1
00:00:01,110 --> 00:00:09,510
In this lecture we will learn more about the dlllist command or plugin, so the responders can also

2
00:00:09,510 --> 00:00:14,340
check the loaded files associated with the process.

3
00:00:14,370 --> 00:00:22,740
This allows the analyst to determine whether a suspect process accessed these files when it was executed.

4
00:00:22,740 --> 00:00:29,430
So, for example, if a responder would like to examine the DLL file associated with one of the suspect

5
00:00:29,430 --> 00:00:32,010
processes, for example process ID

6
00:00:33,270 --> 00:00:42,300
11640, then you will need to run the command volatility.

7
00:00:44,010 --> 00:00:45,090
Uh, 60.

8
00:00:45,120 --> 00:00:46,830
Yeah, 64.

9
00:00:47,220 --> 00:00:48,390
And.

10
00:00:48,780 --> 00:00:51,620
Okay, we'll take the 64 first.

11
00:00:51,630 --> 00:00:54,540
As you remember, we inserted the file here.

12
00:00:55,200 --> 00:00:58,380
In this case, it's the file in here.

13
00:00:58,380 --> 00:01:01,350
And then we're going to select a profile.

14
00:01:01,350 --> 00:01:07,080
As you remember, our profile was the Win, Windows XP Service Pack 2.

15
00:01:07,980 --> 00:01:12,540
Uh, and x86 here.

16
00:01:13,820 --> 00:01:24,620
And then we're going to use the -p, pid parameter to specify the process in this memory file, that running

17
00:01:24,620 --> 00:01:25,070
process.

18
00:01:25,070 --> 00:01:28,340
In this case, it's 1640.

19
00:01:30,560 --> 00:01:39,080
And as you can see on the modern platform, yeah, there is no such option with -p. volatility

20
00:01:39,990 --> 00:01:41,040
-h here.

21
00:01:44,430 --> 00:01:44,760
Oops.

22
00:01:47,230 --> 00:01:47,800
Yeah.

23
00:01:47,980 --> 00:01:48,460
Uh.

24
00:01:48,760 --> 00:01:49,330
Help.

25
00:01:50,330 --> 00:01:54,500
And as you can see here, we're going to have some commands named.

26
00:01:56,440 --> 00:01:59,160
-p, help, debug, plugins.

27
00:02:00,860 --> 00:02:01,580
Here.
28
00:02:07,830 --> 00:02:10,230
Verbose here, key here.

29
00:02:10,650 --> 00:02:13,590
And yeah, now we're going to use the.

30
00:02:16,630 --> 00:02:20,770
The dlllist, and then -p, process

31
00:02:20,800 --> 00:02:22,270
1640.

32
00:02:25,280 --> 00:02:25,610
Okay.

33
00:02:25,610 --> 00:02:26,690
1640.

34
00:02:30,260 --> 00:02:33,370
As you can see, there is no process named 1614.

35
00:02:33,380 --> 00:02:39,710
So now we're going to use the pslist to determine which process is.

36
00:02:39,710 --> 00:02:43,670
Yeah, you need the pslist plugin.

37
00:02:45,440 --> 00:02:45,980
Here.

38
00:02:48,610 --> 00:02:51,350
Oh, why so.

39
00:02:51,880 --> 00:02:55,030
imageinfo with it.

40
00:02:55,180 --> 00:02:59,260
Entered the wrong. imageinfo, operating system, file, profile.

41
00:02:59,890 --> 00:03:01,150
Yeah, it's.

42
00:03:01,880 --> 00:03:02,630
Searching.

43
00:03:02,630 --> 00:03:08,240
And as you can see, Windows XP Service Pack 2 x86.

44
00:03:10,980 --> 00:03:11,430
Okay.

45
00:03:11,430 --> 00:03:12,540
It's the same, actually.

46
00:03:14,180 --> 00:03:14,840
Profile.

47
00:03:16,490 --> 00:03:17,090
Okay.

48
00:03:17,300 --> 00:03:20,630
As you can see here, we've listed our processes.

49
00:03:21,650 --> 00:03:22,150
Run.

50
00:03:22,250 --> 00:03:28,970
And we can find the associated executable or DLL files from it.

51
00:03:28,970 --> 00:03:32,990
So, for example, if I want to get the.

52
00:03:34,260 --> 00:03:38,250
The loss of here, for example.

