=======================================================

Friday, November 2, 2012

MEMORY FORENSICS

I am learning how to do forensics on computer memory under live conditions. The example case here is a Windows XP machine that was exploited through a vulnerable application, BigAnt Server 2.52. I use FTK Imager to dump the memory and PTK or Volatility to examine it.

You can read about the BigAnt exploitation here!

Or you can use 10765.py from Exploit-DB ==> python 10765.py <target ip>
Then connect to the shell it opens on the target ==> nc <target ip> 4444

1. Dump the memory of the XP machine (FTK Imager)


2. Examine the dump using PTK or Volatility
    Using PTK :

     ==> First Information


    ==> Check Connections List


    ==> Other views are available by changing " Choose analysis type " ==> Start

======================================================================

Using Volatility :
==> Check Connections List ( connections )

==> Service scan ( svcscan )
root@linux:/pentest/forensics/volatility# ./vol.py -f /var/www/ptk/images/memdump-bigant.mem svcscan

==> Process view ( psxview )


The other plugins are listed by ==> ./vol.py -h  ( help )
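The three Volatility steps above (connections, svcscan, psxview) tie together: the connection on the nc port gives a PID, svcscan tells you which service owns that PID, and psxview tells you whether the process list is being hidden from. The script below is an added example, not code from the original post; it builds the ./vol.py command lines, parses the output of the three plugins, and links the bind-shell connection back to the exploited service. Assumptions: Volatility 2 is at ./vol.py (as on the page), the dump is 32-bit XP SP3 (profile WinXPSP3x86, confirm with imageinfo), the shell listens on TCP 4444 as in the nc command above, and the SAMPLE_* strings are constructed stand-ins for plugin output (process and service names in them are made up for the example), so it can be run offline without an image.

```python
# Added example (not from the original post): link the Volatility 2 plugins
# connections, psxview and svcscan to trace a bind shell back to its service.
# Assumptions: Volatility 2 at ./vol.py, XP SP3 x86 profile, shell on TCP 4444,
# SAMPLE_* blocks are constructed plugin output, not captured from a real image.
import re
import subprocess
from typing import Dict, List, Optional

VOL = "./vol.py"          # assumed location of Volatility 2 (as in the page's commands)
PROFILE = "WinXPSP3x86"   # assumed profile; confirm with `./vol.py -f <image> imageinfo`

def vol_cmd(image: str, plugin: str, profile: str = PROFILE) -> List[str]:
    """argv for one plugin run, e.g. ./vol.py -f dump.mem --profile WinXPSP3x86 psxview"""
    return [VOL, "-f", image, "--profile", profile, plugin]

def run_plugin(image: str, plugin: str) -> str:
    """Run a plugin against a real image and return its stdout."""
    return subprocess.run(vol_cmd(image, plugin), capture_output=True,
                          text=True, check=True).stdout

def parse_connections(text: str) -> List[Dict]:
    """Rows of `connections`: Offset(V)  Local Address  Remote Address  Pid"""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].startswith("0x") and parts[3].isdigit():
            lhost, lport = parts[1].rsplit(":", 1)
            rhost, rport = parts[2].rsplit(":", 1)
            rows.append({"local": lhost, "lport": int(lport), "remote": rhost,
                         "rport": int(rport), "pid": int(parts[3])})
    return rows

def parse_psxview(text: str) -> Dict[int, Dict]:
    """Rows of `psxview` as {pid: {name, pslist, psscan}} (first two detection columns)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0].startswith("0x") and parts[2].isdigit():
            procs[int(parts[2])] = {"name": parts[1], "pslist": parts[3] == "True",
                                    "psscan": parts[4] == "True"}
    return procs

def parse_svcscan(text: str) -> List[Dict[str, str]]:
    """`svcscan` prints blank-line separated records of `Key: value` lines."""
    services, current = [], {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+): (.*)$", line)
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif current:
            services.append(current)
            current = {}
    if current:
        services.append(current)
    return services

def find_bind_shell(conn_text: str, psx_text: str, port: int = 4444) -> List[Dict]:
    """Connections on the bind-shell port, tagged with the name of the owning process."""
    procs = parse_psxview(psx_text)
    return [dict(c, name=procs.get(c["pid"], {}).get("name", "?"))
            for c in parse_connections(conn_text) if c["lport"] == port]

def service_for_pid(svc_text: str, pid: int) -> Optional[Dict[str, str]]:
    """Which service runs in this PID, i.e. which service the shell came out of."""
    for svc in parse_svcscan(svc_text):
        if svc.get("Process ID", "").isdigit() and int(svc["Process ID"]) == pid:
            return svc
    return None

def hidden_processes(psx_text: str) -> List[Dict]:
    """Processes the pool scanner sees but that are unlinked from the active process list."""
    return [dict(p, pid=pid) for pid, p in parse_psxview(psx_text).items()
            if p["psscan"] and not p["pslist"]]

# Constructed stand-ins for plugin output (not captured from a real image).
SAMPLE_CONNECTIONS = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e53e38 192.168.56.101:4444       192.168.56.1:51204        1044
0x81f12ab0 192.168.56.101:1042       192.168.56.1:80           1308
"""
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x01a7c020 AntServer.exe          1044 True   True   True     True   True  True    True
0x01b2e6f8 cmd.exe                1592 True   True   True     True   True  True    True
0x01c40da0 iexplore.exe           1308 True   True   True     True   True  True    True
"""
SAMPLE_SVCSCAN = """\
Offset: 0x38e5e8
Order: 41
Process ID: 1044
Service Name: BigAntServer
Display Name: BigAnt Server
Service Type: SERVICE_WIN32_OWN_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\\Program Files\\BigAnt\\AntServer.exe
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # real image: python triage.py memdump-bigant.mem
        conns, psx, svcs = (run_plugin(sys.argv[1], p)
                            for p in ("connections", "psxview", "svcscan"))
    else:                   # no image given: walk the constructed samples
        conns, psx, svcs = SAMPLE_CONNECTIONS, SAMPLE_PSXVIEW, SAMPLE_SVCSCAN
    for hit in find_bind_shell(conns, psx):
        svc = service_for_pid(svcs, hit["pid"])
        print(f"shell on :{hit['lport']} from {hit['remote']}:{hit['rport']} in PID "
              f"{hit['pid']} ({hit['name']}), service {svc['Service Name'] if svc else '?'}")
    for p in hidden_processes(psx):
        print(f"hidden process: PID {p['pid']} {p['name']}")
```

With a real dump, pass the image path as the first argument and the script runs the three plugins itself; the page's command ran svcscan without --profile, which makes Volatility 2 fall back to its default XP SP2 profile, so check imageinfo first and set PROFILE accordingly. The psxview check is worth keeping even when it comes back empty: a process that psscan finds but pslist does not is the classic sign of a process hidden by unlinking it from the active process list.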

========================================================================


