@amulifts
Created March 26, 2023 04:14
This gist provides a brief introduction to Volatility, a free and open-source memory forensics framework. It explains how to install Volatility and provides some commonly used commands to extract digital artifacts from volatile memory dumps of a running system, such as identifying the operating system, listing running processes, displaying conso…

What is Volatility?

Volatility is a free and open-source memory forensics framework that allows you to extract digital artifacts from volatile memory (RAM) dumps of a running system. It supports analysis of Windows, Linux, and macOS systems and can help identify signs of malicious activity, investigate security incidents, and perform forensic investigations.

Installation

To install Volatility, follow these steps:

  • Install Python 2.7 or Python 3.4+ on your system.
  • Install the required dependencies using pip by running the following command:
pip install volatility

Alternatively, you can download the latest version of Volatility from the official website:

Commands

Here are some of the most commonly used Volatility commands:

imageinfo

The imageinfo command identifies the operating system of a memory dump file and suggests the profile to use with the other commands. Run it as follows:

volatility.exe -f <memory_dump_file> imageinfo

Replace <memory_dump_file> with the path and filename of the memory dump file you want to analyze.

pslist

The pslist command lists the processes that were running at the time the memory dump was taken. Run it as follows:

volatility.exe -f <memory_dump_file> --profile <profile> pslist

Replace <memory_dump_file> with the path and filename of the memory dump file you want to analyze, and <profile> with the profile reported by the imageinfo command. It will look something like Win7SP1x64, depending on the image file.

consoles

The consoles command displays the console buffers that are present in memory. This can be useful for recovering deleted command history or determining what commands were run on the system. Run it as follows:

volatility.exe -f <memory_dump_file> --profile <profile> consoles

Replace <memory_dump_file> with the path and filename of the memory dump file you want to analyze, and <profile> with the profile reported by the imageinfo command. It will look something like Win7SP1x64, depending on the image file.

cmdline

The cmdline command displays the command line arguments of a specific process. Run it as follows:

volatility.exe -f <memory_dump_file> --profile <profile> cmdline -p <process_id>

Replace <memory_dump_file> with the path and filename of the memory dump file you want to analyze, <profile> with the profile reported by the imageinfo command (it will look something like Win7SP1x64, depending on the image file), and <process_id> with the ID of the process you want to examine.

hashdump

The hashdump command extracts password hashes from a Windows memory dump. Run it as follows:

volatility.exe -f <memory_dump_file> --profile <profile> hashdump

Replace <memory_dump_file> with the path and filename of the memory dump file you want to analyze, and <profile> with the profile reported by the imageinfo command. It will look something like Win7SP1x64, depending on the image file.
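The imageinfo-then-plugin workflow above can be scripted: pick the profile from imageinfo's output, build the plugin command lines in the same form as the ones shown, and parse the pslist table so it can be triaged (here: processes whose parent is no longer in the list). This is an added example, not code from the gist or from the Volatility project; the sample outputs are constructed to match Volatility 2's print format, and run_plugin assumes volatility.exe is on the PATH.

```python
import re
import subprocess
# Constructed sample outputs in the shape Volatility 2 prints; not captures
# from the gist or from a real case.
SAMPLE_IMAGEINFO = """Volatility Foundation Volatility Framework 2.6
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
"""
SAMPLE_PSLIST = """Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c8f040 System                    4      0     85      512 ------      0 2023-03-25 10:01:02 UTC+0000
0xfffffa8001a5e060 explorer.exe           1364   1312     24      803      1      0 2023-03-25 10:02:10 UTC+0000
0xfffffa8001b7c2e0 cmd.exe                2208   1364      1       21      1      0 2023-03-25 10:15:44 UTC+0000
"""

def volatility_cmd(dump, plugin, profile=None, pid=None, exe="volatility.exe"):
    # Build the argv for one plugin run in the form the commands above use.
    argv = [exe, "-f", dump]
    if profile:
        argv += ["--profile", profile]
    argv.append(plugin)
    if pid is not None:
        argv += ["-p", str(pid)]
    return argv

def run_plugin(dump, plugin, profile=None, pid=None):
    # Run a plugin and return its stdout; needs volatility.exe on the PATH.
    return subprocess.run(volatility_cmd(dump, plugin, profile, pid),
                          capture_output=True, text=True, check=True).stdout

def suggested_profiles(imageinfo_output):
    # Profiles from the 'Suggested Profile(s)' line; the first is the usual pick.
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    return [p.strip() for p in m.group(1).split(",")] if m else []

def parse_pslist(pslist_output):
    # Data rows start with the 0x offset; banner, header and separator do not.
    rows = []
    for line in pslist_output.splitlines():
        if line.startswith("0x"):
            f = line.split()
            rows.append({"name": f[1], "pid": int(f[2]), "ppid": int(f[3]),
                         "start": " ".join(f[8:11])})
    return rows

def missing_parents(rows):
    # Processes whose parent PID is absent from the list: a routine pslist triage check.
    pids = {r["pid"] for r in rows}
    return [r["name"] for r in rows if r["ppid"] != 0 and r["ppid"] not in pids]
```

With a real dump, `suggested_profiles(run_plugin(dump, "imageinfo"))[0]` gives the profile to pass to `run_plugin(dump, "pslist", profile)`.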

These are just a few of the many Volatility commands available. For a full list of commands, run the following command:

volatility.exe --info

I hope this helps!
