In previous diaries I have talked about using Volatility; in this diary I will cover a few more plugins.

1- MBR parser: the mbrparser plugin scans for and parses potential Master Boot Records (MBRs) in the memory image.
And the output would be similar to this
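To make clear what mbrparser has to recognise, here is an added example (not Volatility's code) that scans a constructed memory buffer for 512-byte windows ending in the 55 AA marker, applies the same kind of plausibility checks a scanner needs to drop false hits, and reports the disk signature (offset 0x1B8), the MD5 of the boot code (the 440 bytes before the signature, this example's choice of range) and the partition table. The disassembly step is left out; the sample MBR, its disk signature and its partitions are constructed for the example.

```python
import hashlib
import struct

BOOTCODE_LEN = 440      # boot code occupies bytes 0..439; the disk signature follows at 0x1B8
PARTITION_TABLE = 0x1BE # four 16-byte entries
MBR_MARKER = b"\x55\xAA"


def bootcode_md5(bootcode):
    return hashlib.md5(bootcode).hexdigest()


def parse_mbr(sector):
    """Parse a 512-byte candidate; raise ValueError if it does not look like an MBR."""
    if len(sector) < 512 or sector[0x1FE:0x200] != MBR_MARKER:
        raise ValueError("no 55 AA marker")
    partitions = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) start LBA(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PARTITION_TABLE + 16 * i)
        if status not in (0x00, 0x80):
            raise ValueError("invalid partition status byte")      # scanners use this to drop false hits
        if ptype == 0:
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "start_lba": lba, "sectors": count, "byte_offset": lba * 512})
    if not partitions:
        raise ValueError("empty partition table")
    disk_sig = sector[0x1B8:0x1BC]
    return {"disk_signature": "-".join(f"{b:02x}" for b in disk_sig),
            "bootcode_md5": bootcode_md5(sector[:BOOTCODE_LEN]),
            "partitions": partitions}


def scan_for_mbrs(memory):
    """Find every plausible MBR in a raw buffer; returns (offset, parsed) pairs."""
    hits = []
    idx = memory.find(MBR_MARKER)
    while idx != -1:
        start = idx - 0x1FE
        if start >= 0:
            try:
                hits.append((start, parse_mbr(memory[start:start + 512])))
            except ValueError:
                pass
        idx = memory.find(MBR_MARKER, idx + 1)
    return hits


def build_sample_mbr():
    """Constructed MBR: a classic boot-code prologue padded with NOPs, two NTFS partitions."""
    bootcode = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * BOOTCODE_LEN)[:BOOTCODE_LEN]
    p1 = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    p2 = struct.pack("<B3sB3sII", 0x00, b"\x00" * 3, 0x07, b"\x00" * 3, 206848, 2097152)
    return bootcode + b"\xA1\xB2\xC3\xD4" + b"\x00\x00" + p1 + p2 + b"\x00" * 32 + MBR_MARKER


def demo():
    """Constructed memory slice: one real MBR at offset 1000 plus a decoy 55 AA inside text."""
    memory = bytes(1000) + build_sample_mbr() + bytes(700) + b"decoy \x55\xAA" + bytes(600)
    return scan_for_mbrs(memory)


if __name__ == "__main__":
    for offset, mbr in demo():
        print(f"MBR at {offset:#x}: disk signature {mbr['disk_signature']}, bootcode md5 {mbr['bootcode_md5']}")
        for p in mbr["partitions"]:
            print(f"  partition {p['index']}: type {p['type']:#04x} start LBA {p['start_lba']} "
                  f"bootable={p['bootable']}")
```

The decoy in `demo()` is rejected because its partition table is empty; in a real image the status-byte and partition-table checks are what keep a 55 AA found in arbitrary data from being reported as a boot record. The boot-code hash is the quickest way to compare the in-memory MBR against a known-good build of the same disk.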
As you can see, mbrparser shows the disk signature and the MD5 hash of the boot code, and it disassembles the bootable code.

2- MFT parser: the mftparser plugin scans for potential Master File Table (MFT) entries in memory (using the "FILE" and "BAAD" signatures) and prints out information for certain attributes, currently: $FILE_NAME ($FN), $STANDARD_INFORMATION ($SI), the $FN and $SI attributes from the $ATTRIBUTE_LIST, and $OBJECT_ID.
And here is a sample of the mftparser output:
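As an added example of the scanning described above (this is not Volatility's mftparser, and the records are constructed for the example), the following code carves "FILE"/"BAAD" signatures out of a raw buffer, undoes the NTFS update-sequence fixups, and reads the timestamps from $STANDARD_INFORMATION and the name and timestamps from $FILE_NAME. One of the two sample records is flagged not-in-use, which is how deleted files still show up in a scan, and a decoy "FILE" string shows how header sanity checks discard false hits.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE, SECTOR = 1024, 512
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
HDR_FMT = "<4sHHQHHHHIIQHHI"   # FILE record header: sig, usa off/size, lsn, seq, links, attr off, flags, used, alloc, base, next id, pad, record no


def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _attr(atype, content):
    """Resident attribute: 24-byte header followed by content, padded to 8 bytes."""
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return (hdr + content).ljust(length, b"\x00")


def build_record(recno, name, created, modified, in_use, usn=0x4242):
    """Constructed 1024-byte FILE record with $SI and $FN; fixups applied the way NTFS stores them."""
    c, m = dt_to_filetime(created), dt_to_filetime(modified)
    si = _attr(ATTR_SI, struct.pack("<4QIIII", c, m, m, m, 0x20, 0, 0, 0))
    fn = _attr(ATTR_FN, struct.pack("<5QQQIIBB", 5, c, m, m, m, 4096, 1234, 0x20, 0, len(name), 3)
               + name.encode("utf-16-le"))
    body = si + fn + struct.pack("<II", ATTR_END, 0)
    hdr = struct.pack(HDR_FMT, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1 if in_use else 0,
                      0x38 + len(body), RECORD_SIZE, 0, 3, 0, recno)
    rec = bytearray((hdr + bytes(8) + body).ljust(RECORD_SIZE, b"\x00"))
    struct.pack_into("<H", rec, 0x30, usn)
    for i in range(2):                       # last two bytes of each sector go to the USA, USN takes their place
        end = SECTOR * (i + 1) - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, usn)
    return bytes(rec)


def parse_record(buf):
    """Parse one candidate record; ValueError on anything implausible (that is how scanners drop false hits)."""
    if len(buf) < RECORD_SIZE:
        raise ValueError("short buffer")
    sig, usa_off, usa_size, _, _, _, attr_off, flags, used, alloc, _, _, _, recno = struct.unpack_from(HDR_FMT, buf, 0)
    if (sig not in (b"FILE", b"BAAD") or alloc != RECORD_SIZE or used > alloc
            or not 0x30 <= usa_off < attr_off <= used or usa_size != alloc // SECTOR + 1):
        raise ValueError("header sanity check failed")
    rec = bytearray(buf[:alloc])
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_size - 1):            # undo fixups before reading anything near a sector boundary
        end = SECTOR * (i + 1) - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch")
        rec[end:end + 2] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    result = {"record": recno, "signature": sig.decode(), "in_use": bool(flags & 1), "directory": bool(flags & 2)}
    off = attr_off
    while off + 0x18 <= used:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if not nonres:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = bytes(rec[off + coff:off + coff + clen])
            if atype == ATTR_SI and clen >= 0x20:
                c, m, mm, a = struct.unpack_from("<4Q", content, 0)
                result["si"] = {"created": filetime_to_dt(c), "modified": filetime_to_dt(m),
                                "mft_modified": filetime_to_dt(mm), "accessed": filetime_to_dt(a)}
            elif atype == ATTR_FN and clen >= 0x42:
                _, c, m, _, _ = struct.unpack_from("<5Q", content, 0)
                nlen = content[0x40]
                result["fn"] = {"name": content[0x42:0x42 + 2 * nlen].decode("utf-16-le"),
                                "created": filetime_to_dt(c), "modified": filetime_to_dt(m)}
        off += alen
    return result


def scan_mft(memory):
    hits = []
    for sig in (b"FILE", b"BAAD"):
        idx = memory.find(sig)
        while idx != -1:
            try:
                hits.append((idx, parse_record(memory[idx:idx + RECORD_SIZE])))
            except (ValueError, struct.error, UnicodeDecodeError, OverflowError):
                pass                         # signature bytes with no record behind them
            idx = memory.find(sig, idx + 1)
    return sorted(hits, key=lambda h: h[0])


def demo():
    """Constructed memory slice: a live record, a decoy 'FILE' string, and a deleted record."""
    t0 = datetime(2016, 1, 18, 9, 30, tzinfo=timezone.utc)
    memory = (bytes(512) + build_record(40, "notes.txt", t0, t0 + timedelta(hours=2), True)
              + bytes(200) + b"plain text mentioning FILE records" + bytes(300)
              + build_record(41, "report.docx", t0, t0, False) + bytes(256))
    return scan_mft(memory)


if __name__ == "__main__":
    for offset, rec in demo():
        print(f"{offset:#x} record {rec['record']} in_use={rec['in_use']} {rec.get('fn', {}).get('name')} "
              f"created={rec['si']['created']:%Y-%m-%d %H:%M:%S}")
```

Comparing the $SI and $FN timestamps of the same record is worth the extra lines: $SI is what most timestamp-manipulation tools rewrite, while $FN is set by the kernel, so a file whose $SI creation time predates its $FN creation time deserves a closer look.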
3- UserAssist

UserAssist tracks GUI-based programs launched from the desktop on a Windows system. On Windows 7 the data lives in the user's NTUSER.DAT hive under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. The userassist plugin scans the entire memory image and parses the UserAssist keys.

Here is a sample output of the userassist plugin; the count entry shows the number of times that mspaint.exe has been executed:
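The value names under the Count key are ROT13-encoded, and on Windows 7 each value is a 72-byte record in which the run count sits at offset 4 and the last-execution FILETIME at offset 60. The code below is an added example (not the plugin's code) that decodes a constructed Count key into the same fields the plugin prints; the 72-byte layout is the documented Windows 7 format and the sample values are made up for the example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist_win7(value_name, data):
    """Decode one value under ...\\UserAssist\\{GUID}\\Count in the 72-byte Windows 7 layout."""
    if len(data) != 72:
        raise ValueError("not a Windows 7 UserAssist record (expected 72 bytes)")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "name": codecs.decode(value_name, "rot_13"),   # ROT13 only touches letters; GUIDs and dots survive
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_dt(last_run_ft) if last_run_ft else None,
    }


def parse_count_key(values):
    """values: {rot13 value name: raw value data}, as read from one Count subkey."""
    records = []
    for name, data in values.items():
        try:
            records.append(parse_userassist_win7(name, data))
        except ValueError:
            continue                                   # e.g. the UEME_CTLSESSION bookkeeping value
    return sorted(records, key=lambda r: r["run_count"], reverse=True)


def build_win7_record(run_count, focus_count, focus_ms, last_run):
    """Constructed value data in the Windows 7 layout (only the fields read above are filled)."""
    data = bytearray(72)
    struct.pack_into("<IIII", data, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, dt_to_filetime(last_run))
    return bytes(data)


def demo():
    """Constructed Count key: mspaint.exe run 5 times, notepad.exe (System32 known-folder GUID) once."""
    t0 = datetime(2016, 1, 18, 9, 30, tzinfo=timezone.utc)
    sample_count_key = {
        "zfcnvag.rkr": build_win7_record(5, 3, 120000, t0),
        r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr": build_win7_record(1, 1, 4000, t0 - timedelta(days=2)),
        "HRZR_PGYFRFFVBA": b"\x00" * 8,                # session value, not a program entry
    }
    return parse_count_key(sample_count_key)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['name']}: run {r['run_count']}x, last run {r['last_run']:%Y-%m-%d %H:%M:%S} UTC")
```

Reporting the decoded name next to the raw ROT13 name is useful when the result is taken into a timeline: the GUID prefix identifies the known folder the program was launched from, so a binary run from a user-writable location stands out from the same name run from System32.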
4- Shellbags: which folders were accessed on the local machine, the network, and/or removable devices; evidence of folders that previously existed and have since been deleted or overwritten; and when certain folders were accessed.

And here is a sample of the shellbags plugin output:
Basil, ISC Handler, Jan 18th 2016
Might be useful: combine mbrparser output 'disk signature' with what is found in HKLM\SYSTEM\MountedDevices.
cudeso, Jan 19th 2016
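The correlation suggested in the comment above, as an added example (not from the diary or from Volatility): on a basic MBR disk each MountedDevices value is 12 bytes, the 4-byte disk signature followed by the 8-byte byte offset of the partition, so the drive letters and volume GUIDs in HKLM\SYSTEM\MountedDevices can be tied to the partitions mbrparser listed for that disk signature. The registry values, disk signature and partition LBAs below are constructed; the volume GUID is a placeholder.

```python
import struct


def parse_mounted_device(data):
    """Classify one MountedDevices value (HKLM\\SYSTEM\\MountedDevices) by its binary layout."""
    if len(data) == 12:                      # basic MBR disk: disk signature + partition byte offset
        return {"kind": "mbr",
                "disk_signature": "-".join(f"{b:02x}" for b in data[:4]),
                "byte_offset": struct.unpack("<Q", data[4:])[0]}
    if data.startswith(b"DMIO:ID:"):         # GPT volume: prefix followed by the partition GUID
        return {"kind": "gpt", "partition_guid": data[8:24]}
    return {"kind": "other", "text": data.decode("utf-16-le", errors="replace")}   # device interface path


def correlate(mounted_devices, disk_signature, partition_lbas, sector_size=512):
    """Map MountedDevices entries for disk_signature to the start LBA mbrparser reported for that partition."""
    sig = "-".join(f"{b:02x}" for b in disk_signature)
    by_offset = {lba * sector_size: lba for lba in partition_lbas}
    matches = {}
    for name, data in mounted_devices.items():
        info = parse_mounted_device(data)
        if info["kind"] == "mbr" and info["disk_signature"] == sig:
            # start_lba None: the registry knows a volume on this disk that the MBR found in memory does not list
            matches[name] = {"byte_offset": info["byte_offset"], "start_lba": by_offset.get(info["byte_offset"])}
    return matches


def demo():
    """Constructed MountedDevices values: two on our disk, one on another disk, one GPT volume."""
    our_disk = b"\xA1\xB2\xC3\xD4"
    mounted_devices = {
        r"\DosDevices\C:": our_disk + struct.pack("<Q", 2048 * 512),
        r"\??\Volume{00000000-0000-0000-0000-000000000000}": our_disk + struct.pack("<Q", 2048 * 512),   # placeholder GUID
        r"\DosDevices\E:": b"\xDE\xAD\xBE\xEF" + struct.pack("<Q", 1048576),
        r"\DosDevices\D:": b"DMIO:ID:" + bytes(16),
    }
    # disk signature and partition start LBAs as they would be copied from mbrparser output
    return correlate(mounted_devices, our_disk, [2048, 206848])


if __name__ == "__main__":
    for name, m in demo().items():
        print(f"{name}: offset {m['byte_offset']} -> start LBA {m['start_lba']}")
```

A signature match with no corresponding start LBA, or a drive letter whose offset points into a partition the in-memory MBR does not describe, is the interesting case: it means the partition layout the OS mounted and the boot record recovered from memory disagree.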
You can set default volatility values and create a file volatilityrc (Windows) or ~/.volatilityrc (Linux) in the same directory. No need to enter.

[DEFAULT]
PROFILE=Win7SP1x64
LOCATION=file:///C:\Case\LAPTOP-20160119.raw
cudeso, Jan 19th 2016