Tools

Astra


Last updated 1 year ago

Volatility

Volatility 3 is the current memory-forensics framework for analysing RAM images (memory dumps). It picks the symbol tables for the image itself, so no --profile has to be chosen.

# Identify the image (OS build, kernel, architecture)
python3 volatility3/vol.py -f ./Image windows.info.Info

# List processes (windows.pstree shows the same data as a parent/child tree)
python3 volatility3/vol.py -f ./Image windows.pslist

# Dump the memory of a particular PID; output goes to the working directory (-o selects another output directory)
python3 volatility3/vol.py -f ./Image windows.memmap --pid 3476 --dump

Its predecessor, Volatility 2, is written in Python 2 and needs a --profile matching the image, but it still has plugins (clipboard, for example) that were never ported to Volatility 3.

# Identify the image and the suggested --profile value(s)
python2 vol.py -f ./Image imageinfo

# Get the clipboard content. The --profile value depends on the image; take it from the imageinfo output above.
python2 vol.py -f ./Image --profile=Win7SP1x64 clipboard

# Scan for file objects; each row gives the physical offset of a FILE_OBJECT and its path
python2 vol.py -f ./Image --profile=Win7SP1x64 filescan

# Dump the file at a particular physical offset: -Q takes the Offset(P) column from filescan, -n keeps the original file name.
# The --dump-dir directory must already exist (mkdir lol).
python2 vol.py -f ./Image --profile=Win7SP1x64 dumpfiles -n --dump-dir=lol -Q 0x000...
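Going from filescan to dumpfiles by hand means copying offsets one at a time. The following is an added example, not code from the page or from the Volatility project: it parses Volatility 2 filescan output (a constructed sample is embedded so it runs offline), selects paths by regex and builds the matching dumpfiles -Q commands. The image path ./Image, the profile Win7SP1x64, the dump directory and the paths in the sample are assumptions.

```python
import re
import shlex
import subprocess

# Constructed sample of `vol.py --profile=... filescan` output for illustration; not a real capture.
SAMPLE_FILESCAN = """\
Volatility Foundation Volatility Framework 2.6.1
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0c5f20      2      0 R--r-- \\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll
0x000000003e1a6070     16      0 R--rwd \\Device\\HarddiskVolume1\\Users\\bob\\Downloads\\invoice.docm
0x000000003f52c8e0      1      1 RW-rw- \\Device\\HarddiskVolume1\\Users\\bob\\AppData\\Roaming\\update.exe
"""

# One filescan row: physical offset, pointer count, handle count, access flags, path
FILESCAN_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_filescan(text):
    """Return [(offset, path), ...] from filescan output; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FILESCAN_ROW.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(5)))
    return rows


def select_files(rows, pattern):
    """Keep only rows whose path matches the regex (case-insensitive, as NTFS paths are)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(off, path) for off, path in rows if rx.search(path)]


def dumpfiles_commands(image, profile, rows, dump_dir="dumped"):
    """Build one `vol.py dumpfiles -Q <offset>` command per selected file (argv lists, not shell strings)."""
    return [
        ["python2", "vol.py", "-f", image, f"--profile={profile}", "dumpfiles",
         "-n", f"--dump-dir={dump_dir}", "-Q", f"0x{off:016x}"]
        for off, _path in rows
    ]


def run_commands(commands, dry_run=True):
    """Print the commands; run them when dry_run is False (needs vol.py, the image and an existing dump dir)."""
    for argv in commands:
        print(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    rows = parse_filescan(SAMPLE_FILESCAN)
    # Hypothetical triage pattern: executables and macro documents under user profiles
    wanted = select_files(rows, r"\\Users\\.*\.(exe|dll|docm|ps1)$")
    run_commands(dumpfiles_commands("./Image", "Win7SP1x64", wanted, dump_dir="lol"))
```

On a real case, pipe the filescan output to a file first (`vol.py ... filescan > filescan.txt`) and feed its contents to parse_filescan; the commands are built as argv lists so that paths containing spaces never pass through a shell.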

LDAP Time

An AD timestamp (also called LDAP time, WinTime or FILETIME) is a 64-bit count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC. In Active Directory the value 0 means "not set" (e.g. lastLogon) and 0x7FFFFFFFFFFFFFFF means "never" (e.g. accountExpires), so neither should be converted to a date.

The LDAP, Active Directory & Filetime Timestamp Converter linked below converts such values to a readable date.

Some Windows artefacts store the 64-bit value as two 32-bit halves, for example originalFileLastModifTimestamp (low half) and originalFileLastModifTimestampHigh (high half). When the low half has been read back as a signed 32-bit integer it comes out negative; it has to be turned back into its unsigned value before the halves are combined:

e.g.
originalFileLastModifTimestamp="-1354503710"
originalFileLastModifTimestampHigh="31047188"

timestamp = 2^32*high + actual_low

where

actual_low = 2^32 - |originalFileLastModifTimestamp|   # only when the stored value is negative; a non-negative low half is used as-is

For the values above: actual_low = 4294967296 - 1354503710 = 2940463586, so timestamp = 4294967296*31047188 + 2940463586 = 133346660033227234, which is 2023-07-24 09:53:23 UTC.
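The same conversion done offline instead of with the online tool, as an added example (not code from the page): it reassembles the two signed halves, converts the FILETIME to a UTC datetime and to Unix time and back, and treats the AD sentinels 0 and 0x7FFFFFFFFFFFFFFF as "never". The function names are mine; the input values are the ones quoted above.

```python
from datetime import datetime, timedelta, timezone

# Ticks (100 ns) between 1601-01-01 and 1970-01-01: the FILETIME/Unix epoch difference
EPOCH_DIFF_100NS = 116444736000000000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AD_NEVER = 0x7FFFFFFFFFFFFFFF  # Active Directory's "never" (e.g. accountExpires)


def to_unsigned32(value):
    """Reinterpret a 32-bit half that was read as a signed int as unsigned.
    -1354503710 -> 2940463586 (= 2**32 - 1354503710); non-negative values are unchanged."""
    if not -2**31 <= value < 2**32:
        raise ValueError(f"{value} does not fit in 32 bits")
    return value & 0xFFFFFFFF


def filetime_from_parts(low, high):
    """Combine low/high halves into the 64-bit FILETIME: 2**32 * high + unsigned(low)."""
    return (to_unsigned32(high) << 32) | to_unsigned32(low)


def filetime_to_parts(filetime):
    """Split a FILETIME into (low, high) as signed 32-bit ints, the form the
    originalFileLastModifTimestamp fields above use."""
    low = filetime & 0xFFFFFFFF
    high = (filetime >> 32) & 0xFFFFFFFF
    return (low - 2**32 if low >= 2**31 else low,
            high - 2**32 if high >= 2**31 else high)


def filetime_to_datetime(filetime):
    """FILETIME -> aware UTC datetime (microsecond precision; the last 100 ns digit is truncated).
    Returns None for the AD sentinels 0 and 0x7FFFFFFFFFFFFFFF instead of a bogus date."""
    if filetime in (0, AD_NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_to_unix(filetime):
    """FILETIME -> Unix seconds as a float (negative for dates before 1970)."""
    return (filetime - EPOCH_DIFF_100NS) / 10_000_000


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME (exact integer arithmetic, no float rounding)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


if __name__ == "__main__":
    ft = filetime_from_parts(-1354503710, 31047188)  # the example values from the text
    print(ft, filetime_to_datetime(ft), filetime_to_unix(ft))
```

Using `value & 0xFFFFFFFF` is the same as the 2^32 - |value| rule for negative input and leaves a value that was already unsigned alone, so the one function handles both ways the half may have been stored.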
Links:
GitHub - volatilityfoundation/volatility3: Volatility 3.0 development
GitHub - volatilityfoundation/volatility: An advanced memory forensics framework
LDAP, Active Directory & Filetime Timestamp Converter