Extract live data from a memory dump  

banderas20
(@banderas20)
Junior Member

Hi.

I have a Windows memory dump and I am analyzing it with Volatility.

I have seen many interesting processes. However, I would need to get some live data regarding these processes.
Such as linked Paths, opened documents, passwords entered, and so on.

How can I achieve this?

Many thanks!

Posted : 02/07/2019 11:18 pm
deeFIR
(@deefir)
Junior Member

Which Windows profile are you using?

SANS have a Volatility cheat sheet here: https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf

What are you hoping to achieve? Just a snapshot of *all* of the activity, or something more specific? When you say passwords, do you mean system passwords? If so, try the mimikatz plugin.

Are you able to contextualise what you're actually seeking?

Posted : 15/07/2019 6:32 am
banderas20
(@banderas20)
Junior Member

Which Windows profile are you using?

SANS have a Volatility cheat sheet here: https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf

What are you hoping to achieve? Just a snapshot of *all* of the activity, or something more specific? When you say passwords, do you mean system passwords? If so, try the mimikatz plugin.

Are you able to contextualise what you're actually seeking?

Hi!

Profile WinXPSP2

I'm trying to access the contents of files opened by process TrueCrypt.exe. Or else, the password used to mount the ciphered volume so I can access the whole contents of the container.

Thanks!

Posted : 15/07/2019 4:39 pm
Igor_Michailov
(@igor_michailov)
Senior Member

You can use Belkasoft for extracting artifacts like chat, web history, documents, processes, images, etc., from the memory dump.

Posted : 15/07/2019 7:30 pm
deeFIR
(@deefir)
Junior Member

In that case, I suggest you use Volatility’s imageinfo to identify the correct system profile, then use the truecrypt plugin to locate the volume key. Should be fairly straightforward with XP.

Posted : 15/07/2019 10:56 pm
banderas20
(@banderas20)
Junior Member

In that case, I suggest you use Volatility’s imageinfo to identify the correct system profile, then use the truecrypt plugin to locate the volume key. Should be fairly straightforward with XP.

It isn't that easy, unfortunately. The plugin shows the container, the file location, the encryption algorithm, but the passphrase plugin shows empty. Maybe the key isn't cached in the memory. All I can have is a masterkey dump.

You can use Belkasoft for extracting artifacts like chat, web history, documents, processes, images, etc., from the memory dump.

I didn't know of that software. I'll give it a try.

Thanks!

Posted : 16/07/2019 7:55 pm
deeFIR
(@deefir)
Junior Member

If it’s not cached, it’s not cached. Try running aeskeyfind against your raw memory dump and see if it locates anything.

Posted : 16/07/2019 11:17 pm
banderas20
(@banderas20)
Junior Member

If it’s not cached, it’s not cached. Try running aeskeyfind against your raw memory dump and see if it locates anything.

Hi. Yes, it yields the following:

25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252
04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
affd67a85f33c38e95a4d6ca39b97578
74c49a8db21d10bc39c71178cb55c4dd
affd67a85f33c38e95a4d6ca39b97578
affd67a85f33c38e95a4d6ca39b97578
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab
74c49a8db21d10bc39c71178cb55c4dd
74c49a8db21d10bc39c71178cb55c4dd
affd67a85f33c38e95a4d6ca39b97578
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
affd67a85f33c38e95a4d6ca39b97578
74c49a8db21d10bc39c71178cb55c4dd
Keyfind progress 100%

How do I use this?

Thanks!

Posted : 17/07/2019 7:40 am
deeFIR
(@deefir)
Junior Member

Hi. Yes, it yields the following:

25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252
04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d
5825e3d30e5e6977f7e6e9890820cacfb9aa0574b6daa7b062c162d49bc955ab

How do I use this?

Thanks!

https://github.com/AmNe5iA/MKDecrypt

They're likely your 256-bit AES keys. Combine them for your 512-bit AES key and use MKD to mount it.

Posted : 17/07/2019 8:20 am
AmNe5iA
(@amne5ia)
Active Member

Try

25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f88925204e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d

and then try

04e1afe7b6434ac1f0b73bcf6893f97867aa3ea79df231760a4331b6afb3399d25eb8884034c1f4f5acba47a0b98caaeede6dbf1beca68045250469d3f889252

Posted : 17/07/2019 8:48 am
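The triage that deeFIR and AmNe5iA describe above (keep only the 256-bit hits, discard the obvious non-keys, then try both concatenation orders for the 512-bit XTS master key), written out as an added example; it is not code from the thread or from MKDecrypt, and the aeskeyfind output it parses is a constructed sample, not the keys posted above.

```python
import itertools
import re
from collections import Counter

# Constructed sample in the shape of aeskeyfind output (one hex key per
# line, then a progress line). These are NOT the keys from the thread.
SAMPLE_OUTPUT = """\
7f0c3ab1d4e892c6a5b3f1e7c9d0a2b4e6f8a1c3d5b7e9f0a2c4d6e8f1a3b5c7
3e5a7c9e1b3d5f7a9c1e3b5d7f9a1c3e5b7d9f1a3c5e7b9d1f3a5c7e9b1d3f5a
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
9d8c7b6a5f4e3d2c1b0a99887766554433221100ffeeddccbbaa998877665544
c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6
c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6
000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
Keyfind progress 100%
"""

# aeskeyfind prints AES-128 keys as 32 hex digits and AES-256 keys as 64.
HEX_KEY = re.compile(r"^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{64}$")

def parse_aeskeyfind(text):
    """Return (key, hit_count) pairs for each distinct key, in first-seen order."""
    keys = [ln.strip().lower() for ln in text.splitlines() if HEX_KEY.match(ln.strip())]
    counts = Counter(keys)
    return [(k, counts[k]) for k in dict.fromkeys(keys)]

def is_known_pattern(key_hex):
    """True for hits that are almost certainly not volume keys: the FIPS-197
    sequential test key (00 01 02 ...) that many binaries embed, or a constant byte."""
    b = bytes.fromhex(key_hex)
    sequential = all(b[i] == i for i in range(len(b)))
    constant = len(set(b)) == 1
    return sequential or constant

def triage(text):
    """Split aeskeyfind output into plausible AES-128 / AES-256 keys and rejects."""
    found = parse_aeskeyfind(text)
    keep = [k for k, _ in found if not is_known_pattern(k)]
    return {
        "aes128": [k for k in keep if len(k) == 32],
        "aes256": [k for k in keep if len(k) == 64],
        "filtered": [k for k, _ in found if is_known_pattern(k)],
    }

def xts_candidates(keys256):
    """Every ordered pair of distinct 256-bit keys joined into a 512-bit XTS
    master-key candidate. Both orders are produced because aeskeyfind cannot
    tell the data key from the tweak key, which is why AmNe5iA says to try both."""
    return [a + b for a, b in itertools.permutations(keys256, 2)]
```

With three surviving 256-bit keys this yields six candidates to feed to the mounting tool, one of which (if the volume key was resident at capture time) is the right one.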
banderas20
(@banderas20)
Junior Member

I'll give it a try and post the results.

Thanks! D

Posted : 18/07/2019 4:53 pm
Mathieuc
(@mathieuc)
New Member

Hello,
This article might interest you: https://aio-forensics.com/recover-windows-passwords-Forensics

Posted : 14/01/2020 9:03 pm