Posts

Showing posts from September, 2014

Volatility Bash Script v0.4

Here is another version of the volatility bash script.

#!/bin/bash
# Script to collect information by utilizing volatility

# v0.4 - Added a loop to iterate through the plugins
#      - Added svcscan, sockets, sockscan, driverscan, cachedump, timeliner, evtlogs
#      - In hivelist the system file is upper or lower case depending on the profile
#      - Added dlllist for each process
#      - Added getsids for each process
#      - Added handles for each process
#      - Added ldrmodules for each process
#      - Extracting the contents of the registry at Software\Microsoft\Windows\CurrentVersion\Run
# v0.3 - Updated to include mftparser
#      - Added a temp directory
# v0.2 - Updated the DKOM section to include the 3 columns and not just the 1st.

#To come...
#Analyze specific registry keys that aide in an investigation

####  Configurable Settings #############
homeDir='/home/malware-analysis'
memImage="$homeDir/1bc928ac.vmem"
locVolPy='/usr/share/vol2-4/volatility-2.4/vol.py'
v…

Volatility - Follow-up Analysis Script - Customize the script

You need to customize the following script based on the information gathered from the analysis.

#!/bin/bash
# Script to collect information by utilizing volatility

#### Configurable Options #######

homeDir='/home/volatility/image'
memImage="$homeDir/image.vmem"
locVolPy='/usr/share/volatility/vol.py'
volProfile=''

PID='1384'
dumpFileFilename='malware'  # Dump the file malware.exe

######################################

outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"

if [ ! -d $outputDir ]; then
    mkdir $outputDir
    mkdir $dumpDir
    mkdir $tempDir
fi

# Identify the profile found from output/imageinfo
cat $outputDir/imageinfo | grep "Suggested Profile(s)" | awk '{print "Identified Profile: " $4}' | sed 's/,//'
volProfile=`cat $outputDir/imageinfo | grep "Suggested Profile(s)" | awk '{print $4}' | sed 's/,//'`

# List the dll's as…

Volatility Bash Script - Automate Initial Commands

Wrote a quick volatility script to automate most of the initial commands that I am running.  Enjoy...

#!/bin/bash
# Script to collect information by utilizing volatility

# v0.3 - Updated to include mftparser
#        - Added a temp directory
# v0.2 - Updated the DKOM section to include the 3 columns and not just the 1st.

#To come...
#Analyze specific registry keys that aide in an investigation

####  Configurable Settings #############
homeDir='/home/volatility/image'
memImage="$homeDir/image.vmem"
locVolPy='/usr/share/volatility/vol.py'
volProfile=''
#########################################

outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"

if [ ! -d $outputDir ]; then
    mkdir $outputDir
    mkdir $dumpDir
    mkdir $tempDir
fi

# Find the profile for the image that is being analyzed and store it in volProfile
python $locVolPy -f $memImage imageinfo > $outputDir/imageinfo
cat $outputDir/imageinfo | grep "S…