Archive for October 2009

Prayer to Cron

Cron, I have never scripted you before.  I had no use for it.  No one, not even you will remember if your purpose was updates or backup, why we scripted or why you died.  No, all that matters is that you were working when I walked away, that’s what’s important.  Vim pleases you, Cron, so grant me one request, grant me Rsync! And if you do not ls, then to kill -9 with you!

Volatility and Memory forensics

My latest endeavor has been to figure out memory forensics using volatility or any other tool currently available.  We have a copy of Encase Forensics so I’m comparing and contrasting which is better.  It’s most likely that we will end up using both, but trying them out.  Currently the biggest problem I have noticed in the latest version of Volatility is that is does not meet current python standards.  It makes use of the sha module where sha has been replaced by the hashlib module.

So far the use of Volatility has not impressed me much.  Most of what I have encountered can be accomplished with Sysinternals tools.  There are a few things that I would find useful.  Sysinternals does rely on the internal libraries on a system that it is being run against, while Volatility will actually search the memory for items that are running.  This will give a forensic examiner the ability to check for hidden rootkits etc.. While I find this useful it appears to be ‘flaky’.  I’m planning on running some test comparisons with some Malware that is somewhat hidden within the system.  If I can compare what I see to what Volatility sees it may prove useful yet to make Volatility a standard in my forensic investigations.

Another interesting tool that I have found is PyFlag.  While this tool has not yet reached it’s 1.0 version it looks like it may be very useful.  Seeing as both these tools are written in Python I am more interested than some of the other tools that are currently available out there.

I prefer Python over other tools out there.  I have used multiple tools in Perl (there is a very good suite of tools available for Forensics as part of the book Windows Forensic Analysis Toolkit) and a handful of tools within the Ruby scripting language.

I’ll update this blog entry as I find research more information.  I have been working on my personal blog lately and neglecting the Archlinux blog.  I should be able to focus on both more frequently however.