{"id":141,"date":"2025-10-11T05:57:37","date_gmt":"2025-10-11T05:57:37","guid":{"rendered":"https:\/\/vinpearl.ca\/?p=141"},"modified":"2025-10-11T16:35:41","modified_gmt":"2025-10-11T16:35:41","slug":"once-youve-captured-a-disk-image-and-a-ram-dump","status":"publish","type":"post","link":"https:\/\/vinpearl.ca\/index.php\/2025\/10\/11\/once-youve-captured-a-disk-image-and-a-ram-dump\/","title":{"rendered":"Once you&#8217;ve captured a disk image and a RAM dump"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">How to Use the Disk Image<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d 1. <strong>Mount or Extract the Image<\/strong><\/h3>\n\n\n\n<ul>\n<li>If it&#8217;s a raw <code>.dd<\/code> or <code>.img<\/code> file: <code>sudo mount -o loop,ro image.dd \/mnt\/image<\/code><\/li>\n\n\n\n<li>For <code>.E01<\/code> (EnCase format), use <code>ewfmount<\/code> or Autopsy.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\udded 2. <strong>Explore File System Artifacts<\/strong><\/h3>\n\n\n\n<ul>\n<li>Look for:\n<ul>\n<li>Suspicious executables in <code>AppData<\/code>, <code>ProgramData<\/code>, <code>Temp<\/code><\/li>\n\n\n\n<li>Malicious scripts or scheduled tasks<\/li>\n\n\n\n<li>Browser history, downloads, and cache<\/li>\n\n\n\n<li>Deleted files (use <code>photorec<\/code>, <code>foremost<\/code>, or Autopsy)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\uddf0 3. <strong>Analyze with Tools<\/strong><\/h3>\n\n\n\n<ul>\n<li><strong>Autopsy<\/strong> or <strong>The Sleuth Kit<\/strong>: GUI and CLI tools for timeline, file carving, and metadata.<\/li>\n\n\n\n<li><strong>Plaso\/Log2Timeline<\/strong>: Build a timeline of user and system activity.<\/li>\n\n\n\n<li><strong>Bulk Extractor<\/strong>: Scan for emails, URLs, credit card numbers, etc.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83e\udde0 How to Use the RAM Dump<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d 1. 
<strong>Verify and Identify OS<\/strong><\/h3>\n\n\n\n<ul>\n<li>Use <code>strings<\/code> or <code>file<\/code> to confirm it&#8217;s a valid dump.<\/li>\n\n\n\n<li>Identify OS version for correct Volatility profile: <code>volatility -f memdump.raw imageinfo<\/code><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\uddea 2. <strong>Analyze with Volatility or Rekall<\/strong><\/h3>\n\n\n\n<ul>\n<li>Common plugins:\n<ul>\n<li><code>pslist<\/code>, <code>pstree<\/code>: Running processes<\/li>\n\n\n\n<li><code>netscan<\/code>: Network connections<\/li>\n\n\n\n<li><code>malfind<\/code>: Injected code<\/li>\n\n\n\n<li><code>cmdline<\/code>, <code>consoles<\/code>: Command history<\/li>\n\n\n\n<li><code>hashdump<\/code>: Extract password hashes<\/li>\n\n\n\n<li><code>dlllist<\/code>, <code>handles<\/code>: Loaded modules and file handles<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd10 3. <strong>Look for Indicators of Compromise<\/strong><\/h3>\n\n\n\n<ul>\n<li>Plaintext credentials<\/li>\n\n\n\n<li>Malware in memory (never written to disk)<\/li>\n\n\n\n<li>Suspicious processes or hidden threads<\/li>\n\n\n\n<li>Remote shells or beaconing behavior<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83e\udde9 Combine Both for Full Context<\/h2>\n\n\n\n<ul>\n<li>Match <strong>processes in RAM<\/strong> to <strong>executables on disk<\/strong>.<\/li>\n\n\n\n<li>Correlate <strong>network activity<\/strong> with <strong>browser history<\/strong> or logs.<\/li>\n\n\n\n<li>Build a <strong>timeline<\/strong> of compromise using both volatile and persistent data.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>How to Use the Disk Image \ud83d\udd0d 1. Mount or Extract the Image \ud83e\udded 2. Explore File System Artifacts \ud83e\uddf0 3. Analyze with Tools \ud83e\udde0 How to Use the RAM Dump \ud83d\udd0d 1. Verify and Identify OS \ud83e\uddea 2. Analyze with Volatility or Rekall \ud83d\udd10 3. 
Look for Indicators of Compromise \ud83e\udde9 Combine Both for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"_links":{"self":[{"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/posts\/141"}],"collection":[{"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/comments?post=141"}],"version-history":[{"count":1,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/posts\/141\/revisions"}],"predecessor-version":[{"id":142,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/posts\/141\/revisions\/142"}],"wp:attachment":[{"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/media?parent=141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/categories?post=141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vinpearl.ca\/index.php\/wp-json\/wp\/v2\/tags?post=141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}