Volatility

GitHub - volatilityfoundation/volatility: An advanced memory forensics frameworkGitHub

Vol2 Requires profiles, i.e. Win10x64_16299, the following command can held identify the build strings, but may not be able to based on the local symbol table available:

vol.py -f [image] kdbgscan

vol.py -f [image] --profile=[profile] [plugin]

# Extract objects
vol.py -f [image] --profile=[profile] dlldump
vol.py -f [image] --profile=[profile] moddump
vol.py -f [image] --profile=[profile] procdump
vol.py -f [image] --profile=[profile] memdump
vol.py -f [image] --profile=[profile] filescan
vol.py -f [image] --profile=[profile] dumpfiles
vol.py -f [image] --profile=[profile] mftparser
vol.py -f [image] --profile=[profile] shimcachemem
vol.py -f [image] --profile=[profile] cmdscan
vol.py -f [image] --profile=[profile] svcscan

# Additional plugins
psxview

Additional plugins found here - copy the python files to: volatility3/framework/plugins/windows/

Imaging: Vol3 performs online symbol table lookups

vol.py -f [image] [plugin] [--single-swap-locations=pagefile.sys]

# Finding Code Injection:
strings [image]

vol -f [image] windows.malfind.Malfind
vol -f [image] yarascan.YaraScan
vol -f [image] windows.vadyarascan.VadYaraScan

### : 
vol -f [image] windows.PteMalfind
vol -f [image] windows.apisearch.ApiSearch
vol -f [image] windows.imgmalfind.ImgMalFind
vol -f [image] windows.psxview.psxview

## Process listing
vol -f [image] windows.pslist.PsList [--pid PID] [--dump]
vol -f [image] windows.psscan.PsScan [--pid PID] [--dump]
vol -f [image] windows.pstree.PsTree [--pid PID] [--dump]

## Analyse Process objects: 
vol -f [image] windows.dlllist.DllList [--pid PID] [--dump] [--single-swap-location Pagefile.sys]
vol -f [image] windows.cmdline.CmdLine
vol -f [image] windows.getsids.GetSIDs
vol -f [image] windows.handles.Handles
vol -f [image] windows.ldrmodules.LdrModules
vol -f [image] windows.mutantscan.MutantScan

## Analyse network connections:
vol -f [image] windows.netscan.NetScan [--include-corrupt]
vol -f [image] windows.netstat.NetStat [--include-corrupt]

vol -f [image] windows.driverscan.DriverScan
vol -f [image] windows.envars.Envars
vol -f [image] windows.vadwalk.VadWalk

# Credential Dumping:
vol -f [image] windows.lsadump.Lsadump
vol -f [image] windows.cachedump.Cachedump
vol -f [image] windows.hashdump.Hashdump
vol -f [image] windows.registry.hivelist.HiveList
vol -f [image] windows.registry.hivescan.HiveScan
vol -f [image] windows.registry.hivelist.HiveList --filter sam --dump
vol -f [image] windows.registry.hivelist.HiveList --filter security --dump
vol -f [image] windows.registry.hivelist.HiveList --filter system --dump

# Dump all cached files:
vol -f [image] windows.dumpfiles.DumpFiles [--pid] [--virtaddr]
# scan for File_Object signatures - use to find more in memory than above
vol -f [image] windows.filescan.FileScan

# Rootkit Detection
vol -f [image] windows.ssdt.SSDT | egrep -v `( nstoskrn\.exe | win32k\.sys)`
vol -f [image] windows.driverirp.DriverIrp
vol -f [image] windows.modscan.ModScan # BYOVD driver rootkits
vol -f [image] windows.modules.Modules [--dump] # BYOVD driver rootkits
vol -f [image] windows.devicetree.DeviceTree # BYOVD driver rootkits
vol -f [image] windows.psscan.psscan [--dump] # good for detecting DKOM rootkits 

# other plugins:
vol -f [image] windows.info.Info
vol -f [image] windows.bigpools.BigPools
vol -f [image] windows.callbacks.Callbacks
vol -f [image] windows.crashinfo.Crashinfo
vol -f [image] windows.drivermodule.DriverModule
vol -f [image] windows.getservicesids.GetServiceSIDs
vol -f [image] windows.joblinks.JobLinks
vol -f [image] windows.mbrscan.MBRScan
vol -f [image] windows.memmap.Memmap
vol -f [image] windows.mftscan.ADS
vol -f [image] windows.mftscan.MFTScan
vol -f [image] windows.poolscanner.PoolScanner
vol -f [image] windows.privileges.Privs
vol -f [image] windows.registry.certificates.Certificates
vol -f [image] windows.registry.printkey.PrintKey
vol -f [image] windows.registry.userassist.UserAssist
vol -f [image] windows.sessions.Sessions
vol -f [image] windows.skeleton_key_check.Skeleton_Key_Check
vol -f [image] windows.statistics.Statistics
vol -f [image] windows.strings.Strings
vol -f [image] windows.svcscan.SvcScan
vol -f [image] windows.symlinkscan.SymlinkScan
vol -f [image] windows.vadinfo.VadInfo
vol -f [image] windows.verinfo.VerInfo
vol -f [image] windows.virtmap.VirtMap

Memory Extraction:

vol2

vol3

dlldump

windows.dlllist

dump DLLs

moddump

windows.modules

Extract Kernel Drivers

procdump

windows.pslist

Dump executable process - most similar to original executeablewinmemdecompress.py

memdump

windows.memmap

dump all addressable process memory (contains both code and data - good for running strings against) also preferred over memprocfs

filescan

windows.filescan

Scan memory for FILE_OBJECTS

dumpfiles

windows.dumpfiles

Extract cached files via FILE_OBJECTS

mftparser

windows.mftscan

Extract and parse NTFS Master File Table

shimcachemem

N/A

Extract Application compat cache

cmdscan

N/A

Scan for COMMAND_HISTORY buffers

svcscan

windows.svcscan

Carve service info from in-memory registry

PreviousStrings, bstrings and grep NextVolWeb

Last updated 5 months ago