openhiberfil
hiberfil 时间:2021-01-30 阅读:()
ThischeatsheetsupportstheSANSFOR508AdvancedDigitalForensics,IncidentResponse,andThreatHunting&SANSFOR526MemoryForensicsIn-Depthcourses.
ItisnotintendedtobeanexhaustiveresourceforVolatilityorotherhighlightedtools.
VolatilityisatrademarkofVerizon.
TheSANSInstituteisnotsponsored,approvedbyoraffiliatedwithVerizon.
Thetimelinerpluginparsestime-stampedobjectsfoundinmemoryimages.
Outputissortedby:ProcesscreationtimeThreadcreationtimeDrivercompiletimeDLL/EXEcompiletimeNetworksocketcreationtimeMemoryresidentregistrykeylastwritetimeMemoryresidenteventlogentrycreationtimetimeliner--output-fileOptionalfiletowriteoutput--output=bodyBodyfileformat(alsotext,xlsx)--type=RegistryExtractregistrykeylastwritetimes#vol.
py-fmem.
imgtimeliner--output-fileout.
body--output=body--profile=Win10x64MemoryArtifactTimeliningPurposeHowToUseThisDocumentMemoryanalysisisoneofthemostpowerfultoolsavailabletoforensicexaminers.
Thisguidehopestosimplifytheoverwhelmingnumberofavailableoptions.
Analysiscangenerallybeaccomplishedinsixsteps:1.
IdentifyRogueProcesses2.
AnalyzeProcessDLLsandHandles3.
ReviewNetworkArtifacts4.
LookforEvidenceofCodeInjection5.
CheckforSignsofaRootkit6.
ExtractProcesses,Drivers,andObjectsWeoutlinethemostusefulVolatilitypluginssupportingthesesixstepshere.
Furtherinformationisprovidedfor:MemoryAcquisitionAlternateMemoryLocationsConvertingHibernationFilesandCrashDumpsMemoryArtifactTimeliningRegistryAnalysisPluginsRemembertoopencommandpromptasAdministratorwinpmem-oOutputfilelocation-pIncludepagefile-eExtractrawimagefromAFF4file-lLoaddriverforlivememoryanalysisC:\>winpmem_.
exe-oF:\mem.
aff4C:\>winpmem_.
exeF:\mem.
aff4-ePhysicalMemory-omem.
rawDumpIt/fOutputfilelocation/sHashfunctiontouse/tSendtoremotehost(setuplistenerwith/l)C:\>DumpIt.
exe/fF:\mem.
raw/s1MemoryAcquisitionHibernationFileCompressedRAMImage;availableinVolumeShadowCopies%SystemDrive%\hiberfil.
sysPageandSwapFiles%SystemDrive%\pagefile.
sys%SystemDrive%\swapfile.
sys(Win8+\2012+)MemoryDump%WINDIR%\MEMORY.
DMPAlternateMemoryLocationsMemoryForensicsCheatSheetv2.
0POCKETREFERENCEGUIDESANSInstitutebyChadTilburyhttps://digital-forensics.
sans.
orghttp://forensicmethods.
comhivelist-Findandlistavailableregistryhives#vol.
pyhivelisthivedump-Printallkeysandsubkeysinahive-oOffsetofregistryhivetodump(virtualoffset)#vol.
pyhivedump–o0xe1a14b60printkey-Outputaregistrykey,subkeys,andvalues-K"Registrykeypath"#vol.
pyprintkey–K"Microsoft\Windows\CurrentVersion\Run"dumpregistry-Extractallavailableregistryhives-oExtractusingvirtualoffsetofregistryhive--dump-dirDirectorytosaveextractedfiles#vol.
pydumpregistry--dump-dir.
/outputuserassist-Findandparseuserassistkeyvalues#vol.
pyuserassisthashdump-DumpuserNTLMandLanmanhashes#vol.
pyhashdumpautoruns-MapASEPstorunningprocesses-vShoweverything#vol.
pyautoruns-vRegistryAnalysisPluginsConvertingHibernationFilesandCrashDumpsimagecopy-Convertalternatememorysourcestoraw-fNameofsourcefile-OOutputfilename--profileSourceOSfromimageinfo#vol.
pyimagecopy-fhiberfil.
sys-Ohiber.
raw--profile=Win7SP1x64#vol.
pyimagecopy-fMEMORY.
