Volatility: Difference between revisions
Latest revision as of 05:13, 12 August 2024
Commands
vol.exe -f chall1.raw imageinfo
vol.exe -f chall1.raw --profile Win7SP1x86 pslist
vol.exe -f chall1.raw --profile Win7SP1x86 cmdscan
vol.exe -f chall1.raw --profile Win7SP1x86 consoles
vol.exe -f chall1.raw --profile Win7SP1x86 hashdump
keyword login windows
ntlm login
vol.exe -f chall2.raw --profile Win7SP1x64 memdump -p 2424 -D .
rename 2424.dmp to 2424.data
vol.exe -f chall2.raw --profile Win7SP1x64 filescan
vol.exe -f chall2.raw --profile Win7SP1x64 filescan | findstr ".rar"
vol.exe -f chall2.raw --profile Win7SP1x64 dumpfiles -Q 0x000000003fb48bc0 -D .
rename the .dat extension to .rar
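An added example (not part of the original notes) that automates the filescan to dumpfiles step above: it parses Volatility 2 filescan output into records and builds the dumpfiles command for every file whose name ends with a given extension, which is stricter than findstr ".rar" (a substring match that also hits any path merely containing ".rar"). The sample filescan output, offsets and file paths are constructed for the example, not taken from a real image.

```python
import re
from typing import Dict, List

# Constructed sample of Volatility 2 `filescan` output (offsets and paths are made up).
SAMPLE_FILESCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e1a2f20     16      0 R--r-d \\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll
0x000000003fb48bc0      2      1 RW-rwd \\Device\\HarddiskVolume1\\Users\\victim\\Desktop\\evidence.rar
0x000000003fc01a70      1      0 R--r-- \\Device\\HarddiskVolume1\\Users\\victim\\Downloads\\rar-notes.txt
"""

# One data row: physical offset, pointer count, handle count, access flags, file name.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*\S)\s*$")


def parse_filescan(text: str) -> List[Dict[str, object]]:
    """Parse filescan output into records; the banner and header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "offset": int(m.group(1), 16),  # physical offset, as required by dumpfiles -Q
            "ptr": int(m.group(2)),
            "hnd": int(m.group(3)),
            "access": m.group(4),
            "name": m.group(5),
        })
    return records


def dumpfiles_commands(text: str, suffix: str, image: str, profile: str) -> List[str]:
    """Return one dumpfiles command per file whose name ends with `suffix` (case-insensitive)."""
    cmds = []
    for rec in parse_filescan(text):
        if str(rec["name"]).lower().endswith(suffix.lower()):
            cmds.append(
                f"vol.exe -f {image} --profile {profile} dumpfiles -Q 0x{rec['offset']:016x} -D ."
            )
    return cmds


if __name__ == "__main__":
    for cmd in dumpfiles_commands(SAMPLE_FILESCAN, ".rar", "chall2.raw", "Win7SP1x64"):
        print(cmd)
```

Feed real filescan output in place of the constructed sample (for example via sys.stdin) to generate the extraction commands for an actual image.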
Tool for taking a memory dump
https://github.com/MagnetForensics/dumpit-linux