
How to get Windows information from RAM Dump using Volatility 3? Windows Username and password!!! 

CyDig Cyber Security Digital Forensics Education

Live Forensics
Volatility 3 is the most advanced memory forensics framework!
In this video, you will learn how to use Volatility 3 to analyse a memory (RAM) dump from a Windows 10 machine. I will extract OS information and the Windows usernames and password hashes.
OS information (image info):
vol.py -f "/path/to/file" windows.info
Dump the Windows user password hashes:
vol.py -f "/path/to/file" windows.hashdump
To crack an NT hash, use crackstation.net/ or tools like John the Ripper and Hashcat.
If you use any other tools, please write them in the comments.
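The second command above prints one row per local account: user name, RID, LM hash and NT hash. As an added example, not code from the video or from the Volatility project, the following Python script reads that output and audits it from the defender's side: accounts with a blank password, accounts that still have an LM hash stored, and accounts that share one NT hash (the same password on several accounts). The four-column layout is the plugin's, but the sample rows and every hash except the two empty-string constants are constructed here; `parse_hashdump`, `audit_accounts` and `report` are my names.

```python
"""Audit the account table printed by Volatility 3's windows.hashdump plugin.

Added example (not from the video or the Volatility project). Feed it a file
path or pipe the plugin output in, e.g.:

    python vol.py -f "/path/to/file" windows.hashdump | python audit_hashdump.py
"""
import re
import sys
from collections import defaultdict

# Well-known hashes of the empty string; both are public constants.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of a blank password

# One account row: user name (may contain spaces), decimal RID, two 32-hex hashes.
ROW = re.compile(
    r"^(?P<user>.+?)\s+(?P<rid>\d+)\s+(?P<lm>[0-9a-fA-F]{32})\s+(?P<nt>[0-9a-fA-F]{32})\s*$"
)

# Constructed sample of what the plugin prints. Apart from the two empty-string
# constants, the hash values are made up and correspond to no real password.
SAMPLE_HASHDUMP = """\
Volatility 3 Framework 2.x.x
Progress:  100.00\t\tPDB scanning finished
User\trid\tlmhash\tnthash
Administrator\t500\taad3b435b51404eeaad3b435b51404ee\t31d6cfe0d16ae931b73c59d7e0c089c0
Guest\t501\taad3b435b51404eeaad3b435b51404ee\t31d6cfe0d16ae931b73c59d7e0c089c0
alice\t1001\taad3b435b51404eeaad3b435b51404ee\t0f1e2d3c4b5a69788796a5b4c3d2e1f0
bob\t1002\taad3b435b51404eeaad3b435b51404ee\t0f1e2d3c4b5a69788796a5b4c3d2e1f0
Svc Backup\t1003\t1a2b3c4d5e6f70819a2b3c4d5e6f7081\tc0ffee00c0ffee00c0ffee00c0ffee00
"""


def parse_hashdump(text):
    """Return the account rows as dicts, skipping banner, progress and header lines."""
    accounts = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # "Volatility 3 Framework ...", "Progress: ...", column header
        accounts.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
        })
    return accounts


def audit_accounts(accounts):
    """Flag blank passwords, stored LM hashes and one password shared by several accounts.

    hashdump does not report whether an account is disabled, so a blank-password
    hit on Guest (RID 501) still has to be checked against the account state.
    """
    findings = []
    users_by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            findings.append((a["user"], "EMPTY_PASSWORD"))
        if a["lm"] != EMPTY_LM:
            # LM hashes are weak; a current Windows build stores none once NoLMHash is in effect.
            findings.append((a["user"], "LM_HASH_PRESENT"))
        users_by_nt[a["nt"]].append(a["user"])
    for nt, users in users_by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((", ".join(users), "SHARED_PASSWORD"))
    return findings


def report(text):
    """Parse plugin output and return the findings as printable lines."""
    accounts = parse_hashdump(text)
    lines = [f"{len(accounts)} local accounts parsed"]
    for subject, code in audit_accounts(accounts):
        lines.append(f"{code}: {subject}")
    return lines


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    with source:
        print("\n".join(report(source.read())))
```

Run with no argument it reads stdin, so it sits directly behind the `vol.py ... windows.hashdump` command from the description; the two empty-string constants are what make a blank password visible without cracking anything.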

Published: 6 Sep 2024

Comments: 44
@CyDig 6 months ago
Live Forensics | How to Install Volatility 3 on Windows 11 Windows 10 | Symbol Tables Configuration ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE--bMde2glwnE.html
@AhmadAli01011 1 year ago
Thanks, it's very interesting to see how you managed to get the password for a Windows 11 machine. I'd like to learn more about live forensics and Volatility 3. Please post more videos about this.
@shubhamxthakur_ 25 days ago
I have created a memory dump of Kali Linux version 6.8.11-amd64 using the avml command, but Volatility 3 is not showing results; it shows (Unsatisfied requirement plugins.Bash.kernel: A translation layer requirement was not fulfilled, A symbol table requirement was not fulfilled). Please help.
@CyDig 25 days ago
Hi, try to watch my other videos on how to install and configure Volatility 3 for Windows OS ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE--bMde2glwnE.html
@shubhamxthakur_ 25 days ago
@CyDig I know this for Windows; please make a video on how to create symbols for Linux. I'm not getting any clue from the website.
@CyDig 24 days ago
@shubhamxthakur_ I have tried this on my Linux PC. You only need to download the symbols table from downloads.volatilityfoundation.org/volatility3/symbols/windows.zip to volatility 3/symbols/ as a zip file and it should work. I will try to create a new video about this soon.
@shubhamxthakur_ 24 days ago
@CyDig Sir, you didn't get me. I'm talking about a RAM dump of Kali Linux, not Windows. Yes, I know it's a bit confusing to understand, since we can analyze a Windows dump on a Linux system and a Linux dump on a Windows system, but my point here is about a RAM dump of Kali Linux, which requires Linux plugins and symbols to work, but unfortunately I can't figure it out because the website tells you to create the symbols on your own according to the kernel version.
@bakhtawarkhan62 5 months ago
How can I use the moddump command? Mine does not have it. I have watched your video on installation, still not working. I have the Windows file in symbols too.
@user-rx3pc3sq1k 3 months ago
Hello there, thank you, but I have an issue: when I type windows.info it does not work.
@sarpkurt7999 5 months ago
Hello, how can I get the UUID of a device from its memory dump? I have looked everywhere but could not find it. It would be great to receive some help. Thank you.
@CyDig 5 months ago
Hi, I don't have a direct answer to that. But you can use Yarascan to find simple patterns like a UUID. Or you may use the Strings command. Here is my video about Volatility 3 and the select-string command. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Nh9H3qQ8wBY.htmlsi=YXXzU6gtpM3hVeOf I hope that helps.
@thedimon8318 1 year ago
I also have an issue with the Windows plugins not working.
@CyDig 1 year ago
Volatility 3 is an excellent tool for analysing memory dumps or RAM images for Windows 10 and 11. However, it requires some configuration of the Symbol Tables to make the Windows plugins work. I installed Volatility 3 on Windows 11, and all the following plugins are working fine: windows.info, windows.pslist, windows.netscan. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE--bMde2glwnE.html
@truepearls1790 11 months ago
Thanks sir 👍! I am learning from your videos, but sir, I am facing a problem: I have followed all the steps of this video and the previous installation video (the netscan command is working), but hashdump is not working. I have also used different Volatility & Python versions. What should I do now? Please. I have Windows 10.
@CyDig 11 months ago
Make sure you download the Symbol Tables. Go to my RU-vid video to find out how. I think it's at 4:40 min. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE--bMde2glwnE.htmlsi=9YRo844feV30WPUu
@makersphysics8965 1 year ago
First of all, thank you so much from India, this video has helped me a lot, but I'm facing a problem: the hashdump plugin is not working even after I pasted the symbol in the folder.
@CyDig 1 year ago
Hi MakersPhysics. Welcome to you and all viewers from India. That happened to me as well before. I recommend watching my RU-vid video first on "How to Install Volatility 3 on Windows 11 Windows 10 | Symbol Tables Configuration" ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE--bMde2glwnE.html as this will help you to install and configure your environment correctly.
@mohamedzirufaan9633 8 months ago
I am having some issues with plugins. I get the following error message saying "No module name" for the hashdump and netstat commands. Can you please let me know a solution for this issue?
@CyDig 8 months ago
You can watch my other videos on how to install and configure Volatility 3: Live Forensics | How to Install Volatility 3 on Windows 11 Windows 10 | Symbol Tables Configuration ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE--bMde2glwnE.html
@mohamedzirufaan9633 8 months ago
@CyDig Thanks for the quick response. I have followed your instructions. Still, some plugins (netstat, hashdump) don't work. However, commands like windows.info, pstree, and pslist work fine. So if you have a solution for this problem it would be kind of you to help me fix it.
@CyDig 8 months ago
Make sure to download the Symbol Tables and save them within Volatility 3. Then it should run.
@rahuldutt2021 1 year ago
I have an issue with the windows.netstat plugin.
@CyDig 1 year ago
It is more likely that you haven't configured Volatility 3 correctly during the installation and missed adding the Symbol table packs.
@CyDig 1 year ago
You can download it from here: downloads.volatilityfoundation.org/volatility3/symbols/windows.zip
@rahuldutt2021 1 year ago
@CyDig Downloaded and extracted the zip file but not sure what to do next. Please advise.
@CyDig 1 year ago
@rahuldutt2021 I have created a video for you at this link ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE--bMde2glwnE.html
@CyDig 1 year ago
hashes.com/en/decrypt/hash is also recommended to crack NT hashes.
@user-up5ne9jk1o 1 year ago
Great, keep it up!
@user-dw5xp6mf5q 9 months ago
PLEASE HELP. When I write "memdump.mem windows.hashdump" it doesn't show me the same results you got; instead it shows me some random code lines like this: "Desktop\volatility3- 1.0.0\vol.py", line 10, in volatility3.cli.main()"
@user-dw5xp6mf5q 9 months ago
I'm on Windows 11 btw.
@CyDig 9 months ago
Make sure you download the Symbol Tables. Go to my RU-vid video to find out how. I think it's at 4:40 min. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE--bMde2glwnE.htmlsi=9YRo844feV30WPUu
@userewjonqk 10 months ago
But how can I know if there is a malicious file when I run Volatility?
@CyDig 10 months ago
This is a very good question! There are many ways to scan for malware within a memory dump. Each malware has its own file signature and behaviours. However, you can try the MalConfScan Volatility plugin to extract configuration data of known malware. Let me know if you managed to run it.
@CyDig 10 months ago
github.com/JPCERTCC/MalConfScan
@userewjonqk 10 months ago
@CyDig Please, can you explain this in a new video?
@CyDig 10 months ago
Sure, I will create a new video explaining how to detect malware using Volatility.
@userewjonqk 10 months ago
@CyDig I would really appreciate it. I have learned the basic Volatility commands and how the Windows operating system works, but I still don't understand how I can benefit from it; I need to know about malicious files and how I can detect them.
@DreamLifeAfrica 1 year ago
Thanks, that's very helpful.
@avia4281 1 year ago
I'm following along, thank you. I'm trying to teach my kid that cracked games can be dangerous. Do you have a video showing that? I saw another method; they use dumpit.exe.
@CyDig 1 year ago
That's great that you are teaching your kids cyber security and you made them aware of such a vulnerability. Yes, DumpIt.exe is another tool that can be used to dump memory data.
@avia4281 1 year ago
@CyDig DumpIt with Volatility 3. I'm actually trying to learn myself and teach them in a real-world situation, since kids nowadays like PC games, at least mine does. On a one-system computer with dual boot, how can I protect myself from any problems?
@CyDig 1 year ago
@avia4281 As you can see from the video, I extracted the user name and the hashed password for the other users. One step you can do is to make sure your password is very complex (1234Aa£$£ Bb..) and long to prevent others from converting the hashed password to plain text. Also, it's good practice to change your password from time to time. Etc......