|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     

Last changed: 12.07.2019


During malware analysis it can be necessary to analyze the disk of an infected machine, or even its memory while the malware is running.


Disk analysis


With the open source tool sleuthkit you can examine the partitions of a disk image and the files they contain without having to mount them. Deleted files whose entries are still in the $MFT are also displayed.

mmls image.dd
fls -pro <partition_offset> image.dd > file_listing.txt
grep -f iocs.txt file_listing.txt
istat -o <partition_offset> image.dd <inum>
icat -o <partition_offset> image.dd <inum> > malware.exe

fsstat -o <partition_offset> image.dd

timestamp analysis

fls -r -m C: /mnt/ewf/ewf1 > bodyfile.txt
mactime -d -b bodyfile.txt -z CEST <YYYY-MM-DD to start> > timeline.txt
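The bodyfile that fls -m writes and the timeline that mactime builds from it, as an added example (not from this page or the sleuthkit project): a minimal mactime in Python run over constructed bodyfile lines. The file names, inodes and timestamps in the sample are made up.

```python
# Added example (not from the page): a minimal mactime, run over constructed
# bodyfile lines in the TSK 3.x format that `fls -r -m C:` writes:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds, 0 = unset)
from datetime import datetime, timezone

SAMPLE_BODYFILE = """\
0|C:/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|345088|1561968000|1247532000|1247532000|1247532000
0|C:/Users/bob/AppData/Local/Temp/evil.exe|5678-128-2|r/rrwxrwxrwx|0|0|73728|1562000400|1562000300|1562000300|1562000250
0|C:/Users/bob/AppData/Local/Temp/evil.exe ($FILE_NAME)|5678-48-3|r/rrwxrwxrwx|0|0|73728|1562000250|1562000250|1562000250|1562000250
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")

def parse_bodyfile(text):
    """One dict per line; blank lines and '#' comments are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed bodyfile line: %r" % line)
        entry = dict(zip(FIELDS, parts))
        for k in ("size", "atime", "mtime", "ctime", "crtime"):
            entry[k] = int(entry[k])
        yield entry

def build_timeline(text, start=None, tz=timezone.utc):
    """Rows (datetime, MACB, size, inode, name) sorted by time, like mactime -d.
    Equal timestamps of one file collapse into a single row whose flags say which of
    M(odified) A(ccessed) C(hanged metadata) B(orn) it stands for.
    `start` is an epoch second; rows before it are dropped (mactime's date argument)."""
    rows = []
    for e in parse_bodyfile(text):
        by_ts = {}
        for flag, key in zip("MACB", ("mtime", "atime", "ctime", "crtime")):
            if e[key] > 0:                      # 0 means not set; mactime skips it
                by_ts.setdefault(e[key], set()).add(flag)
        for ts, flags in by_ts.items():
            if start is not None and ts < start:
                continue
            macb = "".join(f if f in flags else "." for f in "MACB")
            rows.append((datetime.fromtimestamp(ts, tz), macb, e["size"], e["inode"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[4]))
    return rows

def format_timeline(rows):
    """Text lines in the spirit of mactime output: date time size MACB inode name."""
    return ["%s %8d %s %s %s" % (r[0].strftime("%Y-%m-%d %H:%M:%S %Z"), r[2], r[1], r[3], r[4])
            for r in rows]
```

Note how the $FILE_NAME entry keeps the original creation time while the $STANDARD_INFORMATION entry of evil.exe carries later modification times, which is the kind of discrepancy a timeline review looks for.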

mount partition from disk image

To mount a specific partition from a disk image you have to find its position first. To avoid modifying the image file, mount it read-only.

fdisk -l disk_image.dd
mount -o ro,loop,offset=$((512 * <START>)),sizelimit=$((512 * <SECTORS>)) disk_image.dd /mnt/part_X

Alternatively use losetup with the partscan option (-P), which creates a device node per partition.

losetup -fP disk_image.dd
losetup -a
mount -o ro /dev/loop0p1 /mnt/part_1

Expert Witness Disk Image Format (EWF)

Many forensic acquisition tools write the compressed EWF file format. The following commands can be used to mount such images.

ewfmount image.E01 /mnt/ewf/
ls -l /mnt/ewf/
mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/win

Volume Shadow Copy Service (VSS)

Windows volume shadow copies can contain older versions of files or deleted files.

vshadowinfo -o <partition_offset> image.dd
vshadowmount /mnt/ewf/ewf1 /mnt/vss
mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/vss/vss1 /mnt/win_vss1

mount lvm volumes

vgscan --cache
vgchange -ay <VOLUME_GROUP>
mount -o ro,loop /dev/<VOLUME_GROUP>/<VOLUME> /mnt/lvm_volume

Other tools that show LVM information are lvmdiskscan and lvdisplay.

Virtual Disk Images (vdi/vmdk)

Converting and mounting virtual disks can be necessary when analyzing them.

convert to virtual disk

xmount --in raw image.dd --cache /tmp/image.overlay --out vdi /tmp/virtual_disk
VBoxManage convertdd /dev/sdb test.vdi --format VDI

convert from virtual disk

VBoxManage clonehd image.vmdk image.raw --format raw
qemu-img convert -f vmdk -O raw image.vmdk image.raw

mount a virtual disk

A virtual disk can be mounted without conversion using qemu-nbd. To do so read-only, use the following commands.

modprobe nbd
qemu-nbd -r -c /dev/nbd1 image.vmdk
mount -o ro /dev/nbd1p1 /mnt/partition1
umount /mnt/partition1
qemu-nbd -d /dev/nbd1

File analysis

Windows has built-in tools to calculate hashes or to encode and decode base64.


certutil -hashfile malware.exe MD5


certutil -encode test.txt test.base64
certutil -decode test.base64 test.txt

base64 (powershell)


verify file signatures

The Windows SDK contains signtool, which can be used to verify the signature of a PE file.

signtool verify /pa /v program.exe

Alternatively, Sysinternals provides sigcheck[64].exe.

sigcheck.exe -accepteula program.exe

find malicious files

The Sysinternals tools can also be used to scan for unsigned binaries on disk or for unsigned DLLs loaded by processes.

sigcheck.exe -u -e c:\windows\*
listdll -u *

Another way to find malicious files is to scan with autoruns, which is also from Sysinternals. Here you can select the following filters in the options to ease the search.

Memory analysis

The open source tool volatility can be used to analyze memory dumps.

volatility --info
volatility <PLUGIN> -h

dump memory from virtualbox

vboxmanage debugvm 'VM Name' dumpvmcore --filename memory.elf
volatility -f memory.elf imageinfo
volatility -f memory.elf vboxinfo
volatility -f memory.elf --profile=Win7SP1x64 imagecopy -O memory.raw

extract binary from memory image

volatility -f memory.elf --profile=Win7SP1x64 pslist | grep evil.exe
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> -D . procdump
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> -D . procdump -m
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> -D . memdump
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> dlllist | grep evil.dll
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> -b <BASE> dlldump -D .
volatility -f memory.elf --profile=Win7SP1x64 modules
volatility -f memory.elf --profile=Win7SP1x64 -b <BASE> -D . moddump
volatility -f memory.elf --profile=Win7SP1x64 unloadedmodules

get binary filesize

readpe -S evil.exe | grep Pointer -B 1

console history

volatility -f memory.elf --profile=Win7SP1x64 consoles
volatility -f memory.elf --profile=Win7SP1x64 cmdscan

file system information

volatility -f memory.elf --profile=Win7SP1x64 mftparser

data carving

The strings tool offers a parameter to print the file offset of each match.

strings -td | grep NEEDLE

bulk_extractor carves known patterns out of an image and generates a report which can be opened in BEViewer.

bulk_extractor memory.image -o dump_directory

Other carving tools to mention are photorec and foremost.

Some volatility plugins also carve known kernel objects out of the image.

volatility -f memory.elf --profile=Win7SP1x64 psscan
volatility -f memory.elf --profile=Win7SP1x64 netscan
volatility -f memory.elf --profile=Win7SP1x64 filescan
volatility -f memory.elf --profile=Win7SP1x64 hivescan
volatility -f memory.elf --profile=Win7SP1x64 mutantscan -s

dump cleartext credentials from crashdump

A memory image can be converted to a crashdump with volatility.

volatility -f memory.elf --profile=Win7SP1x64 raw2dmp -O memory.dmp

This crashdump can be opened in WinDbg. To dump cleartext credentials the mimikatz DLL has to be loaded.

.load /path/to/mimilib.dll
!process 0 0 lsass.exe
.process /r /p <ADDRESS>

analyzing kernel objects in volshell


The Kernel Debugging Data Block (KDBG) virtual address can be found with volatility's imageinfo or kdbgscan plugins.


Interesting content:

Volatility plugins:

volatility -f memory.elf --profile=Win7SP1x64 pslist
volatility -f memory.elf --profile=Win7SP1x64 modules


dt('_LIST_ENTRY', <PsActiveProcessHead>)
dt('_EPROCESS', <Flink>-0x188)
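The arithmetic behind the two dt() calls above, as an added example (not from this page or from volatility): walking PsActiveProcessHead through Flink and subtracting the ActiveProcessLinks offset to get each _EPROCESS, then cross-checking that list against a scan of all process objects the way pslist and psscan are compared. The -0x188 offset is the page's; the other offsets, the toy _EPROCESS layout and the process names are constructed for this example.

```python
# Added example (not from the page): toy _EPROCESS layout; only the -0x188
# ActiveProcessLinks offset comes from the dt() call above, the rest is constructed.
import struct

LINKS_OFF, PID_OFF, NAME_OFF, EPROC_SIZE = 0x188, 0x180, 0x2E0, 0x400
KERNEL_BASE = 0xFFFFF80000000000   # virtual address of byte 0 of the toy image

def read_u64(mem, va):
    return struct.unpack_from("<Q", mem, va - KERNEL_BASE)[0]

def write_u64(mem, va, value):
    struct.pack_into("<Q", mem, va - KERNEL_BASE, value)

def build_image(procs, unlink=()):
    """Constructed image: PsActiveProcessHead at KERNEL_BASE, then one fake _EPROCESS
    per (pid, name), doubly linked through ActiveProcessLinks. Names in `unlink` stay
    in memory but are taken out of the list, like a DKOM-hidden process."""
    mem = bytearray(0x100 + EPROC_SIZE * len(procs))
    bases = [KERNEL_BASE + 0x100 + i * EPROC_SIZE for i in range(len(procs))]
    for base, (pid, name) in zip(bases, procs):
        write_u64(mem, base + PID_OFF, pid)
        off = base - KERNEL_BASE + NAME_OFF
        mem[off:off + 15] = name.encode()[:15].ljust(15, b"\0")
    entries = [KERNEL_BASE] + [b + LINKS_OFF for b, (_, n) in zip(bases, procs) if n not in unlink]
    for i, e in enumerate(entries):          # Flink at +0, Blink at +8 of each _LIST_ENTRY
        write_u64(mem, e, entries[(i + 1) % len(entries)])
        write_u64(mem, e + 8, entries[(i - 1) % len(entries)])
    return mem

def image_name(mem, eproc):
    off = eproc - KERNEL_BASE + NAME_OFF
    return bytes(mem[off:off + 15]).split(b"\0", 1)[0].decode()

def walk_active_processes(mem, head_va=KERNEL_BASE, limit=4096):
    """pslist-style: follow Flink from the head; each entry minus 0x188 is an _EPROCESS."""
    out, flink, seen = [], read_u64(mem, head_va), set()
    while flink != head_va and flink not in seen and len(out) < limit:
        seen.add(flink)                      # stop on a corrupted or looping list
        eproc = flink - LINKS_OFF            # the dt('_EPROCESS', <Flink>-0x188) arithmetic
        out.append((read_u64(mem, eproc + PID_OFF), image_name(mem, eproc)))
        flink = read_u64(mem, flink)
    return out

def scan_processes(mem):
    """psscan-style: visit every _EPROCESS slot in memory, ignoring the list."""
    return [(read_u64(mem, KERNEL_BASE + off + PID_OFF), image_name(mem, KERNEL_BASE + off))
            for off in range(0x100, len(mem), EPROC_SIZE)]

def hidden_processes(mem):  # cross-view: found by the scan but not reachable from the list
    return sorted(set(scan_processes(mem)) - set(walk_active_processes(mem)))
```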

Interesting content:



Interesting content:

Volatility plugins:

volatility -f memory.elf --profile=Win7SP1x64 sessions


Interesting content:

Volatility plugins:

volatility -f memory.elf --profile=Win7SP1x64 -p <PID> dlllist


Interesting content:

The content of the environment variables can be displayed with


Volatility plugins:

volatility -f memory.elf --profile=Win7SP1x64 -p <PID> cmdline
volatility -f memory.elf --profile=Win7SP1x64 -p <PID> envars