Category Archives: Forensics

Windows Requesting Odd Files on a Share

Categories: Forensics

Some odd files were seen being accessed on a server share. When it was investigated, the files didn’t exist on the server at all and apparently never had. Through more testing, it appeared the client was making these requests. I thought it was maybe AV or some other product, but after disabling everything, they were still occurring. Finally, I tried from a freshly built VM (I’ve also tried on existing VMs and on a physical machine, though not on a freshly installed physical machine). No matter where I tried the following steps from, I would see hundreds of these requests to read files on the share. I’m wondering if anyone has seen this before, or knows what could be doing this. Details below.

Updated:

Several people on Twitter commented that this was part of Windows Application Compatibility. While I was looking through files trying to find which might contain these paths, Francisco Falcon provided the answer. The files are referenced in c:\windows\apppatch\sysmain.sdb, which is used by c:\windows\system32\apphelp.dll.

Essentially, Windows is trying to determine whether this unknown setup.exe (or install.exe or update.exe or …) needs to be run with any compatibility mode options, based on what it knows from the Application Compatibility Database. I knew about Application Compatibility, but didn’t know it would be so proactive. Here are a few more links people provided with some additional information that may be helpful.

I also modified the post below to add the files that are accessed when you encounter an install.exe or update.exe in case someone runs across this in the future and is searching for these filenames.

Volatility Plugin – Chrome History

Categories: Forensics, Volatility


As part of the 2014 Volatility Plugin Contest, I created 6 plugins for locating Chrome browser history related artifacts:

They are all in the chromehistory.py module found on my volatility-plugins repo on GitHub. They also depend on the sqlite_help.py module in the same location, which provides some useful functions for manipulating data in SQLite databases. Firefox and Chrome both store history and browsing data in SQLite databases. Because each table has a fixed number and type of fields, certain values can be expected at certain positions in each record, which allows records of a given table to be located in memory.
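As an added illustration of that record-shape idea (this is not code from chromehistory.py or sqlite_help.py), the following Python parses SQLite record headers and carves rows shaped like Chrome's urls table out of a byte buffer; the two sample rows and the filler bytes around them are constructed here.

```python
import struct

def encode_varint(v):
    # SQLite varint: big-endian, 7 bits per byte, high bit set on all but the last.
    out = [v & 0x7F]
    v >>= 7
    while v:
        out.append(0x80 | (v & 0x7F))
        v >>= 7
    return bytes(reversed(out))

def read_varint(buf, pos):
    # Returns (value, offset after the varint); a 9th byte contributes all 8 bits.
    value = 0
    for i in range(8):
        b = buf[pos + i]
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9

def serial_len(st):
    # Payload size of a serial type; 10/11 are reserved, >= 12 are BLOB (even) / TEXT (odd).
    fixed = {0: 0, 1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8, 7: 8, 8: 0, 9: 0}
    if st in fixed:
        return fixed[st]
    if st < 12:
        raise ValueError("reserved serial type")
    return (st - 12) // 2 if st % 2 == 0 else (st - 13) // 2

def decode_value(st, raw):
    if st == 0:
        return None
    if st in (8, 9):
        return st - 8                                   # literal 0 / 1, no payload
    if st <= 6:
        return int.from_bytes(raw, "big", signed=True)
    if st == 7:
        return struct.unpack(">d", raw)[0]
    return bytes(raw) if st % 2 == 0 else raw.decode("utf-8", "replace")

def encode_record(values):
    # None -> serial type 0, which is how SQLite stores an INTEGER PRIMARY KEY such as
    # urls.id inside the record; ints use the smallest signed size; str is UTF-8 TEXT.
    types, body = [], b""
    for v in values:
        if v is None:
            types.append(0)
        elif isinstance(v, int):
            n = next(n for n in (1, 2, 3, 4, 6, 8) if -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)))
            types.append({1: 1, 2: 2, 3: 3, 4: 4, 6: 5, 8: 6}[n])
            body += v.to_bytes(n, "big", signed=True)
        else:
            raw = v.encode("utf-8")
            types.append(2 * len(raw) + 13)
            body += raw
    type_bytes = b"".join(encode_varint(t) for t in types)
    return encode_varint(len(type_bytes) + 1) + type_bytes + body

def parse_record(buf, pos):
    # Returns (serial_types, values, end_offset) for the record starting at buf[pos].
    hdr_len, p = read_varint(buf, pos)
    hdr_end, types, values = pos + hdr_len, [], []
    while p < hdr_end:
        st, p = read_varint(buf, p)
        types.append(st)
    if p != hdr_end:
        raise ValueError("serial types overran the header")
    for st in types:
        raw = buf[p:p + serial_len(st)]
        if len(raw) != serial_len(st):
            raise ValueError("truncated record")
        values.append(decode_value(st, raw))
        p += len(raw)
    return types, values, p

# Expected header shape of Chrome's urls table, one predicate per column: NULL in the
# rowid column, then a 6- or 8-byte last_visit_time (WebKit microseconds since 1601).
is_int = lambda st: st in (1, 2, 3, 4, 5, 6, 8, 9)
is_text = lambda st: st >= 13 and st % 2 == 1
URLS_SHAPE = (lambda st: st == 0, is_text, is_text, is_int, is_int,
              lambda st: st in (5, 6), is_int, is_int)
URLS_COLS = ("id", "url", "title", "visit_count", "typed_count",
             "last_visit_time", "hidden", "favicon_id")

def carve(buf, shape=URLS_SHAPE, columns=URLS_COLS):
    # Try every offset as a record start; keep records whose header matches the shape.
    hits = []
    for pos in range(len(buf)):
        try:
            hdr_len, _ = read_varint(buf, pos)
            if not len(shape) + 1 <= hdr_len <= 2 * len(shape) + 1:
                continue
            types, values, _ = parse_record(buf, pos)
        except (ValueError, IndexError):
            continue
        if len(types) == len(shape) and all(ok(st) for ok, st in zip(shape, types)):
            hits.append(dict(zip(columns, values)))
    return hits
# Constructed sample: two urls rows with filler around them, as they might sit in a dump.
SAMPLE_BUFFER = (b"\xff" * 6
    + encode_record([None, "http://www.cnn.com/", "CNN.com - Breaking News", 1, 1, 13053902133514058, 0, 0])
    + b"\x00\x00\xff\xff"
    + encode_record([None, "https://www.facebook.com/", "Welcome to Facebook", 2, 0, 13053964190603591, 0, 0])
    + b"\xff" * 6)
```

Running `carve(SAMPLE_BUFFER)` returns both rows as dicts; on a real dump the same scan is what produces partial records with overwritten fields, which is why a plugin needs a null-timestamp filter.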

A sample memory image is available at voltest.zip, and the corresponding History and Cookies files from that image are at chrome_history and chrome_cookies, respectively, for comparison with the plugin output.  I’ve tested the plugins on Chrome 30 and Chrome 37. There are some slight differences between the schemas in these versions and the plugins should handle them, and presumably versions in between.

Like the core Volatility module iehistory, this module adds similar functionality for Chrome browsing history.  It can print output in the default table format or in CSV or bodyfile format.  This is useful for combining with other plugins to create a timeline.  According to W3Schools, Firefox and Chrome make up about 85% of the browser share as of July 2014, so this and my other plugin in the contest help round out Volatility’s browser coverage.

Usage and output for the plugins is below.

chromehistory

The chromehistory plugin extracts records from the Chrome urls table in the History SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. The full output from the sample image is copied below with all 15 records that are in the chrome_history database linked to above, showing the plugin was able to locate them all. The output contains, among other fields, the URL, page title, number of visits, and the last visit time. The URL may occasionally be truncated, but the full URL can be displayed in CSV format. In addition, the last visit timestamp is used in the bodyfile.

The plugin also supports a -N option, for NULLTIME. This will omit any records found with a “null timestamp”. There are no examples in the output below, but sometimes the plugin finds partial records where some data has been overwritten or is incomplete. These often have an invalid timestamp which gets displayed as the epoch time, 1601/01/01. If these entries are a problem, the -N option will omit them from the output.

The urls table only records the last visit to a specific URL along with a count of the number of visits. To see every visit to a URL, see the chromevisits plugin below.

$ vol.py --plugins=plugins/ -f voltest.dmp chromehistory
Volatility Foundation Volatility Framework 2.4
Index  URL                                                                              Title                                                                            Visits Typed Last Visit Time            Hidden Favicon ID
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ------ ----- -------------------------- ------ ----------
    15 https://www.google.com/webhp?sourceid=c...pv=2&ie=UTF-8#q=What%20is%20Volatliity                                                                                       1     0 2014-08-31 13:09:30.069591      0          0
     8 https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8       Google                                                                                2     0 2014-08-30 19:58:20.439710      0          0
    13 http://www.ubuntu.com/download/desktop/...ou/?version=14.04.1&architecture=amd64 Thanks for downloading Ubuntu Desktop | Ubuntu                                        1     0 2014-08-30 19:56:08.004058      0          0
    14 http://www.ubuntu.com/download/desktop/...=US&version=14.04.1&architecture=amd64 Thanks for downloading Ubuntu Desktop | Ubuntu                                        1     0 2014-08-30 19:56:08.004058      0          0
    12 http://www.ubuntu.com/download/desktop/...te/?version=14.04.1&architecture=amd64 Contribute to Ubuntu | Ubuntu | Ubuntu                                                1     0 2014-08-30 19:56:04.495058      0          0
    11 http://www.ubuntu.com/download/desktop                                           Download Ubuntu Desktop | Download | Ubuntu                                           1     0 2014-08-30 19:56:01.778058      0          0
     9 https://www.google.com/webhp?sourceid=c...=1&espv=2&ie=UTF-8#q=ubuntu%20download                                                                                       1     0 2014-08-30 19:55:46.171058      0          0
     5 http://www.facebook.com/                                                         Welcome to Facebook - Log In, Sign Up or Learn More                                   2     2 2014-08-31 13:09:50.603591      0          0
     7 http://www.cnn.com/                                                              CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News             1     1 2014-08-30 19:55:33.514058      0          0
     6 https://www.facebook.com/                                                        Welcome to Facebook - Log In, Sign Up or Learn More                                   2     0 2014-08-31 13:09:50.603591      0          0
    10 http://www.ubuntu.com/download                                                   Get Ubuntu | Download | Ubuntu                                                        1     0 2014-08-30 19:55:54.285058      0          0
     4 http://www.foxnews.com/                                                          Fox News - Breaking News Updates | Latest News Headlines | Photos & News Videos       1     1 2014-08-18 01:55:04.057529      0          0
     1 http://tools.google.com/chrome/intl/en/welcome.html                              Getting Started                                                                       1     0 2014-08-18 01:53:54.354616      0          0
     3 https://www.google.com/                                                          Google                                                                                1     1 2014-08-18 01:54:43.940616      0          0
     2 https://www.google.com/intl/en/chrome/browser/welcome.html                       Getting Started                                                                       1     0 2014-08-18 01:53:54.354616      0          0

chromevisits

The chromevisits plugin extracts records from the Chrome visits table in the History SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. The full output from the sample image is copied below with all 18 records that are in the chrome_history database linked to above, showing the plugin was able to locate them all.

The visits table doesn’t contain the actual URLs that were visited; those are stored in the urls table, so a SQL JOIN is needed to combine the two. The default behavior of the plugin is to call the chromehistory plugin internally, then search for visits records and combine the data before printing. If only the data from the visits table is desired, the -Q (QUICK) option can be given. This will run much faster, but will provide a limited amount of information.

The visits table contains the URL id, the last visit time, and the “transition” field. Details of the transition field values can be found at the following links:

In the full output, there are two last visit times. The first is from the visits table and will be the time for that visit; the second is the time from the urls table, so it will correspond to the most recent visit, even when displayed on an earlier visit. The URL field in the full output may occasionally be truncated, but the full URL can be displayed in CSV format. In addition, the last visit timestamp is used in the bodyfile.

visits – QUICK
$ vol.py --plugins=plugins/ -f voltest.dmp chromevisits -Q
Volatility Foundation Volatility Framework 2.4
Visit ID URL ID Visit Time                 From Visit Transition                                                   Segment ID Is Indexed Visit Duration
-------- ------ -------------------------- ---------- ------------------------------------------------------------ ---------- ---------- --------------
      18      6 2014-08-31 13:09:50.603591         17 TYPED;CHAIN_END;SERVER_REDIRECT;                                      0 n/a            2994192297
      17      5 2014-08-31 13:09:50.603591          0 TYPED;CHAIN_START;                                                    3 n/a                     0
      14     14 2014-08-30 19:56:08.004058         13 LINK;CHAIN_END;SERVER_REDIRECT;                                       0 n/a           62001879533
      15      8 2014-08-30 19:58:20.439710          0 GENERATED;FROM_ADDRESS_BAR;CHAIN_START;                               0 n/a                     0
      12     12 2014-08-30 19:56:04.495058         11 FORM_SUBMIT;CHAIN_START_END;                                          0 n/a               3509000
      11     11 2014-08-30 19:56:01.778058         10 LINK;CHAIN_START_END;                                                 0 n/a               2717000
      10     10 2014-08-30 19:55:54.285058          0 LINK;CHAIN_START_END;                                                 0 n/a               7493000
      13     13 2014-08-30 19:56:08.004058         12 LINK;CHAIN_START;                                                     0 n/a                     0
       7      7 2014-08-30 19:55:33.514058          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               4 n/a              12962000
       9      9 2014-08-30 19:55:46.171058          8 LINK;CHAIN_END;CLIENT_REDIRECT;                                       0 n/a                     0
       8      8 2014-08-30 19:55:41.021058          0 GENERATED;FROM_ADDRESS_BAR;CHAIN_START;                               0 n/a                     0
      16     15 2014-08-31 13:09:30.069591         15 LINK;CHAIN_END;CLIENT_REDIRECT;                                       0 n/a                     0
       4      4 2014-08-18 01:55:04.057529          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               2 n/a              13520000
       2      2 2014-08-18 01:53:54.354616          1 START_PAGE;CHAIN_END;SERVER_REDIRECT;                                 0 n/a              83221913
       5      5 2014-08-30 19:55:26.138058          0 TYPED;CHAIN_START;                                                    3 n/a                     0
       3      3 2014-08-18 01:54:43.940616          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               1 n/a                     0
       6      6 2014-08-30 19:55:26.138058          5 TYPED;CHAIN_END;SERVER_REDIRECT;                                      0 n/a                     0
       1      1 2014-08-18 01:53:54.354616          0 START_PAGE;CHAIN_START;                                               0 n/a                     0
visits – FULL
$ vol.py --plugins=plugins/ -f voltest.dmp chromevisits
Volatility Foundation Volatility Framework 2.4
Visit ID URL ID Visit Time                 From Visit Transition                                                   Segment ID Is Indexed Visit Duration URL                                                                              Title                                                                            Visits Typed Last Visit Time            Hidden Favicon ID
-------- ------ -------------------------- ---------- ------------------------------------------------------------ ---------- ---------- -------------- -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ------ ----- -------------------------- ------ ----------
      18      6 2014-08-31 13:09:50.603591         17 TYPED;CHAIN_END;SERVER_REDIRECT;                                      0 n/a            2994192297 https://www.facebook.com/                                                        Welcome to Facebook - Log In, Sign Up or Learn More                                   2     0 2014-08-31 13:09:50.603591      0          0
      17      5 2014-08-31 13:09:50.603591          0 TYPED;CHAIN_START;                                                    3 n/a                     0 http://www.facebook.com/                                                         Welcome to Facebook - Log In, Sign Up or Learn More                                   2     2 2014-08-31 13:09:50.603591      0          0
      14     14 2014-08-30 19:56:08.004058         13 LINK;CHAIN_END;SERVER_REDIRECT;                                       0 n/a           62001879533 http://www.ubuntu.com/download/desktop/...=US&version=14.04.1&architecture=amd64 Thanks for downloading Ubuntu Desktop | Ubuntu                                        1     0 2014-08-30 19:56:08.004058      0          0
      15      8 2014-08-30 19:58:20.439710          0 GENERATED;FROM_ADDRESS_BAR;CHAIN_START;                               0 n/a                     0 https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8       Google                                                                                2     0 2014-08-30 19:58:20.439710      0          0
      12     12 2014-08-30 19:56:04.495058         11 FORM_SUBMIT;CHAIN_START_END;                                          0 n/a               3509000 http://www.ubuntu.com/download/desktop/...te/?version=14.04.1&architecture=amd64 Contribute to Ubuntu | Ubuntu | Ubuntu                                                1     0 2014-08-30 19:56:04.495058      0          0
      11     11 2014-08-30 19:56:01.778058         10 LINK;CHAIN_START_END;                                                 0 n/a               2717000 http://www.ubuntu.com/download/desktop                                           Download Ubuntu Desktop | Download | Ubuntu                                           1     0 2014-08-30 19:56:01.778058      0          0
      10     10 2014-08-30 19:55:54.285058          0 LINK;CHAIN_START_END;                                                 0 n/a               7493000 http://www.ubuntu.com/download                                                   Get Ubuntu | Download | Ubuntu                                                        1     0 2014-08-30 19:55:54.285058      0          0
      13     13 2014-08-30 19:56:08.004058         12 LINK;CHAIN_START;                                                     0 n/a                     0 http://www.ubuntu.com/download/desktop/...ou/?version=14.04.1&architecture=amd64 Thanks for downloading Ubuntu Desktop | Ubuntu                                        1     0 2014-08-30 19:56:08.004058      0          0
       7      7 2014-08-30 19:55:33.514058          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               4 n/a              12962000 http://www.cnn.com/                                                              CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News             1     1 2014-08-30 19:55:33.514058      0          0
       9      9 2014-08-30 19:55:46.171058          8 LINK;CHAIN_END;CLIENT_REDIRECT;                                       0 n/a                     0 https://www.google.com/webhp?sourceid=c...=1&espv=2&ie=UTF-8#q=ubuntu%20download                                                                                       1     0 2014-08-30 19:55:46.171058      0          0
       8      8 2014-08-30 19:55:41.021058          0 GENERATED;FROM_ADDRESS_BAR;CHAIN_START;                               0 n/a                     0 https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8       Google                                                                                2     0 2014-08-30 19:58:20.439710      0          0
      16     15 2014-08-31 13:09:30.069591         15 LINK;CHAIN_END;CLIENT_REDIRECT;                                       0 n/a                     0 https://www.google.com/webhp?sourceid=c...pv=2&ie=UTF-8#q=What%20is%20Volatliity                                                                                       1     0 2014-08-31 13:09:30.069591      0          0
       4      4 2014-08-18 01:55:04.057529          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               2 n/a              13520000 http://www.foxnews.com/                                                          Fox News - Breaking News Updates | Latest News Headlines | Photos & News Videos       1     1 2014-08-18 01:55:04.057529      0          0
       2      2 2014-08-18 01:53:54.354616          1 START_PAGE;CHAIN_END;SERVER_REDIRECT;                                 0 n/a              83221913 https://www.google.com/intl/en/chrome/browser/welcome.html                       Getting Started                                                                       1     0 2014-08-18 01:53:54.354616      0          0
       5      5 2014-08-30 19:55:26.138058          0 TYPED;CHAIN_START;                                                    3 n/a                     0 http://www.facebook.com/                                                         Welcome to Facebook - Log In, Sign Up or Learn More                                   2     2 2014-08-31 13:09:50.603591      0          0
       3      3 2014-08-18 01:54:43.940616          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               1 n/a                     0 https://www.google.com/                                                          Google                                                                                1     1 2014-08-18 01:54:43.940616      0          0
       6      6 2014-08-30 19:55:26.138058          5 TYPED;CHAIN_END;SERVER_REDIRECT;                                      0 n/a                     0 https://www.facebook.com/                                                        Welcome to Facebook - Log In, Sign Up or Learn More                                   2     0 2014-08-31 13:09:50.603591      0          0
       1      1 2014-08-18 01:53:54.354616          0 START_PAGE;CHAIN_START;                                               0 n/a                     0 http://tools.google.com/chrome/intl/en/welcome.html                              Getting Started                                                                       1     0 2014-08-18 01:53:54.354616      0          0

chromesearchterms

The chromesearchterms plugin extracts records from the Chrome keyword_search_terms table in the History SQLite database file. It supports --output=csv to print in CSV format. There is no timestamp, so the bodyfile format is not supported. The full output from the sample image is copied below with the 2 records that are in the chrome_history database linked to above, showing the plugin was able to locate both of them. The output contains the search term and its lowercase representation, along with the URL ID of the URL in the urls table (chromehistory plugin) that corresponds to the search, so the full search URL can be referenced.

$ vol.py --plugins=plugins/ -f voltest.dmp chromesearchterms
Volatility Foundation Volatility Framework 2.4
Row ID Keyword ID URL ID Lowercase                                                        Entered Text
------ ---------- ------ ---------------------------------------------------------------- ----------------------------------------------------------------
     2          2     15 what is volatliity                                               What is Volatliity
     1          2      9 ubuntu download                                                  ubuntu download

chromedownloads

The chromedownloads plugin extracts records from the Chrome downloads table in the History SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. Since the output of this plugin is rather small in my examples, I’m including the CSV and bodyfile outputs as an example of what most of these plugins provide. The full output from the sample image is copied below with the 2 records that are in the chrome_history database linked to above, showing the plugin was able to locate both of them. The output contains the path where the file is being saved, the received and total bytes downloaded, and usually the referrer. In addition, it includes the start and end times, which are used in the bodyfile. Later versions of Chrome (I think around 36) added the two MIME fields, which is why they’re empty in this sample.

Standard Text Output
$ vol.py --plugins=plugins/ -f voltest.dmp chromedownloads
Volatility Foundation Volatility Framework 2.4
Row Id Current Path                                                                     Target Path                                                                      Start Time                 Received     Total Bytes  State Danger Interrupt End Time                   Opened Referer                                                          By Ext ID By Ext Name ETag                     Last Modified                  MIME Type                        Original MIME Type
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -------------------------- ------------ ------------ ----- ------ --------- -------------------------- ------ ---------------------------------------------------------------- --------- ----------- ------------------------ ------------------------------ -------------------------------- --------------------------------
     2 C:\Users\test\Downloads\npp.6.6.8.Installer.exe                                  C:\Users\test\Downloads\npp.6.6.8.Installer.exe                                  2014-08-31 13:13:32.123849      7920175      7920175     1      4         0 2014-08-31 13:19:06.350249      0                                                                                        "594509918"              Sun, 27 Jul 2014 22:42:03 GMT
     1                                                                                  C:\Users\test\Downloads\ubuntu-14.04.1-desktop-amd64.iso                         2014-08-30 19:56:11.491058     46641733   1028653056     4      0        20 1601-01-01 00:00:00             0 http://www.ubuntu.com/download/...ion=14.04.1&architecture=amd64                       "38d2064-3d...fdb504980" Tue, 22 Jul 2014 22:36:38 GMT
CSV Output
$ vol.py --plugins=plugins/ -f 2014contest/voltest.dmp chromedownloads --output=csv
Volatility Foundation Volatility Framework 2.4
"id","current_path","target_path","start_time","received_bytes","total_bytes","state","danger","interrupt","end_time","opened","referer","by_ext_id","by_ext_name","etag","last_modified","mime_type","original_mime_type"
"2","C:\Users\test\Downloads\npp.6.6.8.Installer.exe","C:\Users\test\Downloads\npp.6.6.8.Installer.exe","2014-08-31 13:13:32.123849","7920175","7920175","1","4","0","2014-08-31 13:19:06.350249","0","","","","""594509918""","Sun, 27 Jul 2014 22:42:03 GMT","",""
"1","","C:\Users\test\Downloads\ubuntu-14.04.1-desktop-amd64.iso","2014-08-30 19:56:11.491058","46641733","1028653056","4","0","20","1601-01-01 00:00:00","0","http://www.ubuntu.com/download/desktop/thank-you?country=US&version=14.04.1&architecture=amd64","","","""38d2064-3d500000-4fecfdb504980""","Tue, 22 Jul 2014 22:36:38 GMT","",""
Bodyfile Output
$ vol.py --plugins=plugins/ -f 2014contest/voltest.dmp chromedownloads --output=body
Volatility Foundation Volatility Framework 2.4
0|[CHROMEDOWNLOADS]  -> C:\Users\test\Downloads\npp.6.6.8.Installer.exe (7920175 bytes|0|---------------|0|0|0|1409491146|1409491146|1409491146|1409490812
0|[CHROMEDOWNLOADS] http://www.ubuntu.com/download/desktop/thank-you?country=US&version=14.04.1&architecture=amd64 -> C:\Users\test\Downloads\ubuntu-14.04.1-desktop-amd64.iso (1028653056 bytes|0|---------------|0|0|0|-11644473600|-11644473600|-11644473600|1409428571
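The timestamp handling behind the 1601-01-01 entries and the bodyfile lines above, and the null-timestamp filtering that the -N option under chromehistory describes, as an added example rather than the plugin's own code; the two download rows are constructed from the sample output.

```python
from datetime import datetime, timedelta

# Chrome (WebKit) timestamps are microseconds since 1601-01-01 00:00:00 UTC.
# The Unix epoch sits this many seconds later, which is why a zero timestamp
# shows up as -11644473600 in bodyfile output and as 1601-01-01 in the tables.
EPOCH_DELTA = 11644473600
WEBKIT_EPOCH = datetime(1601, 1, 1)

def webkit_to_unix(ts):
    # Whole seconds since 1970, as used in the bodyfile time columns.
    return ts // 1000000 - EPOCH_DELTA

def format_webkit(ts):
    # Table-style rendering: fractional seconds are printed only when non-zero.
    dt = WEBKIT_EPOCH + timedelta(microseconds=ts)
    text = "%04d-%02d-%02d %02d:%02d:%02d" % (dt.year, dt.month, dt.day,
                                            dt.hour, dt.minute, dt.second)
    return text + ".%06d" % dt.microsecond if dt.microsecond else text

def is_null_time(ts):
    # What a -N (NULLTIME) style filter keys on: a zero or overwritten timestamp.
    return not ts

def download_bodyfile_line(row):
    # TSK 3.x bodyfile layout: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    # The download's end time fills atime/mtime/ctime and its start time is crtime.
    name = "[CHROMEDOWNLOADS] %s -> %s (%d bytes)" % (
        row["referer"], row["target_path"], row["total_bytes"])
    end, start = webkit_to_unix(row["end_time"]), webkit_to_unix(row["start_time"])
    return "0|%s|0|---------------|0|0|0|%d|%d|%d|%d" % (name, end, end, end, start)

def bodyfile(rows, skip_null=False):
    # skip_null mirrors -N: drop rows whose start time was never set or was overwritten.
    return [download_bodyfile_line(r) for r in rows
            if not (skip_null and is_null_time(r["start_time"]))]

# Constructed rows mirroring the two downloads in the sample output above.
SAMPLE_DOWNLOADS = [
    {"target_path": r"C:\Users\test\Downloads\npp.6.6.8.Installer.exe", "referer": "",
     "total_bytes": 7920175, "start_time": 13053964412123849, "end_time": 13053964746350249},
    {"target_path": r"C:\Users\test\Downloads\ubuntu-14.04.1-desktop-amd64.iso",
     "referer": "http://www.ubuntu.com/download/desktop/thank-you?country=US&version=14.04.1&architecture=amd64",
     "total_bytes": 1028653056, "start_time": 13053902171491058, "end_time": 0},
]
```

`bodyfile(SAMPLE_DOWNLOADS)` reproduces the four time columns shown above, including the -11644473600 end time of the interrupted Ubuntu download.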

chromedownloadchains

The chromedownloadchains plugin extracts records from the Chrome downloads_url_chains table in the History SQLite database file. It supports --output=csv to print in CSV format. There is no timestamp, so the bodyfile format is not supported. The full output from the sample image is copied below with the 2 records that are in the chrome_history database linked to above, showing the plugin was able to locate both of them. In this example, there is only one URL in each download chain; however, when there are redirects through multiple URLs, they will all show up and the “Chain ID/Chain Index” combination will be unique for each one.

$ vol.py --plugins=plugins/ -f voltest.dmp chromedownloadchains
Volatility Foundation Volatility Framework 2.4
Row ID Chain ID    Chain Index URL
------ ----------- ----------- ------------------------------------------------------------------------------------------------------------------------
     2           2           0 http://download.tuxfamily.org/notepadplus/6.6.8/npp.6.6.8.Installer.exe
     1           1           0 http://ubuntu-releases.cs.umn.edu/14.04.1/ubuntu-14.04.1-desktop-amd64.iso

chromecookies

The chromecookies plugin extracts records from the Chrome cookies table in the Cookies SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. A snippet of the full output from the sample image is copied below, since there are hundreds of cookies even from just visiting a few sites. The chrome_cookies file linked above was taken from the machine the memory image was taken from and can be used for comparison, but the plugin will find all the cookies in the SQLite database in the memory image. The output contains the host key, the cookie name, the path, and the value and encrypted value. Chrome started encrypting cookie values early in 2014. Older cookies will still show the unencrypted value though.

Currently, the plugin can decrypt cookies from a Mac or Linux system. The plugin supports the -K option to specify the password. This is only needed for Mac cookies. The password value can be obtained by running the following on the source Mac system to extract the password from Keychain.

security find-generic-password -w -s "Chrome Safe Storage"

On Linux, the password has a fixed value of ‘peanuts’ and this is coded into the plugin. This post contains details on decrypting the cookie values and was used in writing this part of the plugin. This post has details on decrypting Windows cookies, but this is not supported in the plugin yet. The plugin also supports the -O option to specify the OS (mac, linux, windows), rather than relying on the profile. This is helpful if running the plugin directly against a Cookies SQLite file.

In addition, the output contains the creation time, last access time, and the expiration time of the cookies, which are all used in the body file output.

Cookies – Basic example
$ vol.py --plugins=plugins/ -f voltest.dmp chromecookies | more
Volatility Foundation Volatility Framework 2.4
Creation Time              Host Key                         Name             Value                                                                            Path                     Expires Time               Secure HttpOnly Last Access Time           Expires Persistent Priority   Encrypted Value
-------------------------- -------------------------------- ---------------- -------------------------------------------------------------------------------- ------------------------ -------------------------- ------ -------- -------------------------- ------- ---------- ---------- --------------------------------------------------------------------------------
2014-08-30 19:55:42.098058 www.cnn.com                      octowebstatid                                                                                     /                        2015-08-30 19:55:42             0        0 2014-08-30 19:55:42.098058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...332d8a688f51cb124c5b0817e6d59ab56696ab
2014-08-30 19:56:08.455058 .ubuntu.com                      __utma                                                                                            /                        2016-08-29 19:56:08             0        0 2014-08-30 19:56:08.455058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...bc7b27ed42f4e8654421f90ca261d0b823216d
2014-08-18 01:53:54.812617 .youtube.com                     VISITOR...1_LIVE                                                                                  /                        2015-04-18 13:46:54.812617      0        0 2014-08-18 01:53:54.812617       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...56ee53d9b5ec43a08e3ef526906e239a1be5d7
2014-08-18 01:53:54.893616 .google.com                      __utma                                                                                            /intl/en/chrome/browser/ 2016-08-17 01:53:54             0        0 2014-08-18 01:54:56.400529       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...dca0f3ff3125021c58eabd5a5c5aa1e39ff31a
2014-08-30 19:55:34.066058 .www.ugdturner.com               ug1                                                                                               /                        2019-08-29 19:55:34.066058      0        0 2014-08-30 19:55:34.066058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...770a74f1e311837ea538744ea7d181c4f1f2de
2014-08-30 19:55:34.067058 www.cnn.com                      ug                                                                                                /                        2015-08-30 19:55:34             0        0 2014-08-30 19:55:34.067058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...a27d86d1efe9652678fb31931f4f5e192bc96f
2014-08-30 19:55:34.067059 www.cnn.com                      ugs                                                                                               /                        2014-08-31 21:55:34             0        0 2014-08-30 19:55:34.067059       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...1b89901d7f7c1774f49cd9b47229e19043f883
2014-08-30 19:55:46.475058 www.cnn.com                      _chartbeat4                                                                                       /                        2014-08-30 20:55:46             0        0 2014-08-30 19:55:46.475058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...885d99442117495160258487a86d42df33973a
2014-08-30 19:55:39.137058 .doubleclick.net                 _drt_                                                                                             /                        2014-08-31 07:55:39.137058      0        1 2014-08-30 19:55:39.137058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...0fc907219965b89c8b1f1250f51af443dc2e05
2014-08-30 19:55:39.406058 .krxd.net                        ServedBy                                                                                          /                        2015-02-27 09:15:39.406058      0        0 2014-08-30 19:55:39.406058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...da32d1ec7ff79594caf486a5f45dd23d78c954
2014-08-30 19:55:39.406059 .krxd.net                        _kuid_                                                                                            /                        2015-02-26 19:55:39.406059      0        0 2014-08-30 19:55:39.406059       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...7c79dac49bed8bcc64b2d4c59cf082427263c8
2014-08-30 19:56:08.455059 .ubuntu.com                      __utmb                                                                                            /                        2014-08-30 20:26:08             0        0 2014-08-30 19:56:08.455059       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...4b6aaeec96ec8a1c3733ee8f4a3ffa124fcdf2
2014-08-30 19:55:36.159058 .cnn.com                         s_vi                                                                                              /                        2016-08-29 19:55:36.159058      0        0 2014-08-30 19:55:36.159058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...e051356b6a9a21ea3db611c21cccdc47ce9830
2014-08-30 19:55:36.797058 .outbrain.com                    _lvs2                                                                                             /                        2015-09-26 19:55:36             0        0 2014-08-30 19:55:36.797058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...9d0008d0566aadc64154f3b946207d1115148a
2014-08-30 19:55:36.915058 .rubiconproject.com              ruid                                                                                              /                        2014-11-28 19:55:36.915058      0        0 2014-08-30 19:55:36.915058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...34ec6d9be5d8722099eac8e10c39190fbd5c7c
2014-08-18 01:55:10.572529 .tapad.com                       TapAd_TS                                                                                          /                        2014-10-17 01:55:09             0        0 2014-08-18 01:55:10.572529       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...fbb5944c4fb120fc1fdf2e3acbb5f8ab630c91
2014-08-18 01:55:10.565530 .bizographics.com                BizoData                                                                                          /                        2015-02-16 13:55:10.565530      0        0 2014-08-18 01:55:10.565530       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...ddb450d13d95198dd5ff18d05eb31d89e60705
2014-08-18 01:55:10.708529 .demdex.net                      DPM                                                                                               /                        2016-08-17 01:55:09             0        0 2014-08-18 01:55:10.708529       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...169b9472b70057cfc1f0845a12d94cf484b914
2014-08-18 01:55:10.678530 .acxiom-online.com               ACXID                                                                                             /                        2015-08-18 01:55:10.678530      0        0 2014-08-18 01:55:10.678530       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...ffd2e26b6112093ba13ef1cec3ab8c7d0788bf
Cookies – No Decryption

Sample execution against another memory image, without decrypting the cookies.

$ vol.py --profile=MacMavericks_10_9_4_AMDx64 -f mem.macho chromecookies
Volatility Foundation Volatility Framework 2.4
Creation Time              Host Key                         Name             Value                                                                            Path                     Expires Time               Secure HttpOnly Last Access Time           Expires Persistent Priority   Encrypted Value
-------------------------- -------------------------------- ---------------- -------------------------------------------------------------------------------- ------------------------ -------------------------- ------ -------- -------------------------- ------- ---------- ---------- --------------------------------------------------------------------------------
2014-09-04 21:36:14.605479 .sleuthkit.org                   _sm_au_c                                                                                          /                        Never Expires                   0        0 2014-09-04 21:36:14.605479       0          0          1 7631308406dafc56e672450c48985a03152bba6342cd223910827a8db5b6cbf6f5f6ae
2014-09-04 21:36:15.262039 .cs.uno.edu                      _sm_au_c                                                                                          /                        Never Expires                   0        0 2014-09-04 21:42:22.576744       0          0          1 763130460b6ba9333f9cc802ae02f2594b48f8fbc97d1413fa9a4a39b2d9d52561fdbe
2014-09-04 21:36:15.263101 .threat-analytics.com            _sm_au_c                                                                                          /                        Never Expires                   0        0 2014-09-06 20:50:33.270622       0          0          1 763130e10cac14e080087a30697432e03fd9e90058a8fca19477aa2abe29669433dece
2014-09-04 21:36:18.805114 .dfinews.com                     _sm_au_c                                                                                          /                        Never Expires                   0        0 2014-09-05 22:56:26.547288       0          0          1 76313069b9fc355151345fb7772978a63f0b7ee60db4254b786b2a87f0ddc70de2002e
Cookies – Decrypted

Supplying the decryption password on the same sample above successfully decrypts the cookie values. They all start with iMV in the output below.

$ vol.py --profile=MacMavericks_10_9_4_AMDx64 -f mem.macho chromecookies -K "rq2uadV+VvAD+IBiBeJ75a=="
Volatility Foundation Volatility Framework 2.4
Creation Time              Host Key                         Name             Value                                                                            Path                     Expires Time               Secure HttpOnly Last Access Time           Expires Persistent Priority   Encrypted Value
-------------------------- -------------------------------- ---------------- -------------------------------------------------------------------------------- ------------------------ -------------------------- ------ -------- -------------------------- ------- ---------- ---------- --------------------------------------------------------------------------------
2014-09-04 21:36:14.605479 .sleuthkit.org                   _sm_au_c         iMVarAHaqBbHSFFQ0e                                                               /                        Never Expires                   0        0 2014-09-04 21:36:14.605479       0          0          1 7631308406dafc56e672450c48985a03152bba6342cd623910827a8db5b6cbf6f5f6ae
2014-09-04 21:36:15.262039 .cs.uno.edu                      _sm_au_c         iMVarAaaqBBarF5a0b                                                               /                        Never Expires                   0        0 2014-09-04 21:42:22.576744       0          0          1 763130460b6ba9333f9cc802ae02f2594b48f8fbc97d141efa9a4a39b2d9d52561fdbe
2014-09-04 21:36:15.263101 .threat-analytics.com            _sm_au_c         iMVaraH2qBZdJFrQ15                                                               /                        Never Expires                   0        0 2014-09-06 20:50:33.270622       0          0          1 763130e10cac14e080087a30697432e03fd9e90058a8fca19877aa2abe29669433dece
2014-09-04 21:36:18.805114 .dfinews.com                     _sm_au_c         iMVaraH2qB0ZVF0Q0c                                                               /                        Never Expires                   0        0 2014-09-05 22:56:26.547288       0          0          1 76313069b9fc355151345fb7772978a63f0b7ee60db42a4b786b2a87f0ddc70de2002e

Volatility Plugin – Firefox History

Categories: Forensics, Volatility


As part of the 2014 Volatility Plugin Contest, I created 3 plugins for locating Firefox browser history related artifacts:

They are all in the firefoxhistory.py module found on my volatility-plugins repo on GitHub.  They also depend on the sqlite_help.py module in the same location, which provides some useful functions for manipulating data in SQLite databases.  Firefox and Chrome both store history and browsing data in SQLite databases.  Depending on the number and type of fields in each table, certain values can be expected in certain positions, which allows us to locate records of a given table.

A sample memory image is available at voltest.zip, and the corresponding places.sqlite and cookies.sqlite from that image are at ff_places and ff_cookies, respectively, for comparison with the plugin output.  The firefoxdownloads plugin only works on Firefox 25 and earlier because the downloads.sqlite file was removed.  I don’t have a memory image to provide but will show sample output from parsing a downloads.sqlite file below.  The download data was moved into another table (“moz_annos” in places.sqlite) that I haven’t worked on yet.  However, the download URLs are typically in the firefoxhistory output anyway. The plugin has been run against the SQLite databases in version 25 and memory samples of a system with version 31, so I’d expect it to work on at least those versions and the ones in between.

This module does for Firefox browsing history what the core Volatility module iehistory does for Internet Explorer.  It can print output in the default table format or in CSV or bodyfile format, which is useful for combining with other plugins to create a timeline.  According to W3Schools, Firefox and Chrome make up about 85% of the browser share as of July 2014, so this and my other plugin in the contest help round out Volatility’s browser coverage.

Usage and output for the plugins are below.

firefoxhistory

The firefoxhistory plugin extracts records from the Firefox moz_places table in the places.sqlite SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. The full output from the sample image is copied below with all 31 records that are in the ff_places database linked to above, showing the plugin was able to locate them all. The output contains, among other fields, the URL, page title, number of visits, and the last visit date. The URL may occasionally be truncated, but the full URL can be displayed in CSV format. In addition, the last visit date timestamp is used in the bodyfile.

$ vol.py --plugins=plugins/ -f voltest.dmp firefoxhistory
Volatility Foundation Volatility Framework 2.4
ID     URL                                                                              Title                                                                            Rev Host                         Visits Hidden Typed Favicon ID Frecency Last Visit Date            GUID
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -------------------------------- ------ ------ ----- ---------- -------- -------------------------- ------------
    30 http://software-files-a.cnet.com/s/soft...07af0b2aceb5cb&fileName=ccsetup417.exe ccsetup417.exe                                                                   moc.tenc.a-selif-erawtfos.            0      0     0                   0 2014-08-30 19:54:49.614000 1XZQkyF56qMJ
    29 http://download.cnet.com/CCleaner/3001-18512_4-10315544.html?hlndr=1             Thank you for downloading CCleaner from CNET Download.com                        moc.tenc.daolnwod.                    1      0     0         12      100 2014-08-30 19:54:45.947000 N5LRyDii8toO
    28 http://dw.cbsi.com/redir?ttag=download_...d=QCK-xqYz5LPFaJ0ebFV5qadurILbAkCQMAXl                                                                                  moc.isbc.wd.                          1      1     0                 100 2014-08-30 19:54:44.917000 fEjtASxUAxh6
    27 http://download.cnet.com/CCleaner/?tag=main;pop                                  CCleaner - Free download and software reviews - CNET Download.com                moc.tenc.daolnwod.                    1      0     0         12      100 2014-08-30 19:54:37.085000 pq1ZfeEKGvqZ
    26 http://download.cnet.com/windows/                                                Windows PC software downloads and reviews from CNET Download.com                 moc.tenc.daolnwod.                    1      0     0         11       -1 2014-08-30 19:54:28.723000 tfBwGHW8rHmc
    25 http://download.cnet.com/windows                                                                                                                                  moc.tenc.daolnwod.                    1      1     0                  -1 2014-08-30 19:54:28.286000 CDgZxQeKrwO3
    24 http://download.cnet.com/                                                                                                                                         moc.tenc.daolnwod.                    1      1     0                  -1 2014-08-30 19:54:28.130000 AcV1_jX9bz5r
    23 http://www.download.com/                                                                                                                                          moc.daolnwod.www.                     1      1     0                2000 2014-08-30 19:54:27.849000 KpFmHKTN0a9u
    22 http://download.com/                                                                                                                                              moc.daolnwod.                         1      1     1                2000 2014-08-30 19:54:27.724000 V1HFFdxEPjun
    21 https://twitter.com/                                                             Twitter                                                                          moc.rettiwt.                          2      0     0         10     2100 2014-08-30 19:54:23.325000 oKw7WQ22cahd
    20 http://twitter.com/                                                                                                                                               moc.rettiwt.                          1      0     1                2000 2014-08-30 19:54:21.920000 DMtScqP31_Xu
    19 http://www.msnbc.com/                                                            msnbc: news, video and progressive community. Lean Forward.                      moc.cbnsm.www.                        1      0     0          9     2000 2014-08-18 01:54:53.773000 5Gx2iLj1SjJW
    18 http://msnbc.com/                                                                                                                                                 moc.cbnsm.                            1      1     1                2000 2014-08-18 01:54:53.681000 ta4jLp2lyGh4
    17 https://www.google.com/?gws_rd=ssl                                               Google                                                                           moc.elgoog.www.                       1      0     0          7       -1 2014-08-18 01:54:39.623000 _Utv1EjcJ6Hu
    16 http://www.google.com/                                                                                                                                            moc.elgoog.www.                       1      1     0                2000 2014-08-18 01:54:39.522000 or6Wi4BgJ4oo
    15 http://google.com/                                                                                                                                                moc.elgoog.                           1      1     1                2000 2014-08-18 01:54:39.455000 w27D_5ORtyhc
    14 https://dl.google.com/tag/s/appguid%3D%...ser/update2/installers/ChromeSetup.exe ChromeSetup.exe                                                                  moc.elgoog.ld.                        0      0     0                   0 2014-08-18 01:53:04.856000 n4Jx86eFfMwg
    13 https://www.google.com/intl/en/chrome/b...u.html?installdataindex=defaultbrowser Chrome Browser                                                                   moc.elgoog.www.                       1      0     0          8      100 2014-08-18 01:53:04.603000 o4vAZ5aKWWyb
    12 https://www.google.com/chrome/browser/                                           Chrome Browser                                                                   moc.elgoog.www.                       1      0     0          8      100 2014-08-18 01:52:46.891000 3-zVrw5J9YQk
    10 https://www.google.com/search?q=chrome&...S:official&client=firefox-a&channel=sb chrome - Google Search                                                           moc.elgoog.www.                       1      0     0          7      100 2014-08-18 01:52:40.683000 fcu6-CJQ0C-5
     9 https://www.mozilla.org/en-US/firefox/31.0/firstrun/                             Welcome to Firefox                                                               gro.allizom.www.                      1      0     0          6      100 2014-08-18 01:52:31.981000 CFINbfipczLN
     3 https://www.mozilla.org/en-US/firefox/customize/                                                                                                                  gro.allizom.www.                      0      0     0          2      140                            3hOL_TOgRnCn
     8 place:type=6&sort=14&maxResults=10                                                                                                                                                                      0      1     0                   0                            3lY95yoWx2XB
     7 place:folder=BOOKMARKS_MENU&folder=UNFI...sort=12&maxResults=10&excludeQueries=1                                                                                                                        0      1     0                   0                            mdM4Mp9kd8g3
     1 https://www.mozilla.org/en-US/firefox/central/                                                                                                                    gro.allizom.www.                      0      0     0                 140                            kYVGjmJ-047k
    11 https://www.google.com/chrome/                                                                                                                                    moc.elgoog.www.                       1      1     0                 100 2014-08-18 01:52:46.769000 zLswYKJFEaUD
     5 https://www.mozilla.org/en-US/about/                                                                                                                              gro.allizom.www.                      0      0     0          4      140                            dOQyh56nW4RJ
     4 https://www.mozilla.org/en-US/contribute/                                                                                                                         gro.allizom.www.                      0      0     0          3      140                            yEpWj7pAkHw3
     2 https://www.mozilla.org/en-US/firefox/help/                                                                                                                       gro.allizom.www.                      0      0     0                 140                            06n0M4Af3U2S
     6 place:sort=8&maxResults=10                                                                                                                                                                              0      1     0                   0                            zm8cJXPL3Nt1
    31 http://download.cnet.com/CCleaner/3055-18512_4-10315544.html?tag=pdl-redir       Free Software Downloads and Sof                                     1      0     0          0        0 0
    31 http://download.cnet.com/CCleaner/3055-18512_4-10315544.html?tag=pdl-redir       Free Software Downloads and Software Reviews - CNET Download.com                 moc.tenc.daolnwod.                    1      0     0         12      100 2014-08-30 19:56:46.244000 4oOcy_AZUX9v
     2 https://www.mozilla.org/en-US/firefox/help/                                                                                                                       grUqtqU�⥥Υ3K                      0      0     0                6039                            �-�U:�lNٌ

    31 http://download.cnet.com/CCleaner/3055-1                                                                                                            1      0     0                   0 0

firefoxcookies

The firefoxcookies plugin extracts records from the Firefox moz_cookies table in the cookies.sqlite SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. Just a snippet of the output is pasted below because, while the limited browsing in the test image created only 31 history entries, there are hundreds of cookies. The output contains, among other fields, the domain, cookie name, path, and cookie value, though the value is often truncated in table format. It’s fully displayed in the CSV format. In addition, there are three timestamps for the creation time, last accessed time, and expiration time. These are all printed, and also included in the bodyfile for timeline generation.

$ vol.py --plugins=plugins/ -f 2014contest/voltest.dmp firefoxcookies | more
Volatility Foundation Volatility Framework 2.4
Row ID Base Domain                  App Id InBrowserElement Name                     Value                            Host                             Path                             Expiry               Last Accessed              Creation Time              Secure HttpOnly
------ ---------------------------- ------ ---------------- ------------------------ -------------------------------- -------------------------------- -------------------------------- -------------------- -------------------------- -------------------------- ------ --------
     9                                                    3                                                                                                                             1970-01-01 00:00:00  1970-01-01 00:00:00        1996-11-11 19:32:25.943048      0        0
   309 pubmatic.com                      0                0 KRTBCOOKIE_22            488-pcv:1|uid:6...35249447496254 .pubmatic.com                    /                                2017-08-29 19:54:40  2014-08-30 19:56:48.361000 2014-08-30 19:54:40.689000      0        0
   307 pubmatic.com                      0                0 KADUSERCOOKIE            892465A3-2C7F-4...7-A796CBE943D6 .pubmatic.com                    /                                2015-08-30 19:54:40  2014-08-30 19:56:48.361000 2014-08-30 19:54:40.565000      0        0
   446 turn.com                          0                0 uid                      6925335249447496254              .turn.com                        /                                2015-02-26 19:54:51  2014-08-30 19:54:51.564000 2014-08-30 19:54:40.549000      0        0
   305 mathtag.com                       0                0 uuid                     a1995402-2bff-4...d-e79b6350092f .mathtag.com                     /                                2015-08-30 19:54:40  2014-08-30 19:54:40.533000 2014-08-30 19:54:40.533000      0        0
   303 pubmatic.com                      0                0 KRTBCOOKIE_80            4031-CAESEKPqsq...vWPTGmwJGWwWo0 .pubmatic.com                    /                                2014-11-28 19:54:40  2014-08-30 19:56:48.361000 2014-08-30 19:54:40.440002      0        0
   301 pubmatic.com                      0                0 KRTBCOOKIE_57            476-uid:8258907743645875089      .pubmatic.com                    /                                2017-08-29 19:54:40  2014-08-30 19:56:48.361000 2014-08-30 19:54:40.440000      0        0
   300 yimg.com                          0                0 fpc                      1000958395862%3...7%7C8TY7TsoTH7 s.yimg.com                       /                                2015-08-30 19:54:40  2014-08-30 19:56:46.909000 2014-08-30 19:54:40.409001      0        0
   478 adnxs.com                         0                0 uuid2                    8258907743645875089              .adnxs.com                       /                                2014-11-28 19:56:48  2014-08-30 19:56:48.684000 2014-08-18 01:54:59.048000      0        1
   294 pubmatic.com                      0                0 SyncRTB                  2_1410033280.3_....74_1410638080 .ads.pubmatic.com                /                                2015-06-26 19:54:39  2014-08-30 19:54:39.987000 2014-08-30 19:54:39.987000      0        0
   464 cnet.com                          0                0 WRUID                    0                                download.cnet.com                /                                2015-08-30 19:56:47  2014-08-31 13:18:29.617000 2014-08-30 19:54:38.037002      0        0
   292 pubmatic.com                      0                0 KTPCACOOKIE              YES                              .pubmatic.com                    /                                2015-06-26 19:54:39  2014-08-30 19:56:48.361000 2014-08-30 19:54:39.925000      0        0
   291 yimg.com                          0                0 ywandp                   1000958395862%3A1432287649       s.yimg.com                       /                                2024-08-27 19:54:39  2014-08-30 19:56:46.909000 2014-08-30 19:54:39.488000      0        0
   273 cnet.com                          0                0 bwp2                     53d5c62aff9dff4...42286428349,v1 .download.cnet.com               /                                2015-09-15 15:00:01  2014-08-31 13:18:29.617000 2014-08-30 19:54:38.162000      0        0
   272 cnet.com                          0                0 _udl_sessionId           en8N9q16psTV                     download.cnet.com                /CCleaner/                       2014-08-30 20:24:38  2014-08-30 19:57:46.012000 2014-08-30 19:54:38.068000      0        0
   398 chango.com                        0                0 _vt                      0                                .chango.com                      /                                2014-09-29 19:54:50  2014-08-30 19:54:50.846000 2014-08-30 19:54:50.846001      0        0
   463 cnet.com                          0                0 __CT_Data                gpv=3&apv_11583_www08=3          download.cnet.com                /                                2015-08-30 19:56:47  2014-08-31 13:18:29.617000 2014-08-30 19:54:38.037000      0        0
   268 cnet.com                          0                0 LDCLGFbrowser            6003425c-6a57-4...b-f9c896e81eee download.cnet.com                /                                2024-08-27 19:54:37  2014-08-31 13:18:29.617000 2014-08-30 19:54:37.585000      0        0
   257 everesttech.net                   0                0 ev_t                     3-VAIr@gAABc1hxA14               .everesttech.net                 /                                2014-09-29 19:54:35  2014-08-30 19:56:48.118000 2014-08-30 19:54:35.478001      0        0
   256 everesttech.net                   0                0 gglck                    CAESEIFDIEoc5OXo637KcYakDk8      .everesttech.net                 /                                2014-09-29 19:54:35  2014-08-30 19:56:48.118000 2014-08-30 19:54:35.478000      0        0

firefoxdownloads

The firefoxdownloads plugin extracts records from the Firefox moz_downloads table in the downloads.sqlite SQLite database file. The downloads.sqlite file was removed in Firefox 26, and this data was moved into the moz_annos table in places.sqlite. A quick look at that table suggests its records should be locatable as well; however, I haven’t worked on it yet. The test image that was provided has Firefox 31 installed, so this plugin will not locate download records in it. However, I did have an old downloads.sqlite file that I built the plugin off of, and the plugin extracts all the records from the actual database file, so it should work on a memory image with the applicable version installed. The output below is an excerpt from running the plugin against that database file.

It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. The output contains, among other fields, the filename, source URL, target path being saved to, and bytes downloaded. In addition, there are timestamps for the start and end times of the download. These are both printed, and also included in the bodyfile for timeline generation.

$ vol.py --plugins=plugins/ -f downloads.sqlite firefoxdownloads
Volatility Foundation Volatility Framework 2.4
Row Id Name                             Source                                                                           Target                                                       Temp Path                        Start Time                 End Time                   State Referrer                                                     Entity ID Current Bytes Max Bytes    MIME Type            Prefer App       Prefer Action Auto Resume
------ -------------------------------- -------------------------------------------------------------------------------- ------------------------------------------------------------ -------------------------------- -------------------------- -------------------------- ----- ------------------------------------------------------------ --------- ------------- ------------ -------------------- ---------------- ------------- -----------
     2 Wireshark-win64-1.12.0(1).exe    http://wiresharkdownloads.riverbed.com/...shark/win64/Wireshark-win64-1.12.0.exe file:///Users/dave/Downloads/Wireshark-win64-1.12.0(1).exe                                    2014-08-06 19:06:40.462456 2014-08-06 19:07:39.180254     1 https://..._=iMVZ42DWnZQPvsWG&flshenb=1                35531552     35531552 applicati...-program                              0           0
     1 Wireshark-win64-1.12.0.exe       https://2.na.dl.wireshark.org/win64/Wireshark-win64-1.12.0.exe                   file:///Users/dave/Downloads/Wireshark-win64-1.12.0.exe                                       2014-08-06 03:15:57.461410 2014-08-06 03:16:50.061426     1 https://www.wireshark.org/download.html                35531552     35531552 applicati...-program                              0           0


Volatility Plugin – SQLite Helper


Categories: Forensics, Volatility

This is a module used by both the chromehistory and firefoxhistory groups of plugins I wrote for the 2014 Volatility Plugin Contest. It provides a number of functions for locating and converting data found in SQLite databases. The functions provided are described below.

The following links are very helpful for understanding the structure of SQLite databases:

The section on the Variable Length Integer Format in the first link above is especially relevant for many of the functions below. SQLite databases store integers in a variable-length integer format that uses anywhere from 1 to 9 bytes. This allows small integer values to use only 1 or 2 bytes. It also means all negative numbers are 9 bytes.

unix_time(dt)

Converts a Python datetime object to a Unix epoch based timestamp.

get_wintime_from_msec(msec)

Takes as input the number of microseconds since 1601/01/01 and outputs a Python datetime object.

get_nixtime_from_sec(sec)

Takes as input the number of seconds since 1970/01/01 and outputs a Python datetime object.

get_nixtime_from_msec(msec)

Takes as input the number of microseconds since 1970/01/01 and outputs a Python datetime object.

varint_type_to_length(varint)

The lengths in the header section for integers aren’t actual lengths, but map to different values, as described in the Database Record Format in the first link above. This function maps these values to the actual lengths of the data fields.

ones_comp(bin_str)

Takes a binary number represented as a string of 0s and 1s, and returns the one’s complement in string format. This is used for varints that hold a negative number.

find_varint(buff, start, direct)

This function locates the next variable length integer in the buffer buff, starting from index start and moving in the direction given by direct (forward or backward). The last byte of a varint is always less than 128, which marks where a varint ends when moving forward, or where the previous varint ends when moving backward.

varint_to_int(buff)

Converts a varint to an integer value.

varint_to_blob_length(l)

Converts the header length field to the actual data length, which is (length-12)/2.

varint_to_text_length(l)

Converts the header length field to the actual data length, which is (length-13)/2.

sql_unpack(buff)

Converts a 1, 2, 3, 4, 6, or 8 byte value into an integer. Integers are stored in the data portion of the SQLite record, while varints are used in the header portion.
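To show how these pieces fit together, here is an added Python example that implements the same ideas and then uses them to decode a complete SQLite record (header of varint serial types followed by the column data). It is not the sqlite_help.py module itself: the return convention of find_varint, the serial_type_to_length and decode_record functions, the two's-complement handling of negative varints (in place of the module's ones_comp string approach), and the SAMPLE_RECORD bytes are all my own constructions.

```python
"""SQLite record-format helpers: varints, serial types, timestamps (added example)."""
import struct
from datetime import datetime, timedelta

WINDOWS_EPOCH = datetime(1601, 1, 1)   # Chrome/WebKit time: microseconds since 1601-01-01
UNIX_EPOCH = datetime(1970, 1, 1)      # Firefox: microseconds since 1970-01-01


def get_wintime_from_msec(msec):
    """Microseconds since 1601-01-01 -> naive UTC datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=msec)


def get_nixtime_from_msec(msec):
    """Microseconds since 1970-01-01 -> naive UTC datetime."""
    return UNIX_EPOCH + timedelta(microseconds=msec)


def find_varint(buff, start, direct="forward"):
    """Return (begin, end) slice bounds of one varint (my own return convention).
    forward: the varint starting at buff[start] ends at the first byte below 0x80 (9 bytes max).
    backward: the varint ending at buff[start-1] begins after the last byte with its 0x80 bit clear."""
    if direct == "forward":
        end = start
        while end < len(buff):
            end += 1
            if buff[end - 1] < 0x80 or end - start == 9:
                break
        return start, end
    begin = start - 1
    while begin > 0 and start - begin < 9 and buff[begin - 1] >= 0x80:
        begin -= 1
    return begin, start


def varint_to_int(buff):
    """Decode a big-endian varint (1-9 bytes) into a signed 64-bit integer.
    Bytes 1-8 carry 7 bits each; a 9th byte carries all 8 bits, so a negative
    number (high bit set in 64-bit two's complement) always needs 9 bytes."""
    value = 0
    for i, b in enumerate(buff[:9]):
        if i == 8:
            value = (value << 8) | b
            break
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:
            break
    if value >= 1 << 63:
        value -= 1 << 64
    return value


def serial_type_to_length(serial):
    """Map a record-header serial type to (kind, length of the field in the data area)."""
    fixed = {0: ("null", 0), 1: ("int", 1), 2: ("int", 2), 3: ("int", 3), 4: ("int", 4),
             5: ("int", 6), 6: ("int", 8), 7: ("float", 8), 8: ("zero", 0), 9: ("one", 0)}
    if serial in fixed:
        return fixed[serial]
    if serial >= 12 and serial % 2 == 0:
        return "blob", (serial - 12) // 2      # same rule as varint_to_blob_length
    if serial >= 13:
        return "text", (serial - 13) // 2      # same rule as varint_to_text_length
    raise ValueError("reserved serial type %d" % serial)


def sql_unpack(buff):
    """Big-endian two's-complement integer of 1, 2, 3, 4, 6 or 8 bytes from the data area."""
    if len(buff) not in (1, 2, 3, 4, 6, 8):
        raise ValueError("unsupported integer width %d" % len(buff))
    return int.from_bytes(buff, "big", signed=True)


def decode_record(buff):
    """Parse one SQLite record: a header (its own length, then one serial type per
    column, all varints) followed by the column data in the same order."""
    begin, pos = find_varint(buff, 0)
    header_len = varint_to_int(buff[begin:pos])   # header length counts the length varint too
    serials = []
    while pos < header_len:
        begin, pos = find_varint(buff, pos)
        serials.append(varint_to_int(buff[begin:pos]))
    values = []
    for serial in serials:
        kind, length = serial_type_to_length(serial)
        field = buff[pos:pos + length]
        pos += length
        if kind == "int":
            values.append(sql_unpack(field))
        elif kind == "float":
            values.append(struct.unpack(">d", field)[0])
        elif kind == "text":
            values.append(field.decode("utf-8", "replace"))
        elif kind == "blob":
            values.append(bytes(field))
        else:                                      # null, zero, one carry no data bytes
            values.append({"null": None, "zero": 0, "one": 1}[kind])
    return values


# Constructed sample record for the row (2, "bob", 35531552, NULL, -1); not from a real database.
# Header: length 6, serial types 1 (1-byte int), 19 (3-char text), 4 (4-byte int), 0 (NULL), 1.
SAMPLE_RECORD = (bytes([0x06, 0x01, 0x13, 0x04, 0x00, 0x01])
                 + bytes([0x02]) + b"bob" + (35531552).to_bytes(4, "big") + bytes([0xFF]))
```

decode_record(SAMPLE_RECORD) returns [2, 'bob', 35531552, None, -1]; varint_to_int(b"\x81\x55") returns 213, the serial type of a 100-byte text field. Scanning a memory image for records works the same way the plugins are described above: a header whose serial types fit the expected column layout of a table marks a candidate record.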


Volatility Plugin – Java IDX Parser


Categories: Forensics, Volatility

As part of the 2014 Volatility Plugin Contest, I created a plugin called idxparser, based off of Brian Baskin’s Java IDX Parser script. A sample IDX file is available at sample.idx and a sample memory image is available at voltest.zip. The plugin can be found on my volatility-plugins repo on GitHub.

I typically see a lot of drive-by Java exploits and can usually trace where the malicious JAR file came from through a Java .idx file that was left behind. Often, these files are small enough to be MFT-resident. Since this plugin works on a physical address space, you can pass an IDX file itself, an extracted MFT file, or a full memory dump to Volatility and have it extract any IDX files it finds. It’s a useful plugin for quickly finding any IDX files in a memory image of a system that may have been compromised by a Java exploit.

Section 4 of the IDX file has sections identified by different opcodes. Brian Baskin’s original code limits the number of unknown opcodes printed to 5 before exiting. This plugin will print all the data in section 4 by default. The -U (for UNKNOWN) option will limit the plugin to only printing 5.

Below are samples of running it against an IDX file from a malicious JAR and a memory dump containing some IDX files associated with a Java game.

IDX File

$ vol.py --plugins=../plugins/ -f sample.idx idxparser
Volatility Foundation Volatility Framework 2.4
--------------------------------------------------------------------------------

[*] Section 1 (Metadata) found:
Content length: 7162
Last modified date: Thu, 26 Jul 2001 05:00:00 GMT (epoch: 996123600)
Section 2 length: 365
Section 3 length: 167
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://83d2c156f3.gshjsawsf.su:82/forum/dare.php?hsh=6&key=b34a24eac5c7b57265d5b3d3f0abd2ab
IP: 50.7.219.70
<null>: HTTP/1.1 200 OK
content-length: 7162
last-modified: Mon, 26 Jul 2001 05:00:00 GMT
content-type: application/x-java-archive
date: Sun, 13 Jan 2013 16:22:01 GMT
server: nginx/1.0.15
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.3
X-COMMENT: Main-Class will be added automatically by build
Class-Path:
Created-By: 1.7.0_07-b11 (Oracle Corporation)

[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data: Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0 Hex: 300d0a
--------------------------------------------------------------------------------

Memory Dump

$ vol.py --plugins=../plugins/ -f voltest.dmp idxparser
Volatility Foundation Volatility Framework 2.4
--------------------------------------------------------------------------------

[*] Section 1 (Metadata) found:
Content length: 61699
Last modified date: Fri, 10 Oct 2008 20:25:10 GMT (epoch: 1223670310)
Section 2 length: 438
Section 3 length: 22
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://javagameplay.com/offroadrally/inthejar.jar
IP: 209.188.88.156
: HTTP/1.1 200 OK
content-length: 61699
last-modified: Fri, 10 Oct 2008 20:25:10 GMT
content-type: text/plain
date: Sat, 30 Aug 2014 19:53:56 GMT
server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:


[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data:       	Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0         	Hex: 300d0a
--------------------------------------------------------------------------------

[*] Section 1 (Metadata) found:
Content length: 158471
Last modified date: Fri, 10 Oct 2008 20:25:23 GMT (epoch: 1223670323)
Section 2 length: 434
Section 3 length: 22
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://javagameplay.com/offroadrally/res.jar
IP: 209.188.88.156
: HTTP/1.1 200 OK
content-length: 158471
last-modified: Fri, 10 Oct 2008 20:25:23 GMT
content-type: text/plain
date: Sat, 30 Aug 2014 19:53:57 GMT
server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:


[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data:       	Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0         	Hex: 300d0a
--------------------------------------------------------------------------------

[*] Section 1 (Metadata) found:
Content length: 139622
Last modified date: Fri, 10 Oct 2008 20:25:16 GMT (epoch: 1223670316)
Section 2 length: 435
Section 3 length: 22
Section 4 length: 15

[*] Section 2 (Download History) found:
URL: http://javagameplay.com/offroadrally/jpct.jar
IP: 209.188.88.156
: HTTP/1.1 200 OK
content-length: 139622
last-modified: Fri, 10 Oct 2008 20:25:16 GMT
content-type: text/plain
date: Sat, 30 Aug 2014 19:53:56 GMT
server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
deploy-request-content-type: application/x-java-archive

[*] Section 3 (Jar Manifest) found:


[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data:       	Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0         	Hex: 300d0a
--------------------------------------------------------------------------------


Volatility Plugin – Office Trust Records


Categories: Forensics, Volatility

As part of the 2014 Volatility Plugin Contest, I created a simple plugin that queries the registry for Office TrustRecords. This post contains details about this registry key. It’s basically used to record Office files that were opened from an untrusted location and manually “trusted” by the user by clicking a prompt to edit the document or enable content. Along with this record of opening the document, the data in the value is the time that the document was opened. This plugin locates the registry key for Word, Excel, Access, and PowerPoint and prints the list of files and their timestamps.

I don’t have a memory sample to provide, but here is some sample output of the plugin.

$ vol.py -f memory.vmem --profile=Win7SP1x86 trustrecords
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \??\C:\Users\voltest\ntuser.dat
Key path: Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\TrustRecords
Key name: TrustRecords (S)
Last updated: 2014-09-09 03:37:16 UTC+0000

Values:
2014-09-09 03:34:44.081925	%USERPROFILE%/Desktop/Doc1.docm
2014-09-09 03:37:07.689334	%USERPROFILE%/Desktop/newDoc.docm


Christmas 2011 Hacking Challenge


Categories: Challenges, Forensics

I spent a couple nights over my Christmas vacation working on the Christmas 2011 Hacking Challenge on the SANS Pen Test blog. This is the first year I’ve done the challenge, and I had a lot of fun with it. I may have gone a little overboard with the report, but I wanted to try to make it somewhat realistic.

I ended up getting honorable mention when the results were posted. I was pretty happy with that, even though it meant I didn’t win a copy of Ed Skoudis’s book. That wasn’t a big deal since I ended up winning a copy during NetWars at SANS2012 in Orlando, and I wouldn’t really need two copies. I had always meant to post my report when the challenge was over, and I’m just now getting around to that.

Here’s a link to my report and here is what Ed had to say about it in the results post:

Dave Lassalle: Your report was very detailed, and was a close second. You explained the Apple Software Update component of the attack well, explained all of the fields in the CellLocation table, mentioned the GPS anomalies and the duplicate timestamps, and included a great map showing all of the places. You also extracted and ran the iTunesSetup.exe malware and wrote your own handler for it, which was very impressive. Amazing work, beautifully executed.

2011HolidayHackChallenge


srch_strings_wrap — history and examples


Categories: Forensics

I recently took SANS FOR508 with Rob Lee in Las Vegas.  It was a great class and I highly recommend it to everyone interested in Digital Forensics.  I’m new to forensics and learned so much from the class.

One of the topics covered is using the srch_strings command from the Sleuth Kit on a filesystem image to obtain not just the strings within the file, but also the byte offset of each string.  This is done using the “-t d” option:

$ srch_strings -a -t d sda1.img
 7208 vmlinuz-2.2.14-5.0
 7336 System.map-2.2.14-5.0smp
 7464 module-info-2.2.14-5.0
 262176 lost+found
 262196 kernel.h
 262212 System.map-2.2.14-5.0
 262244 module-info-2.2.14-5.0

Then, after obtaining the block size of the filesystem using fsstat, we figure out which block each of these strings is in.  For example, this is an image of a filesystem with 1024 byte blocks, so divide each byte offset by 1024:

Block  String
 7     vmlinuz-2.2.14-5.0
 7     System.map-2.2.14-5.0smp
 7     module-info-2.2.14-5.0
 256   lost+found
 256   kernel.h
 256   System.map-2.2.14-5.0
 256   module-info-2.2.14-5.0

During class, I got tired of opening the calculator to figure out these blocks, so I came up with a little one liner to do everything at once:

$ strings -a -t d sda1.img | tee file | awk '{print $1"/1024"}' | bc | paste - file
7       7208 vmlinuz-2.2.14-5.0
7       7336 System.map-2.2.14-5.0smp
7       7464 module-info-2.2.14-5.0
256     262176 lost+found
256     262196 kernel.h
256     262212 System.map-2.2.14-5.0
256     262244 module-info-2.2.14-5.0

Eventually, I got tired of typing that out and turned it into a script after getting back home after class.  I emailed Rob Lee about it and he put me in touch with Hal Pomeranz, who had been working on a similar script.  Hal and I had some other ideas of where this could be taken, and that’s what eventually became srch_strings_wrap.

In a previous post, I gave an overview of the command line options and functionality, so now I’d just like to show some examples.


srch_strings_wrap — forensics tool


Categories: Forensics

I wrote a tool called srch_strings_wrap (available at GitHub – https://github.com/superponible/Search-Strings-Extension) that extends the functionality of the srch_strings command in the Sleuth Kit.  The idea came from repeatedly having to determine the block that corresponded to the results of srch_strings during FOR508.  I contacted Rob Lee about what I had written and he put me in touch with Hal Pomeranz, who had a similar script and some other ideas.

There are other scripts in my repository that are previous versions of this script, but they are not as fully functional as srch_strings_wrap.

The original srch_strings pulls out the strings within a file and gives the byte offset if requested.  My script srch_strings_wrap obtains the byte offset, but also uses that byte offset to determine, if available, the block, inode, and filename that string is in.  Several command line options exist for filtering results, modifying output, and automatically carving matched files/inodes/blocks.

Currently, the command line options include:

If no special options are given, srch_strings_wrap can be used in place of srch_strings.

The blocksize of the filesystem can be specified (-b) or automatically determined from the image (-d).  Multiple filesystem images can be given as arguments, but only one full disk image can be specified.  The output can be grouped by file/inode/block (-O) or printed out line by line (default).  It supports custom delimiters (-F) and can output to CSV (-C).  Output can be written, if desired with a header (-H), to a file (-w), to standard out (default), or not at all (-N).  Grep terms can be passed on the command line (-g) or in a dirty word file (-G), with case insensitivity (-i).

If full lookups to the filename layer are not needed, the level can be specified to decrease runtime: byte (-l0, no different from “srch_strings -t d”), block (-l1), inode (-l2), and filename (-l3, the default).  There is an option to autocarve (-A) which will carve out all matching strings at the highest level available.

And if multiple grep searches will be conducted, “srch_strings -a -t d fs.img > output.asc” can be run on an image to capture all the strings and save the output to a file, then -P can be used to accept the output of that file piped in (“cat output.asc | srch_strings_wrap -P -I fs.img“).
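As an added example covering both the offset-to-block division from the history post above and the byte/block/inode/filename levels described here, the Python below walks the same chain: parse "-t d" output, divide by the block size, then ask the Sleuth Kit's ifind -d and ffind for the inode and file name. It is my own code, not srch_strings_wrap; the function names, the "Block Size:"/"Cluster Size:" line it expects from fsstat, and the SAMPLE_STRINGS text (copied from the output shown in the history post) are assumptions of this example.

```python
"""Map `srch_strings -t d` byte offsets to blocks, inodes and file names (added example)."""
import re
import subprocess

# Constructed sample: lines copied from the `srch_strings -a -t d sda1.img` output in the post
SAMPLE_STRINGS = """\
 7208 vmlinuz-2.2.14-5.0
 7336 System.map-2.2.14-5.0smp
 262176 lost+found
 262196 kernel.h
"""

LINE_RE = re.compile(r"^\s*(\d+)\s(.*)$")


def parse_strings_output(text):
    """Yield (byte offset, string) pairs from '-t d' output; the string keeps its own spaces."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2)


def offsets_to_blocks(text, blocksize):
    """Level 1 (-l1): integer-divide each byte offset by the block size, as the one-liner does."""
    return [(off // blocksize, off, s) for off, s in parse_strings_output(text)]


def _run(cmd):
    """Run a Sleuth Kit command and return its stdout, or '' if the tool is missing."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def detect_blocksize(image):
    """Level -d: read the block size from fsstat (assumes a 'Block Size:' or 'Cluster Size:' line)."""
    m = re.search(r"^(?:Block|Cluster) Size:\s*(\d+)", _run(["fsstat", image]), re.M)
    if not m:
        raise ValueError("no block size found in fsstat output for %s" % image)
    return int(m.group(1))


def block_to_inode(image, block):
    """Level 2 (-l2): `ifind -d` prints the inode that allocated the block, or a not-found message."""
    out = _run(["ifind", "-d", str(block), image]).strip()
    return int(out) if out.isdigit() else None


def inode_to_name(image, inode):
    """Level 3 (-l3): `ffind` maps an inode back to a file name; empty output means unknown."""
    return _run(["ffind", image, str(inode)]).strip() or None


def lookup(image, text, blocksize=None, level=3):
    """Resolve every string to the requested level (0=byte, 1=block, 2=inode, 3=filename)."""
    if blocksize is None and level >= 1:
        blocksize = detect_blocksize(image)
    rows = []
    for off, s in parse_strings_output(text):
        row = {"offset": off, "string": s}
        if level >= 1:
            row["block"] = off // blocksize
        if level >= 2:
            row["inode"] = block_to_inode(image, row["block"])
        if level >= 3 and row.get("inode") is not None:
            row["name"] = inode_to_name(image, row["inode"])
        rows.append(row)
    return rows
```

offsets_to_blocks(SAMPLE_STRINGS, 1024) reproduces the block column of the table in the history post (7, 7, 256, 256). Only levels 2 and 3 shell out to the Sleuth Kit, which is why stopping at -l1 is so much cheaper on a large image: one ifind and one ffind per string adds up quickly, and feeding a saved strings file back in (the -P option above) avoids re-running the slowest step.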

See my overview post for some more examples and a little history on the tool.  It should be available in future versions of the SANS Investigative Forensics Toolkit (SIFT) Workstation.

* Link to this post: http://blog.superponible.com/2011/11/17/srch_strings_wrap-forensics-tool/
* Link to the examples: http://blog.superponible.com/2011/11/17/srch_strings_wrap-history-and-examples/
* Link to GitHub repository: https://github.com/superponible/Search-Strings-Extension