4.3 Other Tools


Time
4 hours 15 minutes
Difficulty
Beginner
CEU/CPE
4
Video Transcription
00:00
Hi. Welcome back to the course. In this lab, we're going to analyze a memory dump file with Volatility, an open source memory forensics framework for incident response and malware analysis.
00:10
The reason this type of information is called volatile is because it is stored in the system memory, and when the computer gets restarted, this information in memory disappears.
00:19
For this lab, you will need a Windows machine and a browser to download the tool.
00:25
You will also need a decompression program such as 7-Zip, as we will see,
00:30
and you will need a memory dump file. It can be a raw, .mem, or .dmp file, among many others. You can generate one using tools such as dd, DumpIt, or the Windows crash dump utility.
00:44
First, you need to log in to your Windows machine,
00:48
open a web browser,
00:51
because we need to download Volatility from the website.
00:56
You can go there and visit the website, volatilityfoundation.org,
00:59
and download it.
01:03
We're going to download the latest version of Volatility
01:07
and save it on our computer.
01:08
I'm going to save it in my local disk under a folder named Temp.
01:19
Now, we're going to unzip it,
01:26
but just the .exe
01:29
file, the executable file
01:32
that is located in the folder,
01:34
which is the executable.
01:49
Make sure that you have
01:52
the memory dump in the same folder as the tool. In my case, I have this file
01:59
called memory.mem
02:01
in this folder, and this file is the one we're going to analyze.
02:06
Now, open a command prompt window by typing cmd in the Start menu.
02:15
Now, you need to
02:16
change the path
02:19
or the location. The path where Volatility is located, in my case, is in the local disk,
02:24
but let me check the path first.
02:29
I'm going to change to this location,
02:32
the folder named Temp that I have.
02:38
Now, we can start
02:39
typing Volatility commands.
02:51
The first one
02:53
is imageinfo, which is the first command that we're going to use.
02:58
It will give you some information about the file and the list of suggested profiles.
03:01
The syntax of Volatility
03:07
is this one here:
03:09
first you
03:12
type the name of the executable, followed by -f, which is the file we're going to analyze, followed by
03:19
the other commands.
03:22
In my case, I'm going to type
03:23
this one here.
03:25
Make sure that you replace memory.mem with your memory file
03:31
and press Enter.
03:40
And as we can see, Volatility tells us
03:46
that this image file
03:50
corresponds to a Windows XP
03:53
machine.
03:54
In this case, this is just a suggested profile, Windows XP Service Pack 3.
04:01
But
04:02
by taking a look
04:04
at the image type,
04:06
or the service pack,
04:09
it is 2.
04:12
We are now sure that the Windows
04:15
version of Windows is Windows XP Service Pack 2.
04:25
Now, to know what profiles are supported by this version of Volatility,
04:30
you can type
04:31
the --info command.
04:34
You will see the list with all the profiles
04:41
it supports.
04:54
As you can see, here is the list
04:57
with all the commands
04:59
and the profiles supported by this version of Volatility.
05:06
Now, to see the list of processes that were running in the machine
05:10
when the memory dump was generated,
05:13
we will use the command pslist.
05:18
The syntax is the same,
05:20
so we just
05:24
copy and paste it over there
05:28
in the command prompt.
05:31
The only change here is that now we're going to use the profile
05:35
option
05:36
to let Volatility know that we're dealing with the Windows XP Service Pack 2 machine.
05:46
Make sure to change
05:48
this profile
05:50
to the one that fits
05:53
your
05:55
image file
05:56
or memory file.
06:06
pslist will give you the process name and ID, and more information about the processes, such as the date when they started, and so on.
06:19
As you can see here, this is
06:21
the full list of processes.
06:31
Now, we're going to use the
06:33
command
06:35
pstree.
06:38
This is to analyze the processes in a tree format.
06:44
The syntax is the same. But in this case, instead of pslist, we're going to type pstree
06:50
and press Enter.
06:54
You will see the same processes, but in a nicer view
06:57
with less detail.
06:59
Now, we will use the command psscan to analyze the terminated processes.
07:05
It could be the case that the malware process was not in execution at this moment;
07:10
in this case, this command couldn't find it,
07:14
but with psscan
07:15
we can find it.
07:18
So instead of pstree,
07:21
we should type psscan.
07:28
You can see here the list of terminated processes.
07:31
Now, it could be that you
07:34
may want to save these results in a text file.
07:39
To save any result
07:42
to a file,
07:44
you can type
07:46
the normal Volatility command
07:48
followed
07:50
by the greater-than symbol (>)
07:55
and the name
07:56
of the text file
07:59
to generate.
08:00
In this case, I'm going to name it result
08:03
.txt
08:05
and press Enter.
08:09
The file is going to be saved in the same folder where the tool is located.
08:16
Let's check,
08:18
and we can see that there is the result.txt file
08:26
with the result of the command.
08:35
Using the command psxview, we can find hidden processes; it will show us a combination of both pslist and psscan. If a process is in psscan but not in pslist, it is probably a hidden process,
08:52
so the syntax is the same,
08:54
but the command in this case
09:00
will be psx
09:03
view.
09:05
Press Enter
09:09
and you will be able to see the process list in a more detailed way.
09:13
As you can see,
09:15
you can
09:16
check if the process is in the pslist or psscan.
09:20
There are many other commands.
09:24
Another useful
09:26
command in Volatility is dlllist, which provides a list of dynamic link libraries that were associated with the processes in question.
09:37
There are many other
09:39
useful
09:43
commands in Volatility. You can try typing the command
09:46
-h to see the complete list
09:50
of commands or plugins.
09:54
Don't forget to check the references and supplementary material for more information,
10:01
and next module, we're going to see one of the Windows forensics artifacts, the security identifiers.
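As an added example, not part of the video or of Volatility itself, the script below applies the psxview idea from the lab by hand: it parses pslist and psscan output, flags the PIDs psscan found in memory that pslist did not walk, and uses psscan's "Time exited" column to separate plainly terminated processes from ones that are still running but unlinked (hidden). The two listings are constructed samples in the column layout of Volatility 2's plugins, not output from a real image.

```python
"""Cross-check pslist against psscan the way psxview does: a process present in
psscan but absent from pslist is either terminated or hidden (unlinked from the
active process list) and deserves a closer look during incident response."""
from typing import Dict, Tuple

# Constructed sample output (not captured from a real memory image).
PSLIST_OUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x821f3020 explorer.exe           1464   1412     16      480      0      0 2010-10-29 17:09:05 UTC+0000
"""

PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002029c38 System                4      0 0x00319000
0x0000000002153020 smss.exe            368      4 0x031d8000 2010-10-29 17:08:53 UTC+0000
0x0000000001ff3020 explorer.exe       1464   1412 0x04c4a000 2010-10-29 17:09:05 UTC+0000
0x0000000002004b88 notepad.exe        1976   1464 0x051ab000 2010-10-29 17:10:12 UTC+0000   2010-10-29 17:12:40 UTC+0000
0x0000000001f8e5a0 sample.exe         2208    668 0x05c21000 2010-10-29 17:11:02 UTC+0000
"""


def _rows(text: str):
    """Yield whitespace-split data rows, skipping the header and separator lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith(("Offset", "---")):
            yield parts


def parse_pslist(text: str) -> Dict[int, str]:
    """Map PID -> name for every process pslist walked from the active list."""
    return {int(p[2]): p[1] for p in _rows(text)}


def parse_psscan(text: str) -> Dict[int, Tuple[str, bool]]:
    """Map PID -> (name, has_exit_time). Columns after PDB are the created
    timestamp (3 tokens) and, for terminated processes, the exited timestamp."""
    return {int(p[2]): (p[1], len(p) >= 11) for p in _rows(text)}


def classify_unlinked(pslist_text: str, psscan_text: str) -> Dict[int, Tuple[str, str]]:
    """PIDs seen by psscan but not pslist, labelled 'terminated' or 'hidden'."""
    active = parse_pslist(pslist_text)
    return {pid: (name, "terminated" if exited else "hidden")
            for pid, (name, exited) in parse_psscan(psscan_text).items()
            if pid not in active}


if __name__ == "__main__":
    for pid, (name, verdict) in classify_unlinked(PSLIST_OUT, PSSCAN_OUT).items():
        print(f"{pid:>6} {name:<16} {verdict}")
```

A process labelled "hidden" here is the case psxview exists for: it has no exit time yet is missing from the linked list, so it should be pulled apart with pstree, dlllist and the other plugins before drawing conclusions.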