~/
36.  
37. mkdir mem_analysis
38.  
39. cd mem_analysis
40.  
41. wget https://s3.amazonaws.com/infosecaddictsfiles/hn_forensics.vmem
42.  
43. volatility pslist -f hn_forensics.vmem
44. volatility pslist -f hn_forensics.vmem | awk '{print $2,$3,$4}'
45. volatility pslist -f hn_forensics.vmem | awk '{print $2,"\t\t"$3"\t\t","\t\t"$4}'
46. volatility connscan -f hn_forensics.vmem
47. volatility connscan -f hn_forensics.vmem | grep -E '888|1752'
48.  
49. mkdir malfind/
50. mkdir dump/
51. mkdir -p output/pdf/
52.  
53. volatility privs -f hn_forensics.vmem
54. volatility svcscan -f hn_forensics.vmem
55. volatility malfind -f hn_forensics.vmem --dump-dir malfind/
56.  
57.  
58. volatility -f hn_forensics.vmem memdump -p 888 --dump-dir dump/
59. volatility -f hn_forensics.vmem memdump -p 1752 --dump-dir dump/
60.  
61. ***Takes a few min***
62.  
63. cd dump/
64. strings 1752.dmp | grep "^http://" | sort | uniq
65. strings 1752.dmp | grep "Ahttps://" | uniq -u
66.  
67. foremost -i 1752.dmp -t pdf -o ../output/pdf/
68. cd ../output/pdf/
69. cat audit.txt
70. cd pdf
71. ls
72. grep -i javascript *.pdf
73.  
74.  
75. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
76. unzip pdf-parser_V0_6_4.zip
77. python pdf-parser.py -s javascript --raw 00601560.pdf
78. python pdf-parser.py --object 11 00601560.pdf
79. python pdf-parser.py --object 1054 --raw --filter 00601560.pdf > malicious.js
80.  
81. cat malicious.js
82. -----------------------------------------------------------------------