
I'm trying to analyze a Windows 7 memory dump with Volatility. The goal is to see the CMD commands which were run before the dump was taken.

I ran the following command (output below): `volatility.exe --profile=Win7SP1x64_23418 -f WINDOWS7-20200221-214526.raw cmdscan`

I need to figure out what commands were run in the middle chunk (from ncat.exe).

Are there any other Volatility parameters/commands that will output the info as text? Is there any better way to find this information? I have access to the Win7 VM (VirtualBox) with a live snapshot allowing me to resume the machine from right before the memory dump was taken.

```
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 2580
CommandHistory: 0x63bf0 Application: cmd.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #15 @ 0x30158: 
Cmd #16 @ 0x4ed50: 
**************************************************
CommandProcess: conhost.exe Pid: 2580
CommandHistory: 0x63e40 Application: ncat.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
Cmd #41 @ 0x300f8: 
Cmd #42 @ 0x300f8: 
Cmd #43 @ 0x30060: 
Cmd #44 @ 0x30060: 
**************************************************
CommandProcess: conhost.exe Pid: 3136
CommandHistory: 0x24ec00 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #15 @ 0x210158: $
Cmd #16 @ 0x24d570: $
```
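As an added example (not part of the question and not Volatility's own code), a small Python parser for the `cmdscan` text above. It separates histories that actually recorded commands from ones like the ncat.exe record, where CommandCount is 0, LastAdded is -1 and the printed slots carry no text; the sample input is constructed from the question's ncat.exe record plus a made-up cmd.exe history.

```python
import re
from collections import namedtuple

# Constructed sample: the ncat.exe record from the question plus a made-up cmd.exe history.
SAMPLE = """\
**************************************************
CommandProcess: conhost.exe Pid: 2580
CommandHistory: 0x63e40 Application: ncat.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
Cmd #41 @ 0x300f8:
Cmd #42 @ 0x300f8:
**************************************************
CommandProcess: conhost.exe Pid: 4040
CommandHistory: 0x1a2b00 Application: cmd.exe Flags: Allocated
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
Cmd #0 @ 0x210158: ipconfig /all
"""

History = namedtuple("History", "process pid application command_count last_added slots")
SEP = re.compile(r"^\*{10,}[ \t]*$", re.M)
KV = re.compile(r"(\w+): (\S+)")
CMD = re.compile(r"^Cmd #(\d+) @ (0x[0-9a-fA-F]+):\s?(.*)$")

def parse_cmdscan(text):
    """Split cmdscan output on its '****' lines; each slot is (bucket index, address, text)."""
    histories = []
    for block in SEP.split(text):
        if "CommandProcess:" not in block:
            continue  # empty chunk between separators
        f, slots = {}, []
        for line in block.strip().splitlines():
            m = CMD.match(line)
            if m:
                slots.append((int(m.group(1)), int(m.group(2), 16), m.group(3).strip()))
            else:
                f.update(KV.findall(line))  # "Key: value" pairs, several per line
        histories.append(History(f["CommandProcess"], int(f["Pid"]), f["Application"],
                                 int(f["CommandCount"]), int(f["LastAdded"]), slots))
    return histories

def recovered_commands(histories):
    """Every slot that carries command text: (application, pid, bucket index, text)."""
    return [(h.application, h.pid, i, t) for h in histories for i, _, t in h.slots if t]

def slot_report(histories):
    """Per history: (application, pid, CommandCount, LastAdded, slots printed, slots with text,
    slots sharing an address). CommandCount 0 / LastAdded -1 means nothing was recorded."""
    return [(h.application, h.pid, h.command_count, h.last_added, len(h.slots),
             sum(1 for _, _, t in h.slots if t), len(h.slots) - len({a for _, a, _ in h.slots}))
            for h in histories]
```

Run against the real output, `slot_report` shows the ncat.exe history with no recorded commands and empty slots at repeated addresses, which is why there is nothing for `cmdscan` to print for it.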
Simple console programs such as cmd.exe and, I assume, ncat.exe don't track their own input history. It's managed by the cooked read in the console host process, conhost.exe. I guess you have a full system dump that has information about conhost.exe instances, but apparently it's not finding any commands. I've never used Volatility, but according to this [cheat sheet](https://www.andreafortuna.org/2017/07/03/volatility-my-own-cheatsheet-part-2-processes-and-dlls), the cmdscan plugin looks for a MaxHistory landmark, and there's a `max_history` parameter if it's not the assumed default value. – Eryk Sun Feb 22 '20 at 04:04
