WEBVTT

00:01.110 --> 00:09.510
In this lecture we will learn more about the dlllist command, or plugin, so that responders can also

00:09.510 --> 00:14.340
check the loaded files associated with the process.

00:14.370 --> 00:22.740
This allows the analyst to determine whether a suspect process accessed these files when it was executed.

00:22.740 --> 00:29.430
So, for example, if a responder would like to examine the DLL file associated with one of the suspect

00:29.430 --> 00:32.010
processes, for example process ID

00:33.270 --> 00:42.300
11640, then you will need to run the volatility command.

00:44.010 --> 00:45.090
Uh, 60.

00:45.120 --> 00:46.830
Yeah, 64.

00:47.220 --> 00:48.390
And.

00:48.780 --> 00:51.620
Okay, we'll take the 64 first.

00:51.630 --> 00:54.540
As you remember, we inserted the file here.

00:55.200 --> 00:58.380
In this case, it's the file in here.

00:58.380 --> 01:01.350
And then we're going to select a profile.

01:01.350 --> 01:07.080
As you remember, our profile was the Windows XP Service Pack 2.

01:07.980 --> 01:12.540
Uh, and x86 here.

01:13.820 --> 01:24.620
And then we're going to use the -p parameter to specify the process in this memory file, that running

01:24.620 --> 01:25.070
process.

01:25.070 --> 01:28.340
In this case, it's 1640.

01:30.560 --> 01:39.080
And as you can see in Moderna's platform, yeah, there is no such option with -p in volatility.

01:39.990 --> 01:41.040
-h here.

01:44.430 --> 01:44.760
Oops.

01:47.230 --> 01:47.800
Yeah.

01:47.980 --> 01:48.460
Uh.

01:48.760 --> 01:49.330
Help.

01:50.330 --> 01:54.500
And as you can see here, we're going to have some commands named.

01:56.440 --> 01:59.160
Peer help debug plugins.

02:00.860 --> 02:01.580
Here.

02:07.830 --> 02:10.230
Verbose here, key here.

02:10.650 --> 02:13.590
And yeah, now we're going to use the.

02:16.630 --> 02:20.770
The dlllist and then -p, process.

02:20.800 --> 02:22.270
1640.

02:25.280 --> 02:25.610
Okay.

02:25.610 --> 02:26.690
1640.

02:30.260 --> 02:33.370
As you can see, there is no process named 1614.

02:33.380 --> 02:39.710
So now we're going to use the pslist to determine which process it is.

02:39.710 --> 02:43.670
Yeah, you need the pslist plugin.

02:45.440 --> 02:45.980
Here.

02:48.610 --> 02:51.350
Oh, why so.

02:51.880 --> 02:55.030
imageinfo with it.

02:55.180 --> 02:59.260
Enter at the wrong imageinfo operating system file profile.

02:59.890 --> 03:01.150
Yeah it's.

03:01.880 --> 03:02.630
Searching.

03:02.630 --> 03:08.240
And as you can see, Windows XP Service Pack 2, x86.

03:10.980 --> 03:11.430
Okay.

03:11.430 --> 03:12.540
It's the same, actually.

03:14.180 --> 03:14.840
Profile.

03:16.490 --> 03:17.090
Okay.

03:17.300 --> 03:20.630
As you can see here, we've listed our processes.

03:21.650 --> 03:22.150
Run.

03:22.250 --> 03:28.970
And we can find the associated executable or DLL files from it.

03:28.970 --> 03:32.990
So, for example, if I want to get the.

03:34.260 --> 03:38.250
The loss of here, for example.

03:39.380 --> 03:43.430
Let's, let's, it's actually, the reader_sl.exe file is quite suspicious.

03:43.430 --> 03:47.540
So that's why I'm going to choose the process to.

03:47.570 --> 03:47.800
Yeah.

03:47.840 --> 03:55.310
As you can see here, the process IDs are up here and we're going to choose 228.

03:58.680 --> 03:59.030
Okay.

03:59.040 --> 04:04.560
As you can see here, we got these DLL files associated with the running process.

04:06.340 --> 04:06.880
Here.

04:06.880 --> 04:16.730
So this output indicates that there are several files that are loaded as part of the reader_sl.exe

04:16.750 --> 04:17.320
process.

04:17.320 --> 04:23.650
Later in this lecture, the DLL files will be acquired for further examination here.

04:24.310 --> 04:27.940
And we also have the handles plugin here.

04:27.940 --> 04:33.160
So the handles plugin, actually, I will copy this.

04:33.160 --> 04:40.690
So for further examination and I will also share it with you so you can look at it.

04:40.870 --> 04:41.620
Yeah.

04:42.280 --> 04:48.880
This is the, let's mention it here that this is the output of.

