Volatility3
Info, Blue Team, 2023
Description :
Volatility is a free, open-source memory forensics framework developed and maintained by the Volatility Foundation; Volatility 3 is its Python 3 rewrite and the currently maintained branch. It is commonly used by malware and SOC analysts within a blue team, or as part of detection and monitoring workflows, to analyse memory captures (RAM dumps, VM .vmem files, hibernation files) offline, outside the reach of anything running on the compromised host.

Installation :
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 vol.py -h
Volatility 3 has no profiles: for Windows images it resolves the kernel symbol table itself (downloading the matching PDB on first use, so an internet connection is needed the first time a given kernel build is analysed).
- Identify image info (windows.info is the Volatility 3 equivalent of Volatility 2's imageinfo; there is no profile to pick) :
python3 vol.py -f 'dump.vmem' windows.info
- List running processes by walking the kernel's active-process list :
python3 vol.py -f 'dump.vmem' windows.pslist
- Some malware, typically rootkits, unlinks its own process from that list to hide it. psscan carves _EPROCESS structures out of memory instead of walking the list, so hidden processes still show up (as do recently terminated ones, so compare both outputs rather than treating every psscan-only entry as malicious) :
python3 vol.py -f 'dump.vmem' windows.psscan
- Display process environment variables :
python3 vol.py -f 'dump.vmem' windows.envars --pid XXXX
- Dump the memory of a process :
python3 vol.py -f 'dump.vmem' -o /PATH/TO/OUTPUT windows.memmap.Memmap --pid XXXX --dump
- List all processes as a tree based on their parent process id (useful for spotting odd parents, e.g. cmd.exe spawned by a service) :
python3 vol.py -f 'dump.vmem' windows.pstree
- Identify network connections and listening sockets (windows.netscan carves the same structures and also finds closed or hidden ones) :
python3 vol.py -f 'dump.vmem' windows.netstat
- Identify injected code (private, executable memory regions that do not map to a file on disk) :
python3 vol.py -f 'dump.vmem' windows.malfind
- Scan for drivers and kernel modules present on the system at the time of extraction :
python3 vol.py -f dump.vmem windows.modules
or
python3 vol.py -f dump.vmem windows.driverscan
- Hash dump (the Volatility 2 form is vol.py --profile=X hashdump; Volatility 3 takes no --profile) :
python3 vol.py -f dump.vmem windows.hashdump
- Last shutdown (Volatility 2 form: vol.py --profile=X shutdowntime; Volatility 3 has no dedicated plugin, so read the ShutdownTime value of the SYSTEM hive's Control\Windows key with the registry printkey plugin, normally under ControlSet001, and decode the 8-byte FILETIME it contains) :
python3 vol.py -f dump.vmem windows.registry.printkey --key "ControlSet001\Control\Windows"
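The pslist/psscan comparison above is worth automating, because a psscan-only process is only suspicious if it is still running; terminated processes whose _EPROCESS has not been freed yet also appear only in psscan. The script below is an added example, not part of the original page or of the Volatility project. It assumes both plugins were run with Volatility 3's CSV renderer (python3 vol.py -f dump.vmem -r csv windows.pslist and the same for windows.psscan) and the sample CSV embedded in it is constructed to mimic that shape; only the PID, ImageFileName and ExitTime columns are relied on.

```python
"""Cross-check windows.pslist against windows.psscan (Volatility 3 CSV output)
to surface processes unlinked from the active-process list (DKOM hiding)."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample data, not output from a real dump. The column layout
# mimics `python3 vol.py -f dump.vmem -r csv windows.pslist` / `windows.psscan`;
# only PID, ImageFileName and ExitTime are used, so extra or reordered columns
# in a real run do not matter.
PSLIST_CSV = """TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xe00012345040,112,N/A,N/A,False,2023-05-01 10:00:00.000000 ,N/A,Disabled
0,380,4,smss.exe,0xe00012567080,2,N/A,N/A,False,2023-05-01 10:00:01.000000 ,N/A,Disabled
0,1204,680,explorer.exe,0xe00013aaa080,40,N/A,1,False,2023-05-01 10:00:30.000000 ,N/A,Disabled
"""

# Same three processes, plus one that exited (benign leftover) and one that is
# still running but missing from pslist (the DKOM candidate).
PSSCAN_CSV = """TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xe00012345040,112,N/A,N/A,False,2023-05-01 10:00:00.000000 ,N/A,Disabled
0,380,4,smss.exe,0xe00012567080,2,N/A,N/A,False,2023-05-01 10:00:01.000000 ,N/A,Disabled
0,1204,680,explorer.exe,0xe00013aaa080,40,N/A,1,False,2023-05-01 10:00:30.000000 ,N/A,Disabled
0,5120,1204,notepad.exe,0xe00013bbb080,0,N/A,1,False,2023-05-01 10:05:00.000000 ,2023-05-01 10:06:00.000000 ,Disabled
0,2468,680,svchost.exe,0xe00013ccc080,6,N/A,0,False,2023-05-01 10:02:00.000000 ,N/A,Disabled
"""

ProcKey = Tuple[int, str]


def parse_vol_csv(text: str) -> Dict[ProcKey, dict]:
    """Index CSV rows by (PID, ImageFileName).

    PID alone is not a stable identity (Windows reuses PIDs), so the image
    name is folded into the key; a fuller check would also compare the
    _EPROCESS offset and CreateTime of the two rows.
    """
    return {
        (int(row["PID"]), row["ImageFileName"]): row
        for row in csv.DictReader(io.StringIO(text))
    }


def has_exited(row: dict) -> bool:
    """Volatility 3 prints N/A (or nothing) in ExitTime while a process runs."""
    return row.get("ExitTime", "").strip() not in ("", "N/A")


def scan_only(pslist_csv: str, psscan_csv: str) -> List[dict]:
    """Rows the pool scanner found that the linked-list walk did not."""
    listed = parse_vol_csv(pslist_csv)
    return [row for key, row in parse_vol_csv(psscan_csv).items()
            if key not in listed]


def find_hidden(pslist_csv: str, psscan_csv: str) -> List[ProcKey]:
    """Scan-only processes with no ExitTime: still running, yet absent from
    the ActiveProcessLinks list. This is the classic DKOM rootkit signature."""
    return [(int(r["PID"]), r["ImageFileName"])
            for r in scan_only(pslist_csv, psscan_csv) if not has_exited(r)]


def find_terminated(pslist_csv: str, psscan_csv: str) -> List[ProcKey]:
    """Scan-only processes that did exit: their _EPROCESS simply has not been
    freed yet. Expected noise, reported separately so it is not mistaken for
    hiding."""
    return [(int(r["PID"]), r["ImageFileName"])
            for r in scan_only(pslist_csv, psscan_csv) if has_exited(r)]


if __name__ == "__main__":
    print("hidden (investigate):", find_hidden(PSLIST_CSV, PSSCAN_CSV))
    print("terminated (benign):", find_terminated(PSLIST_CSV, PSSCAN_CSV))
```

Against a real image, redirect each plugin's -r csv output to a file and pass the two files' contents to find_hidden and find_terminated; anything in the hidden list deserves a windows.pstree look at its parent and a windows.memmap dump.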
Some rooms from Tryhackme where you can practice :
