https://futex.re/mediawiki/index.php?action=history&feed=atom&title=Volatility 2026-04-19T14:07:12Z Historique des versions pour cette page sur le wiki MediaWiki 1.39.17 https://futex.re/mediawiki/index.php?title=Volatility&diff=2521&oldid=prev 2015-06-01T13:06:49Z

<p></p> <p><b>Nouvelle page</b></p><div>== Info sur le dump ==<br /> # ./vol.py -f ch2.dmp imageinfo<br /> Volatile Systems Volatility Framework 2.0<br /> Suggested Profile(s) : Win7SP1x86, Win7SP0x86<br /> AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)<br /> AS Layer2 : FileAddressSpace (./ch2.dmp)<br /> PAE type : PAE<br /> DTB : 0x185000<br /> <br /> ==Trouver le hostname ==<br /> <br /> # ./vol.py -f ch2.dmp --profile=Win7SP0x86 envars<br /> ou<br /> # ./vol.py -f ch2.dmp --profile Win7SP1x86 printkey -K &quot;ControlSet001\Control\ComputerName\ActiveComputerName&quot;<br /> <br /> == Trouver les hashs ==<br /> <br /> Afficher les ruches:<br /> <br /> ./vol.py -f /tmp/e3a902d4d44e0f7bd9cb29865e0a15de.dmp --profile Win7SP1x86 hivelist<br /> Volatile Systems Volatility Framework 2.1<br /> Virtual Physical Name<br /> ---------- ---------- ----<br /> 0x8ee66740 0x141c0740 \SystemRoot\System32\Config\SOFTWARE<br /> 0x90cab9d0 0x172ab9d0 \SystemRoot\System32\Config\DEFAULT<br /> 0x9670e9d0 0x1ae709d0 \??\C:\Users\John Doe\ntuser.dat<br /> 0x9670f9d0 0x04a719d0 \??\C:\Users\John Doe\AppData\Local\Microsoft\Windows\UsrClass.dat<br /> 0x9aad6148 0x131af148 \SystemRoot\System32\Config\SAM<br /> 0x9ab25008 0x14a61008 \SystemRoot\System32\Config\SECURITY<br /> 0x9aba79d0 0x11a259d0 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT<br /> 0x9abb1720 0x0a7d4720 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT<br /> 0x82b6b140 0x02b6b140 [no name]<br /> 0x8b20c008 0x039e1008 [no name]<br /> 0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM<br /> 0x8b23c008 0x02ccf008 \REGISTRY\MACHINE\HARDWARE<br /> 0x8ee66008 0x141c0008 \Device\HarddiskVolume1\Boot\BCD<br /> <br /> Extraction des pass NTLM<br /> ./vol.py -f /tmp/e3a902d4d44e0f7bd9cb29865e0a15de.dmp --profile Win7SP1x86 hashdump -y 0x8b21c008 -s 0x9aad6148<br /> Volatile Systems Volatility Framework 2.1<br /> Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::<br /> Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::<br /> John Doe:1000:aad3b435b51404eeaad3b435b51404ee:b9f917853e3dbf6e6831ecce60725930:::<br /> <br /> == Variables d&#039;environnement ==<br /> Location du dump mémoire<br /> export VOLATILITY_LOCATION=file:///$(pwd)/dump/dump<br /> <br /> Profile du dump<br /> export VOLATILITY_PROFILE=Win7SP1x64</div>

Futex