Tools
Astra
Volatility
It is a great tool for analysing memory dumps.
#Getting Image info
python3 volatility3/vol.py -f ./Image windows.info.Info
#List process
python3 volatility3/vol.py -f ./Image windows.pslist
#List process tree
python3 volatility3/vol.py -f ./Image windows.pstree
#Get exact command line
python3 volatility3/vol.py -f ./Image windows.cmdline | grep <process_name>
#Get network state
python3 volatility3/vol.py -f ./Image windows.netscan
#Get file present in memory dump
python3 volatility3/vol.py -f ./Image windows.filescan
#memory dump of a particular PID
python3 volatility3/vol.py -f ./Image windows.memmap --pid 3476 --dump
/*sometimes pslist can't show every process,
we can dump amcache to store data aboutstores metadata
about executables that have been run on the system*/
#only presenet in lastest vol3 build
python3 volatility3/vol.py -f ./Image windows.registry.amcache
#we can dump a file from memory if we have its virtual address
#get file virtual address
vol3 -f memory.dmp windows.filescan | grep -i filename
#dump
vol3 -f memory.dmp windows.dumpfiles --virtaddr 0xce05c1bd1db0
Note: if vmware vmem and vmes file is given we can use vmss2core.exe tools to create memory.dmp file, running volatility on vmem file will result wrong and partial results.
vmss2core.exe -W8 Win10x64-456e5d85.vmss Win10x64-456e5d85.vmemctf: https://metactf.com/blog/flash-ctf-armorless/
It also has a predecessor which was written in python2 and has more plugins.
#Getting Image info
python2 vol.py -f ./Image imageinfo
#Getting clipboard content
python2 vol.py -f ./Image --profile=Win7SP1x64 clipboard #profile value changes depending upon what image you have, you can get this information from previous command.
#scan file system
python2 vol.py --profile=Win7SP1x64 -f >/Image filescan
#Dumping a file at particular location
python2 vol.py --profile=Win7SP1x64 -f Image dumpfiles -n — dump-dir=lol -Q 0x000...
LDAP Time
An AD timestamp (AKA LDAP time, WinTime or FileTime) is the number of 100-nanoseconds since the year 01/01/1601 @ 00:00
Use this online tool to convert
If you need to convert to AD timestamp from originalFileLastModifTimestamp and originalFileLastModifTimestampHigh in windows then use this formula.
e.g
originalFileLastModifTimestamp="-1354503710"
originalFileLastModifTimestampHigh="31047188"
2^32*high+actual_low
where
actual_low=(2^32)-originalFileLastModifTimestamp #without sign just the value.Sherlock
Sherlock is a tool which can search for all website using a username if its used anywhere else to perform osint with username.
ALEAPP (Android Logs, Events, and Protobuf Parser (ALEAPP)
a forensic tool designed specifically for parsing Android file systems. ALEAPP is capable of analyzing Android artifacts such as application data, user activities, and system logs. This tool is particularly useful in reconstructing a device’s state and understanding the behavior of its user. By directing ALEAPP to the extracted file system of the victim's phone, we configured it to extract and process data from all available modules, including accounts, notifications, app interactions, and installed applications.
Link: https://github.com/abrignoni/ALEAPP I found windows executable pretty striaghtforward to work with.
Last updated