Blue Team Toolkit
Volatility


Last updated 1 year ago

  • Description: an open-source memory forensics framework for analysing RAM images; its capabilities include:

    • List all processes that were running

    • List active and closed network connections

    • View internet history (IE)

    • Identify files on the system and retrieve them from the memory dump

    • Read the contents of notepad documents

    • Retrieve commands entered into the Windows Command Prompt (CMD)

    • Scan for the presence of malware using YARA rules

    • Retrieve screenshots and clipboard contents

    • Retrieve hashed passwords

    • Retrieve SSL keys and certificates

    • Find executables/commands related to processes

    • Export processes

  • Installation:

    • Volatility 2 (Python 2.7) can be downloaded as an archive from the Volatility Foundation releases page (https://www.volatilityfoundation.org/releases)

      • Extract the archive and run setup.py

    • It can also be cloned from the repository: git clone https://github.com/volatilityfoundation/volatility.git

      • On Linux, change into the checkout and run: sudo python setup.py install

    • Volatility 3 (Python 3) is a separate project: git clone https://github.com/volatilityfoundation/volatility3.git, then run python3 vol.py from the checkout; it replaces profiles with symbol tables, so the --profile option below does not apply to it

  • Usage

    • Identify the profile

      • Run the imageinfo plugin on the memory dump: volatility -f memdump.mem imageinfo

      • imageinfo prints one or more suggested profiles (OS version, service pack and architecture); pick the first and pass it to every other plugin with --profile, e.g. --profile=WinXPSP2x86 (run kdbgscan to confirm the choice when several profiles are suggested)

    • Volatility Commands

      • volatility -f memdump.mem imageinfo: take the memory image "memdump.mem" and determine the suggested profile(s) (OS version and architecture) for analysis

      • volatility -f memdump.mem --profile=PROFILE pslist: use the pslist plugin to walk the active process list and print the processes to the terminal

      • volatility -f memdump.mem --profile=PROFILE pstree: use the pstree plugin to print the processes as a parent/child tree

      • volatility -f memdump.mem --profile=PROFILE psscan: use the psscan plugin to scan physical memory for process structures, which also finds terminated processes and processes that have been unlinked from the active list

      • volatility -f memdump.mem --profile=PROFILE psxview: use the psxview plugin to compare several process-listing methods side by side; a process present in psscan but absent from pslist is a candidate hidden process

      • volatility -f memdump.mem --profile=PROFILE netscan: use the netscan plugin to list network connections and listening sockets, active and closed (Vista and later; for Windows XP/2003 images use connections, connscan, sockets and sockscan)

      • volatility -f memdump.mem --profile=PROFILE timeliner: use the timeliner plugin to create a timeline of events from the memory image

      • volatility -f memdump.mem --profile=PROFILE iehistory: use the iehistory plugin to pull Internet Explorer browsing history

      • volatility -f memdump.mem --profile=PROFILE filescan: use the filescan plugin to list the file objects found in the memory image, with their physical offsets

      • volatility -f memdump.mem --profile=PROFILE dumpfiles -n --dump-dir=./: use the dumpfiles plugin to retrieve cached files from the memory image into the current directory; -n keeps the original file name in the output name, and -Q <physical offset from filescan> or -r <regex> narrows the selection

      • volatility -f memdump.mem --profile=PROFILE procdump --dump-dir=./: use the procdump plugin to dump process executables from the memory image into the current directory; add -p <pid> (or -n <process name regex>) to dump a single process

      • volatility -f memdump.mem --profile=PROFILE hashdump: extract the LM/NTLM password hashes of local accounts from the SAM hive in memory (cached domain credentials come from the cachedump plugin, LSA secrets from lsadump)

    • Volatility Examples

      • python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem imageinfo: identify memory sample information such as OS version and architecture (the suggested profiles)

      • python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 pslist | grep "svchost.exe": list processes and pipe the output into grep to keep only the lines containing "svchost.exe"

      • python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 pslist | grep "svchost.exe" | wc -l: count the matching lines, i.e. the number of svchost.exe processes found (a legitimate svchost.exe is started by services.exe, so also check the PPID column of each match)

      • python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 dlllist -p 2352: list the DLLs loaded by process 2352; the output also shows the command line the process was started with (the cmdline plugin prints only the command line)

      • python vol.py -f /home/ubuntu/Desktop/Volatility\ Exercise/memdump2.mem --profile=Win7SP1x64 procdump -p 2940 --dump-dir /path/to/output/directory: dump the executable of process 2940 into the directory given by --dump-dir (the directory must already exist)

      • python vol.py -f mem_file.raw --profile=SuggestProfile pstree | grep "powershell\|cmd": print the process tree and keep only the lines naming powershell or cmd, a quick check for command shells spawned by unexpected parents (replace SuggestProfile with the profile imageinfo reported)
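The profile-then-plugin workflow above, and the pslist | grep checks, can be scripted. The following is an added example written for this page, not code from the Volatility project: it extracts the first suggested profile from imageinfo output, builds the command lines shown above, parses Volatility 2 pslist output, and flags the process-tree anomalies an analyst otherwise greps for by hand (svchost.exe not started by services.exe, a parent PID that is absent from the list, a second lsass.exe). The imageinfo and pslist text it carries is constructed to match Volatility 2's column layout, the parent baseline is an assumption for Vista and later, and the `volatility` command is assumed to be on PATH.

```python
"""Triage helper for Volatility 2 output.
Added example for this page, not part of the Volatility project.
The sample imageinfo/pslist text below is constructed, not from a real image."""
import subprocess
import sys

# Assumed: `volatility` is on PATH. For a source checkout use ["python", "vol.py"].
VOLATILITY = ["volatility"]

# Assumed baseline for Vista and later. csrss.exe, wininit.exe and winlogon.exe are
# started by per-session smss.exe instances that exit, so their parent is legitimately
# absent from pslist and they are not checked here.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
SINGLETONS = ("lsass.exe", "services.exe", "wininit.exe")


def suggested_profile(imageinfo_output):
    """Return the first entry of the 'Suggested Profile(s)' line, or None."""
    for line in imageinfo_output.splitlines():
        if "Suggested Profile(s)" in line:
            return line.split(":", 1)[1].split(",")[0].strip()
    return None


def build_command(memdump, profile, plugin, *extra):
    """argv for: volatility -f <memdump> --profile=<profile> <plugin> [extra ...]"""
    return VOLATILITY + ["-f", memdump, "--profile=" + profile, plugin, *extra]


def parse_pslist(text):
    """Parse Volatility 2 pslist rows: Offset Name PID PPID Thds Hnds Sess Wow64 Start [Exit].
    Start and Exit are three tokens each ('2012-07-22 02:42:31 UTC+0000'); Exit may be blank."""
    procs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[0].lower().startswith("0x"):
            continue  # header, separator or blank line
        procs.append({"offset": f[0], "name": f[1], "pid": int(f[2]), "ppid": int(f[3]),
                      "start": " ".join(f[8:11]), "exit": " ".join(f[11:14])})
    return procs


def find_anomalies(procs):
    """Flag core processes with an unexpected or missing parent, and duplicated singletons."""
    by_pid = {p["pid"]: p for p in procs}
    counts = {}
    findings = []
    for p in procs:
        name = p["name"].lower()
        counts[name] = counts.get(name, 0) + 1
        want = EXPECTED_PARENT.get(name)
        if want is None:
            continue
        parent = by_pid.get(p["ppid"])
        pname = parent["name"].lower() if parent else "<missing>"
        if pname != want:
            findings.append("%s pid %d: parent is %s (pid %d), expected %s"
                            % (name, p["pid"], pname, p["ppid"], want))
    for name in SINGLETONS:
        if counts.get(name, 0) > 1:
            findings.append("%d copies of %s (expected 1)" % (counts[name], name))
    return findings


# Constructed sample output in Volatility 2's layout (not from a real image).
SAMPLE_IMAGEINFO = """\
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
"""
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0b30 System                    4      0     88      555 ------      0 2012-07-22 02:42:31 UTC+0000
0xfffffa80015e0b30 smss.exe                252      4      2       29 ------      0 2012-07-22 02:42:31 UTC+0000
0xfffffa8001a04060 wininit.exe             384    340      3       75      0      0 2012-07-22 02:42:32 UTC+0000
0xfffffa8001a53060 services.exe            480    384      7      213      0      0 2012-07-22 02:42:32 UTC+0000
0xfffffa8001a5f060 lsass.exe               492    384      7      563      0      0 2012-07-22 02:42:32 UTC+0000
0xfffffa8001ae3b30 svchost.exe             600    480     10      349      0      0 2012-07-22 02:42:33 UTC+0000
0xfffffa8001b2e060 svchost.exe            1968   1804      4       81      1      0 2012-07-22 02:58:10 UTC+0000
0xfffffa8001c1a060 lsass.exe              2352   1968      3       40      1      0 2012-07-22 02:58:11 UTC+0000
0xfffffa8001c4a060 cmd.exe                2940   1968      1       21      1      0 2012-07-22 02:58:12 UTC+0000 2012-07-22 02:59:00 UTC+0000
"""


def run(argv):
    """Usage: triage.py memdump.mem [profile]; runs imageinfo (if no profile given) then pslist."""
    memdump, profile = argv[1], (argv[2] if len(argv) > 2 else None)
    if profile is None:
        out = subprocess.run(VOLATILITY + ["-f", memdump, "imageinfo"],
                             capture_output=True, text=True, check=True).stdout
        profile = suggested_profile(out)
    out = subprocess.run(build_command(memdump, profile, "pslist"),
                         capture_output=True, text=True, check=True).stdout
    return find_anomalies(parse_pslist(out))


if __name__ == "__main__":
    for finding in run(sys.argv):
        print(finding)
```

Run against the constructed sample, find_anomalies reports the svchost.exe whose parent PID 1804 is not in the list, the second lsass.exe that was started by that svchost.exe, and the duplicate lsass.exe count; pslist alone never shows the first two, because a missing parent and a wrong parent both look like ordinary rows until the PPID column is resolved. The same parser works on psscan output if you also want processes that have been unlinked from the active list.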

  • Volatility 3

    • Run from the checkout: cd volatility3 && python3 ./vol.py -f memdump.mem windows.info; no --profile is needed (symbol tables are resolved automatically) and plugins are prefixed by OS, e.g. windows.pslist, windows.pstree, windows.psscan, windows.netscan, windows.filescan, windows.dumpfiles, windows.dlllist, windows.cmdline, windows.hashdump

  • Resources

    • https://www.volatilityfoundation.org/releases

    • Volatility Reference Guide

    • Volatility Downloads

    • Volatility Installation

    • Volatility Wiki

    • Volatility Documentation

    • Volatility GitHub

    • Memory Samples for Test Analysis

    • Volatility Cheat Sheet

    • Another Volatility3 v Volatility2 Cheat Sheet

    • Volatility Tutorial