To use them, grab either the zip or the tarball and extract it to your Volatility directory. You'll get the following new plugins (along with some supporting files):
- hivescan: finds the physical address of CMHIVE structures, which represent a registry hives in memory
- hivelist: takes a physical address of one CMHIVE, returns the virtual address of all hives, and their names
- printkey: takes a virtual address of a hive and a key name (e.g., 'ControlSet001\Control'), and display the key's timestamp, values and subkeys
- hashdump: dump the LanMan and NT hashes from the registry (deobfuscated). See this post for more details on how this is accomplished.
- lsadump: dump the LSA secrets (decrypted) from the registry. See this post for more information.
- cachedump: dump any cached domain password hashes from the registry. This will obviously only work if the memory image comes from a machine that was part of a domain. See this post for more details.
- Use hivescan to find the physical address of a hive.
- Pass one of those (any of them should do) to hivelist using the -o option. This will give you the virtual address of each of the hives in memory.
- With this list in hand, you can now examine individual keys within a hive using printkey, or use hashdump, lsadump, or cachedump to extract credentials from the memory image. The latter three need the virtual addresses of specific hives (SYSTEM and SAM for hashdump, SYSTEM and SECURITY for lsadump and cachedump).
If you're curious how registry access works under the hood, you can read my DFRWS paper or presentation, or check out the blog posts I wrote while doing that research: Enumerating Registry Hives, Reading Open Keys, and Cell Index Translation. And, of course, you can always just look at the source code :)
Some final, closing thoughts. Harlan Carvey's RegRipper has been a huge sucess, and has shown a lot of people how much forensic information is stored in the registry. It would be awesome if this great tool could be applied to memory forensics, but unfortunately I have not yet figured out a way to integrate the two. However, this perl module looks promising; perhaps someone could write a Python wrapper around my registry code that would expose an interface compatible with Parse::Win32Registry, allowing RegRipper to run against a memory image with only slight modifications.
Of course, since RegRipper plugins are all written in Perl, you could also just see what they're doing and reimplement it as a Volatility plugin! To make that easier, here's a quick guide to using the new registry API in Volatility:
- Start by opening a hive and assigning it to an address space. The HiveAddressSpace represents a hive in memory, and takes a virtual address space and offset to a hive as a base. Also, because the registry types are not part of Volatility's standard types, you need to add them in.
from forensics.win32.hive2 import HiveAddressSpace
from forensics.win32.regtypes import regtypes
syshive = HiveAddressSpace(addr_space, types, syshive_address)
- Next, use the get_root() function to find the root key of the hive. You need to pass in the current profile.
from forensics.win32.rawreg import *
from forensics.object2 import Profile
theProfile = Profile()
root = get_root(syshive, theProfile)
- To open a key, use open_key():
key = open_key(root, ["ControlSet001", "Control", "Lsa"])
- To get a list of subkeys of a key, use subkeys():
for sk in subkeys(key):
- To get the values of a key, use values():
for v in values(key):
- To parse the value data and return it in a more meaningful representation, use value_data():
for v in values(key):
val_type, val_data = value_data(v)
print v.Name, val_type, val_data
That's pretty much all you need to know! You can access other attributes of keys and values as members of the Python objects returned. The attributes available can be found in regtypes.py; keys are _CM_KEY_NODE objects and values are _CM_KEY_VALUE objects.
I don't have time to write any more, unfortunately, but I hope these will be useful to people! I'll try to post an example of a RegRipper plugin converted to a Volatility one soon so there's a concrete example to work with. Until then, enjoy and feel free to e-mail me (or leave comments) with any questions!