Thursday, July 18, 2013

Ethscan: volatility memory forensics framework plugin for recovering Ethernet frames from memory.

For the The 1st Annual Volatility Framework Plugin Contest: today I turned in my first of (3) plugins called Ethscan.

Ethscan: volatility memory forensics framework plugin for recovering ethernet frames from memory.

Ethscan gives you the ability to scan any type of memory image (Windows, OSX, Linux - 32/64, Vmware Snapshot images .vmem, etc..) or raw file using volatility to extract valid or invalid Ethernet frames (depending on if you're using the Checksum option)

Some Options/features for Ethscan are (please see the README.txt file for all options):

IPv4 and IPv6 support!

Options:
  -R, --save-raw        Create binary files of each packet found in memory

5__131.107.115.254__47873__172.16.176.143__3332__TCP.bin
3__172.16.176.1__35566__172.16.176.255__35072__UDP.bin
1__172.16.176.1__35054__172.16.176.255__35072__UDP.bin
2__172.16.176.1__34030__172.16.176.255__35072__UDP.bin

  -C SAVE_PCAP, --save-pcap=SAVE_PCAP
                        Create a pcap file from recovered packets of given
                        name: "Example: -C out.pcap" (requires dpkt)

Every packet ethscan finds in memory can be written to a single pcap file using dpkt for further inspection under wireshark.  (Note: some recovered IPv6 packets will cause dpkt to except upon writing, I suggest using the -R option when using the pcap option).

  -P, --enable-proc     Enable Packet to Process Association: Windows Only
                        (SLOW)

This option will attempt to associate recovered packets with a Process name/PID (this currently works for valid windows memory images only):
Example:

ProcName: wuauclt.exe PID: 1732 Base Address: 0x15e000 End Address: 0x1000
Ethernet: Src: (00:50:56:f1:2d:82) Dst: (00:0c:29:a4:81:79)
Type: IPv4 (0x0800)
IPv4: Src: 131.107.115.254:47873 Dst: 172.16.176.143:3332
Protocol: TCP (6)
Packet Size: (54) Bytes
0x00000000 00 0c 29 a4 81 79 00 50 56 f1 2d 82 08 00 45 00 ..)..y.PV.-...E.
0x00000010 00 28 29 85 00 00 80 06 bd 41 83 6b 73 fe ac 10 .()......A.ks...
0x00000020 b0 8f 01 bb 04 0d 79 7e 45 77 d8 8d 3f 5e 50 10 ......y~Ew..?^P.
0x00000030 fa f0 84 30 00 00 ...0..


Using a memory image from the Volatility wiki here is a short example with no options.

https://code.google.com/p/volatility/wiki/SampleMemoryImages

Example:

$ python vol.py ethscan -f be2.vmem 
Volatile Systems Volatility Framework 2.2
Packets Found: 1
Ethernet:    Src: (00:50:56:c0:00:08)       Dst: (ff:ff:ff:ff:ff:ff)
Type:        IPv4 (0x0800)
IPv4:        Src: 172.16.176.1:35054       Dst: 172.16.176.255:35072
Protocol:    UDP (17)
Packet Size: (92) Bytes
0x00000000  ff ff ff ff ff ff 00 50 56 c0 00 08 08 00 45 00   .......PV.....E.
0x00000010  00 4e 77 fa 00 00 40 11 49 83 ac 10 b0 01 ac 10   .Nw...@.I.......
0x00000020  b0 ff ee 88 00 89 00 3a 72 c0 3b 07 01 10 00 01   .......:r.;.....
0x00000030  00 00 00 00 00 00 20 41 42 41 43 46 50 46 50 45   .......ABACFPFPE
0x00000040  4e 46 44 45 43 46 43 45 50 46 48 46 44 45 46 46   NFDECFCEPFHFDEFF
0x00000050  50 46 50 41 43 41 42 00 00 20 00 01               PFPACAB.....

