openhiberfil
hiberfil 时间:2021-01-30 阅读:()
ThischeatsheetsupportstheSANSFOR508AdvancedDigitalForensics,IncidentResponse,andThreatHunting&SANSFOR526MemoryForensicsIn-Depthcourses.
ItisnotintendedtobeanexhaustiveresourceforVolatilityorotherhighlightedtools.
VolatilityisatrademarkofVerizon.
TheSANSInstituteisnotsponsored,approvedbyoraffiliatedwithVerizon.
Thetimelinerpluginparsestime-stampedobjectsfoundinmemoryimages.
Outputissortedby:ProcesscreationtimeThreadcreationtimeDrivercompiletimeDLL/EXEcompiletimeNetworksocketcreationtimeMemoryresidentregistrykeylastwritetimeMemoryresidenteventlogentrycreationtimetimeliner--output-fileOptionalfiletowriteoutput--output=bodyBodyfileformat(alsotext,xlsx)--type=RegistryExtractregistrykeylastwritetimes#vol.
py-fmem.
imgtimeliner--output-fileout.
body--output=body--profile=Win10x64MemoryArtifactTimeliningPurposeHowToUseThisDocumentMemoryanalysisisoneofthemostpowerfultoolsavailabletoforensicexaminers.
Thisguidehopestosimplifytheoverwhelmingnumberofavailableoptions.
Analysiscangenerallybeaccomplishedinsixsteps:1.
IdentifyRogueProcesses2.
AnalyzeProcessDLLsandHandles3.
ReviewNetworkArtifacts4.
LookforEvidenceofCodeInjection5.
CheckforSignsofaRootkit6.
ExtractProcesses,Drivers,andObjectsWeoutlinethemostusefulVolatilitypluginssupportingthesesixstepshere.
Furtherinformationisprovidedfor:MemoryAcquisitionAlternateMemoryLocationsConvertingHibernationFilesandCrashDumpsMemoryArtifactTimeliningRegistryAnalysisPluginsRemembertoopencommandpromptasAdministratorwinpmem-oOutputfilelocation-pIncludepagefile-eExtractrawimagefromAFF4file-lLoaddriverforlivememoryanalysisC:\>winpmem_.
exe-oF:\mem.
aff4C:\>winpmem_.
exeF:\mem.
aff4-ePhysicalMemory-omem.
rawDumpIt/fOutputfilelocation/sHashfunctiontouse/tSendtoremotehost(setuplistenerwith/l)C:\>DumpIt.
exe/fF:\mem.
raw/s1MemoryAcquisitionHibernationFileCompressedRAMImage;availableinVolumeShadowCopies%SystemDrive%\hiberfil.
sysPageandSwapFiles%SystemDrive%\pagefile.
sys%SystemDrive%\swapfile.
sys(Win8+\2012+)MemoryDump%WINDIR%\MEMORY.
DMPAlternateMemoryLocationsMemoryForensicsCheatSheetv2.
0POCKETREFERENCEGUIDESANSInstitutebyChadTilburyhttps://digital-forensics.
sans.
orghttp://forensicmethods.
comhivelist-Findandlistavailableregistryhives#vol.
pyhivelisthivedump-Printallkeysandsubkeysinahive-oOffsetofregistryhivetodump(virtualoffset)#vol.
pyhivedump–o0xe1a14b60printkey-Outputaregistrykey,subkeys,andvalues-K"Registrykeypath"#vol.
pyprintkey–K"Microsoft\Windows\CurrentVersion\Run"dumpregistry-Extractallavailableregistryhives-oExtractusingvirtualoffsetofregistryhive--dump-dirDirectorytosaveextractedfiles#vol.
pydumpregistry--dump-dir.
/outputuserassist-Findandparseuserassistkeyvalues#vol.
pyuserassisthashdump-DumpuserNTLMandLanmanhashes#vol.
pyhashdumpautoruns-MapASEPstorunningprocesses-vShoweverything#vol.
pyautoruns-vRegistryAnalysisPluginsConvertingHibernationFilesandCrashDumpsimagecopy-Convertalternatememorysourcestoraw-fNameofsourcefile-OOutputfilename--profileSourceOSfromimageinfo#vol.
pyimagecopy-fhiberfil.
sys-Ohiber.
raw--profile=Win7SP1x64#vol.
pyimagecopy-fMEMORY.
