Volatility

Volatility notes

  • Profile: Profiles determine how Volatility interprets our memory image, since every version of Windows is a little bit different. Let's see our options now with the command sudo vol.py -f MEMORY_FILE imageinfo

  • ProcessList: Running the imageinfo command in Volatility will provide us with a number of candidate profiles; however, only one will be correct. We can test these profiles using the pslist command, validating our profile selection by the sheer number of returned results. Do this now with the command sudo vol.py -f MEMORY_FILE --profile=PROFILE pslist

  • Network: In addition to viewing active processes, we can also view the network connections that were active at the time the image was created. Let's do this now with the command sudo vol.py -f MEMORY_FILE.raw --profile=PROFILE netscan

  • Hidden Processes: we can view intentionally hidden processes via the command psxview. Look at the processes that have only one False listed, normally in the csrss column.

  • Great Focus: In addition to viewing hidden processes via psxview, we can also check this with greater focus via the command 'ldrmodules'. Three columns will appear in the middle: InLoad, InInit, InMem. If any of these are False, that module has likely been injected, which is a really bad thing.

  • Patch DLLs: Using the 'apihooks' command we can view unexpected patches in the standard system DLLs. If we see an instance of 'Hooking module:', that's really bad. The command takes some time to run.

  • Injected code: Injected code can be a huge issue and is highly indicative of very bad things. We can check for this with the command malfind. Using the full command sudo vol.py -f MEMORY_FILE.raw --profile=PROFILE malfind -D <Destination Directory> we can not only find this code but also dump it to the specified directory.

  • DLLs List: we can view all of the DLLs loaded into memory. DLLs are shared system libraries used by system processes. They are commonly subjected to hijacking and other side-loading attacks, making them a key target for forensics. Let's list all of the DLLs in memory now with the command dlllist

  • DLL Dump: we can dump the DLLs of a process with the command sudo vol.py -f MEMORY_FILE.raw --profile=PROFILE --pid=PID dlldump -D <Destination Directory>, where PID is the process ID of the infected process
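The psxview check above (a single False, normally in the csrss column, is expected; anything more deserves a look) is easy to automate once the table is parsed. The script below is an added example and not part of the original notes or of Volatility itself: it parses the Volatility 2 psxview table layout, treats rows with an ExitTime as exited rather than hidden, and returns the running processes whose False entries go beyond the csrss column. The psxview output it parses is constructed for the example.

```python
# Added example: triage Volatility 2 psxview output (the sample below is constructed).
from typing import Dict, List

# The seven True/False columns psxview prints between PID and ExitTime.
BOOL_COLS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# Constructed psxview output; the layout follows Volatility 2's table format.
SAMPLE_PSXVIEW = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000007d6cb900 svchost.exe            1072 True   True   True     True   True  True    True
0x000000007d4d7030 System                    4 True   True   True     True   False True    True
0x000000007d5a6d40 csrss.exe               376 True   True   True     True   False True    True
0x000000007d6b28a0 evil.exe               1640 False  True   False    False  False False   False
0x000000007d2a1b60 notepad.exe            2204 False  True   False    False  False False   False    2020-05-01 10:22:13 UTC+0000
"""


def parse_psxview(text: str) -> List[Dict]:
    """Return one dict per process row; banner, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows begin with a hex physical offset, then name, PID and seven flags.
        if len(fields) < 10 or not fields[0].startswith("0x"):
            continue
        row = {"offset": fields[0], "name": fields[1], "pid": int(fields[2])}
        for col, val in zip(BOOL_COLS, fields[3:10]):
            row[col] = val == "True"
        # Anything after the seven flags is the ExitTime, so the process has exited.
        row["exited"] = len(fields) > 10
        rows.append(row)
    return rows


def suspicious(rows: List[Dict]) -> List[Dict]:
    """Flag running processes whose False entries are not just the csrss column.

    Exited processes drop out of the live lists naturally, so they are skipped
    rather than reported as hidden; review them separately if needed."""
    flagged = []
    for row in rows:
        if row["exited"]:
            continue
        missing = [col for col in BOOL_COLS if not row[col]]
        if missing and missing != ["csrss"]:
            flagged.append({**row, "missing_from": missing})
    return flagged
```

Running it on real output is a matter of piping `psxview` into a file and passing its contents to `parse_psxview`; a process present in psscan but absent from pslist, as evil.exe is here, is the classic unlinked-process pattern and should be cross-checked with ldrmodules and malfind.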
