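#!/usr/bin/env bash
#
# Basic initial investigation of one process in a memory image with
# Volatility 2 (vol.py). Interactively asks for the case name, the memory
# image file name, the Volatility profile and a PID, then:
#   1. records MD5 and SHA-1 of the image in the case log,
#   2. runs the dumping plugins (dlldump vaddump malfind memdump) into
#      procpulls/<pid>/<plugin>/,
#   3. classifies the vaddump regions with file(1) and hashes those
#      recognised as PE32,
#   4. runs the text plugins (dlllist apihooks callbacks ldrmodules ssdt)
#      into procpulls/<pid>/<plugin>.<pid>.txt,
#   5. writes a copy of the dlllist output without System32 entries.
#
# Layout under /cases/<case>/: <image>, evidence/<case>.log,
#   evidence/<case>.<pid>.log, text/, procpulls/<pid>/...
# Output files are appended to, so re-running for the same PID adds to the
# existing logs and listings rather than replacing them.
#
# By: Matthew Ulm
# Date: August 8, 2014
#
# TODO(original): the Didier Stevens upload/search step was never implemented.
#
# -u and pipefail only: a failing Volatility plugin must not abort the whole
# run, so every vol.py call is checked explicitly and its status is logged.
set -uo pipefail

# Root of all case directories. (Originally stored in HOME, which clobbers
# the real $HOME for every tool the script starts; renamed.)
readonly CASES_ROOT="/cases"
readonly VOL="vol.py"
# Plugins that write files into a -D directory vs. plugins that print text.
readonly -a DUMP_PLUGINS=( dlldump vaddump malfind memdump )
readonly -a TEXT_PLUGINS=( dlllist apihooks callbacks ldrmodules ssdt )

#######################################
# Print an error to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a message to the screen and append it to a log file.
# Arguments: $1 - log file, $2.. - message
#######################################
log() {
  local logfile=$1
  shift
  printf '%s\n' "$*"
  printf '%s\n' "$*" >> "$logfile"
}

#######################################
# Append a message to a log file only.
# Arguments: $1 - log file, $2.. - message
#######################################
logf() {
  local logfile=$1
  shift
  printf '%s\n' "$*" >> "$logfile"
}

#######################################
# Print a prompt and read one line (backslashes kept) into the named variable.
# Arguments: $1 - variable name, $2 - prompt text
# Returns:   non-zero on EOF
#######################################
ask() {
  printf '%s\n' "$2"
  IFS= read -r "$1"
}

#######################################
# Run the plugins that dump files, one output directory per plugin.
# Arguments: $1 - image path, $2 - profile, $3 - PID,
#            $4 - procpulls/<pid> directory, $5 - per-process log
#######################################
run_dump_plugins() {
  local image=$1 profile=$2 pid=$3 proc_dir=$4 proc_log=$5
  local plugin out_dir rc
  for plugin in "${DUMP_PLUGINS[@]}"; do
    out_dir="$proc_dir/$plugin"
    if [[ -d "$out_dir" ]]; then
      printf 'I see the %s directory already present\n' "$plugin"
    else
      mkdir -p -- "$out_dir" || die "cannot create $out_dir"
    fi
    printf '%s\n' "$plugin"
    # -D gets an absolute path so the dumps land in procpulls/<pid>/<plugin>/,
    # which is where triage_vaddump looks afterwards.
    if "$VOL" -f "$image" --profile="$profile" "$plugin" -p "$pid" -D "$out_dir"; then
      log "$proc_log" "Completed the $plugin on process $pid at $(date)."
    else
      rc=$?
      log "$proc_log" "WARNING: $plugin on process $pid exited with status $rc at $(date)."
    fi
    logf "$proc_log" ""
  done
}

#######################################
# Run the plugins that print text, one <plugin>.<pid>.txt per plugin.
# -p is passed to every plugin as the original script did; NOTE(review):
# confirm each listed plugin accepts it — a rejection shows up as a WARNING.
# Arguments: $1 - image path, $2 - profile, $3 - PID,
#            $4 - procpulls/<pid> directory, $5 - per-process log
#######################################
run_text_plugins() {
  local image=$1 profile=$2 pid=$3 proc_dir=$4 proc_log=$5
  local plugin rc
  for plugin in "${TEXT_PLUGINS[@]}"; do
    printf '%s\n' "$plugin"
    if "$VOL" -f "$image" --profile="$profile" "$plugin" -p "$pid" \
        >> "$proc_dir/$plugin.$pid.txt"; then
      log "$proc_log" "Completed the $plugin pull on process $pid at $(date)."
    else
      rc=$?
      log "$proc_log" "WARNING: $plugin on process $pid exited with status $rc at $(date)."
    fi
    logf "$proc_log" ""
  done
}

#######################################
# Classify every vaddump region with file(1) and hash the PE32 ones.
# Writes, inside the vaddump directory:
#   vaddump.file.w.txt      "name: description" for every .dmp
#   vaddump.file.pe32.txt   names of regions file(1) reports as PE32
#   vaddump.file.pe.md5.txt md5sum output for those regions
#   vaddump.file.md5.txt    the bare MD5 digests
# Arguments: $1 - vaddump directory
#######################################
triage_vaddump() {
  local vad_dir=$1
  local dmp name desc sum
  [[ -d "$vad_dir" ]] || return 0
  for dmp in "$vad_dir"/*.dmp; do
    [[ -e "$dmp" ]] || continue   # unmatched glob leaves the literal pattern
    name=${dmp##*/}
    desc=$(file -b -- "$dmp") || desc="(file failed)"
    printf '%s: %s\n' "$name" "$desc" >> "$vad_dir/vaddump.file.w.txt"
    if [[ "$desc" == *PE32* ]]; then
      printf '%s\n' "$name" >> "$vad_dir/vaddump.file.pe32.txt"
      # Hash from inside the directory so the recorded name stays relative.
      if sum=$(cd -- "$vad_dir" && md5sum -- "$name"); then
        printf '%s\n' "$sum" >> "$vad_dir/vaddump.file.pe.md5.txt"
        printf '%s\n' "${sum%% *}" >> "$vad_dir/vaddump.file.md5.txt"
      fi
    fi
  done
}

#######################################
# Write a copy of the dlllist output without System32 entries.
# Arguments: $1 - procpulls/<pid> directory, $2 - PID
#######################################
filter_dlllist() {
  local proc_dir=$1 pid=$2
  local src="$proc_dir/dlllist.$pid.txt"
  [[ -f "$src" ]] || return 0
  # grep exits 1 when nothing is left after filtering; that is not an error.
  grep -i -v -- system32 "$src" >> "$proc_dir/dlllist.$pid.nosys32.txt" || true
}

main() {
  local case_name image profile pid
  local case_dir image_path evidence case_log proc_dir proc_log
  local today
  today=$(date +"%Y-%m-%d")

  ask case_name "What is the case name? :" || die "no case name given"
  # Single path component only: the name is joined onto CASES_ROOT below.
  [[ "$case_name" =~ ^[A-Za-z0-9._-]+$ && "$case_name" != . && "$case_name" != .. ]] \
    || die "case name must contain only letters, digits, '.', '_' or '-'"
  ask image "What is the memory file name? :" || die "no memory file name given"
  [[ -n "$image" ]] || die "memory file name must not be empty"

  case_dir="$CASES_ROOT/$case_name"
  image_path="$case_dir/$image"
  evidence="$case_dir/evidence"
  case_log="$evidence/$case_name.log"

  mkdir -p -- "$evidence" "$case_dir/text" \
    || die "cannot create directories under $case_dir"
  [[ -f "$image_path" && -r "$image_path" ]] \
    || die "memory image not readable: $image_path"

  printf 'Today is %s.\n' "$today"
  logf "$case_log" "Today is $(date)."
  log "$case_log" "This script is meant to pull information about a particular process."
  logf "$case_log" "------------------------------------------------------------"
  logf "$case_log" "The file being analyzed is: $image_path"
  log "$case_log" "I am going to take an MD5 sum of the file now."
  md5sum -- "$image_path" >> "$case_log" || die "md5sum failed on $image_path"
  log "$case_log" "I am going to take a SHA 1 sum of the file now."
  sha1sum -- "$image_path" >> "$case_log" || die "sha1sum failed on $image_path"
  logf "$case_log" "------------------------------------------------------------"

  ask profile "What is the profile? :" || die "no profile given"
  [[ -n "$profile" ]] || die "profile must not be empty"
  ask pid "What process do you want to look at? :" || die "no process number given"
  [[ "$pid" =~ ^[0-9]+$ ]] || die "process number must be a decimal PID, got '$pid'"

  proc_dir="$case_dir/procpulls/$pid"
  proc_log="$evidence/$case_name.$pid.log"
  mkdir -p -- "$proc_dir" || die "cannot create $proc_dir"

  printf '%s\n' "I will now pull some information from the memory sample."
  logf "$proc_log" "Today is $(date)."
  logf "$proc_log" "This script is meant to pull information about a particular process."
  logf "$proc_log" "------------------------------------------------------------"

  run_dump_plugins "$image_path" "$profile" "$pid" "$proc_dir" "$proc_log"
  triage_vaddump "$proc_dir/vaddump"
  run_text_plugins "$image_path" "$profile" "$pid" "$proc_dir" "$proc_log"

  printf '%s\n' "I am done pulling text based information." \
    "You can start going through those for pertinent data."
  filter_dlllist "$proc_dir" "$pid"
  printf '%s\n' "I have pulled out the System32 DLLs now."
}

main "$@"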