DIGITAL FORENSICS: Retrieve the hostname from a memory dump
Today we will find the computer name from a memory dump; there is a lab you can try it on.
This tutorial explains how to retrieve the hostname of the machine from which the memory dump has been taken.
Memory Forensics Lab
- Download Memory
- Volatility Framework 2.6.1
First, we want to get the profile:
.\volatility.exe --plugins="C:\Users\AAA\Downloads\VolatilityWorkbench-v2.1\profiles" --filename="F:\18 Computer Forensics\CTF\Hackfest.tn\Q1\MEM\lab.raw" imageinfo
Then, we list the registry hives to get the virtual offset of the SYSTEM hive, which holds the key containing the hostname:
.\volatility.exe --plugins="C:\Users\AAA\Downloads\VolatilityWorkbench-v2.1\profiles" --filename="F:\18 Computer Forensics\CTF\Hackfest.tn\Q1\MEM\lab.raw" --profile=Win7SP1x64_23418 --kdbg=0xf80002846070 hivelist
Now, let's print the registry key that reveals the hostname, passing the SYSTEM hive offset from hivelist with -o:
.\volatility.exe --plugins="C:\Users\AAA\Downloads\VolatilityWorkbench-v2.1\profiles" --filename="F:\18 Computer Forensics\CTF\Hackfest.tn\Q1\MEM\lab.raw" --profile=Win7SP1x64_23418 --kdbg=0xf80002846070 printkey -o 0xfffff8a000024010 -K 'ControlSet001\Control\ComputerName\ComputerName'
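As an added example (not from the original post and not part of Volatility itself), a small Python helper that picks the SYSTEM hive offset out of hivelist output, builds the matching printkey command line, and extracts the ComputerName value from the printkey result. The hivelist and printkey text below is constructed to mimic Volatility 2.6.1 output (the offsets are the ones shown above; the hostname is a placeholder), and the volatility executable name is assumed.

```python
import re

# Constructed sample of Volatility 2 `hivelist` output (not a real capture from the lab image).
HIVELIST_OUTPUT = """Volatility Foundation Volatility Framework 2.6.1
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00000f010 0x000000002a1c0010 [no name]
0xfffff8a000024010 0x000000002a1e3010 \\REGISTRY\\MACHINE\\SYSTEM
0xfffff8a000053410 0x000000002ab9e410 \\SystemRoot\\System32\\Config\\SECURITY
"""

# Constructed sample of `printkey` output; the hostname is a placeholder, not the lab's answer.
PRINTKEY_OUTPUT = """Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: \\REGISTRY\\MACHINE\\SYSTEM
Key name: ComputerName (S)
Last updated: 2018-11-10 15:32:12 UTC+0000

Subkeys:

Values:
REG_SZ        (Default)        : (S) mnmsrvc
REG_SZ        ComputerName     : (S) LAB-PC-CONSTRUCTED
"""

HOSTNAME_KEY = r"ControlSet001\Control\ComputerName\ComputerName"
HIVE_LINE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S.*?)\s*$", re.I)
VALUE_LINE = re.compile(r"^REG_SZ\s+ComputerName\s*:\s*\([SV]\)\s*(.*?)\s*$")


def find_system_hive(hivelist_text):
    """Return the virtual offset of the SYSTEM hive, or None if no such line exists."""
    for line in hivelist_text.splitlines():
        m = HIVE_LINE.match(line)
        if m and m.group(3).upper().endswith("\\SYSTEM"):
            return m.group(1)
    return None


def build_printkey_cmd(image, profile, hive_offset, key=HOSTNAME_KEY, vol="volatility"):
    """Build the printkey command as an argument list (no shell quoting needed); `vol` is assumed."""
    return [vol, "--filename=" + image, "--profile=" + profile,
            "printkey", "-o", hive_offset, "-K", key]


def parse_hostname(printkey_text):
    """Extract the ComputerName REG_SZ value from printkey output, or None if absent."""
    for line in printkey_text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            return m.group(1)
    return None
```

If the active control set on the imaged machine is not ControlSet001, read HKLM\SYSTEM\Select\Current first and pass the matching ControlSetNNN path as the key.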
Ref:
https://www.aldeid.com/wiki/Volatility/Retrieve-hostname
https://www.aldeid.com/wiki/Volatility#connections