1. winpmem-2.1.post4.exe -o output.aff4

2. winpmem-2.1.post4.exe output.aff4 --export PhysicalMemory -o memory.img
2.1 rekal -f memory.img hives

3. rekal -f \\.\pmem
4. pslist


1. Output:
Reading 0x3f7338000 16243MiB / 16255MiB 52MiB/s
Adding C:\Windows\SysNative\drivers\1394ohci.sys as file:///C:/Windows/SysNative/drivers/1394ohci.sys
Adding C:\Windows\SysNative\drivers\3ware.sys as file:///C:/Windows/SysNative/drivers/3ware.sys
Adding C:\Windows\SysNative\ntoskrnl.exe as file:///C:/Windows/SysNative/ntoskrnl.exe
Driver Unloaded.

2. Output:
Extracting aff4://172a6726-344f-468f-baa5-bf314191223d/PhysicalMemory into file:///C:/digital%20forensics/memory.img
Reading 0x8000 0MiB / 16894MiB 0MiB/s
Reading 0xc50000 12MiB / 16894MiB 48MiB/s


4. Output:
Adding c:\users\a\appdata\local\temp\tmp_a5qzg\ntkrnlmp.pdb to Extraction Queue
Expanding Files ...
Expanding Files Complete ...
2017-06-18 23:23:44,089:WARNING:rekall.1:Profile nt/GUID/A0011F02EE8442749E83E5180D8B19A61 fetched and built. Please consider reporting this profile to the Rekall team so we may add it to the public profile repository.
---------------------------> pslist()
  _EPROCESS      name         pid  ppid  thread_count  handle_count  session_id  wow64  process_create_time   process_exit_time
-------------- ------------ ---- ----- ------------ ------------ ---------- ------ -------------------- -----------------
0xe50b384b9680 System          4     0          147            -           -  False  2017-06-18 12:08:14Z  -
0xe50b3b5b57c0 svchost.exe    76   708           10            -           0  False  2017-06-18 12:08:16Z  -
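The three commands above are the whole acquisition-to-analysis chain (AFF4 capture, raw export, Rekall run), but typed by hand they leave no record of what was taken, when, or whether the export completed. The PowerShell script below is an added example, not part of the original post or of the WinPmem/Rekall projects: it wraps steps 1, 2 and 2.1/4 in one run, hashes both images, and sanity-checks the raw image size against installed RAM. Note from the outputs above that the capture reads 16255 MiB while the export writes 16894 MiB; the raw image covers the whole physical address space, including reserved and device ranges that get zero-padded, so it is normally larger than installed RAM, and a raw file smaller than RAM is a sign of a truncated export. The case folder, file names and log path are assumptions. Step 3 (live analysis through `\\.\pmem`) is not scripted here: the capture unloads the driver ("Driver Unloaded." above), so that path needs the driver loaded again first (winpmem 2.x's `-l` switch) and is a separate session.

```powershell
# Added example (not the page's or the projects' own code): scripted
# WinPmem acquisition + raw export + Rekall run, with hashes and a size check.
# Paths, file names and the log location below are assumptions.
$ErrorActionPreference = 'Stop'

$winpmem = '.\winpmem-2.1.post4.exe'        # same binary as in the post
$caseDir = 'C:\digital forensics'           # assumed case folder
$aff4    = Join-Path $caseDir 'output.aff4'
$raw     = Join-Path $caseDir 'memory.img'
$log     = Join-Path $caseDir 'acquisition.log'

New-Item -ItemType Directory -Force -Path $caseDir | Out-Null

function Write-Log([string]$msg) {
    # Timestamped line to both console and the case log.
    $line = '{0:u} {1}' -f (Get-Date), $msg
    Add-Content -Path $log -Value $line
    Write-Host $line
}

Write-Log "Host: $env:COMPUTERNAME  User: $env:USERNAME"
$ram = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
Write-Log ('Installed RAM: {0:N0} bytes' -f $ram)

# Step 1: capture physical memory into an AFF4 container (-o = output path).
& $winpmem -o $aff4
if ($LASTEXITCODE -ne 0) { throw "winpmem acquisition failed (exit $LASTEXITCODE)" }
Write-Log ('AFF4 SHA256: ' + (Get-FileHash -Algorithm SHA256 -Path $aff4).Hash)

# Step 2: export the PhysicalMemory stream as a raw image for tools that
# cannot read AFF4 directly.
& $winpmem $aff4 --export PhysicalMemory -o $raw
if ($LASTEXITCODE -ne 0) { throw "winpmem export failed (exit $LASTEXITCODE)" }
Write-Log ('Raw SHA256:  ' + (Get-FileHash -Algorithm SHA256 -Path $raw).Hash)

# Sanity check: the raw image spans the physical address space (reserved and
# device holes are zero-filled), so it should never be smaller than RAM.
$rawSize = (Get-Item $raw).Length
Write-Log ('Raw image size: {0:N0} bytes' -f $rawSize)
if ($rawSize -lt $ram) {
    throw 'raw image is smaller than installed RAM; the export looks truncated'
}

# Steps 2.1 and 4: run the post's Rekall plugins non-interactively against
# the raw image and keep the output with the case files.
& rekal -f $raw hives  | Tee-Object -FilePath (Join-Path $caseDir 'hives.txt')
& rekal -f $raw pslist | Tee-Object -FilePath (Join-Path $caseDir 'pslist.txt')
Write-Log 'Done.'
```

Run it from an elevated PowerShell prompt (the WinPmem driver load needs administrator rights). The hashes in the log are what you compare against later copies of the images; the size check catches the failure mode that the progress lines above would otherwise hide, namely an export that stops early but still leaves a plausible-looking file behind.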

WinPmem
