Lab 5 - samuel-richardson/Sam-Tech-Journal GitHub Wiki

# Lab 5

In this lab I used Volatility to inspect a memory dump.

To use Volatility, open a command prompt in the directory that holds vol.exe (the standalone Volatility 2 build), give it the memory image with -f and then name the plugin to run, for example:

```
vol.exe -f xp-laptop-2005-07-04-1430.img pslist
```

Volatility 2 also needs a profile (the OS version and architecture the image came from). When --profile is not given it assumes WinXPSP2x86, which fits this XP image; for any other image run `vol.exe -f <image> imageinfo` first and pass the suggested profile with --profile=.

pslist lists the running processes from the kernel's process list (offset, name, PID, PPID, thread and handle counts, start time). cmdline prints the command line each process was started with, which includes the path of its executable. hashdump extracts the local account password hashes (LM and NTLM) from the SAM hive that is cached in memory and prints them to the screen as user:rid:lmhash:nthash; those hashes can be cracked or used offline, so treat the output as sensitive.

procdump extracts a process's executable from memory. Select the process with -p and its PID (taken from pslist) and give an output directory with -D, for example `vol.exe -f xp-laptop-2005-07-04-1430.img procdump -p <pid> -D dumps`, which writes executable.<pid>.exe into that directory. The result is a reconstructed PE meant for static analysis or scanning, not for running; an analyst would normally dump the processes that look wrong in pslist or cmdline first.
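A small Python script around the same three steps (list processes, pick a PID, dump it), as an added example that is not from the original journal or from the Volatility project. It assumes the Volatility 2 standalone vol.exe and the xp-laptop image named above; the pslist text inside it is a constructed sample laid out like Volatility 2's output, and the parent-process expectations (svchost.exe under services.exe, csrss.exe under smss.exe) are the usual Windows XP ones, used here to choose which process is worth dumping.

```python
"""Scripted triage around Volatility 2's pslist and procdump.

Added example for this lab, not code from the journal or from Volatility.
It assumes the standalone Volatility 2 build (vol.exe) and the
xp-laptop-2005-07-04-1430.img image; SAMPLE_PSLIST is a constructed sample
in Volatility 2's column layout, not real output from that image.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `vol.exe -f xp-laptop-2005-07-04-1430.img pslist`.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     58      277 ------      0
0x81e61da0 smss.exe                368      4      3       19 ------      0 2005-07-04 18:22:09 UTC+0000
0x81e10020 csrss.exe               592    368     12      378      0      0 2005-07-04 18:22:10 UTC+0000
0x81dfd020 winlogon.exe            616    368     19      570      0      0 2005-07-04 18:22:10 UTC+0000
0x81d9c5a8 services.exe            660    616     16      262      0      0 2005-07-04 18:22:11 UTC+0000
0x81d4bda0 svchost.exe            1016    660     63     1358      0      0 2005-07-04 18:22:13 UTC+0000
0x81c9e020 explorer.exe           1700   1676     14      410      0      0 2005-07-04 18:23:02 UTC+0000
0x81d4a020 svchost.exe            2040   1700      2       25      0      0 2005-07-04 18:25:01 UTC+0000
"""

# One process row: offset, name, PID, PPID, thread count, handle count.
# The name is matched lazily so a name containing spaces still parses.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\b")


def parse_pslist(text: str) -> List[Dict]:
    """Turn pslist's fixed-width table into a list of process dicts."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # banner, header and separator lines
            continue
        offset, name, pid, ppid, thds, hnds = m.groups()
        procs.append({"offset": int(offset, 16), "name": name, "pid": int(pid),
                      "ppid": int(ppid), "threads": int(thds), "handles": int(hnds)})
    return procs


def find_pids(procs: List[Dict], name: str) -> List[int]:
    """PIDs of every process with the given image name (case-insensitive)."""
    return [p["pid"] for p in procs if p["name"].lower() == name.lower()]


def unexpected_parents(procs: List[Dict], expected: Dict[str, str]) -> List[Dict]:
    """Processes whose parent is not the one Windows normally gives them.

    `expected` maps a child image name to the parent it should have, e.g.
    svchost.exe -> services.exe. A parent missing from the list (already
    exited, or hidden from the process list) is reported as well.
    """
    by_pid = {p["pid"]: p for p in procs}
    flagged = []
    for p in procs:
        want = expected.get(p["name"].lower())
        if want is None:
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None or parent["name"].lower() != want.lower():
            flagged.append(p)
    return flagged


def procdump_command(image: str, pid: int, dump_dir: str,
                     vol: str = "vol.exe", profile: Optional[str] = None) -> List[str]:
    """argv for Volatility 2's procdump: -p selects the PID, -D the output dir."""
    cmd = [vol, "-f", image]
    if profile:  # omitted here because the XP image matches the default profile
        cmd.append("--profile=" + profile)
    cmd += ["procdump", "-p", str(pid), "-D", dump_dir]
    return cmd


def run(argv: List[str]) -> Optional[str]:
    """Run a Volatility command and return its stdout, or None if vol is absent."""
    if shutil.which(argv[0]) is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    image = "xp-laptop-2005-07-04-1430.img"
    live = run(["vol.exe", "-f", image, "pslist"])
    procs = parse_pslist(live if live is not None else SAMPLE_PSLIST)
    for p in unexpected_parents(procs, {"svchost.exe": "services.exe",
                                        "csrss.exe": "smss.exe"}):
        print("odd parent:", p["name"], "pid", p["pid"], "ppid", p["ppid"])
        print("  dump with:", " ".join(procdump_command(image, p["pid"], "dumps")))
```

With the sample table the script flags the svchost.exe whose parent is explorer.exe rather than services.exe and prints the procdump command for it; when vol.exe is on the PATH it parses the real pslist output of the image instead of the sample.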