DMP-Ocrashdump.
raw–-profile=Win2016x64_14393ExtractProcesses,Drivers,andObjectspslist-Highlevelviewofrunningprocesses#vol.
pypslistpsscan-ScanmemoryforEPROCESSblocks#vol.
pypsscanpstree-Displayparent-processrelationships#vol.
pypstreeIdentifyRogueProcessespsxview-Findhiddenprocessesusingcross-view#vol.
pypsxviewmodscan-Scanmemoryforloaded,unloaded,andunlinkeddrivers#vol.
pymodscanapihooks-FindAPI/DLLfunctionhooks-pOperateonlyonspecificPIDs-QOnlyscancriticalprocessesandDLLS#vol.
pyapihooksssdt-HooksinSystemServiceDescriptorTable#vol.
pyssdt|egrep–v'(ntoskrnl|win32k)'driverirp-IdentifyI/ORequestPacket(IRP)hooks-rAnalyzedriversmatchingREGEXnamepattern#vol.
pydriverirp–rtcpipidt-DisplayInterruptDescriptorTable#vol.
pyidtCheckforSignsofaRootkitdlldump-ExtractDLLsfromspecificprocesses-pDumpDLLsonlyforspecificPIDs-bDumpDLLusingbaseoffset-rDumpDLLsmatchingREGEXname--dump-dirDirectorytosaveextractedfiles#vol.
pydlldump--dump-dir.
/output–rmetsrvmoddump-Extractkerneldrivers-bDumpdriverusingoffsetaddress(frommodscan)-rDumpdriversmatchingREGEXname--dump-dirDirectorytosaveextractedfiles#vol.
pymoddump--dump-dir.
/output–rgaopdxprocdump-Dumpprocesstoexecutablesample-pDumponlyspecificPIDs-oSpecifyprocessbyphysicalmemoryoffset-nUseREGEXtospecifyprocess--dump-dirDirectorytosaveextractedfiles#vol.
pyprocdump--dump-dir.
/output–p868memdump-Extracteverymemorysectionintoonefile-pDumpmemorysectionsfromthesePIDs-nUseREGEXtospecifyprocess--dump-dirDirectorytosaveextractedfiles#vol.
pymemdump–-dump-dir.
/output–p868filescan-ScanmemoryforFILE_OBJECThandles#vol.
pyfilescandumpfiles-ExtractFILE_OBJECTsfrommemory-QDumpusingphysicaloffsetofFILE_OBJECT-rExtractusingaREGEX(add-iforcaseinsensitive)-nAddoriginalfilenametooutputname--dump-dirDirectorytosaveextractedfiles#vol.
pydumpfiles-n-i-r\\.
exe--dump-dir=.
/svcscan-ScanforWindowsServicerecordstructures-vShowserviceDLLforsvchostinstances#vol.
pysvcscan-vcmdscan-ScanforCOMMAND_HISTORYbuffers#vol.
pycmdscanconsoles-ScanforCONSOLE_INFORMATIONoutput#vol.
pyconsolesnetscan-ScanforTCPconnectionsandsockets#vol.
pynetscanNote:UseconnscanandsockscanforXPsystemsReviewNetworkArtifactsdlllist-Listofloadeddllsbyprocess-pShowinformationonlyforspecificprocesses(PIDs)#vol.
pydlllist–p1022,868getsids-Printprocesssecurityidentifiers-pShowinformationonlyforspecificPIDs#vol.
pygetsids–p868handles-Listofopenhandlesforeachprocess-pShowinformationonlyforspecificPIDs-tDisplayonlyhandlesofacertaintype{Process,Thread,Key,Event,File,Mutant,Token,Port}#vol.
pyhandles–p868–tFile,KeyAnalyzeProcessDLLsandHandlesmalfind-Findinjectedcodeanddumpsections-pShowinformationonlyforspecificPIDs-oProvidephysicaloffsetofsingleprocesstoscan--dump-dirDirectorytosavesuspiciousmemorysections#vol.
pymalfind--dump-dir.
