jloh02's guide for Volatility. I'm by no means an expert. This document was created to help ME understand volatility while learning. My CTF procedure comes first and a brief explanation of each command is below. This guide uses volatility2 and RegRipper
volatility -f <file_name> imageinfo
: Get suggested profiles- After which, use
volatility -f <file_name> <command> --profile=<profile>
- Run
hivelist
and take note of all virtual addresses - Using
dumpregistry
, dump all the registry contents - Using RegRipper,
rip -r tmp/registry.0xfffff8a00377d2d0.Syscachehve.reg -f system
strings <file> | grep -i "<flag format>"
just to sieve out any flags
Commands Reference: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
notepad
:
- Display notepad's contents
pslist
:
- List all processes including PID, PPID, Start and End Time
psxview
:
- View hidden processes (
False
csrss only)
ldrmodules
- View if module has been injected (Any column is
False
)
procdump
:
- Usage:
procdump -p <PID found using netscan or pslist> -D <output directory>
- Dump the entire process (.exe file)
memdump
:
- Usage:
memdump -p <PID found using netscan or pslist> -D <output directory>
- Get files used by the process
clipboard
:
- Get clipboard history
filescan
- Get a list of all files
- Pipe to grep in order to search for specific files (
filescan | grep -i "<search terms>"
)
dumpfiles
- Usage:
dumpfiles -n <filename (contains)> -D <output directory>
ordumpfiles -Q <address> -D <output directory>
hivelist
:
- Get virtual addresses of registry hives
dumpregistry
:
- Usage:
dumpregistry -o <virtual memory address of hive> -D <output directory>
- Dump the registry contents
printkey
:
- Usage:
printkey -o <virtual memory address of hive>
- Add
-K <key>
to get value of specific subkey
hashdump
:
- Display all NLTM hashes
- Use https://crackstation.net/ to crack NLTM hashes
lsadump
:
- Dump LSA Registry (Stores passwords in Windows 7)
netscan
:
- Display all network information
Installing External Plugins into volatility/plugins
:
https://github.com/superponible/volatility-plugins
wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py
thenpip install construct
Chrome
chromehistory
malfind
- Find all programs with VAD tags and execute protection
Notepad
- Use
notepad
plugin
MS Paint
- Dump memory using
memdump -p <pid of mspaint.exe>
- Try foremost/binwalk
- Use GIMP
Chrome
filescan | grep -ie "history$"
to get chrome data- Dump history files (including Downloads) using
dumpfiles
and use SQLite viewer (Note that file extension should be .sqlite) - Use
chromehistory
plugin
https://medium.com/hackstreetboys/hsb-presents-otterctf-2018-memory-forensics-write-up-c3b9e372c36c https://w00tsec.blogspot.com/2015/02/extracting-raw-pictures-from-memory.html