Volatility
Volatility is a memory-forensics framework: it parses images of volatile memory (RAM dumps) and reconstructs the state the machine was in when the image was taken, such as its processes, open files, network connections and registry data.
Use the imageinfo plugin to identify the operating system the dump came from; it suggests the profile that every later plugin needs (passed with --profile).
Other general information, including the full list of supported profiles and available plugins, is printed with the --info option.
pslist: list the running processes.
cmdline: for each process, show its name, PID and the full command line it was started with.
filescan: display the files open on the system; because it scans memory for file objects rather than walking handle tables, it also surfaces files that malicious software has hidden from the live system.
netscan: list network connections and listening sockets with their local and remote addresses, which tells you where traffic was coming from or going to (Vista and later; on XP/2003 use connections, connscan and sockets instead).
hashdump: extract the password hashes and display the hashed credentials for the local user accounts.
If they ask for the NTLM hash: each hashdump line has the form user:RID:LM hash:NT hash:::, so the NTLM (NT) hash is the fourth colon-separated field.
If they ask how many users: 3 in this image (admin, guest and halaomr).
If hashdump finds no information on its own, locate the hives manually:
hivelist: list the registry hives present in memory with their virtual addresses. The SAM hive holds the user account hashes, and the SYSTEM hive holds the boot key needed to decrypt them.
Then dump the hashes by giving hashdump the virtual address of SYSTEM with -y and of SAM with -s:
mftparser: scans the memory dump for MFT entries and prints the information held in certain attribute types ($STANDARD_INFORMATION, $FILE_NAME, $DATA).
The result is a text file with all recovered MFT records in plaintext.
Search it for the record of anyfile.txt. Because the file is small (a few hundred bytes, i.e. resident), its content is stored in the $DATA attribute inside the MFT record itself, so mftparser prints the data and you can read it directly.
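The following is an added example and is not part of the original notes: a POSIX shell script that wraps the Volatility 2 command line for the hash-dumping steps (hivelist, then hashdump -y/-s) and the mftparser lookup above, and parses the plugin output so the answers (user count, NTLM hashes, a resident file's record) can be pulled out without reading screenshots. vol.py, the IMAGE and PROFILE environment variables and the file name mft.txt are assumptions; the hivelist, hashdump and mftparser outputs embedded at the bottom are constructed samples for an offline check, not taken from a real image.

```shell
#!/bin/sh
# Added example (not from the original notes). IMAGE, PROFILE and VOL are
# assumed environment variables; the parsing helpers below never run vol.py,
# so they can be exercised on the constructed samples without an image.
set -eu

VOL="${VOL:-vol.py}"

# Run a Volatility 2 plugin against $IMAGE with the profile chosen from imageinfo.
vol2() {
    "$VOL" -f "$IMAGE" --profile="$PROFILE" "$@"
}

# hivelist prints "Virtual Physical Name" plus a dashed line, then one hive per
# line. Print the virtual address of the hive whose path ends with NAME
# (SYSTEM or SAM); suffix matching avoids regex escaping of the backslashes.
hive_addr() {
    awk -v want="$1" 'NR > 2 && substr($NF, length($NF) - length(want) + 1) == want { print $1; exit }'
}

# hashdump lines are user:RID:LM:NT::: ; the NT field is the NTLM hash.
ntlm_hashes() {
    awk -F: 'NF >= 4 { print $1 ":" $4 }'
}

# Number of accounts in hashdump output.
count_users() {
    awk -F: 'NF >= 4 { n++ } END { print n + 0 }'
}

# The procedure from the notes: find the SYSTEM and SAM hives, then feed their
# virtual addresses to hashdump with -y (SYSTEM) and -s (SAM).
dump_hashes() {
    hives="$(vol2 hivelist)"
    sys="$(printf '%s\n' "$hives" | hive_addr SYSTEM)"
    sam="$(printf '%s\n' "$hives" | hive_addr SAM)"
    vol2 hashdump -y "$sys" -s "$sam"
}

# mftparser separates records with a line of asterisks. Print the whole record
# whose text mentions the wanted file name; for a resident file the $DATA
# attribute (and therefore the file content) is part of that record.
mft_record() {
    awk -v want="$1" '
        /^\*\*\*\*/ { if (index(buf, want)) printf "%s", buf; buf = ""; next }
        { buf = buf $0 "\n" }
        END { if (index(buf, want)) printf "%s", buf }'
}

# Write every MFT record to mft.txt (assumed file name), then show one file's record.
find_file_record() {
    vol2 mftparser --output-file=mft.txt
    mft_record "$1" < mft.txt
}

# ---- Constructed sample output (not from any real image) for offline checks ----
SAMPLE_HIVELIST='Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000002d50f010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a0000be010 0x000000001d5d7010 \SystemRoot\System32\Config\SAM
0xfffff8a000102010 0x0000000020c4a010 \SystemRoot\System32\Config\SECURITY'

# The LM/NT values are the well-known hashes of an empty password.
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
halaomr:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'

# Two abbreviated records in mftparser layout; anyfile.txt is resident, so its
# bytes appear under $DATA.
SAMPLE_MFT='***************************************************************************
MFT entry found at offset 0x1d5a400
Attribute: In Use & File
Record Number: 42

$FILE_NAME
Name/Path: Users\halaomr\Desktop\anyfile.txt

$DATA
0000000000: 68 65 6c 6c 6f 20 66 72 6f 6d 20 6d 65 6d 6f 72   hello.from.memor
0000000010: 79 0a                                             y.

***************************************************************************
MFT entry found at offset 0x1d5a800
Attribute: In Use & File
Record Number: 43

$FILE_NAME
Name/Path: Users\halaomr\Desktop\other.txt'
```

On a real image, export IMAGE and PROFILE (the profile imageinfo suggested) and call dump_hashes, or find_file_record anyfile.txt; the samples only exist so the parsers can be checked without a dump.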