♋...Learn Harder, Keep Humble, Not For The Faint Heart !, Respect Others, Try Harder...♋

Saturday, November 3, 2012

Memory Forensic Analysis

In this post I will write about what I learned this afternoon at camp, namely memory forensics.

Let's start!

First, I scan the target using nmap, as in the screenshot below:


From here, I exploit the system directly. Here I exploit an application running on the Windows system, namely BigAnt Server on port 6660. You can find the exploit on exploit-db.

Now run the exploit and connect to the system using telnet, as in the following screenshot:


Then list the running services with the command tasklist /svc (on the Windows system):


Above is the list of running processes.

Next, capture the process memory.
Open the AccessData FTK application on the Windows machine.


Then start capturing the memory.


Save memdump.mem in /var/www/ptk.

A. Analysis using PTK
After that, open the PTK tool under Application => Forensics => RAM Forensic Tools => ptk.
It will then show you something like this:

Enter the username and password that were configured. If you have not configured PTK yet, please configure it first! You can see the configuration here.

Then create a new case and enter whatever case name you want.


After that, just follow what is required.

Now select pslist and click start, as in the following screenshot:


Below is the pslist result from memory.

NOTE: you can choose other plugins from the drop-down menu; there are more options you can use.

B. Using Volatility commands
First go to the tool's directory at /pentest/forensics/volatility/
There are many options you can use; list them by typing the command
# ./vol.py -h

Now check the sockets using the command in the following screenshot:


Or check the connections:


Please read the help if you need more options for the analysis. Thanks.
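As an added example (not part of the original post), here is a small Python triage script that parses the text output of Volatility's pslist and connections plugins and flags a shell spawned by a network-facing process, which is the trace an exploited service like the one above leaves in memory. The sample output, the process names (AntServer.exe stands in for the BigAnt service), the PIDs and the port 4444 are constructed, not taken from the dump in this post.

```python
import re

# Constructed sample in Volatility 2.x "pslist" format (not from a real dump).
# Names and PIDs are assumptions; AntServer.exe stands in for the exploited BigAnt service.
PSLIST = """\
Offset(V)  Name          PID  PPID Thds Hnds Sess Wow64 Start
---------- ------------- ---- ---- ---- ---- ---- ----- -----
0x821f0020 services.exe   668  624   16  262    0 0     2012-11-03 10:01:02
0x8217a5a8 AntServer.exe 1540  668    9  118    0 0     2012-11-03 10:01:40
0x820e3da0 cmd.exe       1712 1540    1   33    0 0     2012-11-03 14:22:09
0x8219b4f8 explorer.exe  1204 1180   12  345    0 0     2012-11-03 10:02:11
"""
# Constructed sample in Volatility 2.x "connections" format; port 4444 is an assumption.
CONNECTIONS = """\
Offset(V)  Local Address      Remote Address      Pid
---------- ------------------ ------------------- ---
0x8205abf0 192.168.1.10:6660  192.168.1.20:41022  1540
0x8206c3a8 192.168.1.10:4444  192.168.1.20:41030  1712
"""
PS_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)", re.I)
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}

def parse_pslist(text):
    """PID -> (name, PPID) from the first four pslist columns."""
    return {int(m[2]): (m[1], int(m[3])) for m in map(PS_RE.match, text.splitlines()) if m}

def parse_connections(text):
    """List of (local, remote, pid) tuples from connections output."""
    return [(m[1], m[2], int(m[3])) for m in map(CONN_RE.match, text.splitlines()) if m]

def ancestry(procs, pid):
    """Process names from pid up to the root (bounded, in case PPIDs form a loop)."""
    chain = []
    while pid in procs and len(chain) < 64:
        chain.append(procs[pid][0])
        pid = procs[pid][1]
    return chain

def triage(pslist_text, conn_text):
    """Heuristic: a shell with a remote peer whose parent also has a connection."""
    procs = parse_pslist(pslist_text)
    conns = parse_connections(conn_text)
    net_pids = {pid for _, _, pid in conns}
    findings = []
    for local, remote, pid in conns:
        name, ppid = procs.get(pid, ("?", 0))
        if name.lower() in SHELLS and ppid in net_pids:
            findings.append({"pid": pid, "local": local, "remote": remote,
                             "chain": " <- ".join(ancestry(procs, pid))})
    return findings
```

On real dumps, feed the script the saved output of `vol.py ... pslist` and `vol.py ... connections` (or `sockets` on profiles where connections is unavailable) instead of the embedded samples.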
