Volatility

PreviousSysinternals NextWindows Artifacts

Last updated 1 year ago

Volatility

Description: used for memory forensics and has the following capabilities:
- List all processes that were running
- List active and closed network connections
- View internet history (IE)
- Identify files on the system and retrieve them from the memory dump
- Read the contents of notepad documents
- Retrieve commands entered into the Windows Command Prompt (CMD)
- Scan for the presence of malware using YARA rules
- Retrieve screenshots and clipboard contents
- Retrieve hashed passwords
- Retrieve SSL keys and certificates
- Find executables/commands related to processes
- Export processes
Installation:
- Can be downloaded and installed from
  - Extract archive and run setup.py
- Can be cloned from repo by using: git clone https://github.com/volatilityfoundation/volatility.git
  - On Linux, extract archive and run: sudo python setup.py install
Usage
- Create Profile
  - Run volatility on memory dump: volatility -f memdump.mem imageinfo
  - Any other commands need to include profile: --profile=WinXPSP2x86
- Volatility Commands
  - volatility -f memdump.mem imageinfo: take memory image “memdump.mem” and determine the suggested profile (OS version and architecture) for analysis
  - volatility -f memdump.mem --profile=PROFILE pslist: use pslist plugin to print a list of processes to the terminal
  - volatility -f memdump.mem --profile=PROFILE pstree: use pstree plugin to print a process tree to the terminal
  - volatility -f memdump.mem --profile=PROFILE psscan: use psscan plugin to print all available processes,
  - volatility -f memdump.mem --profile=PROFILE psxview: use psxview plugin to print expected and hidden processes
  - volatility -f memdump.mem --profile=PROFILE netscan: use netscan plugin to identify any active or closed network connections
  - volatility -f memdump.mem --profile=PROFILE timeliner: use timeliner plugin to create a timeline of events from the memory image
  - volatility -f memdump.mem --profile=PROFILE iehistory: use iehistory plugin to pull internet browsing history
  - volatility -f memdump.mem --profile=PROFILE filescan: use filescan plugin to identify any files on the system from the memory image
  - volatility -f memdump.mem --profile=PROFILE dumpfiles -n --dump-dir=./: use dumpfiles plugin to retrieve files from the memory image, outputs files to current directory
  - volatility -f memdump.mem --profile=PROFILE procdump -n --dump-dir=./: use procdump plugin to dump process executables from the memory image, outputs to current directory
  - volatility -f memdump.mem --profile=PROFILE hashdump: extract and decrypt cached domain credentials stored in the registry
- Volatility Examples
  - python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem imageinfo: identify memory sample information like system architecture
  - python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 pslist | grep “svchost.exe”: find processes using volatility and pipe output into grep to search for lines containing "svchost.exe"
  - python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 pslist | grep “svchost.exe” | wc -l: outputs wordcount of number of ""svchost.exe" services identified by volatility
  - python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 dlllist -p 2352: find command line arguments used by process 2352
  - python vol.py -f /home/ubuntu/Desktop/Volatility\ Exercise/memdump2.mem --profile=Win7SP1x64 procdump -p 2940 --dump-dir /path/to/output/directory: dumps the executable for process 2940 to current directory
  - python vol.py -f mem_file.raw --profile=SuggestProfile pstree | grep "powershell\|cmd"
Resources

cd volatility3 -> python3 ./vol.py

PreviousSysinternals NextWindows Artifacts

Last updated 1 year ago

Description: used for memory forensics and has the following capabilities:
- List all processes that were running
- List active and closed network connections
- View internet history (IE)
- Identify files on the system and retrieve them from the memory dump
- Read the contents of notepad documents
- Retrieve commands entered into the Windows Command Prompt (CMD)
- Scan for the presence of malware using YARA rules
- Retrieve screenshots and clipboard contents
- Retrieve hashed passwords
- Retrieve SSL keys and certificates
- Find executables/commands related to processes
- Export processes
Installation:
- Can be downloaded and installed from
  - Extract archive and run setup.py
- Can be cloned from repo by using: git clone https://github.com/volatilityfoundation/volatility.git
  - On Linux, extract archive and run: sudo python setup.py install
Usage
- Create Profile
  - Run volatility on memory dump: volatility -f memdump.mem imageinfo
  - Any other commands need to include profile: --profile=WinXPSP2x86
- Volatility Commands
  - volatility -f memdump.mem imageinfo: take memory image “memdump.mem” and determine the suggested profile (OS version and architecture) for analysis
  - volatility -f memdump.mem --profile=PROFILE pslist: use pslist plugin to print a list of processes to the terminal
  - volatility -f memdump.mem --profile=PROFILE pstree: use pstree plugin to print a process tree to the terminal
  - volatility -f memdump.mem --profile=PROFILE psscan: use psscan plugin to print all available processes,
  - volatility -f memdump.mem --profile=PROFILE psxview: use psxview plugin to print expected and hidden processes
  - volatility -f memdump.mem --profile=PROFILE netscan: use netscan plugin to identify any active or closed network connections
  - volatility -f memdump.mem --profile=PROFILE timeliner: use timeliner plugin to create a timeline of events from the memory image
  - volatility -f memdump.mem --profile=PROFILE iehistory: use iehistory plugin to pull internet browsing history
  - volatility -f memdump.mem --profile=PROFILE filescan: use filescan plugin to identify any files on the system from the memory image
  - volatility -f memdump.mem --profile=PROFILE dumpfiles -n --dump-dir=./: use dumpfiles plugin to retrieve files from the memory image, outputs files to current directory
  - volatility -f memdump.mem --profile=PROFILE procdump -n --dump-dir=./: use procdump plugin to dump process executables from the memory image, outputs to current directory
  - volatility -f memdump.mem --profile=PROFILE hashdump: extract and decrypt cached domain credentials stored in the registry
- Volatility Examples
  - python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem imageinfo: identify memory sample information like system architecture
  - python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 pslist | grep “svchost.exe”: find processes using volatility and pipe output into grep to search for lines containing "svchost.exe"
  - python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 pslist | grep “svchost.exe” | wc -l: outputs wordcount of number of ""svchost.exe" services identified by volatility
  - python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 dlllist -p 2352: find command line arguments used by process 2352
  - python vol.py -f /home/ubuntu/Desktop/Volatility\ Exercise/memdump2.mem --profile=Win7SP1x64 procdump -p 2940 --dump-dir /path/to/output/directory: dumps the executable for process 2940 to current directory
  - python vol.py -f mem_file.raw --profile=SuggestProfile pstree | grep "powershell\|cmd"
Resources

cd volatility3 -> python3 ./vol.py