1
00:00:02,250 --> 00:00:04,890
Password dumping in Volatility.

2
00:00:05,010 --> 00:00:10,050
In this lecture, you will learn about password dumping in the Volatility framework.

3
00:00:10,050 --> 00:00:15,600
So actually, the passwords in Windows are listed in the Security Accounts Manager.

4
00:00:15,690 --> 00:00:20,520
The SAM file is also listed using the hivelist plugin.

5
00:00:20,520 --> 00:00:27,360
In the previous lecture, as you remember, we used the hivelist plugin to print these out, and the path

6
00:00:27,360 --> 00:00:31,710
to the SAM file is seen here, as you can see.

7
00:00:31,710 --> 00:00:34,590
System32 config file.

8
00:00:34,590 --> 00:00:35,730
So in this.

9
00:00:36,520 --> 00:00:38,020
Here, in this address.

10
00:00:38,020 --> 00:00:40,180
We have the stored passwords here.

11
00:00:40,210 --> 00:00:47,500
So this file cannot be accessed by users within Windows while the system is on.

12
00:00:47,500 --> 00:00:54,100
And it can be further used to acquire the hashed passwords in the SAM file to crack passwords using

13
00:00:54,100 --> 00:00:54,640
a word list.

14
00:00:54,640 --> 00:01:01,330
So along with the password cracking tools, using John the Ripper, as you saw, as you know, John

15
00:01:01,330 --> 00:01:10,960
the Ripper, you can use this for password cracking using brute force or other methods

16
00:01:10,960 --> 00:01:11,950
in Linux.

17
00:01:11,950 --> 00:01:14,130
So, in the next lectures,

18
00:01:14,140 --> 00:01:22,480
we will also do the same file investigation and password extraction from the memory file

19
00:01:22,480 --> 00:01:24,520
or storage file in Windows.

20
00:01:24,880 --> 00:01:31,870
And now I'm going to tell you more about the timeline of events in Volatility.

21
00:01:31,870 --> 00:01:39,110
Volatility can produce a list of timestamped events, which is essential to an investigation.

22
00:01:39,110 --> 00:01:46,190
So to produce this list, we will use the timeliner plugin in Volatility here.

23
00:01:46,190 --> 00:01:48,860
So timeliner and.

24
00:01:49,580 --> 00:01:50,120
The timeliner

25
00:01:50,120 --> 00:01:59,120
plugin helps the investigator by providing a timeline of all the events that took place when the

26
00:01:59,120 --> 00:02:00,300
image was acquired.

27
00:02:00,320 --> 00:02:07,190
So although we have an idea of what took place within this scenario, many other timelines may be quite

28
00:02:07,190 --> 00:02:09,620
large and far more detailed and complex.

29
00:02:09,620 --> 00:02:18,530
So the timeliner plugin groups details by time and includes processes, process IDs, process offsets,

30
00:02:18,560 --> 00:02:25,880
DLLs used, registry details, and other useful information. To run the timeliner command,

31
00:02:26,360 --> 00:02:33,590
you need to, as with the previous commands, specify the profile and then the virtual memory

32
00:02:33,590 --> 00:02:36,890
file, and then use the plugin parameter.

33
00:02:36,890 --> 00:02:37,130
Here.

34
00:02:37,130 --> 00:02:41,120
In this case it's timeliner, because we're going to use the timeliner plugin here.

35
00:02:41,390 --> 00:02:44,330
Press enter and, yeah.

36
00:02:45,790 --> 00:02:47,410
It's now analyzing.

37
00:02:47,410 --> 00:02:52,210
And it will show us the details here.

38
00:03:10,930 --> 00:03:11,620
Okay.

39
00:03:16,020 --> 00:03:19,290
I will also paste this

40
00:03:20,990 --> 00:03:23,940
file in the attachment here.

41
00:03:23,960 --> 00:03:24,320
Zoom.

42
00:03:24,520 --> 00:03:27,710
Zoom out here as we previously did.

43
00:03:28,750 --> 00:03:32,620
So now here we've zoomed out like that.

44
00:03:34,380 --> 00:03:39,720
And I will copy this output to a text file and share it with you.

45
00:03:43,110 --> 00:03:43,590
Here.

46
00:03:45,840 --> 00:03:46,920
And then paste.

47
00:03:46,920 --> 00:03:53,640
Paste into the editor. And this is the timeline of what happened on the system.

48
00:03:53,880 --> 00:04:03,600
As you can see, there are the clocks here: date, time, the process, the executable file, process ID,

49
00:04:03,930 --> 00:04:12,000
offset, and all that information, and the information about what users or what system programs did

50
00:04:12,000 --> 00:04:13,050
at what time.

51
00:04:13,050 --> 00:04:18,630
So it's actually quite useful and powerful information when doing malware analysis here.

52
00:04:18,630 --> 00:04:25,110
So I'm going to paste this command, the text file, in the attachment so you can analyze

53
00:04:25,110 --> 00:04:32,190
further, or you can just get this result by using the analysis technique I used here.

54
00:04:32,190 --> 00:04:34,740
So let's.

55
00:04:34,770 --> 00:04:35,400
Okay.

56
00:04:36,300 --> 00:04:44,700
Now, in the next lecture, we're going to use the graphical user interface in Volatility

57
00:04:44,700 --> 00:04:45,810
and.

58
00:04:46,870 --> 00:04:51,490
Uh, we will get more information about Volatility in the graphical user interface.

59
00:04:51,490 --> 00:04:54,280
So I'm waiting for you in the next lecture.