We use the first offset with hivelist to show where hives are located at. Now on with the registry analysis, we run hivescan to get hive offsets. Poste de travail\HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 Desktop/dump.raw | grep -i vnc | grep -i hkey
#DUMP TIGERVNC PASSWORD PASSWORD#
But no point, we need to know the registry key under which the password might be stored: We now know that WinVNC 4 was used, at this point we can dump the memory of the process and the executable itself.
#DUMP TIGERVNC PASSWORD SOFTWARE#
We are after a VNC password but we would like to know which VNC software is used: Ok the dump is recognized to be a Windows XP SP2 RAM dump (you can check it using strings )). We first need to know what operating system dump we are analysing: VNC Password Dumper: VNC Password decrypter VolReg: Volatility plugin for registry analysis The needed tools for the analysis are basically the following:
We were offered a memory dump to analyze. Today we are going to look after the forensic 100 challenge of the prequals :).
0 kommentar(er)
