########
Forensic
########

Carve deleted files from a block device or mounted image:

.. code-block:: bash

    photorec /dev/loop6

**********
Volatility
**********

Identify system profile
***********************

Every other plugin needs the right ``--profile``; get it first (``kdbgscan`` is a useful cross-check when ``imageinfo`` suggests several).

.. code-block:: bash

    volatility -f <image> imageinfo

    # sample command line once the profile is known
    volatility -f <image> --profile=<profile> <plugin>

Scan for TCP connections
************************

.. code-block:: bash

    volatility -f <image> --profile=<profile> netscan

Command history
***************

.. code-block:: bash

    volatility -f <image> --profile=<profile> cmdscan

Identify rogue processes
************************

Compare the three views: a process present in ``psscan`` but absent from ``pslist`` has been unlinked or has exited.

.. code-block:: bash

    volatility -f <image> --profile=<profile> pslist
    volatility -f <image> --profile=<profile> psscan
    volatility -f <image> --profile=<profile> pstree

Check for signs of a rootkit
****************************

.. code-block:: bash

    volatility -f <image> --profile=<profile> psxview   # cross-view of process listings, hidden processes show as False
    volatility -f <image> --profile=<profile> modscan   # kernel modules, including unlinked ones
    volatility -f <image> --profile=<profile> ssdt      # system call table hooks
    volatility -f <image> --profile=<profile> apihooks  # inline/IAT hooks in user and kernel space

Extract processes, drivers and objects
**************************************

.. code-block:: bash

    volatility -f <image> --profile=<profile> dlldump  --dump-dir ./output -p <pid>
    volatility -f <image> --profile=<profile> moddump  --dump-dir ./output
    volatility -f <image> --profile=<profile> procdump --dump-dir ./output -p <pid>
    volatility -f <image> --profile=<profile> memdump  --dump-dir ./output -p 868
    # once extracted we can run "strings" over the file
    strings ./output/868.dmp | less
    volatility -f <image> --profile=<profile> dumpfiles --dump-dir ./output

Get verbose information: username, computer name, paths, etc.
*************************************************************

.. code-block:: bash

    volatility -f <image> --profile=<profile> envars

Get passwords
*************

.. code-block:: bash

    volatility -f <image> --profile=<profile> hashdump > file.txt
    # now you can try to crack the hashes with john or hashcat
    # (the output is pwdump format: NT hashes, john --format=nt / hashcat -m 1000)

Find a macro and analyze it
***************************

.. code-block:: bash

    # 1. find the file
    volatility -f <image> --profile=<profile> filescan | grep <filename>
    # or
    volatility -f <image> --profile=<profile> filescan | grep WIN

    # 2. extract the file, using the Offset(P) column from filescan
    volatility -f <image> --profile=<profile> dumpfiles -D . -Q <offset>

    # 3. search for and analyze the macro
    /../../vbaProject.bin   # macros are usually here

    # to search faster for information
    strings <file> | grep FindProxyForURL -A5
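Tying the steps above together, as an added example that is not part of the original cheat sheet: a small POSIX shell wrapper that picks the profile out of ``imageinfo`` output, pulls ``Offset(P)`` values for a file pattern out of ``filescan`` output, and runs the plugin sequence listed above into one file per plugin. The two sample outputs embedded in the script are constructed in the Volatility 2 text format so the parsing functions can be tried without an image; the ``triage`` function, the ``volatility`` binary on ``PATH`` and the ``./output`` layout are assumptions.

```bash
#!/bin/sh
# Added example (not from the original cheat sheet): helpers for the Volatility 2
# triage order above. Assumes the Volatility 2 CLI is installed as "volatility".

# Constructed sample of `volatility -f <image> imageinfo` output (not real data).
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)'

# Constructed sample of `volatility ... filescan` output (not real data).
SAMPLE_FILESCAN='Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e1b2f20      8      0 R--r-d \Device\HarddiskVolume1\Windows\System32\ntdll.dll
0x000000003e6a1070     16      0 RW-rwd \Device\HarddiskVolume1\Users\alice\Documents\invoice.docm'

# Print the first profile from imageinfo text read on stdin (e.g. Win7SP1x64).
# imageinfo lists several candidates; the first is usually right, but confirm
# with kdbgscan if pslist comes back empty.
suggested_profile() {
    sed -n 's/.*Suggested Profile(s) *: *\([^, ]*\).*/\1/p' | head -n 1
}

# Print the Offset(P) of every filescan row whose line matches the regex in $1.
# Header rows are skipped because they do not start with 0x; matching the whole
# line keeps paths that contain spaces intact.
filescan_offsets() {
    awk -v pat="$1" '$1 ~ /^0x/ && $0 ~ pat { print $1 }'
}

# Build one volatility command line: $1 = image, $2 = profile, rest = plugin args.
vol_cmd() {
    img=$1; prof=$2; shift 2
    printf 'volatility -f %s --profile=%s %s\n' "$img" "$prof" "$*"
}

# Run the cheat sheet's plugin order against an image, one output file per
# plugin, and print the profile that was used. $1 = image, $2 = output dir.
triage() {
    img=$1; out=$2
    mkdir -p "$out"
    prof=$(volatility -f "$img" imageinfo 2>/dev/null | suggested_profile)
    if [ -z "$prof" ]; then
        echo "imageinfo suggested no profile; run kdbgscan and pass --profile by hand" >&2
        return 1
    fi
    for plugin in netscan cmdscan pslist psscan pstree \
                  psxview modscan ssdt apihooks envars hashdump; do
        volatility -f "$img" --profile="$prof" "$plugin" \
            > "$out/$plugin.txt" 2> "$out/$plugin.err"
    done
    echo "$prof"
}

# Usage: ./triage.sh <image> <output dir>
if [ "$#" -ge 2 ]; then
    triage "$1" "$2"
fi
```

After ``triage`` has run, ``filescan_offsets`` can be fed the saved ``filescan`` output to get the ``-Q`` argument for ``dumpfiles`` (``vol_cmd "$img" "$prof" dumpfiles -D . -Q "$offset"``), which is the step the macro-hunting section above performs by hand.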