Secondary vocational group network security - memory Forensics
2022-07-04 04:55:00 【Beluga】
volatility -f test2.raw imageinfo
Get the image details. The suggested profile parameter is important; it is needed by every later command.

volatility -f test2.raw --profile=Win7SP1x64 hashdump
Dump the hash values and user names from the image. Once you have them, you can run a dictionary attack with john, or crack them with ophcrack.

If the mimikatz plugin is available, you can use mimikatz directly to recover the plaintext password.
The other option is lsadump, which only produces fragments of the password; it is not complete.
volatility -f test2.raw --profile=Win7SP1x64 netscan
Check the network connections.

A lot of IP addresses come out here. Judging from the open ports we decided on 10.30.21.96, and checking it from the virtual machine confirmed it.
volatility -f test2.raw --profile=Win7SP1x64 envars | grep USERNAME

This shows the host name; be careful to remove the trailing $ symbol.
Ideas for obtaining the flag file:
1. Get the desktop file names and guess the content from them.
volatility -f test2.raw --profile=Win7SP1x64 filescan | grep Desktop

You can see the files on the desktop, but you cannot read their contents this way.
2. The desktop may have a Notepad program open; the notepad plugin lets you see its text.
volatility -f test2.raw --profile=Win7SP1x64 notepad
Ideas for finding the mining process:
1. First look for a process with an abnormal name, such as Explore.exe (the genuine system process is explorer.exe).
2. If that turns up nothing, check the start times of the system processes and judge from when each one was started.
3. Failing that, work from the ports and IPs only: find the external IPs and try them one by one.
volatility -f test2.raw --profile=Win7SP1x64 netscan
volatility -f test2.raw --profile=Win7SP1x64 connscan
volatility -f test2.raw --profile=Win7SP1x64 svcscan
volatility -f test2.raw --profile=Win7SP1x64 hivelist
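The first and third ideas above (a near-miss process name like Explore.exe, and established connections to external IPs) can be applied automatically to netscan output. The script below is an added example, not part of the original post; it parses a constructed sample of Volatility 2 netscan rows (hypothetical PIDs and addresses) and reports every row that matches either idea.

```python
import ipaddress
import re
from difflib import SequenceMatcher
# Constructed sample of Volatility 2 `netscan` output (hypothetical PIDs and addresses, not from a real image).
SAMPLE_NETSCAN = """\
Offset(P)  Proto  Local Address      Foreign Address    State        Pid   Owner         Created
0x7d6fa7b0 TCPv4  10.30.21.96:49158  203.0.113.77:4444  ESTABLISHED  2184  Explore.exe   2022-06-20 08:12:01 UTC+0000
0x7d71c330 TCPv4  10.30.21.96:139    0.0.0.0:0          LISTENING    4     System        2022-06-20 08:01:55 UTC+0000
0x7d7b0f10 UDPv4  10.30.21.96:137    *:*                             4     System        2022-06-20 08:01:55 UTC+0000
0x7d82a4e0 TCPv4  10.30.21.96:49170  10.30.21.1:445     ESTABLISHED  1432  explorer.exe  2022-06-20 08:05:10 UTC+0000
"""
# Legitimate Windows process names that malware often imitates with a near-miss spelling.
KNOWN_SYSTEM_PROCS = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# IPv4 ranges treated as internal (RFC 1918, loopback, link-local, unspecified); everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]
# One netscan row: offset, proto, local, foreign, optional state, pid, owner (the Created column is ignored).
ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\S+)\s+([A-Z_]+)?\s*(\d+)\s+(\S+)")

def parse_netscan(text):
    """Turn netscan rows into dicts; the header line and anything unparsable is skipped."""
    rows = []
    for line in text.splitlines():
        if m := ROW.match(line.strip()):
            proto, local, foreign, state, pid, owner = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign, "state": state or "", "pid": int(pid), "owner": owner})
    return rows
def mimicked_system_proc(name):
    """Return the system process a name imitates (Explore.exe -> explorer.exe), or None if it is genuine or unrelated."""
    n = name.lower()
    if n in KNOWN_SYSTEM_PROCS:
        return None
    return next((k for k in KNOWN_SYSTEM_PROCS if SequenceMatcher(None, n, k).ratio() >= 0.85), None)
def is_external(addr):
    """True for an IPv4 'ip:port' outside INTERNAL_NETS; '*:*' and '-' (no peer) are never external."""
    try:
        ip = ipaddress.ip_address(addr.rsplit(":", 1)[0])
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)
def triage(text):
    """Apply the post's two ideas: near-miss process names and established connections to external IPs."""
    findings = []
    for r in parse_netscan(text):
        if mimic := mimicked_system_proc(r["owner"]):
            findings.append((r["pid"], r["owner"], "name mimics " + mimic))
        if r["state"] == "ESTABLISHED" and is_external(r["foreign"]):
            findings.append((r["pid"], r["owner"], "established connection to external " + r["foreign"]))
    return findings
```

On the sample, only PID 2184 (Explore.exe) is reported, once for its name and once for its connection to 203.0.113.77:4444; the genuine explorer.exe talking to 10.30.21.1 stays quiet. To use it on a real case, feed `triage()` the saved output of `volatility ... netscan`.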
Get the browser history
volatility -f test2.raw --profile=Win7SP1x64 iehistory
This gives you URLs; from the parameters inside them you can see what was searched for.