Forensic IT How-To: Using Volatility to examine your RAM dump
In the previous forensic how-to, we made a dump of your computer's active RAM, or Random Access Memory. This is the memory that holds everything you're working on and with while your computer is on. Viruses and other malware can run exclusively in RAM, but you may also find cryptographic keys here - for example, the keys for whole disk encryption.
As you can imagine, whether you're a forensic IT'ist (working for the police or a private company) or a home user, you can get some very interesting information out of your RAM dump. So, let's start!
Required software
Before we can actually start, we need some software. We need two pieces of software. Well, we actually need one, but to use it, we need the other.
You may or may not be familiar with Python. Python is a general-purpose scripting language that anyone can pick up: from entire programs to dedicated scripts for data processing, it can do it all.
"So, where can I find this Python?" you ask? Well, we'll go to python.org. Please make sure you download the 2.x.x version of Python (I am using version 2.6.4)! The newer version, in the 3.x.x range, will not work with the next piece of software we'll need.
Install Python and go to the directory where you installed it.
The second piece of software we need is actually written in Python. It is called the Volatility Memory Forensics Framework. This software is capable of analyzing the RAM dump we made earlier. You can find the software on volatilesystems.com. Download the newest version (I am using version 1.3 beta in this post). Download, unpack and remember where you've unpacked it.
So, to sum up, we need the following two pieces of software, in order:
Download and install these two components according to the instructions above.
Step One: the command prompt and setting it up
Yes, a young person's nightmare: the command prompt. The older - or crazier - people among you are most likely quite familiar with it.
To open one, press the Start button. On Windows XP or older, click "Run..."; on Vista or newer, use the search field instead. Then type the command cmd and press Enter. This will open a command prompt for you.
Now we only need to set it up. We need to add Python's install directory to the PATH of this command prompt. For this, you need the directory you installed Python in. For me, this is D:\Program Files\Python 2.6.4. Type in the following (replace the path with your own Python path):
This adds your Python install path to the search path of the command prompt, so that the python command can be found. Experienced cmd/DOS people can of course do this in their sleep.
Now, go to the folder you unpacked Volatility in. For me, this is C:\Users\Michiel\Desktop\Volatility-1.3_Beta. I do this with the following command:
Now, you are in the folder you unpacked Volatility to. We are now ready to start for real.
Step Two: Dissect that dump!
Now you are ready to start for real. Yes - this time I mean it. If you've been smart enough to read the Readme.txt file that came with Volatility, you know what is possible.
For now, we'll just print out a list of processes that were running when the RAM dump was made. My dump is located at D:\ram.dmp. I type in the following:
This gives me a list of all running processes, as demonstrated in this image (note that it may take a while - depending on the size of your RAM dump - before any results show up):
These processes were running when I made the dump. You can, for example, compare this list with the process list in your Task Manager to find 'hidden' processes that might indicate malicious behavior: a process that is present in memory but is not shown by the live system is worth a closer look.
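As an added example (not code from the original post or from the Volatility project), here is a small PHP command-line script that automates the comparison just described: it parses a pslist-style table and a tasklist /fo csv export and reports every PID that the dump knows about but the live process list does not. Both inputs are constructed samples embedded in the script; the column layout they assume (Name and Pid as the first two columns of pslist, "Image Name" and "PID" as the first two CSV fields of tasklist) is an assumption to adjust if your Volatility version prints something different.

```php
<?php
// Added example, not part of the original post: cross-check the process list
// Volatility recovered from the dump against the process list the live system
// showed (Task Manager or "tasklist /fo csv"). Entries present in the dump but
// absent from the live view are candidates for closer inspection.
//
// Both inputs are constructed samples in the spirit of Volatility 1.3 "pslist"
// output and of "tasklist /fo csv" output; they are not real captures.

$pslistOutput = <<<'TXT'
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      57     255    Thu Jan 01 00:00:00 1970
smss.exe             380    4      3      19     Tue Nov 10 12:00:01 2009
csrss.exe            460    380    11     412    Tue Nov 10 12:00:02 2009
explorer.exe         1204   1180   21     610    Tue Nov 10 12:00:30 2009
svchost.exe          1340   612    9      203    Tue Nov 10 12:00:31 2009
TXT;

$tasklistCsv = <<<'TXT'
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"smss.exe","380","Services","0","512 K"
"csrss.exe","460","Console","1","4,096 K"
"explorer.exe","1204","Console","1","30,000 K"
TXT;

// Parse pslist text: skip the header line, then take the image name and PID
// from the start of each row (columns are separated by runs of whitespace).
function parsePslist($text) {
    $procs = [];
    $lines = explode("\n", trim($text));
    array_shift($lines);                       // drop the column header
    foreach ($lines as $line) {
        $fields = preg_split('/\s+/', trim($line));
        if (count($fields) < 2 || !ctype_digit($fields[1])) {
            continue;                          // not a process row
        }
        $procs[(int)$fields[1]] = $fields[0];  // PID => image name
    }
    return $procs;
}

// Parse the tasklist CSV export: skip the header row, then take
// "Image Name" and "PID" from each quoted record.
function parseTasklist($csv) {
    $procs = [];
    $lines = explode("\n", trim($csv));
    array_shift($lines);                       // drop the column header
    foreach ($lines as $line) {
        $fields = str_getcsv($line);
        if (count($fields) < 2 || !ctype_digit($fields[1])) {
            continue;
        }
        $procs[(int)$fields[1]] = $fields[0];  // PID => image name
    }
    return $procs;
}

// PIDs that exist in the dump but not in the live listing.
function hiddenProcesses(array $fromDump, array $fromLive) {
    return array_diff_key($fromDump, $fromLive);
}

$suspects = hiddenProcesses(parsePslist($pslistOutput), parseTasklist($tasklistCsv));
foreach ($suspects as $pid => $name) {
    printf("in dump but not in live process list: %s (PID %d)\n", $name, $pid);
}
```

Run it with php compare.php after pasting in your own pslist output and tasklist export. Keep in mind that the two snapshots are never taken at exactly the same moment, so a short-lived process that started or exited in between will show up as a difference too; treat the output as a list of things to examine, not as proof of a rootkit.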
Of course the Volatility Memory Forensics Framework can do lots and lots more. You can find a list of all its options in the readme file that accompanied it. For this example's sake, we'll show off one more:
This produces a list of all network connections that were active when the dump was made (this, also, may take a while):
Final words
And then some final words. The Volatility Framework is of course (almost) infinitely more feature-rich than shown in this how-to. I encourage you to walk through the readme file; it will provide you with a list of features.
I wish you much excitement when scavenging through your own memory dumps with Volatility. In the next how-to - I have no idea when it will come, though - I will write a piece about scanning for viruses within your dump.
Hope to see you later and don't forget to leave a comment if you liked it! See ya!
How-To: Use the PHP Data Objects class to access your database
If you're a PHP developer, you are of course aware of PDO; PHP Data Objects. Or are you?
PDO is the new way to communicate with databases, for example MySQL, PostgreSQL and MSSQL. When you're using MySQL, you may be using the following method to connect to your database:
$connection = new mysqli('localhost','username','password');
Or, even worse:
mysql_connect('localhost','username','password');
This of course is hopelessly outdated, and with PHP version 6 on the way, will soon be removed from the standard installed libraries. But there is a better, more Object Oriented way to connect to your database, and that is PHP Data Objects.
What is PDO?
According to php.net:
The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP. Each database driver that implements the PDO interface can expose database-specific features as regular extension functions. Note that you cannot perform any database functions using the PDO extension by itself; you must use a database-specific PDO driver to access a database server.
PDO provides a data-access abstraction layer, which means that, regardless of which database you're using, you use the same functions to issue queries and fetch data. PDO does not provide a database abstraction; it doesn't rewrite SQL or emulate missing features. You should use a full-blown abstraction layer if you need that facility.
PDO ships with PHP 5.1, and is available as a PECL extension for PHP 5.0; PDO requires the new OO features in the core of PHP 5, and so will not run with earlier versions of PHP.
Connecting to your MySQL database
So, how does one use it? Below is an example for MySQL (other databases might require a slightly different approach):
$connectionString = "mysql:host=localhost;dbname=database";
$pdo = new PDO($connectionString, 'username', 'password');
Now you can use the $pdo variable to do things, e.g.:
Retrieve information from tables
$results = $pdo->query("SELECT * FROM table");
foreach ($results as $result) {
    echo $result['field'] . "<br />\r\n";
}
This is how you read data from your database tables. Note that in this case you don't use a while loop with fetch_num or fetch_assoc (or similar), but a plain foreach loop over the result. You access the field values as you would in an ordinary array.
Queries that don't return anything: the wrong way to do it
For queries that don't return anything, for example INSERT and UPDATE queries, PDO provides the exec method. This method returns the number of rows affected (if any) by the query. Using it is simple:
$pdo->exec("INSERT INTO table (id, value) VALUES ('1', 'this is the value')");
But as soon as you paste user input into that query string, this method is susceptible to SQL injection. Therefore, the PDO class gives us another way to insert or alter information in the database: prepared statements. With a prepared statement the values are sent separately from the SQL text, so they can never be interpreted as SQL. This is the right way to do things, especially if you need to insert or alter user-submitted information. Here is an example of how to use prepared statements:
$stmt = $pdo->prepare("INSERT INTO table (name, value) VALUES (:name, :value)");
// bindParam binds by reference, so the variables may be assigned afterwards
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// insert a row
$name = 'one';
$value = 1;
$stmt->execute();
This is a safe way to insert or update data in your database. Of course you can use prepared statements with SELECT queries as well.
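To make the difference concrete, here is an added example that is not part of the original post: the "wrong way" (user input concatenated into the SQL string) next to the prepared-statement version, run against the same table. It uses the SQLite driver with an in-memory database so it runs without a MySQL server; to use it with MySQL, replace the DSN with the "mysql:host=localhost;dbname=database" string from above plus your credentials. The users table and the inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): the string-concatenation
// pattern beside the prepared-statement pattern, against the same data.
// SQLite in-memory is an assumption to keep the script self-contained; the
// PDO calls are the same for MySQL.

$pdo = new PDO('sqlite::memory:');
// Throw exceptions instead of silently returning false, so errors are not missed.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// The wrong way: the value becomes part of the SQL text.
function findUserUnsafe(PDO $pdo, $name) {
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The right way: the value travels as a bound parameter, never as SQL.
function findUserSafe(PDO $pdo, $name) {
    $stmt = $pdo->prepare("SELECT id, name, role FROM users WHERE name = :name");
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Writes follow the same pattern; rowCount() reports affected rows, like exec() does.
function addUser(PDO $pdo, $name, $role) {
    $stmt = $pdo->prepare("INSERT INTO users (name, role) VALUES (:name, :role)");
    $stmt->execute([':name' => $name, ':role' => $role]);
    return $stmt->rowCount();
}

// Constructed input of the kind a login form might submit: a quote plus an
// always-true condition. In the unsafe version it rewrites the WHERE clause
// and every row matches; in the safe version it is just a (non-existent) name.
$input = "x' OR '1'='1";

printf("unsafe query returned %d row(s)\n", count(findUserUnsafe($pdo, $input)));
printf("safe query returned %d row(s)\n", count(findUserSafe($pdo, $input)));

// A legitimate value containing an apostrophe needs no escaping at all.
printf("inserted %d row(s)\n", addUser($pdo, "o'brien", 'user'));
```

The only design choice worth pointing out is PDO::ERRMODE_EXCEPTION: with the default silent mode a failed prepare() returns false, and calling execute() on it produces a confusing secondary error instead of the real cause.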
The Basics
This provides you with the basics to select, insert and update data from and to your MySQL database. Later I will expand on this subject, and dive into the more complex possibilities of PDO, as well as how to access databases other than MySQL.
Forensic How-To: Copy your computer’s RAM
Matthieu Suiche, the developer of the windd utility, has sent me an email with some suggestions for updates for this post. I have added these suggestions in italic. Thank you, Matthieu.
In the first of what will hopefully become a series of forensic IT How-To guides: how to copy your computer's RAM memory! For the total morons (no offence) out there, your RAM memory is the memory where your active work is stored. For example, if you're typing a Word document, it is stored in your computer's RAM. For more information, see the Wikipedia page on Random Access Memory.
Like I said, in this first How-To we'll be copying your active RAM contents to a container file. Then you can do all kinds of things with it, such as searching for viruses that your virus scanner (you do have one, right?) didn't pick up, or other malware such as trojans. What exactly you can do with it and how you do it is outside the scope of this guide. I hope to write some more How-To's dealing with this in the future, though.
I have created this How-To on Windows 7 Ultimate 64 bit, but the tool (see the next section) we'll use also works on other Windows platforms, both 32 and 64 bit. As far as I know, it doesn't work on other operating systems (such as Linux), though. It only works on Windows; however, you can run the server part on a Linux machine, which will then receive the memory dump from a Windows PC.
The Tools
First, you need to download a tool. What a shock, right? You can't do anything on a computer without software, and copying your RAM memory is no different. The tool we'll use is win32dd (or to be exact, for 64 bit systems, it is win64dd).
This tool is available for free on this web site. It has a whole bunch of features, which also includes generating a crash report (by triggering a BSOD, for example), but for now we'll only focus on copying your computer's RAM. Windd can also generate a crash dump on the fly without requiring a restart of the system.
Download the ZIP file containing the files and extract them, for example to your My Documents folder. You may want to extract it to the root of a drive (for example, C:\), because this will make accessing the files from the command prompt easier.
Step One: The command prompt
Although we've been in the graphical UI age for ages now (funny!), some things just don't want to play along. The win32dd tool we've downloaded is such a piece of software. It is designed to be used from the command prompt.
Therefore, we'll open a command prompt. In Windows Vista and 7, you can just press the nice Windows-logo on your keyboard and type "cmd", enter. This will open the command prompt.
In other versions of Windows, such as XP, you need to open the Start menu, like above, but this time click Run. Now type cmd and press enter; now you have the same command prompt.
Note: You may need to run the command prompt as Administrator, depending on your UAC settings. To do this, right-click on the command prompt name in the programs list and select Run as Administrator. If you're not an administrator on the computer you're working on, I don't know how you can get around this, and you may not be able to use the win32dd tool in the manner described in this guide.
As you can see in the screenshot above (click on it for a larger version), the command prompt default path is your directory on your computer, which is, in my case, C:\Users\Michiel.
We need to go to the directory in which you have stored the tool we've just downloaded. You do this by typing in the command cd [path]. An example:
Note that if you're running a 64 bit version of Windows, you need to have the folder 64bits_amd64. If you're running a 32 bit version, you need the folder named 32bits_i386.
You can now see that your working directory has been changed:
Now we are in the right directory and can begin using the tool.
Step Two: Copying your RAM
When you're ready to use the tool, we can start! Win32dd has a whole lot of options, too many to explain (and too many for me to know after only knowing it exists for two days...), so we'll stick to our goal. You're free to explore the other options though, such as generating a crash dump.
To start the copying, enter the following command:
In the above example, we'll want the contents of our RAM to be copied to C:\dump.bin. When hitting the enter key, we'll see the following:

win64dd reads your RAM information and asks you for confirmation (in this example, I will create the dump at d:\dump.bin)
Press Y and the acquisition of your RAM will commence. Depending on your computer's capabilities (disk read/write speed, CPU power, etc.) and RAM size (for example, my RAM is 4 gigabytes), this may take some time.
Once it has finished, you will see the following:
When you open the directory you've created the BIN file in, you'll see that the file is slightly larger than your actual RAM size.
Congratulations, you have now acquired a copy of your computer's Random Access Memory!
Final words
You can do all kinds of things with your RAM copy, as I've mentioned before. You can check it for viruses, trojans and other malware (some malware only runs in RAM and is not found on the hard drive), you can extract files from it (for example, a Word document that was open at the time of the copy), see all running processes, open connections, and much more.
This falls outside the scope of this How-To, but I intend to write more How-To's on this, including how to do the things mentioned above.
Thank you for reading and if you've got any questions or just want to thank me for writing this How-To (no, I'm not vain), just comment on this post.
Related links
Matthieu Suiche
Connecting to the Hogeschool Leiden VPN under 64 bit
Notice: this guide is not only useful for students at the Hogeschool Leiden! It will work for anyone with a laptop running a 64 bit version of Windows or Linux who cannot use the default Cisco VPN Client (available on Blackboard at the Hogeschool). As long as you have a PCF configuration file, you can use this guide. This guide is tested under Windows 7 Ultimate.
Update - Shrew Soft has released the new VPN client - so no more release candidates to use! You'll be looking for the 2.1.5 release of the VPN client here.
In this so-called 'guide', I will lay out a method to connect to the VPN of the Hogeschool Leiden under 64 bit. This has been tested under Windows 7, but I have reason to believe it'll work on other 64 bit Windows machines (and even Linux) as well.
This guide will circumvent the 'virtual XP mode' available on Windows 7, mostly because I find it a ridiculous way to do things. No, this guide will use the Shrew Soft VPN Client, version 2.1.5-rc-5 or later. This software is free for both private and commercial use.
The great thing about this piece of software - for which the developers have compiled it in 64 bit as well, something the idiots at Cisco didn't do - is that it can import Cisco PCF (configuration) files!
Step One: acquire the PCF configuration file
The first step is to get the PCF configuration file for the VPN network at the Hogeschool. This file contains all the information a VPN client needs to connect to the network in a file format that reminds me (and you of course) of an INI file.
The Cisco VPN Client, including the above mentioned PCF file, can be downloaded from Blackboard. Alternatively, the PCF file can be downloaded from this site here. If you download it from this link, you can proceed to Step Two and ignore the rest of this step.
If you've downloaded the Cisco VPN Client ZIP file from BB, extract it to your hard disk. The folder will contain a whole list of files, but the one you're looking for is VPNhogeschool.pcf. Copy this file somewhere else or remember the name. If you're feeling curious, you can open the file in Notepad and see the INI-like file format - not that there is any useful information in it for you...
Step Two: Download the Shrew Soft VPN Client
Step Two is to download the Shrew Soft VPN Client from this web site's download page. At the time of writing, the version you need is still a development version - a release candidate, to be exact. Scroll down and download 2.1.5-rc-5 or later if available (Update: VPN client 2.1.5 is out, so you don't need to use a release candidate anymore!). This will provide you with a VPN client that does work under 64 bit Windows 7.
Step Three: Install the VPN Client
It could not be more basic: just install the VPN client. Once it is installed, open the Access Manager.
Step Four: Import the PCF file and connect
When you've started the VPN client, you'll see a window very similar to the Cisco client.

The Shrew Soft VPN client started for the first time
Now click File -> Import... and select the file type PCF to see VPNhogeschool.pcf. Import the file, and you'll see a new connection.

The VPNhogeschool connection is added
Click it, and press Connect. It will ask you for your login information, which is your student number (sxxxxxxx) and your password. Click Connect, and the VPN client will connect - voilà, you can now use the internet on your 64 bit laptop without the Cisco VPN Client - Take That, Cisco!

A VPN connection is established!
Fine print
Now for the fine print. I have not asked the school whether the usage of the Shrew Soft VPN Client - or any client other than Cisco's, for that matter - is allowed on the network. Using the client on the Hogeschool Leiden network is at your own risk.
Also, at the time of writing, the version I use is only a Release Candidate. It can therefore contain bugs and might not work. It might crash your computer. It might cause your computer to grow legs and jump out the nearest window - I am not responsible for this. I have not worked on the Shrew Soft VPN Client and do not get paid by them to use those words (although, maybe I should - I've used it a bunch of times by now).
Usage is at your own risk. I am happy to help with any questions you might have - just comment on this post - but I won't be able to fix bugs; send those to Shrew Soft.