1
00:00:01,450 --> 00:00:04,120
DLL analysis.

2
00:00:04,150 --> 00:00:13,390
Dynamic link libraries are specific to Microsoft and contain code that can be used by multiple programs

3
00:00:13,390 --> 00:00:14,710
simultaneously.

4
00:00:15,190 --> 00:00:23,020
Inspection of a process's running DLLs and the version information of files and products may assist

5
00:00:23,020 --> 00:00:31,120
in correlating processes, so processes and information should be analyzed as they relate to the user

6
00:00:31,120 --> 00:00:31,530
account.

7
00:00:31,540 --> 00:00:38,500
So for this task there are three plugins mainly used. There are actually more than three plugins in

8
00:00:38,500 --> 00:00:43,420
Volatility, but these are the mainly used plugins for DLL analysis here.

9
00:00:43,450 --> 00:00:52,000
The first is verinfo. Here: verinfo, dlllist and getsids here.

10
00:00:52,030 --> 00:00:58,270
So in this lecture we're going to start with the verinfo here, the verinfo

11
00:00:58,270 --> 00:00:59,130
plugin.

12
00:00:59,140 --> 00:01:08,570
So this command lists the version information (verinfo) about portable executable files, PE files.

13
00:01:08,570 --> 00:01:14,480
So the output of this file is usually quite lengthy and so can be run in a separate terminal should the

14
00:01:14,480 --> 00:01:21,320
investigator not wish to continue to scroll through the current terminal to retrieve the past plugin

15
00:01:21,320 --> 00:01:23,390
command list and outputs.

16
00:01:23,390 --> 00:01:30,470
So the verinfo is actually pretty rich, has pretty rich output and contains lots of information.

17
00:01:30,470 --> 00:01:30,980
Here.

18
00:01:31,100 --> 00:01:35,630
verinfo, and click on enter, and yeah, the.

19
00:01:35,690 --> 00:01:35,860
Yeah.

20
00:01:35,870 --> 00:01:42,770
Don't worry, we're going to copy this here and put it into the text editor here so we can

21
00:01:42,860 --> 00:01:45,620
analyze it more easily.
22
00:01:59,430 --> 00:02:00,000
Yeah.

23
00:02:12,520 --> 00:02:20,710
As you can see, Volatility just consumed 25% of CPU here.

24
00:02:21,530 --> 00:02:23,660
And yeah, this is our output.

25
00:02:23,690 --> 00:02:24,660
Now we're going to.

26
00:02:27,050 --> 00:02:27,500
Here.

27
00:02:34,610 --> 00:02:34,850
H.

28
00:02:35,000 --> 00:02:35,660
I'm sorry.

29
00:02:35,870 --> 00:02:36,580
I can just.

30
00:02:36,590 --> 00:02:37,910
Oh, no, we can't, can we?

31
00:02:37,930 --> 00:02:38,690
Can we use.

32
00:02:38,720 --> 00:02:39,290
Yeah.

33
00:02:39,290 --> 00:02:40,340
No, we can't.

34
00:02:44,960 --> 00:02:45,620
Yeah.

35
00:03:00,210 --> 00:03:04,200
And as you can see, there is an output that we can analyze here.

36
00:03:04,320 --> 00:03:05,730
So now I'm going to.

37
00:03:06,550 --> 00:03:08,230
Copy the selections.

38
00:03:10,500 --> 00:03:14,530
Oops, actions, file.

39
00:03:14,550 --> 00:03:18,000
Actually in Linux we have to use the copy.

40
00:03:19,600 --> 00:03:20,230
Here.

41
00:03:22,300 --> 00:03:24,400
Keyboard cursor, hide windows.

42
00:03:24,400 --> 00:03:25,090
Borders.

43
00:03:25,090 --> 00:03:25,780
Help.

44
00:03:31,180 --> 00:03:31,690
Here.

45
00:03:31,810 --> 00:03:39,400
No, actually, we don't have the option to copy all of these files.

46
00:03:41,820 --> 00:03:43,920
So now we're just gonna.

47
00:03:44,640 --> 00:03:50,100
We're just gonna scroll it until the file is done and we've got the information.

