Showing posts from September, 2015

Rekalling Mimikatz

I'm not really sure that everybody knows that Rekall memory forensics framework contains a Mimikatz   plugin: with this post I want to address this shortcoming, since the plugin has many good features and it can be easily extended. behind the scenes The act of rekall-ing Mimikatz started when I met Michael Cohen in Prague (SANS DFIR 2014) and a few months later in Dublin (DFRWS 2015). Despite the fact that I learnt so much by speaking with Michael, he deserves the credits to have pushed this plugin development: he released a first version on April 2015, based on what I did with Volatility (see et voilĂ  le mimikatz offline ). So by hangout-ing during the night, we co-authored the actual Rekall mimikatz plugin : it was an awesome dive in Windows memory and Rekall internals, guided by Michael who truly has a talent for explaining complicated things in a simple way. Before going further credits and thanks must go to the awesome reverse engineering research made by Benjamin