Writeup
1. [V&N2020 Open] Memory Forensics
1. Identify the profile
volatility.exe -f C:\Users\shen\Downloads\mem.raw imageinfo
2. List the processes
volatility.exe -f C:\Users\shen\Downloads\mem.raw --profile=Win7SP1x86_23418 pslist > pslist.txt
Reading the list from the bottom up: the last entries are DumpIt (the tool used to capture the memory image) and the exe files Windows runs in the background; above those, three processes are worth attention.
0x83c0ad40 TrueCrypt.exe 3364 3188 7 388 1 0 2020-02-18 19:52:44 UTC+0000
0x837f5d40 notepad.exe 3552 1964 2 61 1 0 2020-02-18 19:53:07 UTC+0000
0x82a7e568 iexplore.exe 3640 1964 16 468 1 0 2020-02-18 19:53:29 UTC+0000
0x847c8030 iexplore.exe 3696 3640 25 610 1 0 2020-02-18 19:53:29 UTC+0000
0x848a7030 mspaint.exe 2648 1964 18 383 1 0 2020-02-18 19:54:01 UTC+0000 // Paint
3. View the text currently displayed in Notepad
The notepad plugin does not work here, so try recovering the text with 取证大师 (Forensics Master) instead.
2. [NEWSCTF] 2021.6.1 Newbie Contest - very-ez-dump
cmdscan
1. Recover with X-Ways (just carve out all the documents; 取证大师 failed to recover them) and find an archive.
2. Volatility
volatility.exe -f C:\Users\shen\Desktop\mem.raw imageinfo
volatility.exe -f C:\Users\shen\Desktop\mem.raw --profile=Win7SP1x64 pslist
0xfffffa80010c7060 cmd.exe 2624 1700 1 21 1 0 2021-05-20 13:04:35 UTC+0000
There is a cmd.exe process.
volatility.exe -f C:\Users\shen\Desktop\mem.raw --profile=Win7SP1x64 cmdscan
——————————————————————————————————————————————————————————————————————————————————
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 1588
CommandHistory: 0x117120 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 13 LastAdded: 12 LastDisplayed: 12
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x109cf0: dir
Cmd #1 @ 0x108290: ipconfig
Cmd #2 @ 0xf8bd0: ipconfig 192.168.26.2
Cmd #3 @ 0x116aa0: ping newsctf.top
Cmd #4 @ 0x1082d0: network
Cmd #5 @ 0x1082f0: net user
Cmd #6 @ 0xf8c50: net user Guest 123456789
Cmd #7 @ 0xf8c90: net user mumuzi (ljmmz)ovo
Cmd #8 @ 0x108350: clear
Cmd #9 @ 0x116a40: if_you_see_it,
Cmd #10 @ 0xf8cd0: you_will_find_the_flag
Cmd #11 @ 0x116ad0: where_is_the
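As an added example (not part of the original writeup), a small Python parser for the cmdscan output above: it turns each console history block into a record, flags the "net user <name> <password>" commands that an investigator reviews as account creations or password resets, and reports the command slots that CommandCount promises but the recovered output lacks (the output quoted here stops at Cmd #11 although CommandCount is 13). The sample input is the page's own quoted output; the function names are my own.

```python
import re

# Constructed sample: the cmdscan output quoted in this writeup, truncated after Cmd #11 as on the page.
CMDSCAN_OUTPUT = """\
CommandProcess: conhost.exe Pid: 1588
CommandHistory: 0x117120 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 13 LastAdded: 12 LastDisplayed: 12
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x109cf0: dir
Cmd #1 @ 0x108290: ipconfig
Cmd #2 @ 0xf8bd0: ipconfig 192.168.26.2
Cmd #3 @ 0x116aa0: ping newsctf.top
Cmd #4 @ 0x1082d0: network
Cmd #5 @ 0x1082f0: net user
Cmd #6 @ 0xf8c50: net user Guest 123456789
Cmd #7 @ 0xf8c90: net user mumuzi (ljmmz)ovo
Cmd #8 @ 0x108350: clear
Cmd #9 @ 0x116a40: if_you_see_it,
Cmd #10 @ 0xf8cd0: you_will_find_the_flag
Cmd #11 @ 0x116ad0: where_is_the
"""

HDR_RE = re.compile(r"CommandProcess: (\S+) Pid: (\d+)")
COUNT_RE = re.compile(r"CommandCount: (\d+)")
CMD_RE = re.compile(r"Cmd #(\d+) @ (0x[0-9a-fA-F]+): (.*)")
# 'net user <name> <password>' creates a local account or resets its password.
ACCOUNT_RE = re.compile(r"^net\s+user\s+(\S+)\s+(\S+)", re.I)

def parse_cmdscan(text):
    """Split cmdscan output into one dict per console history block."""
    blocks, cur = [], None
    for line in text.splitlines():
        if m := HDR_RE.match(line):
            cur = {"process": m[1], "pid": int(m[2]), "count": 0, "cmds": []}
            blocks.append(cur)
        elif cur and (m := COUNT_RE.match(line)):
            cur["count"] = int(m[1])
        elif cur and (m := CMD_RE.match(line)):
            cur["cmds"].append((int(m[1]), int(m[2], 16), m[3]))
    return blocks

def account_changes(block):
    """(index, user, password) for every account-modifying 'net user' command."""
    return [(i, m[1], m[2]) for i, _, c in block["cmds"] if (m := ACCOUNT_RE.match(c))]

def missing_indices(block):
    """Slots promised by CommandCount that were not recovered from the image."""
    seen = {i for i, _, _ in block["cmds"]}
    return [i for i in range(block["count"]) if i not in seen]
```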