ez_mem&usb
Running binwalk on the pcap carves out the vmem image and two zips (the vmem carved this way caused errors in volatility, which I only noticed later; a copy uploaded with MobaXterm did not help either).
Instead, open the pcap in Wireshark -> File -> Export Objects -> HTTP and keep the largest object, the upload to upload_file.php. It starts with the PK signature, so unzip it to get data.vmem.
Identify the image profile: volatility -f data.vmem imageinfo
List processes: volatility -f data.vmem --profile=WinXPSP2x86 pslist
Look at the cmd history: volatility -f data.vmem --profile=WinXPSP2x86 cmdscan, which reveals the password:
weak_auth_top100
Dump the Explorer process (PID 1476 from pslist):
volatility -f data.vmem --profile=WinXPSP2x86 memdump -p 1476 --dump-dir=./
Running binwalk and foremost on 1476.dmp gives errors when decompressing the carved zip.
Also tried the editbox plugin (not sure what it contributes here):
volatility -f data.vmem --profile=WinXPSP2x86 editbox
Use filescan to look for files under the Administrator profile, then dump the interesting one by its offset:
volatility -f data.vmem --profile=WinXPSP2x86 filescan | grep "Administrator"
volatility -f data.vmem --profile=WinXPSP2x86 dumpfiles -Q 0x0000000001155f90 --dump-dir=./
This yields file.None.0xff425090.dat. binwalk carves a zip from it but extraction fails; retrying with foremost succeeds and yields usbdata.txt.
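Both carving steps above (the zip inside 1476.dmp and the one inside file.None.0xff425090.dat) hit the same failure mode: a forward scan for the PK\x03\x04 local-header signature, as binwalk does, trips over stray "PK" bytes in a memory dump and cuts the archive at the wrong place. The script below is an added example, not part of the original writeup or of volatility/binwalk/foremost. It carves zips the way zipfile itself locates them: find each end-of-central-directory record, walk back to the archive start using the central-directory size and offset, and only accept the candidate if a real local header sits there. The sample "dump" it builds is constructed in code (a deflated zip holding a usbdata.txt, surrounded by junk and a decoy PK header) and stands in for the real memdump, which is not included.

```python
import io
import struct
import zipfile
from typing import Dict, List, Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
EOCD_LEN = 22  # fixed part of the end-of-central-directory record


def carve_zips(blob: bytes) -> List[bytes]:
    """Return every ZIP archive embedded in blob.

    Works backwards from each EOCD record (like zipfile does) instead of
    scanning forward for local headers, so decoy 'PK\\x03\\x04' bytes in the
    surrounding memory do not produce truncated archives. Classic ZIP only;
    zip64 records are not handled.
    """
    archives = []
    pos = 0
    while True:
        eocd = blob.find(ZIP_EOCD, pos)
        if eocd == -1 or eocd + EOCD_LEN > len(blob):
            break
        pos = eocd + 4
        # EOCD layout after the signature: disk(2) cd_disk(2) entries_disk(2)
        # entries_total(2) cd_size(4) cd_offset(4) comment_len(2)
        entries, cd_size, cd_offset, comment_len = struct.unpack_from(
            "<HIIH", blob, eocd + 10
        )
        start = eocd - cd_size - cd_offset
        # The central directory offset is relative to the archive start, so
        # a genuine archive must begin with a local file header there.
        if entries == 0 or start < 0 or blob[start:start + 4] != ZIP_LOCAL_HEADER:
            continue
        end = eocd + EOCD_LEN + comment_len
        if end > len(blob):
            continue
        archives.append(blob[start:end])
    return archives


def extract_members(archive: bytes, password: Optional[bytes] = None) -> Dict[str, bytes]:
    """Read every member of a carved archive into memory."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {name: zf.read(name, pwd=password) for name in zf.namelist()}


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memdump: junk, a decoy local-header
    signature, then a real deflated zip containing usbdata.txt, then more junk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("usbdata.txt", "constructed sample\n" * 50)
    return (
        b"\x00" * 1000
        + b"PK\x03\x04 decoy bytes that are not a real header "
        + buf.getvalue()
        + b"\xff" * 300
    )


if __name__ == "__main__":
    dump = build_sample_dump()
    for i, z in enumerate(carve_zips(dump)):
        members = extract_members(z)
        for name, data in members.items():
            print(f"archive {i}: {name} ({len(data)} bytes)")
            with open(name, "wb") as out:  # writes usbdata.txt next to the script
                out.write(data)
```

To use it on the real artifacts, read 1476.dmp or file.None.0xff425090.dat into `blob` and call `carve_zips`; pass `password=b"weak_auth_top100"` to `extract_members` if the carved archive turns out to be encrypted with the credential recovered from cmdscan.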