Forensic

photorec /dev/loop6

Volatility

Identify system profile

volatility -f <image> imageinfo

# sample command line (append the plugin you want to run)
volatility -f <image> --profile=<profile plugin> <plugin>

Scan for TCP connections

netscan

Command history

cmdscan

Identify rogue processes

pslist
psscan
pstree

Check for signs of a rootkit

psxview
modscan
ssdt
apihooks

Extract processes, drivers, objects

dlldump
moddump
procdump
memdump  : volatility -f <image> --profile=<profile plugin> memdump --dump-dir ./output -p 868 #once extracted we can run "strings" on the dump file
dumpfiles

Get verbose information such as username, computer name, data etc.

volatility -f <image> --profile=<profile plugin> envars

Get password hashes

volatility -f <image> --profile=<profile plugin> hashdump > file.txt
#now you can try to brute-force the hashes with john or hashcat

Find macros and analyze them

#1 find the file
volatility -f <image> --profile=<profile plugin> filescan | grep <file format:doc,pdf ...> #or | grep WIN

#2 extract the file
volatility -f <image> --profile=<profile plugin> dumpfiles -D . -Q 0x0000000<offset printed by the filescan command>

#3 search and analyze the macro
/../../vbaProject.bin #macros are usually stored here

# to search faster for information
strings <image> | grep FindProxyForURL -A5
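The three macro-hunting steps above (filescan, dumpfiles, look at vbaProject.bin) can be chained into a small triage helper. The script below is an added example; it is not part of this cheat sheet or of the Volatility project. It assumes the Volatility 2 `filescan` column layout (Offset(P), #Ptr, #Hnd, Access, Name); the filescan lines and the fake .docm it builds are constructed for the demo, and the marker scan is only a cheap heuristic to decide which dumped document deserves a proper look with a tool such as olevba.

```python
"""Triage helper: filescan output -> dumpfiles command -> quick VBA marker check.
Added example (not the cheat sheet's or Volatility's own code). Assumes the
Volatility 2 filescan layout; all sample data below is constructed."""
import io
import re
import shlex
import zipfile

# Constructed sample of what `volatility ... filescan` prints (not from a real image).
SAMPLE_FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0f9070      2      0 R--r-- \\Device\\HarddiskVolume1\\Users\\bob\\Documents\\invoice.docm
0x000000003e1a2b30      8      1 R--rwd \\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll
0x000000003e2c4d10      1      0 R--r-- \\Device\\HarddiskVolume1\\Users\\bob\\Downloads\\report.pdf
"""

FILESCAN_LINE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<ptr>\d+)\s+(?P<hnd>\d+)\s+(?P<access>\S+)\s+(?P<name>.+?)\s*$"
)

def parse_filescan(text):
    """Return (physical offset, path) for every file-object line; header/separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FILESCAN_LINE.match(line)
        if m:
            rows.append((m.group("offset"), m.group("name")))
    return rows

def find_documents(rows, extensions=("doc", "docm", "docx", "xls", "xlsm", "pdf")):
    """Step 1: keep only document types of interest (the `| grep doc` filter, case-insensitive)."""
    exts = tuple("." + e.lower() for e in extensions)
    return [(off, name) for off, name in rows if name.lower().endswith(exts)]

def dumpfiles_command(image, profile, offset, outdir="."):
    """Step 2: build the dumpfiles command line for one physical offset (paths are shell-quoted)."""
    return (f"volatility -f {shlex.quote(image)} --profile={shlex.quote(profile)} "
            f"dumpfiles -D {shlex.quote(outdir)} -Q {offset}")

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header (legacy .doc, vbaProject.bin)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML containers (.docm/.xlsm) are zip archives
# Strings commonly visible in a VBA project stream; heuristic only, not proof of malicious code.
VBA_MARKERS = (b"_VBA_PROJECT", b"Attribut", b"AutoOpen", b"Document_Open", b"Workbook_Open")

def triage_dump(data):
    """Step 3: locate the VBA project in a dumped document and report which markers it contains."""
    result = {"container": "unknown", "vba_project": None, "markers": []}
    payload = b""
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"       # legacy format: VBA streams live in the same CFB file
        payload = data
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "zip"       # OOXML: look for the embedded vbaProject.bin entry
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if entry.lower().endswith("vbaproject.bin"):
                    result["vba_project"] = entry
                    payload = zf.read(entry)   # deflated in the zip, so scan the inflated bytes
                    break
    result["markers"] = [m.decode() for m in VBA_MARKERS if m in payload]
    result["has_vba"] = bool(result["markers"])
    return result

def build_sample_docm():
    """Constructed .docm-like zip with a fake vbaProject.bin (no real macro), for the demo/test."""
    fake_vba = OLE_MAGIC + b"\x00" * 8 + b"_VBA_PROJECT\x00Attribut\x00e VB_Nam\x00e AutoOpen"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", fake_vba)
    return buf.getvalue()

if __name__ == "__main__":
    for off, name in find_documents(parse_filescan(SAMPLE_FILESCAN)):
        print(dumpfiles_command("<image>", "<profile plugin>", off), "#", name)
    print(triage_dump(build_sample_docm()))
```

Run it as-is to see the generated dumpfiles commands and the triage verdict for the constructed sample; on a real case, feed it the saved filescan output and the files dumpfiles writes into the output directory.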