WEBVTT

00:01.900 --> 00:02.200
Hello.

00:02.200 --> 00:08.380
In this lecture we're going to download the Volatility test images to use for memory forensics or

00:08.380 --> 00:09.430
other purposes.

00:09.430 --> 00:15.490
So in order to download it, you're going to visit the Volatility Foundation

00:15.490 --> 00:18.280
official GitHub website.

00:18.280 --> 00:26.500
And here is the link; I'm going to share this link with you in the lecture's attachment section.

00:26.500 --> 00:29.620
So you can click on this or you can just write it.

00:29.620 --> 00:31.120
So it's a short link here.

00:31.120 --> 00:39.910
So here are the test images, public test image samples provided for testing purposes.

00:39.910 --> 00:49.510
So here we have macOS, Windows XP x86 and 2003 SP0, Service Pack 0, and we have Cridex

00:49.540 --> 00:55.960
malware, Shylock malware, R2D2 malware, Windows 7.

00:56.200 --> 00:57.820
We have nice here.

00:58.800 --> 00:59.400
Inside it.

00:59.400 --> 01:00.660
We have five samples.

01:00.660 --> 01:04.800
But in this case today, we are not going to download it for now.

01:04.800 --> 01:11.130
So actually you can get more information and more test images from this official website here.

01:11.130 --> 01:17.370
You can also get new datasets, popular datasets and sources like that.

01:17.370 --> 01:26.300
But in this lecture, we're going to use the Windows XP image named Windows Malware, R2D2.

01:26.340 --> 01:27.630
Let's actually.

01:27.630 --> 01:28.110
Okay.

01:28.110 --> 01:40.020
So R2D2, and it's used on an infected Windows XP operating system, Windows XP Service Pack 2, 32-bit here.

01:40.500 --> 01:44.790
And the password is as said here, infected here.

01:44.790 --> 01:45.960
So click on that.

01:45.960 --> 01:53.400
It's just one click and you're going to be redirected to MediaFire here, and click on download.

01:54.490 --> 01:56.080
Now click on Save file.

01:56.840 --> 02:02.930
Yes, since I have already installed it, the file name changed by one, because I previously installed this

02:03.050 --> 02:04.670
for testing purposes.

02:06.060 --> 02:06.600
Here.

02:08.460 --> 02:09.420
Open here.

02:09.420 --> 02:11.400
And yeah, let's extract this.

02:11.400 --> 02:17.430
As you know, this one has the password, which is infected.

02:17.610 --> 02:18.750
This is the password here.

02:18.750 --> 02:24.120
And as you can see, this is 268.4 MB.

02:24.150 --> 02:26.220
You can extract this like that.

02:27.260 --> 02:29.000
To the desktop here.

02:30.640 --> 02:38.410
Or you can also extract this image by using the terminal Unrar tool here.

02:50.800 --> 02:54.400
Zero 50s here.

02:59.680 --> 03:00.370
Okay.

03:01.030 --> 03:02.150
To move.

03:02.170 --> 03:05.170
To move this to home.

03:07.220 --> 03:10.490
Mom, Kelly Non-desktop.

03:13.580 --> 03:22.880
And, yeah, now we're gonna cd to home kali desktop, and as you can see here, there is a,

03:23.570 --> 03:30.530
uh, there is our file here that we moved to this directory, and now we're going

03:30.530 --> 03:39.440
to unrar it so we can see, you can also list the contents of the zero app here.

03:39.830 --> 03:43.640
Let's here, let's actually move this.

03:43.640 --> 03:44.420
So.

03:46.150 --> 03:46.720
Okay.

03:46.720 --> 03:47.400
Yeah.

03:47.410 --> 03:48.570
We remove this and.

03:49.270 --> 03:49.780
Oops.

03:49.870 --> 03:59.760
Okay, so you can also list the files inside the RAR package here with the l command, l, and

03:59.770 --> 04:01.630
zero if T is here.

04:03.100 --> 04:03.850
Enter.

04:03.850 --> 04:09.670
And as you can see, this asks us for the password; enter infected.

04:10.180 --> 04:17.050
And yes, you can see that we have one file, the size of this file, the date it was created and the time.

04:17.230 --> 04:20.390
So now we're going to unrar it here.

04:20.410 --> 04:22.690
Let's see what files we have.

04:22.990 --> 04:28.900
We have just a folder, volatility, which our Volatility framework is installed in, and we have

04:28.900 --> 04:33.970
the RAR file which we're going to extract files from. By files,

04:33.970 --> 04:38.050
I meant the virtual memory file.

04:38.050 --> 04:40.420
So let's use unrar.

