Volatility Commands


How to use Volatility_v2.

Doc: https://code.google.com/p/volatility/wiki/CommandReference#connections
volatility-2.3.1.standalone.exe imageinfo -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 hivescan -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 hivelist -f WIN7-20140525-181732.raw
Take the virtual address of \REGISTRY\MACHINE\SYSTEM from the hivelist output and pass it to printkey with -o:
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 -f WIN7-20140525-181732.raw printkey -o 0x8881a3c8
Note the "Last updated" timestamp in the printkey output; it is the last write time of the key.
To walk into a subkey, add -K with the key path:
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 -f WIN7-20140525-181732.raw printkey -o 0x8881a3c8 -K CurrentControlSet
To use hashdump, pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s, like this:
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 hashdump -f WIN7-20140525-181732.raw -y 0x8881a3c8 -s 0x88d048c8
Copy the result into a text file and use John the Ripper to crack the passwords (hashdump already prints pwdump format, user:rid:lmhash:nthash:::, which john reads directly).
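The steps above can be scripted. The following is an added example, not part of the original notes or of Volatility itself: it pulls the SYSTEM and SAM virtual addresses out of hivelist output, builds the hashdump command line, and turns hashdump output into a john-ready file while flagging accounts whose NT hash is the well-known empty-password value (so there is nothing to crack). The hivelist and hashdump text embedded below is constructed sample output in the Volatility 2.3 layout; only the two hive addresses match the ones quoted in the notes.

```python
"""Added example (not from the original notes): automate the hivelist ->
hashdump -> john workflow described above. All tool output here is
constructed sample data."""
import re

# Hashes of an empty password as printed by hashdump/pwdump-style tools.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample of `hivelist` output. The SYSTEM and SAM virtual
# addresses are the ones used in the notes above; the other rows are made up.
HIVELIST_OUTPUT = r"""Virtual    Physical   Name
---------- ---------- ----
0x8b61c9c8 0x2ea6f9c8 [no name]
0x8881a3c8 0x2b5a93c8 \REGISTRY\MACHINE\SYSTEM
0x88a5d008 0x2c1e2008 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x88d048c8 0x2c6b18c8 \SystemRoot\System32\Config\SAM
"""

# Constructed sample of `hashdump` output (pwdump format user:rid:lm:nt:::).
# The NT hashes other than Guest's are arbitrary hex, not real credentials.
HASHDUMP_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
analyst:1000:aad3b435b51404eeaad3b435b51404ee:c4f6aa0e1b4d5b3f9c2a7e8d1f0b6a3e:::
"""

HIVE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")


def find_hive_offsets(hivelist_text):
    """Return {"system": vaddr, "sam": vaddr} parsed from hivelist output.

    SYSTEM is matched by its exact registry path; SAM by a name ending in
    Config\\SAM, because the prefix differs between Windows versions.
    """
    found = {}
    for line in hivelist_text.splitlines():
        m = HIVE_LINE.match(line)
        if not m:
            continue
        virt, _phys, name = m.groups()
        upper = name.upper()
        if upper == r"\REGISTRY\MACHINE\SYSTEM":
            found["system"] = virt
        elif upper.endswith(r"\CONFIG\SAM"):
            found["sam"] = virt
    missing = {"system", "sam"} - set(found)
    if missing:
        raise ValueError("hive(s) not found in hivelist output: " + ", ".join(sorted(missing)))
    return found


def hashdump_command(image, profile, offsets, exe="volatility-2.3.1.standalone.exe"):
    """Build the hashdump invocation: SYSTEM hive via -y, SAM hive via -s."""
    return "%s --profile=%s hashdump -f %s -y %s -s %s" % (
        exe, profile, image, offsets["system"], offsets["sam"])


def parse_hashdump(text):
    """Parse pwdump-format lines; flag blank passwords and stored LM hashes."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        rows.append({
            "user": user,
            "rid": rid,
            "lm": lm,
            "nt": nt,
            "blank_password": nt == EMPTY_NT,  # NT hash of the empty string
            "lm_stored": lm != EMPTY_LM,       # real LM hash present: trivially crackable
        })
    return rows


def john_lines(rows):
    """pwdump lines for john, skipping blank-password accounts (nothing to crack)."""
    return ["%s:%d:%s:%s:::" % (r["user"], r["rid"], r["lm"], r["nt"])
            for r in rows if not r["blank_password"]]


if __name__ == "__main__":
    offsets = find_hive_offsets(HIVELIST_OUTPUT)
    print(hashdump_command("WIN7-20140525-181732.raw", "Win7SP1x86", offsets))
    rows = parse_hashdump(HASHDUMP_OUTPUT)
    for r in rows:
        if r["blank_password"]:
            print("blank password: %s (RID %d)" % (r["user"], r["rid"]))
    with open("hashes.txt", "w") as fh:
        fh.write("\n".join(john_lines(rows)) + "\n")
    print("wrote hashes.txt; run: john --format=NT hashes.txt")
```

Run it against the real hivelist and hashdump output by replacing the two sample strings with the saved tool output. The empty-hash constants are worth memorising: an LM field of aad3b435... means no LM hash is stored (the normal state on Windows 7), and an NT field of 31d6cfe0... means the account has a blank password.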
Redirect the output of the following commands to a text file for easier reading:
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 connections -f WIN7-20140525-181732.raw  (winxp and windows 2003 only; use netscan on Vista and later)
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 netscan -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 handles -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 getsids -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 pslist -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 pstree -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 psscan -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 dlllist -f WIN7-20140525-181732.raw

To display the DLLs for a specific process instead of all processes, use the -p or --pid filter like this:
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 dlllist -f WIN7-20140525-181732.raw --pid=400
dlldump
To extract a DLL from a process's memory space and dump it to disk for analysis, use the dlldump command. The syntax is nearly the same as shown for dlllist above. You can:
Dump all DLLs from all processes
Dump all DLLs from a specific process (with --pid=PID)
Dump all DLLs from a hidden/unlinked process (with --offset=OFFSET)
Dump a PE from anywhere in process memory (with --base=BASEADDR); this option is useful for extracting hidden DLLs
To specify an output directory, use --dump-dir=DIR or -d DIR. You can also supply a regular expression to dump a DLL with a particular pattern in its name.


To display the DLLs for a process that is hidden or unlinked by a rootkit, first use psscan to get the physical offset of the EPROCESS object and then
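The hidden-process case is where the --offset option earns its keep, and finding such a process is a cross-view check: pslist walks the kernel's linked list of processes, psscan carves EPROCESS objects out of physical memory, so a process present in psscan but absent from pslist is either unlinked or simply terminated. The following is an added example, not part of the original notes or of Volatility: it diffs constructed sample pslist and psscan output by PID, discards psscan-only entries that carry a "Time exited" value (those are dead, not hidden), and builds the dlldump command that passes the psscan physical offset via --offset. All process names, PIDs, offsets and timestamps below are made up.

```python
"""Added example (not from the original notes): pslist vs psscan cross-view
diff to find an unlinked process, then the dlldump --offset command for it.
The pslist/psscan text is constructed sample output in the Volatility 2.3
column layout."""
import re

# Volatility prints timestamps as "YYYY-MM-DD HH:MM:SS UTC+0000".
TIMESTAMP = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+")

# Constructed `pslist` output: the linked-list view (virtual offsets).
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ --------
0x84170020 System                    4      0     78      511 ------      0 2014-05-25 18:10:00 UTC+0000
0x850b2030 explorer.exe           1432   1400     28      882      1      0 2014-05-25 18:12:13 UTC+0000
0x85c11d40 cmd.exe                2204   1432      1       21      1      0 2014-05-25 18:15:02 UTC+0000
"""

# Constructed `psscan` output: the pool-scan view (physical offsets).
# notepad.exe has a "Time exited" value, so it is terminated, not hidden;
# svch0st.exe (note the zero) is missing from pslist and still running.
PSSCAN_OUTPUT = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x3e170020 System               4      0 0x00185000 2014-05-25 18:10:00 UTC+0000
0x3e0b2030 explorer.exe      1432   1400 0x3e4c8340 2014-05-25 18:12:13 UTC+0000
0x3ec11d40 cmd.exe           2204   1432 0x3e5a0200 2014-05-25 18:15:02 UTC+0000
0x3e9f1b80 notepad.exe       2316   1432 0x3e6c1100 2014-05-25 18:15:40 UTC+0000 2014-05-25 18:16:05 UTC+0000
0x3ea04d40 svch0st.exe       2400    620 0x3e7d2340 2014-05-25 18:17:11 UTC+0000
"""


def parse_proc_table(text):
    """Parse pslist or psscan rows into dicts with offset, name, pid, exited.

    Both plugins put offset, name and PID in the first three columns; a row
    with two timestamps has an exit time as well as a start time.
    """
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("0x") or not parts[2].isdigit():
            continue  # header, separator, or blank line
        procs.append({
            "offset": parts[0],
            "name": parts[1],
            "pid": int(parts[2]),
            "exited": len(TIMESTAMP.findall(line)) >= 2,
        })
    return procs


def find_hidden_processes(pslist_text, psscan_text):
    """Return psscan entries whose PID is absent from pslist and that have not exited."""
    listed = {p["pid"] for p in parse_proc_table(pslist_text)}
    hidden = []
    for p in parse_proc_table(psscan_text):
        if p["pid"] in listed or p["exited"]:
            continue
        hidden.append(p)
    return hidden


def dlldump_command(image, profile, proc, dump_dir, exe="volatility-2.3.1.standalone.exe"):
    """dlldump for an unlinked process: --offset takes the psscan physical offset."""
    return "%s --profile=%s dlldump -f %s --offset=%s --dump-dir=%s" % (
        exe, profile, image, proc["offset"], dump_dir)


if __name__ == "__main__":
    for proc in find_hidden_processes(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print("hidden: %s pid=%d eprocess(P)=%s" % (proc["name"], proc["pid"], proc["offset"]))
        print(dlldump_command("WIN7-20140525-181732.raw", "Win7SP1x86", proc, "dlls"))
```

Matching on PID alone is a deliberate simplification: it is enough to catch a classic DKOM unlink, but a psscan-only entry should still be treated as a lead and confirmed with other views (pstree, handles, threads) before concluding a rootkit is present, since pool scanning can also surface stale objects that happen to lack an exit time.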
