# Tools

### Volatility

Volatility is a framework for analysing memory dumps.

{% embed url="<https://github.com/volatilityfoundation/volatility3>" %}

```bash
# Get image info
python3 volatility3/vol.py -f ./Image windows.info.Info

# List processes
python3 volatility3/vol.py -f ./Image windows.pslist

# List process tree
python3 volatility3/vol.py -f ./Image windows.pstree

# Get exact command line of a process
python3 volatility3/vol.py -f ./Image windows.cmdline | grep <process_name>

# Get network state
python3 volatility3/vol.py -f ./Image windows.netscan

# List files present in the memory dump
python3 volatility3/vol.py -f ./Image windows.filescan

# Memory dump of a particular PID
python3 volatility3/vol.py -f ./Image windows.memmap --pid 3476 --dump

# Sometimes pslist can't show every process. The Amcache stores metadata
# about executables that have been run on the system, so dump it as well.
# Only present in the latest vol3 builds.
python3 volatility3/vol.py -f ./Image windows.registry.amcache

# We can dump a file from memory if we have its virtual address.

# Get the file's virtual address
vol3 -f memory.dmp windows.filescan | grep -i filename

# Dump it
vol3 -f memory.dmp windows.dumpfiles --virtaddr 0xce05c1bd1db0
```
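The filescan-then-dumpfiles step above is easy to get wrong by hand when several files match. The script below is an added example (not from the page or the Volatility project) that parses `windows.filescan` text output, filters it by a regex, and builds the matching `windows.dumpfiles` commands. It assumes `vol3` is on PATH (`VOL_CMD`), that filescan prints one tab-separated `Offset<TAB>Name<TAB>Size` row per file, and that `-o` is vol3's output-directory option; the sample filescan output is constructed, not real data.

```python
import re
import shlex
import subprocess
from typing import Dict, List

# Added example, not part of the page or of Volatility itself.
# Assumption: vol3 is on PATH; swap in ["python3", "volatility3/vol.py"] if not.
VOL_CMD = ["vol3"]


def parse_filescan(output: str) -> Dict[str, int]:
    """Map each file path to its virtual address from filescan text output.

    Assumes vol3's tab-separated layout: Offset<TAB>Name<TAB>Size.
    Banner, blank, header and "Progress:" lines are skipped because their
    first field is not a hex address.
    """
    results: Dict[str, int] = {}
    for line in output.splitlines():
        fields = line.split("\t")
        if len(fields) < 2 or not fields[0].startswith("0x"):
            continue
        try:
            results[fields[1]] = int(fields[0], 16)
        except ValueError:
            continue
    return results


def find_files(filescan_output: str, pattern: str) -> Dict[str, int]:
    """Case-insensitive regex filter over the parsed filescan table."""
    rx = re.compile(pattern, re.IGNORECASE)
    return {path: addr for path, addr in parse_filescan(filescan_output).items()
            if rx.search(path)}


def dumpfiles_command(image: str, virtaddr: int, out_dir: str = ".") -> List[str]:
    """argv for dumping one file object by virtual address (-o = output dir, assumed)."""
    return VOL_CMD + ["-f", image, "-o", out_dir,
                      "windows.dumpfiles", "--virtaddr", hex(virtaddr)]


def dump_matching(image: str, pattern: str, out_dir: str = ".") -> List[List[str]]:
    """Run filescan on the image, then dump every file whose path matches."""
    scan = subprocess.run(VOL_CMD + ["-f", image, "windows.filescan"],
                          capture_output=True, text=True, check=True)
    commands = []
    for _path, addr in find_files(scan.stdout, pattern).items():
        cmd = dumpfiles_command(image, addr, out_dir)
        subprocess.run(cmd, check=True)
        commands.append(cmd)
    return commands


# Constructed sample of filescan output (not real data), usable offline.
SAMPLE_FILESCAN = "\n".join([
    "Volatility 3 Framework 2.5.0",
    "Progress:  100.00\t\tPDB scanning finished",
    "",
    "Offset\tName\tSize",
    "",
    "0xce05c1bd1db0\t\\Users\\Bob\\Desktop\\secret note.txt\t4096",
    "0xce05c1c0a3e0\t\\Windows\\System32\\drivers\\etc\\hosts\t824",
    "0xce05c1d44f70\t\\Users\\Bob\\Downloads\\invoice.pdf.exe\t221184",
])

if __name__ == "__main__":
    # Show which files would be dumped and the exact command for each.
    for path, addr in find_files(SAMPLE_FILESCAN, r"desktop|\.exe$").items():
        cmd = dumpfiles_command("memory.dmp", addr, "dumped")
        print(hex(addr), path, "->", " ".join(shlex.quote(a) for a in cmd))
```

Splitting on tabs rather than whitespace matters because file names in the scan frequently contain spaces; `dump_matching` is the only function that actually invokes vol3, so the parsing can be checked against saved filescan output without an image at hand.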

Note: if a VMware `.vmss` and `.vmem` file pair is given, use the `vmss2core.exe` tool to create a memory.dmp file first; running Volatility directly on the .vmem file gives wrong and partial results.

```bash
vmss2core.exe -W8 Win10x64-456e5d85.vmss Win10x64-456e5d85.vmem
```

CTF write-up: <https://metactf.com/blog/flash-ctf-armorless/>

Volatility 2, its predecessor, is written in Python 2 and has more plugins.

{% embed url="<https://github.com/volatilityfoundation/volatility>" %}

```bash
# Get image info
python2 vol.py -f ./Image imageinfo

# Get clipboard content
# The --profile value depends on the image; take it from the imageinfo output above.
python2 vol.py -f ./Image --profile=Win7SP1x64 clipboard

# Scan the file system
python2 vol.py --profile=Win7SP1x64 -f ./Image filescan

# Dump the file at a particular offset (-Q) into a directory
python2 vol.py --profile=Win7SP1x64 -f ./Image dumpfiles -n --dump-dir=lol -Q 0x000...
```

### LDAP Time

An AD timestamp (AKA LDAP time, WinTime or FileTime) is the number of 100-nanosecond intervals since 01/01/1601 00:00 (UTC).

Use this online tool to convert:

{% embed url="<https://www.epochconverter.com/ldap>" %}

To rebuild an AD timestamp from the `originalFileLastModifTimestamp` and `originalFileLastModifTimestampHigh` values stored on Windows, use this formula.

```
e.g.
originalFileLastModifTimestamp="-1354503710"
originalFileLastModifTimestampHigh="31047188"

2^32*high + actual_low

where

actual_low = (2^32) - 1354503710   # the low word without its sign, just the value
```
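The formula carried through in code, as an added example (not from the page): combine the two signed 32-bit halves into the 64-bit FILETIME and turn it into a UTC datetime. It goes slightly beyond the page's formula by masking the low word with `0xFFFFFFFF`, which equals `2^32 - |low|` when the low word is negative and leaves a positive low word unchanged. The sample values are the page's own; the function and constant names are mine.

```python
from datetime import datetime, timedelta, timezone

# Added example, not from the page. Names below are my own choices.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME ticks are 100 ns


def filetime_from_halves(low: int, high: int) -> int:
    """Combine signed 32-bit low/high words into the unsigned 64-bit FILETIME.

    Masking with 0xFFFFFFFF is the same as the page's 2^32 - |low| for a
    negative low word, and also handles a low word that is already positive.
    """
    return ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME tick count to a UTC datetime.

    FILETIME has 100 ns resolution but datetime stores microseconds, so the
    last digit of the tick count is dropped.
    """
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_to_unix(filetime: int) -> float:
    """Seconds since the Unix epoch, for comparison with other log sources."""
    return (filetime_to_datetime(filetime) - UNIX_EPOCH).total_seconds()


if __name__ == "__main__":
    # The page's sample values.
    ft = filetime_from_halves(-1354503710, 31047188)
    print(ft)                                      # 133346660033227234
    print(filetime_to_datetime(ft).isoformat())    # 2023-07-24T09:53:23.322723+00:00
    print(filetime_to_unix(ft))                    # 1690192403.322723
```

The page's example values resolve to 24 July 2023, which is a quick sanity check that the sign handling of the low word is right: forgetting it yields a timestamp roughly 7 minutes off, since the two candidate low words differ by about 2.7 billion ticks.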

### Sherlock

Sherlock is a tool that searches a large number of websites for a given username, to find where else that username is in use (username OSINT).

### ALEAPP (Android Logs, Events, And Protobuf Parser)

ALEAPP is a forensic tool designed specifically for parsing Android file systems. It can analyse Android artifacts such as application data, user activities, and system logs, which makes it particularly useful for reconstructing a device's state and understanding the behaviour of its user. By pointing ALEAPP at the extracted file system of the victim's phone, we configured it to extract and process data from all available modules, including accounts, notifications, app interactions, and installed applications.

Link: <https://github.com/abrignoni/ALEAPP>. I found the Windows executable pretty straightforward to work with.

