Great video, thank you Paula
Good work and content 🤞🏾
Thank you, we're glad that you enjoyed this video!
I first read it and then heard it🤣
thanks for both blog and video
Paula , you are the Woman!!
Hello Paula !! Thank you very much !
Welcome!
Thanks for the video =)
Great to hear that you found it useful!
Hi Paula! GREAT tutorial... KUDOS!
I have a program password to fetch in a memory dump: when I set it up I must have made a typo, for I can no longer open my program with the correct password. I saw your mimikatz extension "LogonPasswords" can uncover all the website logon passwords in the dump. BUT... if I don't want website logons but a specific program password that I tried tens of times, what would be the proper mimikatz extension to use for that? Is there an extension to fetch strings in clear in the dump, or are they all encrypted?
If malware gets installed in the BIOS or registry, will the dump file have the capability to capture the details of it?
Hello, thanks for the tutorial! But people always focus on dumps for Windows, why not for Linux? I would like to edit each process of the pslist command one by one. Could you help me please?
wow..nice
It was very interesting, but I can't find the links for the tools :)
Dear, how do I get all the software for memory analysis? Can you share your software if it is possible?
Hello Team, I've a 5 GB memory dump file. Please help me with how to read that file.
I have a question here. If you happen to dump memory from the PC that you mentioned before the tutorial, didn't it ask for admin privileges?
He probably had logged in with an admin account.
Any time I run Volatility with Python it gives me these errors:
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: Error loading the diStorm dynamic library (or cannot load library into process).)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: Error loading the diStorm dynamic library (or cannot load library into process).)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: Error loading the diStorm dynamic library (or cannot load library into process).)
ERROR : volatility.debug : You must specify something to do (try -h)
Even though I have installed PyCrypto and distorm3 I still get these errors. Why? Please, I need help.
Can accessing the memory of a process from another process be called Meltdown?
How can I get the Python scripts you used in the video?
Hello, thank you for the video. I had a question: I want to extract files loaded by a process, for example extracting a PNG file loaded in paint.exe. I use Volatility.
It's an excellent question Raouf!
To extract files from the process using Volatility you need to run the following command:
vol.py -f yourdump.dmp --profile=<profile> dumpfiles -n -p <PID> -D <output_dir>
@CQUREAcademy hmm yeah, that's what I did but I didn't get the file I was looking for. I thought there was another way to do it. I'll double-check, thank you for your responsiveness.
@raoufmorsi5304 Investigate and let us know!
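Tying the dumpfiles command in the reply above to pslist output: an added example (not CQURE's or Volatility's own code) that parses a Volatility 2 `pslist` listing, picks the processes with a given image name, and builds one `dumpfiles -n -p <PID> -D <dir>` command per PID, optionally narrowed with Volatility 2's `-r` regex on the cached file path. The pslist sample, dump file name and profile are constructed for illustration.

```python
"""Parse Volatility 2 pslist output and build a dumpfiles command per
matching process (added example; not CQURE's or Volatility's code).
Assumes Volatility 2.x (vol.py) and its default pslist text layout."""
import subprocess

# Constructed sample of `vol.py ... pslist` output (not from the video).
SAMPLE_PSLIST = """Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x82295c00 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81e2ab28 mspaint.exe            2064   1484      3       68      0      0 2012-07-22 02:43:01 UTC+0000
"""


def parse_pslist(text):
    """Return one dict per process row; rows start with a 0x offset."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0].startswith("0x"):
            continue  # banner, column header and separator lines
        procs.append({"offset": parts[0], "name": parts[1],
                      "pid": int(parts[2]), "ppid": int(parts[3]),
                      "threads": int(parts[4]), "handles": int(parts[5]),
                      "start": " ".join(parts[8:11])})  # "" for System
    return procs


def build_dumpfiles_cmd(dump, profile, pid, outdir, path_regex=None):
    """Flags from the reply above: -n keeps file names, -p selects the PID,
    -D is the output directory; -r is dumpfiles' regex on the cached path."""
    cmd = ["vol.py", "-f", dump, "--profile=" + profile, "dumpfiles",
           "-n", "-p", str(pid), "-D", outdir]
    if path_regex:
        cmd += ["-r", path_regex]
    return cmd


def commands_for(image_name, dump, profile, outdir, pslist_text, path_regex=None):
    """One dumpfiles command per process whose image name matches."""
    return [build_dumpfiles_cmd(dump, profile, p["pid"], "%s/%d" % (outdir, p["pid"]), path_regex)
            for p in parse_pslist(pslist_text) if p["name"].lower() == image_name.lower()]


if __name__ == "__main__":
    # Real use: feed in the text of `vol.py -f memory.dmp --profile=... pslist`.
    for cmd in commands_for("mspaint.exe", "memory.dmp", "Win7SP1x86", "out", SAMPLE_PSLIST, r"\.png$"):
        print(" ".join(cmd))
        # subprocess.call(cmd)  # uncomment to run vol.py for each matching PID
```

Each matching PID gets its own output directory, so files cached by two instances of the same program do not overwrite each other.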
Very intelligent
next time lock your computer every time you go for poo
Hi, I forgot my TrueCrypt file password. It's a 15-letter password like (aA#@123). Is it possible to recover it?
Currently, it's not possible.
@CQUREAcademy Is it possible to use the local memory file (hiberfil.sys) to recover the password?
More videos pls
Is it possible to extract image files or something like that from a dump file?
Yes, it is possible to extract some files from a memory dump. As shown in the video, Paula has successfully extracted .evtx files cached in memory containing events from various logs. You can find more detailed information in the Volatility documentation: github.com/volatilityfoundation/volatility/wiki/Command-Reference#dumpfiles. Surely there are also other examples of things possible to extract using the Volatility framework used during the demo; for example, you can dump DLLs loaded into memory and further analyze them: github.com/volatilityfoundation/volatility/wiki/Command-Reference#dlldump
@CQUREAcademy VERY GOOD!!!!!!!! THANK YOU SO MUCH FOR YOUR REPLY AND HELP
and that is why, kids, we don't use Windows :v CHEERS!?
Good morning :) I got a question :) Why is it that when I do this logonpasswords process, my password shows (null) :)? Thank you
Pedro, which OS memory? In Win 10 there should be no passwords in memory (with some exceptions). But still you may find NTLM hashes which may be used in a PtH attack.
Filip Rejch actually it is Windows 10 :) thank you for the reply :)
She would look better in a skirt
This is why you don't get free USB drives
1:39 in a two-day episode? What? Where? :D
Sounds like it's time to dump Windows.
dump Windows, or at least lock Windows when you go take a dump
holy shat
Lol
I will only like it if I don’t have to download tools 👎🏻
Hey! Of course - in order to do the memory dump of the WHOLE operating system you need to have administrative privileges. After an attack happens and this is your server, I guess you do have them anyway :) Tell me if you have more questions!