Posted by shinigami at 01:10
Today I learned about memory forensics. My target is Windows XP; before this I had dumped its memory using AccessData FTK. After dumping the memory, I copied the memory dump to BackTrack and opened it with Volatility:

# ./vol.py -f /path/of/memorydump.mem imageinfo

After running the command above, you will see some information about the memory image.
Using Volatility you can list processes, network connections, and much more.
The image above shows some of the features of the Volatility tool.
I think we can also dump the Windows machine's password hashes using Volatility; you can use the hashdump and hivelist plugins.
The images below show how many connections my Windows machine had. We can see that someone with IP address 192.168.56.102 was connected to my machine on ports 6660 and 4444 under the same PID. Maybe someone attacked my machine using a vulnerability in BigAnt and connected back by opening port 4444.
In this case, we can also see the history of cmd commands typed by the user before the memory was dumped with FTK.
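As an added example (not code from the post), here is a small triage script for the kind of `connections` output described above: it parses the Volatility 2 table, groups rows by PID, and flags a PID that talks to a watched remote port or holds more than one connection to the same remote host, which is the pattern observed in the post. The sample output is constructed, and the watched port set (4444, the connect-back port in the post's scenario) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of Volatility 2 `connections` output for a Windows XP
# image; it mirrors the post's scenario but is not taken from the post.
SAMPLE_CONNECTIONS = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e2c008 192.168.56.101:6660       192.168.56.102:1052       1708
0x8203a4f8 192.168.56.101:1037       192.168.56.102:4444       1708
0x81f0a3d0 192.168.56.101:1041       192.168.56.1:445          4
"""

# Assumption: remote ports that warrant a closer look during triage.
WATCH_PORTS = {4444}

# One data row: offset, local ip:port, remote ip:port, pid.
LINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")

def parse_connections(text):
    """Return one dict per connection row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"lip": m.group(1), "lport": int(m.group(2)),
                         "rip": m.group(3), "rport": int(m.group(4)),
                         "pid": int(m.group(5))})
    return rows

def triage(rows):
    """Map PID -> list of reasons for PIDs that hit a watched port or have
    more than one connection to the same remote host."""
    by_pid = defaultdict(list)
    for r in rows:
        by_pid[r["pid"]].append(r)
    findings = {}
    for pid, conns in by_pid.items():
        reasons = []
        watched = sorted({c["rport"] for c in conns if c["rport"] in WATCH_PORTS})
        if watched:
            reasons.append(f"watched remote port(s) {watched}")
        per_host = defaultdict(int)
        for c in conns:
            per_host[c["rip"]] += 1
        multi = sorted(h for h, n in per_host.items() if n > 1)
        if multi:
            reasons.append(f"multiple connections to {multi}")
        if reasons:
            findings[pid] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in triage(parse_connections(SAMPLE_CONNECTIONS)).items():
        print(f"PID {pid}: {'; '.join(reasons)}")
```

Feed it the saved output of `vol.py ... connections` (or `connscan`, whose rows have the same shape) instead of the embedded sample to run it on a real image.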