
Forensics

Cool tricks for investigating hacked computers, malware, and memory captures

Memory Forensics

  • A cheap trick is to run strings on the dump file, in case the whole flag sits in memory in one piece. Run it twice, plain and with -el, because Windows keeps much of its text (GUI input, .NET strings, registry values) as UTF-16LE, which the default ASCII scan does not report

  • Get all files of an extension with volatility2

    volatility -f MemDump.DMP --profile=Win7SP1x64 filescan | grep -i '\.txt'
    

  • Dump a file by the physical offset of its file object, which you get from the Offset(P) column of the filescan output above

    volatility -f MemDump.DMP --profile=Win7SP1x64 dumpfiles -n -Q 0x000000003e1891d0 -D files/
    

  • If a file has been deleted, its NTFS MFT record may still be in memory. mftparser carves MFT entries out of the dump, and for small files whose $DATA is resident that includes the file content, not just the name and timestamps

    volatility -f MemDump.DMP --profile=Win7SP1x64 mftparser | grep -C10 sysinfo > mftsysinfo
    

  • Creating Linux profiles for Volatility is a pain, so here's a writeup for irc from utCTF to get you started. If you don't want to go through all the trouble of debugging it yourself, look at this blog that Censored wrote
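
Added example, not code from the original page: a Python helper that covers the strings trick and the filescan → dumpfiles steps above. It searches a byte blob for flag{...} in both ASCII and UTF-16LE (what strings -a and strings -a -el would show), and turns volatility2 filescan output into the dumpfiles commands, filtering on the real extension instead of a bare grep. The flag prefix, the sample dump bytes, the filescan lines, file names and offsets are all constructed for the example; only the volatility2 command syntax is the page's own.

```python
import re

# Constructed sample standing in for a memory dump. Real dumps are gigabytes;
# the point is that text typed into a Windows GUI or held by a .NET/Win32
# program is usually UTF-16LE, which plain `strings` (ASCII only) skips.
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03junk\x00"
    + b"flag{ascii_part_here}"                        # found by `strings -a`
    + b"\x00" * 16
    + "flag{utf16_part_here}".encode("utf-16-le")     # needs `strings -a -el`
    + b"\xff\xfe more garbage\x00\x00"
)

# Assumed flag format; change FLAG_PREFIX for another CTF's convention.
FLAG_PREFIX = b"flag{"
# Body: printable ASCII except '}', capped so a runaway match cannot explode.
ASCII_FLAG_RE = re.compile(re.escape(FLAG_PREFIX) + rb"[\x20-\x7c\x7e]{1,200}\}")
# UTF-16LE: every ASCII character is followed by a NUL byte, so spell the
# prefix out byte by byte and require the same shape for each body character.
# Matching on raw bytes means both even and odd alignments are tried.
UTF16_PREFIX = b"".join(bytes([c, 0]) for c in FLAG_PREFIX)
UTF16_FLAG_RE = re.compile(re.escape(UTF16_PREFIX) + rb"(?:[\x20-\x7c\x7e]\x00){1,200}\}\x00")


def find_flags(blob):
    """Return (offset, encoding, flag) for every flag{...} in blob, found as
    ASCII and as UTF-16LE, sorted by offset."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_FLAG_RE.finditer(blob)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in UTF16_FLAG_RE.finditer(blob)]
    return sorted(hits)


# Constructed sample of volatility2 `filescan` output (same column layout as
# the real plugin: physical offset, #Ptr, #Hnd, access mask, path).
SAMPLE_FILESCAN = r"""Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e1891d0     16      0 R--rwd \Device\HarddiskVolume1\Users\user\Desktop\sysinfo.txt
0x000000003e5c2070      8      0 R--r-- \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
0x000000003f0a1b40      2      1 RW-rw- \Device\HarddiskVolume1\Users\user\Desktop\My Notes.TXT
"""

FILESCAN_LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+-?\d+\s+-?\d+\s+\S+\s+(.+?)\s*$")


def parse_filescan(output, ext=None):
    """Return [(physical_offset, path)] from filescan output, keeping only
    paths that end with `ext` (case-insensitive) when one is given. Unlike
    `grep .txt` this anchors on the real extension and keeps names with spaces."""
    entries = []
    for line in output.splitlines():
        m = FILESCAN_LINE_RE.match(line)
        if not m:
            continue                      # banner, header and separator lines
        off, path = m.group(1), m.group(2)
        if ext is None or path.lower().endswith(ext.lower()):
            entries.append((off, path))
    return entries


def dumpfiles_commands(entries, dump="MemDump.DMP", profile="Win7SP1x64", outdir="files/"):
    """One volatility2 dumpfiles command per file object: -Q takes the physical
    offset filescan printed, -n keeps the original file name, -D the output dir."""
    return [f"volatility -f {dump} --profile={profile} dumpfiles -n -Q {off} -D {outdir}"
            for off, _ in entries]


if __name__ == "__main__":
    for off, enc, flag in find_flags(SAMPLE_DUMP):
        print(f"{off:#010x} {enc:9} {flag}")
    for cmd in dumpfiles_commands(parse_filescan(SAMPLE_FILESCAN, ".txt")):
        print(cmd)
```

To run find_flags over a real dump, open the file and pass an mmap of it instead of reading it all into memory; the regexes accept any bytes-like object. When dumpfiles writes the results, expect several artefacts per file object (.dat, .img or .vacb depending on which cache section was still mapped), and diff them rather than assuming the first one is complete.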

JS Deobfuscation

  • JSnice does a good job of beautifying JS code and even guesses variable names