Packets Found: 2
Ethernet:    Src: (00:50:56:c0:00:08)       Dst: (ff:ff:ff:ff:ff:ff)
Type:        IPv4 (0x0800)
IPv4:        Src: 172.16.176.1:34030       Dst: 172.16.176.255:35072
Protocol:    UDP (17)
Packet Size: (92) Bytes
0x00000000  ff ff ff ff ff ff 00 50 56 c0 00 08 08 00 45 00   .......PV.....E.
0x00000010  00 4e 9b e5 00 00 40 11 25 98 ac 10 b0 01 ac 10   .N....@.%.......
0x00000020  b0 ff ee 84 00 89 00 3a 79 33 34 98 01 10 00 01   .......:y34.....
0x00000030  00 00 00 00 00 00 20 41 42 41 43 46 50 46 50 45   .......ABACFPFPE
0x00000040  4e 46 44 45 43 46 43 45 50 46 48 46 44 45 46 46   NFDECFCEPFHFDEFF
0x00000050  50 46 50 41 43 41 42 00 00 20 00 01               PFPACAB.....

Packets Found: 3
Ethernet:    Src: (00:50:56:c0:00:08)       Dst: (ff:ff:ff:ff:ff:ff)
Type:        IPv4 (0x0800)
IPv4:        Src: 172.16.176.1:35566       Dst: 172.16.176.255:35072
Protocol:    UDP (17)
Packet Size: (92) Bytes
0x00000000  ff ff ff ff ff ff 00 50 56 c0 00 08 08 00 45 00   .......PV.....E.
0x00000010  00 4e b2 89 00 00 40 11 0e f4 ac 10 b0 01 ac 10   .N....@.........
0x00000020  b0 ff ee 8a 00 89 00 3a 65 8d 48 38 01 10 00 01   .......:e.H8....
0x00000030  00 00 00 00 00 00 20 41 42 41 43 46 50 46 50 45   .......ABACFPFPE
0x00000040  4e 46 44 45 43 46 43 45 50 46 48 46 44 45 46 46   NFDECFCEPFHFDEFF
0x00000050  50 46 50 41 43 41 42 00 00 20 00 01               PFPACAB.....

Packets Found: 4
Ethernet:    Src: (00:50:56:f1:2d:82)       Dst: (00:0c:29:a4:81:79)
Type:        IPv4 (0x0800)
IPv4:        Src: 131.107.115.254:47873       Dst: 172.16.176.143:3332
Protocol:    TCP (6)
Packet Size: (58) Bytes
0x00000000  00 0c 29 a4 81 79 00 50 56 f1 2d 82 08 00 45 00   ..)..y.PV.-...E.
0x00000010  00 2c 29 7d 00 00 80 06 bd 45 83 6b 73 fe ac 10   .,)}.....E.ks...
0x00000020  b0 8f 01 bb 04 0d 79 7e 33 45 d8 8d 3c ef 60 12   ......y~3E..<.`.
0x00000030  fa f0 81 13 00 00 02 04 05 b4                     ..........

Packets Found: 5
Ethernet:    Src: (00:50:56:f1:2d:82)       Dst: (00:0c:29:a4:81:79)
Type:        IPv4 (0x0800)
IPv4:        Src: 131.107.115.254:47873       Dst: 172.16.176.143:3332
Protocol:    TCP (6)
Packet Size: (54) Bytes
0x00000000  00 0c 29 a4 81 79 00 50 56 f1 2d 82 08 00 45 00   ..)..y.PV.-...E.
0x00000010  00 28 29 7e 00 00 80 06 bd 48 83 6b 73 fe ac 10   .()~.....H.ks...
0x00000020  b0 8f 01 bb 04 0d 79 7e 33 46 d8 8d 3d 55 50 10   ......y~3F..=UP.
0x00000030  fa f0 98 6a 00 00                                 ...j..

Packets Found: 6
Ethernet:    Src: (00:50:56:c0:00:08)       Dst: (ff:ff:ff:ff:ff:ff)
Type:        IPv4 (0x0800)
IPv4:        Src: 172.16.176.1:35310       Dst: 172.16.176.255:35072
Protocol:    UDP (17)
Packet Size: (92) Bytes
0x00000000  ff ff ff ff ff ff 00 50 56 c0 00 08 08 00 45 00   .......PV.....E.
0x00000010  00 4e 8c fd 00 00 40 11 34 80 ac 10 b0 01 ac 10   .N....@.4.......
0x00000020  b0 ff ee 89 00 89 00 3a 6c f3 40 d3 01 10 00 01   .......:l.@.....
0x00000030  00 00 00 00 00 00 20 41 42 41 43 46 50 46 50 45   .......ABACFPFPE
0x00000040  4e 46 44 45 43 46 43 45 50 46 48 46 44 45 46 46   NFDECFCEPFHFDEFF
0x00000050  50 46 50 41 43 41 42 00 00 20 00 01               PFPACAB.....

