Collaborate Disseminate
I have captured a memory dump of recent Ubuntu 22.04 kernel 6.2.0-39-generic.
captured image with LiMe and analyzed with volatility3.
did a yarascan against all known rules and found a suspicious amount of matches for spyeye.
Here is the o… Continue reading Examining linux memory dump with signs of compromise in yarascan
Morning, I recently had need to check for malware on my PC by dumping the memory and searching for unwanted processes which could be malware, my question it’s, is it possibile for malware to detect memory dumping, I am going to analyze the… Continue reading Can malware detect memory dumping?
I am analyzing a mem and trying to recover a file that an attacker used to exploit drupalgeddon2 vulnerability. I discover that the process with pid 11046 executes the request with the file h38x.php (the one the attacker submitted).
I need… Continue reading Get file from the linux_volshell from volatility
I’m trying to recover files from a .mem file with volatility. The mem file is from a Linux machine. I have already loaded the profile and it works fine. I have discovered that the drupalgeddon2 vulnerability was exploited but I need eviden… Continue reading How to recover a file with volatility from a linux profile
I’m trying to add a linux profile to volatility (I am using a kali linux VM) and in theory I should just paste de .zip in the folder:
/usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux
But then when I execute vol.py … Continue reading add linux profile in volatility
I am trying to analyze the .vmem file from HoneyNet challenge 3: Banking Troubles (HoneyNet) using volatility3. But I can’t seem to get past this error:
PS C:\Users\<user>\Desktop\HoneyNet\volatility3> python vol.py -f C:\Users\&l… Continue reading Volatility: AutoMagic Symbol Table error
I am experimenting with the volatility2 tool.
I have created a memorydump of a windows 7 machine where i had a batch script file on the desktop of the machine.
I used the mftparser command as :
volatility -f memdump.mem –profile=Win7SP1x6… Continue reading How to extract a .bat file with volatility
Do PCRs (Platform Configuration Registers) on TPMs (Trusted Platform Modules) retain their data on reboot?
I’m trying to find out if all (or some) of the PCRs on a TPM are volatile (will loose their memory on power loss) or nonvolatile (wi… Continue reading Are TPM PCRs volatile, non-volatile, or both?
I have created a memory dump of a Windows 7 VM and I am trying to find the password hint of the user and then decode it as this answer implies in a similar question: Is there a way to get Windows login password hint from SAM hive with vola… Continue reading How to read "HKLM\SAM\SAM\Domains\Account\Users<userkey>\UserPasswordHint" from a Windows 7 memory dump with Volatility?
We know that every user in Windows has a password hint. This password hint is stored in the SAM hive, more specifically in the SAM\Domains\Account\Users path. Is there a way to extract this password hint of a user with volatility if we hav… Continue reading Is there a way to get Windows login password hint from SAM hive with volatility?