In digital forensics, the term logical extraction usually refers to an acquisition that does not recover deleted data and does not produce a full bit-by-bit copy of the evidence; it is analogous to copying and pasting a folder in order to extract data from a system.
The process therefore copies only the files the user can access and see: hidden or deleted files present in the folder being copied will not appear in the pasted copy.
[email protected]:~# volatility imageinfo -f test.elf
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/root/test.elf)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80001a4a110L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80001a4bd00L
KPCR for CPU 1 : 0xfffff880009c5000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2017-11-03 09:22:45 UTC+0000
Image local date and time : 2017-11-03 10:22:45 +0100
2. List the registry hives
With the correct profile, the hivelist plugin lists the registry hives present in the memory dump; the virtual offsets it prints are what later plugins such as printkey take with -o. If the chosen profile is wrong, hivelist returns nothing or garbage, so try the next profile suggested by imageinfo:
[email protected]:~# volatility -f test.elf hivelist --profile=Win2008R2SP1x64_23418
Volatility Foundation Volatility Framework 2.6
Virtual Physical Name
0xfffff8a000610010 0x00000001178a6010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000e55010 0x000000010df7e010 \SystemRoot\System32\Config\SECURITY
0xfffff8a000e77010 0x000000010d067010 \SystemRoot\System32\Config\SAM
0xfffff8a000ec8410 0x000000010c552410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a000ed8010 0x000000010c967010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a0016a5010 0x00000000dadb3010 \??\C:\Users\GuestUser\ntuser.dat
0xfffff8a00178b010 0x00000000dac4f010 \??\C:\Users\GuestUser\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a001d4e010 0x00000000d1d08010 \??\C:\System Volume Information\Syscache.hve
0xfffff8a004314410 0x0000000116368410 \SystemRoot\System32\Config\DEFAULT
0xfffff8a008d69010 0x000000009ec82010 \??\C:\Windows\System32\config\COMPONENTS
0xfffff8a00000f010 0x0000000115010010 [no name]
0xfffff8a000025010 0x000000011501c010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000053010 0x000000000224b010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a00058e010 0x0000000117ad6010 \Device\HarddiskVolume1\Boot\BCD
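An added example, not from the original post: a Python snippet that parses the hivelist output above, picks the SOFTWARE, SYSTEM and per-user NTUSER.DAT hives by name, and builds the Volatility 2 printkey commands (-o hive offset, -K key) for the registry keys discussed in the rest of this article. The key paths are assumed from common forensic references rather than taken from the page (on Vista and later the ComDlg32 keys are the *PidlMRU variants), ControlSet001 is an assumption that must be confirmed against Select\Current in the SYSTEM hive, and the sample input is a pasted subset of the output above.

```python
import re
import shlex

# Constructed sample input: a subset of the hivelist output shown above,
# pasted as-is (offsets and names are the ones printed by the plugin).
HIVELIST_OUTPUT = r"""
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
0xfffff8a000610010 0x00000001178a6010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000e55010 0x000000010df7e010 \SystemRoot\System32\Config\SECURITY
0xfffff8a000e77010 0x000000010d067010 \SystemRoot\System32\Config\SAM
0xfffff8a000ec8410 0x000000010c552410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a0016a5010 0x00000000dadb3010 \??\C:\Users\GuestUser\ntuser.dat
0xfffff8a00178b010 0x00000000dac4f010 \??\C:\Users\GuestUser\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a00000f010 0x0000000115010010 [no name]
0xfffff8a000025010 0x000000011501c010 \REGISTRY\MACHINE\SYSTEM
"""

# One hive per line: virtual offset, physical offset, hive name (may contain spaces).
HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")

# Keys discussed in this article, grouped by the hive that stores them.
# Assumed from common forensic references, not taken from the page. ControlSet001 is
# an assumption: read Select\Current in the SYSTEM hive to learn which set was live.
KEYS_OF_INTEREST = {
    "software": [
        r"Microsoft\Windows\CurrentVersion\Run",
        r"Microsoft\Windows\CurrentVersion\RunOnce",
        r"Microsoft\Windows\CurrentVersion\Uninstall",
        r"Classes\exefile\shell\open\command",
    ],
    "system": [
        r"ControlSet001\Control\Session Manager\Memory Management",
    ],
    "ntuser": [
        r"Software\Microsoft\Windows\CurrentVersion\Run",
        r"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU",
        r"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU",
        r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",
        r"Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU",
        r"Software\Microsoft\Internet Explorer\TypedURLs",
    ],
}


def parse_hivelist(text):
    """Return [(virtual_offset, physical_offset, hive_name), ...] from hivelist output."""
    hives = []
    for line in text.splitlines():
        m = HIVE_LINE.match(line.strip())
        if m:
            hives.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return hives


def hive_kind(name):
    """Classify a hive by its file name; only hives under \\Users\\ count as 'ntuser'."""
    base = name.rsplit("\\", 1)[-1].lower()
    if base == "software":
        return "software"
    if base == "system":
        return "system"
    if base == "ntuser.dat" and "\\users\\" in name.lower():
        return "ntuser"
    return None


def build_printkey_commands(hives, image, profile):
    """Emit one printkey invocation per (hive, key) pair; -o takes the *virtual* offset."""
    cmds = []
    for virt, _phys, name in hives:
        for key in KEYS_OF_INTEREST.get(hive_kind(name), []):
            cmds.append("volatility -f {} --profile={} printkey -o {:#x} -K {}".format(
                shlex.quote(image), profile, virt, shlex.quote(key)))
    return cmds


if __name__ == "__main__":
    for cmd in build_printkey_commands(parse_hivelist(HIVELIST_OUTPUT),
                                       "test.elf", "Win2008R2SP1x64_23418"):
        print(cmd)
```

The service-profile NTUSER.DAT hives (LocalService, NetworkService) are skipped on purpose: they rarely hold user activity, and mixing them in hides the hive you care about. Printing the commands rather than running them keeps the example offline and lets you review the offsets before touching the image.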
The Windows registry is an excellent source of evidential data; knowing what information can exist in the registry, and where it lives, is critical during forensic analysis.
This key maintains a list of files recently opened or saved through Windows Explorer-style Open/Save dialog boxes.
For instance, files (e.g. .txt, .pdf, .htm, .jpg) recently opened or saved from within a web browser are recorded here.
Documents opened or saved through Microsoft Office programs are not recorded.
Whenever a new entry is added to the OpenSaveMRU key, a registry value is created or updated in
This key correlates with the OpenSaveMRU key and adds extra information: each binary value under it holds the executable filename of a recently used program together with the folder path of a file that the program was used to open or save.
The list of files recently opened directly from Windows Explorer is stored in
This key holds the 25 most recent URLs (or file paths) typed into the Internet Explorer (IE) or Windows Explorer address bar. It records only links that were fully typed, auto-completed while typing, or selected from the list of stored URLs in the IE address bar.
Websites visited through IE Favorites are not recorded, and if the user clears the URL history with Clear History in IE's Internet Options, this key is removed completely.
This key holds the configuration of Windows virtual memory. The paging file (usually C:\pagefile.sys) may contain evidential information that can be lost once the suspect computer is shut down.
The key contains a value named ClearPageFileAtShutdown that specifies whether Windows should wipe the paging file at shutdown (by default it does not).
Check this value before shutting down a suspect computer! If it is set to 1, acquire the pagefile (or image the disk) while the system is still running.
This key contains recent search terms entered through the default Windows search.
There may be up to four subkeys:
5001: Contains list of terms used for the Internet Search Assistant
5603: Contains the list of terms used for the Windows files and folders search
5604: Contains list of terms used in the “word or phrase in a file” search
5647: Contains list of terms used in the “for computers or people” search
Each program listed in Control Panel > Add/Remove Programs corresponds to one subkey of this key:
which is located under the respective device GUID subkey, in the binary registry value named Data.
This key is a point of interest during a forensic analysis: it records shares on remote systems, such as C$, Temp$, etc.
The presence of ProcDump suggests that credentials were dumped from the lsass.exe address space; sc.exe suggests persistence added through a created or modified service; .rar files may indicate data staged for exfiltration.
The history of recently mapped network drives is stored in
This first key usually contains the paths of programs or components that run automatically at system startup without any user interaction; malware commonly leaves a trace in this key so that it persists across reboots.
RunOnce and RunOnceEx (the latter originally documented for Win98/Me)
These keys identify programs that run only once, at the next startup, and can be assigned to a specific user account (HKCU) or to the machine (HKLM):
Modifying this key requires administrative privileges.
This feature could be exploited to launch a completely different program under the cover of the original one.
This key contains the command used to execute any file with an .exe extension:
Normally, this key holds a single default value with data "%1" %*. If the data has been changed to something like somefilename.exe "%1" %*, the investigator should suspect that some other, hidden program is invoked automatically whenever an .exe file is executed.
Malware commonly modifies this value to load itself covertly.
This technique applies to other similar keys, including:
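An added example, not from the original page: Python checks that take registry values already pulled out of the image (for instance with printkey) and flag the conditions described in this section: a rewritten exefile\shell\open\command default, autostart entries running from user-writable directories, and ClearPageFileAtShutdown set. The sibling file-class keys (batfile, cmdfile, comfile, piffile, scrfile) are an assumed generalisation of the exefile case, the suspicious-directory list is a heuristic chosen for the example, and the sample registry values are constructed.

```python
import re

# Default data of Classes\exefile\shell\open\command on a clean system.
CLEAN_OPEN_COMMAND = '"%1" %*'

# Sibling file-class keys abused the same way. Assumed generalisation of the
# exefile case, not a list taken from the page.
FILE_CLASS_KEYS = [r"Classes\%s\shell\open\command" % cls
                   for cls in ("exefile", "batfile", "cmdfile", "comfile", "piffile", "scrfile")]

RUN_KEYS = (r"Microsoft\Windows\CurrentVersion\Run",
            r"Microsoft\Windows\CurrentVersion\RunOnce")

# ControlSet001 is an assumption; confirm against Select\Current in the SYSTEM hive.
MEMORY_MANAGEMENT_KEY = r"ControlSet001\Control\Session Manager\Memory Management"

# Directories a legitimate autostart entry rarely runs from. A heuristic chosen for
# this example: hits are leads to verify against the file on disk, not verdicts.
SUSPICIOUS_DIRS = re.compile(r"\\(Temp|AppData|ProgramData|Public|Downloads)\\", re.IGNORECASE)


def injected_program(command_data):
    """Return the program a shell\\open\\command value runs before the real target, or None if clean.

    A clean value is exactly "%1" %*. A hijacked value of the form <program> "%1" %*
    hands every launched executable to <program> first.
    """
    data = " ".join(command_data.split())  # ignore whitespace-only differences
    if data == CLEAN_OPEN_COMMAND:
        return None
    if data.endswith(" " + CLEAN_OPEN_COMMAND):
        return data[:-len(CLEAN_OPEN_COMMAND)].strip()
    return data  # rewritten beyond the usual pattern: report the whole command


def suspicious_run_entries(run_values):
    """Given {value_name: command_line} from a Run/RunOnce key, return the suspect value names."""
    return [name for name, cmd in run_values.items() if SUSPICIOUS_DIRS.search(cmd)]


def pagefile_cleared_at_shutdown(dword):
    """ClearPageFileAtShutdown == 1 means pagefile.sys is wiped when the machine shuts down."""
    return int(dword) == 1


def assess(registry):
    """Run all checks over a {key: {value_name: data}} mapping; '' names the default value."""
    findings = []
    for key in FILE_CLASS_KEYS:
        default = registry.get(key, {}).get("")
        if default is not None and injected_program(default) is not None:
            findings.append("%s default rewritten to run: %s" % (key, injected_program(default)))
    for key in RUN_KEYS:
        for name in suspicious_run_entries(registry.get(key, {})):
            findings.append("%s\\%s starts from a user-writable location" % (key, name))
    mm = registry.get(MEMORY_MANAGEMENT_KEY, {})
    if pagefile_cleared_at_shutdown(mm.get("ClearPageFileAtShutdown", 0)):
        findings.append("ClearPageFileAtShutdown=1: acquire the pagefile before shutting down")
    return findings


# Constructed sample values, shaped like what printkey would return from the
# SOFTWARE and SYSTEM hives. Not real data from the image discussed above.
SAMPLE_REGISTRY = {
    r"Classes\exefile\shell\open\command": {"": r'C:\Users\Public\svchost.exe "%1" %*'},
    r"Classes\batfile\shell\open\command": {"": '"%1" %*'},
    r"Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
        "Updater": r"C:\Users\GuestUser\AppData\Roaming\upd.exe /silent",
    },
    MEMORY_MANAGEMENT_KEY: {"ClearPageFileAtShutdown": 1},
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_REGISTRY):
        print(finding)
```

The whitespace normalisation in injected_program matters: an attacker who sets the value to `"%1"  %*` with a doubled space has not changed behaviour, and flagging it as a hijack would be a false positive, whereas anything prepended to the pass-through really does run first.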