Category: Forensics

Finding Reflective DLL Injections

DLL injections that originate from a malicious DLL written to a disk are commonly detected by any decent AV product. Detecting reflective DLL injection, however, are not as straightforward. Malware injected directly into a process using reflective DLL injection typically will not exist on disk. A co-worker of mine developed a tool called Evil Injection Finder (EIF), which is designed to help you find those evil injections! Administrative rights are currently necessary to adequately examine the memory of running processes. Some memory pages will be unreadable if marked as protected processes by the OS, such as LSASS.

The example below demonstrates using EIF with a signature file to find injects in all processes on the system. A meterpreter has been loaded into MicrosoftEdge using reflective injection.

I wanted to run EIF on remote systems but it didn’t have that capability so I developed EIF_Parser, which provides the following capabilities:

  • Executes Evil Inject Finder (EIF) on a remote system or systems
  • Retrieves the data gathered by EIF on remote systems
  • On the local system, presents only the processes with ‘yes’ in the MZ or DOS column
  • Logs systems not accessible, for one reason or another

The tools can be found at the below links:

Hunting Self-signed Certificates

Self-signed certificates could be indicative of malicious behavior on a system and being able to identify them is a key task in responding to an incident. Having self-signed certificates in an environment isn’t always a bad thing but not being able to identify them and their purpose is! Nonetheless, taking to PowerShell we can search for them and there is a Certificate PSDrive that will assist with our process. A key indication of self-signed certificates is the issuer and subject being the same. It is also worth noting that a CA may issue a certificate to itself to support key rollover or changes in certificate policies.

This and more PowerShell scripts can be found on my GitHub.

Determining WinRM connections to a Machine

PSRemoting is an awesome feature in Microsoft Windows that serves as a ssh-like function. In Server 2012 and newer, it is enabled by default. You will, however, need to enable the feature on any client system you’d want to use it on. Some organizations feel having the service enabled throughout their organization is more of the burden than something that will increase productivity. Most of those of thoughts stem from not knowing who and is connecting or connected to systems. Luckily, there is a built-in cmdlet to should ease the worrying.

With suitable rights on a system, we can use the below to see who is connected to our system.

Below are the results.

To clean this up a little, we can do the following:

Our results are shown below and are a little easier to understand.

You could easily setup this up on some reoccurring schedule and output it to a file for further analysis.

Getting hashes with Microsoft’s File Checksum Integrity Verifier (FCIV)

Are you responding to an incident? Are you trying to hash particular portions of the disk for comparison with a known good hashes? Are you questioning whether or not to trust the binaries on the possibly compromised system disk in order to get said hashes? Well have no fear, Microsoft has a portable program called File Checksum Integrity Verifier (FCIV) that can help and it can be downloaded here. Since it comes from Microsoft, it will by signed by them as well.

The portable program can be executed from a CD\DVD, flash drive, or network share. With it, we can get MD5 and\or SHA1 hashes files on a system by either printing them to screen or outputting them to another file or database. With this in mind, we can feel better about our capture source and method and easily save the day! We can accomplish this using the below.

Recursively capturing hashes from a specified directory.


Parsing Registry files with RegRipper

The registry of a system contains a lot of good data that can be used forensic analysis. Parsing that data from dead box forensics (bit image) using RegRipper ( will provide you with a lot of useful information. RegRipper is an automated HIVE parser that can parse the forensic contents of the SAM, SECURITY, SYSTEM, SOFTWARE, and the NTUSER.DAT HIVES that it is pointed at. You can even use this to forensically mine the contents of restore point registry files. RegRipper utilizes plugins and aside from the default ones installed during installation, more are available online. The program is available for use on Linux or Windows. The Windows variant includes a GUI. can be invoked by pointing the -r HIVEFILE at the hive you would like to mine forensically. You also need to tell RegRipper the type of hive file it is (sam, security, software, system, ntuser). Hives can be found at C:\Windows\system32\config and the ntuser.dat is located on the root of the each users profile. Once RegRipper is installed on your system, you can use the below syntax to get started and useful options.