04:49.670 --> 04:51.950
This is the output of this command.

04:54.840 --> 04:55.440
Okay.

04:56.820 --> 04:57.660
So.

04:58.470 --> 05:00.990
Now we're gonna use the handles.

05:01.530 --> 05:04.770
Pro Handles plugin.

05:05.280 --> 05:06.480
So let's.

05:07.730 --> 05:10.580
Actually, close this, and yeah.

05:11.370 --> 05:21.120
So the handles plugin here allows analysts to view what type of handles are open in an existing

05:21.120 --> 05:21.570
process.

05:21.570 --> 05:27.540
So these handles are references to resources that are managed by the operating system.

05:27.540 --> 05:34.230
So this data provides the responder an understanding of the specific blocks of memory an application

05:34.230 --> 05:35.640
or process is using.

05:35.640 --> 05:41.520
So this includes a wide variety of information, including registry keys and files associated with that

05:41.520 --> 05:42.600
process too.

05:42.600 --> 05:51.420
And yeah, so to identify the open handles for a process ID, for example our process ID, in this case

05:51.420 --> 05:59.280
228, now we're going to use this process ID. Okay.

06:00.120 --> 06:02.460
First use this process here.

06:03.830 --> 06:05.920
As you can see here, the, uh.

06:06.200 --> 06:12.110
But in this case we are just going to delete the dlllist plugin because we are not going to use it

06:12.110 --> 06:12.890
anymore.

06:13.100 --> 06:17.720
And here, 228 and.

06:18.860 --> 06:22.310
The process here and use the handles.

06:23.840 --> 06:24.320
Plugin.

06:24.320 --> 06:26.930
And as you can see, we got this output here.

06:27.020 --> 06:38.660
So the command here produces the output here: the thread, file and directory and other information here.

06:38.660 --> 06:47.060
So as this output indicates, the suspect process has several open handles: processes, threads and registry

06:47.060 --> 06:47.690
keys.

06:48.050 --> 06:55.610
So these may become important data points moving forward and give some indication of the behavior of

06:55.610 --> 06:58.790
the reader_sl.exe executable here.

07:00.620 --> 07:05.210
So I want to mention another plugin here named ldrmodules.

07:05.210 --> 07:11.090
So a common practice with malware code is to do something to hide the activities of the malware.

07:11.120 --> 07:17.540
So one technique is to attempt to hide the DLL files associated with the malicious code, so this can

07:17.540 --> 07:25.340
be accomplished by unlinking the suspect DLL from the process environment block, named the PEB.

07:25.610 --> 07:31.280
So while this may provide some obfuscation on the surface, there is still trace evidence of its

07:31.640 --> 07:35.930
existence contained within the virtual address descriptor.

07:36.500 --> 07:43.430
So the VAD is a mechanism that identifies a DLL file's base address and full path.

07:43.430 --> 07:47.660
So the ldrmodules

07:48.480 --> 07:56.130
plugin compares the list of the processes and determines if they are in the PEB, named process environment

07:56.130 --> 08:03.180
block. And so now let's run the ldrmodules plugin here.

08:03.870 --> 08:08.670
And as you can see here, this is the output we get when using this command.

08:08.670 --> 08:15.030
So a review of the output reveals some entries.

08:15.980 --> 08:22.550
Uh, in the reader_sl.exe file named here.

08:24.440 --> 08:25.300
Actually it's.

08:25.310 --> 08:25.820
Yeah.

08:26.240 --> 08:27.800
Decrease the size a little bit.

08:32.920 --> 08:43.720
And here, as you can see here from this output, this reader_sl.exe process does appear to have an

08:43.720 --> 08:46.570
issue associated with the file.

08:46.690 --> 08:54.100
So the indicator that the process is suspect is the false here: InInit is false,

08:54.100 --> 08:55.030
as you can see here.

08:55.030 --> 09:01.300
But there is nothing false, another nothing and another code here.

09:01.300 --> 09:07.240
So as you can see, this is suspicious; this is suspicious that the other file is tampered with here.

09:07.240 --> 09:16.420
So this indicates that the executable has delinked the files, and the reader_sl.exe

09:16.420 --> 09:20.140
file warrants further investigation.

09:32.380 --> 09:36.910
And we're going to copy this, so I'm going to share it with you.

09:38.070 --> 09:38.490
And.

09:38.490 --> 09:41.580
Yeah, place it under this command.

09:42.720 --> 09:45.090
Okay, the command is shown here.

09:45.120 --> 09:49.800
So now I'm going to, I want to mention the.

09:50.710 --> 09:52.000
X we process.

09:52.570 --> 09:55.880
So P is equal.

09:55.900 --> 10:01.720
And as you remember in previous lectures, we did some examples of it, but it's just a demonstration

10:01.720 --> 10:05.050
of how this command runs and how to use it.

