Strings, bstrings and grep
Volatility tools to extract memory:
Memory compression:
From Windows 10 onwards, memory has been partially compressed. Memory can be decompressed using winmem_decompress.py
and then analysed with AV scanners or the methods below. This is normally fairly fruitful, and can extract 150% more memory.
Strings
-t d # print decimal offset
-e l # extract Unicode (16-bit little-endian)
-<num> # only strings of length >= num
# execute the following:
strings -a -t d [MEM/PROC] > strings.txt
strings -a -t d -e l [MEM/PROC] >> strings.txt
sort strings.txt > sorted_strings.txt
Bstrings
--lr [ipv4] # search for regex
--ls # search for string
--fs <filename> # list of strings
-m <num> # strings that match a certain len or above
bstrings -f file -m 8
bstrings -f file --ls search_term
bstrings -f file --lr ipv4
Grep
-r # recurse
-n # line number
-w # word
-i # ignore case
-B <num> # show number of lines before
-A <num> # show number of lines after
-f <file> # list of strings
-v # exclude from search
-o # show only matching output
grep -rni mimikatz ./mem_folder
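The same pipeline (strings -t d / -e l, bstrings --lr ipv4, grep -i -f) reduced to a few functions run over a small constructed buffer, so the offsets and matches can be checked by hand. This is an added example, not code from the page; SAMPLE is a constructed byte string standing in for a memory dump, and the ASCII/UTF-16LE regexes only approximate what the real tools consider printable.

```python
import re

# Constructed sample "memory" buffer (not a real dump): ASCII and UTF-16LE text
# surrounded by binary filler, to mimic what strings -a and strings -e l would see.
SAMPLE = (
    b"\x00\x01\x02" + b"cmd.exe /c whoami" + b"\xff\x00"
    + "mimikatz.exe".encode("utf-16-le") + b"\x00\x00\x90\x90"
    + b"connect 10.0.0.25:4444" + b"\x00" + b"ab" + b"\x7f"
)

# the kind of pattern bstrings --lr ipv4 applies (assumed, not bstrings' own regex)
IPV4_RE = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"


def extract_strings(data, min_len=4, unicode=False):
    """Approximate `strings -a -t d` (ASCII) or `strings -a -t d -e l` (UTF-16LE).

    Returns (decimal_offset, text) pairs for runs of >= min_len printable chars.
    """
    if unicode:
        # printable ASCII char followed by a NUL byte = one UTF-16LE code unit
        pattern, enc = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, "utf-16-le"
    else:
        pattern, enc = rb"[\x20-\x7e]{%d,}" % min_len, "ascii"
    return [(m.start(), m.group().decode(enc)) for m in re.finditer(pattern, data)]


def extract_all(data, min_len=4):
    """Both passes merged and ordered by offset, like the sorted strings.txt above."""
    return sorted(extract_strings(data, min_len) + extract_strings(data, min_len, True))


def regex_search(entries, regex):
    """Like bstrings --lr: (offset, matched_value) for every string matching regex."""
    hits = []
    for off, text in entries:
        m = re.search(regex, text)
        if m:
            hits.append((off, m.group()))
    return hits


def grep_terms(entries, terms, ignore_case=True):
    """Like grep -i -f <file>: keep strings containing any of the listed terms."""
    flags = re.IGNORECASE if ignore_case else 0
    return [(off, text) for off, text in entries
            if any(re.search(re.escape(t), text, flags) for t in terms)]


if __name__ == "__main__":
    found = extract_all(SAMPLE, min_len=4)
    for off, text in found:
        print(off, text)                        # same layout as strings -t d
    print(regex_search(found, IPV4_RE))         # [(50, '10.0.0.25')]
    print(grep_terms(found, ["mimikatz", "whoami"]))
```

Raise min_len to 8 to mirror bstrings -m 8; the UTF-16LE pass is what catches the Windows-native strings a plain ASCII pass misses.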