Memory Analysis

VMEM dump

Use Volatility to get some basic information about the memory dump.

Depending on whether you are using Volatility 2 or Volatility 3, the commands below might differ, but the methodology stays pretty much the same.

While running Vol3, if you run into "AttributeError: function/symbol 'ARC4_stream_init'", the fix is: pip3 install pycryptodome==3.0.0

python3 vol.py imageinfo -f Snapshot.vmem        (Volatility 2 plugin; the Volatility 3 equivalent is: python3 vol.py -f Snapshot.vmem windows.info)

Depending on the output, you might be able to enumerate further. In Volatility 2, imageinfo lists the suggested profile(s), and the first one is what you pass to later plugins with --profile; without a matching profile, plugins such as hashdump fail or return nothing.

python3 vol.py -f Snapshot.vmem --profile=<profile from imageinfo> hashdump        (Volatility 3 equivalent: python3 vol.py -f Snapshot.vmem windows.hashdump)
