Volatility

• Open-source memory forensics framework

• Written in python and supports windows, mac and linux

Features:

• List all processes that were running.

• List active and closed network connections.

• View internet history (IE).

• Identify files on the system and retrieve them from the memory dump.

• Read the contents of notepad documents.

• Retrieve commands entered into the Windows Command Prompt (CMD).

• Scan for the presence of malware using YARA rules.

• Retrieve screenshots and clipboard contents.

• Retrieve hashed passwords.

• Retrieve SSL keys and certificates.

• And lots more!

Usage

• First use the command “volatility -f memdump.mem imageinfo”

• When running commands of memory images use the suggested profile which is shown in the first command

• --profile=win..

Command List

volatility -f memdump.mem imageinfo // Take memory image “memdump.mem” and determine the suggested profile for analysis. The profile is the operating system, version, and architecture.

volatility -f memdump.mem --profile=PROFILE pslist // Take memory image, provide the profile, then use the pslist plugin to print a list of processes to the terminal.

volatility -f memdump.mem --profile=PROFILE pstree // Use the pstree plugin to print a process tree to the terminal.

volatility -f memdump.mem --profile=PROFILE psscan // Use the psscan plugin to print all available processes, including hidden ones often used by malware (compare this to pslist to see if there’s any differences!).

volatility -f memdump.mem --profile=PROFILE psxview // Use the plugin psxview plugin to print expected and hidden processes. This is a combination of pslist and psscan plugins.

volatility -f memdump.mem --profile=PROFILE netscan // Use the plugin netscan to identify any active or closed network connections.

volatility -f memdump.mem --profile=PROFILE timeliner // Use the timeliner plugin to create a timeline of events from the memory image.

volatility -f memdump.mem --profile=PROFILE iehistory // Use the iehistory plugin to pull internet browsing history.

volatility -f memdump.mem --profile=PROFILE filescan // Use the filescan plugin to identify any files on the system from the memory image.

volatility -f memdump.mem --profile=PROFILE dumpfiles -n --dump-dir=./ // Use the dumpfiles plugin to retrieve files from the memory image. In this case our terminal is open in the Desktop (root@SBTLab2:~/Desktop) and we are using the output location ./ which tells Volatility to put the files in our current location, the Desktop.