1 00:00:01,900 --> 00:00:02,200 Hello. 2 00:00:02,200 --> 00:00:08,380 In this lecture we're going to download the Volatility test images to use for memory forensics or 3 00:00:08,380 --> 00:00:09,430 other purposes. 4 00:00:09,430 --> 00:00:15,490 So in order to download it, you're going to visit the Volatility Foundation 5 00:00:15,490 --> 00:00:18,280 official GitHub website. 6 00:00:18,280 --> 00:00:26,500 And here with this link, I'm going to share this link with you in the lecture's attachment section. 7 00:00:26,500 --> 00:00:29,620 So you can click on this or you can just type it. 8 00:00:29,620 --> 00:00:31,120 So it's a short link here. 9 00:00:31,120 --> 00:00:39,910 So there are our test images, the public test image samples provided for testing purposes. 10 00:00:39,910 --> 00:00:49,510 So here we have a macOS image, Windows XP x86 and 2003 SP0 (Service Pack 0), and we have the Cridex 11 00:00:49,540 --> 00:00:55,960 malware, Shylock malware, R2D2 malware, Windows 7. 12 00:00:56,200 --> 00:00:57,820 We have nice ones here. 13 00:00:58,800 --> 00:00:59,400 Inside it 14 00:00:59,400 --> 00:01:00,660 we have five samples. 15 00:01:00,660 --> 00:01:04,800 But in this case today, we are not going to download those for now. 16 00:01:04,800 --> 00:01:11,130 So actually you can get more information and more test images from this official website here. 17 00:01:11,130 --> 00:01:17,370 You can also get new datasets, popular datasets and sources like that. 18 00:01:17,370 --> 00:01:26,300 But in this lecture, we're going to use the Windows XP image named Windows XP Malware - R2D2. 19 00:01:26,340 --> 00:01:27,630 Let's actually... 20 00:01:27,630 --> 00:01:28,110 Okay. 21 00:01:28,110 --> 00:01:40,020 So R2D2, and it's taken from an infected Windows XP operating system, Windows XP Service Pack 2, 32-bit here. 22 00:01:40,500 --> 00:01:44,790 And the password, as said here, is "infected".
23 00:01:44,790 --> 00:01:45,960 So click on that. 24 00:01:45,960 --> 00:01:53,400 It's just one click and you're going to be redirected to MediaFire here, and click on download. 25 00:01:54,490 --> 00:01:56,080 Now click on Save File. 26 00:01:56,840 --> 00:02:02,930 Yes, since I have already downloaded it, the file name got a (1) added, because I previously downloaded this 27 00:02:03,050 --> 00:02:04,670 for testing purposes. 28 00:02:06,060 --> 00:02:06,600 Here. 29 00:02:08,460 --> 00:02:09,420 Open here. 30 00:02:09,420 --> 00:02:11,400 And yeah, let's extract this. 31 00:02:11,400 --> 00:02:17,430 As you know, this one has the password, which is "infected". 32 00:02:17,610 --> 00:02:18,750 This is the password here. 33 00:02:18,750 --> 00:02:24,120 And as you can see, this is 268.4 MB. 34 00:02:24,150 --> 00:02:26,220 You can extract this like that 35 00:02:27,260 --> 00:02:29,000 to the desktop here. 36 00:02:30,640 --> 00:02:38,410 Or you can also extract this image by using the unrar tool in the terminal here. 37 00:02:50,800 --> 00:02:54,400 0zapftis here. 38 00:02:59,680 --> 00:03:00,370 Okay. 39 00:03:01,030 --> 00:03:02,150 To move. 40 00:03:02,170 --> 00:03:05,170 To move this to home. 41 00:03:07,220 --> 00:03:10,490 mv, /home/kali/Desktop. 42 00:03:13,580 --> 00:03:22,880 And, yeah, now we're going to cd to /home/kali/Desktop, and as you can see here, there is a, 43 00:03:23,570 --> 00:03:30,530 uh, there is, this is our file here that we moved to this directory, and now we're going 44 00:03:30,530 --> 00:03:39,440 to unrar it, so we can see, you can also see the list, the contents of the 0zapftis archive here. 45 00:03:39,830 --> 00:03:43,640 Let's, here, let's actually move this. 46 00:03:43,640 --> 00:03:44,420 So. 47 00:03:46,150 --> 00:03:46,720 Okay. 48 00:03:46,720 --> 00:03:47,400 Yeah. 49 00:03:47,410 --> 00:03:48,570 We remove this and... 50 00:03:49,270 --> 00:03:49,780 Oops.
51 00:03:49,870 --> 00:03:59,760 Okay, so you can also list the files inside the RAR package here with the l command, unrar l and 52 00:03:59,770 --> 00:04:01,630 0zapftis here. 53 00:04:03,100 --> 00:04:03,850 Enter. 54 00:04:03,850 --> 00:04:09,670 And as you can see, this asks us for a password; enter "infected". 55 00:04:10,180 --> 00:04:17,050 And yes, you can see that we have one file, the size of this file, the date it was created and the time. 56 00:04:17,230 --> 00:04:20,390 So now we're going to unrar it here. 57 00:04:20,410 --> 00:04:22,690 Let's see what files we have. 58 00:04:22,990 --> 00:04:28,900 We have just a folder, volatility, which our Volatility framework is installed in, and we have 59 00:04:28,900 --> 00:04:33,970 the RAR file which we're going to extract files from; by files 60 00:04:33,970 --> 00:04:38,050 I mean the virtual memory file. 61 00:04:38,050 --> 00:04:40,420 So let's use unrar. 62 00:04:41,420 --> 00:04:46,910 Here, unrar e, e here. 63 00:04:46,940 --> 00:04:53,340 Now enter 0zapftis here and enter your password, "infected". 64 00:04:54,080 --> 00:04:55,820 "infected". 65 00:04:57,740 --> 00:04:59,840 As you can see, it is extracted. 66 00:04:59,840 --> 00:05:03,820 And as you can see, the virtual memory file is here. 67 00:05:03,830 --> 00:05:13,550 So once the memory file 0zapftis has been extracted to the desktop or the location of your preference, 68 00:05:13,910 --> 00:05:18,980 we can now use the Volatility framework to analyze the dump. 69 00:05:18,980 --> 00:05:25,610 So while we are within the desktop directory, we can still insert... 70 00:05:26,120 --> 00:05:33,530 As you can see, we installed the stable version of Volatility in our previous lectures. 71 00:05:33,680 --> 00:05:38,660 So now we can just list the commands from the previous lectures. 72 00:05:38,660 --> 00:05:44,150 So let's see what's inside our volatility folder.
73 00:05:44,150 --> 00:05:53,900 As you can see, there's the Volatility 2.5 Linux standalone; cd volatility, and there are our files 74 00:05:54,080 --> 00:05:54,890 here. 75 00:05:55,970 --> 00:05:58,520 So now I'm going to move... 76 00:06:00,550 --> 00:06:01,970 Move this 0zapftis, 77 00:06:01,990 --> 00:06:12,220 this memory, to our volatility folder, inside which our Volatility lives, and create a new folder in 78 00:06:12,220 --> 00:06:12,700 it. 79 00:06:12,820 --> 00:06:14,800 And so 80 00:06:15,810 --> 00:06:24,930 now we will not have to type the directory path every time to show the program where our virtual memory file 81 00:06:24,930 --> 00:06:25,200 is. 82 00:06:25,200 --> 00:06:29,220 So let's move it on. 83 00:06:29,850 --> 00:06:36,900 mv /home/kali/Desktop/0zapftis.vmem to /home/ 84 00:06:37,880 --> 00:06:38,270 kali 85 00:06:39,330 --> 00:06:39,660 kali 86 00:06:40,720 --> 00:06:41,680 Desktop 87 00:06:42,040 --> 00:06:43,090 Desktop 88 00:06:44,130 --> 00:06:44,440 Um. 89 00:06:44,460 --> 00:06:45,040 Here. 90 00:06:45,100 --> 00:06:46,080 volatility 91 00:06:46,380 --> 00:06:47,790 volatility 92 00:06:49,100 --> 00:06:49,730 And. 93 00:06:49,730 --> 00:06:50,330 Yeah. 94 00:06:51,280 --> 00:06:56,110 As you can see here, we moved that 0zapftis memory to it. 95 00:06:56,110 --> 00:06:58,860 And now let's create a, make... 96 00:06:58,870 --> 00:07:06,780 Let's create a new directory with mkdir, and let's call it case 97 00:07:07,670 --> 00:07:09,880 case001. 98 00:07:10,180 --> 00:07:13,990 case001 here. 99 00:07:13,990 --> 00:07:21,850 And we created the new folder here, and let's move 0zapftis here to case001. 100 00:07:22,420 --> 00:07:26,920 case001, and yeah, so now. 101 00:07:28,170 --> 00:07:31,500 Now let's list the commands we can use with Volatility. 102 00:07:32,130 --> 00:07:35,700 Volatility, as you can see here, we need to 103 00:07:37,860 --> 00:07:38,310 write
104 00:07:38,310 --> 00:07:41,910 the tool path with these characters, 105 00:07:42,900 --> 00:07:48,030 and Volatility 64-bit and the help command. 106 00:07:49,560 --> 00:07:56,430 Here with this command, with this help command, uh, it shows a snippet of some of the many plugins 107 00:07:56,430 --> 00:07:58,600 within the Volatility framework. 108 00:07:58,620 --> 00:08:06,300 Here, actually, the Volatility framework is a very rich and popular framework in the digital forensics 109 00:08:06,300 --> 00:08:07,170 community. 110 00:08:07,200 --> 00:08:15,150 That's why it's actually come a pretty long way, and it's very usable if you know how to use 111 00:08:15,180 --> 00:08:16,200 Volatility here. 112 00:08:16,230 --> 00:08:23,190 So I'm going to decrease the font size a little bit so we can see every description of these tools. 113 00:08:23,340 --> 00:08:32,430 Here we also have, as you can see here, shellbags scan, but we can also print the process list as 114 00:08:32,430 --> 00:08:33,090 a tree. 115 00:08:33,240 --> 00:08:36,880 We're going to do more examples with this later here. 116 00:08:36,900 --> 00:08:43,170 Don't worry, we will use almost all of these, uh, all of these plugins here. 117 00:08:43,350 --> 00:08:47,110 Here we can also import our own plugins into Volatility. 118 00:08:47,130 --> 00:08:51,340 Here we can also print a list of loaded DLLs for each process. 119 00:08:51,370 --> 00:08:54,400 So this is a pretty good tool for a digital forensics 120 00:08:54,400 --> 00:09:01,930 examiner. So the list comes in handy when performing analysis, as each plugin comes with its own short 121 00:09:01,930 --> 00:09:03,400 description, as you can see here. 122 00:09:03,400 --> 00:09:10,690 So now we're going to use the imageinfo plugin here, imageinfo here; we're going to identify 123 00:09:10,690 --> 00:09:12,880 information for the image.
124 00:09:12,880 --> 00:09:20,320 So for the format of a plugin call in Volatility, we're going to use volatility first here. 125 00:09:21,870 --> 00:09:27,300 Now we're going to use -f to specify the file name, actually, in Volatility. 126 00:09:27,750 --> 00:09:30,150 I want to show you how this is done. 127 00:09:30,150 --> 00:09:32,760 So there are parameters. 128 00:09:32,760 --> 00:09:33,570 You can use them. 129 00:09:33,570 --> 00:09:34,770 This is the help. 130 00:09:34,800 --> 00:09:37,440 This is the debug, volatility. 131 00:09:37,710 --> 00:09:48,300 This is the file name. We can also use it with just a short -f here, lowercase f, or with two minus 132 00:09:48,480 --> 00:09:52,920 characters here and then filename equals, and enter your file name here. 133 00:09:52,950 --> 00:09:57,420 You can also specify the profile and other parameters here. 134 00:09:58,670 --> 00:10:07,130 So now let's go down and yeah, let's use our file name, as you remember we moved 135 00:10:08,180 --> 00:10:10,550 our virtual memory file to this folder, 136 00:10:10,910 --> 00:10:12,820 case001. 137 00:10:12,830 --> 00:10:18,350 Here we've specified the file name and now we're going to use the plugin here, 138 00:10:19,460 --> 00:10:21,320 imageinfo. 139 00:10:21,320 --> 00:10:27,130 So I want to mention that after the plugin you can also use the options, blah blah blah here. 140 00:10:27,140 --> 00:10:29,120 So you can also choose options here. 141 00:10:29,120 --> 00:10:34,520 But in this case I'm not going to choose any options, because I want to just show the imageinfo 142 00:10:34,520 --> 00:10:41,450 of our virtual memory file here. It's determining the profile based on KDBG search. 143 00:10:43,500 --> 00:10:43,890 Here. 144 00:10:43,890 --> 00:10:45,060 It's a good practice. 145 00:10:45,060 --> 00:10:46,200 As you can see here,
146 00:10:46,640 --> 00:10:56,490 we output and printed all of the information contained in our virtual memory 147 00:10:56,490 --> 00:10:56,970 file. 148 00:10:56,970 --> 00:11:03,990 So it's good practice to have the Volatility help commands open in a second terminal for easy access 149 00:11:03,990 --> 00:11:08,310 to the commands without having to constantly scroll up and down here. 150 00:11:08,310 --> 00:11:10,710 So we need to choose a profile. 151 00:11:10,710 --> 00:11:17,640 As you can see, by the profile I mean the operating system version to work with in Volatility. 152 00:11:17,640 --> 00:11:20,040 So now we're going to choose the profile here. 153 00:11:20,040 --> 00:11:26,130 As you can see here, the suggested profiles are listed here: Windows XP Service Pack 2 and Windows 154 00:11:26,130 --> 00:11:28,770 XP Service Pack 3. 155 00:11:29,130 --> 00:11:36,080 And as you can see here, both of them are x86 here, architecture 32, which means 32-bit here. 156 00:11:36,090 --> 00:11:42,620 So what is the suggested profile, or a profile, in Volatility? 157 00:11:42,630 --> 00:11:46,710 So all operating systems store information in RAM. 158 00:11:46,710 --> 00:11:52,950 However, it may be situated in different locations within memory according to the operating system 159 00:11:52,950 --> 00:11:53,670 being used. 160 00:11:53,670 --> 00:12:01,890 So in Volatility, we must choose a profile that best identifies the type of operating system and service 161 00:12:01,890 --> 00:12:09,030 pack, which helps Volatility in identifying the locations that store artifacts and useful information. 162 00:12:09,030 --> 00:12:17,490 So choosing a profile is relatively simple, as Volatility does all the work for us using the imageinfo plugin.
163 00:12:17,490 --> 00:12:23,880 So as you can see, we just mentioned the file path and then mentioned the plugin, and it showed us the image 164 00:12:23,880 --> 00:12:29,180 info here: number of processors, image type, etc. 165 00:12:29,190 --> 00:12:30,720 So now we're going to... 166 00:12:32,250 --> 00:12:37,350 And here we inspected the imageinfo, so we know what we are working on. 167 00:12:37,680 --> 00:12:41,730 This is the memory file of Windows XP Service Pack 2. 168 00:12:41,790 --> 00:12:42,900 So. 169 00:12:44,730 --> 00:12:50,870 So here we're going to identify the processes and do the analysis. 170 00:12:50,880 --> 00:12:59,880 So to identify and link the processes, their IDs, time started and offset location within the memory, 171 00:13:00,960 --> 00:13:06,540 within the memory image, we will be using four plugins to get us started. 172 00:13:06,630 --> 00:13:10,110 This is the pslist here, 173 00:13:10,140 --> 00:13:11,370 pslist, 174 00:13:12,890 --> 00:13:14,030 pstree, 175 00:13:14,970 --> 00:13:18,690 psscan and psxview 176 00:13:19,500 --> 00:13:20,370 here. 177 00:13:23,530 --> 00:13:24,790 In the next lectures, 178 00:13:24,970 --> 00:13:30,550 actually, I will make four separate lectures for these plugins. 179 00:13:30,700 --> 00:13:33,910 So these are the main plugins to use here. 180 00:13:33,910 --> 00:13:38,440 So in the next lecture you will learn about pslist; in this lecture, 181 00:13:38,470 --> 00:13:39,430 the next lecture here. 182 00:13:39,430 --> 00:13:41,170 So I'm waiting for you in the next lecture.
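Added example (not part of the lecture, and not Volatility's own code): the profile-selection step the lecturer does by eye, plus the four process-plugin commands the lecture names, written as a small Python wrapper around the Volatility 2 command line. The binary path `./volatility_2.5_linux_x64` and the image path `case001/0zapftis.vmem` are assumptions matching the lecture's layout; the `SAMPLE_IMAGEINFO` text is a constructed sample shaped like `imageinfo` output (its hex values are placeholders, not measurements from the real dump). Because `imageinfo` suggests both WinXPSP2x86 and WinXPSP3x86 for this kind of image, the wrapper uses the `Image Type (Service Pack)` line to choose between them, and it hashes the dump first so the evidence can later be shown unchanged.

```python
"""Profile selection and process-plugin commands for Volatility 2.

Added example, not from the lecture. Binary and image paths are assumptions.
"""
from __future__ import annotations

import hashlib
import re
import subprocess
import sys

# Assumed: the standalone 2.5 binary sits in the current directory, as in the lecture.
VOLATILITY_BIN = "./volatility_2.5_linux_x64"
# The four plugins the lecture names, in the lecture's order.
PROCESS_PLUGINS = ("pslist", "pstree", "psscan", "psxview")

# Constructed sample shaped like Volatility 2 imageinfo output for an XP SP2
# image. Hex values are placeholders, not measurements from 0zapftis.vmem.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/kali/Desktop/volatility/case001/0zapftis.vmem)
                      PAE type : PAE
                           DTB : 0x319000L
                          KDBG : 0x80544ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 2
           Image date and time : 2011-10-10 17:06:54 UTC+0000
"""


def parse_imageinfo(text: str) -> dict:
    """Turn the 'key : value' lines of imageinfo into a dict.

    Only the first colon splits key from value, so timestamps and paths that
    contain colons survive. Adds a 'profiles' list with the
    '(Instantiated with ...)' note stripped off.
    """
    info: dict = {}
    for line in text.splitlines():
        if line.startswith(("Volatility", "INFO", "WARNING")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    raw = str(info.get("Suggested Profile(s)", ""))
    raw = re.sub(r"\s*\(Instantiated with [^)]*\)", "", raw)
    info["profiles"] = [p.strip() for p in raw.split(",") if p.strip()]
    return info


def pick_profile(info: dict) -> str:
    """Prefer the suggested profile whose SPn matches 'Image Type (Service Pack)'.

    Falls back to the first suggestion; raises if imageinfo suggested nothing,
    which usually means the KDBG search failed on this dump.
    """
    profiles = info.get("profiles") or []
    if not profiles:
        raise ValueError("imageinfo suggested no profile; KDBG search failed")
    sp = str(info.get("Image Type (Service Pack)", "")).strip()
    for profile in profiles:
        if sp and f"SP{sp}" in profile:
            return profile
    return profiles[0]


def build_commands(image: str, profile: str) -> list:
    """argv lists for the four process plugins, ready for subprocess.run."""
    return [[VOLATILITY_BIN, "-f", image, f"--profile={profile}", plugin]
            for plugin in PROCESS_PLUGINS]


def sha256_file(path: str) -> str:
    """Hash the dump before analysis so its integrity can be re-verified later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def main(image: str) -> None:
    print("sha256", sha256_file(image))
    out = subprocess.run([VOLATILITY_BIN, "-f", image, "imageinfo"],
                         capture_output=True, text=True, check=True).stdout
    profile = pick_profile(parse_imageinfo(out))
    print("profile", profile)
    for cmd in build_commands(image, profile):
        print("+", " ".join(cmd))
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "case001/0zapftis.vmem")
```

Run it from the folder that holds the standalone binary, as the lecture does: `python3 volprofile.py case001/0zapftis.vmem`. Record the printed SHA-256 in the case notes; if a later hash of the same file differs, the dump was altered and every finding from it needs re-examination.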