# Memory Analysis

## GUI

{% embed url="<https://github.com/k1nd0ne/VolWeb?s=03>" %}

## Volatility - Commands

```
# Imageinfo - identify the suggested --profile for the dump
volatility -f file.dmp imageinfo

# Hivelist - list registry hives with their virtual addresses
volatility -f file.dmp --profile=Win7SP0x86 hivelist

# Printkey
volatility -f file.dmp --profile=Win7SP0x86 printkey -o 0xAddress
volatility -f file.dmp --profile=Win7SP0x86 printkey -o 0xAddress -k "Subkey1\subkey2\etc"

# Hashdump
# To use hashdump, pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s
# (both addresses come from the hivelist output above).
volatility hashdump -f image.dd -y 0xe1035b60 -s 0xe165cb60
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
S----:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

# Pslist
volatility --profile=Win7SP1x86_23418 pslist -f file.dmp

# Pstree
volatility --profile=Win7SP1x86_23418 pstree -f file.dmp

# Psinfo
volatility --profile=Win7SP1x86_23418 -f file.dmp psinfo -p [PID]

# Procdump - dump the process executable to [directory]
volatility --profile=Win7SP1x86_23418 -f file.dmp procdump -p [PID] -D [directory]

# Netscan
volatility -f file.dmp --profile=Win7SP0x86 netscan

# Consoles
volatility -f ch2.dmp --profile=Win7SP0x86 consoles

# Memdump - dump the full addressable memory of a process to [DIRECTORY]
volatility --profile=Win7SP1x86_23418 -f file.dmp memdump -p [PID] -D [DIRECTORY]
```
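
The `hashdump` output above is in pwdump format (`user:RID:LM hash:NT hash:::`). When triaging a dump it is useful to parse it rather than eyeball it: the LM and NT hashes of the empty password are fixed, well-known constants, so an empty NT hash means a blank password, a non-empty LM hash means LM storage was still enabled (password of at most 14 characters), and an LM hash whose second half equals the empty-half constant means a password of 7 characters or fewer. The script below is an added example, not part of the original cheat sheet or of Volatility; it embeds the page's own sample output as constructed input (prefixed with a typical Volatility banner line to show that non-record lines are skipped) and reports which accounts deserve a second look.

```python
"""Parse Volatility 2 `hashdump` output and flag accounts worth a second look.

Added example (not Volatility's own code). SAMPLE_HASHDUMP is the cheat sheet's
hashdump excerpt embedded as constructed input so the script runs offline;
in practice feed it the output of `volatility ... hashdump`.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Well-known fixed hashes of the empty password (LM and NT respectively).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# Each LM half encrypts a constant with one 7-char half of the password,
# so an empty second half is always this 16-hex-char constant.
EMPTY_LM_HALF = EMPTY_LM[16:]

# Constructed sample: the page's hashdump lines plus a banner line to skip.
SAMPLE_HASHDUMP = """\
Volatility Foundation Volatility Framework 2.6
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
S----:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# One pwdump record: user:RID:LM:NT::: (hashes are 32 hex chars each).
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$"
)


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str


def parse_hashdump(text: str) -> List[Account]:
    """Return one Account per well-formed record; banner and noise lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def triage(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map user -> list of finding codes; users with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        codes = []
        if a.nt == EMPTY_NT:
            codes.append("BLANK_PASSWORD")          # empty NT hash: no password set
        if a.lm != EMPTY_LM:
            codes.append("LM_HASH_STORED")          # LM enabled and password <= 14 chars
            if a.lm[16:] == EMPTY_LM_HALF:
                codes.append("LM_PASSWORD_LE7")     # second half empty: password <= 7 chars
        if a.rid == 500 and a.user.lower() != "administrator":
            codes.append("RID500_RENAMED")          # built-in Administrator under another name
        if codes:
            findings[a.user] = codes
    return findings


if __name__ == "__main__":
    for user, codes in triage(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(f"{user:20s} {', '.join(codes)}")
```

Run against the sample, `Guest` and `S----` come out as blank-password accounts, `phoenix` as having a password of at most 7 characters, and `SUPPORT_388945a0` raises nothing (its LM hash is empty and its NT hash is set). None of this requires cracking a hash; it is a policy check you can run on any image before deciding whether an account is worth deeper investigation.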

## Volatility 2 vs Volatility 3

{% embed url="<https://blog.onfvp.com/post/volatility-cheatsheet/>" %}

## Sources

{% embed url="<https://www.aldeid.com/wiki/Volatility/Retrieve-password>" %}

{% embed url="<https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#hashdump>" %}

{% embed url="<https://homputersecurity.com/2019/02/07/detection-de-malware-avec-volatility-part-1/>" %}

{% embed url="<https://www.andreafortuna.org/2017/07/24/volatility-my-own-cheatsheet-part-5-networking/>" %}

{% embed url="<https://www.andreafortuna.org/2017/07/03/volatility-my-own-cheatsheet-part-2-processes-and-dlls/>" %}


