Introduction to Memory Forensics

Views: 78,574

13Cubed

1 day ago

Comments: 81
@ktenbz 2 years ago
5 years later and this video is still incredible. Amazing explanation, makes things much easier to understand how it works. Congrats and thank you for sharing your knowledge with us.

@ElCyberWizard 3 years ago
I've been using this channel to reinforce what I've been learning in the SANS FOR508 course and it's helped me so much. Thank you!

@salvodercrasto1511 6 years ago
Richard, thanks for such a wonderful explanation. I completed SANS508 because of this.

@cybervee_ 4 years ago
I didn't understand anything in class, but you clearly explain this and make me understand! Thank you!

@louisarturo5111 3 years ago
Sorry to be off-topic, but does someone know a trick to log back into an Instagram account? I somehow lost the password. I would appreciate any assistance you can offer me.

@ElCyberWizard 3 years ago
@louisarturo5111 sus
@Bleedx9393 4 years ago
Wonderful explanation. Thanks for sharing this content with us.

@themyxa 3 years ago
This is a perfect primer! Thanks a lot for the effort and for sharing it with the community. Huge fan of your work :)

@nilanjana25 2 years ago
Thank you for the informative video on memory forensics. I am a beginner and found this video very helpful.

@EdwinCloud 6 years ago
Best video about Volatility ever.

@cyberkeshav 1 year ago
Great, great video, thank you for this useful video sir.

@universalponcho 3 years ago
This was nice to watch.

@bjach 7 years ago
Great, sir. Nice and clean info with a demo on memory forensics.

@riazjafaq1401 6 years ago
Hi, a very informative tutorial for learning memory forensics. Nicely presented. Thanks.

@forenzikacsi884 7 years ago
Very good tutorial for forensic analysis of memory. Keep up the good work.

@moretwocome21 6 years ago
Awesome video sir!

@nanduanil8587 3 years ago
Perfect class❤️
@dkdk-pd1vn 7 years ago
Incredible content, presented so well! Thanks for doing this.

@emranemran29 6 years ago
I learned a lot from your video. Really, your videos are awesome, and thank you so much for the video.

@orlandop4sun 3 years ago
AWESOME video man. You have a great caster voice, you should do voiceovers or commercials.

@IBITZEE 5 years ago
Great video... Thanks...

@noahchrisbell 7 years ago
Awesome series Richard! Keep up these great videos!!

@wookl007 6 years ago
Awesome content.

@b1ue2211 4 years ago
Hey Richard, thank you for the videos. I started to fiddle with Volatility; is it normal that imageinfo takes hours to run and still doesn't complete? I tried it on a 32GB memdump and a 16GB one. On the 32GB it ran for 2.5 hours before I hit Ctrl+C; the 16GB has been running now for close to an hour without any output. (Drive is an SSD, hardware is a modern 4-core processor, not much processor utilization but always max I/O read on the drive.) Also just wanted to say thank you for turning me on to digital forensics. These past few weeks I've religiously gone through your Windows Forensics series taking notes, now starting this one, then I guess on to your other videos. Always heard that you could do these things and all this information is available, you just gotta know how to get it from the system... well, now I know some of it and that's thanks to you, so again just wanted to say your work is appreciated. :)

@13Cubed 4 years ago
Hi, thank you for the great feedback! Regarding imageinfo, yes, it can take a long while. Two things: 1) try to use kdbgscan. However, keep in mind that if you know the build number for the version of Windows from which the memory capture was acquired, there is no need to run this. Just specify the correct Volatility profile. You can view the installed profiles by running vol.py --info. 2) Volatility 3, which is now in public beta, will (soon) replace version 2. The new version 3 no longer requires profiles to be specified. Check out the episode I made covering it.

@b1ue2211 4 years ago
@13Cubed Hey, thanks for the reply. Just got to the Volatility Profiles video, which made some things clear: the OS version was 18363, while Volatility only has an 18362 profile. Even still, it did work with that profile with pslist, but imageinfo (and kdbgscan) still can't handle the .mem file itself... I set the debug flag in the command and it just went around "Trying" one after the other, then came back with "No suitable address space mapping found" after I maxed the niceness of the process... Anyway, not having to figure out profiles is gonna be a great addition, definitely gonna check out version 3!

@vq8gef32 1 year ago
Amazing, thank you.
@NoEgg4u 6 years ago
Greetings. At the 20:32 time mark, you ran:
volatility -f -memdump.mem --profile=Win10x64_14393 -h
Part of the output from that command included:
truecryptmaster Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase TrueCrypt Cached Passphrase Finder
truecryptsummary TrueCrypt Summary
Would you please explain under what circumstances TrueCrypt is vulnerable? Is it specific to only version 7.1a? The virtues of TrueCrypt and VeraCrypt are that they are open source and supposedly have no known technical (or design) vulnerabilities (other than user errors, such as using "password1" for a passphrase or having a keylogger in the OS, etc.). So seeing the above TrueCrypt references is news to me. Is VeraCrypt also susceptible or vulnerable via "volatility" or any other forensics software? It would be good to know if the vault a person is using can be opened by others. What should the user do to keep their encrypted volumes from being compromised? I am not asking how to break into other people's encrypted volumes. I am asking how to keep my encrypted volumes safe from an attacker. Can I trust VeraCrypt? Thank you.

@gakind 5 years ago
Great video - thank you!

@lbarrera2197 5 years ago
Well done! Thanks!

@13Cubed 5 years ago
L Barrera Thanks! Be sure to check out the playlist for the remaining episodes in the series, as there are plenty more.

@TheKiller7276 7 years ago
Great video, I learned a lot. I will have to check out this Redline tool as well.

@franzandrae 4 years ago
Hey there, what does PID -1 mean when running the netscan command?

@13Cubed 4 years ago
The plug-in did not properly parse that information from memory. Occasionally you'll see output like that.

@franzandrae 4 years ago
@13Cubed Thank you for your quick answer, subscribers +1 :)

@franzandrae 4 years ago
@13Cubed Oh man, turns out I had to use a different profile. Now I have the correct PID :)
@richardatkins5249 3 years ago
Great training video. Thank you for sharing your knowledge with us peasants.

@auggiedomingo7888 7 years ago
Hi, 13Cubed! I just wanted to know if it is possible to track your computer's activity for a given day. For example, if I wanted to know what files were opened, how long a file was opened, etc. I have not finished watching your videos yet, but this is the reason why I am watching them. If you have something that does that, can you please point me in the right direction? Thanks!

@13Cubed 7 years ago
A super timeline creation tool like Log2Timeline would enable you to profile a large number of forensic artifacts, and then using Excel you could filter/sort to extract data from the time period in which you're interested. I've got an upcoming video covering this, but it's still in production now.

@hyunwooson2819 6 years ago
Hello, does this still use Volatility, or solely Log2Timeline?

@smh4536 4 years ago
Quick question: I get nothing back when I run cmdscan or consoles on a Win 10 memory image. Why is that?

@13Cubed 4 years ago
I haven't had much success with those plugins in Windows 10. Try dumping process memory (memdump, not procdump) associated with any conhost.exe processes and extracting data with strings. That's sometimes useful.

@audreymciver4863 5 years ago
How do I find out who is in control of any assets that I didn't know I had?

@dimman87 6 years ago
What software do you use to acquire the memory dump? Is there a good free alternative available?

@13Cubed 6 years ago
DumpIt, winpmem, Magnet RAM Capture, and FTK Imager are all available for free, just to name a few.

@detectwarectf7706 6 years ago
Great presentation. Can you make the Windows 10 image available?

@13Cubed 6 years ago
Detectware CTF I have a new episode in the Memory Forensics series coming later this month. The corresponding memory image will be released alongside it. I think you will find it very useful.
@vilaysackvorachack2395 3 years ago
How can we know which profile to use?

@frankvictory8948 4 years ago
What was the Python script for netscan? Abibas?

@13Cubed 4 years ago
Abeebus - got an episode coming out about that. github.com/13Cubed/Abeebus

@SuperChelseaSW6 5 years ago
Hello sir. Are we going to use a write blocker while capturing RAM?

@juancastro8073 3 years ago
Hello, I am a starter in Volatility. I am getting a volatility.debug error (file doesn't exist). Also, I can't locate the memory dump in my Kali Linux VM. I really appreciate your help!!

@13Cubed 3 years ago
You should be able to point to the memory file you want to analyze via the -f flag. Make sure the path after -f points to a valid file (full path and filename).

@PrashantJaiswalbhaiji 5 years ago
A question: you knew which profile to use. In case I don't, is it back to trial and error, or is there a better way?

@13Cubed 5 years ago
Prashant Jaiswal Use imageinfo or kdbgscan. Check out the Introduction to Memory Forensics playlist. I think you'll find it very useful.

@PrashantJaiswalbhaiji 5 years ago
@13Cubed Thank you! I'll do that right now. :)

@amokostephen4206 4 years ago
Absolutely 👍

@lamarisdts6738 4 years ago
I need 30 hours of DFIR training. How could I get documented training?

@13Cubed 4 years ago
SANS has numerous free webcasts you can sign up for and earn CPE credits.

@lamarisdts6738 4 years ago
@13Cubed Thanks. I will look on there again.
@audreymciver4863 5 years ago
I never use plug-ins, and I think a lot of data was added by hackers in my network, and pinging or remote access and SIM cards being remotely inserted.

@busyhacker63 4 years ago
No. 1 tutorial on memory forensics on YouTube.

@PrashantJaiswalbhaiji 5 years ago
What tool would you use to analyze a process dump file? (In this case: 3960.dmp)

@13Cubed 5 years ago
If you dump the process binary itself, say with procdump in Volatility, you can reverse it and analyze it as you would any other binary. If you dump the process memory, say with Volatility's memdump plugin, strings may be your best bet to extract anything valuable therein.

@PrashantJaiswalbhaiji 5 years ago
@13Cubed Thank you very much for your quick reply. It helps newbies like me quite a bit :)

@SarathKumariamawesome 5 years ago
Is it possible to detect kernel-level rootkits using Volatility 2.6?

@13Cubed 5 years ago
sarath kumar Sure, though rootkits are less common present day than they used to be.

@cvnikhil1131 5 years ago
When I used the hashdump, cmdscan, and console plugins I got nothing in the output. Can anyone tell me why that is happening? I used a Windows 10 memory image and Volatility.

@13Cubed 5 years ago
Those plugins no longer work with newer builds of Windows 10. You can dump the process memory (memdump) for conhost.exe processes and run strings against them to extract command line output. Also check out the public beta for Volatility 3, which includes a plugin called "windows.cmdline.CmdLine", which, in my brief testing, does appear to support Windows 10.
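The advice in this reply, and in the earlier replies recommending memdump on conhost.exe followed by strings (and strings over a memdump output in general), leaves one practical detail implicit: Windows console screen buffers hold wide characters, so a default `strings` run finds the narrow text but misses the UTF-16LE lines unless it is run with `-el` as well. The following is an added example and not 13Cubed's code or a Volatility plugin: a small Python strings extractor that pulls both ASCII and UTF-16LE runs from a dumped process memory blob and then keeps the lines that begin with a drive-letter console prompt, which is roughly what an analyst does by hand when grepping strings output for command lines. The byte buffer is constructed inline as a stand-in for a memdump output file, and the prompt pattern and the helper names are assumptions made for the demo.

```python
"""Added example (not 13Cubed's code): a minimal strings-style extractor for a
dumped process memory blob, such as the output of Volatility's memdump plugin
run against a conhost.exe process. It recovers both plain ASCII runs and
UTF-16LE runs, because Windows console buffers store text as wide characters
and a default `strings` run (without -el) would miss them."""
import re
from typing import List, Tuple

StringHit = Tuple[int, str, str]  # (offset, encoding, text)

# A drive-letter prompt such as "C:\Users\analyst>" marks a console line that
# probably echoed a typed command. The pattern is an assumption for this demo.
PROMPT_RE = re.compile(r"^[A-Za-z]:\\.*>")


def extract_strings(data: bytes, min_len: int = 6) -> List[StringHit]:
    """Return every printable run of at least min_len characters, in offset order.

    ASCII runs are matched the way `strings` does; UTF-16LE runs are matched
    the way `strings -el` does (printable byte followed by a NUL, repeated)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits: List[StringHit] = []
    for m in ascii_re.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    hits.sort(key=lambda h: h[0])
    return hits


def find_prompt_lines(hits: List[StringHit]) -> List[str]:
    """Keep only strings that start with a console prompt, i.e. lines that
    likely came from the screen buffer and echo a typed command."""
    return [text for _, _, text in hits if PROMPT_RE.match(text)]


def strings_from_file(path: str, min_len: int = 6) -> List[StringHit]:
    """Run the extractor over a memdump output file (path is up to the caller).
    The whole file is read into memory, which is fine for one process dump."""
    with open(path, "rb") as fh:
        return extract_strings(fh.read(), min_len)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a conhost.exe memdump: non-printable filler with
    a few embedded console fragments. This is not data from a real capture."""
    filler = bytes([0x00, 0x01, 0x07, 0x1B, 0x80, 0xFF]) * 32
    return (
        filler
        + b"CONHOST_SCREEN"  # printable ASCII, but not a prompt line
        + filler
        + b"C:\\Users\\analyst>ipconfig /all\r\n"  # narrow-character line
        + filler
        + "C:\\Users\\analyst>type notes.txt\r\n".encode("utf-16-le")  # wide line
        + filler
        + b"ok"  # shorter than min_len, so it is dropped
        + filler
    )


if __name__ == "__main__":
    sample_hits = extract_strings(build_sample_dump())
    for offset, encoding, text in sample_hits:
        print(f"0x{offset:08x} {encoding:8s} {text}")
    print("likely command lines:", find_prompt_lines(sample_hits))
```

Running the block prints the three recovered strings with their offsets and encodings; the wide-character "type notes.txt" line is the one a plain `strings` pass would have dropped. Raising `min_len` trims short noise such as font names, at the cost of losing short commands, so it is worth running twice with different thresholds on a real dump.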
@audreymciver4863 5 years ago
We need to identify why Microsoft software is even on my mobile device?

@Trendnet18 6 years ago
Is this tied to 508 or 526?

@13Cubed 6 years ago
Neither - this is my own material, created from practice labs. That said, some of the topics explored here will definitely be covered in more depth within both courses.

@audreymciver4863 5 years ago
I did reset a friend's phone because it had a bug. And I believe it was a danger.

@islam_media_kz 3 years ago
Hello! Thank you for the informative video content. I would like to know how to get the file memdump.mem?

@13Cubed 3 years ago
You would use a memory capture utility such as WinPmem, Magnet RAM Capture, etc.

@audreymciver4863 5 years ago
My only child is grown, born in the '80s.

@audreymciver4863 5 years ago
I have not dumped any files.

@audreymciver4863 5 years ago
I believe it may be caused by a hacker.

@audreymciver4863 5 years ago
I do not have any children.

@audreymciver4863 5 years ago
Anything evil is spam.