Recovering clipboard content and plaintext password recovery through volatility
Well, hello guys. I am back after a long time. Today I am here to share a little about the Volatility tool, including recovering clipboard content and a plaintext password from the memory dump of any system.
So, let's get started with how to take the memory dump of the suspect machine. We will perform this via FTK Imager. It's a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as Forensic Toolkit (FTK®) is warranted.
Source and download link : https://www.exterro.com/ftk-imager
After downloading and installing FTK Imager, go to:
FTK Imager → File → Memory Capture
Now click Capture Memory to obtain the memory dump.
Now we will see how to recover clipboard content from memory using Volatility on a Kali workstation. You can also download Volatility and use it on Windows (download link: https://www.volatilityfoundation.org/releases).
Volatility is an advanced memory forensics framework and one of the best open source programs for analyzing RAM from 32-bit/64-bit systems. It locates the kernel debugger data block (KDBG) in the dump by performing a KDBG scan.
To see the clipboard content, we can use the clipboard plugin available in Volatility. To perform this lab, I used the jacker's challenge. You can download it from here: https://docs.google.com/file/d/0B_xsNYzneAhEN2I5ZXpTdW9VMGM/edit?resourcekey=0-h5eP2uMnqxV-xdJhofV_LQ
You can also use the memory dump obtained from your system to perform this lab :)
To get more information about the memory dump, including the profile that Volatility suggests for it (used by the --profile option in the commands below), use the imageinfo plugin:
volatility -f memdump.bin imageinfo
To see the clipboard content, we can use the clipboard plugin:
volatility -f memdump.bin --profile=WinXPSP2x86 clipboard
You can discover more content by trying your own system's memory dump. Here you see an HTTP link in the output.
To see the clipboard content in a more standard and detailed way, use:
volatility -f memdump.bin --profile=WinXPSP2x86 clipboard -v (-v: verbose)
Now, let's see how to recover a plaintext password from memory.
To see the virtual and physical addresses of the registry hives, along with their readable names and locations, the hivelist plugin is used in Volatility:
volatility -f memdump.bin --profile=WinXPSP2x86 hivelist
The registry hives (including the .dat user hives) and their addresses are listed here.
Now, let's use the hashdump plugin in Volatility to retrieve the users' password hashes from the specific registry hives: -y takes the virtual address of the SYSTEM hive and -s the virtual address of the SAM hive, both read from the hivelist output. Then save the output in a text file (hash.txt):
volatility -f memdump.bin --profile=WinXPSP2x86 hashdump -y 0xe1035b60 -s 0xe1579b60 > hash.txt
Let's view the hash:
cat hash.txt
The hash is in NTLM format (UN: username; pass: password).
Let's decode the hash with an online decoder.
Hence, we successfully recovered the password.
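As an added example (not part of the original post or of Volatility itself), here is a small parser for the hash.txt output above that triages the dumped accounts the way an analyst would: blank passwords, accounts that still store an LM hash, and the built-in administrator. The input lines are constructed samples; the hash values for alice and bob are made-up hex, not real hashes, while the two empty-password constants are the well-known values.

```python
import re
from dataclasses import dataclass

# Well-known hashes of the empty password; no secret material involved.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in hashdump's output format: user:rid:lmhash:nthash:::
# (the LM/NT values for alice and bob are invented hex, not real hashes).
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
bob:1004:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass
class Account:
    user: str
    rid: int
    lm: str  # LM hash (legacy, DES-based, case-insensitive; weak if present)
    nt: str  # NT hash (unsalted MD4 of the UTF-16LE password; lookup-friendly)


def parse_hashdump(text):
    """Parse hashdump lines into Account records, skipping blank or malformed lines."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def triage(accounts):
    """Map each finding to the usernames it applies to."""
    findings = {"blank_password": [], "lm_hash_stored": [], "builtin_admin": []}
    for a in accounts:
        if a.nt == EMPTY_NT:            # empty NT hash means the account has no password
            findings["blank_password"].append(a.user)
        if a.lm != EMPTY_LM:            # a real LM hash means LM storage was still enabled
            findings["lm_hash_stored"].append(a.user)
        if a.rid == 500:                # RID 500 is always the built-in Administrator
            findings["builtin_admin"].append(a.user)
    return findings


if __name__ == "__main__":
    print(triage(parse_hashdump(SAMPLE_HASHDUMP)))
```

Because the NT hash is unsalted, two users with the same password share the same hash, which is exactly why a lookup service can answer the query in the step above.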
Thanks for reading till the end. Hope you enjoyed it and learned something new. Do share and subscribe, and also discuss new topics with me. Let's learn and grow together.
Follow me on:
🔸 Twitter : https://twitter.com/ShreyaTalukdar9
🔸 Instagram : https://www.instagram.com/shreya.talukdar/
🔸 LinkedIn : https://www.linkedin.com/in/shreya-talukdar-dfir/
🔸 Email : shreyatalukdar30@gmail.com