Ok I’m still awake, so I figured that sharing some basic Volatility Syntax as the next post would be worthwhile.
Memory forensics is a valuable way to acquire more evidence from the system. The sooner the acquisition occurs, the better. I made the analogy today that forensic residue is like writing your name in the sand, and as the system is used, it is just like waves washing over your name in the sand, gradually washing away any trace that your name was ever there.
Some more advanced forensicators may be able to debate this further; however, I think the analogy works. The main message here is to acquire your evidence as early as possible after an intrusion is discovered. Don’t forget, you can also use Volatility to convert hibernation files for extra evidence points 🙂
volatility -f memdump.mem imageinfo
(Copy the “suggested profiles” value.)
volatility -f memdump.mem --profile=Win10x64_14393
#Use the -h switch to see available commands. Alternatively you can check here: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
volatility -f memdump.mem --profile=Win10x64_14393 -h (-h displays help).
#pslist (at the end of the line) is being invoked on our memdump.mem image. As the name suggests, it lists processes.
volatility -f memdump.mem --profile=Win10x64_14393 pslist
(Check running processes within the memory image)
#The difference between pslist (above) and psscan is that psscan can also show hidden and unlinked processes, because it scans memory for process structures instead of walking the linked list that pslist relies on. This plugin is more commonly used when hunting for rootkits.
volatility -f memdump.mem --profile=Win10x64_14393 psscan
#Tip that I picked up from a YouTube video; when hunting for malware/suspicious activity: svchost.exe should always have services.exe as its parent, and its command line should carry a -k switch.
volatility -f memdump.mem --profile=Win10x64_14393 pstree
#(This shows the parent hierarchy. First look up the Process ID (PID) of the process that should be the parent, and ensure that the processes we are looking at have a PPID that matches it.)
volatility -f memdump.mem --profile=Win10x64_14393 procdump -p 3960 --dump-dir=./
# procdump stands for process dump. Use the -p switch followed by the process ID (3960 in the example above), then --dump-dir followed by the directory you want to dump the process to; that particular process will be written to the file system. This can take seconds or minutes. If in doubt, go make a coffee. Or have a hot dog/soda (like the old Red Hat installer used to suggest ;D )
volatility -f memdump.mem --profile=Win10x64_14393 memdump -p 3960 --dump-dir=./
#(Dumps what is in memory for a particular process)
volatility -f memdump.mem --profile=Win10x64_14393 dumpfiles --dump-dir=./
#(Dumps all files cached in memory)
volatility -f memdump.mem --profile=Win10x64_14393 modscan
#(Can take a while to run, but it is used to find evil.)
volatility -f memdump.mem --profile=Win10x64_14393 netscan
#(This shows the classic netstat view of network connections!)
#hivelist, hivedump, hivescan and userassist can all be used for registry forensics.
#imagecopy takes an existing address space and writes it out as a raw memory image. Use this to convert a hibernation file into a memory image for investigation.
#timeliner extracts artifacts and builds them into a timeline. This is invaluable, as it really helps with investigations.
#Run malfind, then extract the processes it reports as suspicious using procdump. Any files it produces could be malware and deserve further analysis.
In my haste to get content happening for the blog, I have not sanity checked the content. Hopefully it is fine, but let me know if not. Good luck using volatility!
Finally, these are the key modules that you will be able to get some quick wins with. Where I’ve listed XXXX, replace XXXX with the process ID you’re analysing. You can get the process ID from running pslist first.
Key Modules to run:
pslist
psscan
pstree
modscan
netscan
hivelist
hivedump
hivescan
userassist
procdump – must use with -p XXXX --dump-dir=./
memdump – must use with -p XXXX --dump-dir=./
dumpfiles – must use with --dump-dir=./
imagecopy (used for converting hibernation files)
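As an added example (not code from the original post or from the Volatility project), here is a small Python helper that ties the steps above together: it pulls the first "Suggested Profile(s)" entry out of imageinfo output, expands the key-modules list into ready-to-run command lines with the XXXX placeholder filled in, and applies the parent-process tip from the pstree section (svchost.exe must be a child of services.exe) to pslist output. The imageinfo and pslist text embedded below is constructed sample data in the Volatility 2 output layout; the two extra parent rules in EXPECTED_PARENT (services.exe and lsass.exe under wininit.exe) are assumptions for Windows Vista and later that the post itself does not state.

```python
"""Added helper around Volatility 2 text output (not from the original post)."""
import re
import shlex

# Constructed sample of `volatility -f memdump.mem imageinfo` output.
IMAGEINFO_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win10x64_14393, Win10x64_10586, Win10x64 (Instantiated with Win10x64_14393)
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
"""

# Constructed sample of pslist output: PID 3960 is an svchost.exe whose
# parent is explorer.exe, the kind of anomaly the post says to look for.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe00001b1f040 System                    4      0    107        0 ------      0 2018-02-10 09:00:01 UTC+0000
0xffffe00002a5b080 wininit.exe             452    372      1       80      0      0 2018-02-10 09:00:03 UTC+0000
0xffffe00002b1c080 services.exe            560    452      5      230      0      0 2018-02-10 09:00:04 UTC+0000
0xffffe00002b3d080 lsass.exe               572    452      8      600      0      0 2018-02-10 09:00:04 UTC+0000
0xffffe00002c0e080 svchost.exe             708    560     12      450      0      0 2018-02-10 09:00:05 UTC+0000
0xffffe00002d7f080 explorer.exe           2244   2200     40     1200      1      0 2018-02-10 09:01:10 UTC+0000
0xffffe00003e90080 svchost.exe            3960   2244      3       60      1      0 2018-02-10 10:15:42 UTC+0000
"""

# Parent each process should have on a normal Windows box (assumed: Vista and later).
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",   # the rule from the post
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
}


def suggested_profiles(imageinfo_text):
    """Return the 'Suggested Profile(s)' list; the first entry is the best guess."""
    match = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_text)
    if not match:
        return []
    value = re.sub(r"\(.*?\)", "", match.group(1))  # drop "(Instantiated with ...)"
    return [p.strip() for p in value.split(",") if p.strip()]


def build_command(image, profile, plugin, *extra):
    """Assemble one Volatility 2 command line with shell-safe quoting."""
    args = ["volatility", "-f", image, "--profile=" + profile, plugin, *extra]
    return " ".join(shlex.quote(a) for a in args)


def triage_commands(image, profile, pid, dump_dir="./"):
    """The post's key-modules list expanded into runnable command lines."""
    cmds = [build_command(image, profile, p) for p in
            ("pslist", "psscan", "pstree", "modscan", "netscan",
             "hivelist", "hivescan", "userassist", "timeliner", "malfind")]
    cmds.append(build_command(image, profile, "procdump", "-p", str(pid), "--dump-dir=" + dump_dir))
    cmds.append(build_command(image, profile, "memdump", "-p", str(pid), "--dump-dir=" + dump_dir))
    cmds.append(build_command(image, profile, "dumpfiles", "--dump-dir=" + dump_dir))
    return cmds


def parse_pslist(pslist_text):
    """Map PID -> {name, ppid} from pslist (or psscan) table rows."""
    procs = {}
    for line in pslist_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue  # header, separator or blank line
        procs[int(parts[2])] = {"name": parts[1], "ppid": int(parts[3])}
    return procs


def find_parent_anomalies(procs):
    """Flag processes whose parent does not match EXPECTED_PARENT.

    Each finding is (pid, name, ppid, actual_parent_name_or_None, expected_parent).
    A None parent means the PPID is absent from the listing: the parent has
    exited or is hidden, which is a reason to re-check with psscan.
    """
    findings = []
    for pid, proc in sorted(procs.items()):
        expected = EXPECTED_PARENT.get(proc["name"].lower())
        if expected is None:
            continue
        parent = procs.get(proc["ppid"])
        actual = parent["name"] if parent else None
        if actual is None or actual.lower() != expected:
            findings.append((pid, proc["name"], proc["ppid"], actual, expected))
    return findings


if __name__ == "__main__":
    profile = suggested_profiles(IMAGEINFO_OUTPUT)[0]
    print("Profile:", profile)
    for cmd in triage_commands("memdump.mem", profile, 3960):
        print(cmd)
    for pid, name, ppid, actual, expected in find_parent_anomalies(parse_pslist(PSLIST_OUTPUT)):
        print(f"SUSPICIOUS: {name} (PID {pid}) parent PID {ppid} is {actual}, expected {expected}")
```

The triage list leaves out hivedump and imagecopy on purpose, since both need an extra argument (a hive offset, or an output file) rather than just the profile and dump directory. parse_pslist only relies on the first four columns, so the same parser works on psscan rows; running the check on both listings and comparing the results is one cheap way to spot processes that appear in one but not the other.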