Sometimes, after a system has been compromised or hacked, it's important to extract forensically-relevant information. Random Access Memory (RAM) is considered volatile - meaning that it doesn't live long. Each time a computer is restarted, it flushes its memory from RAM. That means that, if a computer is hacked or compromised and is restarted, you'll lose a lot of information that tells the story about how the system was compromised. Using a tool like Volatility to analyze a memory dump helps discover evidence of an attack. But before you can even use Volatility, you'll need to capture the memory using another tool like winpmem.

In this blog, I'll be going over how to capture Windows memory using winpmem and how to analyze it with Volatility. I set up a virtual Windows machine for a CTF I ran back in 2018 called Guardians CTF; you'll see some references to it as I walk through my analysis. I simulated an attack where I, as the attacker, uploaded netcat as a listener. Nothing too fancy, I just wanted to showcase how to distinguish legitimate and illegitimate processes. Then, using Volatility on Kali, I'll walk through how to analyze the raw memory dump.

Winpmem is a part of the Pmem Suite, a suite of memory acquisition tools for Windows, Linux, and Mac OS. You can download the latest release of winpmem from here. First, after I staged my malicious activity, I downloaded winpmem 3.3 RC3 onto the victim Windows machine.

Run Winpmem
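The analysis the post is building toward, telling the legitimate listeners apart from the uploaded netcat one by correlating listening sockets with the process tree, as an added example that is not part of the original post. It runs against constructed rows shaped like Volatility's pslist and netscan tables; the column subset, the baseline of expected listeners and the set of interactive parents are assumptions for the demonstration.

```python
"""Correlate listening sockets with the process list from a memory dump.
Added example, not from the original post: the rows below are constructed
to resemble Volatility's pslist/netscan tables, and the baseline sets are
assumptions for the demonstration."""

# Constructed pslist-style rows: name, PID, PPID.
PSLIST = """\
System            4     0
services.exe    556   468
svchost.exe     724   556
explorer.exe   1840  1796
nc.exe         2904  1840
"""

# Constructed netscan-style rows: proto, local, foreign, state, PID, owner.
NETSCAN = """\
TCPv4 0.0.0.0:135    0.0.0.0:0   LISTENING    724 svchost.exe
TCPv4 0.0.0.0:445    0.0.0.0:0   LISTENING      4 System
TCPv4 0.0.0.0:4444   0.0.0.0:0   LISTENING   2904 nc.exe
TCPv4 10.0.0.5:49712 10.0.0.9:80 ESTABLISHED 1840 explorer.exe
"""

# Assumed baseline: build it from a known-good image of the same Windows build.
EXPECTED_LISTENERS = {"System", "svchost.exe", "services.exe", "lsass.exe"}
# A parent from this set means the program was launched interactively.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def parse_pslist(text):
    """Map PID -> (name, PPID) from whitespace-separated pslist rows."""
    procs = {}
    for line in text.splitlines():
        name, pid, ppid = line.split()
        procs[int(pid)] = (name, int(ppid))
    return procs


def suspicious_listeners(pslist_text, netscan_text):
    """Return (PID, owner, local address, reason) for listeners to examine."""
    procs = parse_pslist(pslist_text)
    findings = []
    for line in netscan_text.splitlines():
        _proto, local, _foreign, state, pid, owner = line.split()
        pid = int(pid)
        if state != "LISTENING":
            continue
        if pid not in procs:  # socket without a process: possibly unlinked
            findings.append((pid, owner, local, "owner missing from pslist"))
            continue
        name, ppid = procs[pid]
        parent = procs.get(ppid, ("<unknown>", 0))[0]
        if name not in EXPECTED_LISTENERS or parent in INTERACTIVE_PARENTS:
            findings.append((pid, owner, local, f"{name} started by {parent}"))
    return findings
```

On the constructed rows the svchost.exe and System listeners pass as expected service listeners, while nc.exe is flagged both for being outside the baseline and for having been started from explorer.exe.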