Hi.
I have a Windows memory dump and I am analyzing it with Volatility.
I have seen many interesting processes. However, I would need to get some live data regarding these processes.
Such as linked Paths, opened documents, passwords entered, and so on.
How can I achieve this?
Many thanks!
Which Windows profile are you using?
SANS have a Volatility cheat sheet here: https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf
What are you hoping to achieve? Just a snapshot of *all* of the activity, or something more specific? When you say passwords, do you mean system passwords? If so, try the mimikatz plugin.
Are you able to contextualise what you're actually seeking?
Hi!
Profile WinXPSP2
I'm trying to access the contents of files opened by process TrueCrypt.exe. Or else, the password used to mount the ciphered volume so I can access the whole contents of the container.
Thanks!
You can use Belkasoft for extracting artifacts like chat, web history, documents, processes, images, etc., from the memory dump.
In that case, I suggest you use Volatility’s imageinfo to identify the correct system profile, then use the truecrypt plugin to locate the volume key. Should be fairly straightforward with XP.
It isn't that easy, unfortunately. The plugin shows the container, the file location, the encryption algorithm, but the passphrase plugin shows empty. Maybe the key isn't cached in the memory. All I can have is a masterkey dump.
I didn't know of that software. I'll give it a try.
Thanks!
If it’s not cached, it’s not cached. Try running aeskeyfind against your raw memory dump and see if it locates anything.
Hi. Yes, it yields the following
25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252
04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
affd67a85f33c38e95a4d6ca39b97578
74c49a8db21d10bc39c71178cb55c4dd
affd67a85f33c38e95a4d6ca39b97578
affd67a85f33c38e95a4d6ca39b97578
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab
74c49a8db21d10bc39c71178cb55c4dd
74c49a8db21d10bc39c71178cb55c4dd
affd67a85f33c38e95a4d6ca39b97578
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
affd67a85f33c38e95a4d6ca39b97578
74c49a8db21d10bc39c71178cb55c4dd
Keyfind progress 100%
How do I use this?
Thanks!
https://
They're likely your 256-bit AES keys. Combine them for your 512-bit AES key and use MKD to mount it.
Try
25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f88925204e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d
and then try
04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252