Supporters

Aiden Davis
Finding the RAM Image to Examine

In your Kali Linux machine, open a Terminal window and execute these commands:

cd
cd Desktop
ls -l

Note that the last command is "LS -L" in lowercase.

You should see the memdump.mem file, which should be approximately 500 MB in size, as shown below. If you do not, you may need to repeat a previous project to create the memory image again.

Troubleshooting

If you can't get this to work, which is happening to a lot of students, try using my memory dump from here: memdump.7z

Extract and check the file with these commands in Linux:

7z e memdump.7z
md5sum memdump.mem

The correct hash is b50ae13dc659ec9c8af66b539e5768d8

If you use it, explain that in the text part of the email you send in so my grader knows your name won't be in the artifacts you find.

Starting Volatility

In your Kali Linux machine, in a Terminal window, execute these commands:

cd /usr/share/volatility
python vol.py -h

You see a long help message, as shown below. The Volatility help is long and confusing. Fortunately, SANS has made a handy one-page cheat sheet which is much friendlier. The part that is important to us is shown below:

Basic Volatility Usage

Image Information

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py imageinfo -f /root/Desktop/memdump.mem

This shows basic information about the image, such as the operating system of the machine that was imaged, and when the image was made, as shown below.

Volatility needs to know what operating system was imaged in order to interpret the memory image correctly. The default profile is WinXPSP2x86, but we used Win2008SP1x86, so we'll have to include that information in all future Volatility command lines.

Running Processes

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py pslist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem

This shows the processes that were running on the machine when the RAM image was made, as shown below. Notice these columns:

Offset: The location in RAM of the process, in hexadecimal
Name: The process name, as it would be shown in Task Manager
PID: The process ID
PPID: The parent process ID, that is, the process that launched this process. In the example above, the "System" process is process 4, and it is the parent of the "smss.exe" process.

Console Commands

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py consoles --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem

This shows the console commands that were recently executed on the Windows machine. You should see the command you executed to create the user account with your own name, as shown below.

Saving a Screen Image

Make sure YOUR-NAME and the Linux command prompt root@kali are visible.

Click the taskbar at the bottom of your host Windows 7 desktop, to make the host machine listen to the keyboard, instead of the virtual machine.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

On the host machine, not the virtual machine, click Start. Type mspaint into the Search box and press the Enter key.

Click in the untitled - Paint window, and press Ctrl+V on the keyboard. The desktop appears in the Paint window.

Save the document with the filename "YOUR NAME Proj 4a", replacing "YOUR NAME" with your real name.

Services

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py svcscan --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem | more

This shows the first page of a long list of services, as shown below.

Registry Hives

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py hivelist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem

This shows the location in RAM of the Registry hives, as shown below. Examine your output and find the two addresses outlined in green above: the virtual addresses of the SAM and SYSTEM hives. Those two hives together contain enough information to extract Windows password hashes.

Password Hashes

In your Kali Linux machine, in a Terminal window, execute the command below. You will have to replace the two hexadecimal addresses with the correct virtual addresses of your hives, in this format:

-y SYSTEM -s SAM
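The PID and PPID columns in the Running Processes section above are enough to rebuild the parent/child relationships that Volatility's pstree plugin prints. The following script is an added example, not part of the original project text; it parses a constructed pslist listing (the offsets, PIDs and timestamps are illustrative, not from the project's image) into a process tree and reports processes whose parent is no longer present in the listing.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of Volatility 2 "pslist" output; values are illustrative.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x83c1e4c0 System                    4      0     64      491 ------      0
0x85f0c580 smss.exe                236      4      3       21 ------      0 2014-10-06 17:55:13 UTC+0000
0x85f1e9a8 csrss.exe               312    304      9      470      0      0 2014-10-06 17:55:16 UTC+0000
0x86240d40 winlogon.exe            356    304      4      115      1      0 2014-10-06 17:55:17 UTC+0000
0x86b83c50 cmd.exe                1640    356      1       28      1      0 2014-10-06 18:02:40 UTC+0000
"""

# A process row starts with the hex offset, followed by name, PID and PPID.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+")

def parse_pslist(text):
    """Return {pid: (name, ppid, offset)}; banner, header and rule lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            offset, name, pid, ppid = m.groups()
            procs[int(pid)] = (name, int(ppid), offset)
    return procs

def build_tree(procs):
    """Map each parent PID to its sorted child PIDs."""
    children = defaultdict(list)
    for pid, (_, ppid, _) in procs.items():
        children[ppid].append(pid)
    return {ppid: sorted(kids) for ppid, kids in children.items()}

def orphan_pids(procs):
    """PIDs whose parent is absent from the listing (PID 0, or a parent that already exited)."""
    return sorted(pid for pid, (_, ppid, _) in procs.items() if ppid not in procs)

def render_tree(procs):
    """Indented 'name (pid)' lines, one subtree per orphan, like Volatility's pstree."""
    children = build_tree(procs)
    lines = []
    def walk(pid, depth):
        lines.append("  " * depth + f"{procs[pid][0]} ({pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)
    for root in orphan_pids(procs):
        walk(root, 0)
    return lines
```

Feed it the saved output of the pslist command above instead of SAMPLE_PSLIST to see the same tree for your own image; a parent PID that is missing from the listing usually means that parent exited before the image was taken.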