added info on plugins for vol2

2023-12-20 19:56:27 +01:00 · 2023-12-20 19:56:27 +01:00 · 74845509af
parent 2545b3e403
commit 74845509af
1 changed files with 88 additions and 21 deletions
--- a/Forensics/Volatility.md
+++ b/Forensics/Volatility.md
@ -9,81 +9,149 @@ Always check both of the versions if you are not sure about how the file was dum
 * [Hacktricks shee](https://book.hacktricks.xyz/forensics/volatility-examples)
 * [Symbol table for Linux and macOS](https://github.com/volatilityfoundation/volatility3#symbol-tables)

-## Basic Commands
+## Volatility2
+
+Basic Info, find OS profile

-* Basic Info, find OS profile
 ```sh
 volatility -f <file.iso> imageinfo
 volatility -f <file.iso> kdbgscan
 ```
-* Process list
+
+Take a look at what can be done with a specific profile
+
+```sh
+volatility -f <file.iso> --profile <OSprofile> -h
+```
+
+Process list
+
 ```sh
 volatility -f <file.iso> --profile <OSprofile> pslist
 ```
-* List dlls
+
+List dlls
+
 ```sh
 volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
 ```
-* Last accessed dir
+
+Last accessed dir
+
 ```sh
 volatility -f <file.iso> --profile <OSprofile> shellbags
 ```
-* Scan network
+
+Scan network
+
 ```sh
 volatility -f <file.iso> --profile <OSprofile> netscan
 ```
-* Scan files
+
+Scan files
+
 ```sh
 volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor>
 ```
-* Dump files
+
+Dump files
+
 ```sh
 volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D .
 ```

-### Volatility3 
+### Plugins
+
+Bash history
+
+```sh
+volatility -f <file.iso> --profile <OSprofile> linux_bash
+```
+
+Linux process list includes process ID as well as parent process ID
+
+```sh
+volatility -f <file.iso> --profile <OSprofile> linux_pslist
+```
+
+Dump Process binaries using the `linux_procdump` plugin to a target directory by
+using the PID. The result is an elf file
+
+```sh
+volatility -f <file.iso> --profile <OSprofile> linux_procdump -D <directory> -p <PID>
+```
+
+File listing under Linux may be done via the `linux_enumerate_files` and
+filtered via grep
+
+```sh
+volatility -f <file.iso> --profile <OSprofile> linux_enumerate_files  
+```
+
+Dump files and directories via `linux_find_file` plugin after listing the files
+to gather memory address
+
+```sh
+volatility -f <file.iso> --profile <OSprofile> linux_find_file -i <MemoryAddress> -O <OutputFileName>
+```
+
+### Creating Profiles
+
+Usable profiles are visible via `volatility --info`. There are only Windows
+profiles per default.
+To create Linux profiles follow the guide [Security Post-it #3 Volatility Linux Profiles](https://beguier.eu/nicolas/articles/security-tips-3-volatility-linux-profiles.html)
+
+## Volatility3
+
+Basic Info works too, but you have to know the kind of OS anyway

-* Basic Info works too, but you have to know the kind of OS anyway
 ```sh
 volatility -f <file.iso> windows.info
 ```

-* Process list, but processes can be hidden. Therefore use ` psscan `
+Process list, but processes can be hidden. Therefore use ` psscan `
+
 ```sh
 volatility -f <file.iso> windows.pslist
 volatility -f <file.iso> windows.psscan
 volatility -f <file.iso> windows.pstree
 ```

-* List dlls, this includes the path of the file
+List dlls, this includes the path of the file
+
 ```sh
 volatility -f <file.iso> windows.dlllist
 ```

-* Find malicious files, fileless and including files, respectively
+Find malicious files, fileless and including files, respectively
+
 ```sh
-volatility -f <file.iso> windows.malfind 
+volatility -f <file.iso> windows.malfind
 volatility -f <file.iso> windows.vadyarascan
 ```

-* Dump memory map
+Dump memory map
+
 ```sh
 volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
 volatility -f <file.iso> windows.dumpfiles --pid <pid>
 ```

-* Dump and scan files 
+Dump and scan files
+
 ```sh
 windows.dumpfiles.DumpFiles   Dumps cached file contents from Windows memory
 windows.filescan.FileScan   Scans for file objects present in a particular windows. Lists version information from PE files.
 ```

-* Find file handles or mutex
+Find file handles or mutex
+
 ```sh
 volatility -f <file.iso> windows.mutex
 ```

-* Malware hunting through hooking
+Malware hunting through hooking
+
 ```sh
 windows.ssdt.SSDT   Lists the system call table. # System Service Descriptor Table
 windows.driverirp.DriverIrp   List IRPs for drivers in a particular windows memory image.
@ -91,10 +159,9 @@ windows.modules.Modules   Lists the loaded kernel modules.
 windows.driverscan.DriverScan   Scans for drivers present in a particular windows
 ```

+### Plugins

-## Plugins 
-
-Volatility 3 plugins are named after the specific profile they are used for.   
+Volatility 3 plugins are named after the specific profile they are used for.
 For the most part these are (` macOS.*, windows.*, linux.* `)

 * For example