- use something like volatility3

- show all processes that were running:
    python vol.py -f C:\Users\DoDo\Desktop\Challenge\flounder-pc-memdump.elf windows.pslist

- show general OS info:
    python vol.py -f C:\Users\DoDo\Desktop\Challenge\flounder-pc-memdump.elf windows.info

- run volatility on the .elf dump, save output in the "dump" folder (-o "dump"), and extract from process PID 2812 the file at virtual address --virtaddr 0xfa80007d5c80 into the "dump" folder:
    python vol.py -f C:\Users\DoDo\Desktop\Challenge\flounder-pc-memdump.elf -o "dump" windows.dumpfile --pid 2812 --virtaddr 0xfa80007d5c801

- extract the command lines of the processes from the memory dump:
    python vol.py -f C:\Users\DoDo\Desktop\Challenge\flounder-pc-memdump.elf windows.cmdline

- print all handles of process 2812 (handles are, for example, open files). You can append | Select-String file to keep only the lines containing "file"; Select-String is basically PowerShell's grep:
    python vol.py -f C:\Users\DoDo\Desktop\Challenge\flounder-pc-memdump.elf windows.handles --pid 2812
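As an added example (not part of these notes and not volatility3's own code), the script below post-processes the pslist and handles output in Python instead of grepping it: it walks the parent chain of a PID and lists only the handles whose Type is File. It assumes the plugins were run with volatility3's JSON renderer (`-r json`, e.g. `python vol.py -r json -f <dump> windows.handles --pid 2812 > handles.json`) and that the record keys match the plugin column headers (PID, PPID, ImageFileName, HandleValue, Type, Name); the sample records are constructed here and do not come from the challenge dump.

```python
"""Post-process volatility3 JSON output (example added to these notes).

Assumptions: the plugins were run with `-r json`, and the record keys equal
the plugin column headers. The samples below are constructed, not real output.
"""
import json
import sys
from collections import defaultdict

# Constructed sample shaped like `windows.pslist -r json`. The PPID 1300 of
# explorer.exe is deliberately absent (its parent userinit.exe had already
# exited), which is normal on a live box and which ancestry() must tolerate.
SAMPLE_PSLIST_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "__children": []},
    {"PID": 480,  "PPID": 4,    "ImageFileName": "smss.exe",     "__children": []},
    {"PID": 600,  "PPID": 480,  "ImageFileName": "wininit.exe",  "__children": []},
    {"PID": 1500, "PPID": 1300, "ImageFileName": "explorer.exe", "__children": []},
    {"PID": 2812, "PPID": 1500, "ImageFileName": "notepad.exe",  "__children": []},
])

# Constructed sample shaped like `windows.handles -r json`. Handle 4 is a Key
# whose name merely contains the word FILE, to show what a text grep catches.
SAMPLE_HANDLES_JSON = json.dumps([
    {"PID": 2812, "Process": "notepad.exe", "HandleValue": 4, "Type": "Key",
     "GrantedAccess": 0x20019,
     "Name": "MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS"},
    {"PID": 2812, "Process": "notepad.exe", "HandleValue": 8, "Type": "File",
     "GrantedAccess": 0x120089, "Name": "\\Device\\HarddiskVolume1\\Users\\DoDo\\Desktop\\notes.txt"},
    {"PID": 2812, "Process": "notepad.exe", "HandleValue": 12, "Type": "Mutant",
     "GrantedAccess": 0x1f0001, "Name": ""},
    {"PID": 2812, "Process": "notepad.exe", "HandleValue": 16, "Type": "File",
     "GrantedAccess": 0x100020, "Name": "\\Device\\HarddiskVolume1\\Windows\\System32"},
    {"PID": 1500, "Process": "explorer.exe", "HandleValue": 20, "Type": "File",
     "GrantedAccess": 0x120089, "Name": "\\Device\\HarddiskVolume1\\Windows\\explorer.exe"},
])


def load_records(text):
    """Parse `-r json` output and flatten any `__children` nesting (pslist is
    flat, pstree nests) into one list of row dicts without the nesting key."""
    rows = []

    def walk(items):
        for item in items:
            rows.append({k: v for k, v in item.items() if k != "__children"})
            walk(item.get("__children", []))

    walk(json.loads(text))
    return rows


def build_tree(pslist):
    """Map PPID -> list of child PIDs, in pslist order."""
    children = defaultdict(list)
    for row in pslist:
        children[row["PPID"]].append(row["PID"])
    return dict(children)


def ancestry(pslist, pid):
    """Image names from `pid` up to the first parent that is no longer in the
    list (exited) or to the root; a `seen` set guards against PID reuse loops."""
    by_pid = {row["PID"]: row for row in pslist}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["ImageFileName"])
        pid = by_pid[pid]["PPID"]
    return chain


def file_handles(handles, pid, handle_type="File"):
    """Exact filter on the Type column for one PID: the object names of its
    open File handles (unnamed handles are skipped)."""
    return [row["Name"] for row in handles
            if row["PID"] == pid and row["Type"] == handle_type and row["Name"]]


def grep_handles(handles, needle):
    """Rough analogue of `| Select-String file`: case-insensitive substring
    match over the whole rendered row, so it also hits rows where only the
    object name contains the word. Returns the matching HandleValues."""
    needle = needle.lower()
    return [row["HandleValue"] for row in handles
            if needle in " ".join(str(v) for v in row.values()).lower()]


def main(argv):
    """Usage: script.py [pslist.json handles.json] [pid]; with no files given
    the constructed samples are used."""
    if len(argv) >= 3:
        pslist = load_records(open(argv[1]).read())
        handles = load_records(open(argv[2]).read())
        pid = int(argv[3]) if len(argv) > 3 else 2812
    else:
        pslist, handles, pid = load_records(SAMPLE_PSLIST_JSON), load_records(SAMPLE_HANDLES_JSON), 2812
    print("parent chain:", " <- ".join(ancestry(pslist, pid)))
    for name in file_handles(handles, pid):
        print("File handle:", name)
    print("rows a text grep for 'file' would return:", grep_handles(handles, "file"))


if __name__ == "__main__":
    main(sys.argv)
```

The difference between `file_handles` and `grep_handles` is the caveat behind the `| Select-String file` trick: Select-String matches the word anywhere on the line, case-insensitively, so a registry key or path that happens to contain "file" shows up alongside the real File-type handles, and the rows for other PIDs would too if the plugin were run without `--pid`. Filtering on the Type column is exact.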