- --------------- Class 1
- Hashes and collisions
- Images https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
- Bit-for-bit cloning
- Forensic mode in Kali
- Data Duplicator: dd if= of=
- Cloning with FTK Imager (disk and RAM)
- Magnet
- ------- Volatility3
- https://blog.onfvp.com/post/volatility-cheatsheet/
- https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet
- https://atenea.ccn-cert.cni.es/challenges?category=anlisis-de-memoria
- Installation and requirements
- Docs https://volatility3.readthedocs.io/en/latest/
- py vol.py -f mem plugin
- windows.pslist - processes
- windows.pstree
- windows.netscan - network state
- windows.filescan (many files; redirect the output to a file)
- windows.dumpfiles.DumpFiles --pid --virtaddr
- windows.sessions
- windows.cmdline.CmdLine
- windows.info
- DOES NOT WORK:
- ./vol.py -f file.dmp windows.registry.printkey.PrintKey --key "Software\Microsoft\Windows NT\CurrentVersion"
- THIS DOES:
- py .\vol.py -f 'C:\forense\MemoryDumpWH.raw' -o .\registro windows.registry.hivelist.HiveList --dump
- Analyze the dumped hives under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
- TOOLS https://ericzimmerman.github.io/#!index.md
- ------- MFT
- MFT Explorer
- MFT Browser
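The "hashes" and "dd if= of=" items above are two halves of one procedure: image the evidence bit for bit, then prove the image is faithful by hashing both sides. The script below is an added example (not part of the original notes) that combines them; it assumes only dd and sha256sum from coreutils and runs against a constructed 4096-byte file standing in for a real device path, which is a placeholder you would replace with e.g. the block device mounted read-only in Kali's forensic mode.

```shell
#!/bin/sh
# Added example (not from the original class notes): bit-for-bit clone with dd,
# then hash verification of source and image. Assumed tools: dd, sha256sum.
# Paths used in the demo are constructed placeholders, not real evidence.

# clone_and_verify SRC DST
# Images SRC into DST with dd (conv=noerror,sync: a bad block becomes a
# zero-filled block instead of aborting the whole acquisition), records both
# SHA-256 hashes in DST.sha256, and returns 0 only when the hashes match.
clone_and_verify() {
    src="$1"
    dst="$2"
    # Hash the evidence before imaging so the image can be checked against it.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null || return 2
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf 'source  %s  %s\nimage   %s  %s\n' \
        "$src_hash" "$src" "$dst_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# Stand-alone demo on a constructed 4096-byte "device" filled with random data.
# Its size is a multiple of bs, so the sync padding does not alter the hash.
demo_dir=$(mktemp -d)
head -c 4096 /dev/urandom > "$demo_dir/evidence.bin"
if clone_and_verify "$demo_dir/evidence.bin" "$demo_dir/evidence.dd"; then
    echo "image verified:"
    cat "$demo_dir/evidence.dd.sha256"
else
    echo "HASH MISMATCH: image is not a faithful copy" >&2
fi
rm -rf "$demo_dir"
```

On a real acquisition the source hash is taken from the device itself, the image and its .sha256 file are kept together, and any later mismatch means the image (or the evidence) changed after acquisition.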