Month: April 2016

No Need to Unzip, Just Use Zcat or Zgrep

There will be times when you encounter a zipped file and want to parse it quickly without unzipping it first. When that time comes, zcat and zgrep will be your saviors. Both are straightforward to use, and both have man pages for further reading. Basic usage of the two is shown below.

Display the contents of a zipped file

Search for specific characters/words in zipped files.
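As an added example (not from the original post), the script below builds a small gzip-compressed auth log in a temporary directory and then reads and searches it with zcat and zgrep, without ever writing the decompressed file back to disk. The log lines are constructed for the example. One caveat worth keeping in mind: zcat and zgrep read gzip (.gz) streams, not .zip archives; for a .zip you would pipe `unzip -p` into grep instead.

```shell
#!/bin/sh
# Added example (not from the original post): build a small gzip-compressed log
# in a temporary directory, then read and search it with zcat and zgrep without
# ever writing the uncompressed file back to disk. The log lines are constructed.

# Create a four-line auth log, compress it, and print the path of the .gz file
make_sample_log() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'Apr  2 10:15:01 host sshd[911]: Accepted publickey for analyst from 10.0.0.5' \
        'Apr  2 10:15:07 host sshd[912]: Failed password for root from 203.0.113.9' \
        'Apr  2 10:15:09 host sshd[912]: Failed password for root from 203.0.113.9' \
        'Apr  2 10:16:00 host CRON[1000]: (root) CMD (run-parts /etc/cron.hourly)' \
        > "$dir/auth.log"
    gzip "$dir/auth.log"            # replaces auth.log with auth.log.gz
    echo "$dir/auth.log.gz"
}

# Number of lines in a .gz file: zcat streams the decompressed bytes to stdout
count_lines() {
    zcat "$1" | wc -l | tr -d ' '
}

# Number of lines matching a pattern: zgrep takes the usual grep flags (-c, -i, -E, ...)
count_matches() {
    zgrep -c -e "$2" "$1"
}

# Print the matching lines themselves, the way you would during triage
show_matches() {
    zgrep -e "$2" "$1"
}

# Run with --demo to see the output on the constructed log
if [ "${1:-}" = "--demo" ]; then
    log=$(make_sample_log)
    echo "== zcat $log =="
    zcat "$log"
    echo "== failed logins: $(count_matches "$log" 'Failed password') =="
    show_matches "$log" 'Failed password'
fi
```

Run it as `sh zcat_demo.sh --demo`. zgrep also accepts several archives at once and prefixes each hit with the file name, which is handy when rotated logs (`auth.log.1.gz`, `auth.log.2.gz`, ...) all need the same search.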

Analyzing Various Memory Capture Formats

In a world where there are so many choices for capturing memory and analyzing it, I felt there would be some benefit in compiling a list for quick reference.

FTK Imager
– Outputs to .mem
– Can be analyzed in Volatility
vol.py -f <image.mem> --profile=<profile>

VMware (.vmem)
– .vmem and .vmss files are created when a VM is suspended
– Can be analyzed with Volatility (the .vmem and .vmss files have to be in the same directory)
vol.py -f <image.vmem> --profile=<profile>

DumpIt
– Outputs to .raw
– Can be analyzed in Volatility
vol.py -f <image.raw> --profile=<profile>

Hibernation file (hiberfil.sys)
– The file is created when a system is put into hibernation mode
– Located at the root of C:\
– The file needs to be converted before use. It can be converted to .img with Volatility's imagecopy plugin
vol.py -f hiberfil.sys --profile=<profile> imagecopy -O <output.img>
– After conversion to .img, it can be analyzed in Redline or Volatility
vol.py -f <output.img> --profile=<profile>

Mandiant Memoryze
– Outputs to .img
– Can be analyzed in Redline or Volatility
vol.py -f <image.img> --profile=<profile>

Crash Dumps
– Extension will be .dmp
– Will be written to C:\Windows\Minidump or C:\Windows by default
– Dumps can be forced by adding a REG_DWORD value named CrashOnCtrlScroll with the data 0x01 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters. After rebooting the machine, hold down the rightmost CTRL key and press the SCROLL LOCK key twice
– Can be analyzed with Volatility
vol.py -f <dump.dmp> --profile=<profile>
– Can be analyzed in Redline, but must be converted to .img first
vol.py -f <dump.dmp> --profile=<profile> imagecopy -O <output.img>
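The notes above amount to a small decision procedure: some captures go straight into Volatility, a VMware .vmem needs its companion file beside it, and a hibernation file (or a crash dump headed for Redline) must pass through imagecopy first. As an added example, not from the original post or from the Volatility project, the script below encodes that procedure for Volatility 2. It prints the command lines rather than running them, so the plan can be reviewed before anything touches the evidence. The profile name (Win7SP1x64), the default plugin (pslist) and every path are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post or the Volatility project): given a
# memory capture, print the Volatility 2 command line(s) implied by the notes
# above, converting with imagecopy first where the format needs it. Profile,
# plugin and path values are placeholders; nothing is executed.

vol_plan() {
    capture="$1"            # path to the capture
    profile="$2"            # Volatility profile for the source OS, e.g. Win7SP1x64 (assumed)
    plugin="${3:-pslist}"   # plugin to run once the image is usable (pslist by default)
    case "$capture" in
        *.mem|*.raw|*.img)
            # FTK Imager (.mem), DumpIt (.raw) and Memoryze (.img) are raw images: analyze directly
            echo "vol.py -f $capture --profile=$profile $plugin"
            ;;
        *.vmem)
            # VMware suspended-state memory: the .vmss must sit beside the .vmem
            companion="${capture%.vmem}.vmss"
            if [ ! -f "$companion" ]; then
                echo "error: $companion not found next to $capture" >&2
                return 1
            fi
            echo "vol.py -f $capture --profile=$profile $plugin"
            ;;
        *hiberfil.sys)
            # Hibernation file: convert to a raw .img with imagecopy, then analyze the copy
            converted="${capture%.sys}.img"
            echo "vol.py -f $capture --profile=$profile imagecopy -O $converted"
            echo "vol.py -f $converted --profile=$profile $plugin"
            ;;
        *.dmp)
            # Crash dump: Volatility reads it as-is; Redline needs the imagecopy step
            echo "vol.py -f $capture --profile=$profile $plugin"
            echo "# for Redline: vol.py -f $capture --profile=$profile imagecopy -O ${capture%.dmp}.img"
            ;;
        *)
            echo "error: unrecognised capture format: $capture" >&2
            return 1
            ;;
    esac
}

# Usage: sh vol_plan.sh <capture> <profile> [plugin]
if [ "$#" -ge 2 ]; then
    vol_plan "$@"
fi
```

The .vmem branch fails early when the .vmss is missing, which is the mistake the note about "same directory" is warning about; checking for it before launching a long plugin run saves a confusing error later.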

Bitnami