DMP-Ocrashdump.
raw–-profile=Win2016x64_14393ExtractProcesses,Drivers,andObjectspslist-Highlevelviewofrunningprocesses#vol.
pypslistpsscan-ScanmemoryforEPROCESSblocks#vol.
pypsscanpstree-Displayparent-processrelationships#vol.
pypstreeIdentifyRogueProcessespsxview-Findhiddenprocessesusingcross-view#vol.
pypsxviewmodscan-Scanmemoryforloaded,unloaded,andunlinkeddrivers#vol.
pymodscanapihooks-FindAPI/DLLfunctionhooks-pOperateonlyonspecificPIDs-QOnlyscancriticalprocessesandDLLS#vol.
pyapihooksssdt-HooksinSystemServiceDescriptorTable#vol.
pyssdt|egrep–v'(ntoskrnl|win32k)'driverirp-IdentifyI/ORequestPacket(IRP)hooks-rAnalyzedriversmatchingREGEXnamepattern#vol.
pydriverirp–rtcpipidt-DisplayInterruptDescriptorTable#vol.
pyidtCheckforSignsofaRootkitdlldump-ExtractDLLsfromspecificprocesses-pDumpDLLsonlyforspecificPIDs-bDumpDLLusingbaseoffset-rDumpDLLsmatchingREGEXname--dump-dirDirectorytosaveextractedfiles#vol.
pydlldump--dump-dir.
/output–rmetsrvmoddump-Extractkerneldrivers-bDumpdriverusingoffsetaddress(frommodscan)-rDumpdriversmatchingREGEXname--dump-dirDirectorytosaveextractedfiles#vol.
pymoddump--dump-dir.
/output–rgaopdxprocdump-Dumpprocesstoexecutablesample-pDumponlyspecificPIDs-oSpecifyprocessbyphysicalmemoryoffset-nUseREGEXtospecifyprocess--dump-dirDirectorytosaveextractedfiles#vol.
pyprocdump--dump-dir.
/output–p868memdump-Extracteverymemorysectionintoonefile-pDumpmemorysectionsfromthesePIDs-nUseREGEXtospecifyprocess--dump-dirDirectorytosaveextractedfiles#vol.
pymemdump–-dump-dir.
/output–p868filescan-ScanmemoryforFILE_OBJECThandles#vol.
pyfilescandumpfiles-ExtractFILE_OBJECTsfrommemory-QDumpusingphysicaloffsetofFILE_OBJECT-rExtractusingaREGEX(add-iforcaseinsensitive)-nAddoriginalfilenametooutputname--dump-dirDirectorytosaveextractedfiles#vol.
pydumpfiles-n-i-r\\.
exe--dump-dir=.
/svcscan-ScanforWindowsServicerecordstructures-vShowserviceDLLforsvchostinstances#vol.
pysvcscan-vcmdscan-ScanforCOMMAND_HISTORYbuffers#vol.
pycmdscanconsoles-ScanforCONSOLE_INFORMATIONoutput#vol.
pyconsolesnetscan-ScanforTCPconnectionsandsockets#vol.
pynetscanNote:UseconnscanandsockscanforXPsystemsReviewNetworkArtifactsdlllist-Listofloadeddllsbyprocess-pShowinformationonlyforspecificprocesses(PIDs)#vol.
pydlllist–p1022,868getsids-Printprocesssecurityidentifiers-pShowinformationonlyforspecificPIDs#vol.
pygetsids–p868handles-Listofopenhandlesforeachprocess-pShowinformationonlyforspecificPIDs-tDisplayonlyhandlesofacertaintype{Process,Thread,Key,Event,File,Mutant,Token,Port}#vol.
pyhandles–p868–tFile,KeyAnalyzeProcessDLLsandHandlesmalfind-Findinjectedcodeanddumpsections-pShowinformationonlyforspecificPIDs-oProvidephysicaloffsetofsingleprocesstoscan--dump-dirDirectorytosavesuspiciousmemorysections#vol.
pymalfind--dump-dir.
