
How to extract a .bat file with volatility

Çağlar Arlı


I am experimenting with the volatility2 tool. I have created a memory dump of a Windows 7 machine where I had a batch script file on the desktop of the machine. I used the mftparser command as:

volatility -f memdump.mem --profile=Win7SP1x64 mftparser | grep -i "desktop"

which resulted in:

-snip-

2023-02-22 01:38:18 UTC+0000 2023-02-22 01:38:18 UTC+0000   2023-02-22 01:38:18 UTC+0000   2023-02-22 01:38:18 UTC+0000   RemoteDesktops
2023-02-22 01:38:18 UTC+0000 2023-02-22 01:38:18 UTC+0000   2023-02-22 01:38:18 UTC+0000   2023-02-22 01:38:18 UTC+0000   Users\Public\Desktop
2023-02-22 01:43:42 UTC+0000 2023-02-22 01:43:42 UTC+0000   2023-02-22 01:43:42 UTC+0000   2023-02-22 01:43:42 UTC+0000   Users\[username]\Desktop
2023-02-22 02:28:40 UTC+0000 2023-02-22 02:28:40 UTC+0000   2023-02-22 02:28:40 UTC+0000   2023-02-22 02:28:40 UTC+0000   Users\[username]\Desktop\memdump.mem
2023-02-21 15:59:20 UTC+0000 2023-02-21 15:59:20 UTC+0000   2023-02-21 15:59:20 UTC+0000   2023-02-21 15:59:20 UTC+0000   Users\[username]\Desktop\WINDOW~1\WINDOW~1.BAT
2023-02-21 15:59:20 UTC+0000 2023-02-21 15:59:20 UTC+0000   2023-02-21 15:59:20 UTC+0000   2023-02-21 15:59:20 UTC+0000   Users\[username]\Desktop\WINDOW~1\Windows11Pro.bat
2023-02-22 01:38:28 UTC+0000 2023-02-22 01:38:28 UTC+0000   2023-02-22 01:38:28 UTC+0000   2023-02-22 01:38:28 UTC+0000   Windows\assembly\Desktop.ini

-snip-

So I want to dump the Users\[username]\Desktop\WINDOW~1\Windows11Pro.bat file. I used the filescan command as:

volatility -f memdump.mem --profile=Win7SP1x64 filescan | grep "Users\[username]\Desktop\WINDOW~1\Windows11Pro.bat"

but I get no results back. Why is that? I tried other grep alternatives but it seems I can't locate the address of this batch file.
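The workflow in the question (locate the file in `filescan` output, then feed the physical offset to `dumpfiles -Q`) can be scripted so the path lookup does not go through a regex at all. The script below is an added example, not code from the question author or from the Volatility project: it parses Volatility 2 `filescan` output, matches the requested path by plain case-insensitive suffix comparison (Windows paths are case-insensitive, and backslashes in a grep pattern are regex escapes, so `\W` or `\D` in the pattern do not mean a literal backslash), and builds the `dumpfiles` command for each hit. The `filescan` lines embedded in `SAMPLE_FILESCAN` are constructed for illustration; the offsets, pointer counts and the `analyst` username are made up, and the column layout mirrors the Volatility 2 plugin's table.

```python
import re
from typing import Dict, List

# Constructed sample of Volatility 2 `filescan` output (not taken from the
# question). Offsets, counts and the "analyst" username are invented.
SAMPLE_FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e2f5f20      2      0 R--r-d \\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll
0x000000003e41a070     16      0 R--r-- \\Device\\HarddiskVolume2\\Users\\analyst\\Desktop\\WINDOW~1\\Windows11Pro.bat
0x000000003e4c8f20      1      1 RW-rwd \\Device\\HarddiskVolume2\\Users\\analyst\\Desktop\\memdump.mem
0x000000003e5d1a30      3      0 R--rwd \\Device\\HarddiskVolume2\\Users\\Public\\Desktop\\desktop.ini
"""

# One filescan record: physical offset, pointer count, handle count,
# access flags, and the device-relative path of the FILE_OBJECT.
FILESCAN_LINE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<ptr>\d+)\s+(?P<hnd>\d+)"
    r"\s+(?P<access>\S+)\s+(?P<name>.+?)\s*$"
)


def parse_filescan(text: str) -> List[Dict[str, object]]:
    """Parse filescan output into records; header and separator lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FILESCAN_LINE.match(line)
        if not m:
            continue
        records.append({
            "offset": int(m["offset"], 16),
            "ptr": int(m["ptr"]),
            "hnd": int(m["hnd"]),
            "access": m["access"],
            "name": m["name"],
        })
    return records


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; also accept forward slashes in the query.
    return path.replace("/", "\\").lower()


def find_file_objects(text: str, wanted: str) -> List[Dict[str, object]]:
    """Return records whose path ends with `wanted` on a path-component boundary.

    Plain substring comparison, no regex, so the backslashes in a Windows
    path need no escaping and cannot be misread as regex escapes.
    """
    suffix = _norm(wanted).lstrip("\\")
    hits = []
    for rec in parse_filescan(text):
        name = _norm(str(rec["name"]))
        if not name.endswith(suffix):
            continue
        # Reject partial-component matches such as "Pro.bat" inside "Windows11Pro.bat".
        if len(name) == len(suffix) or name[-len(suffix) - 1] == "\\":
            hits.append(rec)
    return hits


def dumpfiles_command(memfile: str, profile: str, rec: Dict[str, object], outdir: str) -> str:
    """Build the Volatility 2 dumpfiles invocation for one filescan hit.

    -Q takes the physical offset of the FILE_OBJECT, -D the output directory.
    """
    return (f"volatility -f {memfile} --profile={profile} "
            f"dumpfiles -Q 0x{rec['offset']:x} -D {outdir}")


if __name__ == "__main__":
    # Usage with the constructed sample; replace the text with real
    # `volatility ... filescan` output captured to a file.
    target = r"Users\analyst\Desktop\WINDOW~1\Windows11Pro.bat"
    for rec in find_file_objects(SAMPLE_FILESCAN, target):
        print(f"{rec['name']}  (ptr={rec['ptr']}, hnd={rec['hnd']})")
        print(dumpfiles_command("memdump.mem", "Win7SP1x64", rec, "dumped"))
```

Two caveats worth keeping in mind when a file from `mftparser` does not show up in `filescan`: `filescan` pool-scans physical memory for `_FILE_OBJECT` structures, so it only lists files that were opened at some point and whose object is still present in RAM, while `mftparser` reads the NTFS MFT entries and will list a file whether or not it was ever opened. For a small script whose data is MFT-resident, `mftparser -D <dir>` can write the resident contents out directly without needing a `FILE_OBJECT` offset at all.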