Friday, 4 May 2012

Volatility taster


On our Backtrack system lets setup a quick samba to accept the memory dump on
  • apt-get install samba
  • vi /etc/samba/smb.conf (comment all the shares and add just the following)
[btshare] 
   comment = btshare 
   path = /btshare 
   read only = no 
   guest ok = yes 
   browsable = yes
save and exit
  • mkdir /btshare
  • chmod 777 /btshare
  • service smbd restart

On our target system open the USB stick that has DEFT in it.
Run deft extra an decide where your audit log will go
Go to Acquire and launch the trusted shell in order to run win32dd or win64dd
  • win64dd /r /f \\192.168.1.7\btshare\win7memory.img
  • cd /root/Tools/
  • svn checkout http://volatility.googlecode.com/svn/trunk Volatility
  • cd Volatility
  • chmod +x vol.py
  • ./vol.py -f /btshare/win7memory.img imageinfo
  • ./vol.py -f /btshare/win7memory.img --profile Win7SP1x64 pslist
  • ./vol.py -f /btshare/win7memory.img --profile Win7SP1x64 connections
  • ./vol.py -f /btshare/win7memory.img --profile Win7SP1x64 connscan
  • ./vol.py -f /btshare/win7memory.img --profile Win7SP1x64 hivescan
  • ./vol.py -f /btshare/win7memory.img --profile Win7SP1x64 hivelist 0x031da010

More to come :)

No comments:

Post a Comment