Introduction to Memory Forensics
Vložit
- čas přidán 24. 05. 2017
- An introduction to memory forensics and a sample exercise using Volatility 2.6 to analyze a Windows 10 image.
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #MemoryForensics - Věda a technologie
5 years later and this video still incredible. Amazing explanation, make things much easier to understand how it works. congrats and thank you for share your knowledge with us .
I’ve been using this channel to reinforce what I’ve been learning in the SANS FOR508 and course and it’s helped me so much. Thank you!
This is a perfect primer! Thanks a lot for the effort and sharing it to the community. Huge fun of your work :)
Richard , Thanks for such wonderful Explanation , I completed SANS508 because of this
Very good tutorial for forensic analysis of memory. Keep up the good work.
Hi,
A very informative tutorial for learning memory forensics. Nicely presented. Thanks
wonderful Explanation. thanks for sharing this contents with us
I learned a lot from ur video
Really ur videos are awesome and
Thank You So Much For The Video
Great Sir. Nice and clean info with demo on memory forensic.
Thank you for the informative video on memory forensics. I am a beginner and found this video very helpful.
Incredible content, presented so well! Thanks for doing this.
Great video - thank you!
Awesome video sir!
i didn't understand anything in class but you can clearly explain this and makes me understand! thank you!
Sorry to be offtopic but does someone know a trick to log back into an Instagram account?
I somehow lost the password. I would appreciate any assistance you can offer me
@@louisarturo5111 sus
best video about volatility ever
AWESOME video man. You have a great caster voice, you should do voiceovers or commercials.
awesome content
Great video... Thanks...
Perfect class❤️
Awesome series Richard! keep up these great videos!!
Great video, I learned a lot. I will have to check out this red line tool as well.
How do I find out who is in control of any assets that I didn’t know I had.
great great video, tqu for this usefull video sir
Amazing- Thank you
This was nice to watch.
Absolutely 👍
Well done! thanks!
L Barrera Thanks! Be sure to check out the playlist for the remaining episodes in the series, as there are plenty more.
Hello sir. Are we going to use writeblocker while capturing ram?
Hey Richard, thank you for the videos, I started to fiddle with volatility, is it normal that imageinfo takes hours to run and still doesnt complete? I tried it on a 32GB memdump and a 16GB one, on the 32GB it ran for 2.5 hours before I hit control+c, the 16GB is running now for close to an hour without any output. (Drive is an ssd, hardware is modern 4 core processor, not much processor utilization but always max I/O read on drive.)
Also just wanted to say thank you for turning me into digital forensics, these past few weeks I've religiously went through your Windows Forensics series taking notes, now starting this one, then I guess onto your other videos. Always heard that you could do these things and all this information is available you just gotta know how to get it from the system... well now I know some of it and thats thanks to you, so again just wanted to say your work being appreciated. :)
Hi, thank you for the great feedback! Regarding imageinfo, yes, it can take a long while. Two things - 1) try to use kdbgscan. However, keep in mind that if you know the build number for the version of Windows from which the memory capture was acquired, there is no need to run this. Just specify the correct Volatility profile. You can view the installed profiles by running vol.py --info. 2) Volatility 3, which is now in public beta, will (soon) replace version 2. The new version 3 no longer requires profiles to be specified. Check out the episode I made covering it.
@@13Cubed Hey, thanks for the reply
just got to the Volatility Profiles video which made some things clear, the OS version was 18363, while volatility only has 18362 profile. Even still it did work with that profile with pslist, but imageinfo (nor kdbgscan) still cant handle the .mem file itself... I set the debug flag in the command and it just went around with Trying one after the other, then came back with "No suitable address space mapping found" after i maxed the niceness of the process... anyway, not having to figure out profiles is gonna be a great addition, definitely gonna check out version 3!
What software do you use to aquire the memory dump? Is there a good free alternative available?
DumpIt, winpmem, Magnet RAM Capture, FTK Imager are all available for free, just to name a few.
Great training video. Thank you for sharing your knowledge with us peasants
Great presentation. Can you make available the Windows 10 image.
Detectware CTF I have a new episode in the Memory Forensics series coming later this month. The corresponding memory image will be released alongside it. I think you will find it very useful.
Hi, 13Cubed! I just wanted to know if it is possible to track your computer's activity for a given day. Example, if I wanted to know what files were opened, how long a file was opened, etc. I have not finished watching your videos yet but this is the reason why I am watching them. If you have something that does that, can you please point me to the right direction? Thanks!
