Saturday, January 10, 2015

Volatility Bash Script v0.5

I have been using the volatility script that I wrote back in September and made some revisions to it.  Below is the source code:

 #!/bin/bash
# Script to collect information by utilizing volatility

# v0.5 - Added a registry key to pull out of the SOFTWARE registry file the Run keys
#      - Changed the home directory to the present working directory
#      - To get yarascan's to work successfully you may have to 'apt-get install libyara-dev python-yara' on Debian based systems
#      - Note on conducting a Yara scan on the memory image 'vol.py -f memimage.img yarascan -Y "3.5.7.3" # To search for a string or IP Address in memory or add a -p to only have it search in the memory of a particluar process.
#      - Create from psscan an output file that can be viewed by graphviz.org for the relationships of processes
#      - Added the output of the strings program with word sizes larger than 8 characters
#      - Added the output of privs envars and procdump
#      - Output to envars-list this organizes and sorts the environment variables looking for anomolies
#      - Output to privs-interesting privileges that may need to be looked at closer for a particular process
#      - Output of privs-list organizes and sorts them looking for unique privileges assigned
#      - Output to ldrmodules-UnlinkedDlls a list of dll's or files that are not in the triple linked dll list
# v0.4 - Added a loop to iterate through the plugins
#      - Added svcscan, sockets, sockscan, driverscan, cachedump, timeliner, evtlogs
#      - In hivelist the system file is upper or lower case depending on the profile
#      - Added dlllist for each process
#      - Added getsids for each process
#      - Added handles for each process
#      - Added ldrmodules for each process
#      - Extracting the contents of the registry at Software\Microsoft\Windows\CurrentVersion\Run
# v0.3 - Updated to include mftparser
#      - Added a temp directory
# v0.2 - Updated the DKOM section to include the 3 columns and not just the 1st.

#To come...
#Analyze specific registry keys that aide in an investigation

####  Configurable Settings #############
homeDir=`pwd`
memImage="$homeDir/myImage.img"
locVolPy='/usr/share/vol2-4/volatility-2.4/vol.py'
volProfile=''
#########################################
date
outputDir="$homeDir/output"
dumpDir="$homeDir/dumpdir"
tempDir="$homeDir/temp"

if [ ! -d $outputDir ]; then
    mkdir $outputDir
    mkdir $outputDir/dlllist
    mkdir $outputDir/getsids
    mkdir $outputDir/handles
    mkdir $outputDir/ldrmodules
    mkdir $outputDir/procdump
    mkdir $dumpDir
    mkdir $tempDir
fi

# Find the profile for the image that is being analyzed and store it in volProfile
python $locVolPy -f $memImage imageinfo > $outputDir/imageinfo
cat $outputDir/imageinfo | grep "Suggested Profile(s)" | awk '{print "Identified Profile: " $4}' | sed 's/,//'
volProfile=`cat $outputDir/imageinfo | grep "Suggested Profile(s)" | awk '{print $4}' | sed 's/,//'`

# Run a variety of volatility plugins and save the output
for pluginCommand in pslist pstree psscan psxview connections connscan filescan iehistory svcscan cmdscan consoles hivelist sockets sockscan driverscan ssdt cachedump timeliner privs envars
do
    echo "Running $pluginCommand and saving results to $outputDir/$pluginCommand"
    python $locVolPy -f $memImage --profile=$volProfile $pluginCommand > $outputDir/$pluginCommand
done

# Run a dot graph for graphviz.org for the relationships of processes
echo "Running dot graph and saving results to $outputDir/processes.dot"
python $locVolPy -f $memImage --profile=$volProfile psscan --output=dot --output-file=$outputDir/processes.dot

# Create a list of environment variables that are in memory looking for anomolies
cat $outputDir/envars | awk '{print $5}' | sort | uniq -c | sort -n > $outputDir/envars-list

echo "Running evtlogs and saving results to $outputDir/evtlogs"
python $locVolPy -f $memImage --profile=$volProfile evtlogs --dump-dir $outputDir

echo "Find processes in psxview that is using Direct Kernel Object Manipulation (DKOM)"
echo "Display from psxview any processes with "False" in the psscan, pslist, thrdproc"
echo "Find processes in psxview that is using Direct Kernel Object Manipulation (DKOM)" > $outputDir/possibleDKOM
echo "Display from psxview any processes with "False" in the psscan, pslist, thrdproc" >> $outputDir/possibleDKOM
while read line
do
    pslistColumn=`echo $line | awk '{print $4}'`
    psscanColumn=`echo $line | awk '{print $5}'`
    thrdprocColumn=`echo $line | awk '{print $6}'`
    if [ $pslistColumn == 'False' ]; then
        echo "$line" >> $outputDir/possibleDKOM
    fi
    if [ $psscanColumn == 'False' ]; then
        echo "Found: $line" >> $outputDir/possibleDKOM
    fi
    if [ $thrdprocColumn == 'False' ]; then
        echo "Found: $line" >> $outputDir/possibleDKOM
    fi
done < $outputDir/psxview
echo

