Recovering clipboard content and plaintext password recovery through volatility

Well, hello guys. I am back after a long time . Today I am here to share you about a little on volatility tool which includes recovering clipboard content and plaintext password from the memory dump of any system

So, let’s get started with how to take the memory dump of the suspect machine . We will perform this via FTK Imager. Its a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as Forensic Toolkit (FTK®) is warranted.

Source and download link : https://www.exterro.com/ftk-imager

After the download and installation of FTK Imager dive to :

FTK Imager→ File → Memory Capture

Now click on capture memory and achieve the memory dump

Now we will see recovering clipboard content from memory using Volatility in Kali workstation. You can also download volatility and use it in windows (Download link :https://www.volatilityfoundation.org/releases)

Volatility is an advanced memory forensics framework and is one of the best open source software programs for analyzing RAM in 32 bit/64 bit systems. It uses KDBG scan or Kernel Debugging Scan (KDBG)

To see the clipboard content, we can use the clipboard plugin available in volatility. To perform this lab, I used the jacker’s challenge. You can download it from here : https://docs.google.com/file/d/0B_xsNYzneAhEN2I5ZXpTdW9VMGM/edit?resourcekey=0-h5eP2uMnqxV-xdJhofV_LQ

You can also use the memory dump obtained from your system to perform this lab :)

To see the imageinfo that will help you to get more information about the memory dump use the plugin called imageinfo :

volatility -f memdump.bin imageinfo

To see the clipboard content, we can use the clipboard plugin

volatility -f memdump.bin — profile=WinXPSP2x86 clipboard

You can discover more contents, by trying your own system memory dump. Here u see an http link in the output.

To see the clipboard content in a more standard or detailed way use :

volatility -f memdump.bin — profile=WinXPSP2x86 clipboard -v (v :verbose)

Now, lets see how to recover plain text password from memory

To see the details of Virtual and Physical addresses along with the easier readable plaintext names and locations hivelist plugin is used in Volatility

volatility -f memdump.bin — profile=WinXPSP2x86 hivelist

The dat files and registry files are dumped here

Now, let’s use the hashdump plugin in volatility to retrieve user’s password from the specific registry files. And, then save the output in a text file (hash.txt)

volatility -f memdump.bin — profile=WinXPSP2x86 hashdump -y 0xe1035b60 -s 0xe1579b60>hash.txt

Let’s view the hash

cat hash.txt

The hash is in NTML format (UN : Username ; pass : password )

Let’s decode the hash from online decoder

Hence, we successfully recovered the password

Thanks for reading till the end. Hope you enjoyed it learned something new. Do, share and subscribe and also discuss new topics with me . Let’s learn and grow together

Follow me on:

🔸 Twitter : https://twitter.com/ShreyaTalukdar9

🔸 Instagram : https://www.instagram.com/shreya.talukdar/

🔸 LinkedIn : https://www.linkedin.com/in/shreya-talukdar-dfir/

🔸 Email : shreyatalukdar30@gmail.com