Extracting Username/Passwords from RAM Dump : Volatility Framework makes it Easy

1.  For those of you who have started reading this post coz of the tempting post title claiming extracting username/passwords from a RAM Dump,I must assure you it is possible easily in few steps using Volatility Framework.In the post ahead I have a RAM dump of a Windows 7 OS and I have been able to extract the user names and passwords of these users in three simple steps using Volatility Framework.Well,I will quickly get to the steps with screenshots :

Setup Required

 - Volatility Framework Installed.
[How to Install at http://anupriti.blogspot.in/2015/09/volatility-advanced-memory-forensics.html]

- Taking Ram Dump from Windows
[How to take RAM dump at para 3 of http://anupriti.blogspot.in/2015/09/volatility-command-using-imageinfo-to.html]

Here I am using two commands basically ie hivelist and hashdump

HIVELIST

Hivelist is used to locate the virtual addresses of registry hives in memory, and the full paths to the corresponding hive on disk.

Command Usage

python vol.py --profile=Win7SP0x86 -f /home/cuckoo/Desktop/windows_7_ramdump.raw hivelist

You get a similar output as seen below :

CLICK TO ENLARGE

Note Virtual Address for SYSTEM as highlighted
CLICK TO ENLARGE

Note Virtual Address for SAM as highlighted
CLICK TO ENLARGE

HASHDUMP

Hashdump is used to extract and decrypt cached domain credentials stored in the registry.

Command Usage

To use hashdump, pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s, as shown below:

python vol.py --profile=Win7SP0x86 hashdump -f /home/cuckoo/Desktop/windows_7_ramdump.raw -y 0x8901a360 -s 0x8faff008

Hashdump output seen with user names and NTLM dump
CLICK TO ENLARGE

As we see vide above screen shot we have been able to extract names of users as stalin,VOLA and TILITY with hash of passwords against their names.Now we will decrypt these hashes.

DECRYPTING NTLM hash

Now comes decrypting this hash as we have got vide hashdump above.Hashes can now be cracked using John the Ripper, rainbow tables, etc.Now no need to install these crackers separately.Simply google for online decryptos and you will get the password too.I used this site at http://www.hashkiller.co.uk/ntlm-decrypter.aspx

Screen shots below:

Password extracted is test_1234
CLICK TO ENLARGE

Password extracted is test_123
CLICK TO ENLARGE

Password extracted is test
CLICK TO ENLARGE

So in all two terminal commands running volatility hivelist and hashdump followed by decrypting the hash online will give you the usernames and passwords from the RAM dump.Any queries and questions or advises are most welcome.Thanks

Volatility-Advanced Memory Forensics Framework : Installation@Ubuntu

1.   The Volatility Framework is a completely open collection of tools, implemented in Python for the extraction of digital artifacts from volatile memory (RAM) samples. Volatility is a memory forensics framework, to analyse ram memory dumps for Windows, Linux, and Mac. In order to analyse a operating system’s RAM memory in Volatility, you need to build the corresponding operating system’s profile.The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.Vide this post, I am sharing how to install volatility in Ubuntu 12.04 in a step wise manner.The post includes screen-shots and ready to shoot terminal commands for installing other dependent libraries.

Firstly : Installing Dependencies

sudo apt-get install subversion pcregrep libpcre++-dev python-dev -y

Secondly : Installing PyCrypto

First download PyCRypto from https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz

Go to ~/..../Downloads/

tar -zxvf pycrypto-2.6.1.tar.gz

cd pycrypto-2.6.1

python setup.py build

sudo python setup.py build install

Thirdly: Installing Distrom
Distrom ,a disassemble library for x86/AMD64 can be downloaded from https://github.com/gdabah/distorm

Goto downloads where the file is likely downloaded :

unzip distorm3.zip

cd distorm3/

python setup.py build

python setup.py build install

Fourthly: Installing Yara 

Volatility needs another important dependency known as Yara,that can be installed as follows:

wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz

tar -zxvf yara-1.4.tar.gz

cd yara-1.4/

sudo ./configure

sudo make

sudo make install

Fifthly : Installing Yara-Python





Download the tar.gz from https://yara-project.googlecode.com/files/yara-python-1.4a.tar.gz

tar -zxvf yara-python-1.4a.tar.gz

cd yara-python-1.4a/

python setup.py build

python setup.py build install

sudo echo “/usr/local/lib” >> /etc/ld.so.conf

sudo ldconfig

Now through with the installation of dependencies,we go ahead to install Volatility after we download the tar ball from https://code.google.com/p/volatility/downloads/detail?name=volatility-2.3.1.tar.gz&can=2&q=

~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build

~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build install

The installation is complete now and you should get a similar screen as seen below on running the command python vol.py -h