48
00:03:50,130 --> 00:03:57,810
Or we can just decrease the font size to, like, the smallest possible size.

49
00:03:58,230 --> 00:04:00,600
Yeah, this is the smallest here.

50
00:04:00,600 --> 00:04:01,890
And we can.

51
00:04:03,000 --> 00:04:06,510
And it will take less time to copy all of this here.

52
00:04:08,370 --> 00:04:08,850
Yeah.

53
00:04:14,790 --> 00:04:15,270
It will.

54
00:04:15,420 --> 00:04:15,750
Yeah.

55
00:04:16,020 --> 00:04:18,450
We are halfway through it.
56
00:04:23,570 --> 00:04:24,110
Yeah.

57
00:04:25,870 --> 00:04:27,130
Almost copied it.

58
00:04:27,130 --> 00:04:27,550
Yeah.

59
00:04:27,550 --> 00:04:34,120
And I will share these text files with you in the attachments section of our lecture.

60
00:04:34,210 --> 00:04:34,720
Yeah.

61
00:04:34,720 --> 00:04:36,730
Yeah, it's completely okay.

62
00:04:38,650 --> 00:04:39,580
And.

63
00:04:41,050 --> 00:04:41,530
Y.

64
00:04:42,020 --> 00:04:42,610
Y.

65
00:04:45,420 --> 00:04:45,810
What?

66
00:04:53,940 --> 00:04:54,300
Yeah.

67
00:04:54,300 --> 00:04:55,530
Now we're gonna.

68
00:04:56,910 --> 00:04:58,350
verinfo.

69
00:05:05,630 --> 00:05:06,530
Or, uh, we're gonna.

70
00:05:06,560 --> 00:05:07,640
We can also use the.

71
00:05:08,940 --> 00:05:11,190
Now we're going to firstly use the verinfo.

72
00:05:18,190 --> 00:05:23,320
I'm going to pause the video here, copy to the text file and analyze it further.

73
00:05:24,760 --> 00:05:31,030
And here in Linux I found I have to copy all of the files.

74
00:05:31,030 --> 00:05:32,680
So shift here.

75
00:05:36,060 --> 00:05:38,850
And you're gonna go all the way up.

76
00:05:40,640 --> 00:05:41,180
Here.

77
00:05:45,950 --> 00:05:54,500
And we're gonna zoom in and out with this control plus/minus button.

78
00:05:54,500 --> 00:05:59,330
And at the top, we're gonna choose it and go down.

79
00:06:05,760 --> 00:06:06,360
Here.

80
00:06:18,820 --> 00:06:19,390
Yeah.

81
00:06:19,930 --> 00:06:27,970
And we got all the information we need, and then paste it into the text file here.

82
00:06:30,020 --> 00:06:34,070
Now we have another plugin we're going to use.

83
00:06:34,100 --> 00:06:36,410
It's named the.

84
00:06:36,410 --> 00:06:41,540
Yeah, we can just zoom reset here and.

85
00:06:43,470 --> 00:06:44,820
Preferences.

86
00:06:45,480 --> 00:06:47,270
Fix the font size, or bigger.

87
00:06:47,280 --> 00:06:48,300
Let's make it bigger.
88
00:06:48,300 --> 00:06:49,770
The font size here.

89
00:06:51,410 --> 00:06:52,100
Yeah.

90
00:06:52,130 --> 00:06:53,960
14 is okay.

91
00:06:55,630 --> 00:06:56,230
Okay.

92
00:06:56,560 --> 00:06:57,970
Clear the terminal.

93
00:06:57,970 --> 00:07:06,220
We copied our output, and now we're going to use the Volatility plugin named dlllist.

94
00:07:08,730 --> 00:07:10,820
This is our dlllist here.

95
00:07:10,830 --> 00:07:15,810
It's actually not as big as the previous output.

96
00:07:16,020 --> 00:07:19,470
It just took like 2 or 3 minutes to copy it.

97
00:07:19,470 --> 00:07:22,530
But it's worth it because I'm going to share it with you.

98
00:07:24,580 --> 00:07:25,180
Okay.

99
00:07:26,120 --> 00:07:26,480
Also.

