Memory Forensics - Coggle Diagram
Memory Forensics
Tools
pslist
The PsList Windows command-line tool lists the status of running processes and enumerates information about each process executing in memory.
netscan
Netscan (for Windows) is a very handy tool for browsing a LAN. There is a similar application for Linux too, named ShareScanner (netscan for Linux).
john
john, better known as John the Ripper, is a tool for finding weak user passwords on a server.
volatility
The Volatility Framework is a completely open collection of tools for the extraction of digital artifacts from volatile memory (RAM) samples.
Commands
sudo
The sudo command allows you to run programs with the security privileges of another user (by default, the superuser).
Apt get
The apt-get command is used to install, remove, and perform other operations on installed software packages.
info
The info command reads documentation in the Info format. It gives more detailed information about a command than the man page does.
hivelist
The hivelist command shows the virtual and physical address of each hive, along with its more easily readable plaintext name and location.
cmdscan
The cmdscan plugin searches the memory of csrss.exe on XP/2003/Vista/2008 and conhost.exe on Windows 7 for commands that attackers entered through a console shell (cmd.exe).
mount
The mount command mounts a storage device or filesystem, making it accessible by attaching it to an existing directory structure.
shell
The shell can be defined as a command interpreter within an operating system such as GNU/Linux or Unix.
hashdump
The "hashdump" command is an in-memory version of the pwdump tool, but instead of loading a DLL into LSASS.exe, it allocates memory inside the process, injects raw assembly code, executes it via CreateRemoteThread, and then reads the captured hashes back out of memory.
find
The find command searches for and lists files and directories that match the conditions you specify as arguments.
git clone
git clone points to an existing repository and makes a clone (a copy) of that repository in a new directory at another location.