Volatility, my own cheatsheet (Part 5): Networking

This time we try to analyze the network connections, valuable material during the analysis phase. connections To view TCP connections that were active at the time of the memory acquisition, use the connections command. This walks the singly-linked list of connection structures pointed to by a non-exported symbol in the tcpip.sys module. This command is…

How to recover event logs from a Windows memory image

Using Volatility and EVTXtract Usually i use a different approach based on Windows version: Windows XP and 2003 machines Simply use the evtlogs plugin of Volatility: The evtlogs command extracts and parses binary event logs from memory. Binary event logs are found on Windows XP and 2003 machines, therefore this plugin only works on these architectures….

Volatility, my own cheatsheet (Part 4): Kernel Memory and Objects

Let’s go down a bit more deeply in the system, and let’s go to find kernel modules into the memory dump. modules To view the list of kernel drivers loaded on the system, use the modules command. This walks the doubly-linked list of LDR_DATA_TABLE_ENTRY structures pointed to by PsLoadedModuleList. Similar to the pslist command, this relies on…

Hindsight: Internet history forensics for Google Chrome/Chromium

An Open Source tool for analyzing web artifacts. Hindsight is a open source tool for parsing a user’s Chrome browser data. Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies). Once…