introduction_to_digital_forensics bpvolatility adventofcyber4

Volatility is a popular free memory forensics tool. There is a deprecated python2 version (which is hard to install, 6.8k ⭐), and there is a python3 version (2.1k ⭐, in-development).

$ pipx install git+https://github.com/volatilityfoundation/volatility3
$ vol -h

Use -f to load a memory dump. Assuming the memory dump is mdump.sav in the current folder, you would use:

$ vol -f mdump.sav [...]

Profiles from volatility 2 are now expressed as plugins. You will use xxx.info instead of imageinfo (to learn about the operating system in use in the capture) with xxx a value among windows, linux, or mac.

Windows notes

introduction_to_digital_forensics bpvolatility adventofcyber4

Assuming that the host is running Windows, we can use:

  • ➑️ Find information about the operating system
$ vol [...] windows.info
  • ➑️ List running processes
$ vol [...] windows.pslist
$ vol [...] windows.pstree
$ vol [...] windows.cmdline

πŸ‘‰ Malicious processes tend to hide themselves.

  • ➑️ Scan a specific process
$ vol [...] windows.psscan
$ vol [...] windows.handles --pid XXX
$ vol [...] windows.memmap --pid XXX --dump
$ vol [...] windows.dlllist --pid XXX
  • ➑️ Show processes in which some code may have been injected
$ vol [...] windows.malfind
$ vol [...] windows.malfind --pid=XXX
  • ➑️ Dump a specific process files
$ vol [...] windows.dumpfiles --pid xxx -o path/to/extract/dll
  • ➑️ Show network activity
$ vol [...] windows.netstat

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.