openhiberfil

Posted: 2021-01-30

Memory Forensics Cheat Sheet v2.0
POCKET REFERENCE GUIDE
SANS Institute, by Chad Tilbury
https://digital-forensics.sans.org
http://forensicmethods.com

This cheat sheet supports the SANS FOR508 Advanced Digital Forensics, Incident Response, and Threat Hunting & SANS FOR526 Memory Forensics In-Depth courses. It is not intended to be an exhaustive resource for Volatility or other highlighted tools. Volatility is a trademark of Verizon. The SANS Institute is not sponsored, approved by or affiliated with Verizon.

Purpose
Memory analysis is one of the most powerful tools available to forensic examiners. This guide hopes to simplify the overwhelming number of available options.

How To Use This Document
Analysis can generally be accomplished in six steps:
1. Identify Rogue Processes
2. Analyze Process DLLs and Handles
3. Review Network Artifacts
4. Look for Evidence of Code Injection
5. Check for Signs of a Rootkit
6. Extract Processes, Drivers, and Objects
We outline the most useful Volatility plugins supporting these six steps here. Further information is provided for:
- Memory Acquisition
- Alternate Memory Locations
- Converting Hibernation Files and Crash Dumps
- Memory Artifact Timelining
- Registry Analysis Plugins

Getting Started with Volatility

Getting Help
  # vol.py -h            (show options and supported plugins)
  # vol.py plugin -h     (show plugin usage)
  # vol.py plugin --info (show available OS profiles)

Sample Command Line
  # vol.py -f image --profile=profile plugin

Identify System Profile
imageinfo - Display memory image metadata
  # vol.py -f mem.img imageinfo

Using Environment Variables
Set name of memory image (takes place of -f):
  # export VOLATILITY_LOCATION=file:///images/mem.img
Set profile type (takes place of --profile=):
  # export VOLATILITY_PROFILE=Win10x64_14393

Memory Acquisition
Remember to open the command prompt as Administrator.

winpmem
  -o  Output file location
  -p  Include page file
  -e  Extract raw image from AFF4 file
  -l  Load driver for live memory analysis
  C:\>winpmem_<version>.exe -o F:\mem.aff4
  C:\>winpmem_<version>.exe F:\mem.aff4 -e PhysicalMemory -o mem.raw

DumpIt
  /f  Output file location
  /s  Hash function to use
  /t  Send to remote host (set up listener with /l)
  C:\>DumpIt.exe /f F:\mem.raw /s 1

Alternate Memory Locations
Hibernation File - Compressed RAM image; available in Volume Shadow Copies
  %SystemDrive%\hiberfil.sys
Page and Swap Files
  %SystemDrive%\pagefile.sys
  %SystemDrive%\swapfile.sys (Win8+ / 2012+)
Memory Dump
  %WINDIR%\MEMORY.DMP

Converting Hibernation Files and Crash Dumps
imagecopy - Convert alternate memory sources to raw
  -f         Name of source file
  -O         Output file name
  --profile  Source OS from imageinfo
  # vol.py imagecopy -f hiberfil.sys -O hiber.raw --profile=Win7SP1x64
  # vol.py imagecopy -f MEMORY.DMP -O crashdump.raw --profile=Win2016x64_14393

Step 1: Identify Rogue Processes
pslist - High level view of running processes
  # vol.py pslist
psscan - Scan memory for EPROCESS blocks
  # vol.py psscan
pstree - Display parent-process relationships
  # vol.py pstree

Step 2: Analyze Process DLLs and Handles
dlllist - List of loaded DLLs by process
  -p  Show information only for specific processes (PIDs)
  # vol.py dlllist -p 1022,868
getsids - Print process security identifiers
  -p  Show information only for specific PIDs
  # vol.py getsids -p 868
handles - List of open handles for each process
  -p  Show information only for specific PIDs
  -t  Display only handles of a certain type {Process, Thread, Key, Event, File, Mutant, Token, Port}
  # vol.py handles -p 868 -t File,Key

Step 3: Review Network Artifacts
netscan - Scan for TCP connections and sockets
  # vol.py netscan
  Note: use connscan and sockscan for XP systems

Step 4: Look for Evidence of Code Injection
malfind - Find injected code and dump sections
  -p          Show information only for specific PIDs
  -o          Provide physical offset of single process to scan
  --dump-dir  Directory to save suspicious memory sections
  # vol.py malfind --dump-dir ./output_dir
ldrmodules - Detect unlinked DLLs
  -p  Show information only for specific PIDs
  -v  Verbose: show full paths from three DLL lists
  # vol.py ldrmodules -p 868 -v
hollowfind - Detect process hollowing techniques
  -p  Show information only for specific PIDs
  -D  Directory to save suspicious memory sections
  # vol.py hollowfind -D ./output_dir

Step 5: Check for Signs of a Rootkit
psxview - Find hidden processes using cross-view
  # vol.py psxview
modscan - Scan memory for loaded, unloaded, and unlinked drivers
  # vol.py modscan
apihooks - Find API/DLL function hooks
  -p  Operate only on specific PIDs
  -Q  Only scan critical processes and DLLs
  # vol.py apihooks
ssdt - Hooks in System Service Descriptor Table
  # vol.py ssdt | egrep -v '(ntoskrnl|win32k)'
driverirp - Identify I/O Request Packet (IRP) hooks
  -r  Analyze drivers matching REGEX name pattern
  # vol.py driverirp -r tcpip
idt - Display Interrupt Descriptor Table
  # vol.py idt

Step 6: Extract Processes, Drivers, and Objects
dlldump - Extract DLLs from specific processes
  -p          Dump DLLs only for specific PIDs
  -b          Dump DLL using base offset
  -r          Dump DLLs matching REGEX name
  --dump-dir  Directory to save extracted files
  # vol.py dlldump --dump-dir ./output -r metsrv
moddump - Extract kernel drivers
  -b          Dump driver using offset address (from modscan)
  -r          Dump drivers matching REGEX name
  --dump-dir  Directory to save extracted files
  # vol.py moddump --dump-dir ./output -r gaopdx
procdump - Dump process to executable sample
  -p          Dump only specific PIDs
  -o          Specify process by physical memory offset
  -n          Use REGEX to specify process
  --dump-dir  Directory to save extracted files
  # vol.py procdump --dump-dir ./output -p 868
memdump - Extract every memory section into one file
  -p          Dump memory sections from these PIDs
  -n          Use REGEX to specify process
  --dump-dir  Directory to save extracted files
  # vol.py memdump --dump-dir ./output -p 868
filescan - Scan memory for FILE_OBJECT handles
  # vol.py filescan
dumpfiles - Extract FILE_OBJECTs from memory
  -Q          Dump using physical offset of FILE_OBJECT
  -r          Extract using a REGEX (add -i for case insensitive)
  -n          Add original file name to output name
  --dump-dir  Directory to save extracted files
  # vol.py dumpfiles -n -i -r \\.exe --dump-dir=./
svcscan - Scan for Windows Service record structures
  -v  Show service DLL for svchost instances
  # vol.py svcscan -v
cmdscan - Scan for COMMAND_HISTORY buffers
  # vol.py cmdscan
consoles - Scan for CONSOLE_INFORMATION output
  # vol.py consoles

Memory Artifact Timelining
The timeliner plugin parses time-stamped objects found in memory images. Output is sorted by:
- Process creation time
- Thread creation time
- Driver compile time
- DLL/EXE compile time
- Network socket creation time
- Memory resident registry key last write time
- Memory resident event log entry creation time
timeliner
  --output-file    Optional file to write output
  --output=body    Body file format (also text, xlsx)
  --type=Registry  Extract registry key last write times
  # vol.py -f mem.img timeliner --output-file out.body --output=body --profile=Win10x64

Registry Analysis Plugins
hivelist - Find and list available registry hives
  # vol.py hivelist
hivedump - Print all keys and subkeys in a hive
  -o  Offset of registry hive to dump (virtual offset)
  # vol.py hivedump -o 0xe1a14b60
printkey - Output a registry key, subkeys, and values
  -K  "Registry key path"
  # vol.py printkey -K "Microsoft\Windows\CurrentVersion\Run"
dumpregistry - Extract all available registry hives
  -o          Extract using virtual offset of registry hive
  --dump-dir  Directory to save extracted files
  # vol.py dumpregistry --dump-dir ./output
userassist - Find and parse userassist key values
  # vol.py userassist
hashdump - Dump user NTLM and Lanman hashes
  # vol.py hashdump
autoruns - Map ASEPs to running processes
  -v  Show everything
  # vol.py autoruns -v
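The cheat sheet's timeliner command writes the TSK body format (--output=body), which is meant to be sorted and filtered rather than read raw. The following is an added example, not part of the SANS cheat sheet or of Volatility: a small parser that turns body-format lines into a chronological timeline and lets the analyst pivot on an artifact type, a PID or a time window. It assumes the standard 11-field body layout with epoch-second timestamps and the artifact type in brackets at the start of the name field; the sample lines are constructed, not captured from a real image.

```python
"""Sort and filter Volatility 2 'timeliner --output=body' output into a timeline.
Assumes the TSK body layout MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
with epoch-second timestamps and '[TYPE] description' in the name field."""
import re
from datetime import datetime, timezone

# Constructed sample (not from a real image): a 2016 DLL compile time and
# process/registry/network artifacts between 07:59 and 08:02 UTC on 2021-01-30.
SAMPLE_BODY = """\
0|[PROCESS] explorer.exe PID: 1520/PPID: 1488/POffset: 0x3e0a2b30|0|---------------|0|0|0|1611993600|1611993600|1611993600|1611993600
0|[PROCESS] svchost.exe PID: 868/PPID: 620/POffset: 0x3e1f1030|0|---------------|0|0|0|1611993540|1611993540|1611993540|1611993540
0|[PE HEADER (dll)] ntdll.dll Process: svchost.exe PID: 868|0|---------------|0|0|0|1468000000|1468000000|1468000000|1468000000
0|[REGISTRY] \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|0|---------------|0|0|0|1611993650|1611993650|1611993650|1611993650
0|[NETWORK CONNECTION] 10.0.0.5:49152 -> 198.51.100.7:443 TCPv4 svchost.exe PID: 868|0|---------------|0|0|0|1611993700|1611993700|1611993700|1611993700
"""
TYPE_RE = re.compile(r"^\[([^\]]+)\]\s*(.*)$")
PID_RE = re.compile(r"\bPID:\s*(\d+)")   # \b keeps 'PPID:' from matching

def parse_body_line(line):
    """Return {'type','desc','pid','time'} for one body line, or None if it is not one."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        return None  # header, blank line or truncated record
    m = TYPE_RE.match(fields[1])
    if not m or not all(f.isdigit() for f in fields[7:11]):
        return None
    # The plugin repeats one timestamp across the four mactime slots; take the
    # earliest non-zero slot so a record with some zeroed slots still gets a time.
    epochs = [int(f) for f in fields[7:11] if int(f) > 0]
    if not epochs:
        return None
    pid = PID_RE.search(m.group(2))
    return {"type": m.group(1), "desc": m.group(2),
            "pid": int(pid.group(1)) if pid else None,
            "time": datetime.fromtimestamp(min(epochs), tz=timezone.utc)}

def parse_body(text):
    return [ev for ev in map(parse_body_line, text.splitlines()) if ev]

def timeline(events, types=None, pid=None, start=None, end=None):
    """Chronological view, optionally limited to artifact types, one PID and a UTC window."""
    keep = [ev for ev in events
            if (types is None or ev["type"] in types) and (pid is None or ev["pid"] == pid)
            and (start is None or ev["time"] >= start) and (end is None or ev["time"] <= end)]
    return sorted(keep, key=lambda ev: ev["time"])

def render(events):
    return ["%s  [%s] %s" % (ev["time"].strftime("%Y-%m-%d %H:%M:%S UTC"), ev["type"], ev["desc"])
            for ev in events]

if __name__ == "__main__":
    print("\n".join(render(timeline(parse_body(SAMPLE_BODY), pid=868))))
```

Pivoting on PID 868 puts the process's creation, its loaded DLL's compile time and its outbound connection on one axis, which is the kind of sequence that is hard to see in the raw body file.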
