1
00:00:04,950 --> 00:00:15,140
Hello. In this lecture we will be investigating a Windows XP memory image that we get from the Volatility

2
00:00:15,140 --> 00:00:23,450
example samples. In order to do it, type in Google: volatility

3
00:00:23,450 --> 00:00:26,390
sample image download.

4
00:00:28,830 --> 00:00:37,530
And click on the first result in Google, and you can see here we have several different options,

5
00:00:37,530 --> 00:00:48,270
that is, infected operating system memories which, as you can see, are infected with the Zeus virus,

6
00:00:48,510 --> 00:01:00,150
but the one that we have here is Windows 7 64-bit, and it is not infected. And here we have several more

7
00:01:00,160 --> 00:01:10,170
images that are infected by the CryptoLocker virus, the Shylock virus and others, and we have Android memory

8
00:01:10,170 --> 00:01:14,550
images to download, as you can see here, and, of course, other images.

9
00:01:16,140 --> 00:01:18,550
So I will download the Zeus sample.

10
00:01:18,630 --> 00:01:27,150
If you click on this image, click on Save, OK, and you can see it starts downloading.

11
00:01:27,150 --> 00:01:33,870
But I will not download it now, because it is already downloaded, and I will open the downloaded file.

12
00:01:36,960 --> 00:01:42,540
And opening the archive, the password is "infected".

13
00:01:43,990 --> 00:01:49,640
Click on Extract, and I will select the Music folder.

14
00:01:53,170 --> 00:01:56,570
You can see the extraction completed successfully.

15
00:02:00,770 --> 00:02:01,820
Close the browser.

16
00:02:07,480 --> 00:02:08,710
And open the terminal.

17
00:02:10,060 --> 00:02:22,780
So in order to use Volatility, type in the terminal "volatility", and after typing this, specify the location

18
00:02:23,200 --> 00:02:26,050
of the memory file.
19
00:02:26,830 --> 00:02:35,080
But you have to put a dash and f, -f, which just means that you will be using Volatility. After

20
00:02:35,920 --> 00:02:44,200
specifying the path of the memory image, type imageinfo, and here Volatility is analyzing.

21
00:02:44,620 --> 00:02:51,520
As you can see here, we have several pieces of information about the image, which is: the image is Windows XP

22
00:02:51,520 --> 00:02:58,920
Service Pack 2 and x86, which is a 32-bit processor system.

23
00:02:59,230 --> 00:03:06,990
And you can see the image date, which is 2011, October 10.

24
00:03:07,920 --> 00:03:19,660
So we have several options and information about the image, from which we will specify the profile when analyzing

25
00:03:20,710 --> 00:03:21,850
the operating system image.

26
00:03:22,270 --> 00:03:25,030
Delete the imageinfo command.

27
00:03:32,170 --> 00:03:34,720
And type --profile

28
00:03:38,580 --> 00:03:45,450
equals, and copy the first profile, the suggested profile that we get from the imageinfo command,

29
00:03:47,860 --> 00:03:58,740
paste it, and type pslist, which is the command that will give you the running processes list,

30
00:03:58,740 --> 00:04:04,170
IDs, how many threads are running and when the process started.

31
00:04:04,830 --> 00:04:12,530
So as you can see here, we have a number of processes, which are VMware services, explorer.exe,

32
00:04:12,540 --> 00:04:15,830
cmd.exe and System.
33
00:04:22,330 --> 00:04:34,870
Then delete pslist and type pstree. As you can see here, we have the processes that

34
00:04:34,870 --> 00:04:44,680
are listed in a tree layout, in which you can see System is at the top, and under that all

35
00:04:44,680 --> 00:04:53,680
of the svchost, services.exe and lsass.exe, which means that these

36
00:04:53,680 --> 00:05:00,040
processes are system processes, and on top of them stands System. And you can see explorer.exe,

37
00:05:00,040 --> 00:05:04,360
which is on top of VMwareTray

38
00:05:04,450 --> 00:05:05,080
and cmd.exe.

39
00:05:16,580 --> 00:05:26,420
And type psxview instead of that. As you can see, we can see the pslist side

40
00:05:26,430 --> 00:05:29,180
as well.

41
00:05:30,900 --> 00:05:41,800
And this shows us the process session, where you can see here session, the csrss,

42
00:05:42,270 --> 00:05:54,780
pspcid and psscan are showing that. And delete the last command and type

43
00:05:54,790 --> 00:05:57,590
connections, which means:

44
00:05:57,790 --> 00:06:06,180
this shows us the active connections, and which connection is associated with which

45
00:06:06,580 --> 00:06:10,820
process, which you can see here, the process ID.

46
00:06:11,010 --> 00:06:19,510
The process ID is 1956, so 1956, as you can see here,

47
00:06:19,520 --> 00:06:27,280
is explorer.exe, which is using this socket, and here is the remote address.

48
00:06:27,280 --> 00:06:32,080
And the remote port is here, as the information shows us.

49
00:06:33,810 --> 00:06:39,400
And sockets is kind of the same command, but with the associated sockets.
50
00:06:41,350 --> 00:06:52,110
So it is shown here which address is using this socket, and we have here TCP and UDP protocols

51
00:06:52,440 --> 00:07:02,310
and the process ID, which process is using these sockets, and other information about sockets.

52
00:07:18,540 --> 00:07:22,150
And we have one more command.

53
00:07:22,190 --> 00:07:30,690
Again, this is the same: the cmdscan command, which shows the cmd command history, and

54
00:07:30,960 --> 00:07:39,150
which command is used and executed by cmd.exe, which you can see here: csrss.exe is the

55
00:07:39,500 --> 00:07:45,330
process, 608, which is associated with the command.

56
00:07:45,340 --> 00:07:54,150
And you can see here we have several commands used,

57
00:07:54,390 --> 00:08:05,550
which means that someone or some application is using cmd to activate

58
00:08:05,550 --> 00:08:09,060
and execute malicious programs.