Memory Analysis

GUI

GitHub - k1nd0ne/VolWeb: A centralized and enhanced memory analysis platformGitHub

Volatility - Commands

# Imageinfo
volatility -f file.dmp imageinfo

# Hivelist
volatility -f file.dmp --profile=Win7SP0x86 hivelist

# Printkey
volatility -f file.dmp --profile=Win7SP0x86 printkey -o 0xAdress
volatility -f file.dmp --profile=Win7SP0x86 printkey -o 0xAdress -k "Subkey1\subkey2\etc"

# Hashdump
# To use hashdump, pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s,
volatility hashdump -f image.dd -y 0xe1035b60 -s 0xe165cb60 
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4::: 
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f::: 
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9::: 
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51::: 
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c::: 
S----:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 

# Pslist
volatility --profile=Win7SP1x86_23418 pslist -f file.dmp

# Pstree
volatility --profile=Win7SP1x86_23418 pstree -f file.dmp 

# Psinfo
volatility --profile=Win7SP1x86_23418 -f file.dmp psinfo -p [PID]

# Procdump
volatility --profile=Win7SP1x86_23418 -f file.dmp procdump -p [PID] -D [directory]

# Netscan
volatility -f file.dmp --profile=Win7SP0x86 netscan

# Consoles
volatility -f ch2.dmp --profile=Win7SP0x86 consoles

# Memdump
volatility --profile=Win7SP1x86_23418 -f file.dmp memdump -p [PID] -D [DIRECTORY]

Volatility 2 vs Volatility 3

Volatility 3 CheatSheetonfvp

Sources

Volatility/Retrieve-password - aldeidwww.aldeid.com

Command ReferenceGitHub

Volatility, my own cheatsheet (Part 5): NetworkingAndrea Fortuna

Volatility, my own cheatsheet (Part 2): Processes and DLLsAndrea Fortuna

PreviousRubber Ducky NextDisk Analysis

Last updated 8 months ago