# -r -f
[Useful Options]
-r Registry hive file to parse
-f Use(sam, security, software, system, ntuser)
-1 List all plugins
-h Help

Analyzing Various Memory Capture Formats

In a world where there are so many choices for capturing memory and analyzing it, I felt there would be some benefit in compiling a list for quick reference.

FTK Imager
– Outputs to .mem
– Can be analyzed in Volatility –f –profile=

VMWare (.vmem)
– .vmem and .vmsm are created when a VM is suspended
– Can be analyzed with Volatility (.vmem and .vmsm have to be in the same directory) –f –profile=

– Outputs to .raw
– Can be analyzed in Volatility –f –profile=

Hibernation file (hiberfile.sys)
– The File is created when a system is put into hibernation mode
– Located at the root of the C:\
– The file needs to be converted before using. It can be converted to .img using Volatility imagecopy –f hiberfile.sys –O –profile=
– After conversion to .img, it can be analyzed in Redline or Volatility –profile=

Mandiant Memoryze
– Outputs to .img
– Can be analyzed in Redline or Volatility –profile=

Crash Dumps
– Extension will be .dmp
– Will be written to C:\Windows\Minidump or C:\Windows by default
– Dumps can be forced to happen by adding the value called namedCrashOnCtrlScroll with a REG_DWORD value of 0x01 at HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\kbdhid\Parameters. After rebooting the machine, hold down the rightmost CTRL key and press the SCROLL LOCK key twice
– Can be analyzed with Volatility –profile= – Can be analyzed in Redline but must be converted to .img first imagecopy –f –O –profile=

Extracting Data with Bulk Extractor

When it comes to forensics, styles and methodologies may vary from person to person (or organization). Some methods take longer than others and results may vary. One tool/ technique that I lean to time and time again is using Bulk Extractor. Bulk Extractor is a program that enables you to extract key information from digital media. Its usage is valuable no matter the type of case you may be working. A list of the type of information it can extract is depicted on their webpage at

There is a Windows and Linux variant of the program both capable of running from the command line or GUI. It is 4-8 times faster than other tools like EnCase or FTK due to its multi-threading. The program is capable of handling image files, raw devices, or directories. After it completes, it outputs its findings to an .xml file, which can be read back into Bulk Extractor for analysis. The output will look similar to below.


The scanners that you selected to run against your image file have will out to a report in the reports column. Not all scanners generate their own report as they may bucket the information that they find with another report. The chart above can help you determine where a scanner will output. Also, when a selected scanner doesn’t return any suitable data, you will not see a report for it. When you do select a report, it will output its findings to the middle column. From there you can type in strings to search for our just scroll down to view the data. If you want to go further into it data, just click on one of the findings in the middle column and more output will appear in the image column all the way to the right. The image column by default will display the text and the location of the data in the image file. There is an option though to change the image output from text to hex.


Analyzing Memory in the Wonderful World of Redline

Redline is one of a few memory capture/analyzer programs that I keep in my toolkit. How it works is that the software needs to only be installed on the system that you will be analyzing the data on and from there, you would configure the options you want to include grabbing a copy of live memory and save the custom script from Redline. With said script in hand, you would then run it on the system from which memory will be captured. The output will be saved to the location from where the script ran from. With the output data in hand, you would then take it back to you analyst system and import the data into Redline.

Upon importing the data, you will be presented with a few options to aid you in your investigation and after that, you will be presented with a gui of said data. Redline will also provide an MRI (Malware Risk Index) score based on a multiple factors and if it considers it to be bad or very suspicious, it will have a red circle next to it as seen below.


Redline has the ability to analyze memory captures for Memoryze and other captures in the format of .img. I have tried other memory capture formats with 50/50 results.

Search Exchange 2010 Mailboxes

NOTE: The user you run the script with must have the “Discovery Management” RBAC Role.

This script will search all mailboxes for email with attachments named “document1” and “document2” regardless of the file extension. The script will then copy the email message to the “admin.mailbox” mailbox in a folder called “Search_07102014”. Once the script is complete open “admin.mailbox” in Outlook and you’ll see the “Search_11242015” folder under the Inbox containing all the results.

