Targets/Modules wishlist

[AndrewRathbun]

Is there anything KAPE is currently missing? Let me know and I'm happy to fulfill requests.

[berakuda-cyber]

Currently the memory module uses the binary 'volatility_2.6_win64_standalone.exe'. The stand alone executable appears to be last updated in 2016 and only lists the following Windows 10 profiles:
Profiles

Win10x64 - A Profile for Windows 10 x64
Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x86 - A Profile for Windows 10 x86
Win10x86_10586 - A Profile for Windows 10 x86 (10.0.10586.420 / 2016-05-28)
Win10x86_14393 - A Profile for Windows 10 x86 (10.0.14393.0 / 2016-07-16)

• because the memory captures being analyzed are from versions of Windows 10 that are current, the above profiles do not produce any results when the KAPE memory modules are run.

An updated version of Volatility lists the following Windows 10 profiles:
$ vol.py --info | grep x64
Volatility Foundation Volatility Framework 2.6.1
Win10x64 - A Profile for Windows 10 x64
Win10x64_10240_17770 - A Profile for Windows 10 x64 (10.0.10240.17770 / 2018-02-10)
Win10x64_10586 - A Profile for Windows 10 x64 (10.0.10586.306 / 2016-04-23)
Win10x64_14393 - A Profile for Windows 10 x64 (10.0.14393.0 / 2016-07-16)
Win10x64_15063 - A Profile for Windows 10 x64 (10.0.15063.0 / 2017-04-04)
Win10x64_16299 - A Profile for Windows 10 x64 (10.0.16299.0 / 2017-09-22)
Win10x64_17134 - A Profile for Windows 10 x64 (10.0.17134.1 / 2018-04-11)
Win10x64_17763 - A Profile for Windows 10 x64 (10.0.17763.0 / 2018-10-12)
Win10x64_18362 - A Profile for Windows 10 x64 (10.0.18362.0 / 2019-04-23)
Win10x64_19041 - A Profile for Windows 10 x64 (10.0.19041.0 / 2020-04-17)

• using the updated profiles in a Linux forensics build (SIFT Workstation), usable output is generated.

Is it possible to update the profiles used by the stand alone Volatility executable?
or
How can the KAPE modules be re-written to use a python application installed on a Windows 10 workstation used to perform the KAPE module analysis?

[stuxnet999]

Hi @berakuda-cyber,

You can use pyinstaller to build the executable directly from source. For info please look here: https://github.com/volatilityfoundation/volatility/wiki/Compiling-Binaries-with-Pyinstaller#windows

Once the executable is compiled, you can then head over to KapeFiles/Modules/Memory/ and change the Executable name to the newly compiled volatility_2.6.1_win64_standalone.exe. That should work for you.

[berakuda-cyber]

In order to compile my own version of a volatility standalone executable, I would need to install the following:

Compiling Binaries with Pyinstaller
gleeda edited this page on Nov 5, 2015 · 4 revisions
Dependencies
In order to have complete support, you should install the following:
Python 2.7
Pyinstaller
Distorm
PyCrypto (Windows Binaries)
Yara (Windows Binaries)
OpenPyxl
PIL

For Windows binaries, you may need a couple more dependencies:
Microsoft Visual C++ Compiler for Python 2.7
Visual Studio or at least the VS C++ 2008 Redistributable Package (x86)

I am busy security practitioner that is trying keep my head above water, not a developer.
Is the someone who has already gone through the steps and is willing to share an updated version with community?

[EricZimmerman]

So your time is more valuable than ours is what you are saying?

You can ask the volatility people to do it I suppose, but it's not our job to do something you consider to be a waste of your time.

[berakuda-cyber]

Wow, that is pretty harsh reply to fair question. After being told to pound sand here, I checked the Volatility git hub issues and found that a number of people are making a similar request - only to get similar responses. Given that Volatility hasn't updated the standalone program in 5 years, one can presume they have no intention to ever update it.
Foolish me thought that the DFIR community would be willing to help out fellow comrades in arms, but it appears the each & every one who wants & needs to the memory analysis modules to work will need to recompile the code & update the KAPE modules on their own.

[EricZimmerman]

except its not a fair question to ask us to do it, because its not a KAPE issue at all.

if the volatility people are not willing, it would be up to someone else to do it. Perhaps. someone that wants the windows version updated, or someone that has made a request for the version to be updated.

Since you asked Volatility and they haven't got around to it, and no one else has decided to step up and get it done, we are left with pretty much no other options.

now, if you wanted to step up (vs expecting everyone else (me, Andrew, Volatility people, people asking volatility people about it, etc) to do so) and build the new volatility exe, think of the accolades and appreciation from all the DFIR people out there!

I don't recall anyone saying for you to pound sand, but its pretty presumptuous of you to think we have all the time in the world to build that for you when you do not feel you should have to (for whatever reason).

in the future, perhaps just posting what the requirements would be to build the exe is enough without mentioning why you cant be bothered to do it.

I get it. its frustrating, but this really isn't a KAPE issue.

[berakuda-cyber]

I get it that KAPE is not responsible for maintaining the programs that it utilizes. KAPE does a wonderful job for every module I have used expect for memory. With memory, if someone installs KAPE & follows instructions in the modules, but runs it against a memory dump from a recent version of Windows 10, no useful output is generated. To help others from getting burned like I did, I have attached updated copies of the KAPE Volatility Modules with the following comments added:

PLEASE BE AWARE: Volatility Foundation no longer maintains the standalone executable.

Memory analysis for Windows 10 x64 (10.0.15063.0 / 2017-04-04) and later are not supported by the standalone executable.

For instructions for creating your own executable with current profiles, refer to: https://github.com/volatilityfoundation/volatility/wiki/Compiling-Binaries-with-Pyinstaller

VolatilityModules.zip

If you actually read my request, I was looking for someone willing to share their that has already been done. The only "extra" lift is to upload a copy to this forum. I am willing to update the KAPE modules to use the updated executable.

However, since I found a functioning work around, I really don't need your "help" any more.