Forensics - adeptex/CTF GitHub Wiki

Memory Dump Forensics

Information

vol.py -f /tmp/ch2.dmp imageinfo
vol.py -f /tmp/ch2.dmp --profile=Win7SP1x86 envars

User Password

vol.py -f /tmp/ch2.dmp --profile=Win7SP1x86 hivelist
    |
    +--> need the virtual offsets (first column of hivelist output) of \REGISTRY\MACHINE\SYSTEM (-y) and \SystemRoot\System32\Config\SAM (-s)

vol.py -f /tmp/ch2.dmp --profile=Win7SP1x86 hashdump -y 0x8b21c008 -s 0x9aad6148 > /tmp/hashes.txt
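The two-step workflow above (hivelist, then hashdump with the SYSTEM and SAM virtual offsets) is easy to get wrong by hand, e.g. by copying a physical offset or the wrong hive. The following wrapper is an added example, not code from the adeptex/CTF wiki: it parses Volatility 2 hivelist output, picks the two hives by name, and builds the hashdump command line. The hivelist sample is constructed for illustration (the two offsets quoted in the wiki are reused; the physical offsets and the extra hives are made up), and the `vol.py` path and the Win7SP1x86 profile are assumed from the commands above.

```python
"""Drive the Volatility 2 hivelist -> hashdump workflow.

Added example, not part of the adeptex/CTF wiki. Assumes Volatility 2 is
installed as `vol.py` on PATH; only the parsing part is exercised offline.
"""
import re
import shlex
import subprocess
import sys

# Volatility 2 hivelist prints three columns: Virtual, Physical, Name.
HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")

# Constructed sample of hivelist output. The two virtual offsets are the ones
# quoted in the wiki's hashdump command; everything else is made up.
SAMPLE_HIVELIST = """\
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x8b21c008 0x2c41c008 \\REGISTRY\\MACHINE\\SYSTEM
0x8b22a008 0x2d02a008 \\REGISTRY\\MACHINE\\HARDWARE
0x9aad6148 0x1f4d6148 \\SystemRoot\\System32\\Config\\SAM
0x9a9cb9c8 0x3a1cb9c8 \\SystemRoot\\System32\\Config\\SECURITY
"""


def parse_hivelist(text):
    """Return {hive_name: (virtual_offset, physical_offset)} from hivelist output."""
    hives = {}
    for line in text.splitlines():
        m = HIVE_LINE.match(line.strip())
        if m:
            hives[m.group(3)] = (int(m.group(1), 16), int(m.group(2), 16))
    return hives


def find_hive(hives, suffix):
    """Virtual offset of the hive whose path ends with `suffix` (case-insensitive),
    or None if hivelist did not list it (e.g. a smeared or paged-out hive)."""
    for name, (virt, _phys) in hives.items():
        if name.lower().endswith(suffix.lower()):
            return virt
    return None


def hashdump_argv(dump, profile, hives, vol="vol.py"):
    """Build the hashdump argv: -y takes SYSTEM's virtual offset, -s takes SAM's."""
    sys_off = find_hive(hives, "\\REGISTRY\\MACHINE\\SYSTEM")
    sam_off = find_hive(hives, "\\Config\\SAM")
    if sys_off is None or sam_off is None:
        raise ValueError("SYSTEM and SAM hives must both appear in hivelist output")
    return [vol, "-f", dump, "--profile=" + profile, "hashdump",
            "-y", "0x%x" % sys_off, "-s", "0x%x" % sam_off]


def main(argv):
    """Usage: python3 vol_hashdump.py /tmp/ch2.dmp Win7SP1x86"""
    if len(argv) != 3:
        sys.exit("usage: %s <memory.dmp> <profile>" % argv[0])
    dump, profile = argv[1], argv[2]
    out = subprocess.run(["vol.py", "-f", dump, "--profile=" + profile, "hivelist"],
                         capture_output=True, text=True, check=True).stdout
    cmd = hashdump_argv(dump, profile, parse_hivelist(out))
    print("running:", " ".join(shlex.quote(a) for a in cmd))
    subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main(sys.argv)
```

Matching on the path suffix rather than the full name is deliberate: hivelist prints SAM under \SystemRoot\System32\Config\SAM on most images, but the SYSTEM hive is always the \REGISTRY\MACHINE\SYSTEM entry, so both lookups stay stable across profiles.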

USB

https://bitvijays.github.io/LFC-Forensics.html