3/6/13 IPython Notebook
Using iPython Notebook for Live Memory Forensics
In [1]: from IPython.core.display import Image
        from IPython.core.display import HTML
        from IPython.lib.display import YouTubeVideo
.
.
.
iPython Notebook with Volatility 2.3 Alpha
In [8]: '''
        apihooks        Detect API hooks in process and kernel memory
        atoms           Print session and window station atom tables
        atomscan        Pool scanner for _RTL_ATOM_TABLE
        bioskbd         Reads the keyboard buffer from Real Mode memory
        callbacks       Print system-wide notification routines
        clipboard       Extract the contents of the windows clipboard
        cmdscan         Extract command history by scanning for _COMMAND_HISTORY
        connections     Print list of open connections [Windows XP and 2003 Only]
        connscan        Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
        consoles        Extract command history by scanning for _CONSOLE_INFORMATION
        crashinfo       Dump crash-dump information
        deskscan        Poolscaner for tagDESKTOP (desktops)
        devicetree      Show device tree
        dlldump         Dump DLLs from a process address space
        dlllist         Print list of loaded dlls for each process
        driverirp       Driver IRP hook detection
        driverscan      Scan for driver objects _DRIVER_OBJECT
        envars          Display process environment variables
        eventhooks      Print details on windows event hooks
        evtlogs         Extract Windows Event Logs (XP/2003 only)
        filescan        Scan Physical memory for _FILE_OBJECT pool allocations
        gahti           Dump the USER handle type information
        gditimers       Print installed GDI timers and callbacks
        gdt             Display Global Descriptor Table
        getservicesids  Get the names of services in the Registry and return Calculated SID
        getsids         Print the SIDs owning each process
        handles         Print list of open handles for each process
        hashdump        Dumps passwords hashes (LM/NTLM) from memory
        hibinfo         Dump hibernation file information
        hivedump        Prints out a hive
        hivelist        Print list of registry hives.
        hivescan        Scan Physical memory for _CMHIVE objects (registry hives)
        hpakextract     Extract physical memory from an HPAK file
        hpakinfo        Info on an HPAK file
        idt             Display Interrupt Descriptor Table
        iehistory       Reconstruct Internet Explorer cache / history
        imagecopy       Copies a physical address space out as a raw DD image
        imageinfo       Identify information for the image
        impscan         Scan for calls to imported functions
        kdbgscan        Search for and dump potential KDBG values
        kpcrscan        Search for and dump potential KPCR values
        ldrmodules      Detect unlinked DLLs
        lsadump         Dump (decrypted) LSA secrets from the registry
        malfind         Find hidden and injected code
        mbrparser       Scans for and parses potential Master Boot Records (MBRs)
        memdump         Dump the addressable memory for a process
        memmap          Print the memory map
        messagehooks    List desktop and thread window message hooks
        mftparser       Scans for and parses potential MFT entries
        moddump         Dump a kernel driver to an executable file sample
        modscan         Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
        modules         Print list of loaded modules
        mutantscan      Scan for mutant objects _KMUTANT
        patcher         Patches memory based on page scans
        printkey        Print a registry key, and its subkeys and values
        privs           Display process privileges
        procexedump     Dump a process to an executable file sample
        procmemdump     Dump a process to an executable memory sample
        pslist          Print all running processes by following the EPROCESS lists
        psscan          Scan Physical memory for _EPROCESS pool allocations
        pstree          Print process list as a tree
        psxview         Find hidden processes with various process listings
        raw2dmp         Converts a physical memory sample to a windbg crash dump
        screenshot      Save a pseudo-screenshot based on GDI windows
        sessions        List details on _MM_SESSION_SPACE (user logon sessions)
        shellbags       Prints ShellBags info
        shimcache       Parses the Application Compatibility Shim Cache registry key
        sockets         Print list of open sockets
        sockscan        Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
        ssdt            Display SSDT entries
        strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
        svcscan         Scan for Windows services
        symlinkscan     Scan for symbolic link objects
        thrdscan        Scan physical memory for _ETHREAD objects
        threads         Investigate _ETHREAD and _KTHREADs
        timers          Print kernel timers and associated module DPCs
        unloadedmodules Print list of unloaded modules
        userassist      Print userassist registry keys and information
        userhandles     Dump the USER handle tables
        vaddump         Dumps out the vad sections to a file
        vadinfo         Dump the VAD info
        vadtree         Walk the VAD tree and display in tree format
        vadwalk         Walk the VAD tree
        vboxinfo        Dump virtualbox information
        vmwareinfo      Dump VMware VMSS/VMSN information
        volshell        Shell in the memory image
        windows         Print Desktop Windows (verbose details)
        wintree         Print Z-Order Desktop Windows Tree
        wndscan         Pool scanner for tagWINDOWSTATION (window stations)
        yarascan        Scan process or kernel memory with Yara signatures
        '''
.
.
.
imageinfo - Identify information for the image
In [2]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem imageinfo
Volatile Systems Volatility Framework 2.3_alpha
Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/mem/memdump.mem)
                      PAE type : PAE
                           DTB : 0x334000L
                          KDBG : 0x80544ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2013-02-25 18:16:01 UTC+0000
     Image local date and time : 2013-02-25 13:16:01 -0500
.
.
.
pslist - Print all running processes by following the EPROCESS lists
In [6]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem pslist
Volatile Systems Volatility Framework 2.3_alpha
Offset(V)  Name            PID PPID Thds Hnds Sess   Wow64 Start                        Exit
---------- -------------- ---- ---- ---- ---- ------ ----- ---------------------------- ----
0x89c73830 System            4    0   56  327 ------     0
0x8979b020 smss.exe        384    4    3   21 ------     0 2013-02-20 21:52:20 UTC+0000
0x8978e238 csrss.exe       608  384   12  448      0     0 2013-02-20 21:52:22 UTC+0000
0x8978e660 winlogon.exe    632  384   19  565      0     0 2013-02-20 21:52:22 UTC+0000
0x89635610 services.exe    676  632   16  283      0     0 2013-02-20 21:52:22 UTC+0000
0x89af0880 lsass.exe       688  632   19  341      0     0 2013-02-20 21:52:22 UTC+0000
0x897a06e8 vmacthlp.exe    896  676    1   24      0     0 2013-02-20 21:52:22 UTC+0000
0x89b54388 svchost.exe     908  676   17  197      0     0 2013-02-20 21:52:22 UTC+0000
0x896f4a78 svchost.exe     972  676    9  276      0     0 2013-02-20 21:52:22 UTC+0000
0x89b04da0 svchost.exe    1120  676   61 1583      0     0 2013-02-20 21:52:22 UTC+0000
0x89b02578 svchost.exe    1176  676    5   87      0     0 2013-02-20 21:52:23 UTC+0000
0x89be0460 svchost.exe    1216  676   15  214      0     0 2013-02-20 21:52:23 UTC+0000
0x89bc9618 spoolsv.exe    1548  676   10  127      0     0 2013-02-20 21:52:24 UTC+0000
0x896fc980 svchost.exe    1684  676    6   89      0     0 2013-02-20 21:52:41 UTC+0000
0x8963e980 vmtoolsd.exe   1848  676    7  270      0     0 2013-02-20 21:52:41 UTC+0000
0x89844020 TPAutoConnSvc.  452  676    5  101      0     0 2013-02-20 21:52:49 UTC+0000
0x899fd6e0 alg.exe         588  676    6  106      0     0 2013-02-20 21:52:50 UTC+0000
0x89635ad0 explorer.exe   2012 1860   13  492      0     0 2013-02-20 21:53:00 UTC+0000
0x89b5eda0 rundll32.exe    808 2012    5   75      0     0 2013-02-20 21:53:01 UTC+0000
0x8979ac20 vmtoolsd.exe    692 2012    6  242      0     0 2013-02-20 21:53:01 UTC+0000
0x8979a3c0 TPAutoConnect. 1032  452    1   63      0     0 2013-02-20 21:53:01 UTC+0000
0x8979a7e8 wscntfy.exe    1168 1120    1   27      0     0 2013-02-20 21:53:02 UTC+0000
0x89838600 wuauclt.exe    2524 1120    3  132      0     0 2013-02-20 21:53:49 UTC+0000
0x89b3a328 chrome.exe     1796 2012   27  814      0     0 2013-02-20 22:02:12 UTC+0000
0x89aae9c8 chrome.exe     1704 1796    6   97      0     0 2013-02-20 22:02:13 UTC+0000
0x88e51358 chrome.exe     1480 1796    7   92      0     0 2013-02-20 22:18:49 UTC+0000
0x89442020 chrome.exe     1308 1796    7   94      0     0 2013-02-20 22:35:57 UTC+0000
0x88cfa970 chrome.exe     1788 1796    7   97      0     0 2013-02-20 22:37:38 UTC+0000
0x88970da0 cmd.exe        2384 2012    1   30      0     0 2013-02-25 05:19:24 UTC+0000
0x88f81da0 chrome.exe      856 1796    7   94      0     0 2013-02-25 07:33:05 UTC+0000
0x8853dda0 FTK Imager.exe 3168 2012    8  223      0     0 2013-02-25 18:15:37 UTC+0000
.
.
.
psscan - Scan Physical memory for _EPROCESS pool allocations
Run BASH commands
In [8]: !python /pentest/forensics/volatility/vol.py -f ~/Desktop/mem/memdump.mem psscan
Volatile Systems Volatility Framework 2.3_alpha
Offset(P)  Name            PID PPID PDB        Time created                 Time exited
---------- -------------- ---- ---- ---------- ---------------------------- ----------------------------
0x086c19c8 chrome.exe     1704 1796 0x0ff84000 2013-02-20 22:02:13 UTC+0000
0x0873dda0 FTK Imager.exe 3168 2012 0x0ff80340 2013-02-25 18:15:37 UTC+0000
0x08b70da0 cmd.exe        2384 2012 0x0ff83000 2013-02-25 05:19:24 UTC+0000
0x08efa970 chrome.exe     1788 1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x09051358 chrome.exe     1480 1796 0x0ff803c0 2013-02-20 22:18:49 UTC+0000
0x09181da0 chrome.exe      856 1796 0x0ff80460 2013-02-25 07:33:05 UTC+0000
0x095a7380 (?s?@?$? ?s??:u 23...8 23...0 0x893a73a0
0x09642020 chrome.exe     1308 1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000
0x09787da0 alg.exe        1484  676 0x0fe80180 2013-02-20 21:28:44 UTC+0000
0x09835610 services.exe    676  632 0x0ff80080 2013-02-20 21:52:22 UTC+0000
0x0983e980 vmtoolsd.exe   1848  676 0x0ff82000 2013-02-20 21:52:41 UTC+0000
0x09835ad0 explorer.exe   2012 1860 0x0ff80260 2013-02-20 21:53:00 UTC+0000
0x098f4a78 svchost.exe     972  676 0x0ff81000 2013-02-20 21:52:22 UTC+0000
0x098fc980 svchost.exe    1684  676 0x0ff810c0 2013-02-20 21:52:41 UTC+0000
0x0998e238 csrss.exe       608  384 0x0ff80040 2013-02-20 21:52:22 UTC+0000
0x0998e660 winlogon.exe    632  384 0x0ff80060 2013-02-20 21:52:22 UTC+0000
0x0999a3c0 TPAutoConnect. 1032  452 0x0ff802e0 2013-02-20 21:53:01 UTC+0000
0x0999a7e8 wscntfy.exe    1168 1120 0x0ff80220 2013-02-20 21:53:02 UTC+0000
0x0999ac20 vmtoolsd.exe    692 2012 0x0ff802c0 2013-02-20 21:53:01 UTC+0000
0x0999b020 smss.exe        384    4 0x0ff80020 2013-02-20 21:52:20 UTC+0000
0x099a06e8 vmacthlp.exe    896  676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x09a2f6e8 vmacthlp.exe    896  676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x09a38600 wuauclt.exe    2524 1120 0x0ff80380 2013-02-20 21:53:49 UTC+0000
0x09a44020 TPAutoConnSvc.  452  676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x09bfd6e0 alg.exe         588  676 0x0ff810e0 2013-02-20 21:52:50 UTC+0000
0x09cae9c8 chrome.exe     1704 1796 0x0ff84000 2013-02-20 22:02:13 UTC+0000
0x09cf0880 lsass.exe       688  632 0x0ff800a0 2013-02-20 21:52:22 UTC+0000
0x09d02578 svchost.exe    1176  676 0x0ff81040 2013-02-20 21:52:22 UTC+0000
0x09d04da0 svchost.exe    1120  676 0x0ff81020 2013-02-20 21:52:22 UTC+0000
0x09d3a328 chrome.exe     1796 2012 0x0ff80280 2013-02-20 22:02:12 UTC+0000
0x09d54388 svchost.exe     908  676 0x0ff800e0 2013-02-20 21:52:22 UTC+0000
0x09d5eda0 rundll32.exe    808 2012 0x0ff81080 2013-02-20 21:53:01 UTC+0000
0x09dc9618 spoolsv.exe    1548  676 0x0ff810a0 2013-02-20 21:52:24 UTC+0000
0x09de0460 svchost.exe    1216  676 0x0ff81060 2013-02-20 21:52:23 UTC+0000
0x09e73830 System            4    0 0x00334000
0x130d59c8 chrome.exe     1704 1796 0x0ff84000 2013-02-20 22:02:13 UTC+0000
0x13ac03c0 TPAutoConnect. 1032  452 0x0ff802e0 2013-02-20 21:53:01 UTC+0000
0x13ac07e8 wscntfy.exe    1168 1120 0x0ff80220 2013-02-20 21:53:02 UTC+0000
0x13ac0c20 vmtoolsd.exe    692 2012 0x0ff802c0 2013-02-20 21:53:01 UTC+0000
0x1a2f8da0 explorer.exe   2012 1860 0x0ff80260 2013-02-20 21:53:00 UTC+0000
0x1d263980 vmtoolsd.exe   1848  676 0x0ff82000 2013-02-20 21:52:41 UTC+0000
0x2006a020 TPAutoConnSvc.  452  676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x200866e8 vmacthlp.exe    896  676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x23400980 vmtoolsd.exe   1848  676 0x0ff82000 2013-02-20 21:52:41 UTC+0000
0x278f1618 spoolsv.exe    1548  676 0x0ff810a0 2013-02-20 21:52:24 UTC+0000
0x281d8970 chrome.exe     1788 1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x287989c8 chrome.exe     1704 1796 0x0ff84000 2013-02-20 22:02:13 UTC+0000
0x2b16e970 chrome.exe     1788 1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x2be156e8 vmacthlp.exe    896  676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x31bacda0 alg.exe        1484  676 0x0fe80180 2013-02-20 21:28:44 UTC+0000
0x321e5020 TPAutoConnSvc.  452  676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x35aacda0 svchost.exe    1120  676 0x0ff81020 2013-02-20 21:52:22 UTC+0000
0x3cbea578 svchost.exe    1176  676 0x0ff81040 2013-02-20 21:52:22 UTC+0000
0x43923da0 svchost.exe    1120  676 0x0ff81020 2013-02-20 21:52:22 UTC+0000
0x45fa5020 chrome.exe     1308 1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000
0x47370358 chrome.exe     1480 1796 0x0ff803c0 2013-02-20 22:18:49 UTC+0000
0x4a546da0 rundll32.exe    808 2012 0x0ff81080 2013-02-20 21:53:01 UTC+0000
0x4a8da610 services.exe    676  632 0x0ff80080 2013-02-20 21:52:22 UTC+0000
0x4d51b830 System            4    0 0x00334000
0x4db3c388 svchost.exe     908  676 0x0ff800e0 2013-02-20 21:52:22 UTC+0000
0x4e64a380 (?s?@?$? ?s??:u 23...8 23...0 0x893a73a0
0x54457880 lsass.exe       688  632 0x0ff800a0 2013-02-20 21:52:22 UTC+0000
0x57f9f970 chrome.exe     1788 1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000
0x586abda0 alg.exe        1484  676 0x0fe80180 2013-02-20 21:28:44 UTC+0000
0x5b2dfda0 rundll32.exe    808 2012 0x0ff81080 2013-02-20 21:53:01 UTC+0000
0x5b9e0020 TPAutoConnSvc.  452  676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x5d400618 spoolsv.exe    1548  676 0x0ff810a0 2013-02-20 21:52:24 UTC+0000
0x65a816e8 vmacthlp.exe    896  676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
0x6db39da0 explorer.exe   2012 1860 0x0ff80260 2013-02-20 21:53:00 UTC+0000
0x6df34610 services.exe    676  632 0x0ff80080 2013-02-20 21:52:22 UTC+0000
0x7494d020 chrome.exe     1308 1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000
0x77b5d020 TPAutoConnSvc.  452  676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000
0x7c64c6e8 vmacthlp.exe    896  676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000
.
.
.
pstree - Print process list as a tree
In [9]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem pstree
Volatile Systems Volatility Framework 2.3_alpha
Name                                Pid PPid Thds Hnds Time
----------------------------------- ---- ---- ---- ---- --------------------
 0x89c73830:System                     4    0   56  327 1970-01-0...UTC+0000
. 0x8979b020:smss.exe                384    4    3   21 2013-02-2...UTC+0000
.. 0x8978e238:csrss.exe              608  384   12  448 2013-02-2...UTC+0000
.. 0x8978e660:winlogon.exe           632  384   19  565 2013-02-2...UTC+0000
... 0x89635610:services.exe          676  632   16  283 2013-02-2...UTC+0000
.... 0x897a06e8:vmacthlp.exe         896  676    1   24 2013-02-2...UTC+0000
.... 0x89b54388:svchost.exe          908  676   17  197 2013-02-2...UTC+0000
.... 0x896fc980:svchost.exe         1684  676    6   89 2013-02-2...UTC+0000
.... 0x89b02578:svchost.exe         1176  676    5   87 2013-02-2...UTC+0000
.... 0x89bc9618:spoolsv.exe         1548  676   10  127 2013-02-2...UTC+0000
.... 0x8963e980:vmtoolsd.exe        1848  676    7  270 2013-02-2...UTC+0000
.... 0x89be0460:svchost.exe         1216  676   15  214 2013-02-2...UTC+0000
.... 0x89b04da0:svchost.exe         1120  676   61 1583 2013-02-2...UTC+0000
..... 0x8979a7e8:wscntfy.exe        1168 1120    1   27 2013-02-2...UTC+0000
..... 0x89838600:wuauclt.exe        2524 1120    3  132 2013-02-2...UTC+0000
.... 0x89844020:TPAutoConnSvc.       452  676    5  101 2013-02-2...UTC+0000
..... 0x8979a3c0:TPAutoConnect.     1032  452    1   63 2013-02-2...UTC+0000
.... 0x896f4a78:svchost.exe          972  676    9  276 2013-02-2...UTC+0000
.... 0x899fd6e0:alg.exe              588  676    6  106 2013-02-2...UTC+0000
... 0x89af0880:lsass.exe             688  632   19  341 2013-02-2...UTC+0000
 0x89635ad0:explorer.exe            2012 1860   13  492 2013-02-2...UTC+0000
. 0x89b3a328:chrome.exe             1796 2012   27  814 2013-02-2...UTC+0000
.. 0x89442020:chrome.exe            1308 1796    7   94 2013-02-2...UTC+0000
.. 0x88e51358:chrome.exe            1480 1796    7   92 2013-02-2...UTC+0000
.. 0x88f81da0:chrome.exe             856 1796    7   94 2013-02-2...UTC+0000
.. 0x89aae9c8:chrome.exe            1704 1796    6   97 2013-02-2...UTC+0000
.. 0x88cfa970:chrome.exe            1788 1796    7   97 2013-02-2...UTC+0000
. 0x89b5eda0:rundll32.exe            808 2012    5   75 2013-02-2...UTC+0000
. 0x8979ac20:vmtoolsd.exe            692 2012    6  242 2013-02-2...UTC+0000
. 0x88970da0:cmd.exe                2384 2012    1   30 2013-02-2...UTC+0000
. 0x8853dda0:FTK Imager.exe         3168 2012    8  223 2013-02-2...UTC+0000
.
.
.
clipboard - Extract the contents of the windows clipboard
In [10]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem clipboard
Volatile Systems Volatility Framework 2.3_alpha
Session WindowStation Format         Handle     Object     Data
------- ------------- -------------- ---------- ---------- -------------------------
      0 WinSta0       0xc009L        0x25e1013f 0xe182d1b8
      0 WinSta0       CF_UNICODETEXT 0x0        ----------
      0 WinSta0       0xc013L        0xed00b3   0xe1ebf220
      0 WinSta0       CF_LOCALE      0xbae014b  0xe2498d00
      0 WinSta0       CF_TEXT        0x1        ----------
      0 WinSta0       CF_OEMTEXT     0x1        ----------
.
.
.
connections - Print list of open connections [Windows XP and 2003 Only]
In [12]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem connections
Volatile Systems Volatility Framework 2.3_alpha
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ----
0x888e3e70 172.16.158.137:1853       172.16.158.144:4444       1120
0x88559e70 172.16.158.137:1854       172.16.158.144:4444       1120
0x88570e70 172.16.158.137:2130       172.16.158.144:4444       1120
0x88f3c008 172.16.158.137:1855       172.16.158.144:4444       1120
0x89681dd8 172.16.158.137:1852       172.16.158.144:4444       1120
0x89afea68 172.16.158.137:1856       172.16.158.144:4444       1120
.
.
.
sockets - Print list of open sockets
In [11]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem sockets
Volatile Systems Volatility Framework 2.3_alpha
Offset(V)   PID Port Proto Protocol Address        Create Time
---------- ---- ---- ----- -------- -------------- ----------------------------
0x8963a008 1176 1031    17 UDP      0.0.0.0        2013-02-20 21:53:01 UTC+0000
0x89ba36c8    4  137    17 UDP      172.16.158.137 2013-02-25 01:32:26 UTC+0000
0x89a98008  688  500    17 UDP      0.0.0.0        2013-02-20 21:52:42 UTC+0000
0x89b963c8 1120 1852     6 TCP      0.0.0.0        2013-02-25 05:06:47 UTC+0000
0x889fe008 1120 1856     6 TCP      0.0.0.0        2013-02-25 05:17:07 UTC+0000
0x89b027e0    4  445     6 TCP      0.0.0.0        2013-02-20 21:52:20 UTC+0000
0x896f2e98  972  135     6 TCP      0.0.0.0        2013-02-20 21:52:22 UTC+0000
0x893ec880 1176 1121    17 UDP      0.0.0.0        2013-02-20 21:57:42 UTC+0000
0x8921be98    4  138    17 UDP      172.16.158.137 2013-02-25 01:32:26 UTC+0000
0x89b047e8 1120 1853     6 TCP      0.0.0.0        2013-02-25 05:14:29 UTC+0000
0x890eee98 1120  123    17 UDP      172.16.158.137 2013-02-25 01:32:26 UTC+0000
0x88c8c008 1120  123    17 UDP      127.0.0.1      2013-02-25 01:32:26 UTC+0000
0x89569820  688    0   255 Reserved 0.0.0.0        2013-02-20 21:52:42 UTC+0000
0x88930608 1176 1405    17 UDP      0.0.0.0        2013-02-20 22:40:27 UTC+0000
0x89aaad08 1176 1212    17 UDP      0.0.0.0        2013-02-20 21:57:42 UTC+0000
0x89718650 1176 1037    17 UDP      0.0.0.0        2013-02-20 21:53:27 UTC+0000
0x88667008 1120 1854     6 TCP      0.0.0.0        2013-02-25 05:15:35 UTC+0000
0x89551420  588 1026     6 TCP      127.0.0.1      2013-02-20 21:52:50 UTC+0000
0x88df7dc0 1216 1900    17 UDP      172.16.158.137 2013-02-25 01:32:26 UTC+0000
0x88bdbab0 1216 1900    17 UDP      127.0.0.1      2013-02-25 01:32:26 UTC+0000
0x89aa8530 1120 2130     6 TCP      0.0.0.0        2013-02-25 18:12:13 UTC+0000
0x89644e98 1176 1038    17 UDP      0.0.0.0        2013-02-20 21:53:27 UTC+0000
0x897a4200    4  139     6 TCP      172.16.158.137 2013-02-25 01:32:26 UTC+0000
0x897afe98  688 4500    17 UDP      0.0.0.0        2013-02-20 21:52:42 UTC+0000
0x89bcc548 1120 1855     6 TCP      0.0.0.0        2013-02-25 05:16:28 UTC+0000
0x89b02c08    4  445    17 UDP      0.0.0.0        2013-02-20 21:52:20 UTC+0000
.
.
.
hivelist - Print list of registry hives.
In [13]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem hivelist
Volatile Systems Volatility Framework 2.3_alpha
Virtual    Physical   Name
---------- ---------- ----
0xe1eeeb60 0x14902b60 \Device\HarddiskVolume1\Documents and Settings\test\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1f1d008 0x16215008 \Device\HarddiskVolume1\Documents and Settings\test\NTUSER.DAT
0xe19a57c8 0x121777c8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe199c008 0x121eb008 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe1980008 0x11d68008 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1974b60 0x11cd8b60 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1635b60 0x0fde0b60 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1603758 0x0f8d9758 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe162ab60 0x0fe1bb60 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe16176c8 0x0f8e46c8 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe13e2b60 0x0a720b60 [no name]
0xe1035b60 0x0a370b60 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008 0x0a36a008 [no name]
.
.
.
hashdump - Dumps passwords hashes (LM/NTLM) from memory
In [14]: # -y = \WINDOWS\system32\config\SAM
         # -s = \WINDOWS\system32\config\system
         !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem --profile=WinXPSP2x86 hashdump -s 0xe162ab60 -y
Volatile Systems Volatility Framework 2.3_alpha
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2861afb8a23acec288415edc5b39e173:e85590fb00de5f6acb4bf7594cebd405:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:03755d08479681fbedac638963d0d87b:::
test:1004:e52cac67419a9a224a3b108f3fa6cb6d:88647faeeef81b71da60db8d037b85c6:::
.
.
.
Getting help
In [15]: !python /pentest/forensics/volatility/vol.py -h
Volatile Systems Volatility Framework 2.3_alpha
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/root/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/root/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the timezone for displaying timestamps
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load
  -l LOCATION, --location=LOCATION
.
.
.
sessions - List details on _MM_SESSION_SPACE (user logon sessions)
In [17]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem sessions
Volatile Systems Volatility Framework 2.3_alpha
**************************************************
Session(V): bacdc000 ID: 0 Processes: 29
PagedPoolStart: bc000000 PagedPoolEnd bc3fffff
 Process: 608 csrss.exe 2013-02-20 21:52:22 UTC+0000
 Process: 632 winlogon.exe 2013-02-20 21:52:22 UTC+0000
 Process: 676 services.exe 2013-02-20 21:52:22 UTC+0000
 Process: 688 lsass.exe 2013-02-20 21:52:22 UTC+0000
 Process: 896 vmacthlp.exe 2013-02-20 21:52:22 UTC+0000
 Process: 908 svchost.exe 2013-02-20 21:52:22 UTC+0000
 Process: 972 svchost.exe 2013-02-20 21:52:22 UTC+0000
 Process: 1120 svchost.exe 2013-02-20 21:52:22 UTC+0000
 Process: 1176 svchost.exe 2013-02-20 21:52:22 UTC+0000
 Process: 1216 svchost.exe 2013-02-20 21:52:23 UTC+0000
 Process: 1548 spoolsv.exe 2013-02-20 21:52:24 UTC+0000
 Process: 1684 svchost.exe 2013-02-20 21:52:41 UTC+0000
 Process: 1848 vmtoolsd.exe 2013-02-20 21:52:41 UTC+0000
 Process: 452 TPAutoConnSvc. 2013-02-20 21:52:49 UTC+0000
 Process: 588 alg.exe 2013-02-20 21:52:50 UTC+0000
 Process: 2012 explorer.exe 2013-02-20 21:53:00 UTC+0000
 Process: 808 rundll32.exe 2013-02-20 21:53:01 UTC+0000
 Process: 692 vmtoolsd.exe 2013-02-20 21:53:01 UTC+0000
 Process: 1032 TPAutoConnect. 2013-02-20 21:53:01 UTC+0000
 Process: 1168 wscntfy.exe 2013-02-20 21:53:02 UTC+0000
 Process: 2524 wuauclt.exe 2013-02-20 21:53:49 UTC+0000
 Process: 1796 chrome.exe 2013-02-20 22:02:12 UTC+0000
 Process: 1704 chrome.exe 2013-02-20 22:02:13 UTC+0000
 Process: 1480 chrome.exe 2013-02-20 22:18:49 UTC+0000
 Process: 1308 chrome.exe 2013-02-20 22:35:57 UTC+0000
 Process: 1788 chrome.exe 2013-02-20 22:37:38 UTC+0000
 Process: 2384 cmd.exe 2013-02-25 05:19:24 UTC+0000
 Process: 856 chrome.exe 2013-02-25 07:33:05 UTC+0000
 Process: 3168 FTK Imager.exe 2013-02-25 18:15:37 UTC+0000
 Image: 0x89e871b8, Address bf800000, Name: win32k.sys
 Image: 0x89923590, Address bf9c1000, Name: dxg.sys
 Image: 0x89abb3b8, Address bf9d3000, Name: vmx_fb.dll
 Image: 0x89534a58, Address bffa0000, Name: ATMFD.DLL
 Image: 0xbff700c9, Address c05d6e60, Name:
.
.
.
Manipulating data into python data structures
In [19]: data = !python /pentest/forensics/volatility/vol.py -f ~/Desktop/mem/memdump.mem pslist
         data
Out[19]: ['Volatile Systems Volatility Framework 2.3_alpha',
 ' Offset(V)  Name            PID PPID Thds Hnds Sess   Wow64 Start                        Exit',
 '---------- -------------- ---- ---- ---- ---- ------ ----- ---------------------------- ----',
 '0x89c73830 System            4    0   56  327 ------     0 ',
 '0x8979b020 smss.exe        384    4    3   21 ------     0 2013-02-20 21:52:20 UTC+0000 ',
 '0x8978e238 csrss.exe       608  384   12  448      0     0 2013-02-20 21:52:22 UTC+0000 ',
 '0x8978e660 winlogon.exe    632  384   19  565      0     0 2013-02-20 21:52:22 UTC+0000 ',
 '0x89635610 services.exe    676  632   16  283      0     0 2013-02-20 21:52:22 UTC+0000 ',
 '0x89af0880 lsass.exe       688  632   19  341      0     0 2013-02-20 21:52:22 UTC+0000 ',
 '0x897a06e8 vmacthlp.exe    896  676    1   24      0     0 2013-02-20 21:52:22 UTC+0000 ',
 '0x89b54388 svchost.exe     908  676   17  197      0     0 2013-02-20 21:52:22 UTC+0000 ',
 '0x896f4a78 svchost.exe     972  676    9  276      0     0 2013-02-20 21:52:22 UTC+0000 ',
 '0x89b04da0 svchost.exe    1120  676   61 1583      0     0 2013-02-20 21:52:22 UTC+0000 ',
 '0x89b02578 svchost.exe    1176  676    5   87      0     0 2013-02-20 21:52:23 UTC+0000 ',
 '0x89be0460 svchost.exe    1216  676   15  214      0     0 2013-02-20 21:52:23 UTC+0000 ',
 '0x89bc9618 spoolsv.exe    1548  676   10  127      0     0 2013-02-20 21:52:24 UTC+0000 ',
 '0x896fc980 svchost.exe    1684  676    6   89      0     0 2013-02-20 21:52:41 UTC+0000 ',
 '0x8963e980 vmtoolsd.exe   1848  676    7  270      0     0 2013-02-20 21:52:41 UTC+0000 ',
 '0x89844020 TPAutoConnSvc.  452  676    5  101      0     0 2013-02-20 21:52:49 UTC+0000 ',
 '0x899fd6e0 alg.exe         588  676    6  106      0     0 2013-02-20 21:52:50 UTC+0000 ',
 '0x89635ad0 explorer.exe   2012 1860   13  492      0     0 2013-02-20 21:53:00 UTC+0000 ',
 '0x89b5eda0 rundll32.exe    808 2012    5   75      0     0 2013-02-20 21:53:01 UTC+0000 ',
 '0x8979ac20 vmtoolsd.exe    692 2012    6  242      0     0 2013-02-20 21:53:01 UTC+0000 ',
 '0x8979a3c0 TPAutoConnect. 1032  452    1   63      0     0 2013-02-20 21:53:01 UTC+0000 ',
 '0x8979a7e8 wscntfy.exe    1168 1120    1   27      0     0 2013-02-20 21:53:02 UTC+0000 ',
 '0x89838600 wuauclt.exe    2524 1120    3  132      0     0 2013-02-20 21:53:49 UTC+0000 ',
 '0x89b3a328 chrome.exe     1796 2012   27  814      0     0 2013-02-20 22:02:12 UTC+0000 ',
 '0x89aae9c8 chrome.exe     1704 1796    6   97      0     0 2013-02-20 22:02:13 UTC+0000 ',
 '0x88e51358 chrome.exe     1480 1796    7   92      0     0 2013-02-20 22:18:49 UTC+0000 ',
 '0x89442020 chrome.exe     1308 1796    7   94      0     0 2013-02-20 22:35:57 UTC+0000 ',
 '0x88cfa970 chrome.exe     1788 1796    7   97      0     0 2013-02-20 22:37:38 UTC+0000 ',
 '0x88970da0 cmd.exe        2384 2012    1   30      0     0 2013-02-25 05:19:24 UTC+0000 ',
 '0x88f81da0 chrome.exe      856 1796    7   94      0     0 2013-02-25 07:33:05 UTC+0000 ',
 '0x8853dda0 FTK Imager.exe 3168 2012    8  223      0     0 2013-02-25 18:15:37 UTC+0000 ']
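Captured with `!`, the pslist output is just a list of strings, so the next step is to turn those strings into records you can query. The following is an added example, not code from the original notebook, showing how to parse pslist and psscan captures into dictionaries and then cross-check them: a process that the pool scanner finds but the EPROCESS list walk does not, and that has no exit time, is either a terminated process still sitting in pool memory or a deliberately unlinked one, which is the comparison that psxview automates. The sample lines below are constructed for this example (the column layout follows Volatility 2.3's output; the offsets, PIDs and times are made up).

```python
import re

# Constructed sample capture (not the notebook's real data). The first three
# lines are the banner, header and separator that `!python vol.py ... pslist`
# returns ahead of the process rows.
PSLIST_SAMPLE = [
    "Volatile Systems Volatility Framework 2.3_alpha",
    " Offset(V)  Name  PID  PPID  Thds  Hnds  Sess  Wow64  Start  Exit",
    "---------- ---------- ------ ------ ------ -------- ------ ------ ---------- ----------",
    "0x81e8a020 System                    4      0     56      327 ------      0",
    "0x81d2c3a8 smss.exe                376      4      3       21 ------      0 2013-02-20 21:52:20 UTC+0000",
    "0x81c1f6b0 explorer.exe           1456   1412     13      492      0      0 2013-02-20 21:53:00 UTC+0000",
    "0x81b9e7d8 FTK Imager.exe         2804   1456      8      223      0      0 2013-02-25 18:15:37 UTC+0000",
]

# Constructed psscan capture for the same image: one terminated cmd.exe that
# carries an exit time, and one svchost.exe that the list walk never reported.
PSSCAN_SAMPLE = [
    "Volatile Systems Volatility Framework 2.3_alpha",
    " Offset(P)  Name  PID  PPID  PDB  Time created  Time exited",
    "---------- ---------- ------ ------ ---------- ---------- ----------",
    "0x01e8a020 System                    4      0 0x00334000",
    "0x01d2c3a8 smss.exe                376      4 0x0ff80020 2013-02-20 21:52:20 UTC+0000",
    "0x01c1f6b0 explorer.exe           1456   1412 0x0ff80260 2013-02-20 21:53:00 UTC+0000",
    "0x01b9e7d8 FTK Imager.exe         2804   1456 0x0ff80340 2013-02-25 18:15:37 UTC+0000",
    "0x02a40da0 cmd.exe                2100   1456 0x0ff83000 2013-02-25 05:19:24 UTC+0000 2013-02-25 05:40:02 UTC+0000",
    "0x02f7c2b0 svchost.exe            1900   1456 0x0ff81a60 2013-02-25 06:02:11 UTC+0000",
]

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+0000"

# Process names may contain spaces ("FTK Imager.exe"), so the name is matched
# lazily and pinned down by the numeric columns that follow it.
PSLIST_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>-+|\d+)\s+(?P<wow64>\d+)"
    r"(?:\s+(?P<start>" + TS + r"))?(?:\s+(?P<exit>" + TS + r"))?\s*$"
)
PSSCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<pdb>0x[0-9a-f]+)"
    r"(?:\s+(?P<created>" + TS + r"))?(?:\s+(?P<exited>" + TS + r"))?\s*$"
)


def _parse(lines, regex, int_fields):
    """Turn matching output lines into dicts; banner, header and separator
    lines simply fail the regex and are skipped."""
    rows = []
    for line in lines:
        m = regex.match(line)
        if not m:
            continue
        row = m.groupdict()
        for field in int_fields:
            row[field] = int(row[field])
        rows.append(row)
    return rows


def parse_pslist(lines):
    return _parse(lines, PSLIST_RE, ("pid", "ppid", "thds", "hnds", "wow64"))


def parse_psscan(lines):
    return _parse(lines, PSSCAN_RE, ("pid", "ppid"))


def children_of(pslist_rows, ppid):
    """Names of the processes whose parent is ppid (one level of pstree)."""
    return [r["name"] for r in pslist_rows if r["ppid"] == ppid]


def unlisted_processes(pslist_rows, psscan_rows):
    """psscan hits that pslist did not report and that have no exit time.

    Terminated processes are expected to linger in pool memory; an entry with
    no exit time that is absent from the linked list deserves a closer look.
    """
    listed = {(r["name"], r["pid"]) for r in pslist_rows}
    return [
        r for r in psscan_rows
        if (r["name"], r["pid"]) not in listed and r["exited"] is None
    ]


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    for r in procs:
        print(r["pid"], r["name"], r["start"] or "(no start time)")
    for r in unlisted_processes(procs, parse_psscan(PSSCAN_SAMPLE)):
        print("not in pslist:", r["pid"], r["name"], r["offset"])
```

In the notebook the same functions take `data` (or a second capture made with `psscan`) directly, since IPython's `!` capture behaves like a list of lines.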
.
.
.
Looking at all the strings in the memory dump
In [21]: text_strings = !strings /root/Desktop/mem/memdump.mem
In [22]: text_strings[0:10]
Out[22]: ['msvcrt.dll',
 'GDI32.dll',
 'KERNEL32.dll',
 'USER32.dll',
 'ADVAPI32.dll',
 'ole32.dll',
 'SHLWAPI.dll',
 'SHDOCVW.dll',
 'msls31.dll',
 '__dllonexit']
.
.
.
Created a small grep function to look for "Visited:"
I [6: dfgep(erhtr,tx_tig)
n 2] e rpysac_em etsrns:
tm_it[
epls=]
127.0.0.1:8888/7a585fcf-831c-4a52-9467-8058650e65b8/print 10/14
11. 3/6/13 IPython Notebook
frie i tx_tig:
o tm n etsrns
i sac_emi ie:
f erhtr n tm
tm_itapn(tm
epls.pedie)
rtr tm_it
eun epls
gep(Vstd ts@,tx_tig)
rpy"iie: et" etsrns
Out[26]: ['wwVisited: test@hcp://system/compatctr/compatmode.htm',
 'Visited: test@http://code.google.com/p/volatility/wiki/VolatilityBranches',
 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=ftk+imager+lite',
 'Visited: test@http://www.accessdata.com/downloads.html',
 'Visited: test@http://www.forensicswiki.org/wiki/FTK_Imager',
 'Visited: test@http://www.securitynewsportal.com/itsecurity/index.html?title=FTK_Imager_Lite_2.6.1',
 'Visited: test@about:blank',
 'Visited: test@https://www.google.com/intl/en/chrome/browser/thankyou.html',
 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=chrome',
 'Visited: test@http://support.google.com/chrome/bin/answer.py?hl=en&answer=95346',
 'Visited: test@https://www.google.com/intl/en/chrome',
 'Visited: test@file:///C:/Documents%20and%20Settings/test/Desktop/winpmem-1.3.1.zip',
 'Visited: test@about:Home',
 'Visited: test@res://C:\WINDOWS\system32\shdoclc.dll/dnserror.htm',
 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=mozilla',
 'Visited: test@https://code.google.com/p/volatility/downloads/detail?name=winpmem-1.3.1.zip',
 'Visited: test@http://docs.python.org/faq/windows',
 'Visited: test@https://volatility.googlecode.com/files/winpmem-1.3.1.zip',
 'Visited: test@http://autosearch.msn.com/response.asp?MT=python+windows+xp&srch=3&prov=&utf8',
 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=python+windows+xp',
 'Visited: test@http://docs.python.org/2/faq/windows',
 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=volatility+3+tech+preview+windows',
 'Visited: test@http://www.securitynewsportal.com/securityblogs/article.php?title=FTK_Imager_Lite_2.6.1',
 'Visited: test@http://code.google.com/p/volatility/wiki/VolatilityRoadmap',
 'Visited: test@http://code.google.com/p/volatility/wiki/SampleMemoryImages',
 'Visited: test@https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B86869B5E-2813-D371-C73C-4998ABD3006E%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers/update2/installers/Chr
 'Visited: test@http://code.google.com/p/volatility/wiki/VolatilityBranches',
 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=ftk+imager+lite',
 'Visited: test@http://www.accessdata.com/downloads.html',
 'Visited: test@http://www.forensicswiki.org/wiki/FTK_Imager',
 'Visited: test@http://www.securitynewsportal.com/itsecurity/index.html?title=FTK_Imager_Lite_2.6.1',
 'Visited: test@about:blank',
 'Visited: test@https://www.google.com/intl/en/chrome/browser/thankyou.html',
 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=chrome',
 'Visited: test@http://support.google.com/chrome/bin/answer.py?hl=en&answer=95346',
 'Visited: test@https://www.google.com/intl/en/chrome',
 'Visited: test@http://code.google.com/p/volatility/wiki/SampleMemoryImages',
 'Visited: test@https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B86869B5E-2813-D371-C73C-4998ABD3006E%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers/update2/installers/Chr
 'wwVisited: test@about:blank',
 'wwVisited: test@about:blank',
 'Visited: test@http://code.google.com/p/volatility/wiki/SampleMemoryImages',
 'Visited: test@https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B86869B5E-2813-D371-C73C-4998ABD3006E%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers/update2/installers/Chr
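As an added example (not part of the original notebook), the same "Visited: user@url" records can be split into user and URL, deduplicated, and tallied per host instead of being eyeballed as raw strings. It is written for Python 3 (the notebook itself runs Python 2), and SAMPLE_STRINGS is constructed from the kind of entries shown above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: strings of the "Visited: <user>@<url>" form shown above,
# one with the leading junk that `strings` attaches, plus an unrelated string.
SAMPLE_STRINGS = [
    "msvcrt.dll",
    "wwVisited: test@about:blank",
    "Visited: test@http://www.accessdata.com/downloads.html",
    "Visited: test@http://www.forensicswiki.org/wiki/FTK_Imager",
    "Visited: test@http://www.accessdata.com/downloads.html",
    "Visited: test@file:///C:/Documents%20and%20Settings/test/Desktop/winpmem-1.3.1.zip",
    "Visited: test@about:blank",
]

# Anchored on the keyword, not on the line start, so junk before it is tolerated.
VISITED_RE = re.compile(r"Visited: (?P<user>[^@\s]+)@(?P<url>\S+)")


def visited_entries(strings):
    """Return (user, url) for every 'Visited:' record, in dump order."""
    entries = []
    for line in strings:
        m = VISITED_RE.search(line)
        if m is not None:
            entries.append((m.group("user"), m.group("url")))
    return entries


def unique(entries):
    """Drop repeats (a dump holds many copies of the same record), keeping
    the first occurrence so the relative order is preserved."""
    seen = set()
    out = []
    for pair in entries:
        if pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


def hosts_by_count(entries):
    """Tally records per host; URLs without a host (about:, file:, res:)
    are counted under their scheme so they are not silently dropped."""
    counts = Counter()
    for _user, url in entries:
        parts = urlsplit(url)
        counts[parts.netloc or parts.scheme] += 1
    return counts.most_common()
```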
.
.
.
Searching for data in sockets
In [23]: sockets_list = !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem sockets
In [25]: for item in sockets_list[3:]:
             item = item.split()
             if "172.16.158.137" in item:
                 print item[5], item[6], item[7]
172.16.158.137 2013-02-25 01:32:26
172.16.158.137 2013-02-25 01:32:26
172.16.158.137 2013-02-25 01:32:26
172.16.158.137 2013-02-25 01:32:26
172.16.158.137 2013-02-25 01:32:26
In [26]: sockets_list
Out[26]: ['Volatile Systems Volatility Framework 2.3_alpha',
 'Offset(V) PID Port Proto Protocol Address Create Time',
 '---------- ---- ----- ----- -------- --------------- -----------',
 '0x8963a008 1176 1031 17 UDP 0.0.0.0 2013-02-20 21:53:01 UTC+0000',
 '0x89ba36c8 4 137 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000',
 '0x89a98008 688 500 17 UDP 0.0.0.0 2013-02-20 21:52:42 UTC+0000',
 '0x89b963c8 1120 1852 6 TCP 0.0.0.0 2013-02-25 05:06:47 UTC+0000',
 '0x889fe008 1120 1856 6 TCP 0.0.0.0 2013-02-25 05:17:07 UTC+0000',
 '0x89b027e0 4 445 6 TCP 0.0.0.0 2013-02-20 21:52:20 UTC+0000',
 '0x896f2e98 972 135 6 TCP 0.0.0.0 2013-02-20 21:52:22 UTC+0000',
 '0x893ec880 1176 1121 17 UDP 0.0.0.0 2013-02-20 21:57:42 UTC+0000',
 '0x8921be98 4 138 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000',
 '0x89b047e8 1120 1853 6 TCP 0.0.0.0 2013-02-25 05:14:29 UTC+0000',
 '0x890eee98 1120 123 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000',
 '0x88c8c008 1120 123 17 UDP 127.0.0.1 2013-02-25 01:32:26 UTC+0000',
 '0x89569820 688 0 255 Reserved 0.0.0.0 2013-02-20 21:52:42 UTC+0000',
 '0x88930608 1176 1405 17 UDP 0.0.0.0 2013-02-20 22:40:27 UTC+0000',
 '0x89aaad08 1176 1122 17 UDP 0.0.0.0 2013-02-20 21:57:42 UTC+0000',
 '0x89718650 1176 1037 17 UDP 0.0.0.0 2013-02-20 21:53:27 UTC+0000',
 '0x88667008 1120 1854 6 TCP 0.0.0.0 2013-02-25 05:15:35 UTC+0000',
 '0x89551420 588 1026 6 TCP 127.0.0.1 2013-02-20 21:52:50 UTC+0000',
 '0x88df7dc0 1216 1900 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000',
 '0x88bdbab0 1216 1900 17 UDP 127.0.0.1 2013-02-25 01:32:26 UTC+0000',
 '0x89aa8530 1120 2130 6 TCP 0.0.0.0 2013-02-25 18:12:13 UTC+0000',
 '0x8964e498 1176 1038 17 UDP 0.0.0.0 2013-02-20 21:53:27 UTC+0000',
 '0x897a4200 4 139 6 TCP 172.16.158.137 2013-02-25 01:32:26 UTC+0000',
 '0x897afe98 688 4500 17 UDP 0.0.0.0 2013-02-20 21:52:42 UTC+0000',
 '0x89bcc548 1120 1855 6 TCP 0.0.0.0 2013-02-25 05:16:28 UTC+0000',
 '0x89b02c08 4 445 17 UDP 0.0.0.0 2013-02-20 21:52:20 UTC+0000']
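An added example (not from the original notebook) that parses the `sockets` output above into records instead of indexing split() fields by position, so the same list can be filtered by address, PID or protocol. It assumes Python 3 and the column layout of the Volatility 2.3 `sockets` plugin; SAMPLE_OUTPUT is constructed from rows of the kind shown in the listing.

```python
from collections import namedtuple

Socket = namedtuple("Socket", "offset pid port proto protocol address created")

# Constructed sample in the plugin's layout: banner, column header, dashed
# rule, then one row per socket (values taken from the listing above).
SAMPLE_OUTPUT = """Volatile Systems Volatility Framework 2.3_alpha
Offset(V)  PID  Port  Proto  Protocol  Address  Create Time
---------- ---- ----- ----- -------- --------------- -----------
0x8963a008 1176 1031 17 UDP 0.0.0.0 2013-02-20 21:53:01 UTC+0000
0x89ba36c8 4 137 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000
0x89b027e0 4 445 6 TCP 0.0.0.0 2013-02-20 21:52:20 UTC+0000
0x89551420 588 1026 6 TCP 127.0.0.1 2013-02-20 21:52:50 UTC+0000
""".splitlines()


def parse_sockets(lines):
    """Turn `sockets` output into Socket records.

    The notebook's sockets_list[3:] assumes the banner, header and rule are
    always exactly three lines; checking each line's shape instead survives
    extra banner lines (for example a warning printed by the plugin)."""
    records = []
    for line in lines:
        fields = line.split()
        # A data row has nine tokens and starts with a hex offset.
        if len(fields) != 9 or not fields[0].startswith("0x"):
            continue
        offset, pid, port, proto, protocol, address, date, time, tz = fields
        records.append(Socket(int(offset, 16), int(pid), int(port),
                              int(proto), protocol, address,
                              "%s %s %s" % (date, time, tz)))
    return records


def bound_to(records, address):
    """The In [25] filter: every socket bound to the given address."""
    return [s for s in records if s.address == address]


def listening_ports(records, protocol="TCP"):
    """Distinct ports per protocol, a quick triage view of what was open."""
    return sorted({s.port for s in records if s.protocol == protocol})


if __name__ == "__main__":
    socks = parse_sockets(SAMPLE_OUTPUT)
    for s in bound_to(socks, "172.16.158.137"):
        print(s.address, s.created)   # 172.16.158.137 2013-02-25 01:32:26 UTC+0000
    print(listening_ports(socks))     # [445, 1026]
```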
.
.
.
Malfind plugin
In [27]: !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem malfind
Volatile Systems Volatility Framework 2.3_alpha
Process: csrss.exe Pid: 608 Address: 0x7f6f0000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6

0x7f6f0000  c8 00 00 00 9c 01 00 00 fe fe fe fe 08 70 00 00   ..............p.
0x7f6f0010  08 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00   ................
0x7f6f0020  00 02 00 00 00 20 00 00 8d 01 00 00 ff ef fd 7f   ................
0x7f6f0030  03 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x7f6f0000 c8000000         ENTER 0x0, 0x0
0x7f6f0004 9c               PUSHF
0x7f6f0005 0100             ADD [EAX], EAX
0x7f6f0007 00ff             ADD BH, BH
0x7f6f0009 ee               OUT DX, AL
0x7f6f000a fe               DB 0xfe
0x7f6f000b ee               OUT DX, AL
0x7f6f000c 087000           OR [EAX+0x0], DH
0x7f6f000f 0008             ADD [EAX], CL
0x7f6f0011 0000             ADD [EAX], AL