Sunday, February 17, 2013

Examining a Suspended Virtual Machine

I would like to show the danger of suspended virtual machines, with the tool called volatility there are several options you may extract from a vmem file can be found from the link below
With in the example , we will find the local password for the related OS User
To use hashdump, pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s, like this

Hashes can now be cracked using John the Ripper, rainbow tables, etc
In this example I have used password appeared with in few minutes