Created
September 9, 2022 18:56
-
-
Save Reelix/bd546ed9bb9834ecc17fb577029bf445 to your computer and use it in GitHub Desktop.
Reelix's Volatility Cheatsheet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0.) Update: https://www.volatilityfoundation.org/releases | |
| 1.) General analysis (Mainly used to get Profiles) | |
| - volatility.exe -f file.raw imageinfo | |
| Eg: Suggested Profile(s) : Win7SP1x64, WinXPSP2x86, WinXPSP3x86 | |
| 2.) List Processes | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove pslist | |
| 3.) List loaded DLL's | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove dlllist | |
| 4.) Show network connections (May not work on older images) - IPs / Ports | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove netscan | |
| 5.) View processes (Including Hidden) | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove psxview | |
| 6.) Potentially suspicious processes (3 Falses is bad!) | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove ldrmodules | grep False | |
| 7.) Dump DLL's from PID | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove --pid=123 dlldump -D .\Mem | |
| 7.b) Dump Memory from PID | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove --pid=1,2,3 memdump -D .\Mem | |
| 8.) Find files | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove filescan | |
| 8.b.) Find .txt files | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove filescan | findstr ".txt" | |
| 9.) Save files (Not every file is stored so may be buggy) | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove dumpfiles -Q aboveRamADD --name file -D Files | |
| 10.) Dump SAM + System for Password Cracking | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove hivelist | |
| -- Search for \SystemRoot\System32\Config\SAM and \REGISTRY\MACHINE\SYSTEM | |
| --- volatility.exe -f file.raw --profile=ProfileFromAbove hashdump -y LeftSystemHash -s LeftSamHash > hashes.txt | |
| ---- Save furthest right hash | |
| ----- hashcat hash.txt -m 1000 R:\Dictionarys\rockyou.txt -O | |
| 11.) Check if there's a TrueCrypt Partition + Extract Password | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove truecryptsummary | |
| 11.b.) If there is - Try and extract the master key | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove truecryptmaster -D . | |
| 12.) Most recently used files / folders | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove shellbags --output=body | |
| 12.b.) Most recently used dirs | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove shellbags --output=body | findstr "DIR" | |
| -- Dates are: Modified | Create | Access | |
| 13.) List recent command line entries | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove cmdscan | |
| 14.) List command line history (Input + Output) | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove consoles | |
| 15.) List Environment Variables | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove envars | |
| 15.b) List Environment Variables from a specific process | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove -p123 envars | |
| 16.) What's on a currently opened notepad document | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove notepad | |
| 17.) What's on the clipboard | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove clipboard | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove clipboard -v | |
| 18.) List possible malicious processes (Vads tag + execute protection) | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove malfind | |
| 19.) Last shutdown time | |
| - volatility.exe -f file.raw --profile=ProfileFromAbove shutdowntime |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment