MemProcFS - This Changes Everything

Science & Technology

Imagine being able to "mount" memory as if it were a disk image. With a single command, MemProcFS will create a virtual file system representing the processes, file handles, registry, $MFT, and more. The tool can be executed against a memory dump, or run against memory on a live system. This is a game changer for memory forensics!
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
📖 Chapters
00:00 - Intro
01:42 - Installation
02:41 - Demo
🛠 Resources
MemProcFS: The Memory Process File System:
github.com/ufrisk/MemProcFS
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #MemoryForensics

Comments: 32

  • @chrisclark5135
@chrisclark5135 1 year ago

    Great find! Thanks for sharing and I'll be using this going forward for sure!

  • @cexesp2022
@cexesp2022 1 year ago

    This is by far the most useful tool introduced in your informative channel .. Many thanks for the support you are providing to us.

  • @muhammadhassoub299
@muhammadhassoub299 1 year ago

    Great video as usual. I wait for a practical applied case using this tool

  • @GlobalSecure
@GlobalSecure 1 year ago

    The best project on DFIR I've ever seen! Amazing work!!

  • @MultiNamer
@MultiNamer 1 year ago

    Wow, absolutely fantastic. I have dreamed of this kind of tool. So valuable, thanks a lot.

  • @Bequietize
@Bequietize 1 year ago

    One interesting thing which you did not show is the NTFS directory in forensics. Of course you have the whole MFT list in one file, but sometimes I don't know what I am looking for, and I find it extremely helpful that you can just browse through it like C->Users->user->Downloads and you see a bunch of files there and start thinking: Why are those files visible in memory? Did something load them up, or were they downloaded with the browser? Anyway, as always great content, thank you for your work :)!

  • @13Cubed

    @13Cubed

1 year ago

    About the best you can do would be to browse the contents of the $MFT as available within the memory capture. Some of those files may actually be present within memory, and recoverable. That said, there isn't a virtual directory hierarchy that re-creates the entire file system structure. Also remember that there are no guarantees in memory forensics -- what you are looking for *may* be present, or it may have been paged to disk and not available in the memory capture. Also keep in mind that at some point, everything you do on a computer system (websites you visit, pictures you view, documents you create, etc.) traverses the memory. So, there can be a lot of interesting evidence and potentially valuable content therein -- but again, just no guarantees.

  • @mohammedal-mudhafar4602
@mohammedal-mudhafar4602 10 months ago

    This is so valuable, thanks a lot :)

  • @JediBuddhist
@JediBuddhist 1 year ago

    That's great. Thank you.

  • @fabianoaraujodecarvalho1967
@fabianoaraujodecarvalho1967 1 year ago

    The best class, very good.

  • @shibly99
@shibly99 1 year ago

    This saves my day.

  • @HitemAriania
@HitemAriania 1 year ago

    I've been using this for a while, super glad you covered it so well! A completely different question: Are there any good tools to create a memory dump without crashing the system? Haven't found one yet.

  • @13Cubed

    @13Cubed

1 year ago

    WinPmem is usually my go-to.

  • @HitemAriania

    @HitemAriania

1 year ago

    @@13Cubed Thank you kind sir! Keep up the superb work :)

  • @moradosama9076
@moradosama9076 1 year ago

    Great video

  • @servermadum7297
@servermadum7297 7 days ago

    Thanks for the video

  • @BloodlyKill
@BloodlyKill 1 year ago

    Does the proc file show unlinked processes?

  • @abhijitgupta90
@abhijitgupta90 6 months ago

    This is a revelation!

  • @agu227
@agu227 1 year ago

    This changes everything

  • @Leokhawarizmi
@Leokhawarizmi 1 year ago

    Thank you for the video. Could you show how to prepare for the CHFI certificate and where to get the best free courses for it? If you prepared a video on it, it would be much better.

  • @13Cubed

    @13Cubed

1 year ago

    Unfortunately, I'm not very familiar with that certification. I would take a look at the learning objectives for it and compare it to the "Digital Forensics" playlist. I'm guessing a good bit of the content would be covered in those episodes. You can also check out 13cubed.com/episodes for the official Episode Guide. Click "All Series" and use the search blank in the top right to search across all of the channel content.

  • @Leokhawarizmi

    @Leokhawarizmi

1 year ago

    @@13Cubed Thank you so much, your channel helps toward this certification efficiently. I hope you continue.

  • @stephencole9289
@stephencole9289 1 year ago

    You can of course do most of this from a debugger on the dump, but it requires a great deal of expertise (and time and effort). The forensics bit etc. automates a lot of that.

  • @CookieBrainSlug
@CookieBrainSlug 1 year ago

    Would MemProcFS be able to process Windows 10 hibernation files (hiberfil.sys)?

  • @13Cubed

    @13Cubed

1 year ago

    If you use Hibernation Recon to extract the active memory from hiberfil.sys, it should work. Check out the Windows Hibernation Files episode for more information on how to do that.

  • @johndittamo1085
@johndittamo1085 1 year ago

    What Linux distros does this support?

  • @ok-tr1nw

    @ok-tr1nw

1 year ago

    Any distro with FUSE support. So anything that uses modern kernels, like the second-latest LTS.

  • @tg7943
@tg7943 1 year ago

    Push!

  • @mk72v2oq
@mk72v2oq 1 year ago

    So it's basically trying to recreate Linux (or any Unix-like system) in Windows.

  • @chriseastwood1310
@chriseastwood1310 1 year ago

    first

  • @mussaabdi
@mussaabdi 1 year ago

    Why is it only 1GB of storage? So if your memory is 10GB, it keeps saying insufficient memory. KINDLY address, will appreciate @13Cubed
