Processing RAM with Volatility - tmansfield42/Tech-Journal GitHub Wiki

Summary

In this lab we found "Sarah's" password from a Windows XP memory image file captured in 2005.

Process

  1. First, we downloaded the memory image and Volatility from https://tinyurl.com/y2oer8p4, extracted the archive, and changed into the directory where it was extracted.

  2. vol.exe -f xp-laptop-2005-07-04-1430.img pslist -> lists the processes that were running when the image was taken. Offset is how Volatility refers to the area of memory where the process is located. PID is the "Process ID", and "HNDS" is the number of "Handles" (open files, libraries, etc.) held by the process.

  3. vol.exe -f xp-laptop-2005-07-04-1430.img cmdline -> prints the command line, including the executable path, for each process.

  4. vol.exe -f xp-laptop-2005-07-04-1430.img hashdump -> prints the password hashes to the screen; the hashes are the long strings of hex characters.
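An added example, not part of the original lab, showing how the pslist output from step 2 can be turned into something you can check rather than just read: it parses the Offset, PID, PPID and HNDS columns into a process table, rebuilds parent/child relationships, and flags "orphan" processes whose parent is no longer in the listing (typical for explorer.exe, whose parent userinit.exe exits after logon). The sample output is constructed here and assumes the Volatility 2 column layout (Offset(V), Name, PID, PPID, Thds, Hnds, ...); it is not taken from the lab image.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the Volatility 2 `pslist` layout (not real output from the lab image).
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c8830 System                    4      0     55      247 ------      0
0x8211f020 smss.exe                376      4      3       21 ------      0 2005-07-04 18:13:20 UTC+0000
0x8219a8a0 csrss.exe               600    376     12      423      0      0 2005-07-04 18:13:22 UTC+0000
0x821d2020 winlogon.exe            624    376     19      512      0      0 2005-07-04 18:13:23 UTC+0000
0x82126020 services.exe            668    624     16      271      0      0 2005-07-04 18:13:24 UTC+0000
0x821bb3e0 svchost.exe             908    668      9      225      0      0 2005-07-04 18:13:30 UTC+0000
0x820e9da0 explorer.exe           1636   1596     11      330      0      0 2005-07-04 18:14:01 UTC+0000
0x81fa2020 cmd.exe                2044   1636      1       31      0      0 2005-07-04 18:29:54 UTC+0000
"""


@dataclass
class Proc:
    offset: int   # virtual address of the process object in the memory image
    name: str
    pid: int
    ppid: int
    threads: int
    handles: int  # the HNDS column: open files, registry keys, libraries, etc.


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Parse pslist output into a dict keyed by PID; header and separator rows are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        f = line.split()
        procs[int(f[2])] = Proc(int(f[0], 16), f[1], int(f[2]), int(f[3]), int(f[4]), int(f[5]))
    return procs


def orphans(procs: Dict[int, Proc]) -> List[int]:
    """PIDs whose parent is absent from the listing (parent exited, or not visible to pslist)."""
    return sorted(p.pid for p in procs.values() if p.ppid != 0 and p.ppid not in procs)


def children(procs: Dict[int, Proc], pid: int) -> List[int]:
    """PIDs of the direct children of `pid`, so the process tree can be walked top-down."""
    return sorted(p.pid for p in procs.values() if p.ppid == pid)


if __name__ == "__main__":
    table = parse_pslist(SAMPLE_PSLIST)
    for p in table.values():
        print(f"{p.offset:#010x} {p.name:<16} pid={p.pid:<5} ppid={p.ppid:<5} hnds={p.handles}")
    print("orphans:", orphans(table))
```

Processes that show up as orphans are worth a second look in a real image, since a missing parent is also what you see when a process was started by something that has since disappeared from the process list.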
