Lab Processes in Memory - echadbourne/ChadbourneSYS-140 GitHub Wiki
Summary:
- In this lab we used the program Volatility to look at the memory contents of a computer at a certain time. We were able to view processes and applications, as well as information like the time and date the memory snapshot was taken.
- PID is the Process ID of a given process; PPID is the PID of the process that started it (its parent).
Useful Things (all commands are for Windows):
- In Windows, you can click the address bar in File Explorer and type "cmd" to open up the command line in that folder.
dir
- Shows the files in the active directory
vol.exe -f [filename] imageinfo
- uses Volatility to look at the image info of the memory image, like the date and time it was taken and the suggested profile
vol.exe -f [filename] pslist
- uses Volatility to list the processes that were running at the time of the memory snapshot (name, PID, PPID, start time)
vol.exe -f [filename] cmdline
- uses Volatility to view the command line and path that each process was running from
vol.exe -f [filename] hashdump
- uses Volatility to dump the password hashes stored in the memory image and print them to the screen
mkdir [foldername]
- creates a folder with the given name
vol.exe -f [filename] procdump -D [foldername]/ -p [PID]
- dumps the executable of the process with the given PID from the memory image "filename" into "foldername"
dir [foldername]
- Shows the contents of foldername (the dumped executable should appear here)
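The pslist and cmdline output above is only useful once you relate processes to each other by PID and PPID and compare each process's path against where it normally lives. The following is an added example (not part of this lab or the Volatility project) that parses Volatility 2 style pslist and cmdline text, builds the parent/child tree, and flags a process whose parent or path does not match the usual Windows layout. The sample output, the image name and the "svchost.exe is started by services.exe" baseline are constructed assumptions for the example.

```python
"""Parse Volatility 2 `pslist` / `cmdline` text output, build a process tree,
and flag core Windows processes with an unexpected parent or on-disk path.

Added example for this wiki page; the sample output below is constructed,
not taken from the lab's memory image.
"""
import re
from collections import defaultdict

# Constructed sample of `vol.exe -f image.raw pslist` output (Volatility 2 layout).
PSLIST_SAMPLE = r"""
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x820df020 smss.exe                368      4      3       19 ------      0 2010-08-11 06:06:51 UTC+0000
0x821a2da0 csrss.exe               584    368      9      326      0      0 2010-08-11 06:06:52 UTC+0000
0x81e4a4b0 winlogon.exe            608    368     23      519      0      0 2010-08-11 06:06:52 UTC+0000
0x81e6a020 services.exe            676    608     16      261      0      0 2010-08-11 06:06:52 UTC+0000
0x81f0e020 svchost.exe             852    676     20      204      0      0 2010-08-11 06:06:53 UTC+0000
0x81f2d8a8 explorer.exe           1484   1464     17      415      0      0 2010-08-11 06:06:55 UTC+0000
0x81ed0020 svchost.exe            2216   1484      3       59      0      0 2010-08-11 06:07:10 UTC+0000
"""

# Constructed sample of `vol.exe -f image.raw cmdline` output for the same image.
CMDLINE_SAMPLE = r"""
************************************************************************
smss.exe pid:    368
Command line : \SystemRoot\System32\smss.exe
************************************************************************
svchost.exe pid:    852
Command line : C:\WINDOWS\system32\svchost.exe -k netsvcs
************************************************************************
explorer.exe pid:   1484
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
svchost.exe pid:   2216
Command line : C:\Users\Public\svchost.exe
"""

# Baseline used by this example (assumption): svchost.exe is normally a child of
# services.exe, and core processes normally run from the Windows directory.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "\\systemroot\\")

PID_LINE = re.compile(r"^(\S+) pid:\s+(\d+)$")
CMD_LINE = re.compile(r"^Command line : (.*)$")


def parse_pslist(text):
    """Return {pid: (name, ppid)}; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a hex offset; name, PID and PPID are the next columns.
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue
        procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs


def parse_cmdline(text):
    """Return {pid: command line} by pairing each 'name pid:' line with its 'Command line :' line."""
    cmds, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = PID_LINE.match(line)
        if m:
            current = int(m.group(2))
            continue
        m = CMD_LINE.match(line)
        if m and current is not None:
            cmds[current] = m.group(1)
            current = None
    return cmds


def process_tree(procs):
    """Return {ppid: [child pids]} so the listing can be walked parent to child."""
    children = defaultdict(list)
    for pid, (_, ppid) in procs.items():
        children[ppid].append(pid)
    return {ppid: sorted(pids) for ppid, pids in children.items()}


def find_anomalies(procs, cmds):
    """Return (pid, name, reason) for processes breaking the parent/path baseline."""
    findings = []
    for pid, (name, ppid) in sorted(procs.items()):
        expected = EXPECTED_PARENT.get(name.lower())
        if not expected:
            continue
        parent_name = procs.get(ppid, ("<not in pslist>", None))[0]
        if parent_name.lower() != expected:
            findings.append((pid, name, f"parent is {parent_name} (pid {ppid}), expected {expected}"))
        exe = cmds.get(pid, "").split(" ")[0].lower()
        if exe and not exe.startswith(SYSTEM_DIRS):
            findings.append((pid, name, f"runs from {exe}, not a Windows system directory"))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for pid, name, reason in find_anomalies(procs, parse_cmdline(CMDLINE_SAMPLE)):
        print(f"PID {pid} {name}: {reason}")
```

In the constructed sample, PID 2216 is flagged twice: it is named svchost.exe but was started by explorer.exe and runs from C:\Users\Public, which is exactly the kind of process you would then pull out with procdump for a closer look.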
Problems:
- I had no problems for this lab
Other: