Forwarded from Team ETF (Groot)
Explanation:-

There are two types of scan in Volatility to detect the profile.
1. By imageinfo ( above picture )
2. Kdbg scan ( tomorrow I will discuss this )

Here in the above figure we can see that we scanned using imageinfo, and it detected some of the profiles ( which OS the memory file is from ).

Profile :- WinXPSP2x86 ( see highlighted)

Possible doubts :-
1. Here we have used the memory dump cridex.vmem

.vmem -> virtualbox memory
cridex is one of the malware names

2. I already taught you earlier how to get the memory file.

Error:-
There's an installation error in my tool. Probably you won't get a failed error while running the tool.
Forwarded from Team ETF (Groot)
In the new version ( volatility3 )
there's no need to do a profile scan; you can skip this step.

Next class :-
Tomorrow be ready
Forwarded from Groot
Forwarded from Team ETF (Groot)
👆 Here we did a profile scan of another memory dump file.
Forwarded from Groot
Forwarded from Team ETF (Groot)
👆 Here you can see that we used the lsadump plugin, which gives the default saved passwords.
Forwarded from Groot
Forwarded from Team ETF (Groot)
👆 The netscan plugin is used to scan all the devices connected to that device.
Forwarded from Team ETF (Groot)
Now, we need to find the PC name.
We know that it is present in the system ( we learnt this in the Windows registry section ).
To find that using Volatility,
first we need to get the offset of the system file.
Offset :- address

So we use the hivelist plugin 👇
Forwarded from Groot
Forwarded from Team ETF (Groot)
Now we have the offset of the system file.
We know that when we explored the registry there were many directories; these may differ for some PCs. So we will go through the directories one by one using the printkey plugin 👇
Forwarded from Team ETF (Groot)
Forwarded from Team ETF (Groot)
By doing this step by step we will find the required file. I skipped 1 step; you do this on your own 👇
Forwarded from Groot
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Sorry, I forgot to tell you about the captured memory file.
It's from otterctf.com
Log in and see the memory forensics section

Or

Direct download from

https://mega.nz/#!sh8wmCIL!b4tpech4wzc3QQ6YgQ2uZnOmctRZ2duQxDqxbkWYipQ
Forwarded from Team ETF (Groot)
If you really have any doubts,
contact me
@Etf_Zan_bot ( bot )
@zincster ( id )
I will try to respond fast 😐
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
There will be a CTF in April-May.
Those who pass will be chosen for the private channel.
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Ok, hold your beers 🍻 guys.
If you are following OtterCTF, no worries;
if not, I will begin with the question too.

1. In the above given dump file ( otterctf.vmem ),
the user used to play an online game, and you need to find the game name and its server IP address.

How will you do it? Think.

Answer:-
Do netscan using Volatility
Forwarded from Groot
Forwarded from Team ETF (Groot)
2. Silly Rick always forgets his email's password, so he uses a Stored Password Services online to store his password. He always copies and pastes the password so he will not get it wrong. What's Rick's email password?

Answer :-
Use the clipboard plugin
Forwarded from Groot