Volatility
Description: used for memory forensics and has the following capabilities:
List all processes that were running
List active and closed network connections
View internet history (IE)
Identify files on the system and retrieve them from the memory dump
Read the contents of notepad documents
Retrieve commands entered into the Windows Command Prompt (CMD)
Scan for the presence of malware using YARA rules
Retrieve screenshots and clipboard contents
Retrieve hashed passwords
Retrieve SSL keys and certificates
Find executables/commands related to processes
Export processes
Installation:
Can be downloaded and installed from https://www.volatilityfoundation.org/releases
Extract archive and run
setup.py
Can be cloned from repo by using:
git clone https://github.com/volatilityfoundation/volatility.git
On Linux, extract archive and run:
sudo python setup.py install
Usage
Create Profile
Run volatility on memory dump:
volatility -f memdump.mem imageinfo
Any other commands need to include profile:
--profile=WinXPSP2x86
Volatility Commands
volatility -f memdump.mem imageinfo
: take memory image “memdump.mem” and determine the suggested profile (OS version and architecture) for analysisvolatility -f memdump.mem --profile=PROFILE pslist
: use pslist plugin to print a list of processes to the terminalvolatility -f memdump.mem --profile=PROFILE pstree
: use pstree plugin to print a process tree to the terminalvolatility -f memdump.mem --profile=PROFILE psscan
: use psscan plugin to print all available processes,volatility -f memdump.mem --profile=PROFILE psxview
: use psxview plugin to print expected and hidden processesvolatility -f memdump.mem --profile=PROFILE netscan
: use netscan plugin to identify any active or closed network connectionsvolatility -f memdump.mem --profile=PROFILE timeliner
: use timeliner plugin to create a timeline of events from the memory imagevolatility -f memdump.mem --profile=PROFILE iehistory
: use iehistory plugin to pull internet browsing historyvolatility -f memdump.mem --profile=PROFILE filescan
: use filescan plugin to identify any files on the system from the memory imagevolatility -f memdump.mem --profile=PROFILE dumpfiles -n --dump-dir=./
: use dumpfiles plugin to retrieve files from the memory image, outputs files to current directoryvolatility -f memdump.mem --profile=PROFILE procdump -n --dump-dir=./
: use procdump plugin to dump process executables from the memory image, outputs to current directoryvolatility -f memdump.mem --profile=PROFILE hashdump
: extract and decrypt cached domain credentials stored in the registry
Volatility Examples
python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem imageinfo
: identify memory sample information like system architecturepython vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 pslist | grep “svchost.exe”
: find processes using volatility and pipe output into grep to search for lines containing "svchost.exe"python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 pslist | grep “svchost.exe” | wc -l
: outputs wordcount of number of ""svchost.exe" services identified by volatilitypython vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 dlllist -p 2352
: find command line arguments used by process 2352python vol.py -f /home/ubuntu/Desktop/Volatility\ Exercise/memdump2.mem --profile=Win7SP1x64 procdump -p 2940 --dump-dir /path/to/output/directory
: dumps the executable for process 2940 to current directorypython vol.py -f mem_file.raw --profile=SuggestProfile pstree | grep "powershell\|cmd"
cd volatility3 -> python3 ./vol.py
Last updated