5 years later and this video still incredible. Amazing explanation, make things much easier to understand how it works. congrats and thank you for share your knowledge with us .

I’ve been using this channel to reinforce what I’ve been learning in the SANS FOR508 and course and it’s helped me so much. Thank you!

Very good tutorial for forensic analysis of memory. Keep up the good work.

Richard , Thanks for such wonderful Explanation , I completed SANS508 because of this

This is a perfect primer! Thanks a lot for the effort and sharing it to the community. Huge fun of your work :)

Hi, A very informative tutorial for learning memory forensics. Nicely presented. Thanks

wonderful Explanation. thanks for sharing this contents with us

Great Sir. Nice and clean info with demo on memory forensic.

I learned a lot from ur video Really ur videos are awesome and Thank You So Much For The Video

Incredible content, presented so well! Thanks for doing this.

Thank you for the informative video on memory forensics. I am a beginner and found this video very helpful.

Awesome video sir!

great great video, tqu for this usefull video sir

i didn't understand anything in class but you can clearly explain this and makes me understand! thank you!

@louisarturo5111

2 жыл бұрын

Sorry to be offtopic but does someone know a trick to log back into an Instagram account? I somehow lost the password. I would appreciate any assistance you can offer me

@ElCyberWizard

2 жыл бұрын

@@louisarturo5111 sus

best video about volatility ever

Awesome series Richard! keep up these great videos!!

Great video - thank you!

Great video... Thanks...

awesome content

This was nice to watch.

AWESOME video man. You have a great caster voice, you should do voiceovers or commercials.

Perfect class❤️

Great video, I learned a lot. I will have to check out this red line tool as well.

How do I find out who is in control of any assets that I didn’t know I had.

Well done! thanks!

@13Cubed

5 жыл бұрын

L Barrera Thanks! Be sure to check out the playlist for the remaining episodes in the series, as there are plenty more.

Amazing- Thank you

Hello sir. Are we going to use writeblocker while capturing ram?

Greetings, At the 20:32 time mark, you ran: volatility -f -memdump.mem --profile=Win10x64_14393 -h Part of the output from that command included: truecryptmaster Recover TrueCrypt 7.1a Master Keys truecryptpassphrase TrueCrypt Cached Passphrase Finder truecryptsummary TrueCrypt Summary Would you please explain, under what circumstances, TrueCrypt is vulnerable? Is it specific to only version 7.1a? The virtues of truecrypt and veracrypt are that they are open source, and supposedly have no known technical (or design) vulnerabilities (other than user errors -- such as using "password1" for a passphrase or having a keylogger in the OS, etc). So seeing the above truecrypt references is news to me. Is VeraCrypt also susceptible or vulnerable via "volatility" or any other forensics software? It would be good to know if the vault a person is using can be opened by others. What should the user do to keep their encrypted volumes from being compromised? I am not asking how to break into other people's encrypted volumes. I am asking how to keep my encrypted volumes safe from an attacker. Can I trust VeraCrypt? Thank you.

Hey Richard, thank you for the videos, I started to fiddle with volatility, is it normal that imageinfo takes hours to run and still doesnt complete? I tried it on a 32GB memdump and a 16GB one, on the 32GB it ran for 2.5 hours before I hit control+c, the 16GB is running now for close to an hour without any output. (Drive is an ssd, hardware is modern 4 core processor, not much processor utilization but always max I/O read on drive.) Also just wanted to say thank you for turning me into digital forensics, these past few weeks I've religiously went through your Windows Forensics series taking notes, now starting this one, then I guess onto your other videos. Always heard that you could do these things and all this information is available you just gotta know how to get it from the system... well now I know some of it and thats thanks to you, so again just wanted to say your work being appreciated. :)

@13Cubed

3 жыл бұрын

Hi, thank you for the great feedback! Regarding imageinfo, yes, it can take a long while. Two things - 1) try to use kdbgscan. However, keep in mind that if you know the build number for the version of Windows from which the memory capture was acquired, there is no need to run this. Just specify the correct Volatility profile. You can view the installed profiles by running vol.py --info. 2) Volatility 3, which is now in public beta, will (soon) replace version 2. The new version 3 no longer requires profiles to be specified. Check out the episode I made covering it.

@b1ue2211

3 жыл бұрын

@@13Cubed Hey, thanks for the reply just got to the Volatility Profiles video which made some things clear, the OS version was 18363, while volatility only has 18362 profile. Even still it did work with that profile with pslist, but imageinfo (nor kdbgscan) still cant handle the .mem file itself... I set the debug flag in the command and it just went around with Trying one after the other, then came back with "No suitable address space mapping found" after i maxed the niceness of the process... anyway, not having to figure out profiles is gonna be a great addition, definitely gonna check out version 3!

Great presentation. Can you make available the Windows 10 image.

@13Cubed

5 жыл бұрын

Detectware CTF I have a new episode in the Memory Forensics series coming later this month. The corresponding memory image will be released alongside it. I think you will find it very useful.

