Volatility
This tool lets you work with images of volatile memory (RAM dumps): analyse them and recover data about the state the system was in when the dump was taken (processes, connections, credentials, files).
Use the imageinfo plugin to find out which operating system the dump came from; it prints one or more suggested profiles:
sudo python vol.py -f memorydumpname imageinfo
To see the profiles, plugins and address spaces this Volatility build supports (for example to check a suggested profile name), use --info:
sudo python vol.py --info
List running processes (pstree shows the parent/child tree, pslist the flat list; use the profile identified above):
sudo python vol.py -f memorydumpname --profile=profile_identified pstree
sudo python vol.py -f memorydumpname --profile=profile_identified pslist
Command line of each process (process - pid - cmdline):
sudo vol.py -f memorydumpname --profile=profile_identified cmdline
(cmdscan instead recovers command history from console buffers.)
filescan: scans memory for file objects, so it shows files that were open on the system, including files hidden or already closed by malicious software:
sudo vol.py -f memorydumpname --profile=profile_identified filescan
netscan: lists network connections and listening sockets (active and recently closed), so you can determine where traffic was coming from or going to:
sudo vol.py -f memorydumpname --profile=profile_identified netscan
hashdump: extracts the password hashes of the local user accounts and prints the hashed credentials:
sudo vol.py -f memorydumpname --profile=profile_identified hashdump
Each output line has the form user:RID:LM-hash:NT-hash:::, so if they ask for a user's NTLM hash it is the fourth field of that user's line.
If they ask how many users there are, count the lines: 3 (admin - guest - halaomr).
If hashdump finds nothing on its own, locate the hives manually:
hivelist: lists the registry hives in memory with their virtual addresses. The SAM hive holds the user accounts and their password hashes, and the SYSTEM hive holds the boot key needed to decrypt them, so both addresses are required:
sudo vol.py -f memorydumpname --profile=profile_identified hivelist
Then pass the virtual addresses of SYSTEM (-y) and SAM (-s) to hashdump:
sudo vol.py -f memorydumpname --profile=profile_identified hashdump -y SystemAddress -s SAMAddress > hashes.txt
mftparser: scans the memory dump for MFT entries and prints the attributes of each record it finds ($STANDARD_INFORMATION, $FILE_NAME and, for resident files, $DATA):
sudo vol.py -f memorydumpname --profile=profile_identified mftparser > mft.txt
The result is a text file with every MFT record that could be recovered, in plain text. Search it for the record of anyfile.txt; because the file is small (resident: its content fits inside the MFT record itself, up to a few hundred bytes), the $DATA attribute is printed as a hex dump in the record and you can read the file content directly from it. Larger files are non-resident, so their $DATA only points at clusters on disk and nothing of the content appears here.
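For the hashdump and hivelist steps above, here is an added Python example (not part of these notes and not Volatility's own code). It parses constructed samples of hivelist and hashdump output: it pulls the SYSTEM and SAM virtual addresses out of hivelist to build the hashdump -y/-s fallback command, and reads hashdump lines to count users and return a given user's NT hash. The sample outputs, the dump name memorydumpname and the profile name Win7SP1x64 are constructed; the flags (-f, --profile, hashdump -y/-s) are the real Volatility 2 ones.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `vol.py -f <dump> --profile=<profile> hivelist` output
# (Virtual / Physical / Name columns); not taken from a real dump.
HIVELIST_OUTPUT = r"""Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000002d4bc010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a00000f010 0x000000002d5ad010 [no name]
0xfffff8a0000b5010 0x000000002b6ef010 \SystemRoot\System32\Config\SAM
0xfffff8a000d2e010 0x000000001f43a010 \??\C:\Users\admin\ntuser.dat
"""

# Constructed sample of hashdump output (user:RID:LM:NT:::); the hash values
# are placeholders, not credentials from a real system.
HASHDUMP_OUTPUT = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
halaomr:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

# Well-known sentinel values: the LM field Windows emits when LM hashing is
# disabled, and the NT hash of an empty password.
LM_DISABLED = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

HIVE_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*)$")


def parse_hivelist(text: str) -> List[Tuple[int, int, str]]:
    """Return (virtual, physical, name) for every hive row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = HIVE_ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3).strip()))
    return rows


def find_hive(rows: List[Tuple[int, int, str]], basename: str) -> Optional[int]:
    """Virtual address of the hive whose path ends in `basename` (SYSTEM, SAM, ...)."""
    for virt, _phys, name in rows:
        if name.rsplit("\\", 1)[-1].lower() == basename.lower():
            return virt
    return None


def build_hashdump_command(dump: str, profile: str, hivelist_text: str) -> List[str]:
    """argv for the manual fallback: hashdump -y <SYSTEM va> -s <SAM va>."""
    rows = parse_hivelist(hivelist_text)
    system_va = find_hive(rows, "SYSTEM")
    sam_va = find_hive(rows, "SAM")
    if system_va is None or sam_va is None:
        raise ValueError("SYSTEM or SAM hive not present in hivelist output")
    return ["vol.py", "-f", dump, f"--profile={profile}", "hashdump",
            "-y", hex(system_va), "-s", hex(sam_va)]


def parse_hashdump(text: str) -> Dict[str, dict]:
    """Map user name -> fields of its hashdump line (user:RID:LM:NT:::)."""
    users: Dict[str, dict] = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # not a user:RID:LM:NT line (banner, warning, blank)
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        users[user] = {
            "rid": rid,
            "lm": lm,
            "nt": nt,
            "lm_disabled": lm == LM_DISABLED,
            "empty_password": nt == NT_EMPTY,
        }
    return users


def user_count(text: str) -> int:
    """Number of accounts in the hashdump output (the 'how many users' question)."""
    return len(parse_hashdump(text))


def nt_hash(text: str, user: str) -> Optional[str]:
    """NT (NTLM) hash of `user`, i.e. the fourth field of that user's line."""
    entry = parse_hashdump(text).get(user)
    return entry["nt"] if entry else None


if __name__ == "__main__":
    print(" ".join(build_hashdump_command("memorydumpname", "Win7SP1x64", HIVELIST_OUTPUT)))
    for name, e in parse_hashdump(HASHDUMP_OUTPUT).items():
        note = " (empty password)" if e["empty_password"] else ""
        print(f"{name:<15} RID {e['rid']:<5} NT {e['nt']}{note}")
```

Matching hives by the last path component is deliberate: the SYSTEM hive shows up as \REGISTRY\MACHINE\SYSTEM while SAM shows up under \SystemRoot\System32\Config\, so a fixed prefix would miss one of them; rows named [no name] are simply never matched.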
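For the mftparser step, an added Python example (not from these notes and not Volatility's own code) that searches a constructed mftparser-style text dump for a file's record and rebuilds the bytes of its resident $DATA attribute from the printed hex dump. It returns None when the record's $DATA is non-resident, which is the case the "small == resident" remark is about. The sample records, file names and timestamps are constructed, and the exact column layout is an assumption that approximates mftparser's output; the parser therefore keys on the section headers and on the shape of a hex-dump line rather than on fixed column positions.

```python
import re
from typing import List, Optional

# Constructed sample in the style of `mftparser` text output (not from a real dump).
# Record 1: a small text file whose $DATA is resident and printed as a hex dump.
# Record 2: a large file whose $DATA is non-resident, so no bytes follow the header.
MFT_SAMPLE = r"""***************************************************************************
MFT entry found at offset 0x1e3c400
Attribute: In Use & File
Record Number: 41023
Link count: 2

$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2019-03-12 09:41:07 UTC+0000   2019-03-12 09:44:52 UTC+0000   2019-03-12 09:44:52 UTC+0000   2019-03-12 09:41:07 UTC+0000   Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2019-03-12 09:41:07 UTC+0000   2019-03-12 09:41:07 UTC+0000   2019-03-12 09:41:07 UTC+0000   2019-03-12 09:41:07 UTC+0000   Users\admin\Desktop\anyfile.txt

$DATA
0x00000000  68 65 6c 6c 6f 20 66 72 6f 6d 20 61 20 72 65 73   hello from a res
0x00000010  69 64 65 6e 74 20 66 69 6c 65 0a                  ident file.

***************************************************************************
MFT entry found at offset 0x1e3c800
Attribute: In Use & File
Record Number: 41024
Link count: 1

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2019-03-12 10:02:19 UTC+0000   2019-03-12 10:02:19 UTC+0000   2019-03-12 10:02:19 UTC+0000   2019-03-12 10:02:19 UTC+0000   Users\admin\Downloads\bigfile.bin

$DATA
"""

RECORD_SEP = re.compile(r"^\*{10,}\s*$", re.M)
# "<offset>  <hex bytes>  <ascii>"; offset with or without 0x prefix / trailing colon.
HEXDUMP_LINE = re.compile(r"^\s*(?:0x)?[0-9a-fA-F]{8,16}:?\s+(.*)$")
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}\s?)+")


def split_records(text: str) -> List[str]:
    """One string per MFT record, split on the row of asterisks mftparser prints."""
    return [r for r in RECORD_SEP.split(text) if "MFT entry found" in r]


def section(record: str, header: str) -> Optional[List[str]]:
    """Lines of one attribute section (e.g. '$DATA') up to the next blank line; None if absent."""
    lines = [l.rstrip() for l in record.splitlines()]
    if header not in lines:
        return None
    out = []
    for line in lines[lines.index(header) + 1:]:
        if not line.strip():
            break
        out.append(line)
    return out


def record_path(record: str) -> Optional[str]:
    """Name/Path column of the $FILE_NAME table (last field of its last row).
    Assumption: the path contains no spaces; otherwise a column-width parser is needed."""
    rows = section(record, "$FILE_NAME")
    if not rows:
        return None
    return rows[-1].split()[-1]


def hexdump_bytes(lines: List[str]) -> bytes:
    """Rebuild bytes from hex-dump lines. The hex column is single-space separated;
    a run of two or more spaces marks the start of the ASCII column (assumed layout)."""
    data = bytearray()
    for line in lines:
        m = HEXDUMP_LINE.match(line)
        if not m:
            break
        hex_field = re.split(r"\s{2,}", m.group(1).strip(), maxsplit=1)[0]
        if not HEX_RUN.fullmatch(hex_field):
            break
        data += bytes.fromhex(hex_field)
    return bytes(data)


def resident_data(mft_text: str, filename: str) -> Optional[bytes]:
    """$DATA content of `filename` if its MFT record carries the data resident, else None."""
    target = filename.lower()
    for rec in split_records(mft_text):
        path = record_path(rec)
        if path is None or path.rsplit("\\", 1)[-1].lower() != target:
            continue
        data_lines = section(rec, "$DATA")
        if not data_lines:
            return None  # record found, but no resident bytes were printed
        return hexdump_bytes(data_lines) or None
    return None


if __name__ == "__main__":
    content = resident_data(MFT_SAMPLE, "anyfile.txt")
    print(content.decode("utf-8", "replace") if content else "anyfile.txt: no resident $DATA")
    print("bigfile.bin resident?", resident_data(MFT_SAMPLE, "bigfile.bin") is not None)
```

Run against a real mft.txt by reading the file into resident_data instead of MFT_SAMPLE; if the function returns None for a file you know is small, check whether the hex-dump line shape in that Volatility version differs from the assumed one before concluding the data was not resident.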