Here is a quick run-down of basic memory dump collection and analysis on a Windows 7 machine.
First, download a memory acquisition tool such as DumpIt.
Then generate a memory dump by running the tool on the target machine:
DumpIt.exe
Move the memory dump to your analysis VM.
Determine which Volatility profile (image type) to use by running imageinfo against the dump:
python.exe vol.py imageinfo -f WIN7-20151012-174426.raw
Run queries against the dump using the profile imageinfo suggested, such as "pslist" (process list):
python.exe vol.py --profile=Win7SP0x86 -f WIN7-20151012-174426.raw pslist
"pstree" (process tree):
python.exe vol.py --profile=Win7SP0x86 -f WIN7-20151012-174426.raw pstree
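The pslist and pstree plugins print a flat list and an indented tree respectively; what an analyst usually does next is check the parent/child relationships for things that should not happen. The script below is an added example (not code from the original post or from the Volatility project): it parses a constructed sample of Volatility 2 pslist output, rebuilds the tree the way pstree displays it, and flags core Windows 7 processes whose parent is not the one expected. The EXPECTED_PARENT table is an analyst heuristic assumed here, not something the post states.

```python
"""Parse Volatility 2 'pslist' output, rebuild the process tree and flag
parent/child anomalies. Added example; sample output below is constructed."""
import re
from collections import defaultdict

# Constructed sample of Volatility 2 pslist output (not from a real dump).
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84f5d020 System                    4      0     86      505 ------      0 2015-10-12 17:30:00 UTC+0000
0x8625c5a8 smss.exe                292      4      2       29 ------      0 2015-10-12 17:30:00 UTC+0000
0x86b5c030 csrss.exe               376    364      9      455      0      0 2015-10-12 17:30:02 UTC+0000
0x86c2f5c8 wininit.exe             412    364      3       77      0      0 2015-10-12 17:30:02 UTC+0000
0x86c4e030 services.exe            476    412      8      214      0      0 2015-10-12 17:30:03 UTC+0000
0x86c6b030 lsass.exe               492    412      7      568      0      0 2015-10-12 17:30:03 UTC+0000
0x86d1a030 svchost.exe             616    476     10      351      0      0 2015-10-12 17:30:04 UTC+0000
0x86e12d40 explorer.exe           1344   1296     25      712      1      0 2015-10-12 17:31:10 UTC+0000
0x86f33a18 svchost.exe            2184   1344      3       88      1      0 2015-10-12 17:45:51 UTC+0000
"""

# Data rows start with the hex virtual offset; header and separator rows do not.
PSLIST_ROW = re.compile(r"^0x[0-9a-fA-F]+\s")

# Analyst heuristic (assumption, not from the post): on Windows 7 these
# core processes always have a fixed parent image name.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def parse_pslist(text):
    """Return one dict per process row; PID/PPID as ints, the rest as text."""
    procs = []
    for line in text.splitlines():
        if not PSLIST_ROW.match(line):
            continue
        f = line.split()
        procs.append({
            "offset": f[0], "name": f[1], "pid": int(f[2]), "ppid": int(f[3]),
            "threads": f[4], "handles": f[5], "session": f[6], "wow64": f[7],
            "start": " ".join(f[8:11]),   # date, time, timezone
            "exit": " ".join(f[11:14]),   # empty for running processes
        })
    return procs


def render_tree(procs):
    """Rebuild the pstree view: one dot per depth level, roots sorted by PID.
    A process whose parent is absent from pslist (e.g. its parent exited)
    is shown as a root, just as pstree does."""
    by_pid = {p["pid"]: p for p in procs}
    children = defaultdict(list)
    roots = []
    for p in procs:
        (children[p["ppid"]] if p["ppid"] in by_pid else roots).append(p)

    lines = []

    def walk(p, depth):
        lines.append(f"{'.' * depth}{p['name']} (PID {p['pid']}, PPID {p['ppid']})")
        for child in sorted(children[p["pid"]], key=lambda c: c["pid"]):
            walk(child, depth + 1)

    for root in sorted(roots, key=lambda r: r["pid"]):
        walk(root, 0)
    return lines


def find_anomalies(procs):
    """Return (name, pid, actual_parent, expected_parent) for every core
    process whose parent image does not match EXPECTED_PARENT."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p["name"])
        if expected is None:
            continue
        parent = by_pid.get(p["ppid"])
        actual = parent["name"] if parent else "<not in pslist>"
        if actual != expected:
            findings.append((p["name"], p["pid"], actual, expected))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render_tree(procs)))
    for name, pid, actual, expected in find_anomalies(procs):
        print(f"ANOMALY: {name} PID {pid} parent is {actual}, expected {expected}")
```

On the constructed sample the tree shows csrss.exe, wininit.exe and explorer.exe as roots because their parents (a session smss.exe instance and userinit.exe) have already exited, which is normal on Windows 7, while the svchost.exe running under explorer.exe is reported as an anomaly worth a closer look. To use it on a real dump, feed it the saved pslist output instead of SAMPLE_PSLIST.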
"netscan" (network connections and listening sockets):
python.exe vol.py --profile=Win7SP0x86 -f WIN7-20151012-174426.raw netscan
Find all registry hives with hivelist, then query one of them for a key with printkey (the -o value is the virtual offset of the hive as shown in the hivelist output):
python.exe vol.py --profile=Win7SP0x86 -f WIN7-20151012-174426.raw hivelist
python.exe vol.py --profile=Win7SP0x86 -f WIN7-20151012-174426.raw printkey -o 0x90839008 -K "Google\Update"
The full set of Volatility commands is documented in the Volatility command reference.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.