Absolutely 👍

What software do you use to aquire the memory dump? Is there a good free alternative available?

@13Cubed

5 жыл бұрын

DumpIt, winpmem, Magnet RAM Capture, FTK Imager are all available for free, just to name a few.

Hi, 13Cubed! I just wanted to know if it is possible to track your computer's activity for a given day. Example, if I wanted to know what files were opened, how long a file was opened, etc. I have not finished watching your videos yet but this is the reason why I am watching them. If you have something that does that, can you please point me to the right direction? Thanks!

@13Cubed

6 жыл бұрын

A super timeline creation tool like Log2Timeline would enable you to profile a large number of forensic artifacts, and then using Excel you could filter/sort to extract data from the time period in which you're interested. I've got an upcoming video covering this, but it's still in production now.

@hyunwooson2819

5 жыл бұрын

Hello, does this still uses Volatility or solely Log2Timeline?

Great training video. Thank you for sharing your knowledge with us peasants

How can we know which profile to use?

Quick question, I get nothing back when i run cmdscan or consoles on a win 10 memory image. Why is that?

@13Cubed

4 жыл бұрын

I haven't had much success with those plugins in Windows 10. Try dumping process memory (memdump, not procdump) associated with any conhost.exe processes and extracting data with strings. That's sometimes useful.

I never use plug ins and I think a lot of data was added by hackers in my network and pinging or remote acess and SIM cards being remotely inserted.

Hello, I am a starter in Volatility. I am getting a volatility.debug error (file doesn't exist). Also I can't locate the memory dump in my Kali Linux VM. I really appreciate your help!!

@13Cubed

3 жыл бұрын

You should be able to point to the memory file you want to analyze via the -f flag. Make sure the path after -f points to a valid file (full path and filename).

what tool would you use to analyze a process dump file? (in this case : 3960.dmp)

@13Cubed

4 жыл бұрын

If you dump the process binary itself, say with procdump in Volatility, you can reverse it and analyze it as you would any other binary. If you dump the process memory, say with Volatility's memdump plugin, strings may be your best bet to extract anything valuable therein.

@PrashantJaiswalbhaiji

4 жыл бұрын

@@13Cubed thank you very much for your quick reply. it helps newbies like me quite a bit :)

Hey there, what does PID -1 mean when running the netscan command?

@13Cubed

4 жыл бұрын

The plug-in did not properly parse that information from memory. Occasionally you'll see output like that.

@franzandrae

4 жыл бұрын

@@13Cubed Thank you for your quick answer, subscribers +1 :)

@franzandrae

4 жыл бұрын

@@13Cubed Oh man, turns out I had to use a different Profile - now I have the correct PID :)

a question. you knew which profile to use. in case i don't is it back to trial and error or is there a better way?

@13Cubed

4 жыл бұрын

Prashant Jaiswal Use imageinfo or kdbgscan. Check out the Introduction to Memory Forensics playlist. I think you’ll find it very useful.

@PrashantJaiswalbhaiji

4 жыл бұрын

@@13Cubed thank you! .. I'll do that right now. :)

What was the python script for netscan? Abibas?

@13Cubed

3 жыл бұрын

Abeebus - got an episode coming out about that. github.com/13Cubed/Abeebus

is it possibleto detect kernel level rookits using Volatility 2.6 ??

@13Cubed

5 жыл бұрын

sarath kumar Sure, though rootkits are less common present day than they used to be.

We need to identify why Microsoft software is even on my mobile device?

no1 tutorial on memory forensics on youtube.

when i used hashdump,cmdscan,console plugins i got nothing in output can anyone tell me why is it happening like that i used windows 10 memory image and volatility

@13Cubed

4 жыл бұрын

Those plugins no longer work with newer builds of Windows 10. You can dump the process memory (memdump) for conhost.exe processes and run strings against them to extract command line output. Also check out the public beta for Volatility 3, which includes a plugin called "windows.cmdline.CmdLine", which, in my brief testing, does appear to support Windows 10.

I need 30 hours of DFIR training. How could I get documented training?

@13Cubed

3 жыл бұрын

SANS has numerous free webcasts you can sign up for and earn CPE credits.

@lamarisdts6738

3 жыл бұрын

@@13Cubed Thanks. I will look on there again

is this tied to 508 or 526 ?

@13Cubed

5 жыл бұрын

Neither - this is my own material, created from practice labs. That said, some of the topics explored here will definitely be covered in more depth within both courses.

I did reset a friends phone because it had a bug. And I believe it was a danger.

My only child is grown born in the 80’s

Hello! Thank you for informative video content. I would like to know how to get the file memdump.mem?

@13Cubed

2 жыл бұрын

You would use a memory capture utility such as WinPmem, Magnet RAM Capture, etc.

I have not dumped any files

I believe it may be caused by a hacker

I do not have any children

Anything evil is spam