/output_dirldrmodules-DetectunlinkedDLLs-pShowinformationonlyforspecificPIDs-vVerbose:showfullpathsfromthreeDLLlists#vol.
pyldrmodules–p868-vhollowfind-Detectprocesshollowingtechniques-pShowinformationonlyforspecificPIDs-DDirectorytosavesuspiciousmemorysections#vol.
pyhollowfind-D.
/output_dirLookforEvidenceofCodeInjectionGettingHelp#vol.
py–h(showoptionsandsupportedplugins)#vol.
pyplugin–h(showpluginusage)#vol.
pyplugin--info(showavailableOSprofiles)SampleCommandLine#vol.
py-fimage--profile=profilepluginIdentifySystemProfileimageinfo-Displaymemoryimagemetadata#vol.
py–fmem.
imgimageinfoUsingEnvironmentVariablesSetnameofmemoryimage(takesplaceof-f)#exportVOLATILITY_LOCATION=file:///images/mem.
imgSetprofiletype(takesplaceof--profile=)#exportVOLATILITY_PROFILE=Win10x64_14393GettingStartedwithVolatility
ItisnotintendedtobeanexhaustiveresourceforVolatilityorotherhighlightedtools.
VolatilityisatrademarkofVerizon.
TheSANSInstituteisnotsponsored,approvedbyoraffiliatedwithVerizon.
Thetimelinerpluginparsestime-stampedobjectsfoundinmemoryimages.
Outputissortedby:ProcesscreationtimeThreadcreationtimeDrivercompiletimeDLL/EXEcompiletimeNetworksocketcreationtimeMemoryresidentregistrykeylastwritetimeMemoryresidenteventlogentrycreationtimetimeliner--output-fileOptionalfiletowriteoutput--output=bodyBodyfileformat(alsotext,xlsx)--type=RegistryExtractregistrykeylastwritetimes#vol.
py-fmem.
imgtimeliner--output-fileout.
body--output=body--profile=Win10x64MemoryArtifactTimeliningPurposeHowToUseThisDocumentMemoryanalysisisoneofthemostpowerfultoolsavailabletoforensicexaminers.
Thisguidehopestosimplifytheoverwhelmingnumberofavailableoptions.
Analysiscangenerallybeaccomplishedinsixsteps:1.
IdentifyRogueProcesses2.
AnalyzeProcessDLLsandHandles3.
ReviewNetworkArtifacts4.
LookforEvidenceofCodeInjection5.
CheckforSignsofaRootkit6.
ExtractProcesses,Drivers,andObjectsWeoutlinethemostusefulVolatilitypluginssupportingthesesixstepshere.
Furtherinformationisprovidedfor:MemoryAcquisitionAlternateMemoryLocationsConvertingHibernationFilesandCrashDumpsMemoryArtifactTimeliningRegistryAnalysisPluginsRemembertoopencommandpromptasAdministratorwinpmem-oOutputfilelocation-pIncludepagefile-eExtractrawimagefromAFF4file-lLoaddriverforlivememoryanalysisC:\>winpmem_.
exe-oF:\mem.
aff4C:\>winpmem_.
exeF:\mem.
aff4-ePhysicalMemory-omem.
rawDumpIt/fOutputfilelocation/sHashfunctiontouse/tSendtoremotehost(setuplistenerwith/l)C:\>DumpIt.
exe/fF:\mem.
raw/s1MemoryAcquisitionHibernationFileCompressedRAMImage;availableinVolumeShadowCopies%SystemDrive%\hiberfil.
sysPageandSwapFiles%SystemDrive%\pagefile.
sys%SystemDrive%\swapfile.
sys(Win8+\2012+)MemoryDump%WINDIR%\MEMORY.
DMPAlternateMemoryLocationsMemoryForensicsCheatSheetv2.
0POCKETREFERENCEGUIDESANSInstitutebyChadTilburyhttps://digital-forensics.
sans.
orghttp://forensicmethods.
comhivelist-Findandlistavailableregistryhives#vol.
pyhivelisthivedump-Printallkeysandsubkeysinahive-oOffsetofregistryhivetodump(virtualoffset)#vol.
pyhivedump–o0xe1a14b60printkey-Outputaregistrykey,subkeys,andvalues-K"Registrykeypath"#vol.
pyprintkey–K"Microsoft\Windows\CurrentVersion\Run"dumpregistry-Extractallavailableregistryhives-oExtractusingvirtualoffsetofregistryhive--dump-dirDirectorytosaveextractedfiles#vol.
pydumpregistry--dump-dir.