Packets Found: 7
Ethernet:    Src: (00:50:56:f1:2d:82)       Dst: (00:0c:29:a4:81:79)
Type:        IPv4 (0x0800)
IPv4:        Src: 131.107.115.254:47873       Dst: 172.16.176.143:3332
Protocol:    TCP (6)
Packet Size: (1422) Bytes
0x00000000  00 0c 29 a4 81 79 00 50 56 f1 2d 82 08 00 45 00   ..)..y.PV.-...E.
0x00000010  05 80 29 7f 00 00 80 06 b7 ef 83 6b 73 fe ac 10   ..)........ks...
0x00000020  b0 8f 01 bb 04 0d 79 7e 33 46 d8 8d 3d 55 50 18   ......y~3F..=UP.
0x00000030  fa f0 83 08 00 00 16 03 00 11 e9 02 00 00 46 03   ..............F.
0x00000040  00 4c 62 3e 86 1c 84 f1 cb cd fc be 83 d9 b3 31   .Lb>...........1
0x00000050  5b 1d ed e8 37 1b b6 38 31 37 bc 01 cd f0 99 d2   [...7..817......
0x00000060  15 20 30 0d 00 00 cc 24 42 11 1a 50 f3 dc cf 74   ..0....$B..P...t
0x00000070  c4 04 7a f5 da 1b 93 9c 51 f4 46 64 43 b2 55 17   ..z.....Q.FdC.U.
0x00000080  48 f0 00 04 00 0b 00 11 97 00 11 94 00 04 89 30   H..............0
0x00000090  82 04 85 30 82 03 6d a0 03 02 01 02 02 0a 61 12   ...0..m.......a.
0x000000a0  df 52 00 00 00 00 00 12 30 0d 06 09 2a 86 48 86   .R......0...*.H.
0x000000b0  f7 0d 01 01 05 05 00 30 81 a3 31 0b 30 09 06 03   .......0..1.0...
0x000000c0  55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08   U....US1.0...U..
0x000000d0  13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e   ..Washington1.0.
0x000000e0  06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e   ..U....Redmond1.
0x000000f0  30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f   0...U....Microso
0x00000100  66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2b   ft.Corporation1+
0x00000110  30 29 06 03 55 04 03 13 22 4d 69 63 72 6f 73 6f   0)..U..."Microso
0x00000120  66 74 20 50 72 6f 64 75 63 74 20 53 65 63 75 72   ft.Product.Secur
0x00000130  65 20 53 65 72 76 65 72 20 43 41 31 20 30 1e 06   e.Server.CA1.0..
0x00000140  09 2a 86 48 86 f7 0d 01 09 01 16 11 70 6b 69 40   .*.H........pki@
0x00000150  6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 30 1e 17   microsoft.com0..
0x00000160  0d 30 39 31 30 31 35 32 32 30 30 33 38 5a 17 0d   .091015220038Z..
0x00000170  31 32 30 31 31 35 32 32 30 30 33 38 5a 30 6f 31   120115220038Z0o1
0x00000180  0b 30 09 06 03 55 04 06 13 02 55 53 31 10 30 0e   .0...U....US1.0.
0x00000190  06 03 55 04 08 13 07 52 65 64 6d 6f 6e 64 31 0b   ..U....Redmond1.
0x000001a0  30 09 06 03 55 04 07 13 02 57 41 31 12 30 10 06   0...U....WA1.0..
0x000001b0  03 55 04 0a 13 09 4d 69 63 72 6f 73 6f 66 74 31   .U....Microsoft1
0x000001c0  0d 30 0b 06 03 55 04 0b 13 04 42 47 4f 53 31 1e   .0...U....BGOS1.
0x000001d0  30 1c 06 03 55 04 03 13 15 77 70 61 2e 6f 6e 65   0...U....wpa.one
0x000001e0  2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 30 81   .microsoft.com0.
0x000001f0  9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00   .0...*.H........
0x00000200  03 81 8d 00 30 81 89 02 81 81 00 be ca f6 17 88   ....0...........
0x00000210  0c a9 e5 de 4d ef 6c 21 e0 46 58 c2 21 20 a3 e3   ....M.l!.FX.!...
0x00000220  7e 6d b0 eb 44 d6 f7 90 cd 56 c3 4b 99 97 09 09   ~m..D....V.K....
0x00000230  da db 68 57 87 e4 0f 19 b8 b8 57 c7 f7 03 75 9a   ..hW......W...u.
0x00000240  f4 4e 51 c8 96 9a cb bd 34 fe eb 22 91 88 2b 1f   .NQ.....4.."..+.
0x00000250  9a 36 8d d9 35 d3 f4 8d 75 09 a8 2c 31 c3 48 d3   .6..5...u..,1.H.
0x00000260  9c b8 c2 b9 67 70 cc 32 1e 93 16 98 f0 c8 12 47   ....gp.2.......G
0x00000270  5d 7e f7 2b c9 36 65 b1 4e 3a d6 dd ce d8 35 56   ]~.+.6e.N:....5V
0x00000280  76 56 d8 62 ed 7c b0 c9 e1 52 0d 02 03 01 00 01   vV.b.|...R......
0x00000290  a3 82 01 70 30 82 01 6c 30 0e 06 03 55 1d 0f 01   ...p0..l0...U...
0x000002a0  01 ff 04 04 03 02 04 f0 30 13 06 03 55 1d 25 04   ........0...U.%.
