Lab Processes in Memory - echadbourne/ChadbourneSYS-140 GitHub Wiki

Summary:

  • In this lab we used the program Volatility to look at the memory contents of a computer at a certain time. We were able to view processes and applications, as well as information like the time and date the snip was taken at.
  • PID is the Process ID of a given process

Useful Things (all commands are for Windows):

  • In Windows, you can click the address bar in File Explorer, type "cmd" and press Enter to open a command prompt in that folder.
  • dir - shows the files in the current directory
  • vol.exe -f [filename] imageinfo - uses Volatility to show information about the memory image, such as the date and time it was captured
  • vol.exe -f [filename] pslist - uses Volatility to list the processes that were running at the time the memory image was taken
  • vol.exe -f [filename] cmdline - uses Volatility to show the command line (and so the path) each process was started from
  • vol.exe -f [filename] hashdump - uses Volatility to print the password hashes stored in the image
  • mkdir [foldername] - creates a folder with the given name
  • vol.exe -f [filename] procdump -D [foldername]/ -p [PID] - dumps the executable of the process with that PID from the image "filename" into "foldername"
  • dir [foldername] - shows the contents of the folder
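The step between pslist and procdump is reading the PID out of the pslist table. As an added example (not code from the lab or from Volatility itself), the Python below parses Volatility 2's pslist text output, finds a process by name, walks its parent chain, flags processes whose parent is missing from the listing, and builds the procdump command from the notes. The pslist text it parses is a constructed sample, not output from a real image, and the helper names are my own.

```python
"""Locate a process's PID in Volatility 2 `pslist` output and build the
matching `procdump` command.

Added example for the lab notes, not code from the lab or from Volatility.
It assumes the column layout printed by Volatility 2's pslist plugin
(Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit). The pslist text
below is a constructed sample, not output from a real memory image.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what `vol.exe -f [filename] pslist` prints.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                     4      0     53      240 ------      0
0x822f1020 smss.exe                 368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x81e9e020 csrss.exe                584    368      9      326      0      0 2012-07-22 02:42:32 UTC+0000
0x820c3020 explorer.exe            1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81f1a020 notepad.exe             2044   1484      1       30      0      0 2012-07-22 02:43:10 UTC+0000
"""

# One pslist row: offset, name, PID, PPID, thread/handle counts, session,
# Wow64 flag and an optional start timestamp (System has none).
LINE_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\S+)\s+(?P<hnds>\S+)\s+(?P<sess>\S+)\s+(?P<wow64>\d)"
    r"(?:\s+(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}))?"
)


@dataclass
class Process:
    name: str
    pid: int
    ppid: int
    start: Optional[str]


def parse_pslist(text: str) -> List[Process]:
    """Turn pslist's text table into Process records; header lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            procs.append(Process(m["name"], int(m["pid"]), int(m["ppid"]), m["start"]))
    return procs


def find_pids(procs: List[Process], name: str) -> List[int]:
    """All PIDs whose image name matches (case-insensitive); there may be several."""
    return [p.pid for p in procs if p.name.lower() == name.lower()]


def parent_chain(procs: List[Process], pid: int) -> List[str]:
    """Names from the given process up through its parents, stopping when the
    parent PID is not in the listing (for example, the parent already exited)."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


def orphans(procs: List[Process]) -> List[int]:
    """PIDs whose parent is absent from the listing (PPID 0 is the root case)."""
    pids = {p.pid for p in procs}
    return [p.pid for p in procs if p.ppid != 0 and p.ppid not in pids]


def procdump_command(image: str, folder: str, pid: int) -> str:
    """The procdump invocation from the lab notes for one PID."""
    return f"vol.exe -f {image} procdump -D {folder}/ -p {pid}"


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for pid in find_pids(procs, "notepad.exe"):
        print(" <- ".join(parent_chain(procs, pid)))
        print(procdump_command("memdump.raw", "dumps", pid))
```

Running it prints the parent chain `notepad.exe <- explorer.exe` and the command `vol.exe -f memdump.raw procdump -D dumps/ -p 2044`. A process whose parent PID is not in the list is not necessarily suspicious (the parent may simply have exited before the capture), but it is the kind of row worth a second look when reviewing pslist output.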

Problems:

  • I had no problems for this lab

Other: