Volatility
Volatility is a popular free memory forensics tool. There is a deprecated Python 2 version (hard to install, 6.8k ⭐) and a Python 3 version (2.1k ⭐, still in development).
$ pipx install git+https://github.com/volatilityfoundation/volatility3
$ vol -h
Use -f to load a memory dump. Assuming the memory dump is mdump.sav in the current folder, you would use:
$ vol -f mdump.sav [...]
Profiles from Volatility 2 are now expressed as plugins. Instead of imageinfo, you will use xxx.info (to learn about the operating system in use in the capture), with xxx a value among windows, linux, or mac.
Windows notes
Assuming that the host is running Windows, we can use:
- ➡️ Find information about the operating system
$ vol [...] windows.info
- ➡️ List running processes
$ vol [...] windows.pslist
$ vol [...] windows.pstree
$ vol [...] windows.cmdline
Note: malicious processes tend to hide themselves.
- ➡️ Scan for processes and inspect a specific one
$ vol [...] windows.psscan
$ vol [...] windows.handles --pid XXX
$ vol [...] windows.memmap --pid XXX --dump
$ vol [...] windows.dlllist --pid XXX
- ➡️ Show processes in which some code may have been injected
$ vol [...] windows.malfind
$ vol [...] windows.malfind --pid XXX
- ➡️ Dump the files of a specific process (-o is a global option and goes before the plugin name)
$ vol [...] -o path/to/extract/dll windows.dumpfiles --pid XXX
- ➡️ Show network activity
$ vol [...] windows.netstat
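The note above about processes hiding themselves is usually checked by cross-viewing two plugins: windows.pslist walks the kernel's linked list of processes (which a rootkit can unlink from), while windows.psscan carves EPROCESS structures out of physical memory and therefore still finds unlinked ones. The script below is an added example, not part of these notes or of the Volatility project. It assumes both plugins were run with Volatility 3's JSON renderer (`vol -f mdump.sav -r json windows.pslist > pslist.json`, and likewise for psscan) and it embeds a small constructed sample in that shape so it runs offline; the offsets, PIDs and names in the sample are made up.

```python
import json

# Constructed sample rows shaped like `vol -r json windows.pslist` output
# (a list of row dicts keyed by column name; only the columns used here).
PSLIST_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,   "ImageFileName": "System",      "Offset(V)": 0xfa8000c4e040, "ExitTime": None, "__children": []},
    {"PID": 372,  "PPID": 4,   "ImageFileName": "smss.exe",    "Offset(V)": 0xfa8001a3b060, "ExitTime": None, "__children": []},
    {"PID": 684,  "PPID": 580, "ImageFileName": "services.exe", "Offset(V)": 0xfa8001c20b30, "ExitTime": None, "__children": []},
    {"PID": 1248, "PPID": 684, "ImageFileName": "svchost.exe", "Offset(V)": 0xfa8001d9a910, "ExitTime": None, "__children": []},
])

# Constructed sample shaped like `vol -r json windows.psscan` output: the same
# processes plus one that is not in the linked list and one that has exited.
PSSCAN_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "Offset(V)": 0xfa8000c4e040, "ExitTime": None, "__children": []},
    {"PID": 372,  "PPID": 4,    "ImageFileName": "smss.exe",     "Offset(V)": 0xfa8001a3b060, "ExitTime": None, "__children": []},
    {"PID": 684,  "PPID": 580,  "ImageFileName": "services.exe", "Offset(V)": 0xfa8001c20b30, "ExitTime": None, "__children": []},
    {"PID": 1248, "PPID": 684,  "ImageFileName": "svchost.exe",  "Offset(V)": 0xfa8001d9a910, "ExitTime": None, "__children": []},
    {"PID": 2540, "PPID": 1248, "ImageFileName": "updater.exe",  "Offset(V)": 0xfa8002117a20, "ExitTime": None, "__children": []},
    {"PID": 3012, "PPID": 684,  "ImageFileName": "notepad.exe",  "Offset(V)": 0xfa80022f4060, "ExitTime": "2023-04-01 10:22:13", "__children": []},
])


def flatten_rows(rows):
    """Yield every row dict, descending into the '__children' lists that the
    JSON renderer emits (empty for flat plugins, nested for windows.pstree)."""
    for row in rows:
        yield row
        yield from flatten_rows(row.get("__children") or [])


def row_key(row):
    """Identity of a process within one capture.

    The EPROCESS offset is preferred because PIDs are reused by Windows;
    if the column is absent (e.g. a trimmed export) fall back to the PID."""
    offset = row.get("Offset(V)")
    return ("off", offset) if offset is not None else ("pid", row["PID"])


def has_exited(row):
    """True when the row carries an ExitTime; the renderer emits null for
    running processes, older exports sometimes use 'N/A' or an empty string."""
    return row.get("ExitTime") not in (None, "", "N/A")


def cross_view(pslist_rows, psscan_rows):
    """Return processes found by the scanner but missing from the list walk.

    'hidden' are still running (no ExitTime) yet unlinked from the process
    list, which is the classic rootkit/DKOM indicator and deserves a look
    with handles/dlllist/malfind.  'exited' are terminated processes whose
    EPROCESS still sits in memory; normal residue, but useful as a timeline."""
    listed = {row_key(r) for r in flatten_rows(pslist_rows)}
    result = {"hidden": [], "exited": []}
    for row in flatten_rows(psscan_rows):
        if row_key(row) in listed:
            continue
        result["exited" if has_exited(row) else "hidden"].append(row)
    return result


def report(pslist_text, psscan_text):
    """Parse two JSON exports and summarise the cross-view as sorted PIDs."""
    found = cross_view(json.loads(pslist_text), json.loads(psscan_text))
    return {
        kind: sorted((r["PID"], r["ImageFileName"]) for r in rows)
        for kind, rows in found.items()
    }


if __name__ == "__main__":
    # With real captures: report(open("pslist.json").read(), open("psscan.json").read())
    for kind, procs in report(PSLIST_JSON, PSSCAN_JSON).items():
        print(f"{kind}: {procs}")
```

Processes reported as `hidden` are the ones to follow up with the per-PID plugins listed above; a process that shows up only because its ExitTime is set is ordinary leftover memory, which is why the example separates the two cases instead of flagging every psscan-only row.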
To-do
Stuff that I found but have not read or used yet.