2022-11-12 23:18:06 +01:00
# Volatility
Analyse collected volatile memory: raw dumps, crash and hibernation files and VM memory snapshots (e.g. `.vmem`).
Volatility 2 and Volatility 3 use a different syntax. Volatility 2 needs a `--profile` that matches the
dumped OS build, Volatility 3 has no profiles and resolves a symbol table per OS family instead.
Volatility 2 still ships some malware-hunting plugins that Volatility 3 lacks (for example `cmdscan`, see below),
so keep both installed and try the other one when a dump does not parse or the plugin you need is missing.
* [Cheat sheet](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf)
* [Hacktricks sheet](https://book.hacktricks.xyz/forensics/volatility-examples)
* [Symbol tables for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)
## Volatility2
Basic info: find the OS profile. `imageinfo` lists candidate profiles, `kdbgscan` locates the kernel
debugger block and confirms which of the candidates actually fits the image. The placeholders are written
without spaces on purpose: `-f < file.iso >` would be read by the shell as input/output redirection.
```sh
volatility -f <file.iso> imageinfo
volatility -f <file.iso> kdbgscan
```
List the plugins that are available for a specific profile
```sh
volatility -f <file.iso> --profile=<OSprofile> -h
```
Process list. `pslist` walks the active-process linked list, so a process unlinked by a rootkit
does not show up; cross-check with `psscan` (carves `_EPROCESS` structures, also finds terminated
processes) and `pstree` (parent/child view).
```sh
volatility -f <file.iso> --profile=<OSprofile> pslist
```
List the DLLs loaded by one process (with full paths and load order)
```sh
volatility -f <file.iso> --profile=<OSprofile> dlllist -p <PID>
```
Folders the user browsed in Explorer (ShellBags registry keys, with timestamps)
```sh
volatility -f <file.iso> --profile=<OSprofile> shellbags
```
Network connections and listening sockets (Vista and later; on XP/2003 use `connscan` and `sockscan` instead)
```sh
volatility -f <file.iso> --profile=<OSprofile> netscan
```
Scan for file objects. The first column, `Offset(P)`, is the physical offset you need for `dumpfiles`.
```sh
volatility -f <file.iso> --profile=<OSprofile> filescan | grep -i <fileToLookFor>
```
Dump files. `-Q` takes the physical offset from `filescan`, `-D` the output directory. Output files are
named after the section object they came from (`.dat`, `.img`, `.vacb`); add `-n` to keep the original
file name. Only pages that were cached in memory are written, so a dumped file can be incomplete.
```sh
volatility -f <file.iso> --profile=<OSprofile> dumpfiles -Q <addressFromfilescan> -D .
```
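The `filescan` / `dumpfiles` round trip above is tedious when several files match. The following is an added example (not part of Volatility or this page's original commands): it pulls the physical offsets of every matching file object out of a saved `filescan` run and prints one `dumpfiles -Q` command per hit. It assumes Volatility 2's space-aligned `filescan` output; the image name `memory.raw`, the profile `Win7SP1x64` and the sample scan output are constructed placeholders.

```sh
#!/bin/sh
# Added example, not part of Volatility: turn a saved `filescan` run into one
# `dumpfiles -Q` command per matching file object. Assumes Volatility 2's
# space-aligned filescan output (Offset(P) #Ptr #Hnd Access Name). The sample
# scan output further down is constructed, not taken from a real image.

# Print the physical offset of every file object whose line matches PATTERN
# (a case-insensitive grep pattern). Offset(P) is what `dumpfiles -Q` expects;
# the header and ruler lines are dropped because they do not start with 0x.
filescan_offsets() {
    scan_out=$1
    pattern=$2
    grep -i -- "$pattern" "$scan_out" | awk '$1 ~ /^0x[0-9a-fA-F]+$/ { print $1 }'
}

# Print (do not run) a dumpfiles command for each hit. `-n` keeps the original
# file name in the output path, `-D` is the output directory. Pipe the result
# into `sh` once the list looks right.
dumpfiles_cmds() {
    image=$1; profile=$2; scan_out=$3; pattern=$4; outdir=$5
    filescan_offsets "$scan_out" "$pattern" | while read -r off; do
        printf 'volatility -f %s --profile=%s dumpfiles -Q %s -n -D %s\n' \
            "$image" "$profile" "$off" "$outdir"
    done
}

# --- constructed sample filescan output -------------------------------------
SCAN_OUT=$(mktemp)
cat > "$SCAN_OUT" <<'EOF'
Volatility Foundation Volatility Framework 2.6.1
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e8c7070      2      0 R--rwd \Device\HarddiskVolume1\Users\Bob\Documents\secret.docx
0x000000003f1a2b80     16      0 R--r-d \Device\HarddiskVolume1\Windows\System32\kernel32.dll
0x000000003f2c0d90      1      1 RW-rwd \Device\HarddiskVolume1\Users\Bob\AppData\Local\Temp\payload.exe
EOF

# Everything under Bob's profile: prints one dumpfiles command per hit (two here).
# memory.raw and Win7SP1x64 are placeholders for the real image and profile.
dumpfiles_cmds memory.raw Win7SP1x64 "$SCAN_OUT" 'Users.Bob' ./dumped
```

Run the real `filescan` once into a file (`volatility ... filescan > filescan.txt`) and feed that file in; scanning the image again for every pattern is the slow part, the grep is free.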
### Linux plugins
Bash history (recovered from the memory of bash processes, so it also contains commands that were never written to `.bash_history`)
```sh
volatility -f <file.iso> --profile=<OSprofile> linux_bash
```
Linux process list, includes the process ID as well as the parent process ID
```sh
volatility -f <file.iso> --profile=<OSprofile> linux_pslist
```
Dump process binaries with the `linux_procdump` plugin into a target directory, selected by
PID. The result is an ELF file.
```sh
volatility -f <file.iso> --profile=<OSprofile> linux_procdump -D <directory> -p <PID>
```
File listing under Linux is done via `linux_enumerate_files`, filtered via grep. The first
column is the inode address needed by `linux_find_file`.
```sh
volatility -f <file.iso> --profile=<OSprofile> linux_enumerate_files | grep -i <fileToLookFor>
```
Dump a file via the `linux_find_file` plugin, using the inode address from the listing
```sh
volatility -f <file.iso> --profile=<OSprofile> linux_find_file -i <InodeAddress> -O <OutputFileName>
```
### Creating Profiles
Usable profiles are listed by `volatility --info`. Only Windows profiles ship by default; a Linux
profile is a zip of the kernel's `module.dwarf` and `System.map` dropped into
`volatility/plugins/overlays/linux/`, and it has to match the dumped kernel exactly.
To create Linux profiles follow the guide [Security Post-it #3 Volatility Linux Profiles](https://beguier.eu/nicolas/articles/security-tips-3-volatility-linux-profiles.html)
## Volatility3
Volatility 3 has no profiles: you pick the OS family through the plugin name (`windows.*`, `linux.*`,
`mac.*`) and the framework resolves the symbol table itself. Windows PDB symbols are downloaded on
demand, Linux and macOS need an ISF JSON in the `symbols` directory (see the link above). The console
script is `vol` (`vol.py` in a repository checkout). `windows.info` gives the basic image info; for a
Linux dump, `banners` prints the kernel version strings you need to pick the right symbol table.
```sh
vol -f <file.iso> windows.info
vol -f <file.iso> banners
```
Process list. `pslist` walks the active-process list, which a rootkit can unlink a process from
(DKOM), so also run `psscan`, which carves `_EPROCESS` structures from memory and therefore also
returns hidden and terminated processes (terminated ones have an `ExitTime`). `pstree` shows the
parent/child relations, useful to spot a process with an implausible parent.
```sh
vol -f <file.iso> windows.pslist
vol -f <file.iso> windows.psscan
vol -f <file.iso> windows.pstree
```
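Comparing the two listings by eye is error-prone on a busy host, so here is an added example (not part of Volatility or this page's original commands) that diffs saved `windows.pslist` and `windows.psscan` output and prints only the processes psscan found, pslist did not, and that have no `ExitTime` (a terminated process that only psscan sees is normal, an unlinked running one is not). It assumes Volatility 3's default tab-separated text output; both sample listings are constructed.

```sh
#!/bin/sh
# Added example, not part of Volatility: cross-check windows.pslist against
# windows.psscan to find processes unlinked from the active-process list.
# Assumes Volatility 3's tab-separated text output; both samples below are
# constructed, not taken from a real image.

# Column order of vol3 windows.pslist / windows.psscan:
#  1 PID  2 PPID  3 ImageFileName  4 Offset(V)  5 Threads  6 Handles
#  7 SessionId  8 Wow64  9 CreateTime  10 ExitTime  11 File output
# Output: PID, image name and _EPROCESS offset of each hiding candidate.
hidden_pids() {
    pslist_out=$1
    psscan_out=$2
    awk -F '\t' '
        # first file: remember every PID that pslist reports
        NR == FNR { if ($1 ~ /^[0-9]+$/) seen[$1] = 1; next }
        # second file: carved, still running (no ExitTime), absent from pslist
        $1 ~ /^[0-9]+$/ && !($1 in seen) && $10 == "N/A" { print $1 "\t" $3 "\t" $4 }
    ' "$pslist_out" "$psscan_out"
}

# --- constructed sample listings --------------------------------------------
SAMPLE_DIR=$(mktemp -d)
PSLIST="$SAMPLE_DIR/pslist.txt"
PSSCAN="$SAMPLE_DIR/psscan.txt"
hdr='PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output\n'
p4='4\t0\tSystem\t0xfa80018f2040\t88\t540\tN/A\tFalse\t2023-01-10 08:00:01.000000 \tN/A\tDisabled\n'
p500='500\t404\twinlogon.exe\t0xfa8002a1b060\t5\t120\t1\tFalse\t2023-01-10 08:00:05.000000 \tN/A\tDisabled\n'
p880='880\t636\tsvchost.exe\t0xfa8002b7c8a0\t12\t410\t0\tFalse\t2023-01-10 08:00:07.000000 \tN/A\tDisabled\n'
p2040='2040\t1980\texplorer.exe\t0xfa8002e3d4f0\t30\t900\t1\tFalse\t2023-01-10 08:01:12.000000 \tN/A\tDisabled\n'
# only psscan sees these two: 1337 is unlinked and running, 3112 merely exited
p1337='1337\t880\tsvchost.exe\t0xfa8003c0ff40\t3\t60\t0\tFalse\t2023-01-10 09:02:44.000000 \tN/A\tDisabled\n'
p3112='3112\t2040\tnotepad.exe\t0xfa8003d12b10\t0\t0\t1\tFalse\t2023-01-10 08:30:00.000000 \t2023-01-10 08:45:13.000000 \tDisabled\n'

{ printf 'Volatility 3 Framework 2.5.2\n'; printf "$hdr$p4$p500$p880$p2040"; } > "$PSLIST"
{ printf 'Volatility 3 Framework 2.5.2\n'; printf "$hdr$p4$p500$p880$p2040$p1337$p3112"; } > "$PSSCAN"

# prints: 1337	svchost.exe	0xfa8003c0ff40
hidden_pids "$PSLIST" "$PSSCAN"
```

Save the real listings with `vol -f <file.iso> windows.pslist > pslist.txt` (same for `psscan`) and pass both files in; the `_EPROCESS` offset in the output is what you feed to `windows.memmap --pid`/`windows.dlllist --pid` next, or to `windows.pslist --physical` if you want to confirm the hit. A PID reuse between a terminated and a new process will also show up here, so always check `CreateTime` before calling it a rootkit.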
List DLLs, including the path of the file on disk (`--pid` limits it to one process)
```sh
vol -f <file.iso> windows.dlllist --pid <PID>
```
Find malicious code in memory. `malfind` lists private, executable memory regions that are not
backed by a file (injected or fileless code, shown with a hexdump and disassembly of the start),
`vadyarascan` runs YARA rules over every process's memory regions (VADs) and so also catches
file-backed payloads.
```sh
vol -f <file.iso> windows.malfind
vol -f <file.iso> windows.vadyarascan --yara-file <rules.yar>
```
Dump a process: `memmap --dump` writes the process's whole memory map to a file, `dumpfiles --pid`
writes the files (executable, DLLs, open data files) that the process has mapped or open.
```sh
vol -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
vol -f <file.iso> windows.dumpfiles --pid <pid>
```
Scan and dump files. `filescan` lists the file objects present in memory; `dumpfiles` with
`--physaddr` dumps the cached contents of the object at the offset `filescan` printed.
```sh
vol -f <file.iso> windows.filescan | grep -i <fileToLookFor>
vol -f <file.iso> windows.dumpfiles --physaddr <addressFromfilescan>
```
Find open handles (files, registry keys, mutants) of a process, or scan the whole image for mutants
(malware often creates a fixed-name mutex to avoid running twice)
```sh
vol -f <file.iso> windows.handles --pid <pid>
vol -f <file.iso> windows.mutantscan
```
Malware hunting through hooking. Compare `modules` (the kernel's own linked list of loaded
modules) with `driverscan` (carved from memory): a driver that only `driverscan` shows is hidden.
```sh
vol -f <file.iso> windows.ssdt       # System Service Descriptor Table: entries pointing outside ntoskrnl/win32k are hooks
vol -f <file.iso> windows.driverirp  # IRP handlers per driver: handlers outside the owning driver are hooks
vol -f <file.iso> windows.modules    # loaded kernel modules, as listed by the kernel
vol -f <file.iso> windows.driverscan # driver objects carved from memory
```
### Plugins
Volatility 3 plugins are prefixed with the OS family they apply to (`windows.*`, `linux.*`,
`mac.*`), so Volatility 2 plugin names have to be looked up under the new naming, and some have no
counterpart yet. For example:
* `truecryptpassphrase` (Volatility 3: `windows.truecrypt`)
* `shutdowntime`
* `cmdscan`, the command history is missing from Volatility 3 (`windows.cmdline` only shows the command-line arguments of each process)