Once you’ve captured a disk image and a RAM dump

vinpearlOSCP

How to Use the Disk Image

🔍 1. Mount or Extract the Image

  • If it’s a raw .dd or .img file, loop-mount it read-only:

```bash
sudo mount -o loop,ro,noexec image.dd /mnt/image
```

    That works when the image is a single volume. A full-disk image carries a partition table, so find the start sector of the partition you want (mmls image.dd from The Sleuth Kit, or fdisk -l image.dd) and pass its byte offset as offset=<start sector × sector size>, e.g. sector 2048 × 512 bytes gives offset=1048576. For ext3/ext4 add noload so a dirty journal is not replayed into the evidence.
  • For .E01 (EnCase format), expose the raw image with ewfmount image.E01 /mnt/ewf and mount /mnt/ewf/ewf1 the same way, or open the E01 directly in Autopsy.

🧭 2. Explore File System Artifacts

  • Look for:
    • Suspicious executables in AppData, ProgramData, Temp
    • Malicious scripts or scheduled tasks
    • Browser history, downloads, and cache
    • Deleted files: fls -r -d from The Sleuth Kit lists entries whose metadata is still on disk; photorec or foremost carve file contents out of unallocated space once the metadata is gone; Autopsy does both.

🧰 3. Analyze with Tools

  • Autopsy or The Sleuth Kit: GUI and CLI tools for timeline, file carving, and metadata.
  • Plaso/Log2Timeline: Build a timeline of user and system activity.
  • Bulk Extractor: Scan for emails, URLs, credit card numbers, etc.
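The mount step above is the one people get wrong on a full-disk image. As an added example (not from the original post), the following POSIX shell script takes the partition table as printed by The Sleuth Kit's mmls, works out each partition's byte offset, and prints the read-only mount commands for review before anything is executed. The image name image.dd, the mount root /mnt/image and the embedded mmls output are constructed placeholders; a Linux mount(8) is assumed.

```bash
#!/bin/sh
# Added example, not part of the original post. Plans read-only loop mounts
# for every filesystem partition in a raw image, using the partition table
# as printed by Sleuth Kit's mmls. Assumes a Linux mount(8); image.dd and
# /mnt/image are placeholder names.

# Byte offset of a partition: start sector * sector size.
part_offset() {
    echo $(( $1 * $2 ))
}

# Sector size from the "Units are in 512-byte sectors" line of mmls output.
sector_size() {
    awk '/^Units are in/ { sub(/-byte/, "", $4); print $4 }'
}

# Keep only rows describing a filesystem: numbered rows ("002:") whose slot
# is not Meta (partition tables) or "-------" (unallocated space).
# Prints: <start sector> <description>
mountable_partitions() {
    awk '$1 ~ /^[0-9]+:$/ && $2 !~ /^(Meta|-+)$/ {
        desc = $6
        for (i = 7; i <= NF; i++) desc = desc " " $i
        print $3 + 0, desc
    }'
}

# The mount command for one partition. ro + noexec keep the evidence
# untouched and un-runnable; add ",noload" for ext3/ext4 so a dirty
# journal is not replayed into the image, and ",norecovery" for XFS.
mount_cmd() {
    echo "mount -o ro,loop,noexec,offset=$2 '$1' '$3'"
}

# Read mmls output on stdin and print the shell commands that would mount
# each partition under $2/p<start sector>. Nothing is executed here:
# review the plan, then pipe it to "sudo sh".
plan_mounts() {
    image=$1
    root=$2
    table=$(cat)
    ss=$(printf '%s\n' "$table" | sector_size)
    printf '%s\n' "$table" | mountable_partitions | while read -r start desc; do
        off=$(part_offset "$start" "$ss")
        echo "# sector $start: $desc"
        echo "mkdir -p '$root/p$start'"
        mount_cmd "$image" "$off" "$root/p$start"
    done
}

# Constructed sample of mmls output for a two-partition MBR disk (not from a
# real image). On a real case: mmls image.dd | plan_mounts image.dd /mnt/image
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001050623   0001048576   NTFS / exFAT (0x07)
003:  000:001   0001050624   0020971519   0019920896   NTFS / exFAT (0x07)'

printf '%s\n' "$SAMPLE_MMLS" | plan_mounts image.dd /mnt/image
```

Hash the image (sha256sum image.dd) and compare against the acquisition record before mounting, and again after the analysis; read-only mounts are the norm, but the hash is what proves nothing changed.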

🧠 How to Use the RAM Dump

🔍 1. Verify and Identify OS

  • file will only report "data" for a raw dump, so instead check that the size matches the physical RAM of the machine (or the acquisition tool's log) and that strings finds the OS artifacts you expect, e.g. strings -n 8 memdump.raw | grep -m1 Windows.
  • Identify the OS build so Volatility uses the right profile (Volatility 2) or symbol table (Volatility 3, which needs no profile):

```bash
volatility -f memdump.raw imageinfo   # Volatility 2: suggests profiles; confirm with kdbgscan
vol -f memdump.raw windows.info       # Volatility 3: build, kernel and KDBG details
```

🧪 2. Analyze with Volatility or Rekall (Rekall is no longer maintained; Volatility 3 is the current release)

  • Common plugins (Volatility 2 names; Volatility 3 prefixes them, e.g. windows.pslist, windows.netscan):
    • pslist, pstree: running processes and their parent/child tree; psscan also finds process objects unlinked from that list (hidden processes)
    • netscan: network connections and listening sockets (Vista and later; on XP/2003 use connections and sockets)
    • malfind: memory regions that are executable but backed by no file, the usual sign of injected code
    • cmdline, cmdscan, consoles: process command lines, and the command history recovered from cmd.exe/conhost
    • hashdump: extract local account password hashes from the registry hives in memory (lsadump and cachedump for LSA secrets and cached domain credentials)
    • dlllist, handles: loaded modules and open handles (files, registry keys, mutexes)

🔍 3. Look for Indicators of Compromise

  • Plaintext credentials
  • Malware in memory (never written to disk)
  • Suspicious processes or hidden threads
  • Remote shells or beaconing behavior
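Running the plugins is the easy part; deciding which of a few hundred processes deserve attention is where time goes. As an added example (not from the original post), this POSIX shell script does two things: it runs the plugin list from step 2 once and saves every output beside the dump (assuming Volatility 3 with its vol command; memdump.raw and the output directory are placeholders), and it checks windows.pslist output against the parent each core Windows process normally has, flagging for example a svchost.exe whose parent is not services.exe or a second lsass.exe. The sample process list is constructed (the first three pslist columns only) and is not from a real dump.

```bash
#!/bin/sh
# Added example, not part of the original post. A triage runner for the
# plugins listed above (assumes Volatility 3, installed with its "vol"
# command) plus a parent/child sanity check over windows.pslist output.
# memdump.raw and the output directory are placeholders.

# Run each plugin once and keep the raw text next to the dump so later
# analysis never has to re-walk the image.
vol_triage() {
    dump=$1
    out=$2
    mkdir -p "$out"
    for plugin in windows.info windows.pslist windows.pstree windows.psscan \
                  windows.netscan windows.malfind windows.cmdline \
                  windows.dlllist windows.handles windows.hashdump; do
        vol -q -f "$dump" "$plugin" > "$out/$plugin.txt" 2> "$out/$plugin.err"
    done
}

# Reads windows.pslist output on stdin (columns: PID PPID ImageFileName ...)
# and prints one SUSPECT line per process whose parent is not the one a
# normal Windows install gives it, plus one if lsass.exe appears twice.
check_process_tree() {
    awk '
    BEGIN {
        # child -> expected parent (both parents stay resident, so they
        # should always be present in the list)
        expect["services.exe"] = "wininit.exe"
        expect["lsass.exe"]    = "wininit.exe"
        expect["svchost.exe"]  = "services.exe"
    }
    # Data rows start with a numeric PID; banner and header lines do not.
    $1 ~ /^[0-9]+$/ {
        pid = $1
        ppid[pid] = $2
        name[pid] = $3
        order[++n] = pid
        count[$3]++
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            nm = name[p]
            if (!(nm in expect)) continue
            parent = (ppid[p] in name) ? name[ppid[p]] : "<not in list>"
            if (parent != expect[nm])
                printf "SUSPECT pid %s %s: parent is %s (pid %s), expected %s\n",
                       p, nm, parent, ppid[p], expect[nm]
        }
        # A second lsass.exe is a classic name-squatting trick.
        if (count["lsass.exe"] > 1)
            printf "SUSPECT %d instances of lsass.exe (expected 1)\n", count["lsass.exe"]
    }'
}

# Constructed sample (not a real dump): the first three columns of
# windows.pslist. Two processes were started by explorer.exe that should
# not have been, and one of them is a second lsass.exe.
SAMPLE_PSLIST='Volatility 3 Framework 2.5.0
PID PPID ImageFileName

4 0 System
356 4 smss.exe
468 444 csrss.exe
544 444 wininit.exe
612 544 services.exe
628 544 lsass.exe
780 612 svchost.exe
912 612 svchost.exe
3120 3088 explorer.exe
2480 3120 svchost.exe
3920 3120 lsass.exe'

printf '%s\n' "$SAMPLE_PSLIST" | check_process_tree
```

On a real case the pipeline is vol_triage memdump.raw out/ followed by check_process_tree < out/windows.pslist.txt; then compare the result with windows.psscan, since a process that psscan finds and pslist does not is hidden, not merely mis-parented.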

🧩 Combine Both for Full Context

  • Match processes in RAM to executables on disk: dump the process image (procdump in Volatility 2, windows.pslist --dump in Volatility 3) and compare its path and hash with the file in the mounted disk image. A binary that is missing from disk, or differs from the on-disk copy, is a lead.
  • Correlate network activity from netscan with browser history, proxy or firewall logs, and event logs on the disk image.
  • Build a single timeline of the compromise by feeding both the Plaso output from the disk image and the process creation times from memory into the same view, so volatile and persistent evidence can be read together.

