Memory Forensics

volatility

https://blog.csdn.net/m0_68012373/article/details/127419463

https://blog.csdn.net/zjjcxy_long/article/details/108315214

vol2

Volatility 2 runs on Python 2, so the interpreter and pip used below must be the Python 2 ones.

https://github.com/volatilityfoundation/volatility.git

  1. git clone the repository, then cd volatility
  2. sudo python2 setup.py install
  3. pip2 install pycryptodome
  4. pip2 install distorm3

vol.py -f 1.raw imageinfo  # identify the image: suggested profiles, KDBG, image date and time (the first suggested profile is the one used in the commands below)

vol.py -f 1.raw --profile=Win7SP1x64 pslist  # list processes by walking the active process list

vol.py -f 1.raw --profile=Win7SP1x64 psscan  # scan memory for EPROCESS structures, so hidden (unlinked) and terminated processes show up too

# Extracting a process

vol.py -f 1.raw --profile=Win7SP1x64 memdump -n iexplore.exe -D ./  # dump the process's addressable memory to a .dmp file (-n takes a name regex, -p a PID)

vol.py -f 1.vmem --profile=Win7SP1x64 procdump -n iexplore.exe -D ./  # rebuild the process's main executable and write it out as an .exe

vol.py -f 1.vmem --profile=Win7SP1x64 dlldump -n iexplore.exe -D ./  # write out every DLL loaded by the process

vol.py -f 1.vmem --profile=Win7SP1x64 dumpregistry -D ./  # dump all registry hives found in memory

vol.py --plugins volatility/plugins/ -f 1.raw --profile=Win7SP1x64 mimikatz  # recover credentials with the third-party mimikatz plugin (--plugins points at the directory holding mimikatz.py); the clipboard plugin is another place to look for a flag

vol.py -f 1.vmem --profile=Win7SP1x64 iehistory  # Internet Explorer browsing history

vol.py -f 1.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000001e742dd0 -D ./  # extract one file by the physical offset of its FILE_OBJECT, as printed by filescan

vol.py -f 1.raw --profile=Win7SP1x64 envars | grep 'FLAG'  # process environment variables

vol.py -f 1.raw --profile=Win7SP1x64 hivelist  # registry hives loaded in memory, with their virtual and physical offsets

vol.py -f 1.raw --profile=Win7SP1x64 hivedump -o 0xfffff8a00148a420  # dump the hive at that virtual offset (taken from hivelist)

strings mem.vmem | grep "flag"  # raw string search over the whole image; Windows stores many strings as UTF-16LE, so repeat it with strings -e l
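The commands above are run one at a time and their output is read by eye. The script below, added here as an example (it is not part of the post and not Volatility's own code), shows how a triage run is usually chained: pick the profile out of imageinfo, compare pslist against psscan to surface unlinked processes while separating them from processes that merely exited, and look up a hive's virtual offset from hivelist so it can be passed to hivedump. The function names are mine, the column positions assume the Volatility 2.6 text output of those plugins, and the plugin outputs embedded below are constructed samples, not captures from a real image.

```shell
#!/bin/sh
# Added example: helpers that parse Volatility 2 plugin output.
# Function names are hypothetical; samples below are constructed, not real dumps.

# First profile on imageinfo's "Suggested Profile(s)" line (output on stdin).
suggested_profile() {
    sed -n 's/.*Suggested Profile(s) *: *\([^, ]*\).*/\1/p' | head -n 1
}

# Processes present in psscan output ($2) but absent from pslist output ($1).
# Both plugins print Offset, Name, PID as the first three columns.
# psscan appends a "Time exited" stamp (3 extra fields) for terminated
# processes; those are leftovers in memory, not unlinked ones, so they are
# reported with "(exited)" instead of being mistaken for hidden processes.
hidden_processes() {
    awk 'FILENAME == ARGV[1] { if ($1 ~ /^0x/) listed[$3] = 1; next }
         $1 ~ /^0x/ && !($3 in listed) {
             printf "%s %s%s\n", $3, $2, (NF >= 11 ? " (exited)" : "")
         }' "$1" "$2"
}

# Virtual offset of the first hive whose path ends in the given name
# (SAM, SYSTEM, ntuser.dat ...), from hivelist output on stdin.
hive_offset() {
    awk -v want="$1" '$1 ~ /^0x/ {
        path = $3; sub(/.*\\/, "", path)      # keep the last path component
        if (tolower(path) == tolower(want)) { print $1; exit }
    }'
}

# Constructed sample outputs so the helpers can be exercised offline.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/imageinfo.txt" <<'EOF'
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                           DTB : 0x187000L
EOF

cat > "$WORK/pslist.txt" <<'EOF'
Volatility Foundation Volatility Framework 2.6.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c9b040 System                    4      0     87      468 ------      0 2022-10-17 08:40:12 UTC+0000
0xfffffa8001a3d060 smss.exe                272      4      2       29 ------      0 2022-10-17 08:40:12 UTC+0000
0xfffffa8002310b30 explorer.exe           1200   1176     31      904      1      0 2022-10-17 08:41:05 UTC+0000
EOF

cat > "$WORK/psscan.txt" <<'EOF'
Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003d2b3040 System                4      0 0x0000000000187000 2022-10-17 08:40:12 UTC+0000
0x000000003e1a2060 iexplore.exe       2312   1200 0x000000003c4f2000 2022-10-17 08:51:33 UTC+0000
0x000000003c8f0b30 explorer.exe       1200   1176 0x000000002a110000 2022-10-17 08:41:05 UTC+0000
0x000000003a77d060 notepad.exe        1540   1200 0x000000003b0e4000 2022-10-17 08:45:10 UTC+0000   2022-10-17 08:47:02 UTC+0000
0x000000003b19e060 smss.exe            272      4 0x0000000028a51000 2022-10-17 08:40:12 UTC+0000
EOF

cat > "$WORK/hivelist.txt" <<'EOF'
Volatility Foundation Volatility Framework 2.6.1
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000001bd0e010 [no name]
0xfffff8a00148a420 0x000000002f4a3420 \SystemRoot\System32\Config\SYSTEM
0xfffff8a000e74010 0x000000002a4f8010 \SystemRoot\System32\Config\SAM
0xfffff8a001a27010 0x0000000031c33010 \??\C:\Users\user\ntuser.dat
EOF

PROFILE=$(suggested_profile < "$WORK/imageinfo.txt")
echo "profile: $PROFILE"
echo "in psscan but not in pslist:"
hidden_processes "$WORK/pslist.txt" "$WORK/psscan.txt"
echo "SAM hive at $(hive_offset SAM < "$WORK/hivelist.txt")"

# Against a real image the same helpers drive the commands from the post:
#   vol.py -f 1.raw imageinfo > imageinfo.txt
#   vol.py -f 1.raw --profile="$PROFILE" pslist > pslist.txt
#   vol.py -f 1.raw --profile="$PROFILE" psscan > psscan.txt
#   vol.py -f 1.raw --profile="$PROFILE" hivelist > hivelist.txt
#   vol.py -f 1.raw --profile="$PROFILE" hivedump -o "$(hive_offset SAM < hivelist.txt)"
```

On the samples this prints Win7SP1x64 as the profile, reports iexplore.exe (PID 2312) as the only process pslist missed while flagging notepad.exe (PID 1540) as merely exited, and resolves the SAM hive to 0xfffff8a000e74010. A process that appears only in psscan without an exit time is the case worth chasing with memdump and procdump; an exited one usually just reflects normal churn before the capture.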

Disk Forensics


http://example.com/2024/09/10/内存取证/
Author: chaye
Posted on: September 10, 2024