Ethscan: Volatility memory forensics framework plugin for recovering Ethernet frames from memory.
Ethscan scans any type of memory image (Windows, OS X, Linux, 32- or 64-bit, VMware snapshot .vmem files, etc.) or raw file with Volatility and extracts Ethernet frames; with the checksum option enabled only frames that pass validation are reported, without it invalid frames are kept as well.
Some of Ethscan's options and features (see README.txt for the full list):
IPv4 and IPv6 support!
Options:
-R, --save-raw Create binary files of each packet found in memory
5__131.107.115.254__47873__172.16.176.143__3332__TCP.bin
3__172.16.176.1__35566__172.16.176.255__35072__UDP.bin
1__172.16.176.1__35054__172.16.176.255__35072__UDP.bin
2__172.16.176.1__34030__172.16.176.255__35072__UDP.bin
-C SAVE_PCAP, --save-pcap=SAVE_PCAP
Create a pcap file from recovered packets of given name: "Example: -C out.pcap" (requires dpkt)
Every packet Ethscan finds in memory can be written to a single pcap file (via dpkt) for further inspection in Wireshark. Note: some recovered IPv6 packets cause dpkt to raise an exception when they are written, so I suggest also passing the -R option when using the pcap option.
-P, --enable-proc Enable Packet to Process Association: Windows Only (SLOW)
This option attempts to associate each recovered packet with a process name and PID (currently this works for valid Windows memory images only):
Example:
ProcName: wuauclt.exe PID: 1732 Base Address: 0x15e000 End Address: 0x1000
Ethernet: Src: (00:50:56:f1:2d:82) Dst: (00:0c:29:a4:81:79)
Type: IPv4 (0x0800)
IPv4: Src: 131.107.115.254:47873 Dst: 172.16.176.143:3332
Protocol: TCP (6)
Packet Size: (54) Bytes
0x00000000 00 0c 29 a4 81 79 00 50 56 f1 2d 82 08 00 45 00 ..)..y.PV.-...E.
0x00000010 00 28 29 85 00 00 80 06 bd 41 83 6b 73 fe ac 10 .()......A.ks...
0x00000020 b0 8f 01 bb 04 0d 79 7e 45 77 d8 8d 3f 5e 50 10 ......y~Ew..?^P.
0x00000030 fa f0 84 30 00 00 ...0..
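As an added example that is not part of Ethscan or this post, here are the two pieces the options above rely on, in plain Python with no dpkt dependency: parse_frame applies the EtherType, IHL, total-length and IPv4 header checksum tests a carver has to pass before it can call carved bytes a valid frame (the checksum test is what the checksum option toggles), and pcap_bytes builds the libpcap container the -C option writes. The input frame is re-typed from the first packet of the sample run below; the function names are my own.

```python
import struct

# Constructed input: the first UDP frame of the sample run below, re-typed from its hex dump
# (92 bytes; a NetBIOS name-service broadcast).
FRAME = bytes.fromhex(
    "ff ff ff ff ff ff 00 50 56 c0 00 08 08 00 45 00"
    "00 4e 77 fa 00 00 40 11 49 83 ac 10 b0 01 ac 10"
    "b0 ff ee 88 00 89 00 3a 72 c0 3b 07 01 10 00 01"
    "00 00 00 00 00 00 20 41 42 41 43 46 50 46 50 45"
    "4e 46 44 45 43 46 43 45 50 46 48 46 44 45 46 46"
    "50 46 50 41 43 41 42 00 00 20 00 01"
)

def ip_checksum(header):
    """RFC 1071 ones-complement sum over an IPv4 header; 0 means the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_frame(frame, verify_checksum=True):
    """Sanity-check candidate bytes as an Ethernet/IPv4 frame; return a summary dict or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # too short, or EtherType is not IPv4 (IPv6 0x86dd is not handled here)
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return None  # version nibble must be 4 and the header must fit inside the frame
    total_len = struct.unpack("!H", frame[16:18])[0]
    if total_len < ihl or total_len > len(frame) - 14:
        return None  # IP total length must lie within the recovered bytes
    if verify_checksum and ip_checksum(frame[14:14 + ihl]) != 0:
        return None  # with checksum validation on, a bad header checksum rejects the frame
    proto = frame[23]
    ports = (None, None)
    if proto in (6, 17) and len(frame) >= 18 + ihl:  # TCP/UDP: ports are the first 4 bytes
        ports = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return {"src_mac": mac(frame[6:12]), "dst_mac": mac(frame[:6]),
            "src_ip": ".".join(map(str, frame[26:30])), "dst_ip": ".".join(map(str, frame[30:34])),
            "proto": proto, "sport": ports[0], "dport": ports[1], "size": len(frame)}

def pcap_bytes(frames, ts_sec=0):
    """Build a classic libpcap capture (link type 1, Ethernet) in memory, the container -C writes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for f in frames:
        out += struct.pack("<IIII", ts_sec, 0, len(f), len(f)) + f  # record header + frame
    return out
```

Parsing that frame yields UDP ports 0xee88 and 137 (NetBIOS name service) while the plugin's summary line prints 35054 and 35072, which are the same two bytes read in the other byte order; the TCP frames in the sample show the same swap (0x01bb = 443 printed as 47873), so take port numbers from the pcap rather than from the summary line.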
Here is a short run with no options, using a sample memory image from the Volatility wiki:
https://code.google.com/p/volatility/wiki/SampleMemoryImages
Example:
$ python vol.py ethscan -f be2.vmem
Volatile Systems Volatility Framework 2.2
Packets Found: 1
Ethernet: Src: (00:50:56:c0:00:08) Dst: (ff:ff:ff:ff:ff:ff)
Type: IPv4 (0x0800)
IPv4: Src: 172.16.176.1:35054 Dst: 172.16.176.255:35072
Protocol: UDP (17)
Packet Size: (92) Bytes
0x00000000 ff ff ff ff ff ff 00 50 56 c0 00 08 08 00 45 00 .......PV.....E.
0x00000010 00 4e 77 fa 00 00 40 11 49 83 ac 10 b0 01 ac 10 .Nw...@.I.......
0x00000020 b0 ff ee 88 00 89 00 3a 72 c0 3b 07 01 10 00 01 .......:r.;.....
0x00000030 00 00 00 00 00 00 20 41 42 41 43 46 50 46 50 45 .......ABACFPFPE
0x00000040 4e 46 44 45 43 46 43 45 50 46 48 46 44 45 46 46 NFDECFCEPFHFDEFF
0x00000050 50 46 50 41 43 41 42 00 00 20 00 01 PFPACAB.....
Packets Found: 2
Ethernet: Src: (00:50:56:c0:00:08) Dst: (ff:ff:ff:ff:ff:ff)
Type: IPv4 (0x0800)
IPv4: Src: 172.16.176.1:34030 Dst: 172.16.176.255:35072
Protocol: UDP (17)
Packet Size: (92) Bytes
0x00000000 ff ff ff ff ff ff 00 50 56 c0 00 08 08 00 45 00 .......PV.....E.
0x00000010 00 4e 9b e5 00 00 40 11 25 98 ac 10 b0 01 ac 10 .N....@.%.......
0x00000020 b0 ff ee 84 00 89 00 3a 79 33 34 98 01 10 00 01 .......:y34.....
0x00000030 00 00 00 00 00 00 20 41 42 41 43 46 50 46 50 45 .......ABACFPFPE
0x00000040 4e 46 44 45 43 46 43 45 50 46 48 46 44 45 46 46 NFDECFCEPFHFDEFF
0x00000050 50 46 50 41 43 41 42 00 00 20 00 01 PFPACAB.....
Packets Found: 3
Ethernet: Src: (00:50:56:c0:00:08) Dst: (ff:ff:ff:ff:ff:ff)
Type: IPv4 (0x0800)
IPv4: Src: 172.16.176.1:35566 Dst: 172.16.176.255:35072
Protocol: UDP (17)
Packet Size: (92) Bytes
0x00000000 ff ff ff ff ff ff 00 50 56 c0 00 08 08 00 45 00 .......PV.....E.
0x00000010 00 4e b2 89 00 00 40 11 0e f4 ac 10 b0 01 ac 10 .N....@.........
0x00000020 b0 ff ee 8a 00 89 00 3a 65 8d 48 38 01 10 00 01 .......:e.H8....
0x00000030 00 00 00 00 00 00 20 41 42 41 43 46 50 46 50 45 .......ABACFPFPE
0x00000040 4e 46 44 45 43 46 43 45 50 46 48 46 44 45 46 46 NFDECFCEPFHFDEFF
0x00000050 50 46 50 41 43 41 42 00 00 20 00 01 PFPACAB.....
Packets Found: 4
Ethernet: Src: (00:50:56:f1:2d:82) Dst: (00:0c:29:a4:81:79)
Type: IPv4 (0x0800)
IPv4: Src: 131.107.115.254:47873 Dst: 172.16.176.143:3332
Protocol: TCP (6)
Packet Size: (58) Bytes
0x00000000 00 0c 29 a4 81 79 00 50 56 f1 2d 82 08 00 45 00 ..)..y.PV.-...E.
0x00000010 00 2c 29 7d 00 00 80 06 bd 45 83 6b 73 fe ac 10 .,)}.....E.ks...
0x00000020 b0 8f 01 bb 04 0d 79 7e 33 45 d8 8d 3c ef 60 12 ......y~3E..<.`.
0x00000030 fa f0 81 13 00 00 02 04 05 b4 ..........
Packets Found: 5
Ethernet: Src: (00:50:56:f1:2d:82) Dst: (00:0c:29:a4:81:79)
Type: IPv4 (0x0800)
IPv4: Src: 131.107.115.254:47873 Dst: 172.16.176.143:3332
Protocol: TCP (6)
Packet Size: (54) Bytes
0x00000000 00 0c 29 a4 81 79 00 50 56 f1 2d 82 08 00 45 00 ..)..y.PV.-...E.
0x00000010 00 28 29 7e 00 00 80 06 bd 48 83 6b 73 fe ac 10 .()~.....H.ks...
0x00000020 b0 8f 01 bb 04 0d 79 7e 33 46 d8 8d 3d 55 50 10 ......y~3F..=UP.
0x00000030 fa f0 98 6a 00 00 ...j..
Packets Found: 6
Ethernet: Src: (00:50:56:c0:00:08) Dst: (ff:ff:ff:ff:ff:ff)
Type: IPv4 (0x0800)
IPv4: Src: 172.16.176.1:35310 Dst: 172.16.176.255:35072
Protocol: UDP (17)
Packet Size: (92) Bytes
0x00000000 ff ff ff ff ff ff 00 50 56 c0 00 08 08 00 45 00 .......PV.....E.
0x00000010 00 4e 8c fd 00 00 40 11 34 80 ac 10 b0 01 ac 10 .N....@.4.......
0x00000020 b0 ff ee 89 00 89 00 3a 6c f3 40 d3 01 10 00 01 .......:l.@.....
0x00000030 00 00 00 00 00 00 20 41 42 41 43 46 50 46 50 45 .......ABACFPFPE
0x00000040 4e 46 44 45 43 46 43 45 50 46 48 46 44 45 46 46 NFDECFCEPFHFDEFF
0x00000050 50 46 50 41 43 41 42 00 00 20 00 01 PFPACAB.....
Packets Found: 7
Ethernet: Src: (00:50:56:f1:2d:82) Dst: (00:0c:29:a4:81:79)
Type: IPv4 (0x0800)
IPv4: Src: 131.107.115.254:47873 Dst: 172.16.176.143:3332
Protocol: TCP (6)
Packet Size: (1422) Bytes
0x00000000 00 0c 29 a4 81 79 00 50 56 f1 2d 82 08 00 45 00 ..)..y.PV.-...E.
0x00000010 05 80 29 7f 00 00 80 06 b7 ef 83 6b 73 fe ac 10 ..)........ks...
0x00000020 b0 8f 01 bb 04 0d 79 7e 33 46 d8 8d 3d 55 50 18 ......y~3F..=UP.
0x00000030 fa f0 83 08 00 00 16 03 00 11 e9 02 00 00 46 03 ..............F.
0x00000040 00 4c 62 3e 86 1c 84 f1 cb cd fc be 83 d9 b3 31 .Lb>...........1
0x00000050 5b 1d ed e8 37 1b b6 38 31 37 bc 01 cd f0 99 d2 [...7..817......
0x00000060 15 20 30 0d 00 00 cc 24 42 11 1a 50 f3 dc cf 74 ..0....$B..P...t
0x00000070 c4 04 7a f5 da 1b 93 9c 51 f4 46 64 43 b2 55 17 ..z.....Q.FdC.U.
0x00000080 48 f0 00 04 00 0b 00 11 97 00 11 94 00 04 89 30 H..............0
0x00000090 82 04 85 30 82 03 6d a0 03 02 01 02 02 0a 61 12 ...0..m.......a.
0x000000a0 df 52 00 00 00 00 00 12 30 0d 06 09 2a 86 48 86 .R......0...*.H.
0x000000b0 f7 0d 01 01 05 05 00 30 81 a3 31 0b 30 09 06 03 .......0..1.0...
0x000000c0 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 U....US1.0...U..
0x000000d0 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e ..Washington1.0.
0x000000e0 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e ..U....Redmond1.
0x000000f0 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 0...U....Microso
0x00000100 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2b ft.Corporation1+
0x00000110 30 29 06 03 55 04 03 13 22 4d 69 63 72 6f 73 6f 0)..U..."Microso
0x00000120 66 74 20 50 72 6f 64 75 63 74 20 53 65 63 75 72 ft.Product.Secur
0x00000130 65 20 53 65 72 76 65 72 20 43 41 31 20 30 1e 06 e.Server.CA1.0..
0x00000140 09 2a 86 48 86 f7 0d 01 09 01 16 11 70 6b 69 40 .*.H........pki@
0x00000150 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 30 1e 17 microsoft.com0..
0x00000160 0d 30 39 31 30 31 35 32 32 30 30 33 38 5a 17 0d .091015220038Z..
0x00000170 31 32 30 31 31 35 32 32 30 30 33 38 5a 30 6f 31 120115220038Z0o1
0x00000180 0b 30 09 06 03 55 04 06 13 02 55 53 31 10 30 0e .0...U....US1.0.
0x00000190 06 03 55 04 08 13 07 52 65 64 6d 6f 6e 64 31 0b ..U....Redmond1.
0x000001a0 30 09 06 03 55 04 07 13 02 57 41 31 12 30 10 06 0...U....WA1.0..
0x000001b0 03 55 04 0a 13 09 4d 69 63 72 6f 73 6f 66 74 31 .U....Microsoft1
0x000001c0 0d 30 0b 06 03 55 04 0b 13 04 42 47 4f 53 31 1e .0...U....BGOS1.
0x000001d0 30 1c 06 03 55 04 03 13 15 77 70 61 2e 6f 6e 65 0...U....wpa.one
0x000001e0 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 30 81 .microsoft.com0.
0x000001f0 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 .0...*.H........
0x00000200 03 81 8d 00 30 81 89 02 81 81 00 be ca f6 17 88 ....0...........
0x00000210 0c a9 e5 de 4d ef 6c 21 e0 46 58 c2 21 20 a3 e3 ....M.l!.FX.!...
0x00000220 7e 6d b0 eb 44 d6 f7 90 cd 56 c3 4b 99 97 09 09 ~m..D....V.K....
0x00000230 da db 68 57 87 e4 0f 19 b8 b8 57 c7 f7 03 75 9a ..hW......W...u.
0x00000240 f4 4e 51 c8 96 9a cb bd 34 fe eb 22 91 88 2b 1f .NQ.....4.."..+.
0x00000250 9a 36 8d d9 35 d3 f4 8d 75 09 a8 2c 31 c3 48 d3 .6..5...u..,1.H.
0x00000260 9c b8 c2 b9 67 70 cc 32 1e 93 16 98 f0 c8 12 47 ....gp.2.......G
0x00000270 5d 7e f7 2b c9 36 65 b1 4e 3a d6 dd ce d8 35 56 ]~.+.6e.N:....5V
0x00000280 76 56 d8 62 ed 7c b0 c9 e1 52 0d 02 03 01 00 01 vV.b.|...R......
0x00000290 a3 82 01 70 30 82 01 6c 30 0e 06 03 55 1d 0f 01 ...p0..l0...U...
0x000002a0 01 ff 04 04 03 02 04 f0 30 13 06 03 55 1d 25 04 ........0...U.%.
0x000002b0 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 30 1d 06 .0...+.......0..
0x000002c0 03 55 1d 0e 04 16 04 14 d1 e7 5a 77 0b fb 90 eb .U........Zw....
0x000002d0 b5 10 1f b9 b3 b7 d9 64 38 07 07 c0 30 1f 06 03 .......d8...0...
0x000002e0 55 1d 23 04 18 30 16 80 14 9e 49 93 71 e6 fa ed U.#..0....I.q...
0x000002f0 97 80 08 89 3e 3c f3 29 cc 71 6d ef 5c 30 81 a6 ....><.).qm.\0..
0x00000300 06 03 55 1d 1f 04 81 9e 30 81 9b 30 81 98 a0 81 ..U.....0..0....
0x00000310 95 a0 81 92 86 47 68 74 74 70 3a 2f 2f 63 72 6c .....Ghttp://crl
0x00000320 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70 .microsoft.com/p
0x00000330 6b 69 2f 63 72 6c 2f 70 72 6f 64 75 63 74 73 2f ki/crl/products/
0x00000340 4d 69 63 50 72 6f 53 65 63 53 65 72 43 41 5f 32 MicProSecSerCA_2
0x00000350 30 30 37 2d 31 32 2d 30 34 2e 63 72 6c 86 47 68 007-12-04.crl.Gh
0x00000360 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 ttp://www.micros
0x00000370 6f 66 74 2e 63 6f 6d 2f 70 6b 69 2f 63 72 6c 2f oft.com/pki/crl/
0x00000380 70 72 6f 64 75 63 74 73 2f 4d 69 63 50 72 6f 53 products/MicProS
0x00000390 65 63 53 65 72 43 41 5f 32 30 30 37 2d 31 32 2d ecSerCA_2007-12-
0x000003a0 30 34 2e 63 72 6c 30 5c 06 08 2b 06 01 05 05 07 04.crl0\..+.....
0x000003b0 01 01 04 50 30 4e 30 4c 06 08 2b 06 01 05 05 07 ...P0N0L..+.....
0x000003c0 30 02 86 40 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 0..@http://www.m
0x000003d0 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 70 6b 69 icrosoft.com/pki
0x000003e0 2f 63 65 72 74 73 2f 4d 69 63 50 72 6f 53 65 63 /certs/MicProSec
0x000003f0 53 65 72 43 41 5f 32 30 30 37 2d 31 32 2d 30 34 SerCA_2007-12-04
0x00000400 2e 63 72 74 30 0d 06 09 2a 86 48 86 f7 0d 01 01 .crt0...*.H.....
0x00000410 05 05 00 03 82 01 01 00 18 5f 91 4e 9d d6 d9 cf ........._.N....
0x00000420 4a 31 44 77 20 87 f8 af e8 a3 ef 18 11 c9 fb 4d J1Dw...........M
0x00000430 c9 e5 09 db 22 91 57 d7 db b7 b7 40 c4 0a 44 74 ....".W....@..Dt
0x00000440 14 cf eb a8 d4 41 7e ab f7 72 f4 c1 fd bb 15 49 .....A~..r.....I
0x00000450 e8 20 3c 4e a3 4b 05 e0 ad a6 4a 14 e6 f6 25 b2 ..<N.K....J...%.
0x00000460 90 26 ac 96 68 43 8c fd 4b 3a 9e a3 09 19 81 de .&..hC..K:......
0x00000470 51 f8 99 47 86 cc 5b 40 a8 d6 f8 a9 b6 b8 0f 5e Q..G..[@.......^
0x00000480 51 ce 1b 84 1b de 38 c2 86 08 34 62 a5 4c ab 4f Q.....8...4b.L.O
0x00000490 b1 91 70 69 7c ec 61 ce 56 44 0e 7a 2e 35 47 86 ..pi|.a.VD.z.5G.
0x000004a0 53 44 4d 08 1a 95 bd 65 c2 7d 47 d1 6e 0a 1c 83 SDM....e.}G.n...
0x000004b0 ff b4 d2 5f 04 1d 65 37 01 07 4c ba 2d 66 be 0f ..._..e7..L.-f..
0x000004c0 89 10 91 7a 3b c8 ec 7e 53 07 b8 6b 2b ab 2c 5b ...z;..~S..k+.,[
0x000004d0 c4 78 55 14 72 40 78 93 8f 74 de 29 b1 28 70 24 .xU.r@x..t.).(p$
0x000004e0 34 d1 42 82 17 65 1f 1f da 2a 0f 4f ec 71 ad 28 4.B..e...*.O.q.(
0x000004f0 aa d4 aa 2c b2 e5 cc 07 00 19 4c f9 7d 63 13 01 ...,......L.}c..
0x00000500 af 62 59 ee 89 c5 b5 ad c0 0d 88 af 98 10 45 53 .bY...........ES
0x00000510 e2 01 e5 a0 41 4e 03 61 00 05 c6 30 82 05 c2 30 ....AN.a...0...0
0x00000520 82 04 aa a0 03 02 01 02 02 0a 61 09 bd fa 00 01 ..........a.....
0x00000530 00 00 00 0f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 ....0...*.H.....
0x00000540 05 05 00 30 81 ac 31 20 30 1e 06 09 2a 86 48 86 ...0..1.0...*.H.
0x00000550 f7 0d 01 09 01 16 11 70 6b 69 40 6d 69 63 72 6f .......pki@micro
0x00000560 73 6f 66 74 2e 63 6f 6d 31 0b 30 09 06 03 55 04 soft.com1.0...U.
0x00000570 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a ...US1.0...U....
0x00000580 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e Washington1.0.
Packets Found: 8
Ethernet: Src: (00:50:56:c0:00:08) Dst: (ff:ff:ff:ff:ff:ff)
Type: IPv4 (0x0800)
IPv4: Src: 172.16.176.1:33262 Dst: 172.16.176.255:35072
Protocol: UDP (17)
Packet Size: (92) Bytes
0x00000000 ff ff ff ff ff ff 00 50 56 c0 00 08 08 00 45 00 .......PV.....E.
0x00000010 00 4e cf e4 00 00 40 11 f1 98 ac 10 b0 01 ac 10 .N....@.........
0x00000020 b0 ff ee 81 00 89 00 3a 91 a0 1c 2e 01 10 00 01 .......:........
0x00000030 00 00 00 00 00 00 20 41 42 41 43 46 50 46 50 45 .......ABACFPFPE
0x00000040 4e 46 44 45 43 46 43 45 50 46 48 46 44 45 46 46 NFDECFCEPFHFDEFF
0x00000050 50 46 50 41 43 41 42 00 00 20 00 01 PFPACAB.....
--snip---
README.TXT
ETHSCAN.PY
Comments:

Check out bulk extractor - it does all this and more :-)
http://www.forensicswiki.org/wiki/Bulk_extractor

Not quite. It does not do packet to process association, for one.

Another alternative tool for extracting packets from memory is CapLoader. It doesn't do process association either, but it carves the packets faster and with much better precision! I prefer to carve packets with CapLoader and do process association with Volatility's connscan2.
http://caploader.com

Caploader is $900.00?

Ethscan is not in use in the latest versions of Volatility; bulk extractor is unable to carve things effectively from memory, nor does it give you pcap output.