Tools

Astra

Volatility

It is a great tool for analysing memory dumps.

GitHub - volatilityfoundation/volatility3: Volatility 3.0 developmentGitHub

#Getting Image info
python3 volatility3/vol.py -f ./Image windows.info.Info

#List process
python3 volatility3/vol.py -f ./Image windows.pslist

#List process tree
python3 volatility3/vol.py -f ./Image windows.pstree

#Get exact command line
python3 volatility3/vol.py -f ./Image windows.cmdline | grep <process_name>

#Get network state
python3 volatility3/vol.py -f ./Image windows.netscan

#Get file  present in memory dump
python3 volatility3/vol.py -f ./Image windows.filescan

#memory dump of a particular PID
python3 volatility3/vol.py -f ./Image windows.memmap --pid 3476 --dump


/*sometimes pslist can't show every process, 
we can dump amcache to store data aboutstores metadata
about executables that have been run on the system*/
#only presenet in lastest vol3 build

python3 volatility3/vol.py -f ./Image windows.registry.amcache 

#we can dump a file from memory if we have its virtual address

#get file virtual address
vol3 -f memory.dmp windows.filescan | grep -i filename

#dump
vol3 -f memory.dmp windows.dumpfiles --virtaddr 0xce05c1bd1db0

Note: if vmware vmem and vmes file is given we can use vmss2core.exe tools to create memory.dmp file, running volatility on vmem file will result wrong and partial results.

vmss2core.exe -W8 Win10x64-456e5d85.vmss Win10x64-456e5d85.vmem

ctf: https://metactf.com/blog/flash-ctf-armorless/

It also has a predecessor which was written in python2 and has more plugins.

GitHub - volatilityfoundation/volatility: An advanced memory forensics frameworkGitHub

#Getting Image info
python2 vol.py -f ./Image imageinfo

#Getting clipboard content
python2 vol.py -f ./Image --profile=Win7SP1x64 clipboard #profile value changes depending upon what image you have, you can get this information from previous command.

#scan file system
python2 vol.py --profile=Win7SP1x64 -f >/Image filescan 

#Dumping a file at particular location
python2 vol.py --profile=Win7SP1x64 -f Image dumpfiles -n — dump-dir=lol -Q 0x000...

LDAP Time

An AD timestamp (AKA LDAP time, WinTime or FileTime) is the number of 100-nanoseconds since the year 01/01/1601 @ 00:00

Use this online tool to convert

LDAP, Active Directory & Filetime Timestamp Converterwww.epochconverter.com

If you need to convert to AD timestamp from originalFileLastModifTimestamp and originalFileLastModifTimestampHigh in windows then use this formula.

e.g 
originalFileLastModifTimestamp="-1354503710"
originalFileLastModifTimestampHigh="31047188"

2^32*high+actual_low 

where 

actual_low=(2^32)-originalFileLastModifTimestamp #without sign just the value.

Sherlock

Sherlock is a tool which can search for all website using a username if its used anywhere else to perform osint with username.

ALEAPP (Android Logs, Events, and Protobuf Parser (ALEAPP)

a forensic tool designed specifically for parsing Android file systems. ALEAPP is capable of analyzing Android artifacts such as application data, user activities, and system logs. This tool is particularly useful in reconstructing a device’s state and understanding the behavior of its user. By directing ALEAPP to the extracted file system of the victim's phone, we configured it to extract and process data from all available modules, including accounts, notifications, app interactions, and installed applications.

Link: https://github.com/abrignoni/ALEAPP I found windows executable pretty striaghtforward to work with.

PreviousBlue Team NextConcepts

Last updated 4 months ago