53
00:03:39,380 --> 00:03:43,430
Let's, let's... it's actually a reader_sl.exe file, it is quite suspicious.

54
00:03:43,430 --> 00:03:47,540
So that's why I'm going to choose the process to.

55
00:03:47,570 --> 00:03:47,800
Yeah.

56
00:03:47,840 --> 00:03:55,310
As you can see here, the process IDs are up here and we're going to choose the 228.

57
00:03:58,680 --> 00:03:59,030
Okay.

58
00:03:59,040 --> 00:04:04,560
As you can see here, we got these DLL files associated with the running process.
59
00:04:06,340 --> 00:04:06,880
Here.

60
00:04:06,880 --> 00:04:16,730
So this output indicates that there are several files that are loaded as part of the reader_sl.exe

61
00:04:16,750 --> 00:04:17,320
process.

62
00:04:17,320 --> 00:04:23,650
Later in this lecture, the DLL files will be acquired for further examination here.

63
00:04:24,310 --> 00:04:27,940
And we also have the handles plugin here.

64
00:04:27,940 --> 00:04:33,160
So the handles plugin, actually I will, I will copy this.

65
00:04:33,160 --> 00:04:40,690
So for further examination, and I will also share it with you so you can look at it.

66
00:04:40,870 --> 00:04:41,620
Yeah.

67
00:04:42,280 --> 00:04:48,880
This is the, let's mention it here that this is the output of.

68
00:04:49,670 --> 00:04:51,950
This is the output of this command.

69
00:04:54,840 --> 00:04:55,440
Okay.

70
00:04:56,820 --> 00:04:57,660
So.

71
00:04:58,470 --> 00:05:00,990
Now we're gonna use the handles.

72
00:05:01,530 --> 00:05:04:770
The handles plugin.

73
00:05:05,280 --> 00:05:06,480
So let's.

74
00:05:07,730 --> 00:05:10,580
Actually, close this, and yeah.

75
00:05:11,370 --> 00:05:21,120
So the handles plugin here allows analysts to view what type of handles are open in an existing

76
00:05:21,120 --> 00:05:21,570
process.

77
00:05:21,570 --> 00:05:27,540
So these handles are references to resources that are managed by the operating system.

78
00:05:27,540 --> 00:05:34,230
So this data provides the responder an understanding of the specific blocks of memory an application

79
00:05:34,230 --> 00:05:35,640
or process is using.

80
00:05:35,640 --> 00:05:41,520
So this includes a wide variety of information, including registry keys and files associated with that

81
00:05:41,520 --> 00:05:42,600
process too.
82
00:05:42,600 --> 00:05:51,420
And yeah, so to identify the open handles for process IDs, for example, our process ID in this case

83
00:05:51,420 --> 00:05:59,280
228, and now we're going to use this process ID. Okay.

84
00:06:00,120 --> 00:06:02,460
First use this process here.

85
00:06:03,830 --> 00:06:05,920
As you can see here, the, uh.

86
00:06:06,200 --> 00:06:12,110
But in this case we are just going to delete the dlllist plugin because we are not going to use it

87
00:06:12,110 --> 00:06:12,890
anymore.

88
00:06:13,100 --> 00:06:17,720
And here, 228 and.

89
00:06:18,860 --> 00:06:22,310
The process here and use the handles.

90
00:06:23,840 --> 00:06:24,320
Plugin.

91
00:06:24,320 --> 00:06:26,930
And as you can see, we got this output here.

92
00:06:27,020 --> 00:06:38,660
So the command here produces the port here, the thread, file and directory and other information here.

93
00:06:38,660 --> 00:06:47,060
So as this output indicates, the suspect process has several open handles, processes, threads and registry

94
00:06:47,060 --> 00:06:47,690
keys.

95
00:06:48,050 --> 00:06:55,610
So these may become important data points moving forward and give some indication of the behavior of

96
00:06:55,610 --> 00:06:58,790
the reader_sl executable here.

97
00:07:00,620 --> 00:07:05,210
So I want to mention another plugin here named ldrmodules.

98
00:07:05,210 --> 00:07:11,090
So a common practice with malware code is to somehow hide the activities of the malware.

99
00:07:11,120 --> 00:07:17,540
So one technique is to attempt to hide the DLL files associated with the malicious code, so this can

100
00:07:17,540 --> 00:07:25,340
be accomplished by unlinking the suspect from the Process Environment Block, named PEB.