04:41.420 --> 04:46.910
Here unrar, e or E here, and R here.

04:46.940 --> 04:53.340
Now enter the zeros here and enter your password, infected.

04:54.080 --> 04:55.820
In fact.

04:57.740 --> 04:59.840
As you can see, it is extracted.

04:59.840 --> 05:03.820
And as you can see, the virtual memory file is here.

05:03.830 --> 05:13.550
So once the memory file zeros has been extracted to the desktop or the location of your preference,

05:13.910 --> 05:18.980
we can now use the Volatility framework to analyze the dump.

05:18.980 --> 05:25.610
So whilst we are within the desktop directory, we can still insert.

05:26.120 --> 05:33.530
As you can see, we installed the stable version of volatility in our previous lectures.

05:33.680 --> 05:38.660
So now we can just list the commands on previous lectures.

05:38.660 --> 05:44.150
So let's see what is inside our volatility folder.

05:44.150 --> 05:53.900
As you can see, there's a Volatility 2.5 Linux standalone; or cd volatility, and there are our files

05:54.080 --> 05:54.890
here.

05:55.970 --> 05:58.520
So now I'm going to move.

06:00.550 --> 06:01.970
Move this zeros up.

06:01.990 --> 06:12.220
Move this memory to our volatility folder, inside where our Volatility lives, and create a new folder in

06:12.220 --> 06:12.700
it.

06:12.820 --> 06:14.800
And so.

06:15.810 --> 06:24.930
Now we will not have to use the directory every time to show the program where our virtual memory file

06:24.930 --> 06:25.200
is.

06:25.200 --> 06:29.220
So let's move it on.

06:29.850 --> 06:36.900
Kali desktop zero Ftest Virtual mem to home.

06:37.880 --> 06:38.270
kali.

06:39.330 --> 06:39.660
kali.

06:40.720 --> 06:41.680
Desktop.

06:42.040 --> 06:43.090
Desktop.

06:44.130 --> 06:44.440
Um.

06:44.460 --> 06:45.040
Here.

06:45.100 --> 06:46.080
Volatility.

06:46.380 --> 06:47.790
Volatility.

06:49.100 --> 06:49.730
And.

06:49.730 --> 06:50.330
Yeah.

06:51.280 --> 06:56.110
As you can see here, we moved that zero feet memory to it.

06:56.110 --> 06:58.860
And now let's create a make.

06:58.870 --> 07:06.780
Let's create a new directory with mkdir, mkdir here, and let's case Oxley.

07:07.670 --> 07:09.880
Oxley case.

07:10.180 --> 07:13.990
Case 001 here.

07:13.990 --> 07:21.850
And we created the new folder here, and let's move zero that here to Oxley case.

07:22.420 --> 07:26.920
Oxley case and yeah so now.

07:28.170 --> 07:31.500
Now let's list the commands we can use with volatility.

07:32.130 --> 07:35.700
Volatility, as you can see here, we need to.

07:37.860 --> 07:38.310
Write.

07:38.310 --> 07:41.910
Our tool path with these characters.

07:42.900 --> 07:48.030
And volatility 64-bit and the help command.

07:49.560 --> 07:56.430
Here, this help command, uh, shows a snippet of some of the many plugins

07:56.430 --> 07:58.600
within the volatility framework.

07:58.620 --> 08:06.300
Here, actually, the Volatility framework is a very rich and popular framework in the digital forensics

08:06.300 --> 08:07.170
community.

08:07.200 --> 08:15.150
That's why it's actually gone a pretty long way, and it is very usable if you know how to use it.

08:15.180 --> 08:16.200
Volatility here.

08:16.230 --> 08:23.190
So I'm going to decrease the font size a little bit so we can see every description of these tools.

08:23.340 --> 08:32.430
Here we also have, as you can see here, shellbags scan, but we can also print the process list as

08:32.430 --> 08:33.090
a tree.

08:33.240 --> 08:36.880
We're going to do more examples with this later here.

08:36.900 --> 08:43.170
Don't worry, we will use almost all of these plugins here.

08:43.350 --> 08:47.110
Here we can also import our plugins in volatility.

08:47.130 --> 08:51.340
Here we can also print a list of loaded DLLs for each process.

08:51.370 --> 08:54.400
So this is like a pretty good tool for a digital forensics

08:54.400 --> 09:01.930
examiner. So the list comes in handy when performing analysis, as each plugin comes with its own short

09:01.930 --> 09:03.400
description, as you can see here.

09:03.400 --> 09:10.690
So now we're going to use the image info here; with image info, we're going to identify

09:10.690 --> 09:12.880
information for the image.

