Volatility
Volatility is a popular free memory forensics tool. There is a deprecated Python 2 version (6.8k ⭐, 2020 🪦), and there is a Python 3 version (2.1k ⭐) currently still in development.
To install version v2.5.2 with all plugins:
$ DEST="$HOME/tools/volatility3" # or /opt as sudo, but why?
$ git clone -b "v2.5.2" https://github.com/volatilityfoundation/volatility3.git $DEST
$ pipx install $DEST # most plugins
$ pipx runpip volatility3 install -r $DEST/requirements.txt # all plugins
$ vol -h
Unfortunately, you may also need Volatility 2 for several tasks.
$ DEST="$HOME/tools/volatility2"
$ git clone -b "master" https://github.com/volatilityfoundation/volatility.git $DEST
$ sudo apt install -y python2-dev libdistorm3-dev # refer to my Python notes for pip2
$ pip2 install setuptools
$ pip2 install distorm3 pycrypto pillow openpyxl ujson # and yara
$ chmod +x $DEST/vol.py && sed -i 's;/usr/bin/env python;/usr/bin/env python2;' $DEST/vol.py && ln -s $DEST/vol.py $HOME/.local/bin/vol2
$ vol2 -h
Use -f to load a memory dump. Use -r pretty for a prettier display.
$ vol mdump.sav [...]
$ vol -f mdump.sav [...]
$ vol -r pretty -f mdump.sav [...]
You will then have to determine which OS (or which profile for Volatility 2) you will be able to use on the memory dump.
$ vol -f mdump.sav banners.Banners
$ vol2 imageinfo -f mdump.vmem
For Volatility 2, specify the profile in all commands:
$ vol2 [...] --profile Win7SP1x64 # try several until one works
For Volatility 3, the operating system is part of the plugin path:
$ vol [...] windows.info # Example for 'windows'
Windows notes
Assuming that the host is running Windows, we can use:
- ➡️ Find information about the operating system
$ vol [...] windows.info
$ vol [...] windows.envars
$ vol2 [...] shutdowntime # Volatility 3: vol [...] windows.registry.printkey --key 'ControlSet001\Control\Windows'
- ➡️ List running processes
$ vol [...] windows.pslist
$ vol [...] windows.pstree
$ vol [...] windows.cmdline
$ vol2 [...] cmdscan
$ vol2 [...] consoles
Malicious processes tend to hide themselves: compare pslist (walks the active-process list) with psscan (scans memory for process structures) and look at entries only psscan finds.
- ➡️ List and dump registry entries
$ vol [...] windows.registry.hivelist
$ # either look in all hives, or only in the hive at --offset
$ vol [...] windows.registry.printkey --key 'ControlSet001\Control\ComputerName\ComputerName'
$ vol [...] windows.registry.printkey --offset 0xAAAAAAAA --key 'ControlSet001\Control\ComputerName\ComputerName'
- ➡️ List and dump passwords, hashes, keys, etc.
$ vol [...] windows.hashdump
$ vol [...] windows.lsadump
$ vol2 [...] clipboard # Volatility 2 only
- ➡️ Scan a specific process
$ vol [...] windows.psscan
$ vol [...] windows.psscan --pid XXX YYY --dump
$ vol [...] windows.handles --pid XXX
$ vol [...] windows.memmap --pid XXX --dump
$ vol [...] windows.dlllist --pid XXX
$ vol [...] windows.envars --pid XXX
- ➡️ Show processes in which some code may have been injected
$ vol [...] windows.malfind
$ vol [...] windows.malfind --pid=XXX
- ➡️ Dump the files of a specific process
$ vol [...] windows.dumpfiles --pid xxx -o path/to/extract/dll
- ➡️ Show network activity
$ vol [...] windows.netstat # very weird
$ vol [...] windows.netscan
- ➡️ Additional niche commands
$ vol2 [...] truecryptsummary
$ vol2 [...] shellbags # Recent files, preferences, installers, etc. | Registry NTUSER.DAT
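As an added example (not part of these notes or of Volatility itself) of the pslist/psscan cross-check mentioned above: the script below loads the JSON output of both plugins and reports processes that the pool scanner found but that are missing from the linked process list. It assumes `vol -r json` output is a JSON array of row objects whose keys match the pretty renderer's column names ("PID", "PPID", "ImageFileName", "ExitTime", nested rows under "__children"); those key names are an assumption, so adjust them if your build prints different headers. The sample rows are constructed.

```python
"""Cross-check windows.pslist against windows.psscan to spot processes that
were unlinked from the active-process list (a common hiding technique).

Added example, not part of the original notes or of Volatility. Assumed input:
  vol -r json -f mdump.sav windows.pslist > pslist.json
  vol -r json -f mdump.sav windows.psscan > psscan.json
The column keys below ("PID", "PPID", "ImageFileName", "ExitTime",
"__children") are an assumption about the json renderer's output.
"""
import json
import sys

# Constructed sample rows standing in for the two plugin outputs.
PSLIST_JSON = """[
  {"PID": 4,    "PPID": 0,   "ImageFileName": "System",       "ExitTime": null},
  {"PID": 612,  "PPID": 4,   "ImageFileName": "smss.exe",     "ExitTime": null},
  {"PID": 1320, "PPID": 612, "ImageFileName": "explorer.exe", "ExitTime": null}
]"""

PSSCAN_JSON = """[
  {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "ExitTime": null},
  {"PID": 612,  "PPID": 4,    "ImageFileName": "smss.exe",     "ExitTime": null},
  {"PID": 1320, "PPID": 612,  "ImageFileName": "explorer.exe", "ExitTime": null},
  {"PID": 2044, "PPID": 1320, "ImageFileName": "notepad.exe",  "ExitTime": "2024-01-01 10:00:00"},
  {"PID": 2908, "PPID": 1320, "ImageFileName": "svch0st.exe",  "ExitTime": null}
]"""


def load_rows(text):
    """Parse renderer output into a dict keyed by PID.

    Some renderers nest child rows (tree style) under "__children"; flatten
    them so every process is visible regardless of nesting.
    """
    rows = {}

    def walk(items):
        for row in items:
            rows[int(row["PID"])] = row
            walk(row.get("__children") or [])

    walk(json.loads(text))
    return rows


def hidden_processes(pslist_text, psscan_text, ignore_exited=True):
    """Return psscan rows whose PID does not appear in pslist.

    Terminated processes legitimately linger in pool memory, so rows with an
    ExitTime are dropped by default to cut noise; pass ignore_exited=False to
    keep them (useful when checking for a short-lived loader).
    """
    listed = load_rows(pslist_text)
    scanned = load_rows(psscan_text)
    suspects = []
    for pid, row in sorted(scanned.items()):
        if pid in listed:
            continue
        if ignore_exited and row.get("ExitTime"):
            continue
        suspects.append(row)
    return suspects


def main(argv):
    # Usage: python hidden_procs.py pslist.json psscan.json
    # Without arguments the constructed sample above is analysed.
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            pslist_text, psscan_text = f1.read(), f2.read()
    else:
        pslist_text, psscan_text = PSLIST_JSON, PSSCAN_JSON
    for row in hidden_processes(pslist_text, psscan_text):
        print(f"possibly hidden: pid={row['PID']} ppid={row['PPID']} "
              f"name={row['ImageFileName']}")


if __name__ == "__main__":
    main(sys.argv)
```

Anything the script reports still needs a manual look (windows.handles, windows.dlllist and windows.malfind on that PID); an unlinked process is suspicious, but so is a legitimate one that exited between the two scans, which is why the exit-time filter is on by default.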
Linux Notes
- ➡️ Bash history
$ vol -f mdump.sav linux.bash
- ➡️ GPG in-memory key
$ git clone https://github.com/kudelskisecurity/volatility-gpg.git
$ vol -f mdump.sav -p ./volatility-gpg -s symbols/ linux.gpg_full
- ➡️ Volatility 2 can recover_filesystem, though you may have to build the appropriate symbol table first
To-do
Stuff that I found, but never read/used yet.