RAM Analysis with Volatility Guide

This document provides instructions for analyzing a RAM image using the Volatility framework. It describes how to: 1) Find the RAM image file and verify its integrity. 2) Start Volatility and view basic information about the RAM dump, including the operating system. 3) Use various Volatility plugins to view processes, commands, services, registry hives and extract password hashes from the SAM and SYSTEM hives. 4) Crack one of the extracted password hashes to reveal the password.

Uploaded by Fernando Guerra

Analyzing a RAM Image with Volatility

Finding the RAM Image to Examine

In your Kali Linux machine, open a Terminal window and execute these commands:

cd
cd Desktop
ls -l

Note that the last command is "LS -L" in lowercase.

You should see the memdump.mem file, which should be approximately 500 MB in size, as
shown below. If you do not, you may need to repeat a previous project to create the
memory image again.

Troubleshooting
If you can't get this to work, which is happening to a lot of students, try using my
memory dump from here:

memdump.7z

Extract and check the file with these commands in Linux:

7z e memdump.7z

md5sum memdump.mem

The correct hash is b50ae13dc659ec9c8af66b539e5768d8
If you use it, explain that in the text part of the email you send in so my grader knows
your name won't be in the artifacts you find.

Starting Volatility
In your Kali Linux machine, in a Terminal window, execute these commands:

cd /usr/share/volatility

python vol.py -h

You see a long help message, as shown below:

The Volatility help is long and confusing.

Fortunately, SANS has made a handy one-page cheat sheet which is much friendlier. The
part that is important to us is shown below:

Basic Volatility Usage

Image Information

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py imageinfo -f /root/Desktop/memdump.mem

This shows basic information about the image, such as the operating system of the machine
that was imaged, and when the image was made, as shown below:

Volatility needs to know what operating system was imaged in order to interpret the
memory image correctly. The default profile is WinXPSP2x86, but we used
Win2008SP1x86, so we'll have to include that information in all future Volatility command
lines.

Running Processes

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py pslist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem

This shows the processes that were running on the machine when the RAM image was
made, as shown below:

Notice these columns:

- Offset: The location in RAM of the process, in hexadecimal
- Name: The process name, as it would be shown in Task Manager
- PID: The process ID
- PPID: The parent process ID, that is, the process that launched this process. In the
  example above, the "System" process is process 4, and it is the parent of the
  "smss.exe" process.
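The PPID column is what lets you reconstruct who launched whom. As an added example (not part of the lab), this script parses a pslist-style listing into a parent-child tree and reports processes whose parent is no longer in the listing; the rows are constructed and the column layout is assumed to follow Volatility 2's pslist header.

```python
import re
from collections import defaultdict

# Constructed pslist-style listing (not the lab's real output); the columns follow
# Volatility 2's pslist header. explorer.exe's parent (1396, userinit.exe) has exited.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------------------------
0x8233dd18 System                    4      0     51      337 ------      0 2014-04-08 03:07:04 UTC+0000
0x8374b020 smss.exe                248      4      3       21 ------      0 2014-04-08 03:07:04 UTC+0000
0x837f6d40 csrss.exe               324    248     10      425      0      0 2014-04-08 03:07:06 UTC+0000
0x83803030 wininit.exe             360    248      3       77      0      0 2014-04-08 03:07:06 UTC+0000
0x83851d40 services.exe            452    360      9      228      0      0 2014-04-08 03:07:07 UTC+0000
0x8392b030 svchost.exe             612    452     12      318      0      0 2014-04-08 03:07:08 UTC+0000
0x83a01d40 explorer.exe           1420   1396     19      612      1      0 2014-04-08 03:09:31 UTC+0000
0x83a5b8e0 cmd.exe                1704   1420      1       22      1      0 2014-04-08 03:12:02 UTC+0000
"""
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b")

def parse_pslist(text: str) -> dict:
    """Map PID -> (name, ppid, offset) from pslist output, skipping header/separator lines."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            offset, name, pid, ppid = m.groups()
            procs[int(pid)] = (name, int(ppid), offset)
    return procs

def orphans(procs: dict) -> list:
    """PIDs whose PPID is not in the listing: the parent exited (normal for explorer.exe)."""
    return sorted(pid for pid, (_, ppid, _) in procs.items() if ppid not in procs and ppid != 0)

def tree_lines(procs: dict) -> list:
    """Render the PPID links as an indented tree, the relationship pstree shows."""
    children = defaultdict(list)
    for pid, (_, ppid, _) in procs.items():
        children[ppid].append(pid)
    out = []
    def walk(pid, depth):
        name, ppid, offset = procs[pid]
        out.append(f"{'. ' * depth}{name} (pid {pid}, ppid {ppid}, offset {offset})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)
    for root in sorted(pid for pid, (_, ppid, _) in procs.items() if ppid not in procs):
        walk(root, 0)
    return out
```

An orphan is not automatically suspicious: explorer.exe is normally started by userinit.exe, which exits right afterwards.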

Console Commands

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py consoles --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem

This shows the console commands that were recently executed on the Windows machine.

You should see the command you executed to create the user account with your own name,
as shown below:

Services

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py svcscan --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem | more

This shows the first page of a long list of services, as shown below:

Registry Hives

In your Kali Linux machine, in a Terminal window, execute this command:

python vol.py hivelist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem

This shows the location in RAM of the Registry hives, as shown below:

Examine your output and find the two addresses outlined in green above: the virtual
addresses of the SAM and SYSTEM hives. Those two hives together contain enough
information to extract Windows password hashes.

Password Hashes

In your Kali Linux machine, in a Terminal window, execute the command below.

You will have to replace the two hexadecimal addresses with the correct virtual addresses
of your hives, in this format:

-y SYSTEM -s SAM

python vol.py hashdump --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem -y 0x86226008 -s 0x89c33450

When you get the command correct, you will see the login account names and hashed
passwords, including one showing your name, as shown below:

Cracking the Password Hash

Windows stores two hashes with each password, delimited by colons. The first one is an
extremely insecure, obsolete hash using the LANMAN algorithm. Windows operating
systems since Vista no longer use LANMAN hashes, so they are filled with a dummy value
starting with "aad".

The second hash is the newer NTLM hash, which is much better than LANMAN hashes,
but still extremely insecure and much more easily cracked than Linux or Mac OS X hashes.

To crack your password, highlight the hash value, as shown below, right-click it, and click
Copy.

On your host Windows 7 machine, open a Web browser and go to

https://crackstation.net/

Paste in the hash. On the right side, fill in the CAPTCHA and click the "Crack Hashes"
button.

The hash should crack, revealing the password of "SuperSecret!", as shown below.
