It been a while i did'nt talk about Digital Forensic And Incident Response .

As a core part of cybersecurity ; we must know some concepts related to memory dump analysis !

Here is the picture ; i'm gonna show you how we triggers information from your dump files / RAM /USB KEY ............

 

 

 

 

 Let's Dive in with this machine : FORENSICS coming from tryhackme.com

 


1 - Introduction to Memory Dump Analysis



Memory dump analysis is a very important step of the Incident Response process. The RAM (memory) dump of a running compromised machine usually very helpful in reconstructing the events/activities that the attacker performed on the machine.

 

 

So that rude ; to be simple , using a tool called Volatiltity is pretty helpull when doing stuff with memory dump 

If you haven't installed yet , check out this link   https://github.com/volatilityfoundation/volatility3/releases/tag/v2.8.0
 

 

Let's go ! ! ! 

 

 


 


Answer : 

when you installed it succesfull ; do 

    python3 vol.py -f [imagefile] imageInfo 

Note : In some versions like what i'm using , there's no option imageinfo ; 

according to the OS you faced , you have linux.info / window.info .....






Next question : 



Answer : 

python3 vol.py -f [imageinfo] windows.pslist

 

Note : for this question , like if processes tree are multiples ; pipe the ouput of above command with " grep [nameyouwannagrep] "


 



Next Question : 


 

Answer:

My version of volatility doesn't include shellbags yet but here is how to do it so 

    python3 vol.py -f [imageinfo] shellbags




Thanks ! , i will upload the next part later ; i'm running out of coffee


                                                                                            pleasure ; artemis6X

Commentaires

Enregistrer un commentaire

Posts les plus consultés de ce blog

Image
  Sherlock Santa Krampus :  OpTinselTrace24-1: Sneaky Cookies                               I-  Scenario     QUESTION 1: Krampus, a notorious threat actor, possibly social-engineered bingle as email security filters were offline for maintenance. Find any suspicious files under Bingle Jollybeard User directory and get back to us with the full file name explanation: After succesfully unzip the downloaded file , make a tree on it and look for any suspicious coming from Bingle \Jollybeard   user           Answer : QUESTION 2: Using the malicious file sent as part of phishing, the attacker abused a legitimate binary to download and execute a C&C stager. What is the full command used to download and execute the C&C Binary?   explanation : Ok , Inside of the directory where the shorcut file is located , use " lnkinfo"...
Read more »
Image
  Day 18 - ADVENT OF CYBER 2024 TRYHACKME : I could use a little AI interaction! Storyline Hyped with their latest release, a "health checker" service that tracks the health and uptime of the Wareville systems, the Wareville developers envisage the day in which the inhabitants of Wareville have a one-stop shop for seeking the answers to life's mysteries and aiding them in their day-to-day jobs. As an initial first stage, the Wareville developers create an alpha version of WareWise - Wareville's intelligent assistant. Aware of the potential dangers of intelligent AI being interacted with, the developers decided to slowly roll out the chatbot and its features. The IT department is the first to get hands-on with WareWise. For the IT department, WareWise has been integrated with the "health checker" service, making it much easier for the IT department to query the status of their servers and workstations. Learning Objectives In today's task, ...
Read more »