2.4 Edition
Copyright 2014 The Volatility Foundation

Development build and wiki:
github.com/volatilityfoundation

Download a stable release:
volatilityfoundation.org

Read the book:
artofmemoryforensics.com

Development Team Blog:
http://volatility-labs.blogspot.com

(Official) Training Contact:
voltraining@memoryanalysis.net

Follow: @volatility
Learn: www.memoryanalysis.net

Basic Usage

Typical command components:
# vol.py -f [image] --profile=[profile] [plugin]

Display profiles, address spaces, plugins:
# vol.py --info

Display global command-line options:
# vol.py --help

Display plugin-specific arguments:
# vol.py [plugin] --help

Load plugins from an external directory:
# vol.py --plugins=[path] [plugin]

Specify a DTB or KDBG address:
# vol.py --dtb=[addr] --kdbg=[addr]

Specify an output file:
# vol.py --output-file=[file]

Image Identification

Get profile suggestions (OS and architecture):
imageinfo

Find and parse the debugger data block:
kdbgscan

Process Listings

Basic active process listing:
pslist

Scan for hidden or terminated processes:
psscan

Cross reference processes with various lists:
psxview

Show processes in parent/child tree:
pstree

Process Information

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Display DLLs:
dlllist

Show command line arguments:
cmdline

Display details on VAD allocations:
vadinfo [--addr]

Dump allocations to individual files:
vaddump --dump-dir=PATH [--base]

Dump all valid pages to a single file:
memdump --dump-dir=PATH

Display open handles:
handles
-t/--object-type=TYPE Mutant, File, Key, etc.
-s/--silent Hide unnamed handles

Display privileges:
privs
-r/--regex=REGEX Regex privilege name
-s/--silent Explicitly enabled only

Display SIDs:
getsids

Display environment variables:
envars

PE File Extraction

Specify -D/--dump-dir to any of these plugins to
identify your desired output directory.

Dump a kernel module:
moddump
-r/--regex=REGEX Regex module name
-b/--base=BASE Module base address

Dump a process:
procdump
-m/--memory Include memory slack

Dump DLLs in process memory:
dlldump
-r/--regex=REGEX Regex module name
-b/--base=BASE Module base address

Injected Code

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Find and extract injected code blocks:
malfind
-D/--dump-dir=PATH Dump findings here

Cross-reference DLLs with memory mapped files:
ldrmodules

Scan a block of code in process or kernel memory
for imported APIs:
impscan
-p/--pid=PID Process ID
-b/--base=BASE Base address to scan
-s/--size=SIZE Size to scan from start of base

Logs & Histories

Recover event logs (XP/2003):
evtlogs
-S/--save-evt Save raw event logs
-D/--dump-dir=PATH Write to this directory

Recover command history:
cmdscan and consoles

Recover IE cache/Internet history:
iehistory

Show running services:
svcscan
-v/--verbose Show ServiceDll from registry

Networking Information

Active info (XP/2003):
connections and sockets

Scan for residual info (XP/2003):
connscan and sockscan

Network info for Vista, 2008, and 7:
netscan

Kernel Memory

Display loaded kernel modules:
modules

Scan for hidden or residual modules:
modscan

Display recently unloaded modules:
unloadedmodules

Display timers and associated DPCs:
timers

Display kernel callbacks, notification routines:
callbacks

Audit the SSDT:
ssdt
-v/--verbose Check for inline API hooks

Audit the IDT and GDT:
idt (x86 only)
gdt (x86 only)

Audit driver dispatch (IRP) tables:
driverirp
-r/--regex=REGEX Regex driver name

Display device tree (find stacked drivers):
devicetree

Print kernel pool tag usage stats:
pooltracker
-t/--tags=TAGS List of tags to analyze
-T/--tagfile=FILE pooltag.txt for labels

Kernel Objects

Scan for driver objects:
driverscan

Scan for mutexes:
mutantscan
-s/--silent Hide unnamed mutants

Scan for used/historical file objects:
filescan

Scan for symbolic link objects (shows drive
mappings):
symlinkscan

Registry

Display cached hives:
hivelist

Print a key's values and data:
printkey
-o/--hive_offset=OFFSET Hive address (virtual)
-K/--key=KEY Key path

Dump userassist data:
userassist

Dump shellbags information:
shellbags

Dump the shimcache:
shimcache

Timelines

To create a timeline, create output in body file
format. Combine the data and run sleuthkit's
mactime to create a CSV file.

timeliner --output=body > time.txt
shellbags --output=body >> time.txt
mftparser --output=body >> time.txt

mactime -b [time.txt] [-d] > csv.txt
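The merge-and-sort step that mactime performs on the combined body file, written as an added Python example (not part of the cheat sheet or of Volatility) so the resulting timeline layout is visible without a memory image. The three body-file records are constructed samples; mactime's own CSV also carries Mode, UID, GID and Meta columns, which this version omits.

```python
"""Merge body-file output into a sorted CSV timeline, the way mactime does."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample records (not real case data) in TSK 3.x body format, which is
# what timeliner/shellbags/mftparser --output=body emit:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|[PROCESS] explorer.exe PID: 1480/PPID: 1404/POffset: 0x02000000|0|---------------|0|0|0|0|1399560230|0|1399560230
0|[SHELLBAGS ITEMPOS] Name: Desktop|0|---------------|0|0|0|1399560900|1399560800|1399560801|1399560700
0|[MFT FILE_NAME] Users\\bob\\evil.exe|0|---------------|0|0|4096|1399561000|1399561000|1399561000|1399560999
"""

# mactime's "macb" column: one letter per timestamp field that matched the row's time
FLAG_ORDER = (("m", 8), ("a", 7), ("c", 9), ("b", 10))  # letter -> field index

def parse_body(text):
    """Yield (epoch, macb_flags, size, name) for each distinct timestamp in a record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError("malformed body line: %r" % line)
        name, size = fields[1], fields[6]
        by_time = {}
        for letter, idx in FLAG_ORDER:
            ts = int(fields[idx])
            if ts:  # zero means "unknown"; mactime drops those
                by_time.setdefault(ts, set()).add(letter)
        for ts, letters in by_time.items():
            flags = "".join(l if l in letters else "." for l in "macb")
            yield ts, flags, size, name

def build_timeline(text):
    """Return CSV text ordered by time, like `mactime -b body -d`."""
    rows = sorted(parse_body(text))
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Date", "Size", "Type", "File Name"])
    for ts, flags, size, name in rows:
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        writer.writerow([when, size, flags, name])
    return buf.getvalue()

if __name__ == "__main__":
    print(build_timeline(SAMPLE_BODY))
```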

Volshell

List processes:
>>> ps()

Switch contexts by pid, offset, or name:
>>> cc(pid = 3028)
>>> cc(offset = 0x3eb31340, physical=True)
>>> cc(name = "explorer.exe")

Acquire a process address space after using cc:
>>> process_space = proc().get_process_address_space()

Disassemble data in an address space:
>>> dis(address, length, space)

Dump bytes, dwords or qwords:
>>> db(address, length, space)
>>> dd(address, length, space)
>>> dq(address, length, space)

Display a type/structure:
>>> dt("_EPROCESS", recursive = True)

Display a type/structure instance:
>>> dt("_EPROCESS", 0x820c92a0)

Create an object in kernel space:
>>> thread = obj.Object("_ETHREAD", offset = 0x820c92a0, vm = addrspace())

Dump Conversion

Create a raw memory dump from a hibernation,
crash dump, firewire acquisition, VirtualBox,
VMware snapshot, hpak, or EWF file:
imagecopy -O/--output-image=FILE

Convert any of the aforementioned file types to a
Windows crash dump compatible with Windbg:
raw2dmp -O/--output-image=FILE

API Hooks

Scan for API hooks:
apihooks
-R/--skip-kernel Don't check kernel modules
-P/--skip-process Don't check processes
-Q/--quick Scan faster

Yara Scanning

Scan for Yara signatures:
yarascan
-p/--pid=PID Process IDs to scan
-K/--kernel Scan kernel memory
-Y/--yara-rules=RULES String, regex, bytes, etc.
-y/--yara-file=FILE Yara rules file
-W/--wide Match Unicode strings
-s/--size Size of preview bytes

File System Resources

Scan for MFT records:
mftparser
--output=body Output body format
-D/--dump-dir Dump MFT-resident data

Extract cached files (registry hives, executables):
dumpfiles
-D/--dump-dir=PATH Output directory
-r/--regex=REGEX Regex filename

Parse USN journal records:
usnparser (github.com/tomspencer)

GUI Memory

Sessions (shows RDP logins):
sessions

Window stations (shows clipboard owners):
wndscan

Desktops (find ransomware):
deskscan

Display global and session atom tables:
atoms and atomscan

Dump the contents of the clipboard:
clipboard

Detect message hooks (keyloggers):
messagehooks

Take a screen shot from the memory dump:
screenshot --dump-dir=PATH

Display visible and hidden windows:
windows and wintree

Strings

Use GNU strings or Sysinternals strings.exe:
strings -a -td FILE > strings.txt
strings -a -td -el FILE >> strings.txt (Unicode)

strings.exe -q -o > strings.txt (Windows)

Translate the string addresses:
strings
-s/--string-file=FILE Input strings.txt file
-S/--scan

Password Recovery

Dump LSA secrets:
lsadump

Dump cached domain hashes:
cachedump

Dump LM and NTLM hashes:
hashdump (x86 only)

Extract OpenVPN credentials:
openvpn (github.com/Phaeilo)

Extract RSA private keys and certificates:
dumpcerts
-s/--ssl Parse certificates with openssl

Disk Encryption

Recover cached TrueCrypt passphrases:
truecryptpassphrase

Triage TrueCrypt artifacts:
truecryptsummary

Extract TrueCrypt master keys:
truecryptmaster

Malware Specific

Dump Zeus/Citadel RC4 keys:
zeusscan and citadelscan

Find and decode Poison Ivy configs:
poisonivyconfig

Decode Java RAT config:
javaratscan (github.com/Rurik)

General Investigations

Dump the system's raw registry hive files:
dumpfiles -p 4 --regex='(config|ntuser)' --ignore-case --name -D .

Create a Graphviz diagram of processes:
psscan --output=dot --output-file=graph.dot

Create a color coded diagram of process memory:
vadtree -p PID --output=dot --output-file=graph.dot

Translate an account SID to user name:
printkey -K "Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\[SID]" | grep ProfileImagePath

List run keys for HKLM and all users:
printkey -K "Microsoft\\Windows\\CurrentVersion\\Run"
printkey -K "Software\\Microsoft\\Windows\\CurrentVersion\\Run"

Find Unicode hostnames or URLs:
yarascan -Y "(www|http).+\.(com|net|org)" --wide [--kernel]

Find null-terminated ASCII dot quad IP addresses:
yarascan -Y "([0-9]{1,3}\.){3}[0-9]{1,3}\x00" --wide [--kernel]

Locate and extract the HOSTS file to the local directory:
filescan | egrep hosts$ | awk '{print $1}'
0x0000000003e3c608
dumpfiles -Q 0x0000000003e3c608 --name -D .

Extract the admin password hash:
hashdump | grep Administrator > admin.txt
Malicious Code

Check if a process has domain or enterprise admin:
getsids | egrep '(Domain|Enterprise)'

Identify processes with raw sockets:
handles -t File | grep "\\Device\\RawIp\\0"

Look for an explicitly enabled debug privilege:
privs --silent --regex=debug

Identify alternate data streams:
mftparser | grep "DATA ADS"

Dump MFT-resident batch scripts:
mftparser -D output
file output* | grep "DOS batch file"

Determine what is spying on the clipboard:
wndscan | grep ClipViewer

Dump injected code and focus on executables:
malfind -D output
file output* | grep PE

Trace API hooks through memory:
apihooks -p PID --quick | grep 'Hook address'
0x10a634f
echo "dis(0x10a634f, length = 512)" | volshell -p PID

Scan for a specific mutex on the system:
mutantscan | grep [-i] [MUTANT NAME]

Dump an injected DLL, fix the image base, and generate IDA import labels:
dlldump --base=ADDR -p PID -D . --fix --memory
impscan --base=ADDR -p PID --output=idc > labels.idc

Find binaries loaded from temporary directories:
envars -p PID | grep TEMP | awk '{print $5}'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
Filter dlllist and modules output for the specified path
User Activity

Detect remote mapped shares:
handles -t File | egrep "\\Device\\(LanmanRedirector|Mup)"

Files on TrueCrypt volumes:
filescan | grep TrueCryptVolume

Extract ASCII and Unicode clipboard content:
clipboard | grep TEXT

Brute force search for command history:
yarascan -Y "C:\\\\.+>" --wide [--kernel]

Recently clicked applications and shortcuts:
userassist | grep REG_BINARY

Find prefetch files (recently executed programs):
mftparser | grep \.pf$ | awk '{print $NF}'
Kernel Memory

Identify hooked driver dispatch tables:
driverirp --regex=tcpip | grep IRP | egrep -vi '(tcpip|ntos)'

Look for hooked SSDT functions:
ssdt | egrep -vi '(ntos|win32k) '

Malicious kernel callbacks and timers:
callbacks | grep UNKNOWN (same with timers)

Locate hidden thread-based kernel rootkits:
threads -F OrphanThread | grep StartAddress
Speed Enhancements

Find and set the kernel DTB:
psscan | grep System | awk '{print $5}'
0x00319000 (Now use --dtb=0x00319000)

Find and set the KDBG on XP-7 and 32-bit 8:
kdbgscan | grep Offset | grep V | uniq
Offset (V) : 0xf80002803070 (add to --kdbg)

Find and set the KDBG on 64-bit 8 and 2012:
kdbgscan --profile=[PROFILE] | grep KdCopyDataBlock
KdCopyDataBlock (V) : 0xf80281ff3ea0 (add to --kdbg)
Volshell Scripting

Create a process ID lookup table:
by_pid = dict((p.UniqueProcessId, p) for p in getprocs())
parent_name = by_pid[PID].ImageFileName

Scan process memory and print a hex dump:
needles = ["abc123", "def456"]
for hit in proc().search_process_memory(needles):
    db(hit)

Extract a chunk of kernel memory to disk:
data = addrspace().zread(ADDR, SIZE)
with open("output.bin", "wb") as handle:
    handle.write(data)

Translate a kernel address and seek to it (raw
dumps only):
echo "addrspace().vtop(0x980f09c8)" | volshell -f [MEMDUMP]
397989832
xxd -s 397989832 [MEMDUMP]

Kernel modules with embedded PE signatures:
signed = [mod for mod in getmods() if mod.sec_dir()]

Linux Commands

Process Listings

Basic active process listing:
linux_pslist

List processes and threads:
linux_pidhashtable

Cross reference processes with various lists:
linux_psxview

Show processes in parent/child tree:
linux_pstree

Process Information

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Display shared libraries:
linux_library_list

List threads:
linux_threads

Show command line arguments:
linux_psaux

Display details on memory ranges:
linux_proc_maps

Dump allocations to individual files:
linux_dump_map
-D/--dump-dir=PATH
--vma=ADDR Range to dump

Display open handles:
linux_lsof

Display environment variables:
linux_psenv and linux_bash_env

ELF File Extraction

Specify -D/--dump-dir to any of these plugins to
identify your desired output directory.

Dump a kernel module:
linux_moddump
-r/--regex=REGEX Regex module name
-b/--base=BASE Module base address

Dump a process:
linux_procdump

Dump shared libraries in process memory:
linux_librarydump
-r/--regex=REGEX Regex module name
-b/--base=BASE Module base address

Injected Code

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Find and extract injected code blocks:
linux_malfind

Cross-reference shared libraries with memory-mapped files:
linux_ldrmodules

Check for process hollowing:
linux_process_hollow
-b/--base Base address of ELF file in memory
-P/--path Path of known good file on disk

Command History

Recover command history:
linux_bash

Recover executed binaries:
linux_bash_hash

Networking Information

Active info:
linux_netstat

Interface information:
linux_ifconfig

Raw sockets:
linux_list_raw

Routing cache:
linux_route_cache
-R/--resolve DNS resolve destination IPs

Netfilter entries:
linux_netfilter

ARP cache:
linux_arp

Kernel Memory

Display loaded kernel modules:
linux_lsmod

Check for system call hooks:
linux_check_syscall

Check for network stack hooks:
linux_check_afinfo

Check for credential copying:
linux_check_creds

Check for file operations hooking:
linux_check_fop

Check for inline kernel hooks:
linux_check_inline_kernel

Check for hidden modules:
linux_check_modules
linux_hidden_modules

Check for TTY hooks:
linux_check_tty

Check for malicious keyboard callbacks:
linux_keyboard_notifiers

Print the kernel debug buffer:
linux_dmesg

Audit the IDT:
linux_idt (x86 only)

Userland API Hooks

Scan for API hooks:
linux_apihooks
-a/--all Check hooked PLT entries

Scan for GOT/PLT hooks:
linux_plthook
-a/--all List all PLT entries
-i/--ignore Libraries to ignore in processing

Yara Scanning

Scan for Yara signatures:
linux_yarascan
-p/--pid=PID Process IDs to scan
-K/--kernel Scan kernel memory
-Y/--yara-rules=RULES String, regex, bytes, etc.
-y/--yara-file=FILE Yara rules file
-W/--wide Match Unicode strings
-s/--size Size of preview bytes

File System Resources

List mount points:
linux_mount

Enumerate files:
linux_enumerate_files

Extract cached files:
linux_find_file
-F/--find=FILE Path of file to find
-i/--inode=INODE Address of inode to dump
-L/--listfiles Lists files in cache
-O/--outputfile File path to write

Disk Encryption

Recover cached TrueCrypt passphrases:
linux_truecryptpassphrase

Strings

Translate extracted strings:
linux_strings
-s/--string-file=FILE Input strings.txt file


Mac OS X Commands

Process Listings

Basic active process listing:
mac_pslist

List PID hash table:
mac_pid_hash_table

List tasks:
mac_tasks

Cross reference processes with various lists:
mac_psxview

Show processes in parent/child tree:
mac_pstree

Process Information

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Display shared libraries:
mac_dyld_maps

Show command line arguments:
mac_psaux

Display details on memory ranges:
mac_proc_maps

Dump allocations to individual files:
mac_dump_map
-D/--dump-dir=PATH
--map_address=ADDR

Display open handles:
mac_lsof

Display environment variables:
mac_psenv and mac_bash_env

Display login sessions:
mac_list_sessions

Mach-O File Extraction

Specify -D/--dump-dir to any of these plugins to
identify your desired output directory.

Dump a kernel module:
mac_moddump
-r/--regex=REGEX Regex module name
-b/--base=BASE Module base address

Dump a process:
mac_procdump

Dump shared libraries in process memory:
mac_librarydump
-b/--base=BASE Module base address

Injected Code

Specify -o/--offset=OFFSET or -p/--pid=1,2,3

Find and extract injected code blocks:
mac_malfind

Cross-reference shared libraries with memory-mapped files:
mac_ldrmodules

Command History

Recover command history:
mac_bash

Recover executed binaries:
mac_bash_hash

Networking Information

Active info:
mac_netstat

Active info from network stack:
mac_network_conns

Interface information:
mac_ifconfig

ARP cache:
mac_arp

Route table:
mac_route

Socket filters:
mac_socket_filters

IP filters:
mac_ip_filters

Kernel Memory

Display loaded kernel modules:
mac_lsmod

Check for kernel API hooks:
mac_apihooks_kernel

Check for system call hooks:
mac_check_syscalls

Check for shadow system call table:
mac_check_syscall_shadow

Check sysctl handlers:
mac_check_sysctl

Check the trap table:
mac_check_trap_table

Check the mig table:
mac_check_mig_table

Check for file operations hooking:
mac_check_fop

Check for inline kernel hooks:
mac_check_inline_kernel

Check for hidden modules:
mac_lsmod_iokit
mac_lsmod_kext_map

Check for TrustedBSD hooks:
mac_trustedbsd

Print the kernel debug buffer:
mac_dmesg

API Hooks

Scan for API hooks:
mac_apihooks
-R/--skip-kernel Don't check kernel modules
-P/--skip-process Don't check processes
-Q/--quick Scan faster

Check for process hollowing:
mac_process_hollow
-b/--base Base address of ELF file in memory
-P/--path Path of known good file on disk

Scan for GOT/PLT hooks:
mac_plthook
-a/--all List all PLT entries
-i/--ignore Libraries to ignore in processing

Yara Scanning

Scan for Yara signatures:
mac_yarascan
-p/--pid=PID Process IDs to scan
-K/--kernel Scan kernel memory
-Y/--yara-rules=RULES String, regex, bytes, etc.
-y/--yara-file=FILE Yara rules file
-W/--wide Match Unicode strings
-s/--size Size of preview bytes

Disk Encryption

Recover possible Keychain keys:
mac_keychaindump

File System Resources

List mount points:
mac_mount

List cached files and their vnode addresses:
mac_list_files

Extract cached files:
mac_dump_file
-q/--file_offset Offset of vnode to dump
-O/--outputfile File path to write

Strings

Translate extracted strings:
mac_strings
-s/--string-file=FILE Input strings.txt file

User Activity

Recover Adium messages, including OTR chat:
mac_adium

Recover Calendar entries:
mac_calendar

Recover contacts:
mac_contacts