/output_dirldrmodules-DetectunlinkedDLLs-pShowinformationonlyforspecificPIDs-vVerbose:showfullpathsfromthreeDLLlists#vol.
pyldrmodules–p868-vhollowfind-Detectprocesshollowingtechniques-pShowinformationonlyforspecificPIDs-DDirectorytosavesuspiciousmemorysections#vol.
pyhollowfind-D.
/output_dirLookforEvidenceofCodeInjectionGettingHelp#vol.
py–h(showoptionsandsupportedplugins)#vol.
pyplugin–h(showpluginusage)#vol.
pyplugin--info(showavailableOSprofiles)SampleCommandLine#vol.
py-fimage--profile=profilepluginIdentifySystemProfileimageinfo-Displaymemoryimagemetadata#vol.
py–fmem.
imgimageinfoUsingEnvironmentVariablesSetnameofmemoryimage(takesplaceof-f)#exportVOLATILITY_LOCATION=file:///images/mem.
imgSetprofiletype(takesplaceof--profile=)#exportVOLATILITY_PROFILE=Win10x64_14393GettingStartedwithVolatility
ItisnotintendedtobeanexhaustiveresourceforVolatilityorotherhighlightedtools.
VolatilityisatrademarkofVerizon.
TheSANSInstituteisnotsponsored,approvedbyoraffiliatedwithVerizon.
Thetimelinerpluginparsestime-stampedobjectsfoundinmemoryimages.
Outputissortedby:ProcesscreationtimeThreadcreationtimeDrivercompiletimeDLL/EXEcompiletimeNetworksocketcreationtimeMemoryresidentregistrykeylastwritetimeMemoryresidenteventlogentrycreationtimetimeliner--output-fileOptionalfiletowriteoutput--output=bodyBodyfileformat(alsotext,xlsx)--type=RegistryExtractregistrykeylastwritetimes#vol.
py-fmem.
imgtimeliner--output-fileout.
body--output=body--profile=Win10x64MemoryArtifactTimeliningPurposeHowToUseThisDocumentMemoryanalysisisoneofthemostpowerfultoolsavailabletoforensicexaminers.
Thisguidehopestosimplifytheoverwhelmingnumberofavailableoptions.
Analysiscangenerallybeaccomplishedinsixsteps:1.
IdentifyRogueProcesses2.
AnalyzeProcessDLLsandHandles3.
ReviewNetworkArtifacts4.
LookforEvidenceofCodeInjection5.
CheckforSignsofaRootkit6.
ExtractProcesses,Drivers,andObjectsWeoutlinethemostusefulVolatilitypluginssupportingthesesixstepshere.
Furtherinformationisprovidedfor:MemoryAcquisitionAlternateMemoryLocationsConvertingHibernationFilesandCrashDumpsMemoryArtifactTimeliningRegistryAnalysisPluginsRemembertoopencommandpromptasAdministratorwinpmem-oOutputfilelocation-pIncludepagefile-eExtractrawimagefromAFF4file-lLoaddriverforlivememoryanalysisC:\>winpmem_.
exe-oF:\mem.
aff4C:\>winpmem_.
exeF:\mem.
aff4-ePhysicalMemory-omem.
rawDumpIt/fOutputfilelocation/sHashfunctiontouse/tSendtoremotehost(setuplistenerwith/l)C:\>DumpIt.
exe/fF:\mem.
raw/s1MemoryAcquisitionHibernationFileCompressedRAMImage;availableinVolumeShadowCopies%SystemDrive%\hiberfil.
sysPageandSwapFiles%SystemDrive%\pagefile.
sys%SystemDrive%\swapfile.
sys(Win8+\2012+)MemoryDump%WINDIR%\MEMORY.
DMPAlternateMemoryLocationsMemoryForensicsCheatSheetv2.
0POCKETREFERENCEGUIDESANSInstitutebyChadTilburyhttps://digital-forensics.
sans.
orghttp://forensicmethods.
comhivelist-Findandlistavailableregistryhives#vol.
pyhivelisthivedump-Printallkeysandsubkeysinahive-oOffsetofregistryhivetodump(virtualoffset)#vol.
pyhivedump–o0xe1a14b60printkey-Outputaregistrykey,subkeys,andvalues-K"Registrykeypath"#vol.
pyprintkey–K"Microsoft\Windows\CurrentVersion\Run"dumpregistry-Extractallavailableregistryhives-oExtractusingvirtualoffsetofregistryhive--dump-dirDirectorytosaveextractedfiles#vol.
pydumpregistry--dump-dir.
