Volatility
Vol2 requires profiles, e.g. Win10x64_16299. The following command can help identify the build strings, but may not be able to depending on the local symbol table available:
vol.py -f [image] kdbgscan
vol.py -f [image] --profile=[profile] [plugin]
# Extract objects
vol.py -f [image] --profile=[profile] dlldump
vol.py -f [image] --profile=[profile] moddump
vol.py -f [image] --profile=[profile] procdump
vol.py -f [image] --profile=[profile] memdump
vol.py -f [image] --profile=[profile] filescan
vol.py -f [image] --profile=[profile] dumpfiles
vol.py -f [image] --profile=[profile] mftparser
vol.py -f [image] --profile=[profile] shimcachemem
vol.py -f [image] --profile=[profile] cmdscan
vol.py -f [image] --profile=[profile] svcscan
# Additional plugins
psxview
Additional plugins found here - copy the python files to:
volatility3/framework/plugins/windows/
Imaging: Vol3 performs online symbol table lookups
vol.py -f [image] [plugin] [--single-swap-locations=pagefile.sys]
# Finding Code Injection:
strings [image]
vol -f [image] windows.malfind.Malfind
vol -f [image] yarascan.YaraScan
vol -f [image] windows.vadyarascan.VadYaraScan
vol -f [image] windows.PteMalfind
vol -f [image] windows.apisearch.ApiSearch
vol -f [image] windows.imgmalfind.ImgMalFind
vol -f [image] windows.psxview.psxview
## Process listing
vol -f [image] windows.pslist.PsList [--pid PID] [--dump]
vol -f [image] windows.psscan.PsScan [--pid PID] [--dump]
vol -f [image] windows.pstree.PsTree [--pid PID] [--dump]
## Analyse Process objects: 
vol -f [image] windows.dlllist.DllList [--pid PID] [--dump] [--single-swap-locations pagefile.sys]
vol -f [image] windows.cmdline.CmdLine
vol -f [image] windows.getsids.GetSIDs
vol -f [image] windows.handles.Handles
vol -f [image] windows.ldrmodules.LdrModules
vol -f [image] windows.mutantscan.MutantScan
## Analyse network connections:
vol -f [image] windows.netscan.NetScan [--include-corrupt]
vol -f [image] windows.netstat.NetStat [--include-corrupt]
vol -f [image] windows.driverscan.DriverScan
vol -f [image] windows.envars.Envars
vol -f [image] windows.vadwalk.VadWalk
# Credential Dumping:
vol -f [image] windows.lsadump.Lsadump
vol -f [image] windows.cachedump.Cachedump
vol -f [image] windows.hashdump.Hashdump
vol -f [image] windows.registry.hivelist.HiveList
vol -f [image] windows.registry.hivescan.HiveScan
vol -f [image] windows.registry.hivelist.HiveList --filter sam --dump
vol -f [image] windows.registry.hivelist.HiveList --filter security --dump
vol -f [image] windows.registry.hivelist.HiveList --filter system --dump
# Dump all cached files:
vol -f [image] windows.dumpfiles.DumpFiles [--pid] [--virtaddr]
# scan for File_Object signatures - use to find more in memory than above
vol -f [image] windows.filescan.FileScan
# Rootkit Detection
vol -f [image] windows.ssdt.SSDT | egrep -v '(ntoskrnl\.exe|win32k\.sys)'   # hide entries that point into the legitimate kernel/win32k
vol -f [image] windows.driverirp.DriverIrp
vol -f [image] windows.modscan.ModScan # BYOVD driver rootkits
vol -f [image] windows.modules.Modules [--dump] # BYOVD driver rootkits
vol -f [image] windows.devicetree.DeviceTree # BYOVD driver rootkits
vol -f [image] windows.psscan.PsScan [--dump] # good for detecting DKOM rootkits: compare against pslist
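The pslist-vs-psscan comparison behind the DKOM note above, as an added example that is not part of the original cheat sheet. It assumes the two plugin outputs were saved to files in the default tab-separated format; the sample listings embedded below are constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original cheat sheet: cross-view check of
# pslist vs psscan output. psscan carves _EPROCESS objects from pool memory,
# so a process it finds that the linked-list walk (pslist) misses is either
# an exited process or one unlinked by a DKOM rootkit; ExitTime tells them apart.
# Assumed inputs, saved with the default tab-separated output:
#   vol -f [image] windows.pslist.PsList > pslist.txt
#   vol -f [image] windows.psscan.PsScan > psscan.txt
set -euo pipefail

# Print "PID ImageFileName HIDDEN|exited" for each PID present in the psscan
# file ($2) but absent from the pslist file ($1). Banner and header lines are
# skipped by requiring a numeric first column. Column 10 is ExitTime.
hidden_processes() {
  awk -F'\t' '
    FNR == NR { if ($1 ~ /^[0-9]+$/) seen[$1] = 1; next }
    $1 ~ /^[0-9]+$/ && !($1 in seen) {
      st = ($10 == "N/A") ? "HIDDEN" : "exited"
      print $1, $3, st
    }
  ' "$1" "$2"
}

# Constructed sample listings (not real data) in vol3 column order.
# PID 1337 has no ExitTime yet is missing from pslist; PID 2044 simply exited.
make_samples() {
  PSLIST=$(mktemp) PSSCAN=$(mktemp)
  trap 'rm -f "$PSLIST" "$PSSCAN"' EXIT
  local hdr='PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output\n'
  local sys='4\t0\tSystem\t0xfa8000c8b040\t85\t467\tN/A\tFalse\t2024-01-01 10:00:00\tN/A\tDisabled\n'
  local smss='512\t4\tsmss.exe\t0xfa8001a1b4c0\t2\t29\tN/A\tFalse\t2024-01-01 10:00:01\tN/A\tDisabled\n'
  printf "Volatility 3 Framework 2.x\n${hdr}\n${sys}${smss}" > "$PSLIST"
  printf "Volatility 3 Framework 2.x\n${hdr}\n${sys}${smss}" > "$PSSCAN"
  printf '1337\t512\tunknown.exe\t0xfa8001c0ffee\t3\t40\t1\tFalse\t2024-01-01 10:05:00\tN/A\tDisabled\n' >> "$PSSCAN"
  printf '2044\t512\tnotepad.exe\t0xfa8001d00d00\t0\t0\t1\tFalse\t2024-01-01 10:02:00\t2024-01-01 10:03:00\tDisabled\n' >> "$PSSCAN"
}

make_samples
hidden_processes "$PSLIST" "$PSSCAN"
```

Replace the constructed sample files with real pslist.txt and psscan.txt captures; anything reported as HIDDEN deserves a look with handles, dlllist and malfind on that PID.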
# other plugins:
vol -f [image] windows.info.Info
vol -f [image] windows.bigpools.BigPools
vol -f [image] windows.callbacks.Callbacks
vol -f [image] windows.crashinfo.Crashinfo
vol -f [image] windows.drivermodule.DriverModule
vol -f [image] windows.getservicesids.GetServiceSIDs
vol -f [image] windows.joblinks.JobLinks
vol -f [image] windows.mbrscan.MBRScan
vol -f [image] windows.memmap.Memmap
vol -f [image] windows.mftscan.ADS
vol -f [image] windows.mftscan.MFTScan
vol -f [image] windows.poolscanner.PoolScanner
vol -f [image] windows.privileges.Privs
vol -f [image] windows.registry.certificates.Certificates
vol -f [image] windows.registry.printkey.PrintKey
vol -f [image] windows.registry.userassist.UserAssist
vol -f [image] windows.sessions.Sessions
vol -f [image] windows.skeleton_key_check.Skeleton_Key_Check
vol -f [image] windows.statistics.Statistics
vol -f [image] windows.strings.Strings
vol -f [image] windows.svcscan.SvcScan
vol -f [image] windows.symlinkscan.SymlinkScan
vol -f [image] windows.vadinfo.VadInfo
vol -f [image] windows.verinfo.VerInfo
vol -f [image] windows.virtmap.VirtMap
Memory Extraction:

| Vol2 plugin | Vol3 plugin | Purpose |
| --- | --- | --- |
| dlldump | windows.dlllist | Dump DLLs |
| moddump | windows.modules | Extract kernel drivers |
| procdump | windows.pslist | Dump executable process - most similar to original executable; see also winmemdecompress.py |
| memdump | windows.memmap | Dump all addressable process memory (contains both code and data - good for running strings against); also preferred over MemProcFS |
| filescan | windows.filescan | Scan memory for FILE_OBJECTs |
| dumpfiles | windows.dumpfiles | Extract cached files via FILE_OBJECTs |
| mftparser | windows.mftscan | Extract and parse NTFS Master File Table |
| shimcachemem | N/A | Extract application compatibility cache |
| cmdscan | N/A | Scan for COMMAND_HISTORY buffers |
| svcscan | windows.svcscan | Carve service info from in-memory registry |