Saturday, February 11, 2012

Perl Script to Look for Meterpreter with Volatility Output

So I do not know if you guys read my blog posting which talked about memory analysis. One of the things I mentioned was looking for DLLs Meterpreter uses in processes where they normally should not be. That was based on a post originating from Command Line Kung Foo (we're not worthy! we're not worthy!). So I had to do some Meterpreter stuff for work and decided I would write a blog post about the forensics side of it. One of the things I did was take a memory dump and run the dlllist module. I started using Mandiant's Highlighter (a pretty awesome tool, wish I had started using it sooner) and started to get a bit lazy. I thought.... wouldn't it be awesome if there was a script which would list all processes and flag which ones used either rsaenh.dll or iphlpapi.dll....

So as I am not feeling too well and sitting here watching my hockey team even though I am +5 from the east coast, I decided why not write a script to do just that. It's not hard!

So here you have my Meterpreter Finder Script!

It's pretty easy to navigate. If you are running it from Windows, make sure you have ActiveState Perl installed. It asks for your input file (your dlllist output from Volatility) as well as where you want to direct the output to.

[Screenshot: Entering Your Input/Output]

It should not take too long and you should then be presented with the following screen. This reminds you which processes regularly (and legitimately) use the two DLLs.

[Screenshot: Script Done!]
So the output file is not pretty by any means but it gets the jo(r)b done.

[Screenshot: Snippet of Output File]
So I know there are many ways to do this: YARA would probably work, another Meterpreter script, a bit more fiddling with Highlighter... so just consider this (yet another) way to quickly see which processes have these two DLLs loaded. If you see the DLLs being used by a process other than the normal ones listed and you are unsure whether it normally uses them, run the program on a known clean system, take a memory dump, then run the Volatility dlllist module and check the process yourself.
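The same check as an added Python example (not the author's Perl script): it parses Volatility 2 dlllist output, records which DLLs each process loaded, and reports any process outside a baseline that has rsaenh.dll or iphlpapi.dll mapped. The baseline set and the dlllist excerpt are constructed placeholders; the post's own list of normal processes is only shown in a screenshot.

```python
import re

# The two DLLs the post singles out as Meterpreter indicators.
SUSPECT_DLLS = {"rsaenh.dll", "iphlpapi.dll"}

# Placeholder baseline of processes that legitimately load these DLLs (assumed values;
# the post's own list is only in a screenshot, so build yours from a known-clean dump).
BASELINE_PROCESSES = {"lsass.exe", "svchost.exe", "explorer.exe"}

PROC_RE = re.compile(r"^(\S+)\s+pid:\s+(\d+)")                       # "notepad.exe pid:   1912"
DLL_RE = re.compile(r"^0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(.*)$")     # Base, Size, then the rest
PATH_RE = re.compile(r"(?:[A-Za-z]:)?\\.*$")                         # path starts at "C:\" or "\"

def parse_dlllist(text):
    """Map (process name, pid) -> list of lower-cased DLL basenames from dlllist output."""
    loaded, current = {}, None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            loaded.setdefault(current, [])   # record the process even if it lists no DLLs
            continue
        m = DLL_RE.match(line)
        if m and current is not None:
            p = PATH_RE.search(m.group(1))   # skip LoadCount/LoadTime columns, keep the path
            if p:
                loaded[current].append(p.group(0).rsplit("\\", 1)[-1].lower())
    return loaded

def find_suspects(text, baseline=BASELINE_PROCESSES):
    """Processes outside the baseline that load either suspect DLL, as (name, pid, dlls)."""
    hits = []
    for (name, pid), dlls in parse_dlllist(text).items():
        matched = sorted(SUSPECT_DLLS & set(dlls))
        if matched and name.lower() not in baseline:
            hits.append((name, pid, matched))
    return hits

# Constructed dlllist excerpt in the Volatility 2 layout (not a real dump).
SAMPLE = r"""************************************************************************
lsass.exe pid:    680
0x01000000            0xd000     0xffff C:\WINDOWS\system32\lsass.exe
0x0ffd0000           0x2b000     0x0001 C:\WINDOWS\system32\rsaenh.dll
************************************************************************
notepad.exe pid:   1912
0x01000000           0x14000     0xffff C:\WINDOWS\system32\notepad.exe
0x76d60000           0x19000     0x0001 C:\WINDOWS\system32\iphlpapi.dll
0x0ffd0000           0x2b000     0x0001 C:\WINDOWS\system32\rsaenh.dll
"""
```

On a real dump, read the saved dlllist output into a string and pass it to find_suspects(); lsass.exe is filtered out by the baseline above, while notepad.exe is reported because it loads both DLLs.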

Friday, February 03, 2012

Mounting E01 and VMDK in Linux

So I know there is plenty of documentation out there, but it always seems I hit exceptions where these things never work 100% like they are supposed to. Hence I figure why not throw one more HOWTO into the mix, so if someone encounters the same issues they do not have to fret.

E01 files--
So the SANS blog covers this pretty well, so I feel no need to expound on it too much. Here are my suggestions:
  • Switch to root right away and save yourself the heartache
  • When using the mount command to mount an NTFS volume, set the type as ntfs-3g
  • I noticed SIFT 2.1 does not have ewfmount; has a better backup tool been installed in its place?

VMDK files--
So I had been pointed to a post on Digensics, but I had problems starting with mmls. I first discovered I had to add the '-i aff' parameter to get mmls to determine the disk structure of the VMDK file. And I do not know why, but mounting just was not working, even when trying different options.

[Screenshot: Sadly... I get this error a lot]
I needed to figure out a workaround. I found it here: the Virtual Disk Development Kit (VDDK) from VMware. Download it for your OS (in my case Linux), untar the file, then run the Perl script 'vmware-install.pl'. Let her rip! This installs a few useful tools for us, but the one I am most interested in is vmware-mount. You can see the documentation here.

So once the VDDK is installed you can invoke the vmware-mount command. The basic parameters it takes are:
vmware-mount diskPath [partition number] mountPoint
Read the documentation or just run 'vmware-mount' to see all the parameters it accepts. A useful one for forensics is the read-only parameter (-r). So I simply pointed it to my VMDK file and to where I wanted it mounted on my Linux workstation.

[Screenshot: Currently Trying to Figure Out How to Fix the Error... Still the Command DID Execute Successfully]
So if you have created snapshots, you can only modify the last one, which in my case is 000022.vmdk, so it is telling me 'Sorry, I can only mount the one you are asking for as read-only'. Which is fine for me!

The whole point of this was being able to run log2timeline-sift on more than just DD files; I think a timeline is a great asset to have when you have a case. Running the tool seemed to work pretty well (i.e. no errors), but I might just test it by running all the commands myself and comparing the output. Has anyone run into discrepancies between the automated and the DIY process of log2timeline?

UPDATE: If you get the same VixDiskLib error I did, check out this message board posting. Benichou's fix worked for me: pointing the links to the correct library. Score.