A super timeline creation tool like Log2Timeline would enable you to profile a large number of forensic artifacts, and then using Excel you could filter/sort to extract data from the time period in which you're interested. I've got an upcoming video covering this, but it's still in production now.
Hello, does this still uses Volatility or solely Log2Timeline?
Greetings,
At the 20:32 time mark, you ran:
volatility -f -memdump.mem --profile=Win10x64_14393 -h
Part of the output from that command included:
truecryptmaster Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase TrueCrypt Cached Passphrase Finder
truecryptsummary TrueCrypt Summary
Would you please explain, under what circumstances, TrueCrypt is vulnerable?
Is it specific to only version 7.1a?
The virtues of truecrypt and veracrypt are that they are open source, and supposedly have no known technical (or design) vulnerabilities (other than user errors -- such as using "password1" for a passphrase or having a keylogger in the OS, etc). So seeing the above truecrypt references is news to me.
Is VeraCrypt also susceptible or vulnerable via "volatility" or any other forensics software?
It would be good to know if the vault a person is using can be opened by others.
What should the user do to keep their encrypted volumes from being compromised?
I am not asking how to break into other people's encrypted volumes.
I am asking how to keep my encrypted volumes safe from an attacker. Can I trust VeraCrypt?
Thank you.
Quick question, I get nothing back when i run cmdscan or consoles on a win 10 memory image. Why is that?
I haven't had much success with those plugins in Windows 10. Try dumping process memory (memdump, not procdump) associated with any conhost.exe processes and extracting data with strings. That's sometimes useful.
Hey there, what does PID -1 mean when running the netscan command?
The plug-in did not properly parse that information from memory. Occasionally you'll see output like that.
@@13Cubed Thank you for your quick answer, subscribers +1 :)
@@13Cubed Oh man, turns out I had to use a different Profile - now I have the correct PID :)
How can we know which profile to use?
I never use plug ins and I think a lot of data was added by hackers in my network and pinging or remote acess and SIM cards being remotely inserted.
no1 tutorial on memory forensics on youtube.
what tool would you use to analyze a process dump file? (in this case : 3960.dmp)
If you dump the process binary itself, say with procdump in Volatility, you can reverse it and analyze it as you would any other binary. If you dump the process memory, say with Volatility's memdump plugin, strings may be your best bet to extract anything valuable therein.
@@13Cubed thank you very much for your quick reply. it helps newbies like me quite a bit :)
is it possibleto detect kernel level rookits using Volatility 2.6 ??
sarath kumar Sure, though rootkits are less common present day than they used to be.
a question. you knew which profile to use. in case i don't is it back to trial and error or is there a better way?
Prashant Jaiswal Use imageinfo or kdbgscan. Check out the Introduction to Memory Forensics playlist. I think you’ll find it very useful.
@@13Cubed thank you! .. I'll do that right now. :)
What was the python script for netscan? Abibas?
Abeebus - got an episode coming out about that. github.com/13Cubed/Abeebus
Hello, I am a starter in Volatility. I am getting a volatility.debug error (file doesn't exist). Also I can't locate the memory dump in my Kali Linux VM. I really appreciate your help!!
You should be able to point to the memory file you want to analyze via the -f flag. Make sure the path after -f points to a valid file (full path and filename).
when i used hashdump,cmdscan,console plugins i got nothing in output can anyone tell me why is it happening like that i used windows 10 memory image and volatility
Those plugins no longer work with newer builds of Windows 10. You can dump the process memory (memdump) for conhost.exe processes and run strings against them to extract command line output. Also check out the public beta for Volatility 3, which includes a plugin called "windows.cmdline.CmdLine", which, in my brief testing, does appear to support Windows 10.
We need to identify why Microsoft software is even on my mobile device?
I did reset a friends phone because it had a bug. And I believe it was a danger.
is this tied to 508 or 526 ?
Neither - this is my own material, created from practice labs. That said, some of the topics explored here will definitely be covered in more depth within both courses.
I need 30 hours of DFIR training. How could I get documented training?
SANS has numerous free webcasts you can sign up for and earn CPE credits.
@@13Cubed Thanks. I will look on there again
My only child is grown born in the 80’s
Hello! Thank you for informative video content. I would like to know how to get the file memdump.mem?
You would use a memory capture utility such as WinPmem, Magnet RAM Capture, etc.
I believe it may be caused by a hacker
I have not dumped any files
Anything evil is spam
I do not have any children