Time: 4 hours 15 minutes
Difficulty: Beginner
CEU/CPE: 4

Video Transcription

00:00
Hi. Welcome back to the course. In this lab, we're going to analyze a memory dump file with Volatility, an open source memory forensics framework for incident response and malware analysis.
00:10
The reason this type of information is called volatile is because it is stored in the system memory, and when the computer gets shut down, the information in memory disappears.
00:19
For this lab, you will need a Windows system and a browser to download the tool.
00:25
You will also need a decompression program, such as 7-Zip or WinRAR,
00:30
and you will need, as well, a memory dump file. It can be a RAW, a MEM, or a DMP file, and many others. You can generate one using tools such as dd, DumpIt, or the Windows crash dump utility.
00:44
First, you need to log in to your Windows machine,
00:48
open a web browser,
00:51
because we need to download Volatility from the website.
00:56
You can go there and visit the website, volatilityfoundation.org,
00:59
and download it.
01:03
We're going to download the latest version of Volatility
01:07
and save it on our computer.
01:08
I'm going to save it on my local disk D, under a folder named Temp.
01:19
Now we're going to unzip it,
01:26
but just the .exe file, the executable file that is located in the folder.
01:49
Make sure that you have the memory dump in the same folder as the tool. In my case, I have this file
01:59
called memory.mem
02:01
in this folder, and this file is the one that we are going to analyze.
02:06
Now, open a command prompt window by typing cmd in the Start menu.
02:15
Now you need to change the path, or the location. The path where Volatility is located, in my case, is on the local disk D.
02:24
So let me switch to the D drive first.
02:29
I'm going to change this location to the folder named Temp that I have.
02:38
Now we're going to start typing Volatility commands.
02:51
The first one is imageinfo, which is the first command that we're going to use.
02:58
This command will give you some information about the file.
03:01
The syntax for Volatility is this one here:
03:09
first, type the name of the executable, followed by -f, which is the file we are going to analyze, followed by
03:19
the other commands. In my case, I'm going to type
03:23
this one here.
03:25
Make sure that you replace memory.mem with your own memory file,
03:31
and press Enter.
03:40
And as we can see, Volatility tells us
03:46
that this image file corresponds to a Windows XP machine.
03:54
In this case, the suggested profile is Windows XP Service Pack 3.
04:01
But by taking a look at the image type, or the service pack, it is 2.
04:12
We are now sure that the version of Windows is Windows XP Service Pack 2.
04:25
Now, to know what profiles are supported by this version of Volatility, you can type the --info command.
04:34
You will see the list with all the profiles,
04:54
and as you can see here, this is the list with all the commands and the profiles supported by this version of Volatility.
05:06
Now, to see the list of processes that were running in the machine when the memory dump was generated,
05:13
we will use the command pslist.
05:18
The syntax is the same, so we just copy and paste this over there in the command prompt.
05:31
The only change here is that now we're going to use the profile
05:36
to let Volatility know that we're dealing with a Windows XP Service Pack 2 machine.
05:46
So the syntax changes: it takes this profile option, --profile, followed by your memory dump file or memory file.
06:06
pslist will give you the process name and ID, and more information about the processes, such as the date when it started and so on.
06:19
As you can see here, this is the full list of processes.
06:31
Now we're going to use the command pstree.
06:38
This is to analyze the process list in a tree format.
06:44
The syntax is the same, but in this case, instead of pslist, we're going to type pstree
06:50
and press Enter.
06:54
You will see the same processes, but in a nicer view and with fewer details.
06:59
Now we will use the command psscan to analyze the terminated processes.
07:05
It can be the case that the malware process was not in execution at this moment;
07:10
in this case, the previous command couldn't find it,
07:14
but with psscan we can find it.
07:18
So instead of pstree, we should type psscan.
07:28
You can see here the list of terminated processes.
07:31
Now, it can be the case that you may want to save these results in a text file.
07:39
To save any result to a file, you can type the normal Volatility command, followed by the greater-than symbol (>) and the name of the text file to generate.
08:00
In this case, I'm going to name it result.txt and press Enter.
08:09
The file is going to be saved in the same folder where the tool is located.
08:16
Let's check, and we can see that there is the result.txt file
08:26
with the result of the command.
08:35
Using the command psxview we can find hidden processes. It will show us a combination of both pslist and psscan: if a process is in psscan but not in pslist, it is probably a hidden process,
08:52
so the syntax is the same, but the termination in this case will be psxview.
09:05
Press Enter,
09:09
and you will be able to see the process list in a more detailed way.
09:13
As you can see, you can check if the process is in the pslist or psscan.
09:20
There are many other commands.
09:24
Another useful command in Volatility is dlllist, which provides a list of dynamic link libraries that were associated with the process in question.
09:37
There are many other useful commands in Volatility. You can try typing the command -h to see the complete list of commands or plugins.
09:54
Don't forget to check the references and supplementary material for more information,
10:01
and in the next module we're going to see one of the Windows forensics topics, the security identifiers.
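The lab describes the logic behind psxview: a process that psscan finds in memory but pslist does not report is probably hidden, while one that psscan finds with an exit time is simply terminated. The following Python script is an added example, not code from the course or from the Volatility project, that reproduces that cross-view check over two constructed tables shaped like Volatility 2's pslist and psscan output. Every process name, PID, offset and timestamp in it is made up, and the column layout the regexes expect is an assumption about the plugin output format.

```python
"""Cross-reference Volatility 2 pslist and psscan output to flag hidden processes.

Mirrors the idea behind psxview described in the lab: a process that psscan finds
in memory but pslist does not report, and that has no exit time, is suspicious.
"""
import re
from typing import Dict

# Constructed sample output, shaped like Volatility 2's pslist/psscan tables.
# Names, PIDs, offsets and times are made up for this illustration.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x8230d020 smss.exe                368      4      3       19 ------      0 2018-01-01 10:00:00 UTC+0000
0x82205a40 csrss.exe               584    368      9      326      0      0 2018-01-01 10:00:01 UTC+0000
0x8211b020 explorer.exe           1464   1440     17      415      0      0 2018-01-01 10:00:05 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x023c89c8 System                4      0 0x00319000
0x0230d020 smss.exe            368      4 0x0a8d7000 2018-01-01 10:00:00 UTC+0000
0x02205a40 csrss.exe           584    368 0x0a9c1000 2018-01-01 10:00:01 UTC+0000
0x0211b020 explorer.exe       1464   1440 0x0b0b2000 2018-01-01 10:00:05 UTC+0000
0x0212a7f0 notepad.exe        1988   1464 0x0c1f1000 2018-01-01 10:01:30 UTC+0000 2018-01-01 10:01:55 UTC+0000
0x0203f8d8 evil.exe           2020   1464 0x0c4d3000 2018-01-01 10:02:11 UTC+0000
"""

# A data row starts with a hex offset, then name, PID and PPID; header and
# separator rows do not, so the regex skips them for us.
PROC_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_process_table(text: str) -> Dict[int, dict]:
    """Parse a pslist- or psscan-style table into {pid: {name, ppid, offset, exited}}."""
    procs: Dict[int, dict] = {}
    for line in text.splitlines():
        match = PROC_ROW.match(line)
        if not match:
            continue
        offset, name, pid, ppid = match.groups()
        # Both plugins print a create time; only a terminated process also has an exit time.
        exited = len(TIMESTAMP.findall(line)) == 2
        procs[int(pid)] = {"name": name, "ppid": int(ppid), "offset": offset, "exited": exited}
    return procs


def cross_reference(pslist_text: str, psscan_text: str) -> Dict[str, Dict[int, str]]:
    """Classify every PID seen by either plugin, keyed on PID (PIDs can be reused,
    so on a real image confirm a 'hidden' hit by offset before acting on it)."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    result: Dict[str, Dict[int, str]] = {
        "both": {},          # seen by pslist and psscan: normal
        "terminated": {},    # psscan only, with an exit time: old, freed process object
        "hidden": {},        # psscan only, still running: unlinked from the active list
        "pslist_only": {},   # pslist only: unusual, worth a second look
    }
    for pid, info in scanned.items():
        if pid in listed:
            result["both"][pid] = info["name"]
        elif info["exited"]:
            result["terminated"][pid] = info["name"]
        else:
            result["hidden"][pid] = info["name"]
    for pid, info in listed.items():
        if pid not in scanned:
            result["pslist_only"][pid] = info["name"]
    return result


def format_report(result: Dict[str, Dict[int, str]]) -> str:
    """Render the classification as a small text report, one line per process."""
    lines = []
    for category in ("hidden", "terminated", "pslist_only", "both"):
        for pid, name in sorted(result[category].items()):
            lines.append(f"{category:12} {pid:6} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(cross_reference(PSLIST_OUTPUT, PSSCAN_OUTPUT)))
```

To use it on real output, save the two plugin results with the redirection shown in the lab (for example `> pslist.txt` and `> psscan.txt`) and feed the file contents to `cross_reference`. The script keys on PID for simplicity; psxview itself compares process objects by offset, which is the more reliable choice when PIDs have been reused during the machine's uptime.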

Up Next

Windows Forensics and Tools

The Windows Forensics and Tools course focuses on building digital forensics knowledge of Microsoft Windows operating systems, as well as some compatible software or tools that can be used to obtain or process information in such systems.

Instructed By

Adalberto Jose Garcia
Information Security Analyst at Bigazi
Instructor