INTRO
This is going to be a short article in which we create a .DMP file and then try to extract everything we can from it. The topic belongs mostly to Windows forensics. For this tutorial you will need a Windows OS, but it is fine if you do not have one: I will provide a .DMP file for testing purposes. Still, I suggest using Windows so that you get a better understanding of the article.
Well, have you ever heard of a .DMP file? DMP is the file extension of the dump format Windows uses to write the memory of a crashed program (or, for a kernel crash, of the whole system) to a file for later diagnostic analysis. Minidump files created by Windows are named MINI000000-00.dmp, where the zeros are replaced by the date and a trailing sequence number. You can google ".DMP file" for more information.
ATTACK
As always, I am using Kali Linux, but any other Linux distribution will do. The tool we are going to use is named "Pypykatz". Yes, I know, it sounds like "Mimikatz": it is a Mimikatz implementation in pure Python, so you can do the Mimikatz part of the job on Linux too.
So first we need to install the tool on our Linux. You can clone the repository:
git clone https://github.com/skelsec/pypykatz.git
There is also an easier method: install it from PyPI via pip. Type this command:
pip3 install pypykatz
Screenshot:
It is possible that you have never heard of this tool before, but for this job it is as capable as Mimikatz. Before going further, a word about lsass.DMP: finding this file is a jackpot. LSASS stands for "Local Security Authority Subsystem Service". It verifies users logging on to a Windows computer or server, handles password changes and creates access tokens. To do that it keeps credential material in memory, so a dump of its process memory contains NTLM hashes, Kerberos tickets and, on systems where WDigest is still enabled, even plaintext passwords.
Pypykatz's minidump mode is made for dumps of the LSASS process. It will not extract anything useful from a dump of another process, and it does not read full memory images. Let's grab some credentials from lsass.DMP. Type this command:
pypykatz lsa minidump lsass.DMP
Screenshot:
You can create your own lsass.DMP file. Run Task Manager as administrator (dumping LSASS needs SeDebugPrivilege), go to the Details tab (Processes > Show processes from all users on older versions), right-click lsass.exe and choose "Create dump file".
Task Manager writes lsass.DMP to AppData\Local\Temp of the user running it.
Be aware that this is exactly the behaviour endpoint protection looks for: Defender and most EDR products alert on or block handles to LSASS opened with memory-read access, and on hosts with LSA protection (RunAsPPL) or Credential Guard the dump will either be denied or contain no usable secrets.
Screenshot:
But Pypykatz is only for LSASS dumps. What if you want to analyze other files? Then the very popular forensic tool "Volatility" takes its place. It is a little more complicated, and sometimes it simply does not work: Volatility analyzes full memory images (raw captures, VMware .vmem files, hiberfil.sys, kernel crash dumps), not the per-process minidumps that Task Manager produces. Run imageinfo first to see whether Volatility recognizes the file and which profile to use (this is Volatility 2 syntax; in Volatility 3 the equivalent plugin is windows.info).
Type this command:
volatility -f <Path of DMP file> imageinfo
Screenshot:
There are many alternatives to the Volatility tool. We will discuss those in another post.
Thanks For Visiting.