This article records in detail the process of learning and using Kali Linux 2018.1 for penetration testing. The material follows the course "Kali Linux Penetration Testing" from the Security Niu Classroom.
1. Live Forensics
1. Restore text from memory
Dump the editor's process memory and pull the printable strings out of the dump. Notepad is used here, but any other word processor works the same way.

```
C:\> procdump -ma notepad.exe notepad.dmp
C:\> strings notepad.dmp > notepad.txt
```
Note that Sysinternals `strings` scans for both ASCII and UTF-16LE strings by default, while GNU `strings` on Kali needs `-e l` to see the UTF-16LE text that Windows editors keep in memory.
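Added example, not from the course: a minimal re-implementation of what `strings` does to a process dump, scanning for both ASCII and UTF-16LE runs and then searching the hits for a keyword, which is the usual next step when hunting for passwords in a dump. The dump is a constructed byte string standing in for notepad.dmp; function names are mine.

```python
# Added example (not from the course): "strings" over a process dump, for
# both ASCII and UTF-16LE, plus a keyword search over the results.
import re


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for every printable run in `data`.

    Mirrors `strings` (ASCII runs) and `strings -e l` (UTF-16LE runs):
    Windows editors hold their text as UTF-16LE, where every character is a
    printable byte followed by 0x00, so an ASCII-only scan never sees it.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()  # by offset, so hits read in dump order
    return found


def grep_strings(found, needle: str):
    """Case-insensitive keyword search over extract_strings() output."""
    needle = needle.lower()
    return [hit for hit in found if needle in hit[2].lower()]


def build_sample_dump() -> bytes:
    """Constructed stand-in for notepad.dmp: binary noise around real strings.

    Layout: 144 bytes of noise, an ASCII import name, 144 bytes of noise,
    the editor's text as UTF-16LE, noise, and two runs too short to report.
    """
    noise = bytes(range(0, 32)) * 4 + b"\x00" * 16  # nothing printable
    return (noise
            + b"KERNEL32.dll\x00"                                # ASCII, as in any loaded DLL name
            + noise
            + "Meeting notes: password is Winter2018".encode("utf-16-le")  # editor buffer
            + noise
            + b"ab\x00cd\x00")                                   # below min_len, must be skipped


if __name__ == "__main__":
    hits = extract_strings(build_sample_dump())
    for offset, enc, text in hits:
        print(f"{offset:#010x} {enc:8} {text}")
    print("password hits:", grep_strings(hits, "password"))
```

On a real dump the UTF-16LE scan is where the document text shows up; the ASCII scan mostly returns DLL names, paths and format strings from the loaded modules.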
2. Restore pictures from memory
The same idea recovers screen content from programs that hold bitmaps in memory: Remote Desktop (mstsc), drawing tools (mspaint), a VirtualBox VM process, and so on. Find the PID, dump the process, then open the dump in GIMP as raw pixel data.

```
C:\> tasklist
C:\> procdump.exe -ma mstsc.exe mstsc.dmp
C:\> procdump.exe -ma mspaint.exe mspaint.dmp
```
Rename the dumps so GIMP does not try to guess the format from the extension, then load them as raw data:

```
mv mstsc.dmp mstsc.data
mv mspaint.dmp mspaint.data
```
- GIMP -> Open -> choose "Raw Image Data" as the file type -> adjust the parameters (offset, width, image type) until the bitmap becomes visible

The course also shows extracting the process memory with Volatility first (1456 is the PID found with tasklist/pslist; the profile must match the imaged system):

```
volatility -f mspaint.dmp --profile=Win7SP0x86 memdump -p 1456 -D dumpdir
volatility -f mstsc.dmp --profile=Win7SP0x86 memdump -p 1456 -D dumpdir
```
Caveat: Volatility's `memdump` plugin reads a full physical memory image, not a procdump minidump, so `-f` has to point at an image of the whole machine's RAM for these lines to work; with a procdump dump there is nothing to extract, open the dump in GIMP directly.
3. Extract the plaintext password from memory
Dump LSASS, then load the dump into mimikatz offline:

```
C:\> procdump -ma lsass.exe lsass.dmp
```
- Start mimikatz.exe (same bitness, 32- or 64-bit, as the dumped LSASS) and run:

```
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords
```
Cleartext passwords appear because WDigest caches them in LSASS on Windows 7 / 2008 R2 as installed; on Windows 8.1 / 2012 R2 and later, or on older systems with KB2871997 applied and `UseLogonCredential` left at 0, only NTLM hashes and Kerberos material are returned.
4. The mimikatz plugin for volatility
https://github.com/sans-dfir/sift-files/blob/master/volatility/mimikatz.py
Drop the plugin into Volatility's plugins directory. The GitHub URL above is the HTML page; wget needs the raw file, otherwise you save an HTML page named mimikatz.py. The plugin also imports the Python `construct` module, which must be installed for Python 2.7.

```
root@kali:~# cd /usr/lib/python2.7/dist-packages/volatility/plugins
root@kali:/usr/lib/python2.7/dist-packages/volatility/plugins# wget https://raw.githubusercontent.com/sans-dfir/sift-files/master/volatility/mimikatz.py
root@kali:~# volatility -f lsass.dmp --profile=Win7SP0x86 mimikatz
```
As with `memdump`, the plugin works on a full memory image passed to `-f`; a procdump lsass.dmp belongs in mimikatz itself (step 3).
5. Firefox browser audit tool
dumpzilla extracts history, cookies, downloads, saved form data and more from a Firefox profile. The profile directory name is random per installation (bvpenhsu.default and ef5pz3gn.default in the course), so list ~/.mozilla/firefox/ first.

```
dumpzilla /root/.mozilla/firefox/ef5pz3gn.default/ --All
```
![](https://i.imgur.com/px3qMuq.png)
2. Dead (offline) forensics
1. Hard disk image
- Boot the target from Kali live media in forensic mode (nothing on the internal disk is mounted or written) and image the disk to a file
- Reserve enough external storage for the image: at least the size of the source disk, plus room for logs and hashes
- dc3dd, from the DoD Cyber Crime Center (DC3): dd with built-in hashing, error handling and logging
- dcfldd, from the DoD Computer Forensics Lab: similar, with on-the-fly hashing, hash verification and split output
- guymager: graphical imager producing dd, E01 (EWF) and AFF images
- Practice images: the NIST Computer Forensic Reference Data Sets (CFReDS)
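Added example, not from the course: what dc3dd and dcfldd add on top of plain dd, written out in Python so the steps are visible: copy the device block by block, hash the bytes as they stream past, zero-fill blocks the device refuses to read instead of aborting, record where they were, and re-hash the finished image to prove it matches. The "device" is a constructed in-memory object with a deliberately unreadable block, not /dev/sdX; class and function names are mine.

```python
# Added example (not from the course): forensic imaging with hashing and
# bad-block handling, as dc3dd/dcfldd do it, against a constructed device.
import hashlib
import io


class UnreliableDevice:
    """Constructed stand-in for a failing disk: every read succeeds except
    those touching block index `bad_block`, which raise OSError."""

    def __init__(self, data: bytes, block_size: int, bad_block: int = -1):
        self.data, self.bs, self.bad = data, block_size, bad_block
        self.size = len(data)

    def read_at(self, offset: int, length: int) -> bytes:
        if self.bad >= 0 and offset // self.bs == self.bad:
            raise OSError("Input/output error")
        return self.data[offset:offset + length]


def image_device(dev, out, block_size: int = 4096) -> dict:
    """Copy `dev` into the writable binary stream `out`, hashing on the fly.

    An unreadable block is replaced by zeros and its offset recorded, so one
    bad sector does not stop the acquisition (dd without conv=noerror would
    abort here). The returned SHA-256 covers exactly the bytes written.
    """
    h = hashlib.sha256()
    bad_offsets = []
    offset = 0
    while offset < dev.size:
        n = min(block_size, dev.size - offset)
        try:
            chunk = dev.read_at(offset, n)
        except OSError:
            chunk = b"\x00" * n        # zero-fill, keep going
            bad_offsets.append(offset)
        out.write(chunk)
        h.update(chunk)
        offset += n
    return {"bytes": offset, "sha256": h.hexdigest(), "bad_offsets": bad_offsets}


def acquire(dev, block_size: int = 4096):
    """Image `dev` into memory; returns (image_bytes, report)."""
    out = io.BytesIO()
    report = image_device(dev, out, block_size)
    return out.getvalue(), report


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Independent re-hash of the finished image (dcfldd's hash verification)."""
    return sha256_hex(image) == expected_sha256


def sample_disk(blocks: int = 8, block_size: int = 4096) -> bytes:
    """Constructed disk contents: block i is filled with byte value i."""
    return b"".join(bytes([i]) * block_size for i in range(blocks))


if __name__ == "__main__":
    disk = sample_disk()
    image, report = acquire(UnreliableDevice(disk, 4096, bad_block=2))
    print("bytes:", report["bytes"], "sha256:", report["sha256"])
    print("unreadable blocks at:", report["bad_offsets"])
    print("image verifies:", verify_image(image, report["sha256"]))
```

The hash in the report is the value to write into the acquisition log: anyone can later re-hash the image file and compare. When bad blocks were zero-filled the image hash no longer equals the hash of the original disk, which is why the tools also log the offsets that were substituted.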
2. DFF (Digital Forensics Framework)
- Open Evidence: load the image; deleted files are shown in red
- Discovery: recovers deleted and hidden files
3. autopsy
- Very popular disk image analysis tool, the graphical front end to The Sleuth Kit
- Web server + browser client architecture: start the autopsy service and connect to it with a browser
4. extundelete
- Undelete tool for ext3 and ext4 file systems
- Run it against an unmounted device or an image file, never the live mounted file system. The argument to `--restore-file` is the path of the deleted file relative to the file-system root, not a destination: recovered files are written to a RECOVERED_FILES/ directory under the current directory (`--restore-all` recovers everything it can find)

```
extundelete [device-file] --restore-file [path-relative-to-fs-root]
```
5. iPhone Backup Analyzer
- Analyzes iPhone backup files created by iTunes, not images of the phone itself
6. foremost (developed by the US Air Force Office of Special Investigations)
- Carves files out of a raw image by header/footer signatures, so it works on disk images and memory dumps alike (raw, dd, iso, vmem and other formats)
- `-t` selects the file types to carve, `-i` the input image; results are written by type under output/ (change with `-o`)

```
foremost -t jpeg,gif,png,doc -i 7.raw
```
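Added example, not from the course: the header/footer carving that foremost performs, which is also the way compressed pictures (JPEG, PNG) still sitting in a dumped process's memory can be recovered from the dumps made in section 1.2, as opposed to the raw-bitmap approach with GIMP. The "image" is a constructed byte string containing a genuine 1x1 PNG, a JPEG stub (valid SOI/EOI markers around filler, not a decodable picture) and a decoy PNG signature with nothing valid behind it; all names are mine.

```python
# Added example (not from the course): signature-based file carving over a
# raw image, foremost-style, with structural validation for PNG.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def carve_png(data: bytes, start: int):
    """Walk PNG chunks from `start`; return the file only if every chunk CRC
    checks out and IEND is reached. A bare signature is not a file."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return None
        crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        if zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF != crc:
            return None
        pos = end
        if ctype == b"IEND":
            return data[start:pos]
    return None


def carve_jpeg(data: bytes, start: int):
    """JPEG carries no total length: take SOI up to the next EOI marker."""
    end = data.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end == -1 else data[start:end + len(JPEG_EOI)]


CARVERS = {"png": (PNG_SIG, carve_png), "jpeg": (JPEG_SOI, carve_jpeg)}


def carve(data: bytes, types=("jpeg", "png")):
    """Return [(offset, type, bytes)] for every carvable file in `data`,
    the equivalent of `foremost -t jpeg,png -i image`."""
    found = []
    for kind in types:
        sig, fn = CARVERS[kind]
        pos = data.find(sig)
        while pos != -1:
            blob = fn(data, pos)
            if blob is not None:
                found.append((pos, kind, blob))
                pos = data.find(sig, pos + len(blob))   # skip past the carved file
            else:
                pos = data.find(sig, pos + 1)           # false signature, move on
    return sorted(found)


def png_1x1(r: int = 255, g: int = 0, b: int = 0) -> bytes:
    """Build a genuine 1x1 RGB PNG to hide in the sample image."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00" + bytes([r, g, b]))       # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed JPEG stub: SOI, an APP0 marker, filler, EOI. Carvable, not viewable.
JPEG_STUB = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 64 + JPEG_EOI


def sample_image() -> bytes:
    """Constructed raw image: filler, JPEG stub, filler, real PNG, filler, decoy."""
    filler = b"\x00" * 512 + b"\x5a" * 512
    decoy = PNG_SIG + b"\x00" * 12          # signature with no valid chunk behind it
    return filler + JPEG_STUB + filler + png_1x1() + filler + decoy


if __name__ == "__main__":
    for offset, kind, blob in carve(sample_image()):
        print(f"{offset:#010x} {kind} {len(blob)} bytes")
```

The PNG carver validates every chunk CRC, so the decoy signature is rejected; the JPEG carver has no such structure to check and simply takes everything up to the next EOI, which is exactly why JPEG carving on a real image yields some false positives and truncated files that foremost's audit log reports.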
7. Recommended resources
- For network forensics, see the protocol analysis chapter
- Everything is in the image: from a full disk image the history of the system (deleted files, earlier contents) can be recovered, which a look at the running system does not give you