2.4 Edition
Copyright 2014 The Volatility Foundation
Development build and wiki:
github.com/volatilityfoundation
Download a stable release:
volatilityfoundation.org
Read the book:
artofmemoryforensics.com
Development Team Blog:
http://volatility-labs.blogspot.com
(Official) Training Contact:
voltraining@memoryanalysis.net
Follow: @volatility
Learn: www.memoryanalysis.net
Basic Usage
Typical command components:
# vol.py -f [image] --profile=[profile] [plugin]
Display profiles, address spaces, plugins:
# vol.py --info
Display global command-line options:
# vol.py --help
Display plugin-specific arguments:
# vol.py [plugin] --help
Load plugins from an external directory:
# vol.py --plugins=[path] [plugin]
Specify a DTB or KDBG address:
# vol.py --dtb=[addr] --kdbg=[addr]
Specify an output file:
# vol.py --output-file=[file]
Image Identification
Get profile suggestions (OS and architecture):
imageinfo
Find and parse the debugger data block:
kdbgscan
Processes Listings
Basic active process listing:
pslist
Scan for hidden or terminated processes:
psscan
Cross reference processes with various lists:
psxview
Show processes in parent/child tree:
pstree
Process Information
Specify -o/--offset=OFFSET or -p/--pid=1,2,3
Display DLLs:
dlllist
Show command line arguments:
cmdline
Display details on VAD allocations:
vadinfo [--addr]
Dump allocations to individual files:
vaddump --dump-dir=PATH [--base]
Dump all valid pages to a single file:
memdump --dump-dir=PATH
Display open handles:
handles
-t/--object-type=TYPE Mutant, File, Key, etc.
-s/--silent Hide unnamed handles
Display privileges:
privs
-r/--regex=REGEX Regex privilege name
-s/--silent Explicitly enabled only
Display SIDs:
getsids
Display environment variables:
envars
PE File Extraction
Specify -D/--dump-dir to any of these plugins to
identify your desired output directory.
Dump a kernel module:
moddump
-r/--regex=REGEX Regex module name
-b/--base=BASE Module base address
Dump a process:
procdump
-m/--memory Include memory slack
Dump DLLs in process memory:
dlldump
-r/--regex=REGEX Regex module name
-b/--base=BASE Module base address
Injected Code
Specify -o/--offset=OFFSET or -p/--pid=1,2,3
Find and extract injected code blocks:
malfind
-D/--dump-dir=PATH Dump findings here
Cross-reference DLLs with memory mapped files:
ldrmodules
Scan a block of code in process or kernel memory
for imported APIs:
impscan
-p/--pid=PID Process ID
-b/--base=BASE Base address to scan
-s/--size=SIZE Size to scan from start of base
Logs / Histories
Recover event logs (XP/2003):
evtlogs
-S/--save-evt Save raw event logs
-D/--dump-dir=PATH Write to this directory
Recover command history:
cmdscan and consoles
Recover IE cache/Internet history:
iehistory
Show running services:
svcscan
-v/--verbose Show ServiceDll from registry
Networking Information
Active info (XP/2003):
connections and sockets
Scan for residual info (XP/2003):
connscan and sockscan
Network info for Vista, 2008, and 7:
netscan
Kernel Memory
Display loaded kernel modules:
modules
Scan for hidden or residual modules:
modscan
Display recently unloaded modules:
unloadedmodules
Display timers and associated DPCs:
timers
Display kernel callbacks, notification routines:
callbacks
Audit the SSDT:
ssdt
-v/--verbose Check for inline API hooks
Audit the IDT and GDT:
idt (x86 only)
gdt (x86 only)
Audit driver dispatch (IRP) tables:
driverirp
-r/--regex=REGEX Regex driver name
Display device tree (find stacked drivers):
devicetree
Print kernel pool tag usage stats:
pooltracker
-t/--tags=TAGS List of tags to analyze
-T/--tagfile=FILE pooltag.txt for labels
Kernel Objects
Scan for driver objects:
driverscan
Scan for mutexes:
mutantscan
-s/--silent Hide unnamed mutants
Scan for used/historical file objects:
filescan
Scan for symbolic link objects (shows drive
mappings):
symlinkscan
Registry
Display cached hives:
hivelist
Print a key's values and data:
printkey
-o/--hive_offset=OFFSET Hive address (virtual)
-K/--key=KEY Key path
Dump userassist data:
userassist
Dump shellbags information:
shellbags
Dump the shimcache:
shimcache
Timelines
To create a timeline, create output in body file
format. Combine the data and run sleuthkit's
mactime to create a CSV file.
timeliner --output=body > time.txt
shellbags --output=body >> time.txt
mftparser --output=body >> time.txt
mactime -b [time.txt] [-d] > csv.txt
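The three outputs above can simply be concatenated because each plugin writes the same 11-field Sleuth Kit body line (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in epoch seconds, 0 for "not recorded"). The following is an added example, not code from the cheat sheet or from Volatility: a small Python stand-in for `mactime -b time.txt -d` that parses such lines and emits one dated row per distinct timestamp with mactime's m/a/c/b flags. The sample body lines are constructed to resemble timeliner, shellbags and mftparser output; the values are not from a real image.

```python
import csv
import io
from datetime import datetime, timezone

BODY_FIELDS = 11   # MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime


def parse_body_line(line):
    """Split one body-format line; returns None for blank or malformed lines."""
    line = line.rstrip("\r\n")
    if not line:
        return None
    parts = line.split("|")
    if len(parts) != BODY_FIELDS:
        return None          # a stray header, banner or truncated line
    try:
        times = [int(t) for t in parts[7:11]]   # atime, mtime, ctime, crtime
    except ValueError:
        return None
    return {"name": parts[1], "meta": parts[2], "mode": parts[3],
            "uid": parts[4], "gid": parts[5], "size": parts[6],
            "times": times}


def body_to_timeline(body_text):
    """Rows sorted by time: (epoch, macb_flags, name, size, meta).

    Like mactime, one row is produced per distinct non-zero timestamp of a
    record, flagging which of the four fields (m, a, c, b) carry that value."""
    rows = []
    for line in body_text.splitlines():
        rec = parse_body_line(line)
        if rec is None:
            continue
        atime, mtime, ctime, crtime = rec["times"]
        for ts in sorted(set(t for t in rec["times"] if t > 0)):
            macb = "".join([
                "m" if mtime == ts else ".",
                "a" if atime == ts else ".",
                "c" if ctime == ts else ".",
                "b" if crtime == ts else ".",
            ])
            rows.append((ts, macb, rec["name"], rec["size"], rec["meta"]))
    rows.sort(key=lambda r: (r[0], r[2]))
    return rows


def timeline_csv(body_text):
    """Render the rows as CSV (Date,Size,Type,Meta,File Name), like mactime -d."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Date", "Size", "Type", "Meta", "File Name"])
    for ts, macb, name, size, meta in body_to_timeline(body_text):
        date = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        writer.writerow([date, size, macb, meta, name])
    return out.getvalue()


# Constructed sample: one line each in the shape timeliner, shellbags and
# mftparser emit with --output=body (not taken from a real memory image).
SAMPLE_BODY = "\n".join([
    "0|[PROCESS] explorer.exe PID: 1624/PPID: 1592/POffset: 0x0203b020|0|---------------|0|0|0|1325376000|1325376000|1325376000|1325376000",
    "0|[SHELLBAGS ITEMPOS] Name: Tools Path: Desktop|0|---------------|0|0|0|1325379600|1325376000|1325383200|1325372400",
    "0|[MFT FILE_NAME] WINDOWS\\system32\\drivers\\etc\\hosts (Offset: 0x1c3c400)|0|---------------|0|0|734|1325380000|1325379000|1325379000|1325372400",
])

if __name__ == "__main__":
    print(timeline_csv(SAMPLE_BODY), end="")
```

Feed it the concatenated time.txt when mactime is not installed; rows whose timestamp is 0 are dropped, exactly the entries mactime would otherwise date to 1970.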
Volshell
List processes:
>>> ps()
Switch contexts by pid, offset, or name:
>>> cc(pid = 3028)
>>> cc(offset = 0x3eb31340, physical=True)
>>> cc(name = "explorer.exe")
Acquire a process address space after using cc:
>>> process_space = proc().get_process_address_space()
Disassemble data in an address space:
>>> dis(address, length, space)
Dump bytes, dwords or qwords:
>>> db(address, length, space)
>>> dd(address, length, space)
>>> dq(address, length, space)
Display a type/structure:
>>> dt("_EPROCESS", recursive = True)
Display a type/structure instance:
>>> dt("_EPROCESS", 0x820c92a0)
Create an object in kernel space:
>>> thread = obj.Object("_ETHREAD", offset = 0x820c92a0, vm = addrspace())
Dump Conversion
Create a raw memory dump from a hibernation,
crash dump, firewire acquisition, virtualbox,
vmware snapshot, hpak, or EWF file:
imagecopy -O/--output-image=FILE
Convert any of the aforementioned file types to a
Windows crash dump compatible with Windbg:
raw2dmp -O/--output-image=FILE
API Hooks
Scan for API hooks:
apihooks
-R/--skip-kernel Don't check kernel modules
-P/--skip-process Don't check processes
-Q/--quick Scan faster
Yara Scanning
Scan for Yara signatures:
yarascan
-p/--pid=PID Process IDs to scan
-K/--kernel Scan kernel memory
-Y/--yara-rules=RULES String, regex, bytes, etc.
-y/--yara-file=FILE Yara rules file
-W/--wide Match Unicode strings
-s/--size Size of preview bytes
File System Resources
Scan for MFT records:
mftparser
--output=body Output body format
-D/--dump-dir Dump MFT-resident data
Extract cached files (registry hives, executables):
dumpfiles
-D/--dump-dir=PATH Output directory
-r/--regex=REGEX Regex filename
Parse USN journal records:
usnparser (github.com/tomspencer)
GUI Memory
Sessions (shows RDP logins):
sessions
Window stations (shows clipboard owners):
wndscan
Desktops (find ransomware):
deskscan
Display global and session atom tables:
atoms and atomscan
Dump the contents of the clipboard:
clipboard
Detect message hooks (keyloggers):
messagehooks
Take a screen shot from the memory dump:
screenshot --dump-dir=PATH
Display visible and hidden windows:
windows and wintree
Strings
Use GNU strings or Sysinternals strings.exe:
strings -a -td FILE > strings.txt
strings -a -td -el FILE >> strings.txt (Unicode)
strings.exe -q -o FILE > strings.txt (Windows)
Translate the string addresses:
strings
-s/--string-file=FILE Input strings.txt file
-S/--scan
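The strings plugin reads one line per string with the decimal physical offset first, which is the layout `strings -a -td` prints (an assumption about the accepted format; the plugin maps each offset back to the owning process or kernel module). The following is an added example, not code from the cheat sheet or from Volatility: Python that produces the same two passes (ASCII, then UTF-16LE as `-el` does) over a raw image read in chunks, for hosts that lack GNU strings. The sample buffer at the bottom is constructed.

```python
import re

MIN_LEN = 4
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text looks like printable ASCII with a zero byte after each char.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def _runs(data):
    """All printable runs in data as (start, end, text), both encodings."""
    found = [(m.start(), m.end(), m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), m.end(), m.group().decode("utf-16-le"))
              for m in WIDE_RUN.finditer(data)]
    return sorted(found)


def ascii_strings(data, base=0):
    """(decimal offset, text) pairs, like `strings -a -td`."""
    return [(base + m.start(), m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(data)]


def utf16le_strings(data, base=0):
    """(decimal offset, text) pairs, like `strings -a -td -el`."""
    return [(base + m.start(), m.group().decode("utf-16-le"))
            for m in WIDE_RUN.finditer(data)]


def strings_from_chunks(chunks, overlap=4096):
    """Yield "<offset> <string>" lines over an iterable of byte chunks.

    The last `overlap` bytes of each chunk are re-scanned together with the
    next chunk, so a run crossing a chunk boundary is reported once, at its
    true offset. Runs longer than `overlap` bytes are cut at the boundary."""
    pos, tail = 0, b""
    it = iter(chunks)
    buf = next(it, b"")
    while buf:
        nxt = next(it, b"")
        data = tail + buf
        base = pos - len(tail)                  # absolute offset of data[0]
        for start, end, text in _runs(data):
            if end < len(tail) - 1:             # inside the overlap: already reported
                continue
            if nxt and end >= len(data) - 1:    # may continue in the next chunk: defer
                continue
            yield "%d %s" % (base + start, text)
        tail = data[-overlap:]
        pos += len(buf)
        buf = nxt


def strings_file_lines(data):
    """Single-buffer convenience wrapper: both passes merged, sorted by offset."""
    return list(strings_from_chunks([data]))


def write_strings_file(image_path, out_path, chunk_size=16 * 1024 * 1024):
    """Stream a raw image and write strings.txt for the `strings` plugin."""
    def chunks():
        with open(image_path, "rb") as img:
            while True:
                buf = img.read(chunk_size)
                if not buf:
                    return
                yield buf
    with open(out_path, "w", encoding="utf-8") as out:
        for line in strings_from_chunks(chunks()):
            out.write(line + "\n")


# Constructed sample buffer (not from a real image): an ASCII process name
# and a UTF-16LE path, separated by non-printable bytes.
SAMPLE = (b"\x00\x00\x01" + b"explorer.exe" + b"\x00\x00"
          + "C:\\Temp\\evil.dll".encode("utf-16-le") + b"\x00ab\x00")

if __name__ == "__main__":
    for line in strings_file_lines(SAMPLE):
        print(line)
```

The output of `write_strings_file("mem.raw", "strings.txt")` is then passed as `strings -s strings.txt`; the UTF-16LE pass is what catches paths and hostnames that Windows keeps as wide strings and an ASCII-only pass would miss.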
Password Recovery
Dump LSA secrets:
lsadump
Dump cached domain hashes:
cachedump
Dump LM and NTLM hashes:
hashdump (x86 only)
Extract OpenVPN credentials:
openvpn (github.com/Phaeilo)
Extract RSA private keys and certificates:
dumpcerts
-s/--ssl Parse certificates with openssl
Disk Encryption
Recover cached TrueCrypt passphrases:
truecryptpassphrase
Triage TrueCrypt artifacts:
truecryptsummary
Extract TrueCrypt master keys:
truecryptmaster
Malware Specific
Dump Zeus/Citadel RC4 keys:
zeusscan and citadelscan
Find and decode Poison Ivy configs:
poisonivyconfig
Decode Java RAT config:
javaratscan (github.com/Rurik)
General Investigations
Dump the system's raw registry hive files:
dumpfiles -p 4 --regex='(config|ntuser)' --ignore-case --name -D .
Create a graphviz diagram of processes:
psscan --output=dot --output-file=graph.dot
Create a color coded diagram of process memory:
vadtree -p PID --output=dot --output-file=graph.dot
Translate an account SID to user name:
printkey -K "Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\[SID]" | grep ProfileImagePath
List run keys for HKLM and all users:
printkey -K "Microsoft\\Windows\\CurrentVersion\\Run"
printkey -K "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
Find Unicode hostnames or URLs:
yarascan -Y "(www|http).+\.(com|net|org)" --wide [--kernel]
Find null-terminated ASCII dot quad IP addresses:
yarascan -Y "([0-9]{1,3}\.){3}[0-9]{1,3}\x00" --wide [--kernel]
Locate and extract the HOSTS file to the local directory:
filescan | egrep hosts$ | awk '{print $1}'
0x0000000003e3c608
dumpfiles -Q 0x0000000003e3c608 --name -D .
Extract the admin password hash:
hashdump | grep Administrator > admin.txt
Malicious Code
Check if a process has domain or enterprise admin:
getsids | egrep '(Domain|Enterprise)'
Identify processes with raw sockets:
handles -t File | grep "\\Device\\RawIp\\0"
Look for explicitly enabled debug privilege:
privs --silent --regex=debug
Identify alternate data streams:
mftparser | grep "DATA ADS"
Dump MFT-resident batch scripts:
mftparser -D output
file output* | grep "DOS batch file"
Determine what is spying on the clipboard:
wndscan | grep ClipViewer
Dump injected code and focus on executables:
malfind -D output
file output* | grep PE
Trace API hooks through memory:
apihooks -p PID --quick | grep 'Hook address'
0x1da634f
echo "dis(0x1da634f, length = 312)" | volshell -p PID
Scan for a specific mutex on the system:
mutantscan | grep [-i] [MUTANT NAME]
Dump injected DLL, fix image base + IDA import labels:
dlldump --base=ADDR -p PID -D . --fix --memory
impscan --base=ADDR -p PID --output=idc > labels.idc
Find binaries loaded from temporary directories:
envars -p PID | grep TEMP | awk '{print $5}'
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
Filter dlllist and modules output for the specified path
User Activity
Detect remote mapped shares:
handles -t File | egrep "\\Device\\(LanmanRedirector|Mup)"
Files on TrueCrypt volumes:
filescan | grep TrueCryptVolume
Extract ASCII and Unicode clipboard content:
clipboard | grep TEXT
Brute force search for command history:
yarascan -Y "C:\\\\.+>" --wide [--kernel]
Recently clicked applications and shortcuts:
userassist | grep REG_BINARY
Find prefetch files (recently executed programs):
mftparser | grep \.pf$ | awk '{print $NF}'
Kernel Memory
Identify hooked driver dispatch tables:
driverirp --regex=tcpip | grep IRP | egrep -vi '(tcpip|ntos)'
Look for hooked SSDT functions:
ssdt | egrep -vi '(ntos|win32k) '
Malicious kernel callbacks and timers:
callbacks | grep UNKNOWN (same with timers)
Locate hidden thread-based kernel rootkits:
threads -F OrphanThread | grep StartAddress
Speed Enhancements
Find and set the kernel DTB:
psscan | grep System | awk '{print $5}'
0x00319000 (Now use --dtb=0x00319000)
Find and set the KDBG on XP-7 and 32-bit 8:
kdbgscan | grep Offset | grep V | uniq
Offset (V) : 0xf80002803070 (add to --kdbg)
Find and set the KDBG on 64-bit 8 and 2012:
kdbgscan --profile=[PROFILE] | grep KdCopyDataBlock
KdCopyDataBlock (V) : 0xf80281ff3ea0 (add to --kdbg)
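The HOSTS-file recipe under General Investigations and the three Speed Enhancements recipes above all copy a value out of one vol.py run (a file-object offset, the System process's PDB, a KDBG address) into the next by eye. The following is an added example, not code from the cheat sheet or from Volatility: Python that parses psscan, kdbgscan and filescan text output to extract those values and builds the follow-up command line. It assumes the Volatility 2.4 text layout of those plugins (psscan's PDB in column 5, filescan's path as the last column, kdbgscan's `****`-delimited candidate blocks); the sample outputs are constructed, not taken from a real image. One check the grep/uniq recipe lacks is included: when kdbgscan prints several candidates, the one that passes the owner-tag check and lists the most processes is chosen.

```python
import re

HEX = re.compile(r"0x[0-9a-fA-F]+")


def dtb_from_psscan(text):
    """DTB = the PDB column (5th) of the System process in psscan output."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[1] == "System" and HEX.fullmatch(cols[4]):
            return cols[4]
    return None


def kdbg_from_kdbgscan(text):
    """Choose the KDBG candidate from kdbgscan output.

    One '****'-delimited block is printed per candidate. Candidates failing
    the owner-tag check are skipped; among the rest the one listing the most
    processes wins. 'KdCopyDataBlock (V)' is returned when present (64-bit
    Windows 8/2012, encoded block), 'Offset (V)' otherwise, matching the two
    recipes above."""
    best = None
    for block in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                fields[key.strip()] = val.strip()
        if fields.get("KDBG owner tag check", "True") != "True":
            continue
        addr = fields.get("KdCopyDataBlock (V)") or fields.get("Offset (V)")
        if not addr:
            continue
        m = re.search(r"\((\d+) processes\)", fields.get("PsActiveProcessHead", ""))
        procs = int(m.group(1)) if m else 0
        if best is None or procs > best[1]:
            best = (addr.split()[0], procs)
    return best[0] if best else None


def filescan_offsets(text, name_regex):
    """[(physical offset, path)] for filescan rows whose path matches name_regex."""
    pat = re.compile(name_regex, re.I)
    hits = []
    for line in text.splitlines():
        cols = line.split(None, 4)
        if len(cols) == 5 and HEX.fullmatch(cols[0]) and pat.search(cols[4]):
            hits.append((cols[0], cols[4]))
    return hits


def vol_cmd(image, profile, plugin, *plugin_args, dtb=None, kdbg=None):
    """argv for a follow-up vol.py run, with --dtb/--kdbg added when known."""
    argv = ["vol.py", "-f", image, "--profile=" + profile]
    if dtb:
        argv.append("--dtb=" + dtb)
    if kdbg:
        argv.append("--kdbg=" + kdbg)
    return argv + [plugin] + list(plugin_args)


# Constructed sample outputs in the 2.4 text layout (not from a real image).
PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002029ab8 System                4      0 0x00319000 2012-01-01 12:00:00 UTC+0000
0x000000000203b020 explorer.exe       1624   1592 0x0a3c0240 2012-01-01 12:01:15 UTC+0000
"""
KDBGSCAN_OUT = """\
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP3x86 (5.1.0 32bit)
Offset (V)                    : 0x80545ae0
Offset (P)                    : 0x545ae0
KDBG owner tag check          : True
PsActiveProcessHead           : 0x805629d8 (63 processes)
PsLoadedModuleList            : 0x8055b1c0 (141 modules)
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80545ae0
Offset (P)                    : 0x545ae0
KDBG owner tag check          : True
PsActiveProcessHead           : 0x805629d8 (0 processes)
PsLoadedModuleList            : 0x8055b1c0 (0 modules)
"""
WIN8_KDBGSCAN_OUT = """\
**************************************************
Instantiating KDBG using: Kernel AS Win8SP0x64 (6.2.9200 64bit)
Offset (V)                    : 0xf80281f22a30
Offset (P)                    : 0x2122a30
KdCopyDataBlock (V)           : 0xf80281ff3ea0
KDBG owner tag check          : True
PsActiveProcessHead           : 0xf80282017080 (41 processes)
"""
FILESCAN_OUT = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e3c6080     14      0 R--r-d \\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\etc\\hosts
0x000000003e4d1af8      1      0 R--rwd \\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\etc\\hosts.ics
"""

if __name__ == "__main__":
    dtb, kdbg = dtb_from_psscan(PSSCAN_OUT), kdbg_from_kdbgscan(KDBGSCAN_OUT)
    for off, _path in filescan_offsets(FILESCAN_OUT, r"\\hosts$"):
        print(" ".join(vol_cmd("mem.raw", "WinXPSP3x86", "dumpfiles", "-Q", off,
                               "--name", "-D", ".", dtb=dtb, kdbg=kdbg)))
```

Passing the recovered `--dtb` and `--kdbg` to every later run skips the scans that make each plugin invocation start slowly; if `kdbg_from_kdbgscan` returns None, no candidate passed the owner-tag check and the profile guess should be revisited before trusting any other output.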
Volshell Scripting
Create a process ID lookup table:
by_pid = dict((p.UniqueProcessId, p) for p in getprocs())
parent_name = by_pid[PID].ImageFileName
Scan process memory and print a hex dump:
needles = ["abc123", "def456"]
for hit in proc().search_process_memory(needles):
    db(hit)
Extract a chunk of kernel memory to disk:
data = addrspace().zread(ADDR, SIZE)
with open("output.bin", "wb") as handle:
    handle.write(data)
Translate a kernel address and seek to it (raw dumps only):
echo "addrspace().vtop(0x98df09c8)" | volshell -f [MEMDUMP]
397989832
xxd -s 397989832 [MEMDUMP]
Kernel modules with embedded PE signatures:
signed = [mod for mod in getmods() if mod.sec_dir()]
Linux Commands
Processes Listings
Basic active process listing:
linux_pslist
List processes and threads:
linux_pidhashtable
Cross reference processes with various lists:
linux_psxview
Show processes in parent/child tree:
linux_pstree
Process Information
Specify -o/--offset=OFFSET or -p/--pid=1,2,3
Display shared libraries:
linux_library_list
List threads:
linux_threads
Show command line arguments:
linux_psaux
Display details on memory ranges:
linux_proc_maps
Dump allocations to individual files:
linux_dump_map
-D/--dump-dir=PATH
--vma=ADDR Range to dump
Display open handles:
linux_lsof
Display environment variables:
linux_psenv and linux_bash_env
ELF File Extraction
Specify -D/--dump-dir to any of these plugins to
identify your desired output directory.
Dump a kernel module:
linux_moddump
-r/--regex=REGEX Regex module name
-b/--base=BASE Module base address
Dump a process:
linux_procdump
Dump shared libraries in process memory:
linux_librarydump
-r/--regex=REGEX Regex module name
-b/--base=BASE Module base address
Injected Code
Specify -o/--offset=OFFSET or -p/--pid=1,2,3
Find and extract injected code blocks:
linux_malfind
Cross-reference shared libraries with memory-mapped files:
linux_ldrmodules
Check for process hollowing:
linux_process_hollow
-b/--base Base address of ELF file in memory
-P/--path Path of known good file on disk
Command History
Recover command history:
linux_bash
Recover executed binaries:
linux_bash_hash
Networking Information
Active info:
linux_netstat
Interface information:
linux_ifconfig
Raw sockets:
linux_list_raw
Routing cache:
linux_route_cache
-R/--resolve DNS resolve destination IPs
Netfilter entries:
linux_netfilter
ARP cache:
linux_arp
Kernel Memory
Display loaded kernel modules:
linux_lsmod
Check for system call hooks:
linux_check_syscall
Check for network stack hooks:
linux_check_afinfo
Check for credential copying:
linux_check_creds
Check for file operations hooking:
linux_check_fop
Check for inline kernel hooks:
linux_check_inline_kernel
Check for hidden modules:
linux_check_modules
linux_hidden_modules
Check for TTY hooks:
linux_check_tty
Check for malicious keyboard callbacks:
linux_keyboard_notifiers
Print the kernel debug buffer:
linux_dmesg
Audit the IDT:
linux_idt (x86 only)
Userland API Hooks
Scan for API hooks:
linux_apihooks
-a/--all Check hooked PLT entries
Scan for GOT/PLT hooks:
linux_plthook
-a/--all List all PLT entries
-i/--ignore Libraries to ignore in processing
Yara Scanning
Scan for Yara signatures:
linux_yarascan
-p/--pid=PID Process IDs to scan
-K/--kernel Scan kernel memory
-Y/--yara-rules=RULES String, regex, bytes, etc.
-y/--yara-file=FILE Yara rules file
-W/--wide Match Unicode strings
-s/--size Size of preview bytes
File System Resources
List mount points:
linux_mount
Enumerate files:
linux_enumerate_files
Extract cached files:
linux_find_file
-F/--find=FILE Path of file to find
-i/--inode=INODE Address of inode to dump
-L/--listfiles Lists files in cache
-O/--outputfile File path to write
Disk Encryption
Recover cached TrueCrypt passphrases:
linux_truecryptpassphrase
Strings
Translate extracted strings:
linux_strings
-s/--string-file=FILE Input strings.txt file
Mac OS X Commands
Processes Listings
Basic active process listing:
mac_pslist
List PID hash table:
mac_pid_hash_table
List tasks:
mac_tasks
Cross reference processes with various lists:
mac_psxview
Show processes in parent/child tree:
mac_pstree
Process Information
Specify -o/--offset=OFFSET or -p/--pid=1,2,3
Display shared libraries:
mac_dyld_maps
Show command line arguments:
mac_psaux
Display details on memory ranges:
mac_proc_maps
Dump allocations to individual files:
mac_dump_map
-D/--dump-dir=PATH
--map_address=ADDR
Display open handles:
mac_lsof
Display environment variables:
mac_psenv and mac_bash_env
Display login sessions:
mac_list_sessions
Mach-O File Extraction
Specify -D/--dump-dir to any of these plugins to
identify your desired output directory.
Dump a kernel module:
mac_moddump
-r/--regex=REGEX Regex module name
-b/--base=BASE Module base address
Dump a process:
mac_procdump
Dump shared libraries in process memory:
mac_librarydump
-b/--base=BASE Module base address
Injected Code
Specify -o/--offset=OFFSET or -p/--pid=1,2,3
Find and extract injected code blocks:
mac_malfind
Cross-reference shared libraries with memory-mapped files:
mac_ldrmodules
Command History
Recover command history:
mac_bash
Recover executed binaries:
mac_bash_hash
Networking Information
Active info:
mac_netstat
Active info from network stack:
mac_network_conns
Interface information:
mac_ifconfig
ARP cache:
mac_arp
Route table:
mac_route
Socket filters:
mac_socket_filters
IP filters:
mac_ip_filters
Kernel Memory
Display loaded kernel modules:
mac_lsmod
Check for kernel API hooks:
mac_apihooks_kernel
Check for system call hooks:
mac_check_syscalls
Check for shadow system call table:
mac_check_syscall_shadow
Check sysctl handlers:
mac_check_sysctl
Check the trap table:
mac_check_trap_table
Check the mig table:
mac_check_mig_table
Check for file operations hooking:
mac_check_fop
Check for inline kernel hooks:
mac_check_inline_kernel
Check for hidden modules:
mac_lsmod_iokit
mac_lsmod_kext_map
Check for TrustedBSD hooks:
mac_trustedbsd
Print the kernel debug buffer:
mac_dmesg
API Hooks
Scan for API hooks:
mac_apihooks
-R/--skip-kernel Don't check kernel modules
-P/--skip-process Don't check processes
-Q/--quick Scan faster
Check for process hollowing:
mac_process_hollow
-b/--base Base address of the binary in memory
-P/--path Path of known good file on disk
Scan for GOT/PLT hooks:
mac_plthook
-a/--all List all PLT entries
-i/--ignore Libraries to ignore in processing
Yara Scanning
Scan for Yara signatures:
mac_yarascan
-p/--pid=PID Process IDs to scan
-K/--kernel Scan kernel memory
-Y/--yara-rules=RULES String, regex, bytes, etc.
-y/--yara-file=FILE Yara rules file
-W/--wide Match Unicode strings
-s/--size Size of preview bytes
Disk Encryption
Recover possible Keychain keys:
mac_keychaindump
File System Resources
List mount points:
mac_mount
List cached files and their vnode addresses:
mac_list_files
Extract cached files:
mac_dump_file
-q/--file_offset Offset of vnode to dump
-O/--outputfile File path to write
Strings
Translate extracted strings:
mac_strings
-s/--string-file=FILE Input strings.txt file
User Activity
Recover Adium messages, including OTR chat:
mac_adium
Recover Calendar entries:
mac_calendar
Recover contacts:
mac_contacts