Tag forensics

IDA script to create a memory dump

This is an IDA script that can do a memory dump. It's useful to run it after you've gone past the obfuscation layer(s) and reached the decrypted code. auto eax; auto start; auto end; auto f; f = fopen("dump.bin", "w"); start =…

Forensics with Volatility

Command / Description

$ ./volatility --filename=. --profile=WinXPSP2x86 psscan
    Check for hidden processes (would show as False in pslist or psscan)

$ ./volatility --filename=. --profile=WinXPSP2x86 psxview
    Check for hidden processes (would show as False in pslist or psscan)

$ ./volatility --filename=. --profile=WinXPSP2x86 envars -p 123…

Forensic artefacts extractor

This is a script developed in Python to extract forensic artefacts from a file/memory dump. It's useful to run it after you've gone past the obfuscation layer(s) and reached the decrypted code. It can extract filenames, registry keys, URLs, e-mail…