Volatility: Difference between revisions

From Server STB
Latest revision as of 05:13, 12 August 2024

Commands

 vol.exe -f chall1.raw imageinfo
 vol.exe -f chall1.raw --profile Win7SP1x86 pslist
 vol.exe -f chall1.raw --profile Win7SP1x86 cmdscan
 vol.exe -f chall1.raw --profile Win7SP1x86 consoles
 vol.exe -f chall1.raw --profile Win7SP1x86 hashdump

Keywords: Windows login

 ntlm login
 vol.exe -f chall2.raw --profile Win7SP1x64 memdump -p 2424 -D .

rename 2424.dmp to 2424.data

 vol.exe -f chall2.raw --profile Win7SP1x64 filescan
 vol.exe -f chall2.raw --profile Win7SP1x64 filescan | findstr ".rar"

 vol.exe -f chall2.raw --profile Win7SP1x64 dumpfiles -Q 0x000000003fb48bc0 -D .

rename the .dat extension to .rar
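The chall2 steps above (pick the profile from imageinfo, memdump a PID, filescan for .rar, dumpfiles by physical offset, rename the .dat) are easy to get wrong by hand: `findstr ".rar"` is a plain substring match and the offset has to be copied exactly. The helper below is an added example, not code from this wiki or from the Volatility project. It parses Volatility 2 text output and builds the exact command lines; the imageinfo and filescan samples are constructed to mirror Volatility 2.6's output format, and the image names, PID, offsets and file paths are placeholders. `run()` assumes `vol.exe` is on PATH and is only needed against a real image.

```python
"""Drive the Volatility 2 triage workflow from parsed tool output.

Added example (not part of the wiki page). The sample outputs below are
constructed; image names, PID, offsets and paths are placeholders.
"""
import re
import shlex
import subprocess
from pathlib import PurePath
from typing import Dict, List

# Constructed sample of `vol.exe -f chall1.raw imageinfo` output.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\\cases\\chall1.raw)
"""

# Constructed sample of `vol.exe -f chall2.raw --profile Win7SP1x64 filescan` output.
SAMPLE_FILESCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003fb48bc0      2      0 R--r-d \\Device\\HarddiskVolume1\\Users\\stb\\Desktop\\secret.rar
0x000000003fb5a070     16      0 R--r-d \\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll
0x000000003fc10f20      1      1 RW-rw- \\Device\\HarddiskVolume1\\Users\\stb\\Downloads\\archive.RAR
"""

PROFILE_RE = re.compile(r"Suggested Profile\(s\)\s*:\s*(.+)")
# Offset(P)  #Ptr  #Hnd  Access  Name  -- data rows always start with 0x.
FILESCAN_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def suggested_profiles(imageinfo_output: str) -> List[str]:
    """Profiles imageinfo proposes, in the order it lists them (first is the usual pick)."""
    m = PROFILE_RE.search(imageinfo_output)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def parse_filescan(filescan_output: str) -> List[Dict[str, str]]:
    """Turn filescan's table into one record per row, keyed by column."""
    records = []
    for line in filescan_output.splitlines():
        m = FILESCAN_RE.match(line)
        if m:
            records.append({"offset": m.group(1), "ptr": m.group(2), "hnd": m.group(3),
                            "access": m.group(4), "name": m.group(5)})
    return records


def find_files_by_extension(filescan_output: str, ext: str) -> List[Dict[str, str]]:
    """Case-insensitive replacement for `findstr ".rar"`: matches only a trailing
    extension, so '.rar' inside a directory name does not produce a false hit."""
    ext = ext.lower().lstrip(".")
    return [r for r in parse_filescan(filescan_output)
            if r["name"].lower().endswith("." + ext)]


def memdump_command(image: str, profile: str, pid: int, outdir: str = ".") -> List[str]:
    """argv for `memdump -p <pid> -D <outdir>`."""
    return ["vol.exe", "-f", image, "--profile", profile, "memdump", "-p", str(pid), "-D", outdir]


def dumpfiles_command(image: str, profile: str, offset: str, outdir: str = ".") -> List[str]:
    """argv for `dumpfiles -Q <physical offset> -D <outdir>`, offset taken from filescan."""
    return ["vol.exe", "-f", image, "--profile", profile, "dumpfiles", "-Q", offset, "-D", outdir]


def restored_name(dumped: str, ext: str) -> str:
    """Name to give a dumpfiles output (.dat) so it carries the original extension."""
    return str(PurePath(dumped).with_suffix("." + ext.lstrip(".")))


def run(argv: List[str]) -> str:
    """Execute a Volatility command and return stdout (needs vol.exe on PATH)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demo on the constructed samples; replace SAMPLE_* with run([...]) output
    # from a real image to use it for real.
    profile = suggested_profiles(SAMPLE_IMAGEINFO)[0]
    print(shlex.join(memdump_command("chall2.raw", profile, 2424)))
    for rec in find_files_by_extension(SAMPLE_FILESCAN, "rar"):
        print(shlex.join(dumpfiles_command("chall2.raw", profile, rec["offset"])), "#", rec["name"])
```

The parser keys on the `0x` offset column rather than on `findstr`, so a second archive with an upper-case `.RAR` extension (present in the constructed sample) is found as well, and the offset passed to `-Q` is copied from the parsed row instead of being retyped.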

Tool for dumping memory

 https://github.com/MagnetForensics/dumpit-linux