killchain-compendium/Forensics/Volatility.md

2.8 KiB

Volatility

Search through collected volatile memory dumps, volume and VM images. Volatility and Volatility 3 have a different syntax. The older one has
higher malware hunting abilities.
Always check both of the versions if you are not sure about how the file was dumped.

Basic Commands

  • Basic Info, find OS profile
volatility -f <file.iso> imageinfo
volatility -f <file.iso> kdbgscan
  • Process list
volatility -f <file.iso> --profile <OSprofile> pslist
  • List dlls
volatility -f <file.iso> --profile <OSprofile> dlllist -p <PID>
  • Last accessed dir
volatility -f <file.iso> --profile <OSprofile> shellbags
  • Scan network
volatility -f <file.iso> --profile <OSprofile> netscan
  • Scan files
volatility -f <file.iso> --profile <OSprofile> filescan | grep <fileToLookFor>
  • Dump files
volatility -f <file.iso> --profile <OSprofile> dumpfiles -Q <addressFromfilescan> -D .

Volatility3

  • Basic Info works too, but you have to know the kind of OS anyway
volatility -f <file.iso> windows.info
  • Process list, but processes can be hidden. Therefore use psscan
volatility -f <file.iso> windows.pslist
volatility -f <file.iso> windows.psscan
volatility -f <file.iso> windows.pstree
  • List dlls, this includes the path of the file
volatility -f <file.iso> windows.dlllist
  • Find malicious files, fileless and including files, respectively
volatility -f <file.iso> windows.malfind 
volatility -f <file.iso> windows.vadyarascan
  • Dump memory map
volatility -f <file.iso> windows.memmap.Memmap --pid <pid> --dump
volatility -f <file.iso> windows.dumpfiles --pid <pid>
  • Dump and scan files
windows.dumpfiles.DumpFiles   Dumps cached file contents from Windows memory
windows.filescan.FileScan   Scans for file objects present in a particular windows. Lists version information from PE files.
  • Find file handles or mutex
volatility -f <file.iso> windows.mutex
  • Malware hunting through hooking
windows.ssdt.SSDT   Lists the system call table. # System Service Descriptor Table
windows.driverirp.DriverIrp   List IRPs for drivers in a particular windows memory image.
windows.modules.Modules   Lists the loaded kernel modules.
windows.driverscan.DriverScan   Scans for drivers present in a particular windows

Plugins

Volatility 3 plugins are named after the specific profile they are used for.
For the most part these are (macOS.*, windows.*, linux.*)

  • For example
    • Truecryptpassphrase
    • cmdscan, command history
    • shutdowntime