{"id":2774,"date":"2021-02-15T20:17:49","date_gmt":"2021-02-15T19:17:49","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2774"},"modified":"2025-03-21T15:47:10","modified_gmt":"2025-03-21T14:47:10","slug":"volatility","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2774","title":{"rendered":"Volatility"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">See also <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4842\" data-type=\"post\" data-id=\"4842\">Mem\u00adProcFS<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The foren\u00adsic mem\u00ado\u00adry frame\u00adwork <a href=\"https:\/\/github.com\/volatilityfoundation\/volatility\">Volatil\u00adi\u00adty<\/a> (<a href=\"https:\/\/github.com\/volatilityfoundation\/volatility3\">Ver\u00adsion 3 since 2019<\/a>) offers a wide range of meth\u00adods to analyse mem\u00ado\u00adry. See the blog post <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=538\" data-type=\"post\" data-id=\"538\">Retriev\u00ading mem\u00ado\u00adry<\/a> for meth\u00adods and tech\u00adniques to obtain memory.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Start by get\u00adting gen\u00ader\u00adal infor\u00adma\u00adtion about a mem\u00ado\u00adry&nbsp;dump:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">volatility -f image.mem imageinfo<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now use the fol\u00adlow\u00ading com\u00admands to get more information:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>pslist<\/code> to show the run\u00adning processes<\/li>\n\n\n\n<li><code>netscan<\/code> shows cur\u00adrent net\u00adwork connections<\/li>\n\n\n\n<li><code>ldrmodules<\/code> shows which modules\/libraries\/dlls are loaded and also how they were loaded. If a line con\u00adtains \u201cFalse  False  False\u201d, then the mod\u00adule was prob\u00ada\u00adbly direct\u00adly inject\u00aded into the mem\u00ado\u00adry like Meter\u00adpreter does it. This is a seri\u00adous sig\u00adnal for a mali\u00adcious process.<\/li>\n\n\n\n<li><code>vol -f dump windows.privileges --pid 42<\/code> get the priv\u00adi\u00adleges for a process.<\/li>\n\n\n\n<li><code>vol -f dump windows.callbacks<\/code> shows the call\u00adbacks \u2014 should only be the default win\u00addows callbacks.<\/li>\n\n\n\n<li><code>vol -f dump windows.vadinfo --pid 42<\/code> shows the <span class=\"caps\">VAD<\/span> vir\u00adtu\u00adal address descrip\u00adtors, the per\u00admis\u00adsions on the pages, e.g. <span class=\"caps\">READONLY<\/span>, <span class=\"caps\">READWRITE<\/span>, <span class=\"caps\">EXECUTE_WRITECOPY<\/span>, \u2026 Sus\u00adpi\u00adcious, if there are pages <span class=\"caps\">EXECUTE_READWRITE<\/span>, because nor\u00admal\u00adly pages are not set to con\u00adtain exe\u00adcute\u00adable code which is also writeable.<\/li>\n\n\n\n<li><code>vol -f dump windows.registry.hivelist --dump<\/code> exports the reg\u00adistry&nbsp;keys.<\/li>\n\n\n\n<li><code>vol -f dump windows.cmdline --pid 42<\/code> returns the com\u00admand line his\u00adto\u00adry. Use\u00adfull for cmd.exe or powershell.exe processes.<\/li>\n\n\n\n<li><code>vol -f dump windows.pstree<\/code> shows the process tree, also with argu\u00adments of commands.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scan with windows.netscan open connections<\/li>\n\n\n\n<li>Look with windows.pslist for sus\u00adpi\u00adcious processes.<\/li>\n\n\n\n<li>Get more infor\u00adma\u00adtion with oth\u00ader plu\u00adg\u00adins, e.g. with windows.cmdline see, what hap\u00adpened in powershell.exe or cmd.exe.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect sys\u00adtem type for the profile:<\/li>\n\n\n\n<li>volatil\u00adi\u00adty \u2011f \/root\/lab.notes\/10.11.1.238\/238.ram imageinfo<\/li>\n\n\n\n<li>Get Certs:<\/li>\n\n\n\n<li>volatil\u00adi\u00adty \u2011f \/root\/lab.notes\/10.11.1.238\/238.ram dumpcerts \u2011D&nbsp;certs<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">volatil\u00adi\u00adty \u2011f \/tmp\/Linux64.mem \u2013profile=Linuxd2018-1x6 linux_ifconfig<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>See also Mem\u00adProcFS The foren\u00adsic mem\u00ado\u00adry frame\u00adwork Volatil\u00adi\u00adty (Ver\u00adsion 3 since 2019) offers a wide range of meth\u00adods to analyse mem\u00ado\u00adry. See the blog post Retriev\u00ading mem\u00ado\u00adry for meth\u00adods and tech\u00adniques to obtain mem\u00ado\u00adry. Start by get\u00adting gen\u00ader\u00adal infor\u00adma\u00adtion about a mem\u00ado\u00adry&nbsp;dump: volatil\u00adi\u00adty \u2011f image.mem image\u00adin\u00adfo Now use the fol\u00adlow\u00ading com\u00admands to get more information:&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[476],"tags":[61,158],"class_list":["post-2774","post","type-post","status-publish","format-standard","hentry","category-defence-tool","tag-forensic","tag-volatility"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2774","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2774"}],"version-history":[{"count":15,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2774\/revisions"}],"predecessor-version":[{"id":4864,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2774\/revisions\/4864"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2774"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2774"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2774"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}