


The Volatility software may be downloaded from here. It also comes pre-installed with Backtrack 5 R3, which I am presently using. I have also explained how to take a memory dump using Helix ISO at the end of the document for the people who might be new to it.

For performing analysis using Volatility we need to first set a profile to tell Volatility what operating system the dump came from, such as Windows XP, Vista, Linux flavors, etc. We have a memory dump with us and we do not know what operating system it belongs to, so we use the imageinfo plug-in to find this out. From the above screenshot, we can see that Volatility suggests using the profile for Windows XP SP2 x86 or Windows XP SP3 x86. The default profile for Volatility is WinXPSP2x86 if we do not specifically set a profile. Here is the list of the available profiles in Volatility. We can see all Windows profiles here; the Linux profiles will be included in future updates. So, if we are using Linux, we will need to create our own profile.

The pslist plug-in gives us the option to view all processes that were running on the particular system at the time the memory dump was taken. The above screenshot shows a clear view of all the processes running during the memory dump.

The kdbgscan plug-in is designed to positively identify the correct profile of the system and the correct KDBG (kernel debugger block) address. It simply scans for KDBG header signatures linked to the profiles in Volatility. This is mainly helpful in clearing up confusion that might be caused by the pslist plug-in not showing any processes in the process list. This may happen if a KDBG with an invalid PsActiveProcessHead pointer is found earlier in a sample.

The kpcrscan plug-in is used to scan for KPCR (Kernel Processor Control Region) structures. A KPCR is a data structure used by the kernel to store processor-specific data. Kpcrscan searches for and dumps potential KPCR values. Each processor on a multi-core system has its own KPCR. In the screenshot below we can see the details of the processor, which is a single-core processor.

The psscan plug-in is mostly used for malware analysis and scanning for rootkit activity. It scans for processes that are inactive, hidden or unlinked by a rootkit or malware.

To display the DLLs for all currently running processes or for a particular process we use the dlllist plug-in. For listing the DLLs of a specific process, suppose we list here the DLLs of explorer.exe, which has the process id 1484. The process id may be found using the pslist plug-in.

We can dump all the DLLs for further forensic analysis using the command:

vol.py --profile=WinXPSP2x86 dlldump -D <dump_dir> -f <memory_image>

We can see the dump of the DLLs in the directory below. We can even dump DLLs from specific processes if we figure out that a malicious process may have been running. Similarly, we can dump DLLs of a hidden process by using its offset address as shown below. Here is a list of all hidden processes once again.
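As an added example (not code from the original article or from the Volatility project), the hidden-process check described in this article: processes that psscan recovers but pslist does not are candidates unlinked from PsActiveProcessHead, and dlldump for such a process is addressed by its physical offset rather than its PID. The plug-in output below is constructed, and the function names are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed pslist output (not from a real dump): pslist walks the
# PsActiveProcessHead linked list, so an unlinked EPROCESS never appears here.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------
0x823c89c8 System                    4      0     53      240 ------      0
0x820df020 explorer.exe           1484   1464     18      368      0      0 2024-01-01 10:00:00
"""

# Constructed psscan output: a pool-tag scan, so it also finds EPROCESS blocks
# that were unlinked from the list; the physical offset is in column one.
PSSCAN_SAMPLE = """\
Offset(P)  Name                PID   PPID PDB        Time created        Time exited
---------- ---------------- ------ ------ ---------- ------------------- -------------------
0x023c89c8 System                4      0 0x00319000 2024-01-01 09:58:00
0x020df020 explorer.exe       1484   1464 0x0a3c0320 2024-01-01 10:00:00
0x01fa2da0 svch0st.exe        2316   1484 0x0b1e0220 2024-01-01 10:05:00
"""

# A data row starts with the hex offset, then name, PID and PPID.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")

def parse_process_table(text: str) -> Dict[int, dict]:
    """Map PID -> {offset, name, ppid} from pslist or psscan text output."""
    procs: Dict[int, dict] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            offset, name, pid, ppid = m.groups()
            procs[int(pid)] = {"offset": offset, "name": name, "ppid": int(ppid)}
    return procs

def hidden_processes(pslist_text: str, psscan_text: str) -> List[dict]:
    """Processes psscan found but pslist did not: candidates unlinked by a rootkit."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    return [dict(pid=pid, **info)
            for pid, info in sorted(scanned.items()) if pid not in listed]

def dlldump_command(proc: dict, profile: str, image: str, dump_dir: str) -> str:
    """dlldump --offset takes the physical EPROCESS offset reported by psscan,
    because a hidden process cannot be reached by PID through the process list."""
    return (f"vol.py --profile={profile} -f {image} dlldump "
            f"--offset={proc['offset']} -D {dump_dir}")
```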
