Room link: https://tryhackme.com/room/memoryforensics
The first task just covers basic information about the Volatility tool, which is mostly used for memory analysis.
In our second task, we're given Snapshot6.vmem and asked to find John's password.
The first step I took in all of these tasks is identifying the correct memory profile to use with Volatility, which can be done via:
vol.py -f <memory dump file path> imageinfo
which outputs:
So the ideal profile for this memory dump is Win7SP1x64.
Now that we have the correct profile, we must determine the Volatility plugin to use. The Volatility plugin that outputs the password hashes from a memory dump is hashdump.
So we run:
vol.py -f <memory dump file path> --profile=Win7SP1x64 hashdump
which outputs:
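As an added example (not part of the original write-up or of Volatility itself), the Python helper below picks the first profile from imageinfo's "Suggested Profile(s)" line, builds the hashdump command used above, and parses hashdump's pwdump-style user:rid:lmhash:nthash::: lines, flagging accounts whose NT hash is the well-known hash of the empty password. Both sample outputs are constructed for illustration, not the real Snapshot6.vmem results.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# NT hash of the empty string: an account with this hash has no password set.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample of Volatility 2 imageinfo output (not the real Snapshot6.vmem result).
SAMPLE_IMAGEINFO = """Volatility Foundation Volatility Framework 2.6
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
"""

# Constructed sample of hashdump output (pwdump format: user:rid:lmhash:nthash:::).
SAMPLE_HASHDUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

def suggested_profile(imageinfo_output: str) -> str | None:
    """Return the first profile on the 'Suggested Profile(s)' line, or None if absent."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*([^\n]+)", imageinfo_output)
    return m.group(1).split(",")[0].strip() if m else None

def hashdump_command(dump_path: str, profile: str) -> list[str]:
    """Build the argv for the hashdump invocation used in the write-up."""
    return ["vol.py", "-f", dump_path, f"--profile={profile}", "hashdump"]

@dataclass
class SamEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def empty_password(self) -> bool:
        return self.nt_hash.lower() == EMPTY_NT_HASH

def parse_hashdump(output: str) -> dict[str, SamEntry]:
    """Parse pwdump-style lines keyed by user name, skipping banners and malformed lines."""
    entries: dict[str, SamEntry] = {}
    for line in output.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries[parts[0]] = SamEntry(parts[0], int(parts[1]), parts[2], parts[3])
    return entries
```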