101
00:07:25,610 --> 00:07:31,280
So while this may provide some obfuscation on the surface, there is still trace evidence of the

102
00:07:31,640 --> 00:07:35,930
existence contained within the Virtual Address Descriptor.
103
00:07:36,500 --> 00:07:43,430
So the VAD is a mechanism that identifies a DLL file's base address and full path.

104
00:07:43,430 --> 00:07:47,660
So the ldrmodules

105
00:07:48,480 --> 00:07:56,130
plugin compares the list of the processes and determines if they are in the PEB, named Process Environment

106
00:07:56,130 --> 00:08:03,180
Block. And so now let's run the ldrmodules plugin here.

107
00:08:03,870 --> 00:08:08,670
And as you can see here, this is the output we get when using this command.

108
00:08:08,670 --> 00:08:15,030
So a review of this, the output, reveals some entry.

109
00:08:15,980 --> 00:08:22,550
Uh, in the reader, reader_sl.exe file named here.

110
00:08:24,440 --> 00:08:25,300
Actually, it's.

111
00:08:25,310 --> 00:08:25,820
Yeah.

112
00:08:26,240 --> 00:08:27,800
Decrease the size a little bit.

113
00:08:32,920 --> 00:08:43,720
And here, as you can see here from this output, this reader_sl.exe process does appear to have an

114
00:08:43,720 --> 00:08:46,570
issue associated with the file.

115
00:08:46,690 --> 00:08:54,100
So this indicator, the indicator that the process is suspect, is the False here, InInit is False,

116
00:08:54,100 --> 00:08:55,030
as you can see here.

117
00:08:55,030 --> 00:09:01,300
But there is nothing false, another nothing and another code here.

118
00:09:01,300 --> 00:09:07,240
So as you can see, this is suspicious, this is suspicious that the other file is tampered with here.

119
00:09:07,240 --> 00:09:16,420
So this indicates that the executable, the executable has delinked the files and the, the reader_sl.exe

120
00:09:16,420 --> 00:09:20,140
file warrants further investigation.

121
00:09:32,380 --> 00:09:36,910
And we're going to copy this, so I'm going to share it with you.

122
00:09:38,070 --> 00:09:38,490
And.

123
00:09:38,490 --> 00:09:41,580
Yeah, place it under this command.

124
00:09:42,720 --> 00:09:45,090
Okay, the command is shown here.
125
00:09:45,120 --> 00:09:49,800
So now I'm going to, I want to mention the.

126
00:09:50,710 --> 00:09:52,000
exe process.

127
00:09:52,570 --> 00:09:55,880
So -p is equal.

128
00:09:55,900 --> 00:10:01,720
And as you remember in previous lectures, we did some examples of it, but it's just a demonstration

129
00:10:01,720 --> 00:10:05,050
of how this command runs and how to use it.

130
00:10:05,050 --> 00:10:11,470
But in this lecture, like as you can see here, we are like investigating the reader_sl.exe, that exe

131
00:10:11,470 --> 00:10:11,830
file.

132
00:10:11,830 --> 00:10:16,570
And this is a suspicious file as we, as we've seen.

133
00:10:16,570 --> 00:10:23,080
So we're going to investigate and analyze this executable file.

134
00:10:23,530 --> 00:10:28,270
Actually, it's run, as you, as you remember, this is this virtual memory file.

135
00:10:28,270 --> 00:10:29,560
This is another storage file.

136
00:10:29,560 --> 00:10:35,080
This is actually the memory file here that was captured from the random access memory.

137
00:10:36,240 --> 00:10:36,840
So.

138
00:10:37,560 --> 00:10:39,060
And here.

139
00:10:45,220 --> 00:10:46,300
We're going to use the.

140
00:10:48,560 --> 00:10:49,360
psxview.

141
00:10:49,420 --> 00:10:50,810
View, psxview.

142
00:10:50,810 --> 00:10:53,080
The psxview plugin here.

143
00:10:53,090 --> 00:11:01,150
So this is another good plugin that aids in discovering hidden processes, the psxview here.

144
00:11:01,160 --> 00:11:10,820
So this plugin compares the active processes indicated in the active process head with any other possible

145
00:11:10,820 --> 00:11:12,200
sources within the memory image.

