Welcome friends, we all know the importance of physical memory i.e RAM and also the importance of it as once the computer is shutdown next time we won't be able to find out which process currently were running on the system before the shut down so we need a quick way to scan the ram i.e physical memory using useful memory analysis tools.
RAM Analysis
I fired up my windows xp machine and gave it 256MB of ram so we can easily analyse it. then i used the DumpIt.exe tool to dump the data out of ram physical memory.
 |
| DumpIt.exe |
Then i Grabbed the Offset of the Ram using the Below Command.
 |
| volatility.exe -f "Dump-File-Path" --profile="System-Profile" kdbgscan |
and Finally using the offset i grabbed the running processes list that we were keen to find, hurrah, see below the screen shot.
 |
| volatility.exe -f "Dump-File-Path" --profile="System-Profile" --kdbg="0ffSet" pslist > Dump.txt |
Aha, we can now see al the processes on the list, let's simply see that we ran cmd.exe and also DumpIt.exe before running the volatility.exe so those can be simply seen on the list. Below is the Video if you guys didn't understand what i exactly did there.
No comments:
Post a Comment