0x000002b0  0c 30 0a 06 08 2b 06 01 05 05 07 03 01 30 1d 06   .0...+.......0..
0x000002c0  03 55 1d 0e 04 16 04 14 d1 e7 5a 77 0b fb 90 eb   .U........Zw....
0x000002d0  b5 10 1f b9 b3 b7 d9 64 38 07 07 c0 30 1f 06 03   .......d8...0...
0x000002e0  55 1d 23 04 18 30 16 80 14 9e 49 93 71 e6 fa ed   U.#..0....I.q...
0x000002f0  97 80 08 89 3e 3c f3 29 cc 71 6d ef 5c 30 81 a6   ....><.).qm.\0..
0x00000300  06 03 55 1d 1f 04 81 9e 30 81 9b 30 81 98 a0 81   ..U.....0..0....
0x00000310  95 a0 81 92 86 47 68 74 74 70 3a 2f 2f 63 72 6c   .....Ghttp://crl
0x00000320  2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70   .microsoft.com/p
0x00000330  6b 69 2f 63 72 6c 2f 70 72 6f 64 75 63 74 73 2f   ki/crl/products/
0x00000340  4d 69 63 50 72 6f 53 65 63 53 65 72 43 41 5f 32   MicProSecSerCA_2
0x00000350  30 30 37 2d 31 32 2d 30 34 2e 63 72 6c 86 47 68   007-12-04.crl.Gh
0x00000360  74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73   ttp://www.micros
0x00000370  6f 66 74 2e 63 6f 6d 2f 70 6b 69 2f 63 72 6c 2f   oft.com/pki/crl/
0x00000380  70 72 6f 64 75 63 74 73 2f 4d 69 63 50 72 6f 53   products/MicProS
0x00000390  65 63 53 65 72 43 41 5f 32 30 30 37 2d 31 32 2d   ecSerCA_2007-12-
0x000003a0  30 34 2e 63 72 6c 30 5c 06 08 2b 06 01 05 05 07   04.crl0\..+.....
0x000003b0  01 01 04 50 30 4e 30 4c 06 08 2b 06 01 05 05 07   ...P0N0L..+.....
0x000003c0  30 02 86 40 68 74 74 70 3a 2f 2f 77 77 77 2e 6d   0..@http://www.m
0x000003d0  69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70 6b 69   icrosoft.com/pki
0x000003e0  2f 63 65 72 74 73 2f 4d 69 63 50 72 6f 53 65 63   /certs/MicProSec
0x000003f0  53 65 72 43 41 5f 32 30 30 37 2d 31 32 2d 30 34   SerCA_2007-12-04
0x00000400  2e 63 72 74 30 0d 06 09 2a 86 48 86 f7 0d 01 01   .crt0...*.H.....
0x00000410  05 05 00 03 82 01 01 00 18 5f 91 4e 9d d6 d9 cf   ........._.N....
0x00000420  4a 31 44 77 20 87 f8 af e8 a3 ef 18 11 c9 fb 4d   J1Dw...........M
0x00000430  c9 e5 09 db 22 91 57 d7 db b7 b7 40 c4 0a 44 74   ....".W....@..Dt
0x00000440  14 cf eb a8 d4 41 7e ab f7 72 f4 c1 fd bb 15 49   .....A~..r.....I
0x00000450  e8 20 3c 4e a3 4b 05 e0 ad a6 4a 14 e6 f6 25 b2   ..<N.K....J...%.
0x00000460  90 26 ac 96 68 43 8c fd 4b 3a 9e a3 09 19 81 de   .&..hC..K:......
0x00000470  51 f8 99 47 86 cc 5b 40 a8 d6 f8 a9 b6 b8 0f 5e   Q..G..[@.......^
0x00000480  51 ce 1b 84 1b de 38 c2 86 08 34 62 a5 4c ab 4f   Q.....8...4b.L.O
0x00000490  b1 91 70 69 7c ec 61 ce 56 44 0e 7a 2e 35 47 86   ..pi|.a.VD.z.5G.
0x000004a0  53 44 4d 08 1a 95 bd 65 c2 7d 47 d1 6e 0a 1c 83   SDM....e.}G.n...
0x000004b0  ff b4 d2 5f 04 1d 65 37 01 07 4c ba 2d 66 be 0f   ..._..e7..L.-f..
0x000004c0  89 10 91 7a 3b c8 ec 7e 53 07 b8 6b 2b ab 2c 5b   ...z;..~S..k+.,[
0x000004d0  c4 78 55 14 72 40 78 93 8f 74 de 29 b1 28 70 24   .xU.r@x..t.).(p$
0x000004e0  34 d1 42 82 17 65 1f 1f da 2a 0f 4f ec 71 ad 28   4.B..e...*.O.q.(
0x000004f0  aa d4 aa 2c b2 e5 cc 07 00 19 4c f9 7d 63 13 01   ...,......L.}c..
0x00000500  af 62 59 ee 89 c5 b5 ad c0 0d 88 af 98 10 45 53   .bY...........ES
0x00000510  e2 01 e5 a0 41 4e 03 61 00 05 c6 30 82 05 c2 30   ....AN.a...0...0
0x00000520  82 04 aa a0 03 02 01 02 02 0a 61 09 bd fa 00 01   ..........a.....
0x00000530  00 00 00 0f 30 0d 06 09 2a 86 48 86 f7 0d 01 01   ....0...*.H.....
0x00000540  05 05 00 30 81 ac 31 20 30 1e 06 09 2a 86 48 86   ...0..1.0...*.H.
0x00000550  f7 0d 01 09 01 16 11 70 6b 69 40 6d 69 63 72 6f   .......pki@micro
0x00000560  73 6f 66 74 2e 63 6f 6d 31 0b 30 09 06 03 55 04   soft.com1.0...U.
0x00000570  06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a   ...US1.0...U....
0x00000580  57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e         Washington1.0.

