forensic

# profile
$ vol -f dump imageinfo
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86

# list available profiles
$ vol --info | less # better
$ vol --info | grep 'Win' | less
$ vol --info | grep 'Linux' | less
$ vol --info | grep 'Mac' | less

# list available commands
$ vol --info | grep '^linux' 
$ vol --info | grep '^mac'

# analyze command line
$ vol -f dump --profile=Win7SP1x86 cmdline
************************************************************************
mspaint.exe pid:   2644
Command line : "C:\Windows\system32\mspaint.exe" "C:\Users\info\Desktop\flag.png"
************************************************************************

# analyze files
$ vol -f dump --profile=Win7SP1x86 filescan

# filter files
$ vol -f dump --profile=Win7SP1x86 filescan | grep -i "filename"

# clipboard content
$ vol -f dump --profile=Win7SP1x86_23418 clipboard
Session  WindowStation Format           Handle    Object       Data
-------  ------------- ---------------  --------  -----------  ------------------
1         WinSta0      CF_UNICODETEXT   0xd02d1   0xffbb3fb0   my_data
...

# dump host hashes
$ vol -f dump --profile=Win7SP1x86 hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:57e82f46aff390080f143c09ab2c5b68:::
info:1002:aad3b435b51404eeaad3b435b51404ee:382c7bf814461d8d685cf7a7a06c8c8f:::
# NTLM hash is 382c7bf814461d8d685cf7a7a06c8c8f

# cerate new image
$ strings mem.raw | grep -i 'Linux version' | uniq
Linux version 4.4.0-72-lowlatency (buildd@lcy01-17) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP PREEMPT Fri Mar 31 15:25:21 UTC 2017 (Ubuntu 4.4.0-72.93-lowlatency 4.4.49)
# install Ubuntu 16.04
# make
$ sudo apt install linux-image-4.4.0-72-lowlatency linux-headers-4.4.0-72-lowlatency
$ sudo apt install build-essential dwarfdump
# test with
$ uname -a
$ git clone --depth=1 https://github.com/volatilityfoundation/volatility
$ cd volatility/tools/linux
$ make
$ sudo zip Ubuntu1604.zip volatility/tools/linux/module.dwarf /boot/System.map-4.4.0-72-lowlatency

# finish
$ mv Ubuntu1604.zip /usr/lib/python2.7/dist-packages/volatility/plugins/linux/

# test
$ vol --info | grep 'Ubuntu'

# bash history
$ vol -f mem.raw --profile=LinuxUbuntu1604x64 linux_bash

# process
$ vol -f mem.raw --profile=LinuxUbuntu1604x64 linux_psaux

# list file
$ vol -f mem.raw --profile=LinuxUbuntu1604x64 linux_find_file -L

# specific file
$ vol -f mem.raw --profile=LinuxUbuntu1604x64 linux_find_file -L | grep -i 'file.txt'
...
3 0xffff88000c135324 /media/secret/file.txt
...

# dump file
$ vol -f mem.raw --profile=LinuxUbuntu1604x64 linux_find_file -i 0xffff88000c135324 -O file.txt

# get profile
$ vol -f data.dmp mac_get_profile
Profile                              Shift Address
------------------------------------ -------------
MacSierra_11_8_1_AMDx64              0x00004000000

# bash history
$ vol -f data.dmp --profile=MacSierra_11_8_1_AMDx64 mac_bash

# list files
$ vol -f data.dmp --profile=MacSierra_11_8_1_AMDx64 mac_list_files

# notes
$ mkdir notes
$ vol -f data.dmp --profile=MacSierra_11_8_1_AMDx64 mac_notesapp --dump-dir notes/

# keychain
$ vol -f data.dmp --profile=MacSierra_11_8_1_AMDx64 mac_keychaindump

# recover all device deleted data
$ sudo extundelete /dev/mapper/foren --restore-all
$ tree -a RECOVERED_FILES/
RECOVERED_FILES/
└── secret
    └── deleted_file.txt

$ dd if=/dev/sda bs=512 skip=10 count=100 if=./data.dmp

$ sudo fdisk -l /dev/sda
Disk /dev/sda: 64 GiB, 68719476736 bytes, 134217728 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0a423922

Device     Boot Start       End   Sectors Size Id Type
/dev/sda1  *     2048 134215679 134213632  64G 83 Linux