2025/08/15/Memory-Forensics-Windows-Notepad-Part-3 #9
giscus[bot]
bot
Replies: 1 comment 2 replies
-
|
If you process the memory image with MemprocFS in forensic mode and look at the files in the files directory can you pull out the tabstate/windowstate files and see if they have the information? If so then you could use Autopsy with the MemprocFS plugin to automate getting the files and then have another plugin to parse out the state files and the helium registry files. |
Beta Was this translation helpful? Give feedback.
-
|
Yup, MemProcFS is so far proving to be much faster/easier. As you stated, it also found the helium registry files and the settings.dat file. Which oddly, Volatility 3 did not seem to find? I might be doing something wrong though in Volatility 3. I'm writing a post detailing that next. Thanks for the idea of using Autopsy with MemProcFS. Another thing to explore. I might persist in trying to do a Volatility 3 plugin just to learn how that process goes. |
Beta Was this translation helpful? Give feedback.
-
|
If you want to try my plugin for MemprocFs you can find it here. https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MemprocFS. I tried to create a Volatility 3 plugin a few years ago and there were issues doing it. Maybe it has gotten better since then. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
2025/08/15/Memory-Forensics-Windows-Notepad-Part-3
Making more progress while reinforcing what I’ve learned in the past. What we saw yesterday was an MFT entry as evidenced by the “FILE0” at the start. Just to recap my goal for this research:
https://ogmini.github.io/2025/08/15/Memory-Forensics-Windows-Notepad-Part-3.html
Beta Was this translation helpful? Give feedback.
All reactions