Friday, January 23, 2009

Registry Code Updates

I've found a couple of bugs in the registry code I released recently, and at least one is significant enough to warrant a new release. That'll teach me to release code I wrote in a couple of hours on a plane ;)

The list of fixes is:
  • Fix a bug that prevented any volatile subkeys from appearing when using the subkeys() function.
  • Add a check for None when using lsadump (reported by Paul Bobby, thanks!)
  • Add appropriate license statements at the top of each file (thanks AAron!). For the record, the license is the GNU General Public License (GPL).
You can download the new version as a zip or tarball, and install it exactly as you did the previous version, by extracting it into your Volatility directory. If you have a previous version installed, this should just overwrite it (though you may have to tell your unzip program that's okay). As before, PyCrypto is required for the credential extraction modules.

One final note: I have seen some crashes when people attempt to use the hash extraction code but pass the wrong address for the hive in memory. I'd like to fix this, but I don't yet have a good way of checking that a given hive is actually the SYSTEM, SAM or SECURITY hive. I'll try to find something that works, though, and release it with the next update.

8 comments:

ForensicZone said...

First of all “Nice Job”!!!
I'm having a problem running hashdump, lsadump, and cachedump. I grabbed PyCrypto and installed (with an error: “...Python was built with Visual Studio 2003...”) onto a WindowsXPSP2 System. The build looks pretty good but running Volatility it errors out to the following:

*** Unable to load module cachedump: cannot import name MD4
*** Unable to load module hashdump: cannot import name MD4
*** Unable to load module lsadump: cannot import name MD4
*** Unable to load module cachedump: cannot import name MD4
*** Unable to load module hashdump: cannot import name MD4
*** Unable to load module lsadump: cannot import name MD4

I do have HMAC, MD5, RIPEMD160, RIPEMD and SHA(.py) python files in the HASH folder (C:\Python25\Lib\site-package\Crypto\Cipher).
I really could use your help to figure this out.

Thanks
Rick
Forensiczone.com

moyix said...

It looks as though PyCrypto has portions that are written in C and need to be compiled. If you don't have Visual Studio installed on the machine, you will probably need to find a binary package of PyCrypto for Windows and your Python version.

This page appears to have some, though I don't have a Windows machine handy right now and so I can't vouch for their correctness. I'll try to give this a try on Windows within the next couple days.

Cheers,
Brendan

ForensicZone said...

Brendan
Got it!! I downloaded the compiled self-extracting PyCrypto and installed it with no problems. LSADump and Hashdump are working great (I don't have any files to test cachedump). Your programs are simply "awesome". Thanks again for all the work.

Rick
ForensicZone.com

dEViLpOiSeD said...

I copied the 3 folders into the volatility directory, but it does not show me the list of installed plugins while running.

moyix said...

The easiest way to install it is to extract the zipfile or tarball directly into the Volatility directory -- not all the folders go into the base directory. After unpacking, you should have these files, in these locations (assuming your Volatility directory is called Volatility-1.3_Beta):

Volatility-1.3_Beta/memory_plugins/registry/cachedump.py
Volatility-1.3_Beta/memory_plugins/registry/hashdump.py
Volatility-1.3_Beta/memory_plugins/registry/hivedump.py
Volatility-1.3_Beta/memory_plugins/registry/hivelist.py
Volatility-1.3_Beta/memory_plugins/registry/hivescan2.py
Volatility-1.3_Beta/memory_plugins/registry/lsadump.py
Volatility-1.3_Beta/memory_plugins/registry/printkey.py
Volatility-1.3_Beta/memory_objects/Windows/registry.py
Volatility-1.3_Beta/forensics/win32/regtypes.py
Volatility-1.3_Beta/forensics/win32/rawreg.py
Volatility-1.3_Beta/forensics/win32/lsasecrets.py
Volatility-1.3_Beta/forensics/win32/hive2.py
Volatility-1.3_Beta/forensics/win32/hashdump.py
Volatility-1.3_Beta/forensics/win32/domcachedump.py
Volatility-1.3_Beta/forensics/win32/regdump.py

dEViLpOiSeD said...

Directory structure is exactly the same, but still not showing plugins. Not sure if it has something to do with the OS (Windows XP SP3) or the Python compiler being used. (http://sourceforge.net/projects/pywin32/)

moyix said...

Are you running Volatility from within the Volatility directory? At the moment Volatility can only see plugins if it is run from within the main Volatility directory (IIRC it just looks at the memory_plugins directory in the current working directory).

Do other plugins show up? You should at least be able to see the example plugins like pslist_ex_1 and memmap_ex_2.
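The two problems raised in this thread (the PyCrypto `cannot import name MD4` failures and plugins not being discovered because Volatility was not run from its own directory) are both easy to check for before running anything. The script below is an added example written for this page, not part of the registry code release or of Volatility itself; it assumes the file layout listed in the comment above, that the credential modules need `Crypto.Hash.MD4`, and that Volatility only looks for `memory_plugins` in the current working directory. The function names (`missing_files`, `pycrypto_md4_status`, `diagnose`) are this example's own and is written for a modern Python 3 rather than the Python 2.5 of the original thread.

```python
import importlib
import os
from pathlib import Path

# Expected locations of the registry plugin files relative to the
# Volatility directory, as listed in the comment thread above.
EXPECTED_FILES = [
    "memory_plugins/registry/cachedump.py",
    "memory_plugins/registry/hashdump.py",
    "memory_plugins/registry/hivedump.py",
    "memory_plugins/registry/hivelist.py",
    "memory_plugins/registry/hivescan2.py",
    "memory_plugins/registry/lsadump.py",
    "memory_plugins/registry/printkey.py",
    "memory_objects/Windows/registry.py",
    "forensics/win32/regtypes.py",
    "forensics/win32/rawreg.py",
    "forensics/win32/lsasecrets.py",
    "forensics/win32/hive2.py",
    "forensics/win32/hashdump.py",
    "forensics/win32/domcachedump.py",
    "forensics/win32/regdump.py",
]


def missing_files(volatility_dir):
    """Return the expected plugin files that are absent under volatility_dir."""
    base = Path(volatility_dir)
    return [rel for rel in EXPECTED_FILES if not (base / rel).is_file()]


def plugins_discoverable(cwd):
    """Volatility only finds plugins in memory_plugins under the current
    working directory, so check that directory exists relative to cwd."""
    return (Path(cwd) / "memory_plugins").is_dir()


def pycrypto_md4_status():
    """Report whether Crypto.Hash.MD4, which hashdump/lsadump/cachedump need,
    can be imported. A missing compiled PyCrypto shows up here as ImportError."""
    try:
        importlib.import_module("Crypto.Hash.MD4")
    except ImportError as exc:
        return "missing: %s" % exc
    return "ok"


def diagnose(volatility_dir=None):
    """Collect the three checks into one report dict (hypothetical helper)."""
    volatility_dir = volatility_dir or os.getcwd()
    return {
        "plugins_discoverable": plugins_discoverable(volatility_dir),
        "missing_files": missing_files(volatility_dir),
        "md4": pycrypto_md4_status(),
    }


if __name__ == "__main__":
    # Run from inside the Volatility directory, exactly as volatility itself
    # would be run, so the cwd-based checks reflect the real situation.
    for name, value in diagnose().items():
        print("%s: %s" % (name, value))
```

Run it from the directory you launch `volatility` in; an empty `missing_files` list plus `md4: ok` means both issues discussed in this thread are ruled out, and a non-empty list shows exactly which files landed in the wrong place.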

dEViLpOiSeD said...

Yes, I am running it within the volatility directory.

\Volatility-1.3_Beta\Volatility-1.3_Beta\volatility

\Volatility-1.3_Beta\Volatility-1.3_Beta\volatility\memory_plugins

I don't even see the example plugins.