@jloh02
Last active April 2, 2024 08:03
Volatility Cheatsheet

Volatility Guide (Windows)

Overview

jloh02's guide to Volatility. I'm by no means an expert; this document was created to help me understand Volatility while learning. My CTF procedure comes first, and a brief explanation of each command follows. This guide uses Volatility 2 and RegRipper.

Procedure

Profiling

  • volatility -f <file_name> imageinfo: get the suggested profiles for the image
  • After that, run every other command as volatility -f <file_name> --profile=<profile> <command>

Registry Dumping and Ripping

  • Run hivelist and take note of the virtual address of every hive
  • Using dumpregistry, dump the contents of each hive to a directory
  • Using RegRipper, rip each dumped hive with the matching profile, e.g. rip -r tmp/registry.0xfffff8a00377d2d0.Syscachehve.reg -f system
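The Profiling and Registry steps above, chained into one script. This is an added example, not part of the gist: it assumes volatility (v2) and RegRipper's rip are on PATH, and the hivelist sample, addresses and hive paths inside sample_hivelist are constructed for the example. Nothing touches a memory image unless the MEMORY_IMAGE variable (an assumption of this script, not a Volatility option) is set, so the parsing helpers can be exercised on their own.

```shell
#!/bin/sh
# Added example: profile an image, list registry hives, dump every hive with
# dumpregistry, then run RegRipper on the hives it has a profile for.
# Assumes `volatility` (v2) and `rip` are on PATH; they only run when MEMORY_IMAGE is set.

# Constructed hivelist output (addresses and paths are invented, not from a real image).
sample_hivelist() {
    cat <<'EOF'
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000003c4e7010 [no name]
0xfffff8a00000f010 0x000000003c4d0010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000023010 0x000000003c4ad010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a0003f4410 0x000000003aa4a410 \SystemRoot\System32\Config\SAM
0xfffff8a001cd6010 0x000000002eb17010 \??\C:\Users\Alice\ntuser.dat
EOF
}

# Virtual address column of hivelist output: every row that starts with 0x.
hive_addrs() {
    awk '/^0x/ { print $1 }'
}

# "address basename" pairs; basename is the last path component, lowercased, dots
# removed (same shape dumpregistry uses in its file names, e.g. "ntuserdat").
# Unnamed hives get "-" so callers can skip them.
hive_entries() {
    awk '/^0x/ {
        name = substr($0, index($0, $3))
        if (name ~ /^\[/) { print $1, "-"; next }
        gsub(/\\/, "/", name)
        n = split(name, parts, "/")
        base = tolower(parts[n])
        gsub(/\./, "", base)
        print $1, base
    }'
}

# Map a hive basename to the RegRipper profile that parses it; prints nothing
# for hives RegRipper has no profile for (hardware, syscachehve, ...).
regripper_profile() {
    case "$1" in
        system)    echo system ;;
        software)  echo software ;;
        sam)       echo sam ;;
        security)  echo security ;;
        ntuserdat) echo ntuser ;;
        *) ;;
    esac
}

# Whole procedure: imageinfo (unless PROFILE is given) -> hivelist -> dumpregistry
# per address -> rip per dumped hive. dumpregistry names files
# registry.<addr>.<hivename>.reg, so the hive type is the third dot-separated field.
run_procedure() {
    img="$1"; out="${2:-tmp}"
    mkdir -p "$out"
    profile="${PROFILE:-$(volatility -f "$img" imageinfo |
        awk -F': *' '/Suggested Profile/ { sub(/,.*/, "", $2); print $2 }')}"
    volatility -f "$img" --profile="$profile" hivelist > "$out/hivelist.txt"
    hive_addrs < "$out/hivelist.txt" | while read -r addr; do
        volatility -f "$img" --profile="$profile" dumpregistry -o "$addr" -D "$out"
    done
    for f in "$out"/registry.*.reg; do
        [ -e "$f" ] || continue
        base=$(printf '%s' "${f##*/}" | cut -d. -f3 | tr 'A-Z' 'a-z')
        prof=$(regripper_profile "$base")
        [ -n "$prof" ] && rip -r "$f" -f "$prof" > "$f.rip.txt"
    done
}

# Real run only when the caller opts in: MEMORY_IMAGE=mem.raw PROFILE=Win7SP1x64 sh vol_regs.sh
if [ -n "${MEMORY_IMAGE:-}" ]; then
    run_procedure "$MEMORY_IMAGE" "${OUT_DIR:-tmp}"
fi
```

Hives dumped from memory contain only the pages that were resident at capture time, so rip may warn about missing keys; that is expected and not a sign the dump failed.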

Just CTF Things

  • strings <file> | grep -i "<flag format>" just to sieve out any flags

Commands

Commands Reference: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference

Not in reference

notepad:

  • Display notepad's contents

OS and Processes

pslist:

  • List all processes, including PID, PPID, start time and exit time

psxview:

  • Cross-check process listings to spot hidden processes (a process that is False only in the csrss column is normal)

ldrmodules

  • Check whether a module has been injected (a module showing False in any column is suspicious)

procdump:

  • Usage: procdump -p <PID found using netscan or pslist> -D <output directory>
  • Dump the process executable (.exe file)

memdump:

  • Usage: memdump -p <PID found using netscan or pslist> -D <output directory>
  • Dump the process's memory, from which files used by the process can be carved

clipboard:

  • Get clipboard history

Files

filescan

  • Get a list of all files
  • Pipe to grep to search for specific files: filescan | grep -i "<search terms>"

dumpfiles

  • Usage: dumpfiles -n <filename (contains)> -D <output directory> or dumpfiles -Q <address> -D <output directory>

Registry Related

hivelist:

  • Get virtual addresses of registry hives

dumpregistry:

  • Usage: dumpregistry -o <virtual memory address of hive> -D <output directory>
  • Dump the registry contents

printkey:

  • Usage: printkey -o <virtual memory address of hive>
  • Add -K "<key path>" to print the values of a specific key

hashdump:

  • Dump password hashes from the SAM hive
lsadump:

  • Dump LSA secrets from the registry (stores passwords on Windows 7)

Networking

netscan:

  • Display network connections and listening sockets together with the owning process

External Plugins

Install external plugins into volatility/plugins:

  • https://github.com/superponible/volatility-plugins
  • wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py, then pip install construct

Chrome

  • chromehistory

malfind

  • Find memory regions whose VAD tags and executable protection suggest injected code

Program Specific

Notepad

  • Use notepad plugin

MS Paint

  • Dump memory using memdump -p <pid of mspaint.exe>
  • Try foremost/binwalk
  • Use GIMP

Chrome

  • filescan | grep -ie "history$" to find Chrome's data files
  • Dump the history files (including Downloads) using dumpfiles and open them in a SQLite viewer (rename the dumped file to a .sqlite extension so the viewer recognises it)
  • Use the chromehistory plugin
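The filescan-then-dumpfiles workflow from the Files section and the Chrome steps above, as one script. This is an added example, not part of the gist: the filescan output inside sample_filescan is constructed (offsets and paths invented), and volatility is assumed on PATH but is only invoked when MEMORY_IMAGE and PROFILE are set (both are this script's own variables). The matcher keeps everything from the Name column onward, so paths containing spaces such as "User Data" survive intact.

```shell
#!/bin/sh
# Added example: find files in `filescan` output by pattern and dump each hit
# with `dumpfiles -Q <physical offset>`. Only the parser runs without an image.

# Constructed filescan output (offsets and paths invented for this example).
sample_filescan() {
    cat <<'EOF'
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0cd7b0      2      0 R--r-- \Device\HarddiskVolume1\Users\Alice\AppData\Local\Google\Chrome\User Data\Default\History
0x000000003e1a2f20      1      0 R--rwd \Device\HarddiskVolume1\Users\Alice\AppData\Local\Google\Chrome\User Data\Default\History-journal
0x000000003f2b0c40     16      0 R--r-d \Device\HarddiskVolume1\Windows\System32\notepad.exe
0x000000003f5e6a10      1      1 RW-rw- \Device\HarddiskVolume1\Users\Alice\Documents\flag.txt
EOF
}

# Print "offset name" for each filescan row whose name matches the pattern.
# Both the name and the pattern are lowercased, giving grep -i behaviour;
# the name is the whole line after the first four columns.
file_matches() {
    awk -v pat="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^0x/ {
            name = $0
            sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", name)
            if (tolower(name) ~ pat) print $1, name
        }'
}

# Run filescan once, then dumpfiles -Q for every matching offset.
# dumpfiles picks its own output names inside $out.
dump_matches() {
    img="$1"; pat="$2"; out="${3:-dumps}"
    mkdir -p "$out"
    volatility -f "$img" --profile="$PROFILE" filescan | file_matches "$pat" |
    while read -r off _; do
        volatility -f "$img" --profile="$PROFILE" dumpfiles -Q "$off" -D "$out"
    done
}

# Real run only on request, e.g.:
#   MEMORY_IMAGE=mem.raw PROFILE=Win7SP1x64 PATTERN='history$' sh vol_files.sh
if [ -n "${MEMORY_IMAGE:-}" ] && [ -n "${PROFILE:-}" ]; then
    dump_matches "$MEMORY_IMAGE" "${PATTERN:-history$}" "${OUT_DIR:-dumps}"
fi
```

The anchored pattern history$ returns only the History database and not History-journal, which is the difference between the two grep invocations in the notes above; dropping the anchor dumps both.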

Acknowledgements

https://medium.com/hackstreetboys/hsb-presents-otterctf-2018-memory-forensics-write-up-c3b9e372c36c
https://w00tsec.blogspot.com/2015/02/extracting-raw-pictures-from-memory.html
