WEBVTT

00:01.450 --> 00:04.120
DLL analysis.

00:04.150 --> 00:13.390
Dynamic link libraries are specific to Microsoft and contain code that can be used by multiple programs

00:13.390 --> 00:14.710
simultaneously.

00:15.190 --> 00:23.020
Inspection of a process's running DLLs and the version information of files and products may assist

00:23.020 --> 00:31.120
in correlating processes, so processes and information should be analyzed as they relate to the user

00:31.120 --> 00:31.530
account.

00:31.540 --> 00:38.500
So for this task these are the plugins mainly used. There are actually more than three plugins in

00:38.500 --> 00:43.420
Volatility, but these are the mainly used plugins for DLL analysis here.

00:43.450 --> 00:52.000
The first is verinfo. Verinfo, dlllist and getsids here.

00:52.030 --> 00:58.270
So in this lecture we're going to start with the verinfo here, the verinfo

00:58.270 --> 00:59.130
plugin.

00:59.140 --> 01:08.570
So this command lists the version information (verinfo) about portable executable files, PE files.

01:08.570 --> 01:14.480
So the output of this plugin is usually quite lengthy and so can be run in a separate terminal, should the

01:14.480 --> 01:21.320
investigator not wish to continue to scroll through the current terminal to retrieve the past plugin

01:21.320 --> 01:23.390
commands and outputs.

01:23.390 --> 01:30.470
So verinfo is actually pretty rich, it has pretty rich output and contains lots of information.

01:30.470 --> 01:30.980
Here.

01:31.100 --> 01:35.630
Verinfo, and click on enter, and yeah, the.

01:35.690 --> 01:35.860
Yeah.

01:35.870 --> 01:42.770
Don't worry, we're going to copy this here and put it into a text file in the text editor here so we can

01:42.860 --> 01:45.620
analyze it more easily.

01:59.430 --> 02:00.000
Yeah.

02:12.520 --> 02:20.710
As you can see, Volatility just consumed 25% of CPU here.

02:21.530 --> 02:23.660
And yeah, this is our output.

02:23.690 --> 02:24.660
Now we're going to.

02:27.050 --> 02:27.500
Here.

02:34.610 --> 02:34.850
H.

02:35.000 --> 02:35.660
I'm sorry.

02:35.870 --> 02:36.580
I can just.

02:36.590 --> 02:37.910
Oh, no, we can't, can we?

02:37.930 --> 02:38.690
Can we use.

02:38.720 --> 02:39.290
Yeah.

02:39.290 --> 02:40.340
No, we can't.

02:44.960 --> 02:45.620
Yeah.

03:00.210 --> 03:04.200
And as you can see, there is an output that we can analyze here.

03:04.320 --> 03:05.730
So now I'm going to.

03:06.550 --> 03:08.230
Copy the selections.

03:10.500 --> 03:14.530
Oops actions file.

03:14.550 --> 03:18.000
Actually in Linux we have to like use the copy.

03:19.600 --> 03:20.230
Here.

03:22.300 --> 03:24.400
Keyboard cruiser, hide windows.

03:24.400 --> 03:25.090
Borders.

03:25.090 --> 03:25.780
Help.

03:31.180 --> 03:31.690
Here.

03:31.810 --> 03:39.400
No, actually, we don't have the option to copy all of these files.

03:41.820 --> 03:43.920
So now we're just gonna.

03:44.640 --> 03:50.100
We're just gonna scroll it down until the end of the file and we've got the information.

03:50.130 --> 03:57.810
Or we can just decrease the font size to, like, smallest possible size.

03:58.230 --> 04:00.600
Yeah, this is the smallest here.

04:00.600 --> 04:01.890
And we can.

04:03.000 --> 04:06.510
And it will take less time to copy all of this here.

04:08.370 --> 04:08.850
Yeah.

04:14.790 --> 04:15.270
It will.

04:15.420 --> 04:15.750
Yeah.

04:16.020 --> 04:18.450
We are halfway through it.

04:23.570 --> 04:24.110
Yeah.

04:25.870 --> 04:27.130
Almost copied it.

04:27.130 --> 04:27.550
Yeah.

04:27.550 --> 04:34.120
And I will share these text files with you in the attachments section of our lecture.

04:34.210 --> 04:34.720
Yeah.

04:34.720 --> 04:36.730
Yeah, it's completely okay.

04:38.650 --> 04:39.580
And.

04:41.050 --> 04:41.530
Y.

04:42.020 --> 04:42.610
Y.

04:45.420 --> 04:45.810
What?

04:53.940 --> 04:54.300
Yeah.

04:54.300 --> 04:55.530
We now we're gonna.

04:56.910 --> 04:58.350
Verinfo.

05:05.630 --> 05:06.530
Or, uh, we're gonna.

05:06.560 --> 05:07.640
We can also use the.

05:08.940 --> 05:11.190
Now we're going to first use verinfo.

05:18.190 --> 05:23.320
I'm going to pause the video here and copy to the text file and analyze it further.

05:24.760 --> 05:31.030
And here in Linux I found I have to copy all of the files.

05:31.030 --> 05:32.680
So shift here.

