
Volatility

Memory forensics framework for extracting data from RAM.

Volatility 3.x Basics

Note: Version 3 of Volatility, released in November 2019, changes the usage and syntax of the tool. More information on Volatility 3 can be found on ReadTheDocs.

A list of common plugins is:

  • linux.bash.Bash
  • linux.check_afinfo.Check_afinfo
  • linux.check_syscall.Check_syscall
  • linux.elfs.Elfs
  • linux.lsmod.Lsmod
  • linux.lsof.Lsof
  • linux.malfind.Malfind
  • linux.proc.Maps
  • linux.pslist.PsList
  • linux.pstree.PsTree
  • mac.bash.Bash
  • mac.check_syscall.Check_syscall
  • mac.check_sysctl.Check_sysctl
  • mac.check_trap_table.Check_trap_table
  • mac.ifconfig.Ifconfig
  • mac.lsmod.Lsmod
  • mac.lsof.Lsof
  • mac.malfind.Malfind
  • mac.netstat.Netstat
  • mac.proc_maps.Maps
  • mac.psaux.Psaux
  • mac.pslist.PsList
  • mac.pstree.PsTree
  • mac.tasks.Tasks
  • mac.timers.Timers
  • mac.trustedbsd.Trustedbsd
  • windows.cmdline.CmdLine
  • windows.dlldump.DllDump
  • windows.dlllist.DllList
  • windows.driverirp.DriverIrp
  • windows.driverscan.DriverScan
  • windows.filescan.FileScan
  • windows.handles.Handles
  • windows.info.Info
  • windows.malfind.Malfind
  • windows.moddump.ModDump
  • windows.modscan.ModScan
  • windows.modules.Modules
  • windows.mutantscan.MutantScan
  • windows.poolscanner.PoolScanner
  • windows.procdump.ProcDump
  • windows.pslist.PsList
  • windows.psscan.PsScan
  • windows.pstree.PsTree
  • windows.registry.certificates.Certificates
  • windows.registry.hivedump.HiveDump
  • windows.registry.hivelist.HiveList
  • windows.registry.hivescan.HiveScan
  • windows.registry.printkey.PrintKey
  • windows.registry.userassist.UserAssist
  • windows.ssdt.SSDT
  • windows.statistics.Statistics
  • windows.strings.Strings
  • windows.symlinkscan.SymlinkScan
  • windows.vaddump.VadDump
  • windows.vadinfo.VadInfo
  • windows.virtmap.VirtMap
  • timeliner.Timeliner

Check Memory Image Information

/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.info.Info

Check List of Kernel Drivers

/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.modules.Modules

Check List of Kernel Drivers (including previously unloaded and hidden drivers)

/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.modscan.ModScan

Dump List of Kernel Drivers to Files

/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.moddump.ModDump

Dump List of Running Processes to Files

/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.procdump.ProcDump

Check List of Running Processes

/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.pslist.PsList

Check Process Tree of Running Processes

/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.pstree.PsTree

Check Running Processes by Scanning for EPROCESS Blocks

/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.psscan.PsScan
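As an added example (not part of the original cheat sheet), a small Python helper that runs PsList and PsScan through Volatility 3's JSON renderer (-r json) and reports the processes that only the EPROCESS scanner found, separating exited processes from ones that look alive but are missing from the active list. The interpreter path and the column keys PID, PPID, ImageFileName and ExitTime are assumed to match the page's commands and the renderer's output; the sample rows are constructed.

```python
import json
import subprocess

# Hypothetical interpreter and script path, matching the commands on this page; adjust as needed.
VOL = ["/usr/bin/python3.6", "vol.py"]


def run_plugin_json(image, plugin):
    """Run a Volatility 3 plugin with the JSON renderer (-r json) and return its row list."""
    proc = subprocess.run(VOL + ["-r", "json", "-f", image, plugin],
                          check=True, stdout=subprocess.PIPE, universal_newlines=True)
    return json.loads(proc.stdout)

def pid_index(rows):
    """Map PID -> row, flattening the nested "__children" lists the renderer emits.
    Note: a PID can be reused after a process exits, so a later row with the same PID wins."""
    index, stack = {}, list(rows)
    while stack:
        row = stack.pop()
        index[int(row["PID"])] = row
        stack.extend(row.get("__children", []))
    return index

def compare_pslist_psscan(pslist_rows, psscan_rows):
    """PIDs that the EPROCESS pool scanner found but the active process list did not,
    split into 'terminated' (ExitTime set; normally benign leftovers) and 'unlinked'
    (no ExitTime: the process looks alive yet is missing from the list, so examine it)."""
    listed = pid_index(pslist_rows)
    result = {"terminated": {}, "unlinked": {}}
    for pid, row in pid_index(psscan_rows).items():
        if pid in listed:
            continue
        bucket = "terminated" if row.get("ExitTime") else "unlinked"
        result[bucket][pid] = row["ImageFileName"]
    return result

# Constructed sample rows in the shape of the JSON renderer output; not real evidence.
SAMPLE_PSLIST = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None},
    {"PID": 620, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None,
     "__children": [{"PID": 700, "PPID": 620, "ImageFileName": "csrss.exe", "ExitTime": None}]},
]
SAMPLE_PSSCAN = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None},
    {"PID": 620, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None},
    {"PID": 700, "PPID": 620, "ImageFileName": "csrss.exe", "ExitTime": None},
    {"PID": 2200, "PPID": 700, "ImageFileName": "notepad.exe", "ExitTime": "2019-11-20 10:11:12"},
    {"PID": 1337, "PPID": 700, "ImageFileName": "hidden.exe", "ExitTime": None},
]
```

Against a real image, call compare_pslist_psscan(run_plugin_json(image, "windows.pslist.PsList"), run_plugin_json(image, "windows.psscan.PsScan")); anything in the "unlinked" bucket deserves a look with windows.malfind.Malfind and windows.cmdline.CmdLine.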

Check Running Processes for Possible Shellcode/Injection (PAGE_EXECUTE_READWRITE regions)

/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.malfind.Malfind

Check Processes and Their Command Lines

/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.cmdline.CmdLine

Check for Files Which Exist in Memory

/usr/bin/python3.6 vol.py -f /home/user/samples/mem.bin windows.filescan.FileScan