100
00:07:26,480 --> 00:07:27,380
Copy this.

101
00:07:29,290 --> 00:07:33,400
And what's the, yeah, dlllist?

102
00:07:34,310 --> 00:07:36,200
And paste it here.

103
00:07:38,310 --> 00:07:39,180
So.

104
00:07:40,500 --> 00:07:46,740
And this plugin lists all the running DLLs at the time in memory.

105
00:07:46,740 --> 00:07:52,860
So the DLLs are composed of code that can be used by multiple programs simultaneously.

106
00:07:52,860 --> 00:07:54,990
And yeah, this is the output.

107
00:07:54,990 --> 00:07:57,180
It shows all the DLLs.

108
00:07:58,250 --> 00:08:01,040
In Windows at the runtime here.

109
00:08:02,670 --> 00:08:07,620
We have another plugin named getsids here.

110
00:08:07,710 --> 00:08:11,730
getsids, SIDs.

111
00:08:13,260 --> 00:08:18,000
So these are security identifiers, SIDs.

112
00:08:18,630 --> 00:08:26,940
A getsids command has four very useful items in the order in which processes were started.

113
00:08:27,330 --> 00:08:29,430
Refer to list and PS3.

114
00:08:29,700 --> 00:08:36,060
So these results here, as you can see here, we have S.

115
00:08:37,510 --> 00:08:41,980
Now I'm going to explain one by one what this means.

116
00:08:42,070 --> 00:08:44,590
And yeah, this is not the getsids.
117
00:08:44,590 --> 00:08:46,720
Yeah, this is the getsids.

118
00:08:47,520 --> 00:08:48,240
Output here.

119
00:08:48,240 --> 00:08:50,100
Now, I'm going to also copy this.

120
00:08:51,140 --> 00:08:57,020
And so I have to share it with you guys, because some of you might struggle getting these

121
00:08:57,020 --> 00:08:57,800
codes here.

122
00:08:59,270 --> 00:09:04,460
But if you just downloaded the same image file, you will get the same results.

123
00:09:05,120 --> 00:09:14,420
So this is the output of this getsids, uh, security identifiers here.

124
00:09:14,930 --> 00:09:16,640
Security identifiers, SIDs.

125
00:09:17,390 --> 00:09:22,330
And yeah, this is the system, the process name.

126
00:09:22,340 --> 00:09:23,450
The first is the System.

127
00:09:23,450 --> 00:09:24,590
For example, this is the process.

128
00:09:24,590 --> 00:09:25,340
Name: winlogon.

129
00:09:25,340 --> 00:09:26,180
Process name.

130
00:09:27,130 --> 00:09:38,260
And after, as you can see here, these are the process IDs here: (500) 536-6346

131
00:09:38,260 --> 00:09:40,090
32688.

132
00:09:40,090 --> 00:09:47,530
And like that here, these are the process IDs, these are the process names, uh, as long here, and this is

133
00:09:47,530 --> 00:09:48,760
the interesting part here.

134
00:09:48,790 --> 00:09:53,800
These are the security identifiers, SIDs.

135
00:09:54,920 --> 00:10:00,320
And yeah, and here, this is the user who started it.

136
00:10:01,380 --> 00:10:04,470
Some of it user, some of it like service.

137
00:10:04,620 --> 00:10:05,370
Some of it.

138
00:10:05,400 --> 00:10:06,800
Administrator. Some of it.

139
00:10:06,810 --> 00:10:07,650
Everyone.

140
00:10:07,890 --> 00:10:10,740
So the last number here, this is the tip here.

141
00:10:10,740 --> 00:10:23,470
If the last number of the SID is in the range of 500, this indicates a user with administrator privileges.
142
00:10:23,490 --> 00:10:35,760
For example, here, S1, S1 32 545 is the administrator.

143
00:10:38,640 --> 00:10:39,600
Here, as you can see.

144
00:10:44,380 --> 00:10:51,490
And so far we have found some very interesting artifacts, including programs that were running and

145
00:10:51,490 --> 00:10:54,790
users who were logged onto the machine.

146
00:10:55,420 --> 00:11:00,370
Now, in the next lecture, we're going to perform the registry analysis.