This modification will search for all “.doc” and “.pdf” files and copy them to the same mailbox and folder.

To search for keywords use this modification.

Detecting Alternate Data Streams with PowerShell and DOS

Alternate Data Streams (ADS) are nothing new and there are a few ways to detect them within a NTFS filesystem. My tools of choice for detecting an ADS is LADS (List Alternate Data Streams) by Frank Heyne or SysInternals’ Streams… both of which work rather well. My issue though is that I, much like the customer, normally wants to limit and lessen the amount of external tools that are added to any of their systems. Resident to Microsoft Windows, we have a way to do some detection using one of two ways but one provides a little more capability than the other. Let’s check them both out.

The DOS way depicted below will recursively search a directory (/s), search for ADS (/s), and then look at the string “:DATA”.

The PowerShell way is depicted below. Be advised that the cmdlet used below goes back as far as version 2. The –Stream option was not available until version 4.

If you just executed these commands, you probably noticed how a number of the files might have popped up matching the (more…)

Bare Monkey (Volatility)

I’ve been working on Bare Monkey for a few months now. Bare Monkey inputs a Windows memory capture and runs it against all Volatility plugins and outputs them to a text file. Afterwards, it deletes the generated files that are empty and then compresses the files left. It also creates a tarball and a MD5 hash. The README and code can be found on my github at

You will have to change the extension to .sh and chmod 755.

Some of the benefits of the program are that Volatility will no longer be needed after the program runs, you can analyze the output with a text editor, and grep through the data rather quickly.

Converting a DD image into a VM – pt. 2

This is part 2 of the tutorial to convert a DD image into a VM. The below instruction picks up from the position that one already got a DD image and has it unzipped and uncompressed. To finish the task, please read on.

1. Copy the target_image from your linux forensics system to your Windows forensics system

2. To convert the raw file into a virtual machine using Live View, change the extension of the targetimage raw file to .dd

3. Create a folder on the desktop of your Windows forensics system for which we will put the VM after conversion.

4. Open Live View 0.8 short cut on desktop

5. When the program opens, make the following changes. Once complete, your screen should look like the below.

– Ram size: 1024 (default is 512)

– Operating system: Linux


Converting a DD image into a VM – pt. 1


A good buddy of mine introduced me to LiveView, which creates virtual machines from DD images. There were a number of other programs out there that can do the same thing but didn’t seem as smooth as LiveView is.

One may be wondering why what is the need for all of this? Well, let’s say you are inspecting a suspected or known compromised system. Good practice is to not do anything (or at least as little as possible) to the system in question. In order for one to preserve the system and get an image to work off of, we can make a DD (binary) image. From there, we can use LiveView and convert the DD image into a working virtual machine. From there, one can get a memory capture and/or begin any other forensics on the system yet not affect the original hard drive. LiveView can be found at You will need to install it on your Windows forensics system prior to continuing.


Below are the instructions on using the software that my buddy made.

1. Access the target from the forensics system (linux) using SSH

2. Elevate privileges


Memory Capture with FTK Imager

I previously wrote about using DumpIt for Windows memory captures. If all you need from a system is to capture memory, it fits the bill rather well. There have been some times where it’s given me some issue grabbing memory over 8GB. Nonetheless, what if you need to do more? Let’s say you need to get a binary image also, DumpIt can’t help you there. FTK Imager will do both and more. Today I’ll speak on the memory capture piece and will visit the binary image capture at a later time. To get a capture, follow the below very simple directions.

1. Download FTK Imager from their official site at

2. Once downloaded and installed, open the program.

3. Click ‘File’ and select ‘Capture Memory’ as depicted in the below picture.



Parse and Extract PST and OST Mailboxes

Libpff is a powerful mail examination tool. The tool will allow you to examine and extract data without having to attach the PST to Outlook and has the ability to view emails that are encrypted. In my example below, I will be using the tool via the SANS SIFT workstation as it is already installed. If you want to the program on a different distribution, the source code can be found at While I have an example below of parsing the information, I encourage you to check out the man pages as it is pretty short and straightforward.

