Lab Processes in Memory - jpart04/tech-journal GitHub Wiki

Summary

In this lab we explored Volatility (vol.exe) to examine the contents of a captured RAM image. We downloaded memory image files and ran Volatility plugins against them from a cmd terminal. We could list the processes that were running when the image was taken, read the metadata recorded about the image itself (suggested OS profile, capture date and time), and see the path each process was started from, which lets you judge whether a process was running from its correct location (a system binary such as svchost.exe launched from a user's Temp folder instead of system32 would stand out).

Commands Used

vol.exe -f [FILENAME] imageinfo

This command displays basic information about the memory image: the suggested OS profile(s), the DTB and KDBG offsets, the number of processors, and the date and time the image was captured. Take note of the suggested profile, because the other plugins need it to parse the image correctly. Pass it on later commands as --profile=[PROFILE]; if you leave it out, Volatility 2 falls back to its default profile of WinXPSP2x86, which is wrong for any other version of Windows. Here is an example: vol.exe -f pat-2009-12-03.mddramimage imageinfo

vol.exe -f [FILENAME] pslist

This command walks the kernel's list of active processes and prints one row per process: the _EPROCESS offset, name, PID, parent PID (PPID), thread and handle counts, session, and start (and exit) times. The PPID column is worth reading closely, since a svchost.exe whose parent is not services.exe, or a second copy of lsass.exe, is suspicious. Because pslist follows the kernel's linked list, a process that a rootkit has unlinked from it will not appear; compare the output with psscan, which finds _EPROCESS structures by scanning memory instead. Here is an example: vol.exe -f pat-2009-12-03.mddramimage pslist

vol.exe -f [FILENAME] cmdline

This command displays the full command line each process was started with, taken from the process's PEB, so it shows the path of the executable as well as its arguments. That path is what lets you decide whether a process is running from the correct place: core Windows binaries such as smss.exe, csrss.exe, lsass.exe and svchost.exe belong in the system32 directory, so a copy started from a Temp or user profile folder should be investigated. Since the PEB lives in the process's own user-mode memory and can be altered by the process, corroborate a suspicious path with dlllist, which lists the loaded modules (the first entry is the executable itself). Here is an example: vol.exe -f pat-2009-12-03.mddramimage cmdline
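The path check described for pslist and cmdline can be scripted rather than eyeballed. The following is an added example for this page, not code from the original lab or from Volatility: it parses text in the layout Volatility 2's cmdline plugin prints, pulls the executable path out of each command line, and flags core Windows processes that are running outside their expected directory or whose process name disagrees with the executable's file name. The sample output, the SYSTEMROOT value and the EXPECTED_DIRS baseline are constructed assumptions for a 32-bit Windows XP image, not data taken from the lab image.

```python
"""Flag processes that are not running from their expected location.

Added example for this lab page, not part of the original write-up or of
Volatility. Input is text in the layout Volatility 2's cmdline plugin prints;
the sample, SYSTEMROOT and EXPECTED_DIRS below are constructed assumptions.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample in the shape of `vol.exe -f <image> cmdline` output.
# PID 1532 is the planted oddity: a "svchost.exe" started from a Temp folder.
SAMPLE_CMDLINE_OUTPUT = r"""
************************************************************************
System pid:      4
************************************************************************
smss.exe pid:    368
Command line : \SystemRoot\System32\smss.exe
************************************************************************
svchost.exe pid:    900
Command line : C:\WINDOWS\system32\svchost -k DcomLaunch
************************************************************************
svchost.exe pid:   1532
Command line : "C:\Documents and Settings\pat\Local Settings\Temp\svchost.exe"
************************************************************************
explorer.exe pid:   1612
Command line : C:\WINDOWS\Explorer.EXE
"""

SYSTEMROOT = r"c:\windows"  # assumed %SystemRoot% of the image, lower-case

# Directories where core Windows binaries belong (assumed 32-bit XP baseline).
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "smss.exe": {SYSTEMROOT + r"\system32"},
    "csrss.exe": {SYSTEMROOT + r"\system32"},
    "lsass.exe": {SYSTEMROOT + r"\system32"},
    "svchost.exe": {SYSTEMROOT + r"\system32"},
    "explorer.exe": {SYSTEMROOT},
}

HEADER_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)\s*$")
CMDLINE_RE = re.compile(r"^Command line : (?P<cmd>.*)$")
Process = Tuple[str, int, Optional[str]]  # (name, pid, command line or None)
Finding = NamedTuple("Finding", [("name", str), ("pid", int),
                                 ("exe_path", str), ("reason", str)])

def parse_cmdline_output(text: str) -> List[Process]:
    """Turn cmdline plugin output into (name, pid, cmdline) records."""
    procs: List[Process] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            procs.append((m["name"], int(m["pid"]), None))
        elif procs and (m := CMDLINE_RE.match(line)):
            name, pid, _ = procs[-1]
            procs[-1] = (name, pid, m["cmd"].strip())
    return procs

def executable_path(cmdline: str) -> str:
    """Executable part of a command line: a quoted path, else the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(" ", 1)[0]

def normalize_dir(exe_path: str) -> str:
    """Lower-case directory of the executable, with the SystemRoot prefix expanded."""
    path = exe_path.lower()
    if path.startswith(r"\systemroot"):
        path = SYSTEMROOT + path[len(r"\systemroot"):]
    return path.rsplit("\\", 1)[0] if "\\" in path else ""

def names_match(header_name: str, exe_base: str) -> bool:
    h, b = header_name.lower(), exe_base.lower()
    if "." not in b:
        b += ".exe"  # XP starts e.g. "svchost -k DcomLaunch" without the extension
    return h[:15] == b[:15]  # _EPROCESS.ImageFileName holds at most 15 characters

def check_processes(procs: List[Process], baseline=EXPECTED_DIRS) -> List[Finding]:
    """Report baseline processes whose executable name or directory is off."""
    findings: List[Finding] = []
    for name, pid, cmdline in procs:
        if cmdline is None:  # System (pid 4) has no command line; nothing to check
            continue
        exe = executable_path(cmdline)
        base = exe.rsplit("\\", 1)[-1]
        if not names_match(name, base):
            findings.append(Finding(name, pid, exe, f"name does not match executable {base}"))
        directory, expected = normalize_dir(exe), baseline.get(name.lower())
        if expected is not None and directory not in expected:
            findings.append(Finding(name, pid, exe,
                                    f"started from {directory}, expected {sorted(expected)}"))
    return findings

if __name__ == "__main__":
    for f in check_processes(parse_cmdline_output(SAMPLE_CMDLINE_OUTPUT)):
        print(f"[!] {f.name} (pid {f.pid}) {f.exe_path}: {f.reason}")
```

To use it on a real image, replace SAMPLE_CMDLINE_OUTPUT with the saved output of the cmdline command and adjust SYSTEMROOT and EXPECTED_DIRS to the Windows version that imageinfo reported. Two details are deliberate: XP launches svchost without the .exe extension, so the name comparison adds it when no extension is present, and the process name comes from the 15-character ImageFileName field, so only that prefix is compared.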

vol.exe -f [FILENAME] hashdump

This command extracts the local account password hashes (LM and NT) from the SAM and SYSTEM registry hives cached in memory and prints them in pwdump format (username:RID:LM hash:NT hash:::). NOTE: the output is credential material. If the computer you are working on is shared, clear the console output (or restart the machine) after running this command so the hashes are not left on screen for the next user. Here is an example: vol.exe -f pat-2009-12-03.mddramimage hashdump

Links