10:05.050 --> 10:11.470
But in this lecture, as you can see here, we are investigating the reader_sl.exe

10:11.470 --> 10:11.830
file.

10:11.830 --> 10:16.570
And this is a suspicious file, as we have seen.

10:16.570 --> 10:23.080
So we're going to investigate and analyze this executable file.

10:23.530 --> 10:28.270
Actually, it's run, as you remember, this is the virtual memory file.

10:28.270 --> 10:29.560
This is another storage file.

10:29.560 --> 10:35.080
This is actually the memory file here that was captured from the random access memory.

10:36.240 --> 10:36.840
So.

10:37.560 --> 10:39.060
And here.

10:45.220 --> 10:46.300
We're going to use the.

10:48.560 --> 10:49.360
psx

10:49.420 --> 10:50.810
view, file, psx

10:50.810 --> 10:53.080
view, more plugin here.

10:53.090 --> 11:01.150
So this is another good plugin that aids in discovering hidden processes, the psxview here.

11:01.160 --> 11:10.820
So this plugin compares the active processes indicated within the active process head with any other possible

11:10.820 --> 11:12.200
sources within the memory image.

11:12.200 --> 11:16.610
So to run this plugin you can just.

11:18.870 --> 11:22.650
Delete the process here because we are not using it on this process.

11:22.650 --> 11:28.680
We're going to scan all of this and use the psxview.

11:32.870 --> 11:34.610
And I'm going to copy this also.

11:34.610 --> 11:38.240
So I'll share it with you in the lecture attachment.

11:40.970 --> 11:41.490
Here.

11:47.800 --> 11:50.020
So this is the opposite.

11:50.050 --> 11:52.670
I actually copied the wrong one here.

11:52.690 --> 11:55.300
Actually, they are the same, but I accidentally.

11:55.600 --> 11:56.580
Yeah, yeah, yeah.

11:56.590 --> 11:56.950
No, they.

11:56.950 --> 11:58.210
They are not the same here.

11:59.470 --> 12:00.340
But I have copied.

12:00.370 --> 12:01.240
They are the same.

12:01.240 --> 12:02.080
Was the same.

12:02.080 --> 12:02.680
So.

12:04.520 --> 12:05.780
The output is like that.

12:06.760 --> 12:10.330
This is the output we got from the plugin.

12:10.330 --> 12:17.080
So a false within the column indicates that the process is not found in that area.

12:18.350 --> 12:23.450
And yeah, this is as you can see, there is a false here.

12:24.260 --> 12:30.920
So this plugin allows us to actually, yeah, yeah.

12:31.010 --> 12:38.270
This plugin allows us to leave that list and determine whether there is a legitimate reason that

12:38.270 --> 12:44.470
the process may not be there or if it is indicative of an attempt to hide a process.

12:44.480 --> 12:47.900
So as you remember in previous lectures the.

12:49.670 --> 12:50.140
Previous.

12:50.750 --> 12:59.420
In previous code here, we used reader_sl and we suspected it because when we scanned it, it did

12:59.420 --> 13:02.690
actually come out pretty suspicious.

13:04.130 --> 13:05.240
Output here and.

13:05.240 --> 13:07.820
Yeah, let's, let's Yeah.

13:07.820 --> 13:10.520
This was the second command we used.

13:12.480 --> 13:14.430
And as you can see here.

13:17.340 --> 13:19.830
There is the suspicious file here.

13:24.080 --> 13:33.170
And by suspicious I meant that the DLL file is delinked from this.

13:33.350 --> 13:35.720
But is that an.

13:36.720 --> 13:37.440
Like.

13:39.890 --> 13:41.180
As you can see here.

13:42.180 --> 13:43.620
It wasn't an accident.

13:43.650 --> 13:46.100
It wasn't a system that did it.

13:46.110 --> 13:54.660
It's just an executable malware code that did hide the DLL file somewhere in

13:54.660 --> 13:55.320
the system.

13:55.320 --> 13:56.130
So.

13:56.870 --> 13:58.610
This is actually pretty suspicious here.

13:58.910 --> 14:03.860
And we also, here, this was the last quote here.

14:03.890 --> 14:11.600
In the next lecture, we're going to go into more depth about the Volatility network and Volatility network

14:11.600 --> 14:12.470
analysis.

14:12.920 --> 14:17.840
And as you remember in the previous lecture, we did some network plugins.

14:17.940 --> 14:20.810
We used some networking plugins in volatility.

14:20.810 --> 14:29.900
But in the next lecture we will specifically analyze the networking plugin with this suspicious executable

14:29.900 --> 14:31.220
or running file here.

14:31.220 --> 14:33.050
So I'm waiting for you in the next lecture.
