WEBVTT

00:02.250 --> 00:04.890
Password dumping in volatility.

00:05.010 --> 00:10.050
In this lecture, you will learn about the password dumping and volatility framework.

00:10.050 --> 00:15.600
So actually, the passwords in Windows are listed in the Security Accounts Manager.

00:15.690 --> 00:20.520
The SAM file is also listed using the hivelist plugin.

00:20.520 --> 00:27.360
In the previous lecture, as you remember, we used the hivelist plugin to print these out, and the path

00:27.360 --> 00:31.710
to the SAM file is seen here, as you can see.

00:31.710 --> 00:34.590
System32 config file.

00:34.590 --> 00:35.730
So in this.

00:36.520 --> 00:38.020
Here in this address.

00:38.020 --> 00:40.180
We have the stored passwords here.

00:40.210 --> 00:47.500
So this file cannot be accessed by users within Windows while the system is on.

00:47.500 --> 00:54.100
And it can be further used to acquire the hashed passwords in the SAM file to crack passwords using

00:54.100 --> 00:54.640
a word list.

00:54.640 --> 01:01.330
So along with password cracking tools like John the Ripper, as you saw, as you know, John

01:01.330 --> 01:10.960
the Ripper, you can use this with password cracking tools using brute force or other methods, and

01:10.960 --> 01:11.950
in Linux.

01:11.950 --> 01:14.130
So, in the next lectures,

01:14.140 --> 01:22.480
we will also do the SAM file investigation and the password extraction from the memory file

01:22.480 --> 01:24.520
or storage file in Windows.

01:24.880 --> 01:31.870
And now I'm going to tell you more about the timeline of events in Volatility.

01:31.870 --> 01:39.110
Volatility can produce a list of timestamped events, which is essential to an investigation.

01:39.110 --> 01:46.190
So to produce this list, we will use the Timeliner plugin in Volatility here.

01:46.190 --> 01:48.860
So timeliner.

01:49.580 --> 01:50.120
The

01:50.120 --> 01:59.120
Timeliner plugin helps the investigator by providing a timeline of all the events that took place when the

01:59.120 --> 02:00.300
image was acquired.

02:00.320 --> 02:07.190
So although we have an idea of what took place within this scenario, many other timelines may be quite

02:07.190 --> 02:09.620
large and far more detailed and complex.

02:09.620 --> 02:18.530
So the Timeliner plugin groups details by time and includes processes, process IDs, process offsets,

02:18.560 --> 02:25.880
DLLs used, registry details and other useful information. To run the Timeliner command,

02:26.360 --> 02:33.590
like in the previous commands, you need to specify the profile and then the virtual memory

02:33.590 --> 02:36.890
file, and then use the plugin parameter.

02:36.890 --> 02:37.130
Here.

02:37.130 --> 02:41.120
In this case it's timeliner, because we're going to use the Timeliner plugin here.

02:41.390 --> 02:44.330
Press Enter, and yeah.

02:45.790 --> 02:47.410
It's now analyzing.

02:47.410 --> 02:52.210
And it will show us the details here.

03:10.930 --> 03:11.620
Okay.

03:16.020 --> 03:19.290
I will also paste this

03:20.990 --> 03:23.940
file in the attachment here.

03:23.960 --> 03:24.320
Zoom.

03:24.520 --> 03:27.710
Zoom out here, as we previously did.

03:28.750 --> 03:32.620
So now we have zoomed out like that.

03:34.380 --> 03:39.720
And I will copy this output to a text file and share it with you.

03:43.110 --> 03:43.590
Here.

03:45.840 --> 03:46.920
And paste.

03:46.920 --> 03:53.640
Paste it in the editor. And this is the timeline of what happened on the system.

03:53.880 --> 04:03.600
As you can see, there are the clocks here: date, time, the process, the executable file, process ID,

04:03.930 --> 04:12.000
offset, and all that information, and the information about what users or what system programs did

04:12.000 --> 04:13.050
at what time.

04:13.050 --> 04:18.630
So it's actually quite useful and powerful information for doing malware analysis here.

04:18.630 --> 04:25.110
So I'm going to paste this command, the text file, in the attachment so you can analyze

04:25.110 --> 04:32.190
further, or you can just get this result by using the analysis techniques I used here.

04:32.190 --> 04:34.740
So let's.

04:34.770 --> 04:35.400
Okay.

04:36.300 --> 04:44.700
Now, in the next lecture, we're going to use the graphical user interface in Volatility

04:44.700 --> 04:45.810
and.

04:46.870 --> 04:51.490
Uh, we will get more information about Volatility in the graphical user interface.

04:51.490 --> 04:54.280
So I'm waiting for you in the next lecture.
