https://github.com/stuxnet999/MemLabs
Lab_1:
$ vol.py -f MemoryDump_Lab1.raw kdbgscan
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 procdump --dump-dir procdump > procdump/procdump.txt
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 dumpfiles -n -u --dump-dir dumpfiles > dumpfiles/dumpfiles.txt
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 screenshot --dump-dir screenshot
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 mutantscan > mutantscan.txt
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 symlinkscan > symlinkscan.txt
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 thrdscan > thrdscan.txt
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 filescan > filescan.txt
0x000000003fa3ebc0 1 0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 dumpfiles -n -u -Q 0x000000003fa3ebc0 --dump-dir dumpfiles
DataSectionObject 0x3fa3ebc0 None \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 hivelist
Volatility Foundation Volatility Framework 2.6.1
Virtual Physical Name
------------------ ------------------ ----
0xfffff8a00000d010 0x000000002783f010 [no name]
0xfffff8a000024010 0x00000000276a4010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a00004e010 0x00000000276ce010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a0000b9010 0x0000000037113010 \??\C:\Users\SmartNet\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a0000c1010 0x0000000036d9b010 \??\C:\Users\SmartNet\ntuser.dat
0xfffff8a000264010 0x0000000025d61010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a001032010 0x00000000252b4010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a0012ff300 0x000000002199c300 \SystemRoot\System32\Config\DEFAULT
0xfffff8a001491010 0x000000001df34010 \SystemRoot\System32\Config\SECURITY
0xfffff8a0014e9010 0x000000001d7ed010 \SystemRoot\System32\Config\SAM
0xfffff8a0015ab410 0x000000001cd57410 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a001626010 0x000000001c9a4010 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a00227a010 0x00000000123d0010 \??\C:\Users\Alissa Simpson\ntuser.dat
0xfffff8a0022dc010 0x000000000b296010 \??\C:\Users\Alissa Simpson\AppData\Local\Microsoft\Windows\UsrClass.dat
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a0014e9010
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SmartNet:1001:aad3b435b51404eeaad3b435b51404ee:4943abb39473a6f32c11301f4987e7e0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f0fc3d257814e08fea06e63c5762ebd5:::
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::
f4ff64c8baac57d22f22edc681055ba6 NTLM goodmorningindia
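Added helper (not part of the gist or of Volatility) that automates the two steps above: it picks the SYSTEM and SAM virtual offsets out of hivelist output (Volatility 2 hashdump takes them as -y and -s respectively) and then triages pwdump-style hashdump lines, flagging accounts whose NT hash is the well-known hash of the empty string and accounts for which an LM hash is still stored. The embedded hivelist and hashdump lines are constructed samples copied from the output above.

```python
import re

# Constructed sample input: hivelist / hashdump lines as printed by Volatility 2.
HIVELIST = r"""
0xfffff8a000024010 0x00000000276a4010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a0014e9010 0x000000001d7ed010 \SystemRoot\System32\Config\SAM
0xfffff8a00227a010 0x00000000123d0010 \??\C:\Users\Alissa Simpson\ntuser.dat
"""
HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of ""; means no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""; means blank password

HIVE_RE = re.compile(r"^(0x[0-9a-f]{16})\s+(0x[0-9a-f]{16})\s+(.+)$")

def hive_offsets(hivelist_text):
    """Return {'SYSTEM': virt, 'SAM': virt} from hivelist output."""
    found = {}
    for line in hivelist_text.splitlines():
        m = HIVE_RE.match(line.strip())
        if not m:
            continue
        virt, _phys, name = m.groups()
        upper = name.upper()
        if upper.endswith("\\MACHINE\\SYSTEM"):
            found["SYSTEM"] = virt
        elif upper.endswith("\\CONFIG\\SAM"):
            found["SAM"] = virt
    return found

def hashdump_command(image, profile, offsets):
    """Build the hashdump invocation with explicit SYSTEM (-y) and SAM (-s) offsets."""
    return (f"vol.py -f {image} --profile {profile} hashdump "
            f"-y {offsets['SYSTEM']} -s {offsets['SAM']}")

def triage_hashes(hashdump_text):
    """Parse user:rid:lm:nt::: lines; flag blank passwords and stored LM hashes."""
    rows = []
    for line in hashdump_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        rows.append({"user": user, "rid": rid,
                     "blank_password": nt == EMPTY_NT,
                     "lm_stored": lm != EMPTY_LM})
    return rows
```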
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 clipboard
Volatility Foundation Volatility Framework 2.6.1
Session WindowStation Format Handle Object Data
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
2 WinSta0 CF_UNICODETEXT 0x0 ------------------
2 WinSta0 0x0L 0x10 ------------------
2 WinSta0 0x100ffL 0x200000000000 ------------------
2 WinSta0 CF_TEXT 0x1 ------------------
1 WinSta0 CF_UNICODETEXT 0x1801bf 0xfffff900c00f34e0 St4G3$1
1 WinSta0 CF_TEXT 0x10 ------------------
1 WinSta0 0xb01ebL 0x200000000000 ------------------
1 WinSta0 CF_TEXT 0x1 ------------------
1 ------------- ------------------ 0xb01eb 0xfffff900c2194390
2 ------------- ------------------ 0x100ff 0xfffff900c1fed490
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 modules -P
$ vol.py -f MemoryDump_Lab1.raw --profile Win7SP1x64 modscan
Last active: January 7, 2020 21:43