WinPmem

1. Acquire physical memory into an AFF4 volume:
   winpmem-2.1.post4.exe -o output.aff4
2. Export the raw image from the AFF4 volume:
   winpmem-2.1.post4.exe output.aff4 --export PhysicalMemory -o memory.img
   2.1. Parse the registry hives from the raw image with Rekall:
        rekal -f memory.img hives
3. Live analysis through the WinPmem driver device:
   rekal -f \\.\pmem
4. pslist

Acquisition output:
Reading 0x3f7338000 16243MiB / 16255MiB 52MiB/s
Adding C:\Windows\SysNative\drivers\1394ohci.sys as file:///C:/Windows/SysNative/drivers/1394ohci.sys
Adding C:\Windows\SysNative\drivers\3ware.sys as file:///C:/Windows/SysNative/drivers/3ware.sys
Adding

Registry Viewer RST Files

AOL Instant Messenger (TM).rsr
AOL Instant Messenger.rsr
Favorites.rvc
Internet Explorer.rsr
NTUser – Files set to Run on Startup.rsr
NTUser – Internet Account Manager.rsr
NTUser – Internet Explorer.rsr
NTUser – LastVisited and OpenSave MRU.rsr
NTUser – Media Player MRUs.rsr
NTUser –

SIFT Clean Install

Instructions for installing SIFT 3:

- Download Ubuntu 14.04 Desktop: ubuntu-14.04.5-desktop-amd64.iso
  Published checksums: http://releases.ubuntu.com/14.04/SHA256SUMS
- Check the SHA256 against the published value:
  f5ce20686a2f3201f04a309d04171ee15757f00954b33b87f3f1d36b3b0f5356 *ubuntu-14.04.5-desktop-amd64.iso

  PS C:\download> certutil.exe -hashfile .\ubuntu-14.04.5-desktop-amd64.iso sha256
  SHA256 hash of file .\ubuntu-14.04.5-desktop-amd64.iso:
  f5ce20686a2f3201f04a309d04171ee15757f00954b33b87f3f1d36b3b0f5356
- Install in Oracle VM VirtualBox
- sudo apt-get update
- wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh |

Set up Metasploit using VirtualBox and Ubuntu

Oracle VM shared folder: c:\share (Transient Folders), wd c:\share
Insert the Guest Additions CD image
sudo apt-get update
sudo apt-get install virtualbox-guest-dkms
cd /home/metal/share/
sha1sum metasploit-latest-linux-x64-installer.run > metasploit-latest-linux-x64-installer.sha1
sha1sum -c metasploit-latest-linux-x64-installer.sha1
or
sha1sum -c s.sha1
gedit error "could not save file"
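Both install notes above end in the same integrity step: compare the downloaded file against a digest (certutil against the published SHA256SUMS entry for the SIFT ISO, a sha1sum manifest with -c for the Metasploit installer). The shell functions below are an added example, not part of the original notes, that wrap that flow and also show the failure case (a tampered copy failing `-c`). Note that a manifest generated from the downloaded file itself only proves the copy that reached the shared folder is unchanged; to prove the download is genuine the digest must come from the vendor, as the SIFT step does with SHA256SUMS. GNU coreutils (sha1sum/sha256sum with -c --status, as on Ubuntu) is assumed; every file name and sample content here is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: download-verification helpers
# covering both a vendor-published digest and a local sha*sum manifest.
# Assumes GNU coreutils. All file names and contents are constructed.

# Print the hex digest of file $1 using algorithm $2 (sha1 or sha256).
digest() {
    case "$2" in
        sha1)   sha1sum "$1" | cut -d' ' -f1 ;;
        sha256) sha256sum "$1" | cut -d' ' -f1 ;;
        *)      echo "unsupported algorithm: $2" >&2; return 2 ;;
    esac
}

# Compare file $1 against a vendor-published digest $3 (algorithm $2).
# Case-insensitive: certutil prints lowercase hex, some vendors publish
# uppercase. Returns 0 on match, 1 on mismatch, 2 on bad algorithm.
verify_published() {
    actual=$(digest "$1" "$2") || return 2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH for $1: expected $expected, got $actual" >&2
    return 1
}

# Write a coreutils manifest line "<digest> *<name>" for file $2 inside
# directory $1 (algorithm $3) to $2.$3. The name is kept relative so the
# manifest still checks out after the directory is copied elsewhere.
write_manifest() {
    ( cd "$1" && "$3sum" -b "$2" > "$2.$3" )
}

# Re-check file $2 in directory $1 against its manifest $2.$3, the same
# `sha1sum -c installer.sha1` step as in the notes. Exit status is the
# checker's: 0 if every listed file matches, non-zero otherwise.
check_manifest() {
    ( cd "$1" && "$3sum" -c --status "$2.$3" )
}

# Demo: a clean copy passes the manifest check, a tampered copy fails it.
demo() {
    dir=$(mktemp -d)
    printf 'installer payload\n' > "$dir/installer.run"   # constructed stand-in
    write_manifest "$dir" installer.run sha1
    check_manifest "$dir" installer.run sha1 && echo "clean copy: OK"
    printf 'x' >> "$dir/installer.run"                     # simulate tampering
    check_manifest "$dir" installer.run sha1 || echo "tampered copy: check FAILED (expected)"
    rm -rf "$dir"
}
demo
```

`--status` suppresses the per-file OK/FAILED lines so the functions are usable from scripts; drop it when running interactively, as in the notes, to see which file failed. SHA-1 is kept here only because the notes use it; for a new manifest prefer sha256, which the same functions accept.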