/outputuserassist-Findandparseuserassistkeyvalues#vol.
pyuserassisthashdump-DumpuserNTLMandLanmanhashes#vol.
pyhashdumpautoruns-MapASEPstorunningprocesses-vShoweverything#vol.
pyautoruns-vRegistryAnalysisPluginsConvertingHibernationFilesandCrashDumpsimagecopy-Convertalternatememorysourcestoraw-fNameofsourcefile-OOutputfilename--profileSourceOSfromimageinfo#vol.
pyimagecopy-fhiberfil.
sys-Ohiber.
raw--profile=Win7SP1x64#vol.
pyimagecopy-fMEMORY.
DMP-Ocrashdump.
raw–-profile=Win2016x64_14393ExtractProcesses,Drivers,andObjectspslist-Highlevelviewofrunningprocesses#vol.
pypslistpsscan-ScanmemoryforEPROCESSblocks#vol.
pypsscanpstree-Displayparent-processrelationships#vol.
pypstreeIdentifyRogueProcessespsxview-Findhiddenprocessesusingcross-view#vol.
pypsxviewmodscan-Scanmemoryforloaded,unloaded,andunlinkeddrivers#vol.
pymodscanapihooks-FindAPI/DLLfunctionhooks-pOperateonlyonspecificPIDs-QOnlyscancriticalprocessesandDLLS#vol.
pyapihooksssdt-HooksinSystemServiceDescriptorTable#vol.
pyssdt|egrep–v'(ntoskrnl|win32k)'driverirp-IdentifyI/ORequestPacket(IRP)hooks-rAnalyzedriversmatchingREGEXnamepattern#vol.
pydriverirp–rtcpipidt-DisplayInterruptDescriptorTable#vol.
pyidtCheckforSignsofaRootkitdlldump-ExtractDLLsfromspecificprocesses-pDumpDLLsonlyforspecificPIDs-bDumpDLLusingbaseoffset-rDumpDLLsmatchingREGEXname--dump-dirDirectorytosaveextractedfiles#vol.
pydlldump--dump-dir.
/output–rmetsrvmoddump-Extractkerneldrivers-bDumpdriverusingoffsetaddress(frommodscan)-rDumpdriversmatchingREGEXname--dump-dirDirectorytosaveextractedfiles#vol.
pymoddump--dump-dir.
/output–rgaopdxprocdump-Dumpprocesstoexecutablesample-pDumponlyspecificPIDs-oSpecifyprocessbyphysicalmemoryoffset-nUseREGEXtospecifyprocess--dump-dirDirectorytosaveextractedfiles#vol.
pyprocdump--dump-dir.
/output–p868memdump-Extracteverymemorysectionintoonefile-pDumpmemorysectionsfromthesePIDs-nUseREGEXtospecifyprocess--dump-dirDirectorytosaveextractedfiles#vol.
pymemdump–-dump-dir.
/output–p868filescan-ScanmemoryforFILE_OBJECThandles#vol.
pyfilescandumpfiles-ExtractFILE_OBJECTsfrommemory-QDumpusingphysicaloffsetofFILE_OBJECT-rExtractusingaREGEX(add-iforcaseinsensitive)-nAddoriginalfilenametooutputname--dump-dirDirectorytosaveextractedfiles#vol.
pydumpfiles-n-i-r\\.
exe--dump-dir=.
/svcscan-ScanforWindowsServicerecordstructures-vShowserviceDLLforsvchostinstances#vol.
pysvcscan-vcmdscan-ScanforCOMMAND_HISTORYbuffers#vol.
pycmdscanconsoles-ScanforCONSOLE_INFORMATIONoutput#vol.
pyconsolesnetscan-ScanforTCPconnectionsandsockets#vol.
pynetscanNote:UseconnscanandsockscanforXPsystemsReviewNetworkArtifactsdlllist-Listofloadeddllsbyprocess-pShowinformationonlyforspecificprocesses(PIDs)#vol.
pydlllist–p1022,868getsids-Printprocesssecurityidentifiers-pShowinformationonlyforspecificPIDs#vol.
pygetsids–p868handles-Listofopenhandlesforeachprocess-pShowinformationonlyforspecificPIDs-tDisplayonlyhandlesofacertaintype{Process,Thread,Key,Event,File,Mutant,Token,Port}#vol.
pyhandles–p868–tFile,KeyAnalyzeProcessDLLsandHandlesmalfind-Findinjectedcodeanddumpsections-pShowinformationonlyforspecificPIDs-oProvidephysicaloffsetofsingleprocesstoscan--dump-dirDirectorytosavesuspiciousmemorysections#vol.
pymalfind--dump-dir.
