How to retrieve user’s passwords from a Windows memory dump using Volatility

About Volatility i have written a lot of tutorials, now let’s try to use this information in a real context extracting the password hashes from a windows memory dump, in 4 simple steps. 1. Identify the memory profile First, we need to identify the correct profile of the system: [email protected]:~# volatility imageinfo -f test.elf Volatility…

Volatility, my own cheatsheet (Part 8): Filesystem

With this part, we ended the series dedicated to Volatility: the last ‘episode’ is focused on file system. If you want to read the other parts, take a look to this index: Image Identification Processes and DLLs Process Memory Kernel Memory and Objects Networking Windows Registry Analyze and convert crash dumps and hibernation files Filesystem And…

Volatility, my own cheatsheet (Part 7): Analyze and convert crash dumps and hibernation files

Volatility supports memory dumps in several different formats, to ensure the highest compatibility with different acquisition tools. You can analyze hibernation files, crash dumps, virtualbox core dumps, etc in the same way as any raw memory dump and Volatility will detect the underlying file format and apply the appropriate address space. You can also convert…

Volatility, my own cheatsheet (Part 6): Windows Registry

Volatility has the ability to carve the Windows registry data. (Other articles about Volatility: https://www.andreafortuna.org/category/volatility) hivescan To find the physical addresses of CMHIVEs (registry hives) in memory, use the hivescan command. For more information: Enumerating Registry Hives The Windows registry can be an important forensic resource. Harlan Carvey has written extensively on various aspects of…moyix.blogspot.it This…

Volatility, my own cheatsheet (Part 5): Networking

This time we try to analyze the network connections, valuable material during the analysis phase. connections To view TCP connections that were active at the time of the memory acquisition, use the connections command. This walks the singly-linked list of connection structures pointed to by a non-exported symbol in the tcpip.sys module. This command is…

Volatility, my own cheatsheet (Part 4): Kernel Memory and Objects

Let’s go down a bit more deeply in the system, and let’s go to find kernel modules into the memory dump. modules To view the list of kernel drivers loaded on the system, use the modules command. This walks the doubly-linked list of LDR_DATA_TABLE_ENTRY structures pointed to by PsLoadedModuleList. Similar to the pslist command, this relies on…