09:12.880 --> 09:20.320
So for the format of the Volatility plugin, we're going to first use volatility here.

09:21.870 --> 09:27.300
Now we're going to use -f to specify the file name, actually, in Volatility.

09:27.750 --> 09:30.150
I want to show you that how this is done.

09:30.150 --> 09:32.760
So there are parameters.

09:32.760 --> 09:33.570
You can use it.

09:33.570 --> 09:34.770
This is the help.

09:34.800 --> 09:37.440
This is the debug volatility.

09:37.710 --> 09:48.300
This is filename. We can also use it with just a short -f here, lowercase f, or just two minus

09:48.480 --> 09:52.920
characters here and then filename equals, and enter your file name here.

09:52.950 --> 09:57.420
You can also specify the profile and other parameters here.

09:58.670 --> 10:07.130
So now let's go down and, yeah, let's use our file name, as you remember we moved

10:08.180 --> 10:10.550
our virtual memory file to this folder.

10:10.910 --> 10:12.820
Case Oaxaca Case.

10:12.830 --> 10:18.350
Here we've specified the file name and now we're going to use the plugin here.

10:19.460 --> 10:21.320
Image info.

10:21.320 --> 10:27.130
So I want to mention that after the plugin you can also use the options, blah blah blah here.

10:27.140 --> 10:29.120
So you can choose also options here.

10:29.120 --> 10:34.520
But in this case I'm not going to choose any options, because I want to just show the image info

10:34.520 --> 10:41.450
of our virtual memory file. Here it is determining the profile based on KDBG search.

10:43.500 --> 10:43.890
Here.

10:43.890 --> 10:45.060
It's a good practice.

10:45.060 --> 10:46.200
As you can see here.

10:46.640 --> 10:56.490
We output and printed all of the information that is contained in our virtual memory

10:56.490 --> 10:56.970
file.

10:56.970 --> 11:03.990
So it's a good practice to have the Volatility help commands open in a second terminal for easy access

11:03.990 --> 11:08.310
to the commands without having to constantly scroll up and down here.

11:08.310 --> 11:10.710
So we need to choose a profile.

11:10.710 --> 11:17.640
By the profile, I mean the operating system version to work with in Volatility.

11:17.640 --> 11:20.040
So now we're going to choose the profile here.

11:20.040 --> 11:26.130
As you can see here, the suggested profiles are listed here, Windows XP Service Pack 2 and Windows

11:26.130 --> 11:28.770
XP Service Pack 3.

11:29.130 --> 11:36.080
And as you can see here, both of them are x86 here, architecture 32, which means 32-bit here.

11:36.090 --> 11:42.620
So what is the suggested profile, or profile, in Volatility?

11:42.630 --> 11:46.710
So all operating systems store information in RAM.

11:46.710 --> 11:52.950
However, they may be situated in different locations within the memory according to the operating system

11:52.950 --> 11:53.670
that is used.

11:53.670 --> 12:01.890
So in Volatility, we must choose a profile that best identifies the type of operating system and service

12:01.890 --> 12:09.030
pack, which helps Volatility in identifying locations that store certificates and useful information.

12:09.030 --> 12:17.490
So choosing a profile is relatively simple, as it does all the work for us using the image info plugin.

12:17.490 --> 12:23.880
So as you can see, we just mentioned the file path and then mentioned the plugin, and it showed us the image

12:23.880 --> 12:29.180
info here: number of processors, image type, etcetera.

12:29.190 --> 12:30.720
So now we're going to.

12:32.250 --> 12:37.350
And here we insert the image info file so we know what we are working on.

12:37.680 --> 12:41.730
This is the memory file of Windows XP Service Pack two.

12:41.790 --> 12:42.900
So.

12:44.730 --> 12:50.870
So here we're going to identify the processes and do analysis.

12:50.880 --> 12:59.880
So to identify and link the processes, their IDs, time started and offset location within the memory

13:00.960 --> 13:06.540
image, we will be using four plugins to get us started.

13:06.630 --> 13:10.110
This is the pslist here.

13:10.140 --> 13:11.370
pslist.

13:12.890 --> 13:14.030
pstree.

13:14.970 --> 13:18.690
psscan and psx.

13:19.500 --> 13:20.370
view here.

13:23.530 --> 13:24.790
In next lectures.

13:24.970 --> 13:30.550
Actually, I will make four separate lectures for these plugins.

13:30.700 --> 13:33.910
So these are the main plugins to use here.

13:33.910 --> 13:38.440
So in the next lecture you will learn about pslist.

13:38.470 --> 13:39.430
Next lecture here.

13:39.430 --> 13:41.170
So I'm waiting for you in the next lecture.
