Volatility - Dumpfi...
Clear all

Volatility - Dumpfiles

1 Posts
1 Users
Posts: 1
New Member
Topic starter

Hi everyone,

I have searched for a long time but couldn't find the answer. I'm currently doing some memory forensic on a system. I've managed to find the malicious installer "drpbx.exe", leading to a jigsaw ransomware. However, when I extract the file with the plugin "dumpfiles", I get two files "file.None.0xfffffa8000e88ea0.drpbx.exe.img" and "file.None.0xfffffa8001a29f10.drpbx.exe.dat". What's the difference between them ? I have checked http://media.blackhat.com/bh-us-11/Butler/BH_US_11_ButlerMurdock_Physical_Memory_Forensics-WP.pdf explaining that .img file come from the ImageSectionObject and .dat DataSectionObject. " ImageSectionObjects represent binaries also called images" and "DataSectionObjectsare is similar to ImageSectionObjects".

I would like to do some reverse engineering, but I'm wondering why I have two files after extracting the .exe file "drpbx.exe".

Anyone got the answer with a simple explanation ?

Posted : 20/12/2020 2:46 pm