coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GitBook: [master] one page modified

Browse Source
This commit is contained in:
CPol 2020-12-19 00:21:32 +00:00 committed by gitbook-bot
parent 314e46e08e
commit 71b55ba2d6
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
forensics/volatility-examples.md
View File

@ -121,7 +121,7 @@ The **kernel debugger block** \(named KdDebuggerDataBlock of the type \_KDDEBUGG
Extract password hashes from memory
```text
```bash
volatility --profile=Win7SP1x86_23418 hashdump -f ch2.dmp #Local hashes
volatility --profile=Win7SP1x86_23418 cachedump -f ch2.dmp
volatility --profile=Win7SP1x86_23418 lsadump -f ch2.dmp # LSA secrets
@ -141,7 +141,7 @@ volatility -f ch2.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/
Try to find **suspicious** processes \(by name\) or **unexpected** child **processes** \(for example a cmd.exe as a child of iexplorer.exe\).
```text
```bash
volatility --profile=PROFILE pstree -f DUMP # Get process tree (not hidden)
volatility --profile=PROFILE pslist -f DUMP # Get process list (EPROCESS)
volatility --profile=PROFILE psscan -f DUMP # Get hidden process list(malware)