Note: Capture the memory of your Windows 7 system and save it.
- Start the BackTrack VM instance
- Login to BackTrack. Instructions:
- Login: root
- Password: toor or <whatever you changed it to>.
 
 
- Bring up the GNOME desktop
Section 2. Bring up a console terminal
- Bring up a console terminal
Section 3. Using Volatility
- Navigate to Volatility. Instructions:
- cd /pentest/forensics/volatility
- ls -l vol.py
 
 
 
- Obtain the image profile. Instructions:
- ./vol.py imageinfo -f /var/forensics/images/WV01_clean.dd

- Notes(FYI):
- The Volatility Framework tries to guess, and tell you, which image profile to use.
- We know that our server is Windows XP running SP2.
- Volatility suggests that we use either the WinXPSP3x86 or the WinXPSP2x86 profile.
- Even though we are running SP2, we will use WinXPSP3x86, which seems to be a more complete profile than WinXPSP2x86.
 
 
 
- View Running Processes. Instructions:
- ./vol.py --profile=WinXPSP3x86 pslist -f /var/forensics/images/WV01_clean.dd

- Notes(FYI):
- This displays all processes that were running at the time we captured the image in Helix Lesson 4.
 
 
 
- Searching for Specific Processes. Instructions:
- ./vol.py --profile=WinXPSP3x86 pslist -f /var/forensics/images/WV01_clean.dd | egrep '(notepad.exe|sol.exe|cmd.exe|nc.exe|dd.exe|iexplore.exe|helix.exe)'

- Notes(FYI):
- egrep - Is grep with extended regular expressions; the (a|b|c) alternation lets you search for several strings at once.
- notepad.exe - Is the Notepad application.
- sol.exe - Is Solitaire.
- cmd.exe - Is the Command Prompt that we started.
- nc.exe - Is NetCat, which was started by Helix.
- dd.exe - Was started by Helix. It made the memory image.
- iexplore.exe - Internet Explorer.
- helix.exe - Helix.
 
 
 
- View Network Connections and Tie to Running Processes. Instructions:
- ./vol.py --profile=WinXPSP3x86 connections -f /var/forensics/images/WV01_clean.dd
- This command lets you view all open network connections, each with the PID of the process that owns it.

- ./vol.py --profile=WinXPSP3x86 pslist -f /var/forensics/images/WV01_clean.dd | egrep '(2288|2612|472)'
- This command lets you search the process list for the PIDs that own the network connections.
- Note: These numbers will be different in your case!!!
- ":80" shows the web processes.
- ":8888" shows the NetCat process.
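The manual step above (read the PIDs off the connections output, then grep them out of pslist) is easy to automate and, more importantly, makes the interesting case visible: a connection whose PID is not in pslist at all. The following is an added example, not code from the lesson or from Volatility; it assumes the Volatility 2.x column layout for pslist and connections (connscan prints the same columns, so its output can be fed in too), and the sample output, offsets, PIDs and addresses are constructed for the example.

```python
import re
# Constructed sample output in the Volatility 2.x column layout; the offsets,
# PIDs and addresses are invented for this example, not taken from the image.
PSLIST_SAMPLE = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x823c89c8 System                    4      0     53    240 1970-01-01 00:00:00
0x81e2a020 explorer.exe           1668    556     12    350 2012-03-01 10:02:11
0x81d9c8e0 iexplore.exe           2288   1668      9    280 2012-03-01 10:05:42
0x81d6b5a0 cmd.exe                2612   1668      1     30 2012-03-01 10:06:05
0x81c3e3a8 nc.exe                  472   2612      1     36 2012-03-01 10:06:40
"""
CONNECTIONS_SAMPLE = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8220b008 172.16.176.143:1049       192.168.1.100:80          2288
0x81f8d2f0 172.16.176.143:8888       172.16.176.1:41211        472
0x81f1c6b8 172.16.176.143:1077       10.0.0.9:443              1337
"""

# Data rows start with a hex offset; header and divider lines do not, so they are skipped.
PS_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+:\d+)\s+(\S+:\d+)\s+(\d+)")

def parse_pslist(text):
    """Return {pid: (name, ppid)} from pslist output."""
    rows = (PS_RE.match(ln.strip()) for ln in text.splitlines())
    return {int(m.group(2)): (m.group(1), int(m.group(3))) for m in rows if m}

def parse_connections(text):
    """Return [(local, remote, pid)] from connections (or connscan) output."""
    rows = (CONN_RE.match(ln.strip()) for ln in text.splitlines())
    return [(m.group(1), m.group(2), int(m.group(3))) for m in rows if m]

def tie_connections(pslist_text, conn_text):
    """Join every connection to its owning process (the pslist | egrep '(pid|...)' step).
    A PID missing from pslist is flagged: exited, unlinked or hidden process, so look closer."""
    procs = parse_pslist(pslist_text)
    tied = []
    for local, remote, pid in parse_connections(conn_text):
        name, ppid = procs.get(pid, ("<not in pslist>", None))
        tied.append({"pid": pid, "process": name, "ppid": ppid, "local": local, "remote": remote})
    return tied

def owners_of_port(tied, port):
    """Process names seen on a local or remote port, e.g. 80 -> iexplore.exe, 8888 -> nc.exe."""
    suffix = f":{port}"
    return sorted({t["process"] for t in tied
                   if t["local"].endswith(suffix) or t["remote"].endswith(suffix)})
```

On a real image, paste the two plugin outputs in place of the constructed samples; every row flagged "<not in pslist>" is a connection with no visible owner and deserves a follow-up with psscan or connscan.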
 
 
 
 
- View Network Connections and Tie to Running Processes (including terminated connections). Instructions:
- ./vol.py --profile=WinXPSP3x86 connscan -f /var/forensics/images/WV01_clean.dd
- This command scans for all TCP connections, both open and terminated; because connscan carves connection objects out of memory rather than walking the live list, it can also recover connections that were closed or unlinked before the capture.
 
 
 
- View DLLs used by a Running Process. Instructions:
- ./vol.py --profile=WinXPSP3x86 dlllist -p 472 -f /var/forensics/images/WV01_clean.dd

- Note(FYI):
- PID 472 is the process ID associated with NetCat. This will be different in your case.
- Let's say I thought NetCat was part of a Trojan horse; then I could view which DLLs or libraries are associated with the running NetCat process.
 
 
 
 