mac_arp
This plugin prints the ARP table, including sent/recv statistics, the time each entry was created, and its expiration.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_arp
Volatile Systems Volatility Framework 2.3_alpha
Source IP Dest. IP Name Sent Recv Time Exp. Delta
------------------------ ------------------------ ---------- ------------------ ------------------ ------------------------------ ---------- -----
192.168.228.255 ff:ff:ff:ff:ff:ff vmnet8 10 0 2013-03-29 12:13:59 UTC+0000 39913 0
172.16.244.255 ff:ff:ff:ff:ff:ff vmnet1 10 0 2013-03-29 12:13:59 UTC+0000 39913 0
10.0.1.255 ff:ff:ff:ff:ff:ff en1 12 0 2013-03-29 12:13:59 UTC+0000 39913 0
10.0.1.8 e8:8d:28:cb:67:07 en1 19 924 2013-03-29 11:56:30 UTC+0000 40065 1201
10.0.1.2 ac:16:2d:32:fc:d7 en1 1 47 2013-03-29 11:56:02 UTC+0000 40037 1201
10.0.1.1 00:26:bb:6c:8e:64 en1 4551 4517 2013-03-29 01:08:53 UTC+0000 40318 40310
This information is very useful when tracking lateral movement, as the systems that the investigated computer interacted with can be determined from the unicast ARP entries.
mac_ifconfig
mac_ifconfig prints each interface on the system as well as its IP and MAC addresses.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_ifconfig
Volatile Systems Volatility Framework 2.3_alpha
Interface Address
---------- -------
lo0 fe80:1::1
lo0 127.0.0.1
lo0 ::1
gif0
stf0
en1 8c:2d:aa:41:1e:3b
en1 fe80:4::8e2d:aaff:fe41:1e3b
en1 10.0.1.3
en0 10:dd:b1:9f:d5:ce
p2p0 0e:2d:aa:41:1e:3b
fw0 00:0a:27:02:00:4b:19:5c
vmnet1 00:50:56:c0:00:01
vmnet1 172.16.244.1
vmnet8 00:50:56:c0:00:08
vmnet8 192.168.228.1
mac_netstat
The netstat plugin prints each active connection on the system along with its state. Analysis of listening sockets can reveal backdoors, and established connections reveal the remote hosts the system was communicating with.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_netstat
Volatile Systems Volatility Framework 2.3_alpha
UNIX -
UNIX /var/tmp/launchd/sock
UNIX -
UNIX /var/tmp/com.barebones.authd.socket
UNIX /var/run/com.apple.ActivityMonitor.socket
TCP :::548 :::0 TIME_WAIT
TCP 0.0.0.0:548 0.0.0.0:0 TIME_WAIT
UDP 127.0.0.1:60762 0.0.0.0:0
UNIX /var/run/mDNSResponder
UNIX /var/rpc/ncacn_np/lsarpc
UNIX /var/rpc/ncalrpc/lsarpc
TCP 10.0.1.3:49179 173.194.76.125:5222 TIME_WAIT
TCP 10.0.1.3:49188 205.188.248.150:443 TIME_WAIT
TCP 10.0.1.3:49189 205.188.254.208:443 TIME_WAIT
TCP 10.0.1.3:50614 205.188.13.76:443 TIME_WAIT
UDP 0.0.0.0:137 0.0.0.0:0
UDP 0.0.0.0:138 0.0.0.0:0
UNIX /var/run/vpncontrol.sock
UNIX /var/run/portmap.socket
TCP :::5900 :::0 TIME_WAIT
[snip]
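The mac_netstat output above is plain whitespace-separated text, so the usual triage questions (which local ports are bound with no peer, which remote endpoints the host was talking to, which UNIX sockets exist) can be answered by parsing it. The following is an added example, not code from Volatility or this page; it works on a constructed subset of the lines shown above, treats a socket whose remote side is 0.0.0.0:0 or :::0 as bound-but-unconnected (an assumption about how the plugin renders such sockets, since it prints TIME_WAIT for them), and uses the standard library only.

```python
import ipaddress

# Constructed sample: a subset of the mac_netstat lines shown above.
SAMPLE_NETSTAT = """\
UNIX -
UNIX /var/tmp/launchd/sock
TCP :::548 :::0 TIME_WAIT
TCP 0.0.0.0:548 0.0.0.0:0 TIME_WAIT
UDP 127.0.0.1:60762 0.0.0.0:0
UNIX /var/run/mDNSResponder
TCP 10.0.1.3:49179 173.194.76.125:5222 TIME_WAIT
TCP 10.0.1.3:49188 205.188.248.150:443 TIME_WAIT
UDP 0.0.0.0:137 0.0.0.0:0
TCP :::5900 :::0 TIME_WAIT
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); works for IPv6 such as ':::548'
    because only the last colon separates the port."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Turn mac_netstat output lines into a list of dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        proto = parts[0]
        if proto == "UNIX":
            # '-' is printed when the socket has no bound path
            rows.append({"proto": "UNIX", "path": parts[1] if len(parts) > 1 else "-"})
        elif proto in ("TCP", "UDP"):
            lhost, lport = split_endpoint(parts[1])
            rhost, rport = split_endpoint(parts[2])
            state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
            rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                         "rhost": rhost, "rport": rport, "state": state})
    return rows


def is_unspecified(host):
    """True for the IPv4/IPv6 'any' address as printed by the plugin."""
    return host in ("0.0.0.0", "::")


def bound_ports(rows):
    """(proto, local port) pairs with no remote peer: candidates for
    listeners/backdoors that deserve a closer look."""
    return sorted({(r["proto"], r["lport"]) for r in rows
                   if r["proto"] != "UNIX"
                   and is_unspecified(r["rhost"]) and r["rport"] == 0})


def remote_peers(rows):
    """Distinct (remote host, remote port) endpoints the system talked to."""
    return sorted({(r["rhost"], r["rport"]) for r in rows
                   if r["proto"] != "UNIX" and not is_unspecified(r["rhost"])})


def external_peers(rows):
    """Remote peers outside RFC 1918 / loopback / link-local space."""
    return [(h, p) for h, p in remote_peers(rows)
            if not ipaddress.ip_address(h).is_private]


def unix_sockets(rows):
    """Bound UNIX socket paths (unusual paths are worth checking against
    the process list)."""
    return sorted({r["path"] for r in rows if r["proto"] == "UNIX" and r["path"] != "-"})


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    print("bound ports:", bound_ports(parsed))
    print("external peers:", external_peers(parsed))
    print("unix sockets:", unix_sockets(parsed))
```

Feeding the real plugin output through `parse_netstat` (for example, `parse_netstat(open("netstat.txt").read())`) gives the same three views; the remote-peer list is what you would correlate with the mac_arp and mac_route entries for the same image.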
mac_route
The mac_route plugin prints the system's routing table. It also prints the number of packets sent and received on each route. This can be especially useful during internal network breach investigations.
$ python vol.py --profile=MacMountainLion_10_8_3_AMDx64 -f ~/10.8.3.mmr.macho mac_route
Volatile Systems Volatility Framework 2.3_alpha
Source IP Dest. IP Name Sent Recv Time Exp. Delta
------------------------ ------------------------ ---------- ------------------ ------------------ ------------------------------ ---------- -----
0.0.0.0 10.0.1.1 en1 4342 50431 2013-03-29 01:08:55 UTC+0000 0 0
10.0.1.0 en1 8331 31691 2013-03-29 01:08:56 UTC+0000 8 0
10.0.1.1 00:26:bb:6c:8e:64 en1 4551 4517 2013-03-29 01:08:53 UTC+0000 40318 40310
10.0.1.2 ac:16:2d:32:fc:d7 en1 1 47 2013-03-29 11:56:02 UTC+0000 40037 1201
10.0.1.3 127.0.0.1 lo0 0 6168 2013-03-29 01:08:55 UTC+0000 0 0
10.0.1.8 e8:8d:28:cb:67:07 en1 19 924 2013-03-29 11:56:30 UTC+0000 40065 1201
10.0.1.255 ff:ff:ff:ff:ff:ff en1 12 0 2013-03-29 12:13:59 UTC+0000 39913 0
17.171.4.15 10.0.1.1 en1 39 39 2013-03-29 01:08:55 UTC+0000 0 0
17.172.232.105 10.0.1.1 en1 2 60 2013-03-29 01:09:16 UTC+0000 0 0
17.172.238.203 10.0.1.1 en1 0 58 2013-03-29 01:09:46 UTC+0000 0 0
[snip]
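Both the mac_arp table above and the mac_route table share the same column layout (Source IP, Dest. IP, Name, Sent, Recv, Time, Exp., Delta), and the route table has rows where the second column is empty (the `10.0.1.0 en1 ...` line), which breaks naive column splitting. The following is an added example, not code from Volatility or this page: it parses both outputs by reading fixed fields from the right so the optional second column is handled, picks out the ARP entries that point at a unicast MAC (the hosts the machine actually exchanged frames with, which is what the lateral-movement note above relies on), and lists routes that carried traffic. It assumes the timestamps are always printed as `UTC+0000` as in the samples, and, for route rows, that the first column is the route destination and the second its gateway (the `0.0.0.0` via `10.0.1.1` default route suggests this reading).

```python
import re
from datetime import datetime

# Constructed samples: a subset of the mac_arp and mac_route rows shown above,
# including the header and separator lines the plugin prints.
SAMPLE_ARP = """\
Source IP Dest. IP Name Sent Recv Time Exp. Delta
------------------------ ------------------------ ---------- ------------------ ------------------ ------------------------------ ---------- -----
192.168.228.255 ff:ff:ff:ff:ff:ff vmnet8 10 0 2013-03-29 12:13:59 UTC+0000 39913 0
10.0.1.8 e8:8d:28:cb:67:07 en1 19 924 2013-03-29 11:56:30 UTC+0000 40065 1201
10.0.1.1 00:26:bb:6c:8e:64 en1 4551 4517 2013-03-29 01:08:53 UTC+0000 40318 40310
"""

SAMPLE_ROUTE = """\
0.0.0.0 10.0.1.1 en1 4342 50431 2013-03-29 01:08:55 UTC+0000 0 0
10.0.1.0 en1 8331 31691 2013-03-29 01:08:56 UTC+0000 8 0
10.0.1.3 127.0.0.1 lo0 0 6168 2013-03-29 01:08:55 UTC+0000 0 0
17.171.4.15 10.0.1.1 en1 39 39 2013-03-29 01:08:55 UTC+0000 0 0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_table(text):
    """Parse mac_arp / mac_route rows. The last eight fields are fixed
    (name, sent, recv, date, time, tz, exp, delta); whatever precedes them
    is the source column plus an optional destination column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # header/separator/banner lines never end in an integer Delta field
        if len(parts) < 9 or not parts[-1].isdigit():
            continue
        *lead, name, sent, recv, date, clock, tz, exp, delta = parts
        if len(lead) not in (1, 2):
            continue
        # tz is printed as 'UTC+0000'; strip the 'UTC' prefix so %z can parse it
        created = datetime.strptime(f"{date} {clock} {tz[3:]}", "%Y-%m-%d %H:%M:%S %z")
        rows.append({"src": lead[0], "dst": lead[1] if len(lead) == 2 else "",
                     "name": name, "sent": int(sent), "recv": int(recv),
                     "created": created, "exp": int(exp), "delta": int(delta)})
    return rows


def resolved_hosts(arp_rows):
    """ARP entries resolved to a unicast MAC: (ip, mac, total packets).
    Broadcast entries are dropped since they do not identify a peer."""
    return sorted((r["src"], r["dst"], r["sent"] + r["recv"]) for r in arp_rows
                  if MAC_RE.match(r["dst"]) and r["dst"] != BROADCAST)


def active_routes(route_rows):
    """Routes that carried any traffic: (destination, gateway or '', interface).
    A directly connected network has no gateway column."""
    return [(r["src"], r["dst"], r["name"]) for r in route_rows
            if r["sent"] + r["recv"] > 0]


def created_range(rows):
    """Earliest and latest entry creation time, for placing the table on a
    timeline next to other artifacts from the same image."""
    times = [r["created"] for r in rows]
    return min(times), max(times)


if __name__ == "__main__":
    arp = parse_table(SAMPLE_ARP)
    print("hosts seen:", resolved_hosts(arp))
    print("entries created between:", created_range(arp))
    print("routes with traffic:", active_routes(parse_table(SAMPLE_ROUTE)))
```

The unicast list from `resolved_hosts` is the set of internal peers to cross-check against the mac_netstat connections and against network logs; `created_range` shows that an ARP entry's Time column is a creation timestamp, so entries created long after boot (here, around 11:56 versus 01:08) mark the point at which a peer first became interesting.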