/outputuserassist-Findandparseuserassistkeyvalues#vol.
pyuserassisthashdump-DumpuserNTLMandLanmanhashes#vol.
pyhashdumpautoruns-MapASEPstorunningprocesses-vShoweverything#vol.
pyautoruns-vRegistryAnalysisPluginsConvertingHibernationFilesandCrashDumpsimagecopy-Convertalternatememorysourcestoraw-fNameofsourcefile-OOutputfilename--profileSourceOSfromimageinfo#vol.
pyimagecopy-fhiberfil.
sys-Ohiber.
raw--profile=Win7SP1x64#vol.
pyimagecopy-fMEMORY.
DMP-Ocrashdump.
raw–-profile=Win2016x64_14393ExtractProcesses,Drivers,andObjectspslist-Highlevelviewofrunningprocesses#vol.
pypslistpsscan-ScanmemoryforEPROCESSblocks#vol.
pypsscanpstree-Displayparent-processrelationships#vol.
pypstreeIdentifyRogueProcessespsxview-Findhiddenprocessesusingcross-view#vol.
pypsxviewmodscan-Scanmemoryforloaded,unloaded,andunlinkeddrivers#vol.
pymodscanapihooks-FindAPI/DLLfunctionhooks-pOperateonlyonspecificPIDs-QOnlyscancriticalprocessesandDLLS#vol.
pyapihooksssdt-HooksinSystemServiceDescriptorTable#vol.
pyssdt|egrep–v'(ntoskrnl|win32k)'driverirp-IdentifyI/ORequestPacket(IRP)hooks-rAnalyzedriversmatchingREGEXnamepattern#vol.
pydriverirp–rtcpipidt-DisplayInterruptDescriptorTable#vol.
pyidtCheckforSignsofaRootkitdlldump-ExtractDLLsfromspecificprocesses-pDumpDLLsonlyforspecificPIDs-bDumpDLLusingbaseoffset-rDumpDLLsmatchingREGEXname--dump-dirDirectorytosaveextractedfiles#vol.
pydlldump--dump-dir.
/output–rmetsrvmoddump-Extractkerneldrivers-bDumpdriverusingoffsetaddress(frommodscan)-rDumpdriversmatchingREGEXname--dump-dirDirectorytosaveextractedfiles#vol.
pymoddump--dump-dir.
/output–rgaopdxprocdump-Dumpprocesstoexecutablesample-pDumponlyspecificPIDs-oSpecifyprocessbyphysicalmemoryoffset-nUseREGEXtospecifyprocess--dump-dirDirectorytosaveextractedfiles#vol.
pyprocdump--dump-dir.
/output–p868memdump-Extracteverymemorysectionintoonefile-pDumpmemorysectionsfromthesePIDs-nUseREGEXtospecifyprocess--dump-dirDirectorytosaveextractedfiles#vol.
pymemdump–-dump-dir.
/output–p868filescan-ScanmemoryforFILE_OBJECThandles#vol.
pyfilescandumpfiles-ExtractFILE_OBJECTsfrommemory-QDumpusingphysicaloffsetofFILE_OBJECT-rExtractusingaREGEX(add-iforcaseinsensitive)-nAddoriginalfilenametooutputname--dump-dirDirectorytosaveextractedfiles#vol.
pydumpfiles-n-i-r\\.
exe--dump-dir=.
/svcscan-ScanforWindowsServicerecordstructures-vShowserviceDLLforsvchostinstances#vol.
pysvcscan-vcmdscan-ScanforCOMMAND_HISTORYbuffers#vol.
pycmdscanconsoles-ScanforCONSOLE_INFORMATIONoutput#vol.
pyconsolesnetscan-ScanforTCPconnectionsandsockets#vol.
pynetscanNote:UseconnscanandsockscanforXPsystemsReviewNetworkArtifactsdlllist-Listofloadeddllsbyprocess-pShowinformationonlyforspecificprocesses(PIDs)#vol.