echo "Running mftparser and saving results to $outputDir/mftpparser"
python $locVolPy -f $memImage --profile=$volProfile mftparser --output=body --output-file=$outputDir/mftparser.csv
mactime -b $outputDir/mftparser.csv -d -z UTC-6 > $outputDir/mftparserMactime.csv

echo "Saving the results of the hashdump to $outputDir/hashdump"
# Find the virtual address of the SYSTEM hive
while read line
do
    if [[ $line == *YSTEM* ]] || [[ $line == *ystem* ]]; then
        systemVAddr=`echo $line | awk '{print $1}'`
    fi
done < $outputDir/hivelist
# Find the virtual address of the SAM hive
while read line
do
    if [[ $line == *SAM* ]]; then
        samVAddr=`echo $line | awk '{print $1}'`
    fi
done < $outputDir/hivelist
python $locVolPy -f $memImage --profile=$volProfile -y $systemVAddr -s $samVAddr hashdump > $outputDir/hashdump

echo "Running malfind and saving results to $outputDir/malfind"
python $locVolPy -f $memImage --profile=$volProfile malfind --dump-dir $dumpDir > $outputDir/malfind

# Export to output/dlllist the PIDs found in the pslist output file
cat $outputDir/pslist | grep -v -e "Offset(V)" -e "------" | awk '{print $3}' > $tempDir/PIDlist
while read line 
do
    python $locVolPy -f $memImage --profile=$volProfile dlllist -p $line > $outputDir/dlllist/proc-$line
    python $locVolPy -f $memImage --profile=$volProfile getsids -p $line > $outputDir/getsids/proc-$line
    python $locVolPy -f $memImage --profile=$volProfile handles -p $line > $outputDir/handles/proc-$line
    python $locVolPy -f $memImage --profile=$volProfile ldrmodules -p $line > $outputDir/ldrmodules/proc-$line
    python $locVolPy -f $memImage --profile=$volProfile procdump -p $line > $outputDir/procdump/proc-$line
done < $tempDir/PIDlist

# With the dlllists look for unique path's
rm -f $tempDir/dlllistPaths
rm -f $tempDir/dlllistCommandline
touch $tempDir/dlllistPaths
touch $tempDir/dlllistCommandline
for file in $outputDir/dlllist/*
do 
    cat $file | grep "0x" | awk '{print $4 " " $5 " " $6 " " $7 " " $8 " " $9 " " $10}' >> $tempDir/dlllistPaths
    cat $file | grep "Command line :" >> $tempDir/dlllistCommandline
done
cat $tempDir/dlllistPaths | sort | uniq -c | sort -n | grep -v -i -e "windows.system32" > $outputDir/dlllist-OutsideSystem32
cat $tempDir/dlllistPaths | sort | uniq -c | sort -n | grep "1" > $outputDir/dlllist-SingleInstance
cat $tempDir/dlllistCommandline | sed 's/Command line :" //' > $outputDir/dlllist-Commandline 

# With the getsids look for unique sids or something out-of-the-ordinary
rm -f $tempDir/getsids-temp-list
touch $tempDir/getsids-temp-list
for file in $outputDir/getsids/*
do
    cat $file | awk -F ":" '{print $2}' >> $tempDir/getsids-temp-list
done
cat $tempDir/getsids-temp-list | sort | uniq -c | sort -n > $outputDir/getsids-list
cat $outputDir/svcscan | grep "Binary Path: " | sort | uniq -c > $outputDir/svcscan-binarypath

cat $outputDir/ldrmodules/proc-* | grep "0x" | grep "-" > $outputDir/ldrmodules-NoPathInfo
# Check the below ldrmodules-UnlinkedDlls for malware that could be unassociated from the triple linked dll's
cat $outputDir/ldrmodules/proc-* | grep "False  False  False" > $outputDir/ldrmodules-UnlinkedDlls
cat $outputDir/ssdt | egrep -v '(ntoskrnl | win32k)' > $outputDir/ssdt-modified

# Extract from the registry specific keys of interest
python $locVolPy -f $memImage --profile=$volProfile printkey -K "Software\Microsoft\Windows\CurrentVersion\Run" > $outputDir/registryRunKeys
python $locVolPy -f $memImage --profile=$volProfile printkey -K "Microsoft\Windows\CurrentVersion\Run" > $outputDir/registryRunKeys2
#http://digital-forensics.sans.org/blog/2010/10/20/digital-forensics-autorun-registry-keys/
#SysInternals autorun utility

# Added the output of the strings program with word sizes larger than 8 characters
strings -a --bytes=8 $memImage > $outputDir/strings.txt

# Look through the privs file and identify "Interesting Privileges that are given to Processes"
cat $outputDir/privs | awk '{print $4}' | sort | uniq -c | sort -n > $outputDir/privs-list
cat $outputDir/privs | grep -i -e "sebackupprivilege" -e "sedebugprivilege" -e "seloaddriverprivilege" -e "sechangenotifyprivilege" -e "seshutdownprivilege" > $outputDir/privs-interesting


date

echo

No comments:

Post a Comment

Powershell - Gather Mapped Drives from a List of Computer Names

I created the following Powershell script to gather remotely the mapped drives that users had in their profiles.  I had to create the script...