Extract live data from a memory dump

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

banderas20
Member
 

Extract live data from a memory dump

Posted: Jul 02, 19 22:18

Hi.

I have a Windows memory dump and I am analyzing it with Volatility.

I have seen many interesting processes. However, I would need to get some live data regarding these processes.
Such as linked Paths, opened documents, passwords entered, and so on.

How can I achieve this?

Many thanks!  
 
  

deeFIR
Member
 

Re: Extract live data from a memory dump

Posted: Jul 15, 19 05:32

Which Windows profile are you using?

SANS have a Volatility cheat sheet here; digital-forensics.sans...-sheet.pdf

What are you hoping to achieve? Just a snapshot of *all* of the activity, or something more specific? When you say passwords, do you mean system passwords? If so, try the mimikatz plugin.

Are you able to contextualise what you're actually seeking?  
 
  

banderas20
Member
 

Re: Extract live data from a memory dump

Posted: Jul 15, 19 15:39

- deeFIR
Which Windows profile are you using?

SANS have a Volatility cheat sheet here; digital-forensics.sans...-sheet.pdf

What are you hoping to achieve? Just a snapshot of *all* of the activity, or something more specific? When you say passwords, do you mean system passwords? If so, try the mimikatz plugin.

Are you able to contextualise what you're actually seeking?


Hi!

Profile WinXPSP2

I'm trying to access the contents of files opened by process TrueCrypt.exe. Or else, the password used to mount the ciphered volume so I can access the whole contents of the container.

Thanks!  
 
  

Igor_Michailov
Senior Member
 

Re: Extract live data from a memory dump

Posted: Jul 15, 19 18:30

You can use Belkasoft for extracting artifacts like chat, web history, documents, processes, images, etc., from the memory dump.
_________________
Computer, Cell Phone & Chip-Off Forensics

linkedin.com/in/igormikhaylovcf 
 
  

deeFIR
Member
 

Re: Extract live data from a memory dump

Posted: Jul 15, 19 21:56

In that case, I suggest you use Volatility’s imageinfo to identify the correct system profile, then use the truecrypt plugin to locate the volume key. Should be fairly straightforward with XP.  
 
  

banderas20
Member
 

Re: Extract live data from a memory dump

Posted: Jul 16, 19 18:55

- deeFIR
In that case, I suggest you use Volatility’s imageinfo to identify the correct system profile, then use the truecrypt plugin to locate the volume key. Should be fairly straightforward with XP.


It isn't that easy, unfortunately. The plugin shows the container, the file location, the encryption algorithm, but the passphrase plugin shows empty. Maybe the key isn't cached in the memory. All I can have is a masterkey dump.

- Igor_Michailov

You can use Belkasoft for extracting artifacts like chat, web history, documents, processes, images, etc., from the memory dump.


I didn't know of that software. I'll give it a try.

Thanks!  
 
  

deeFIR
Member
 

Re: Extract live data from a memory dump

Posted: Jul 16, 19 22:17

If it’s not cached, it’s not cached. Try running aeskeyfind against your raw memory dump and see if it locates anything.  
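
The aeskeyfind approach deeFIR recommends works because a running AES implementation keeps its expanded round keys (the FIPS-197 key schedule) in RAM next to the key, and that schedule is a deterministic function of the key alone. The following is an added Python illustration of that heuristic; it is not aeskeyfind's source, not a Volatility plugin, and not code from anyone in this thread. It regenerates the FIPS-197 key expansion and slides over a raw image byte by byte, reporting every offset where the bytes after a candidate key equal that key's own schedule. The sample image, the planted FIPS-197 test keys and their offsets are constructed for the demonstration; the function names are the example's own.

```python
"""Find AES key schedules in a raw memory image: the heuristic behind aeskeyfind.

Added example for this thread (not aeskeyfind's or Volatility's code). A live AES
context holds the key followed by its round keys, so any 16/24/32-byte window whose
following bytes equal its own FIPS-197 expansion is almost certainly a real key.
"""
import random


def _build_sbox():
    """Generate the AES S-box: GF(2^8) multiplicative inverse, then the affine map."""
    def rotl(b, n):
        return ((b << n) | (b >> (8 - n))) & 0xFF

    sbox = [0] * 256
    p = q = 1  # loop invariant: p * q == 1 in GF(2^8), so q is always inv(p)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF  # q /= 3, i.e. q *= 0xF6
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; the affine map alone gives 0x63
    return sbox


SBOX = _build_sbox()


def _xtime(b):
    """Multiply by x in GF(2^8); steps the round constant rcon."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1


def key_schedule_words(key):
    """Yield the 4*(Nr+1) words of the FIPS-197 key expansion for a 16/24/32-byte key."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    nk = len(key) // 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for word in w:
        yield bytes(word)
    rcon = 0x01
    for i in range(nk, 4 * (nk + 7)):
        temp = list(w[i - 1])
        if i % nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # RotWord, then SubWord
            temp[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            temp = [SBOX[b] for b in temp]  # extra SubWord step for AES-256
        word = [a ^ b for a, b in zip(w[i - nk], temp)]
        w.append(word)
        yield bytes(word)


def expand_key(key):
    """Full key schedule as bytes: 176 (AES-128), 208 (AES-192) or 240 (AES-256)."""
    return b"".join(key_schedule_words(key))


def schedule_at(buf, off, key_len):
    """True if buf[off:] holds a key immediately followed by its own expansion."""
    if off + 16 * (key_len // 4 + 7) > len(buf):
        return False
    # Words are compared as they are generated, so a random window is rejected
    # after one computed word; only a genuine schedule is checked to the end.
    for i, word in enumerate(key_schedule_words(bytes(buf[off:off + key_len]))):
        if word != bytes(buf[off + 4 * i:off + 4 * i + 4]):
            return False
    return True


def find_aes_keys(buf, key_len=16):
    """Scan every byte offset of buf; return (offset, key) for each schedule found."""
    sched_len = 16 * (key_len // 4 + 7)
    return [(off, bytes(buf[off:off + key_len]))
            for off in range(len(buf) - sched_len + 1)
            if schedule_at(buf, off, key_len)]


# Constructed sample image (not from any real dump): seeded pseudo-random filler
# with the FIPS-197 AES-128 and AES-256 test keys' schedules planted at known offsets.
KEY_128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY_256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                        "1f352c073b6108d72d9810a30914dff4")
_rng = random.Random(2019)


def _filler(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


OFFSET_128 = 4096
OFFSET_256 = OFFSET_128 + 176 + 2048
SAMPLE_IMAGE = (_filler(OFFSET_128) + expand_key(KEY_128)
                + _filler(2048) + expand_key(KEY_256) + _filler(4096))

if __name__ == "__main__":
    for bits, key_len in ((128, 16), (256, 32)):
        for off, key in find_aes_keys(SAMPLE_IMAGE, key_len):
            print(f"AES-{bits} key schedule at offset 0x{off:x}: {key.hex()}")
```

Run it as a script to scan the constructed image, or call `find_aes_keys(data, 32)` on the bytes of a raw dump. TrueCrypt's AES volumes use XTS mode, which keeps two 256-bit keys in memory, so a search on a real image should look for 32-byte schedules; the 16-byte case is included because the FIPS-197 vector makes its result easy to check. Pure Python is far too slow for a multi-gigabyte dump, which is why aeskeyfind does the same comparison in C. The schedules exist only while the volume is mounted (TrueCrypt wipes them on dismount), and they are independent of the passphrase cache, so an empty truecryptpassphrase result says nothing about whether the master key is still recoverable from the image.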
 

Page 1 of 2