pydlllist–p1022,868getsids-Printprocesssecurityidentifiers-pShowinformationonlyforspecificPIDs#vol.
pygetsids–p868handles-Listofopenhandlesforeachprocess-pShowinformationonlyforspecificPIDs-tDisplayonlyhandlesofacertaintype{Process,Thread,Key,Event,File,Mutant,Token,Port}#vol.
pyhandles–p868–tFile,KeyAnalyzeProcessDLLsandHandlesmalfind-Findinjectedcodeanddumpsections-pShowinformationonlyforspecificPIDs-oProvidephysicaloffsetofsingleprocesstoscan--dump-dirDirectorytosavesuspiciousmemorysections#vol.
pymalfind--dump-dir.
/output_dirldrmodules-DetectunlinkedDLLs-pShowinformationonlyforspecificPIDs-vVerbose:showfullpathsfromthreeDLLlists#vol.
pyldrmodules–p868-vhollowfind-Detectprocesshollowingtechniques-pShowinformationonlyforspecificPIDs-DDirectorytosavesuspiciousmemorysections#vol.
pyhollowfind-D.
/output_dirLookforEvidenceofCodeInjectionGettingHelp#vol.
py–h(showoptionsandsupportedplugins)#vol.
pyplugin–h(showpluginusage)#vol.
pyplugin--info(showavailableOSprofiles)SampleCommandLine#vol.
py-fimage--profile=profilepluginIdentifySystemProfileimageinfo-Displaymemoryimagemetadata#vol.
py–fmem.
imgimageinfoUsingEnvironmentVariablesSetnameofmemoryimage(takesplaceof-f)#exportVOLATILITY_LOCATION=file:///images/mem.
imgSetprofiletype(takesplaceof--profile=)#exportVOLATILITY_PROFILE=Win10x64_14393GettingStartedwithVolatility
瓜云互联:全场9折优惠,香港CN2、洛杉矶GIA高防vps套餐,充值最高返300元
瓜云互联怎么样?瓜云互联之前商家使用的面板为WHMCS,目前商家已经正式更换到了魔方云的面板,瓜云互联商家主要提供中国香港和美国洛杉矶机房的套餐,香港采用CN2线路直连大陆,洛杉矶为高防vps套餐,三网回程CN2 GIA,提供超高的DDOS防御,瓜云互联商家承诺打死退款,目前商家提供了一个全场9折和充值的促销,有需要的朋友可以看看。点击进入:瓜云互联官方网站瓜云互联促销优惠:9折优惠码:联系在线客...
IntoVPS:按小时计费KVM月费5美元起($0.0075/小时),6个机房可选
IntoVPS是成立于2004年的Hosterion SRL旗下于2009年推出的无管理型VPS主机品牌,商家提供基于OpenStack构建的VPS产品,支持小时计费是他的一大特色,VPS可选数据中心包括美国弗里蒙特、达拉斯、英国伦敦、荷兰和罗马尼亚等6个地区机房。商家VPS主机基于KVM架构,最低每小时0.0075美元起($5/月)。下面列出几款VPS主机配置信息。CPU:1core内存:2GB...
提速啦(900元/月),杭州BGP E5-2665/89*2 32核 48G 100G防御
提速啦的来历提速啦是 网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑提速啦的市场定位提速啦主要代理市场稳定速度的云服务器产品,避免新手购买云服务器的时候众多商家不知道如何选择,妮妮云就帮你选择好了产品,无需承担购买风险,不用担心出现被跑路 被诈骗的情况。提速啦的售后保证提速啦退款 通过于合作商的友好协商,云服务器提供3天内全额退款,超过3天不退款 物理机部分支持当天全额退款提速啦提现 充...
hiberfil为你推荐
-
google竞价排名google关键字广告和百度排名有什么区别,又有什么相同点?在线漏洞检测如果检测网站是否有漏洞?快速美白好方法脸部快速美白有什么好方法啊直播加速请问哪种播放器的可以播放加速,并且可以保存硬盘人移动硬盘的优缺点创维云电视功能创维云电视是指什么lockdowndios8.1怎么激活内置卡贴分词技术怎么在SEO中学会运用关键词分词技术系统分析员一个优秀的系统分析师应该具备哪些方面的知识和素质?网站营运网络运营主要做些什么?