Tuesday, January 26, 2016

Using Volatility with Hyper-V

Assuming you have a Hyper-V image with Win7x64 and you want to use Volatility to do
memory forensic analysis.

1.  Set _NT_SYMBOL_PATH=srv*c:\symbols*https://msdl.microsoft.com/download/symbols

2.  Install Debugging Tools for Windows
     Microsoft makes it hard to get the debugging tools by themselves: you will need to download
     the SDK setup, run it, and from the component selection menu select only the debugging
     tools option. You may also get them from the CodeMachine downloads site.

3.  Install Sysinternals LiveKD
     We will use LiveKD to dump the VM's memory for analysis.

4.  Run your Hyper-V VM

5.  List currently running VMs (Administrative privilege required)
     >livekd.exe -hvl

6. Use the name listed in the previous step to dump memory
    >livekd.exe -hv name -p -o c:\memory.dmp

    If you get any errors about kdversionblock, or LiveKD cannot resolve symbols for ntoskrnl, make sure your
    symbol path is correct. You may also have to start LiveKD in debugging mode and force a
    symbol download:
    >livekd.exe -hv name
              >>.reload /f

    Verify that your symbols folder contains the symbol files.

7. Convert the crash dump to a raw image (OPTIONAL; try Volatility on the memory dump directly first)
    >volatility-X.X.standalone.exe -f c:\memory.dmp --profile=Win7SP1x64 imagecopy -O c:\memory.dd

8. Run Volatility commands
    >volatility-X.X.standalone.exe -f c:\memory.dd --profile=Win7SP1x64 psscan
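The steps above chained into one elevated PowerShell script, as an added example that is not part of the original post. It assumes the tool paths, the Win7SP1x64 guest, the VM name from `livekd -hvl`, and the kernel PDB names (ntkrnlmp.pdb / ntoskrnl.pdb) used in the symbol check; adjust the parameters to your environment.

```powershell
# Added example (not from the original post): automates steps 1-8 above.
# Assumptions: livekd.exe and the Volatility 2 standalone exe live at the paths
# below, the guest is Win7 SP1 x64, and $VmName matches the 'livekd -hvl' output.
param(
    [Parameter(Mandatory = $true)][string]$VmName,
    [string]$LiveKd     = 'C:\Tools\livekd.exe',
    [string]$Volatility = 'C:\Tools\volatility-X.X.standalone.exe',
    [string]$SymbolRoot = 'C:\symbols',
    [string]$DumpPath   = 'C:\memory.dmp',
    [string]$RawPath    = 'C:\memory.dd',
    [string]$Profile    = 'Win7SP1x64'
)

# Step 5 needs administrative privilege; fail early rather than after a long wait.
$identity = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# Step 1: symbol path for this process only (no permanent change to the host).
$env:_NT_SYMBOL_PATH = "srv*$SymbolRoot*https://msdl.microsoft.com/download/symbols"

# Step 5: confirm the VM name is one LiveKD can see before trying to dump it.
$vmList = & $LiveKd -hvl 2>&1 | Out-String
if ($vmList -notmatch [regex]::Escape($VmName)) {
    throw "VM '$VmName' not found in 'livekd -hvl' output:`n$vmList"
}

# Step 6: pause the VM (-p) and write a crash-dump-format image (-o).
& $LiveKd -hv $VmName -p -o $DumpPath
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $DumpPath)) {
    throw "LiveKD failed (exit $LASTEXITCODE). Check symbols, or run 'livekd -hv $VmName' then '.reload /f'."
}

# Check from step 6: a kernel PDB should now exist under the symbol root (names assumed).
$kernelPdb = Get-ChildItem -Path $SymbolRoot -Recurse -Include 'ntkrnlmp.pdb', 'ntoskrnl.pdb' -ErrorAction SilentlyContinue
if (-not $kernelPdb) { Write-Warning "No kernel PDB under $SymbolRoot; Volatility may fail to parse the dump." }

# Record the evidence hash before any further processing touches the file.
(Get-FileHash -Algorithm SHA256 -Path $DumpPath).Hash | Set-Content -Path "$DumpPath.sha256"

# Step 7 (optional): convert the crash dump to a raw image, then step 8: run psscan.
& $Volatility -f $DumpPath --profile=$Profile imagecopy -O $RawPath
& $Volatility -f $RawPath  --profile=$Profile psscan
```

Run LiveKD interactively once beforehand so its license prompt is already accepted; otherwise the first scripted call may wait on that dialog.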


References
www.wyattroersma.com
Good blog with various posts on Volatility and VMs
