INTRO

This is going to be a short article in which we create a .DMP file and then try to extract as much information from it as we can. The topic mostly relates to Windows forensics. For this tutorial you will need a Windows OS, but it's OK if you don't have one: I will provide a .DMP file for testing purposes. I do suggest using Windows, though, so you get a better understanding of this article.

Well, have you ever heard of a .DMP file? DMP is the file extension for the dump file format Windows uses to write the memory of a crashed program into a file for later diagnostic analysis. DMP files created by Windows are named MINI000000-00.dmp, where the zeros are replaced by the date, followed by a sequence number.

You can google ".DMP file" for more information.

ATTACK

As always, I am using Kali Linux; you can use any other Linux. We are going to use a tool named "Pypykatz". Yes, I know, it sounds like "Mimikatz": it is in fact a Mimikatz implementation in Python, so you can use Mimikatz functionality on Linux too.

So first, we need to install this tool on our Linux. Type this command:

git clone https://github.com/skelsec/pypykatz.git

There is another way to install it, via pip. Type this command:

pip3 install pypykatz


It is possible you have never heard of this tool before, but it is just as great a tool as Mimikatz. Before going any further, I would like to tell you about lsass.DMP. It is a jackpot if you find this file. LSASS stands for "Local Security Authority Subsystem Service". It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. That means you can find passwords in its dump file.

Pypykatz is made specifically for the lsass.DMP file; it won't work on other files. Let's grab some passwords from lsass.DMP. Type this command:

pypykatz lsa minidump lsass.DMP


DOWNLOAD-lsass.DMP

You can create your own lsass.DMP file. Go to Task Manager > Processes > Show all processes.

Then right-click on any process and create a .DMP file.

Later, you will find the file in AppData\Local\Temp.

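Before feeding a .DMP file found in a location like AppData\Local\Temp to pypykatz or Volatility, an analyst usually wants to confirm what it actually is. The following Python script is an added example, not code from the original post or from pypykatz: it checks the "MDMP" signature of the Windows minidump format, walks the stream directory, reads the module list, and flags the dump as an LSASS dump when lsasrv.dll is among the loaded modules. The `build_sample_dump` helper constructs a tiny synthetic minidump so the parser can be tried offline; the base addresses and paths in it are made up.

```python
import struct

MDMP_SIGNATURE = 0x504D444D         # the bytes b"MDMP" read as a little-endian ULONG32
MODULE_LIST_STREAM = 4              # MINIDUMP_STREAM_TYPE value ModuleListStream
HEADER = struct.Struct("<IIIIIIQ")  # MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIRENT = struct.Struct("<III")      # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
MODULE_SIZE = 108                   # sizeof(MINIDUMP_MODULE); only its first 24 bytes are read here

def parse_minidump(data):
    """Return header fields, stream types and the module list of a Windows minidump."""
    if len(data) < HEADER.size or data[:4] != b"MDMP":
        raise ValueError("not a Windows minidump: MDMP signature missing")
    _sig, version, nstreams, dir_rva, _chk, timestamp, _flags = HEADER.unpack_from(data, 0)
    streams = {}
    for i in range(nstreams):
        stype, size, rva = DIRENT.unpack_from(data, dir_rva + i * DIRENT.size)
        streams[stype] = (rva, size)
    modules = []
    if MODULE_LIST_STREAM in streams:
        rva, _ = streams[MODULE_LIST_STREAM]
        (count,) = struct.unpack_from("<I", data, rva)                 # MINIDUMP_MODULE_LIST.NumberOfModules
        for i in range(count):
            base, image_size, _, _, name_rva = struct.unpack_from("<QIIII", data, rva + 4 + i * MODULE_SIZE)
            (name_len,) = struct.unpack_from("<I", data, name_rva)     # MINIDUMP_STRING: byte length, then UTF-16LE text
            name = data[name_rva + 4:name_rva + 4 + name_len].decode("utf-16-le")
            modules.append((name, base, image_size))
    return {"version": version & 0xFFFF, "timestamp": timestamp,
            "streams": sorted(streams), "modules": modules}

def looks_like_lsass_dump(info):
    """lsasrv.dll is loaded inside lsass.exe, so its presence marks a dump of LSASS."""
    names = {path.rsplit("\\", 1)[-1].lower() for path, _, _ in info["modules"]}
    return "lsasrv.dll" in names

def build_sample_dump(module_paths):
    """Constructed test input: a minimal minidump holding only a ModuleListStream (fake addresses)."""
    dir_rva = HEADER.size
    list_rva = dir_rva + DIRENT.size
    names_rva = list_rva + 4 + len(module_paths) * MODULE_SIZE
    strings, name_rvas = b"", []
    for path in module_paths:
        enc = path.encode("utf-16-le")
        name_rvas.append(names_rva + len(strings))
        strings += struct.pack("<I", len(enc)) + enc + b"\x00\x00"
    mod_list = struct.pack("<I", len(module_paths))
    for i, name_rva in enumerate(name_rvas):      # made-up base address, zero checksum and timestamp
        mod_list += struct.pack("<QIIII", 0x7FF800000000 + i * 0x100000, 0x1000, 0, 0, name_rva).ljust(MODULE_SIZE, b"\x00")
    header = HEADER.pack(MDMP_SIGNATURE, 42899, 1, dir_rva, 0, 0, 0)  # 42899 is MINIDUMP_VERSION
    return header + DIRENT.pack(MODULE_LIST_STREAM, len(mod_list), list_rva) + mod_list + strings
```

On a real file, `parse_minidump(open(path, "rb").read())` gives the stream list and module paths; a dump whose module list contains lsasrv.dll deserves the same attention as an lsass.DMP, whatever the file is named.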

But Pypykatz is only for the lsass.DMP file. What if you want to analyze other dump files? Then a very popular forensic tool called "Volatility" takes its place. It is a little bit complicated; I say so because sometimes it doesn't work.

Type this command:

volatility -f <Path of DMP file> imageinfo


There are many alternatives to the Volatility tool. We will discuss those in another post.


Thanks For Visiting.