Note: the PST I am using is called target_pst.pst

1) Export the PST.

2) Verify that a target.pst.export, target.pst.orphans, and target.pst.recovered directory are now present.

Parsing Metadata with ExifTool

Its one thing to have a piece of data but its another thing to be able to get the metadata about said data. ExifTool ( is a tool that will allow just that. Its command line based but there is a GUI version as well called pyExifTool ( The tool not only allows you to read the metadata but also change it, if necessary. A person could also add his or her own custom tags as well. Below is an example of using the program.

Note: My JPG file name is called pic11.jpg

1) Examine the file using ExifTool


Windows Memory Capture using DumpIt

One of the simplest tools for capturing memory from a Windows system is DumpIt. The program is very portable and saves the capture to wherever the program is ran from. Most people will run it from a flash drive but depending on your company’s security policy that may not be an option so one can run it from a network share as well. It is advised not to save the program to the system you want to capture from and run it from I was going to document the steps but there is no need, it is just that simple. Below is the link for the software and if need be, there is a video depicting the steps.

Memory Capture via Hibernation File

If you are having a hard time getting a memory capture using commercial tools, have no fear, Microsoft to the rescue! Starting with Win2K, each version of Windows has supported OS hibernation. When you put a system into hibernation, it creates a hiberfil.sys file on the root of the filesystem (in most cases, C:\). That in itself is a capture of memory. The only problem is that you can’t just right-click and copy the file as it is locked. You could possibly copy by booting into safe mode (I haven’t tried it), slave the hard drive to another system and copy that way, or use some third-party program. The one that I recommend is X-ways WinHex. There is a free version of the software but due to the size of the hibernation file, you will need the licensed version, which costs $222.

Assuming you have the licensed version, below are the steps to copy the hibernation file.

1) Verify there is a hiberfil.sys file on the root of your filesystem (most likely c:\). If the file is not there, ensure hibernation is enabled and then put your system into hibernation. Once powered off, turn it back on and check again.


Determining what profile to use when analyzing Windows memory in Volatility

No need to guess or experiment with different profiles, let Volatility figure that out for you. In testing, this worked with all formats that Volatility supports. If you were the one to do the memory dump or if the file was labeled OS information, this wouldn’t be a concern or a needed step. To let the magic happen, follow the below.

This analyzes the memory capture metadata and displays which profile is suggested to be used.

The output will be something similiar to this:

Forensics Posters

Anybody getting into forensics knows its like putting on a pair of glasses and seeing things in a whole new light. Part of being able to identify bad or evil is being able to identify normal. In my opinion, SANS did a pretty good job depicting some common things to look for when beginning the forensics process. The posters can be found at the below link.

Building a profile for Volatility

After capturing Linux memory using LiME (or your program of choice), we can analyze it using Volatility. In order to do so, you will need to build a profile for Volatility to use. The profile is based on the kernel/version of the system in which the memory capture was done on. The maintainers of the Volatility Project have a repo of pre-built profiles on their page located at Carnegie Mellon University also has prebuilt profiles as well and they are located at
In order to build a profile, following the below instructions. For this demo, I am using a Kali 1.0.9 (Debian) system to build my profile on an Ubuntu system to do the analyzing on.

1) Install dwarfdump. On RedHat(Fedora)-based systems, this can be done by typing ‘yum install dwarfdump’

2) Download the necessary source code to compile the module.dwarf file

3) Change directory into the newly created vol-mem-profile directory


Linux Memory Capture with LiME

When doing forensics, grabbing a capture of the live memory is vital. There are a few different programs out there to accomplish the task but in my testing, I felt LiME was the best choice. It wasn’t intrusive at all on the system and was pretty straightforward. Once I compiled it, I loaded it up on my flash drive and on I went. Below are the steps I took to achieve it all.

Notes: I am using a Kali system and will be moving the compiled LiME program to the target using a flash drive.

1) Make a directory for LiME.

2) Change Directory into the newly created lime directory.