APU Certified Cybersecurity Practitioner Module 25
Analyzing a RAM Image with Volatility
What You Need for This Project
The Kali Linux virtual machine 2016
The memdump.mem file created in the previous project
Start Your Kali Linux Machine
Launch your Kali Linux machine. Log in as root with the password toor.
Finding the RAM Image to Examine
Drag the memdump.mem file and drop it on the Kali machine desktop.
In your Kali Linux machine, open a Terminal window and execute these commands:
cd
cd Desktop
ls -l
Note that the last command is "LS -L" in lowercase.
You should see the memdump.mem file, as shown below. If you do not, you may
need to repeat a previous project to create the memory image again.
Asia Pacific University of Technology & Innovation (APU) Page 1 of 3
Starting Volatility
In your Kali Linux machine, in a Terminal window, execute these commands:
apt-get install volatility
cd /usr/share/volatility
python vol.py -h
You see a long help message, as shown below:
The volatility help is long and confusing.
Fortunately, SANS has made a handy one-page cheat sheet which is much
friendlier. The part that is important to us is shown below:
Basic Volatility Usage
Image Information
In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py imageinfo -f /root/memdump.mem
This shows basic information about the image, such as the operating system of the machine that was imaged (the "Suggested Profile(s)" line) and when the image was made, as shown below. If you left memdump.mem on the Desktop rather than in /root, use -f /root/Desktop/memdump.mem here and in every command that follows.
Volatility needs to know what operating system was imaged in order to interpret the memory image correctly. The default profile is WinXPSP2x86, but our image came from a 32-bit Windows Server 2008 SP1 machine, so we must add --profile=Win2008SP1x86 to every Volatility command line from here on. Take the profile from the first entry in imageinfo's "Suggested Profile(s)" line; with the wrong profile, plugins often produce empty or nonsensical output rather than a clear error.
Running Processes
In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py pslist --profile=Win2008SP1x86 -f /root/memdump.mem
This shows the processes that were running on the machine when the RAM image was made, as shown below. pslist walks the kernel's linked list of active processes, so a process that malware has unlinked from that list will not appear; the psscan plugin, which instead scans memory for _EPROCESS structures, also finds unlinked and recently terminated processes.
Notice these columns:
Offset(V) : The virtual address of the process's _EPROCESS structure, in hexadecimal
Name : The process name, as it would be shown in Task Manager
PID : The process ID
PPID : The parent process ID, that is, the ID of the process that launched this process. In the example above, the "System" process is process 4, and it is the parent of the "smss.exe" process. A PPID that matches no PID in the listing means the parent has already exited; that is normal for explorer.exe (its parent, userinit.exe, exits after logon) but deserves a second look for anything else.
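The PID/PPID columns are what you use to rebuild the process tree and ask "what started this?". The following is an added example, not part of the lab or of Volatility itself: it parses pslist output into a tree, the way Volatility's own pstree plugin does, and walks the ancestry of a single process. The pslist text it reads is constructed for the example (invented offsets, PIDs and timestamps in Volatility 2's column order), not the lab image's real output.

```python
import re
from collections import defaultdict

# Constructed sample of `python vol.py pslist` output for this example
# (invented offsets, PIDs and times, not the lab image's real output);
# the column order follows Volatility 2's pslist plugin.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x83e2c8e8 System                     4      0     79      444 ------      0 2016-07-20 10:00:00 UTC+0000
0x84a11d40 smss.exe                 264      4      3       31 ------      0 2016-07-20 10:00:01 UTC+0000
0x84a8a030 csrss.exe                336    264     10      412      0      0 2016-07-20 10:00:02 UTC+0000
0x84ab1d40 wininit.exe              372    264      3       77      0      0 2016-07-20 10:00:02 UTC+0000
0x84ac0d40 services.exe             468    372     11      230      0      0 2016-07-20 10:00:03 UTC+0000
0x84ad8030 lsass.exe                480    372      9      590      0      0 2016-07-20 10:00:03 UTC+0000
0x84c01d40 explorer.exe            1448   1404     22      611      1      0 2016-07-20 10:01:10 UTC+0000
0x84d22d40 cmd.exe                 1820   1448      1       20      1      0 2016-07-20 10:05:42 UTC+0000
0x84d5a030 net.exe                 1900   1820      1       23      1      0 2016-07-20 10:06:03 UTC+0000
"""

# Offset, Name, PID and PPID are the first four columns. Image names containing
# spaces are rare and are not handled by this simple pattern.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b")


def parse_pslist(text):
    """Return {pid: (name, ppid, offset)} from pslist output, skipping banner/header lines."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            offset, name, pid, ppid = m.groups()
            procs[int(pid)] = (name, int(ppid), offset)
    return procs


def process_tree(procs):
    """Map each pid to the sorted list of pids whose PPID points at it."""
    children = defaultdict(list)
    for pid, (_, ppid, _) in procs.items():
        children[ppid].append(pid)
    for kids in children.values():
        kids.sort()
    return children


def roots(procs):
    """Pids whose parent is not in the listing: the real root (System, PPID 0) and
    processes whose parent has already exited (explorer.exe here, PPID 1404 absent)."""
    return sorted(pid for pid, (_, ppid, _) in procs.items() if ppid not in procs)


def render_tree(procs, start=None, depth=0, children=None):
    """Indented text tree, one line per process, like Volatility's pstree output."""
    if children is None:
        children = process_tree(procs)
    pids = [start] if start is not None else roots(procs)
    lines = []
    for pid in pids:
        lines.append("%s%s (%d)" % ("  " * depth, procs[pid][0], pid))
        for child in children.get(pid, []):
            lines.extend(render_tree(procs, child, depth + 1, children))
    return lines


def ancestry(procs, pid):
    """Process names from `pid` up to the first ancestor missing from the listing."""
    chain = []
    while pid in procs:
        name, ppid, _ = procs[pid]
        chain.append(name)
        pid = ppid
    return chain


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render_tree(procs)))
    # Who launched net.exe? Walk PPIDs back to the root.
    print(" <- ".join(ancestry(procs, 1900)))
```

Run it and the net.exe line reads `net.exe <- cmd.exe <- explorer.exe`: a user-session command shell ran net.exe, which is exactly the chain you would expect behind the account-creation command the consoles plugin shows in the next step.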
Console Commands
In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py consoles --profile=Win2008SP1x86 -f /root/memdump.mem
This scans the memory of the console host process (csrss.exe on Windows Server 2008; conhost.exe on Windows 7 and later) and shows the command history and screen buffer of each console, that is, the console commands that were recently executed on the Windows machine.
You should see the command you executed to create the user account with your
own name, as shown below:
Services
In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py svcscan --profile=Win2008SP1x86 -f /root/memdump.mem | more
This shows the first page of a long list of services, as shown below:
Registry Hives
In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py hivelist --profile=Win2008SP1x86 -f /root/memdump.mem
This shows the location in RAM of the Registry hives, as shown below:
Examine your output and find the virtual addresses (the first column, "Virtual") of the SAM and SYSTEM hives, listed as \SystemRoot\System32\Config\SAM and \REGISTRY\MACHINE\SYSTEM. Together those two hives contain enough information to extract Windows password hashes: SAM holds the hashes, and SYSTEM holds the boot key that encrypts them.
Password Hashes
In your Kali Linux machine, in a Terminal window, execute the command below.
Replace the two hexadecimal addresses with the virtual addresses of your own hives: -y takes the SYSTEM hive address and -s takes the SAM hive address. The physical addresses in the second hivelist column will not work here. Recent Volatility 2 releases can locate the hives themselves if -y and -s are omitted, but giving them explicitly keeps the command reproducible.
python vol.py hashdump --profile=Win2008SP1x86 -f /root/memdump.mem -y 0x86226008 -s 0x89c33450
When you get the command correct, you will see the login account names and
hashed passwords, including one showing your name, as shown below:
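Picking the two addresses out of hivelist by hand is where this step usually goes wrong (wrong column, or the SECURITY hive instead of SAM). The following added example, which is not part of the lab or of Volatility, parses hivelist output, matches the hives by their path suffix, and assembles the hashdump command line. The hivelist text is constructed for the example with invented addresses; the hive path names follow Volatility 2's hivelist output, and the image path and profile are the ones used in this lab.

```python
import re
import shlex

# Constructed sample of `python vol.py hivelist` output for this example
# (invented addresses, not the lab image's real output). Path names follow
# Volatility 2's hivelist layout: Virtual, Physical, Name.
SAMPLE_HIVELIST = """\
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8a01c008 0x0ccae008 [no name]
0x8a022008 0x0ccb6008 \\REGISTRY\\MACHINE\\SYSTEM
0x8a0ad008 0x0a5b9008 \\REGISTRY\\MACHINE\\HARDWARE
0x8e4d9008 0x1fa2e008 \\SystemRoot\\System32\\Config\\SECURITY
0x8e5208a8 0x1e1a48a8 \\SystemRoot\\System32\\Config\\SAM
0x8e577008 0x1f0a1008 \\SystemRoot\\System32\\Config\\SOFTWARE
0x8f0b0008 0x23c55008 \\??\\C:\\Users\\Administrator\\ntuser.dat
"""

ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.*\S)\s*$")


def parse_hivelist(text):
    """Return a list of (virtual, physical, name) tuples, one per hive row."""
    return [m.groups() for m in (ROW.match(l) for l in text.splitlines()) if m]


def find_hive(hives, suffix):
    """Virtual address of the one hive whose name ends with `suffix` (case-insensitive).
    Raises instead of guessing when the hive is missing or matched more than once."""
    matches = [virt for virt, _, name in hives if name.lower().endswith(suffix.lower())]
    if len(matches) != 1:
        raise LookupError("expected exactly one hive matching %r, found %d" % (suffix, len(matches)))
    return matches[0]


def hashdump_command(hivelist_output, profile, image):
    """Build the hashdump command: -y gets the SYSTEM hive's virtual address,
    -s the SAM hive's. Physical addresses (second column) would be wrong here."""
    hives = parse_hivelist(hivelist_output)
    system = find_hive(hives, "\\SYSTEM")   # \REGISTRY\MACHINE\SYSTEM
    sam = find_hive(hives, "\\SAM")         # \SystemRoot\System32\Config\SAM
    return "python vol.py hashdump --profile=%s -f %s -y %s -s %s" % (
        profile, shlex.quote(image), system, sam)


if __name__ == "__main__":
    print(hashdump_command(SAMPLE_HIVELIST, "Win2008SP1x86", "/root/memdump.mem"))
```

Matching on the trailing path component rather than on a substring is deliberate: "SYSTEM" also appears inside \SystemRoot\System32\Config\..., and a substring match would happily hand you the SOFTWARE or SECURITY hive.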
Cracking the Password Hash
Each line of hashdump output has the form user:RID:LM hash:NT hash:::, so each account carries two hashes, delimited by colons. The first one is the obsolete LANMAN (LM) hash, which is extremely insecure. Windows Vista and later do not store LM hashes by default, so that field holds the LM hash of an empty password, aad3b435b51404eeaad3b435b51404ee, which is why it starts with "aad".
The second hash is the newer NT hash (commonly called the NTLM hash). It is much better than the LM hash, but it is still an unsalted MD4 of the UTF-16LE password: the same password always gives the same hash, which makes precomputed tables possible and makes it far easier to crack than the salted, iterated hashes used by Linux or Mac OS X.
To crack your password, highlight the hash value, as shown below, right-click
it, and click Copy.
On your host Windows machine, open a Web browser and go to
https://crackstation.net/
Paste in the hash. On the right side, fill in the CAPTCHA and click the "Crack
Hashes" button.
The hash should crack, revealing the password "SuperSecret!", as shown below. Note that pasting a hash into a public site discloses it to a third party; for hashes recovered in a real investigation, crack offline instead, for example with john --format=NT or hashcat -m 1000 against a wordlist.
-THE END-