Packets Found: 8
Ethernet:    Src: (00:50:56:c0:00:08)       Dst: (ff:ff:ff:ff:ff:ff)
Type:        IPv4 (0x0800)
IPv4:        Src: 172.16.176.1:33262       Dst: 172.16.176.255:35072
Protocol:    UDP (17)
Packet Size: (92) Bytes
0x00000000  ff ff ff ff ff ff 00 50 56 c0 00 08 08 00 45 00   .......PV.....E.
0x00000010  00 4e cf e4 00 00 40 11 f1 98 ac 10 b0 01 ac 10   .N....@.........
0x00000020  b0 ff ee 81 00 89 00 3a 91 a0 1c 2e 01 10 00 01   .......:........
0x00000030  00 00 00 00 00 00 20 41 42 41 43 46 50 46 50 45   .......ABACFPFPE
0x00000040  4e 46 44 45 43 46 43 45 50 46 48 46 44 45 46 46   NFDECFCEPFHFDEFF
0x00000050  50 46 50 41 43 41 42 00 00 20 00 01               PFPACAB.....

--snip---

README.TXT

ETHSCAN.PY

Thanks to MHL, Jamie and Cem for your help in learning the Volatility Framework.  Your input was invaluable.  

4 comments:

  1. Check out bulk extractor - it does all this and more :-)

    http://www.forensicswiki.org/wiki/Bulk_extractor

    ReplyDelete
  2. Not quite. It does not do packet to process association for one

    ReplyDelete
  3. Another alternative tool for extracting packets from memory is CapLoader. It doesn't do pricess association either, but it carves the packets faster and with much better precision! I prefer to carve packets with CapLoader and do process association with Volatility's connscan2.

    http://caploader.com

    ReplyDelete