05:36.060 --> 05:38.850
And you're gonna go all the way up.

05:40.640 --> 05:41.180
Here.

05:45.950 --> 05:54.500
And we're gonna zoom in and out with the Ctrl plus/minus buttons.

05:54.500 --> 05:59.330
And at the top, we're gonna choose it and go down.

06:05.760 --> 06:06.360
Here.

06:18.820 --> 06:19.390
Yeah.

06:19.930 --> 06:27.970
And we've got all the information we need, and then paste it on the text file here.

06:30.020 --> 06:34.070
Now we have another plugin we're going to use.

06:34.100 --> 06:36.410
It's named the.

06:36.410 --> 06:41.540
Yeah, we can, we can just zoom reset here and.

06:43.470 --> 06:44.820
Preferences.

06:45.480 --> 06:47.270
Fix the font size or bigger.

06:47.280 --> 06:48.300
Let's make it bigger.

06:48.300 --> 06:49.770
The font size here.

06:51.410 --> 06:52.100
Yeah.

06:52.130 --> 06:53.960
14 is okay.

06:55.630 --> 06:56.230
Okay.

06:56.560 --> 06:57.970
Clear the terminal screen.

06:57.970 --> 07:06.220
We copied our output and now we're going to use the Volatility plugin named dlllist.

07:08.730 --> 07:10.820
This is our dlllist here.

07:10.830 --> 07:15.810
It's actually not as big as the previous output.

07:16.020 --> 07:19.470
It just took like 2 or 3 minutes to copy it.

07:19.470 --> 07:22.530
But it's worth it because I'm going to share it with you.

07:24.580 --> 07:25.180
Okay.

07:26.120 --> 07:26.480
Also.

07:26.480 --> 07:27.380
Copy this.

07:29.290 --> 07:33.400
And what's the... yeah, dlllist.

07:34.310 --> 07:36.200
And paste it here.

07:38.310 --> 07:39.180
So.

07:40.500 --> 07:46.740
And this plugin lists all the running DLLs at the time in memory.

07:46.740 --> 07:52.860
So the DLLs are composed of code that can be used by multiple programs simultaneously.

07:52.860 --> 07:54.990
And yeah, this is the output.

07:54.990 --> 07:57.180
It shows all the DLLs

07:58.250 --> 08:01.040
In Windows at the runtime here.

08:02.670 --> 08:07.620
We have another plugin named getsids here.

08:07.710 --> 08:11.730
Getsids, get SIDs.

08:13.260 --> 08:18.000
So this is security identifiers, SIDs.

08:18.630 --> 08:26.940
A getsids command has four very useful items in the order in which processes were started.

08:27.330 --> 08:29.430
Refer to pslist and pstree.

08:29.700 --> 08:36.060
So these results here, as you can see here, we have S.

08:37.510 --> 08:41.980
Now I'm going to explain one by one what this means.

08:42.070 --> 08:44.590
And yeah, this is not the getsids.

08:44.590 --> 08:46.720
Yeah, this is the getsids

08:47.520 --> 08:48.240
output here.

08:48.240 --> 08:50.100
Now, I'm going to also copy this.

08:51.140 --> 08:57.020
And so I'm going to, I have to share it with you guys because some of you might struggle getting these

08:57.020 --> 08:57.800
codes here.

08:59.270 --> 09:04.460
But if you just downloaded the same image file, you will get the same results.

09:05.120 --> 09:14.420
So this is the output of this getsids, uh, security identifiers here.

09:14.930 --> 09:16.640
Security identifiers, SIDs.

09:17.390 --> 09:22.330
And yeah, this is the system, the process name.

09:22.340 --> 09:23.450
The first is the system.

09:23.450 --> 09:24.590
For example, this is the process.

09:24.590 --> 09:25.340
Name Winlogon.

09:25.340 --> 09:26.180
Process Name.

09:27.130 --> 09:38.260
And after, as you can see here, this is, and these are the process IDs here: 500, 536, 634, 632,

09:38.260 --> 09:40.090
688.

09:40.090 --> 09:47.530
And like that here, these are the process IDs, these are the process names, uh, as long here, and this is

09:47.530 --> 09:48.760
the interesting part here.

09:48.790 --> 09:53.800
This is the security identifier, SIDs.

09:54.920 --> 10:00.320
And yeah, and here, this is the user who started it.

10:01.380 --> 10:04.470
Some of it user, some of it like service.

10:04.620 --> 10:05.370
Some of it.

10:05.400 --> 10:06.800
Administrator. Some of it.

10:06.810 --> 10:07.650
Everyone.

10:07.890 --> 10:10.740
So if the last number here, this is the tip here.

10:10.740 --> 10:23.470
If the last number of the ID is in the range of 500, this indicates a user with administrator privileges.

10:23.490 --> 10:35.760
For example, here, S-1, S-1-5-32-545 is the administrator.

10:38.640 --> 10:39.600
Here, as you can see.

10:44.380 --> 10:51.490
And so far we have found some very interesting artifacts, including programs that were running and

10:51.490 --> 10:54.790
users who were logged onto the machine.

10:55.420 --> 11:00.370
Now, in the next lecture, we're going to perform the registry analysis.
