Memory Analysis Cheatsheet & Tools

Analysis

Volatility is the go-to framework for memory analysis. There are two versions: Volatility 2 (Python 2) and Volatility 3 (Python 3). They are quite similar, but Volatility 2 still has more plugins and open-source contributions, so it is worth keeping both available.

If Python 2 is not installed, you can install it and a matching pip like so:

    sudo apt install python2
    curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
    python2 get-pip.py

Then install Volatility 2 following its Installation Instructions. If you installed pip with the commands above, use python2 -m pip wherever the instructions say pip, so the packages land in the Python 2 environment rather than in your system Python 3.

Volatility 3 is invoked the same way for every plugin: point it at the image and name the plugin (the entry point is vol3 on some distributions and vol when installed from pip):

    vol3 -f /path/to/memory/dump [pluginname]
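A worked example of where this goes next: the process list is usually the first plugin output to triage, and the classic tell is a core Windows process with a parent it should never have. The Python below is added here for this cheatsheet and is not code from the page or from the Volatility project. It assumes the Volatility 3 JSON renderer (vol -r json -f image windows.pslist) returns a list of objects whose column names are PID, PPID and ImageFileName; the expected-parent table is the usual triage heuristic, and the process list at the bottom is constructed, with an extra lsass.exe and an svchost.exe spawned by explorer.exe.

```python
"""Triage a Volatility 3 windows.pslist result for parent/child relationships
that Windows does not produce on its own.

Added example, not part of the original page or of Volatility. It assumes the
JSON renderer (vol -r json -f image windows.pslist) emits one object per process
with integer PID/PPID and a string ImageFileName; verify the field names against
your Volatility 3 version before relying on this.
"""
import json
import subprocess

# Parent Windows normally gives these processes (names lower-cased). Only processes
# whose parent is still alive on a healthy system are listed: csrss.exe, winlogon.exe
# and wininit.exe are spawned by a per-session smss.exe copy that exits, so their
# PPID is legitimately stale and would only create noise.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "taskhostw.exe": "svchost.exe",
}
# Processes that exist exactly once on a clean system.
SINGLETONS = ("wininit.exe", "services.exe", "lsass.exe")


def find_anomalies(records: list) -> list:
    """Return one finding per suspicious process; an empty list means a clean pslist."""
    by_pid = {r["PID"]: r for r in records}
    counts = {}
    findings = []
    for r in records:
        name = r["ImageFileName"].lower()
        counts[name] = counts.get(name, 0) + 1
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue
        parent = by_pid.get(r["PPID"])
        actual = parent["ImageFileName"].lower() if parent else f"PID {r['PPID']} (not in list)"
        if actual != expected:
            findings.append(f"PID {r['PID']} {name}: parent is {actual}, expected {expected}")
    for name in SINGLETONS:
        if counts.get(name, 0) > 1:
            findings.append(f"{counts[name]} instances of {name}, expected exactly one")
    return findings


def load_pslist(image: str, vol: str = "vol") -> list:
    """Run windows.pslist through the JSON renderer and parse it (needs Volatility 3 installed)."""
    out = subprocess.run([vol, "-r", "json", "-f", image, "windows.pslist"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


# Constructed sample in the shape of the JSON output, not from a real image.
SAMPLE_PSLIST = [
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System"},
    {"PID": 348,  "PPID": 4,    "ImageFileName": "smss.exe"},
    {"PID": 464,  "PPID": 420,  "ImageFileName": "wininit.exe"},   # stale PPID, normal
    {"PID": 572,  "PPID": 464,  "ImageFileName": "services.exe"},
    {"PID": 584,  "PPID": 464,  "ImageFileName": "lsass.exe"},
    {"PID": 740,  "PPID": 572,  "ImageFileName": "svchost.exe"},
    {"PID": 2216, "PPID": 2180, "ImageFileName": "explorer.exe"},
    {"PID": 3388, "PPID": 2216, "ImageFileName": "lsass.exe"},     # impostor under explorer
    {"PID": 3412, "PPID": 2216, "ImageFileName": "svchost.exe"},   # svchost not under services
]

if __name__ == "__main__":
    import sys
    records = load_pslist(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PSLIST
    for line in find_anomalies(records) or ["no parent/child anomalies found"]:
        print(line)
```

Run it with the image path as its only argument to go through Volatility, or with no arguments to see it flag the constructed sample (two bad parents plus a duplicate lsass.exe). Parents that Windows legitimately leaves stale are left out of the table on purpose; otherwise every clean image would produce findings.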

Rekall is deprecated, so you will need to install it manually and make a few tweaks to get it working on your system. The only reason to install Rekall at all is that the pypykatz rekall reader used below depends on it.

Rekall only works up to Python 3.6, so you will have to install that interpreter alongside your system Python and keep Rekall in its own virtualenv:

    sudo add-apt-repository ppa:deadsnakes/ppa
    sudo apt-get update
    sudo apt install python3.6
    sudo apt install python3.6-distutils
    virtualenv --python=/usr/bin/python3.6 rekall_env

    source rekall_env/bin/activate
    python3.6 -m pip install --upgrade setuptools pip wheel
    python3.6 -m pip install rekall-agent rekall
    python3.6 -m pip install pypykatz

swap_digger is useful when you are dealing with a Linux disk image rather than a RAM capture: it searches the swap file for credentials and other secrets that were paged out. It needs root to read the swap file:

    sudo ./swap_digger.sh /path/to/swapfile

Artifact Analysis: Credentials

pypykatz: LOVE this package. It mimics mimikatz but runs outside Windows, so you can pull credentials out of LSASS memory from a Linux analysis box. The rekall reader below works on a full memory dump (and is why Rekall was installed above); if you only have an lsass.exe minidump, use pypykatz lsa minidump instead.

    pypykatz lsa rekall /path/to/memory.dump

WinDbg + mimilib.dll

If you are using a Windows VM/environment, you can use this combination to dump credentials/secrets from a memory dump.

First, download WinDbg and mimilib.dll (it ships with mimikatz; use the build that matches the bitness of the dump). Then open your memory file as a crash dump (File > Open Crash Dump) and run the following in the command window. Symbols must resolve for lsass.exe before !mimikatz can walk its structures, which is what the .symfix and .reload lines take care of:

    .symfix
    .reload
    .load /path/to/mimilib.dll
    !process 0 0 lsass.exe
    .process /r /p <EPROCESS address printed by the previous command>
    !mimikatz

The last command prints whatever secrets mimikatz can recover from LSASS memory in the dump.

Dpapi Dumper

    sudo mkdir /mnt/Windows

findaes is a good tool, especially as it prints the offset where each key was found. It works by looking for expanded AES key schedules (the round keys derived from a key that has actually been used), so it finds 128-, 192- and 256-bit keys but will miss a key that is only stored and never expanded. With the offset in hand, open the dump in a hex viewer at that position to see the context around the key.

    ./findaes /path/to/memory.dump
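To make clear what findaes is actually matching, here is an added Python implementation of the same key-schedule search. It is not findaes's code and not from the original page. It derives the S-box and runs the FIPS-197 key expansion itself, so it has no dependencies; the image it scans is constructed (seeded random filler with one AES-128 and one AES-256 schedule embedded), and the 4-byte prefilter on w[Nk] is a design choice of this example, not a claim about findaes internals.

```python
"""Scan a raw memory image for expanded AES key schedules, the technique behind findaes.
Added example, not findaes's code and not from the page: a key that has been used sits
in memory next to its round keys, which are derived from the key alone, so every offset
is tried as a candidate 128/192/256-bit key and reported when its expansion follows it."""
import random

def build_sbox() -> list:
    """AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    def rotl8(x: int, s: int) -> int:
        return ((x << s) | (x >> (8 - s))) & 0xFF
    sbox = [0] * 256
    p = q = 1  # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                              # q /= 3 (q *= 0xF6)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse
    return sbox

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion: 176, 208 or 240 bytes for a 16-, 24- or 32-byte key."""
    nk = len(key) // 4
    if nk not in (4, 6, 8):
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):
        temp = words[i - 1][:]
        if i % nk == 0:
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # SubWord(RotWord(temp))
            temp[0] ^= RCON[i // nk - 1]
        elif nk == 8 and i % nk == 4:
            temp = [SBOX[b] for b in temp]
        words.append([a ^ b for a, b in zip(words[i - nk], temp)])
    return bytes(b for w in words for b in w)

def first_round_word(key: bytes) -> bytes:
    """Only w[Nk]: a 4-byte check that rejects almost every offset without a full expansion."""
    last = key[-4:]
    temp = [SBOX[b] for b in last[1:] + last[:1]]
    temp[0] ^= RCON[0]
    return bytes(a ^ b for a, b in zip(key[:4], temp))

def find_aes_keys(data: bytes, key_sizes=(16, 24, 32)) -> list:
    """Return (offset, key bits, key) for every expanded schedule found in data."""
    hits = []
    for size in key_sizes:
        total = 16 * (size // 4 + 7)  # full schedule length for this key size
        for off in range(len(data) - total + 1):
            key = data[off:off + size]
            if first_round_word(key) != data[off + size:off + size + 4]:
                continue
            if expand_key(key) == data[off:off + total]:
                hits.append((off, size * 8, key))
    return sorted(hits)

def hexdump(data: bytes, offset: int, length: int = 48) -> str:
    """Context around a hit, i.e. what the page suggests checking in a hex viewer."""
    lines = []
    for start in range(offset, min(offset + length, len(data)), 16):
        chunk = data[start:start + 16]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{start:08x}  {hexpart:<47}  {text}")
    return "\n".join(lines)

FIPS_KEY_128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 test key
SAMPLE_KEY_256 = bytes(range(32))                                 # arbitrary demo key

def build_sample_image() -> bytes:
    """Constructed stand-in for a dump: seeded random filler with two embedded schedules."""
    rng = random.Random(2024)
    def filler(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))
    return (filler(3000) + expand_key(FIPS_KEY_128)       # AES-128 schedule at offset 3000
            + filler(1500) + expand_key(SAMPLE_KEY_256)   # AES-256 schedule at offset 4676
            + filler(800))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for off, bits, key in find_aes_keys(data):
        print(f"AES-{bits} key schedule at offset 0x{off:x}, key {key.hex()}")
        print(hexdump(data, off))
```

Pure Python is far too slow for a multi-gigabyte dump, which is why you run findaes on real images; this is for understanding its output. The hexdump of each hit is the context the page suggests looking at, and a key that is present in memory but was never expanded produces no schedule and therefore no hit, for this scanner and for findaes alike.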

Artifact Analysis: Misc

Strings

Basic, and honestly reliable. Note that the GNU strings flags are lower-case: -a forces a scan of the whole file, and -e l selects 16-bit little-endian (UTF-16LE) strings, which is how most Windows text lives in memory. Run both passes, or you will miss the wide strings:

    strings -a /path/to/memorydump > memorydump_ascii.txt
    strings -a -e l /path/to/memorydump > memorydump_utf16le.txt

Binwalk

This is especially useful when you have dumped a single process's full memory and want to carve embedded files out of it. --dd takes a regular expression matched against binwalk's signature descriptions, so '.*' extracts everything it recognises; narrow it to one type (here PNG images, written with a .png extension) when the output gets noisy:

    binwalk --dd='.*' /path/to/process.dump
    binwalk --dd='png image:png' /path/to/process.dump