/output_dirldrmodules-DetectunlinkedDLLs-pShowinformationonlyforspecificPIDs-vVerbose:showfullpathsfromthreeDLLlists#vol.
pyldrmodules–p868-vhollowfind-Detectprocesshollowingtechniques-pShowinformationonlyforspecificPIDs-DDirectorytosavesuspiciousmemorysections#vol.
pyhollowfind-D.
/output_dirLookforEvidenceofCodeInjectionGettingHelp#vol.
py–h(showoptionsandsupportedplugins)#vol.
pyplugin–h(showpluginusage)#vol.
pyplugin--info(showavailableOSprofiles)SampleCommandLine#vol.
py-fimage--profile=profilepluginIdentifySystemProfileimageinfo-Displaymemoryimagemetadata#vol.
py–fmem.
imgimageinfoUsingEnvironmentVariablesSetnameofmemoryimage(takesplaceof-f)#exportVOLATILITY_LOCATION=file:///images/mem.
imgSetprofiletype(takesplaceof--profile=)#exportVOLATILITY_PROFILE=Win10x64_14393GettingStartedwithVolatility
lcloud零云:沪港IPLC,70元/月/200Mbps端口/共享IPv4/KVM;成都/德阳/雅安独立服务器低至400元/月起
lcloud怎么样?lcloud零云,UOVZ新开的子站,现在沪港iplc KVM VPS有端午节优惠,年付双倍流量,200Mbps带宽,性价比高。100Mbps带宽,500GB月流量,10个,512MB内存,优惠后月付70元,年付700元。另有国内独立服务器租用,泉州、佛山、成都、德阳、雅安独立服务器低至400元/月起!点击进入:lcloud官方网站地址lcloud零云优惠码:优惠码:bMVbR...
舍利云30元/月起;美国CERA云服务器,原生ip,低至28元/月起
目前舍利云服务器的主要特色是适合seo和建站,性价比方面非常不错,舍利云的产品以BGP线路速度优质稳定而著称,对于产品的线路和带宽有着极其严格的讲究,这主要表现在其对母鸡的超售有严格的管控,与此同时舍利云也尽心尽力为用户提供完美服务。目前,香港cn2云服务器,5M/10M带宽,价格低至30元/月,可试用1天;;美国cera云服务器,原生ip,低至28元/月起。一、香港CN2云服务器香港CN2精品线...
hostkvm:美国VPS,三网强制CU-VIP线路,$5/月,1G内存/1核/15gSSD/500g流量
hostkvm在2021年3月新上线洛杉矶新VPS业务,强制三网接入中国联通优化线路,是当前中美之间性价比最高、最火热的线路之一,性价比高、速度非常好,接近联通AS9929和电信AS4809的效果,带宽充裕,晚高峰也不爆炸。 官方网站:https://hostkvm.com 全场优惠码:2021(全场通用八折,终身码,长期) 美国 US-Plan0【三网联通优化线路】 内存:1G CPU:...
hiberfil为你推荐
-
快速美白好方法有什么快速美白的好办法吗?怎么在qq空间里添加背景音乐如何在QQ空间中添加背景音乐怎么在qq空间里添加背景音乐怎样在qq空间里免费添加背景音乐?照片转手绘如何把真人图片用photoshop做成手绘图片办公协同软件免费的多人协同办公软件哪些,我了解的有钉钉、企业微信,其他的还有么?iphone越狱后怎么恢复苹果手机越狱之后能恢复原来吗?保护气球抖音里面看的,这是什么游戏人人逛街包公免费逛街打一成语2012年正月十五2012年正月十五 几月几号分词技术什么是seo分词技术