I've been wanting to post some analyses here, but haven't really had the time. In trying to solve a puzzle on an analysis, I was told how to do some string mapping in memory. Not very complicated, but there have been many times where I wished I knew which process contained a string. Well, now I can find out =) So now my memscan script looks like this (apologies for the awkward formatting, I blame blogger):
#Simply runs a bunch of my most commonly used volatility plugins
if [ $# -lt 2 ]
#I added the script to /usr/bin/memscan and gave it execute
echo "Useage: memscan imagename profile"
if [ ! -d dump ];
#The script doesn't use this folder, but I do ;)
for plugin in pslist pstree psxview malfind hivelist dlllist
echo "Running $plugin"
python /usr/share/volatility/vol.py -f $1 --profile=$2 $plugin > $plugin.txt
echo "Running autoruns"
python /usr/share/volatility/vol.py --plugins=/usr/share/volatility/contrib/plugins/autoruns /usr/share/volatility/vol.py/contrib/plugins/autoruns-f $1 -- profile=$2 autoruns > autoruns.txt
echo "Running mimikatz"
python /usr/share/volatility/vol.py --plugins=/usr/share/volatility/contrib/plugins -f $1 --profile=$2 mimikatz > passwords.txt
echo "Creating timeline"
python /usr/share/volatility/vol.py -f $1 --profile=$2 mftparser --output=body --output-file=mftparser.txt
mactime -b mftparser.txt -d -z UTC-6 > timeline.txt
echo "Mapping strings"
strings -a -td $1 > full_strings.txt
strings -a -td -el $1 >> full_strings.txt # Second pass for unicode
python /usr/share/volatility/vol.py -f $1 --profile=$2 strings -s full_strings.txt --output-file=mapped_strings.txt