Extract live data from a memory dump

(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

Hi.

I have a Windows memory dump and I am analyzing it with Volatility.

I have seen many interesting processes. However, I would need to get some live data regarding these processes.
Such as linked Paths, opened documents, passwords entered, and so on.

How can I achieve this?

Many thanks!

 
Posted : 02/07/2019 10:18 pm
(@deefir)
Posts: 49
Eminent Member
 

Which Windows profile are you using?

SANS have a Volatility cheat sheet here; https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf

What are you hoping to achieve? Just a snapshot of *all* of the activity, or something more specific? When you say passwords, do you mean system passwords? If so, try the mimikatz plugin.

Are you able to contextualise what you're actually seeking?

 
Posted : 15/07/2019 5:32 am
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

Which Windows profile are you using?

SANS have a Volatility cheat sheet here; https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf

What are you hoping to achieve? Just a snapshot of *all* of the activity, or something more specific? When you say passwords, do you mean system passwords? If so, try the mimikatz plugin.

Are you able to contextualise what you're actually seeking?

Hi!

Profile WinXPSP2

I'm trying to access the contents of files opened by process TrueCrypt.exe. Or else, the password used to mount the ciphered volume so I can access the whole contents of the container.

Thanks!

 
Posted : 15/07/2019 3:39 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

You can use Belkasoft for extracting artifacts like chat, web history, documents, processes, images, etc., from the memory dump.

 
Posted : 15/07/2019 6:30 pm
(@deefir)
Posts: 49
Eminent Member
 

In that case, I suggest you use Volatility’s imageinfo to identify the correct system profile, then use the truecrypt plugin to locate the volume key. Should be fairly straightforward with XP.

 
Posted : 15/07/2019 9:56 pm
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

In that case, I suggest you use Volatility’s imageinfo to identify the correct system profile, then use the truecrypt plugin to locate the volume key. Should be fairly straightforward with XP.

It isn't that easy, unfortunately. The plugin shows the container, the file location, the encryption algorithm, but the passphrase plugin shows empty. Maybe the key isn't cached in the memory. All I can have is a masterkey dump.

You can use Belkasoft for extracting artifacts like chat, web history, documents, processes, images, etc., from the memory dump.

I didn't know of that software. I'll give it a try.

Thanks!

 
Posted : 16/07/2019 6:55 pm
(@deefir)
Posts: 49
Eminent Member
 

If it’s not cached, it’s not cached. Try running aeskeyfind against your raw memory dump and see if it locates anything.

 
Posted : 16/07/2019 10:17 pm
(@banderas20)
Posts: 29
Eminent Member
Topic starter
 

If it’s not cached, it’s not cached. Try running aeskeyfind against your raw memory dump and see if it locates anything.

Hi. Yes, it yields the following:

25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252
04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
affd67a85f33c38e95a4d6ca39b97578
74c49a8db21d10bc39c71178cb55c4dd
affd67a85f33c38e95a4d6ca39b97578
affd67a85f33c38e95a4d6ca39b97578
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab
74c49a8db21d10bc39c71178cb55c4dd
74c49a8db21d10bc39c71178cb55c4dd
affd67a85f33c38e95a4d6ca39b97578
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
affd67a85f33c38e95a4d6ca39b97578
74c49a8db21d10bc39c71178cb55c4dd
Keyfind progress 100%

How do I use this?

Thanks!

 
Posted : 17/07/2019 6:40 am
(@deefir)
Posts: 49
Eminent Member
 

Hi. Yes, it yields the following:


25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252
04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab

How do I use this?

Thanks!

https://github.com/AmNe5iA/MKDecrypt

They're likely your 256-bit AES keys. Combine them for your 512-bit AES key and use MKD to mount it.

 
Posted : 17/07/2019 7:20 am
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Try

25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f88925204e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d
and then try

04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252

 
Posted : 17/07/2019 7:48 am
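The triage that deefir and AmNe5iA do by hand above, as an added example that is not part of this thread or of MKDecrypt: parse the aeskeyfind output, count repeats, drop the 00 01 02 ... pattern (a static table or test vector, not a live key), and emit every ordered pair of distinct 256-bit keys as a 512-bit XTS master-key candidate. It assumes aeskeyfind's plain one-key-per-line output format as shown in the thread; the sample input is constructed from the keys posted here.

```python
import itertools
import re
from collections import Counter

# Constructed sample input in the format aeskeyfind prints: one hex key per
# line plus a progress line. The key values are the ones posted in this thread.
SAMPLE_OUTPUT = """\
25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252
04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
affd67a85f33c38e95a4d6ca39b97578
74c49a8db21d10bc39c71178cb55c4dd
affd67a85f33c38e95a4d6ca39b97578
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab
Keyfind progress 100%
"""

# AES keys are 128, 192 or 256 bits: 32, 48 or 64 hex digits on a line.
KEY_LINE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})$")


def parse_keys(text):
    """Count each distinct key in aeskeyfind output; progress and blank lines are skipped."""
    return Counter(line.strip().lower() for line in text.splitlines()
                   if KEY_LINE.match(line.strip()))


def is_sequential_bytes(hexkey):
    """True for 00 01 02 ... byte runs: a static table or test vector, not a volume key."""
    raw = bytes.fromhex(hexkey)
    return all(b == (i & 0xFF) for i, b in enumerate(raw))


def classify(keys):
    """Group surviving keys by bit length, discarding sequential-pattern noise."""
    by_bits = {}
    for k in keys:
        if is_sequential_bytes(k):
            continue
        by_bits.setdefault(len(k) * 4, []).append(k)
    return by_bits


def candidate_xts_keys(keys):
    """TrueCrypt XTS-AES uses a 512-bit master key: 256-bit primary key || 256-bit
    tweak key. aeskeyfind recovers the halves separately, so emit every ordered pair of
    distinct 256-bit keys; only the order that verifies the volume header is correct."""
    k256 = classify(keys).get(256, [])
    return [a + b for a, b in itertools.permutations(k256, 2)]


if __name__ == "__main__":
    found = parse_keys(SAMPLE_OUTPUT)
    for bits, ks in sorted(classify(found).items()):
        print(f"{bits}-bit keys (pattern noise removed): {len(ks)}")
    for cand in candidate_xts_keys(found):
        print("candidate 512-bit master key:", cand)
```

The first two candidates printed are exactly the two concatenations AmNe5iA suggests; with three recovered 256-bit keys there are six orderings to try in total.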