146
00:11:12,200 --> 00:11:16,610
So to run this plugin, you just, you can just.

147
00:11:18,870 --> 00:11:22,650
Delete the process here because we are not using it on this process.

148
00:11:22,650 --> 00:11:28,680
We're going to scan all of this and use the psxview.

149
00:11:32,870 --> 00:11:34,610
And I'm going to copy this also.
150
00:11:34,610 --> 00:11:38,240
To share it with you in the lecture attachment.

151
00:11:40,970 --> 00:11:41,490
Here.

152
00:11:47,800 --> 00:11:50,020
So this is the output.

153
00:11:50,050 --> 00:11:52,670
I actually copied the wrong one here.

154
00:11:52,690 --> 00:11:55,300
Actually, they are the same, but I accidentally.

155
00:11:55,600 --> 00:11:56,580
Yeah, yeah, yeah.

156
00:11:56,590 --> 00:11:56,950
No, they.

157
00:11:56,950 --> 00:11:58,210
They are not the same here.

158
00:11:59,470 --> 00:12:00,340
But I have copied.

159
00:12:00,370 --> 00:12:01,240
They are the same.

160
00:12:01,240 --> 00:12:02,080
Was the same.

161
00:12:02,080 --> 00:12:02,680
So.

162
00:12:04,520 --> 00:12:05,780
The output is like that.

163
00:12:06,760 --> 00:12:10,330
This is, this is the output we got from the plugin.

164
00:12:10,330 --> 00:12:17,080
So a False within the column indicates that the process is not found in that area.

165
00:12:18,350 --> 00:12:23,450
And yeah, this is, as you can see, there is a False here.

166
00:12:24,260 --> 00:12:30,920
So, and this allows, this plugin allows us to actually... Yeah, yeah.

167
00:12:31,010 --> 00:12:38,270
This, this plugin allows us to review that list and determine whether there is a legitimate reason that

168
00:12:38,270 --> 00:12:44,470
the process may not be there or if it is indicative of an attempt to hide the process.

169
00:12:44,480 --> 00:12:47,900
So as you remember in previous lectures the.

170
00:12:49,670 --> 00:12:50,140
Previous.

171
00:12:50,750 --> 00:12:59,420
In previous code here, we used the reader_sl and we suspected that because when we scanned it, it does

172
00:12:59,420 --> 00:13:02,690
actually come out pretty suspicious.

173
00:13:04,130 --> 00:13:05,240
Output here and.

174
00:13:05,240 --> 00:13:07,820
Yeah, let's, let's... Yeah.

175
00:13:07,820 --> 00:13:10,520
This was the second command we used.

176
00:13:12,480 --> 00:13:14,430
And as you can see here.
177
00:13:17,340 --> 00:13:19,830
There is the suspicious file here.

178
00:13:24,080 --> 00:13:33,170
And, while, and by suspicious I meant that the DLL file is delinked from this.

179
00:13:33,350 --> 00:13:35,720
But is that an.

180
00:13:36,720 --> 00:13:37,440
Like.

181
00:13:39,890 --> 00:13:41,180
As you can see here.

182
00:13:42,180 --> 00:13:43,620
It wasn't an accident.

183
00:13:43,650 --> 00:13:46,100
It wasn't the system that did it.

184
00:13:46,110 --> 00:13:54,660
It's just an executable malware code that did hide, the hidden, the DLL file somewhere in

185
00:13:54,660 --> 00:13:55,320
the system.

186
00:13:55,320 --> 00:13:56,130
So.

187
00:13:56,870 --> 00:13:58,610
This is actually pretty suspicious here.

188
00:13:58,910 --> 00:14:03,860
And we also, here, this was the last code here.

189
00:14:03,890 --> 00:14:11,600
In the next lecture, we're going to go in more depth about the Volatility network and Volatility network

190
00:14:11,600 --> 00:14:12,470
analysis.

191
00:14:12,920 --> 00:14:17,840
And as you remember in the previous lecture, we did some network plugins.

192
00:14:17,940 --> 00:14:20,810
We used some networking plugins in Volatility.

193
00:14:20,810 --> 00:14:29,900
But in the next lecture we specially will analyze the networking plugins with this, the suspicious executable

194
00:14:29,900 --> 00:14:31,220
or running file here.

195
00:14:31,220 --> 00:14:33,050
So I'm waiting for you in the next lecture.