Windows Memory Forensics(Volatility)

By: System Administrator On: Jun 18, 2019 CTF Write up, Useful Tools For CTF Players

Volatility Basic

Note: Depending on which version of Volatility you are using and how it was installed, you may need to substitute vol.py for volatility in the commands below.

Find out what profiles you have available

volatility --info

Find out the originating OS profile to be used from the memory dump.

volatility -f memorydump.mem imageinfo
volatility -f memorydump.mem kdbgscan

Determine what plugins are available for use.

volatility -f memorydump.mem --profile=<profilename> -h

Check what processes were running.

(Note: Any entries for svchost.exe should always have services.exe as a parent process, and a service-group parameter such as /k should always be present on its command line.)

volatility -f memorydump.mem --profile=<profilename> pslist
volatility -f memorydump.mem --profile=<profilename> psscan
volatility -f memorydump.mem --profile=<profilename> pstree
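The svchost.exe rule from the note above can be checked mechanically. The following is an added example, not part of the original cheat sheet: it parses the text output of Volatility 2 pslist and of the cmdline plugin (not listed on this page, but a standard Volatility 2 plugin), and reports every svchost.exe whose parent is not services.exe or whose command line has no -k or /k switch. The sample output embedded below is constructed, not taken from a real dump.

```python
import re

# Constructed sample of Volatility 2 `pslist` output; the PIDs and offsets are made up.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x820df020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x81e2ab28 services.exe            644    600     15      261      0      0 2012-07-22 02:42:32 UTC+0000
0x82311360 svchost.exe             856    644     21      199      0      0 2012-07-22 02:42:33 UTC+0000
0x8205bda0 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81e7bda0 svchost.exe            1920   1484      4       54      0      0 2012-07-22 02:48:11 UTC+0000
"""
# Constructed sample of Volatility 2 `cmdline` output for the two svchost.exe entries.
CMDLINE_SAMPLE = """\
************************************************************************
svchost.exe pid:    856
Command line : C:\\WINDOWS\\system32\\svchost -k netsvcs
************************************************************************
svchost.exe pid:   1920
Command line : C:\\WINDOWS\\system32\\svchost.exe
"""

def parse_pslist(text):
    """Map PID -> (name, PPID); data rows are the ones that start with a 0x offset."""
    procs = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 4 and fields[0].startswith("0x"):
            procs[int(fields[2])] = (fields[1], int(fields[3]))
    return procs

def parse_cmdline(text):
    """Map PID -> command line from the 'name pid: N' / 'Command line : ...' pairs."""
    pairs = re.findall(r"^\S+ pid:\s+(\d+)\s*\nCommand line : (.*)$", text, re.M)
    return {int(pid): cmd.strip() for pid, cmd in pairs}

def check_svchost(pslist_text, cmdline_text):
    """Return (pid, reason) for each svchost.exe that breaks the expected parent/switch pattern."""
    procs, cmdlines, findings = parse_pslist(pslist_text), parse_cmdline(cmdline_text), []
    for pid, (name, ppid) in sorted(procs.items()):
        if name.lower() != "svchost.exe":
            continue
        parent = procs.get(ppid, ("<not in pslist>", None))[0]
        if parent.lower() != "services.exe":
            findings.append((pid, f"parent is {parent} (pid {ppid}), expected services.exe"))
        cmd = cmdlines.get(pid, "")
        # A legitimate svchost is always launched with a service-group switch (-k or /k).
        if not re.search(r"\s[-/]k\b", cmd):
            findings.append((pid, f"no -k or /k switch in command line {cmd!r}"))
    return findings
```

Run it against saved plugin output with check_svchost(open("pslist.txt").read(), open("cmdline.txt").read()); on the constructed sample only pid 1920 is flagged, for both the parent and the missing switch.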

Check what commands have been run and their output.

volatility -f memorydump.mem --profile=<profilename> cmdscan
volatility -f memorydump.mem --profile=<profilename> consoles

Dump process files which were running from memory.

volatility -f memorydump.mem --profile=<profilename> procdump -p <processid> --dump-dir=./

Dump the memory associated with a process file.

volatility -f memorydump.mem --profile=<profilename> memdump -p <processid> --dump-dir=./

Dump all cached files from memory.

volatility -f memorydump.mem --profile=<profilename> dumpfiles --dump-dir=./

Check what drivers or kernel modules were unloaded or hidden.

volatility -f memorydump.mem --profile=<profilename> modscan

Check what network connectivity has occurred.

volatility -f memorydump.mem --profile=<profilename> netscan

Check what network connectivity has occurred (Windows XP/Server 2003).

volatility -f memorydump.mem --profile=<profilename> connections
volatility -f memorydump.mem --profile=<profilename> connscan
volatility -f memorydump.mem --profile=<profilename> sockets
volatility -f memorydump.mem --profile=<profilename> sockscan

Check what information exists within the registry hives held in memory.

volatility -f memorydump.mem --profile=<profilename> hivelist
volatility -f memorydump.mem --profile=<profilename> hivescan
volatility -f memorydump.mem --profile=<profilename> hivedump -o <hiveoffset>
volatility -f memorydump.mem --profile=<profilename> userassist
volatility -f memorydump.mem --profile=<profilename> shellbags
volatility -f memorydump.mem --profile=<profilename> shimcache
volatility -f memorydump.mem --profile=<profilename> shimcachemem

Copy the address space out as a raw dd-style image (e.g. to convert a hiberfil.sys or crash dump into raw memory).

volatility -f memorydump.mem --profile=<profilename> imagecopy -O <outputfile>

Dump timelined artifacts from memory.

volatility -f memorydump.mem --profile=<profilename> timeliner

Credit: jpminty.github.io