Amazing content. This will help to prepare the forensics runbook right away for us! Thanks for making it. Looking forward for more linux contents..

@BlackPerl

3 жыл бұрын

Thank you for the feedback! Please stay tuned!

The intro is amazing!! Great!!

@BlackPerl

3 жыл бұрын

Thank you!

Lovely Episode!!

Good Episode. you can make a video on the tool redline also.

@BlackPerl

3 жыл бұрын

Thanks for the suggestion, Buddy. Will do.

Changing any thing in the infected can lead to loss of evidence ,is it true?? If so you said running an apt command can change lot and sometime ask for a reboot also .so is it a recommended action to reboot the server before taking memory dump or change any parameters as it can flush the TCP dump also ?

@BlackPerl

2 жыл бұрын

Yes, you are right.. Changing things in evidence system might have a chance to override potential data which might create issues later while doing investigation. And you should never do a reboot before capturing memory dump. For my case, since I was starting fresh I did a apt get update, but in actual world and incident, you MUST not do it. You can just dump the AVML file and run it. Running AVML won't push much fingerprint on the system and it works in kernel mode, so not much will be shifted from memory, so we are good!

Hi i was following your tutorial but stuck on zip file parsing i am getting the error , i think the issues with system kernel name , please advise sudo zip kali_5.17.0-kali3-cloud-amd64.zip ./volatility/tools/linux/module.dwarf /boot/System.map 5.17.0-kali3-cloud-amd64 zip warning: name not matched: /boot/System.map zip warning: name not matched: 5.17.0-kali3-cloud-amd64 adding: volatility/tools/linux/module.dwarf (deflated 91%)

@BlackPerl

Жыл бұрын

It seems to be a warning and not a hard error. Please try using the profile with a memory dump. Also, make sure you have the correct name in of system map under /boot directory

@bitsworld6721

Жыл бұрын

@@BlackPerl Thanks its working yes its correct name in of system map

help, how do I do the same analysis with python 3?

@BlackPerl

Жыл бұрын

You need to use Volatility3 if you want to use python3. Volatility2 doesn't support python3, I believe

@carlosdanielbedoyramos4419

Жыл бұрын

@@BlackPerl Yes, I understand the point, I have analyzed wundows ram dumps with volatility3, but I have not been able to analyze linux ram dumps with volatility3. Have you done it? Thanks for your answer

@BlackPerl

Жыл бұрын

@@carlosdanielbedoyramos4419 No, I don't use vol3 much since it's still in early stage, so not matured enough

Why make a snap shot and etc to do the memory dump file transfer . why not just transfer it normally like using a python http server.

@BlackPerl

Жыл бұрын

Yes, you can transfer any way you like. But at times, your fileight be 10GB or more, so transferring via online server will take huge amount of time. Also, your compliance will not support sending data through internet. So the easiest and safest option is to take snapshot and do within aws

This does not work for Linux Ubuntu22.04 though. It works until 18.04, maybe 20.04

@BlackPerl

11 ай бұрын

Need to make small configuration change in make file. It will work

OMG!! Are you THOR ? LOL..

@futurebuddies5335

3 жыл бұрын

Anyway, Awesome representation Buddy!!

@BlackPerl

3 жыл бұрын

@@futurebuddies5335 Thanks Buddy!

Did he just say "Lin-Axe"?

The first English word that Indians learn is "particular". Then they use it 3 times in every sentence. Even if the sentence has 5 words.

@BlackPerl

2 жыл бұрын

Lol.