Enumerating Disk Artifacts in Memory
In my earlier article, I have listed out ways how to enumerate different structures like page tables, processes, VAD, PEB, etc. (For more information on these check out these articles). In this article let's take a look at the how to enumerate various disk artifacts like MFT in memory using Volatility's plugin. Before starting I would like to make it clear that we might not see complete information in memory for particular disk artifacts since there is a greater chance that some information is paged out.
Master File Table
Windows has a special file known as Master File Table (MFT) which is an index to all the files located on the system. All the entries in the MFT file are 1024 bytes long and contain metadata and other attributes about a file like $STANDARD_INFOMRATION, $DATA, etc. Most of this data is usually found in the single line of record and is called resident data but mostly since data in files are long enough to be not able to fit in memory, so they have to reside outside the record and are called non-resident. Note that if data is small enough to be accompanied in the 1024 bytes long record, then the data will also be resident. We can use Volatility's MFT parser plugin to extract MFT entries from memory. This plugin will extract important attributes such as $FILE_NAME, $STANDARD_INFORMATION, $DATA.
FREE role-guided training plans
Below is a screenshot for MFT parser in action
As you can see, it parses $FILE_NAME, $STANDARD_INFORMATION, $DATA. Also, it can also find the Alternative Data Streams (ADS). If we have to dump the $DATA into a raw file, we can do it with this plugin itself by using the –D switch.
This output of MFT parser can also be done in body format which can be further parsed using mactime utility. We can use the MFT parser plugin output to look out for other things using simple grep like looking for prefetch files(.pf). Below we can see that cmd.exe prefetch file got created on the system.
Sometimes it happens that when the data is small, it gets stored in the MFT itself. In that case, make sure to run the MFT parser plugin in the verbose mode. That will help to extract the data stored within MFT itself. Another great use of MFT parser is to find the ADS (Alternate data Stream) content. ADS is often used by attackers to hide malicious files in the system because these hidden cannot normally be enumerated by the scan. Volatility plugin MFT parser can be used to extract these hidden files. Also, MFT parser output can be used to determine the user execution of several documents. It can be detected with the presence of various LNK files which will not only show that the file existed on the system but also user interacted with by double clicking it.
Volatility's dump file and file scan
So far we have seen that the MFT parser plugin is good in enumerating the metadata about the file like MFT record number, the path of the file and even contents in $DATA attribute (if the data is less than 700 bytes). But what about larger files, how to view their contents (even partially) from memory? We can use Volatility's dump files plugin. Dump files will extract exe's, DLLs, registry hives, PDF and even office document.
Volatility's dump file plugin works by enumerating handle table and VAD for FILE_Objects. Each FILE_Object contain following section pointers:
- DataSectionObject: Pointes to memory mapped files
- SharedCacheMap: Points to file cached by Windows Cache Manager. Windows cache manager works with Windows memory manager. Memory manager controls which part of the file will be in memory and cache manager uses that information to cache data within virtual address control blocks.
- ImageSectionObject: Points to memory mapped binaries.
Below is an example of dump files plugin in action:
Here I have used dump file plugin following switches:
-r: It is a regular expression. Looking for *.exe in this example
-n: It says to reference the original file name in the output.
As stated earlier, since dump files work by querying handles or BAD tree, there are still some important areas that this plugin misses like $MFT which is not in VAD. We can use file scan to enumerate FILE objects within memory.
Below is an example of file scan in action.
If we have some file of interest that we want to investigate, then we can use the offset provided by file scan as a parameter wit –Q to dump that file/executable.
What should you learn next?
Therefore, we have seen that how various disk artifacts can be recovered from memory which can be used to set the context on the investigation.
In this Series
- Enumerating Disk Artifacts in Memory
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness