ForensicΒΆ
photorec /dev/loop6
VolatilityΒΆ
Identify system profileΒΆ
volatility -f <image> imageinfo
#sample command line
volatility -f <image> --profile=<profile plugin>
Scan for tcp connectionΒΆ
netscan
Command historyΒΆ
cmdscan
Identify rogue processΒΆ
pslist
pscan
pstree
Check for sign of rootkitΒΆ
psxview
modscan
ssdt
apihooks
Extract process,drivers,objectsΒΆ
dlldump
moddump
procdump
memdump : volatility memdump --dump-dir ./outpu -p 868 #once extracted we can do a "strings" of the fil
dumpfiles
Get verboses informations like username,computer name,data etcΒΆ
volatility -f <image> --profile=<profile plugin> envars
Get passwordΒΆ
volatility -f <image> --profile=<profile plugin> hashdump > file.txt
#now you can try to brutforce the hash with john or hashcat
Find macro and analyze itΒΆ
#1 find the file
volatility -f <image> --profile=<profile plugin> filescan | grep <file format:doc,pdf ...> #or | grep WIN
#2 extract the file
volatility -f <image> --profile=<profile plugin> dumpfiles -D . -Q 0x0000000<number in the last command>
#3 search and anlyze macro
/../../vbaProject.bin #macro are usually here
# to serach faster for informations
strings <image> | grep FindProxyForURL -A5