EHIR Tutorial Mohammad Reza Rostami
Lab 9 Analyzing a RAM Image with Volatility
What You Need for This Project
The Kali Linux virtual machine.
Memdump file
Start Your Kali Linux Machine
Launch your Kali Linux machine. If necessary, log in as root with the password toor.
Finding the RAM Image to Examine
Drag the memdump.mem file and drop it on the Kali machine desktop.
In your Kali Linux machine, open a Terminal window and execute these commands:
cd
cd Desktop
ls -l
Note that the last command is "LS -L" in lowercase.
You should see the memdump.mem file, as shown below. If you do not, you may need
to repeat a previous project to create the memory image again.
Page 1 of 9
�EHIR Tutorial Mohammad Reza Rostami
Starting Volatility
In your Kali Linux machine, in a Terminal window, execute these commands:
cd /usr/share/volatility
python vol.py -h
You see a long help message, as shown below:
The volatility help is long and confusing.
Fortunately, SANS has made a handy one-page cheat sheet which is much friendlier.
The part that is important to us is shown below:
Page 2 of 9
�EHIR Tutorial Mohammad Reza Rostami
Basic Volatilty Usage
Image Information
In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py imageinfo -f /root/Desktop/memdump.mem
This shows basic information about the image, such as the operating system of the
machine that was imaged, and when the image was made, as shown below:
Page 3 of 9
�EHIR Tutorial Mohammad Reza Rostami
Volatility needs to know what operating system was imaged in order to interpret the
memory image correctly. The default profile is WinXPSP2x86, but we used
Win2008SP1x86, so we'll have to include that information in all future volatility
command-lines.
Running Processes
In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py pslist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem
This shows the processes that were running on the machine when the RAM image was
made, as shown below:
Notice these columns:
Page 4 of 9
�EHIR Tutorial Mohammad Reza Rostami
Offset : The location in RAM of the process, in hexadecimal
Name : The process name, as it would be shown in Task Manager
PID : The process ID
PPID : The parent process ID--that is, the process that launched this process. In
the example above, the "System" process is process 4, and it is the parent of the
"smss.exe" process.
Console Commands
In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py consoles --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem
This shows the console commands that were recently executed on the Windows
machine.
You should see the command you executed to create the user account with your own
name, as shown below:
Page 5 of 9
�EHIR Tutorial Mohammad Reza Rostami
Services
In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py svcscan --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem | more
This shows the first page of a long list of services, as shown below:
Registry Hives
In your Kali Linux machine, in a Terminal window, execute this command:
python vol.py hivelist --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem
This shows the location in RAM of the Registry hives, as shown below:
Page 6 of 9
�EHIR Tutorial Mohammad Reza Rostami
Examine your output and find the two addresses outlined in green above: the virtual
addresses of the SAM and SYSTEM hives. Those two hives together contain enough
information to extract Windows password hashes.
Password Hashes
In your Kali Linux machine, in a Terminal window, execute the command below.
You will have to replace the two hexadecimal addresses with the correct virtual
addresses of your hives, in this format: -y SYSTEM -s SAM
python vol.py hashdump --profile=Win2008SP1x86 -f /root/Desktop/memdump.mem -y
0x86226008 -s 0x89c33450
When you get the command correct, you will see the login account names and
hashed passwords, including one showing your name, as shown below:
Page 7 of 9
�EHIR Tutorial Mohammad Reza Rostami
Cracking the Password Hash
Windows stores two hashes with each password, delimited by colons. The first one
is an extremely insecure, obsolete hash using the LANMAN algorithm. Windows
operating systems since Vista no longer use LANMAN hashes, so they are filled
with a dummy value starting with "aad".
The second hash is the newer NTLM hash, which is much better than LANMAN
hashes, but still extremely insecure and much more easily cracked than Linux or
Mac OS X hashes.
To crack your password, highlight the hash value, as shown below, right-click it, and
click Copy.
On your host Windows machine, open a Web browser and go to
https://crackstation.net/
Page 8 of 9
�EHIR Tutorial Mohammad Reza Rostami
Paste in the hash. On the right side, fill in the CAPTCHA and click the "Crack
Hashes" button.
The hash should crack, revealing the password of "SuperSecret!", as shown below.
Turning in Your Lab Results
After getting the images, upload the files on the Edmodo.
Good Luck
Page 9 of 9
