Memory Forensics

Uploaded by

raisulb

0% found this document useful (0 votes)

1 views2 pages

Copyright

Available Formats

DOCX, PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as DOCX, PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as docx, pdf, or txt

0% found this document useful (0 votes)

1 views2 pages

Memory Forensics

Uploaded by

raisulb

Copyright:

Available Formats

Download as DOCX, PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as docx, pdf, or txt

Jump to Page

You are on page 1of 2

Search inside document

Memory Forensics

Memory forensics is the practice of analyzing a computer's memory dump to investigate and extract
information related to cyber incidents, such as malware, unauthorized access, or data breaches. It
involves capturing volatile data from a system's RAM to uncover evidence that may not be present
on the disk.

Volatility is an open-source memory forensics framework used to analyze and extract digital artifacts
from memory dumps of various operating systems. It provides tools to investigate malicious activity,
system state, and other relevant information by examining the volatile memory of a computer.

Step-by-step process for performing memory forensics using Volatility:

Step 1: Prepare Your Environment

1. Install Volatility
2. Acquire a Memory Dump using tools like 'procdump', 'DumpIt', 'FTK Imager', or 'WinPMEM'.

Step 2: Identify the Profile

1. Run ImageInfo: vol.py -f memory.dmp imageinfo

Step 3: Analyze the Memory Dump

1. List Processes: vol.py -f memory.dmp --profile=Win7SP1x64 pslist
2. Analyze Process Tree: vol.py -f memory.dmp --profile=Win7SP1x64 pstree
3. Check DLLs Loaded by a Process: vol.py -f memory.dmp --profile=Win7SP1x64 dlllist -p <PID>
4. List Open Handles: vol.py -f memory.dmp --profile=Win7SP1x64 handles -p <PID>
5. Check Network Connections: vol.py -f memory.dmp --profile=Win7SP1x64 netscan
6. Scan for Malicious Code: vol.py -f memory.dmp --profile=Win7SP1x64 malfind
7. Find File Objects in Physical Memory: vol.py -f memory.dmp --profile=Win7SP1x64 filescan
8. CreCreate a CSV Timeline of Events: vol.py -f memory.dmp --profile=Win7SP1x64 timeliner --
output-file=timeline.csv

Step 4: Extract and Analyze Specific Artifacts

1. Dump Process Memory: vol.py -f memory.dmp --profile=Win7SP1x64 procdump -p <PID> -D
/output/
2. List Registry Hives: vol.py -f memory.dmp --profile=Win7SP1x64 hivelist
3. Extract Registry Keys: vol.py -f memory.dmp --profile=Win7SP1x64 printkey -K "Software\
Microsoft\Windows\CurrentVersion\Run"
4. Command History: vol.py -f memory.dmp --profile=Win7SP1x64 cmdscan

Step 5: Report Findings

1. Document Analysis
2. Create a Timeline
3. Generate a Report
BlackPerl DFIR

Comparing commands from Vol2 > Vol3

https://lnkd.in/eu23YBMV

Command Reference
https://lnkd.in/eCrXWbqB

5 6087116402542512855
Document6 pages
5 6087116402542512855
Student Hulu
100% (1)
CF Lecture 07-Memory Forensics
Document54 pages
CF Lecture 07-Memory Forensics
Faisal Shahzad
100% (1)
Static Malware Analysis Techniques
Document15 pages
Static Malware Analysis Techniques
vibhi
No ratings yet
Experiment-2 Digital Forensics AIM-Capture The Memory of Any OS System and Try To Analyse .Mem File On Kali Using Volatility Tool DATE: 06-02-2021
Document21 pages
Experiment-2 Digital Forensics AIM-Capture The Memory of Any OS System and Try To Analyse .Mem File On Kali Using Volatility Tool DATE: 06-02-2021
TANISHA PATHAK
No ratings yet
Study On Forensic Analysis of Physical Memory: Liming Cai, Jing Sha, Wei Qian
Document4 pages
Study On Forensic Analysis of Physical Memory: Liming Cai, Jing Sha, Wei Qian
kamelancien
No ratings yet
Yash Darole DF 5
Document7 pages
Yash Darole DF 5
05. Yash Darole
No ratings yet
Unit-Ii CF
Document13 pages
Unit-Ii CF
manognaharikishan
No ratings yet
ThickClient Methdology
Document1 page
ThickClient Methdology
aditya
No ratings yet
Memory Forensics Cheat Sheet v1
Document2 pages
Memory Forensics Cheat Sheet v1
adam593
No ratings yet
Memory Fornesics Notes
Document28 pages
Memory Fornesics Notes
Shafeeque Olassery Kunnikkal
No ratings yet
FOR508HANDOUT - MemForensCheat Sheetv2 - E02 - 03
Document2 pages
FOR508HANDOUT - MemForensCheat Sheetv2 - E02 - 03
Jonas
No ratings yet
Certainly
Document9 pages
Certainly
syedadeen18
No ratings yet
Incident Response Methodology - Windows Intrusion Detection
Document4 pages
Incident Response Methodology - Windows Intrusion Detection
Nome Sobrenome
No ratings yet
Incident Response Methodology - Linux - Unix Intrusion Detection
Document4 pages
Incident Response Methodology - Linux - Unix Intrusion Detection
Nome Sobrenome
No ratings yet
SANS
Document2 pages
SANS
Sandro Melo
No ratings yet
Digital Forensics
Document4 pages
Digital Forensics
Aashirwad Verma
No ratings yet
Eroraha Memory Forensics
Document24 pages
Eroraha Memory Forensics
Adriana Hernandez
No ratings yet
Computer Forensics Process For Beginners
Document8 pages
Computer Forensics Process For Beginners
Sachin Jung Karki
No ratings yet
File Carving Artifacts Extraction and Deleted Data Recovery
Document2 pages
File Carving Artifacts Extraction and Deleted Data Recovery
Siddhesh Karekar
No ratings yet
Solving Computer Forensic Case Using Autopsy: Scenario
Document26 pages
Solving Computer Forensic Case Using Autopsy: Scenario
Gaby Cortez
No ratings yet
IRM 7 Windows Malware Detection
Document2 pages
IRM 7 Windows Malware Detection
bogne
No ratings yet
Memory Dump ICS Lab.
Document21 pages
Memory Dump ICS Lab.
ricksant2003
No ratings yet
CF Practicals PDF
Document117 pages
CF Practicals PDF
Nikhil Amodkar
No ratings yet
Windows - Forensics Building Lab and Essential Investigation
Document238 pages
Windows - Forensics Building Lab and Essential Investigation
nicolasv
No ratings yet
Lab 18-19: Memory Dump Tool (Moonsols Windows Memory Toolkit) Memory Analysis Tool (Volatility Framework)
Document14 pages
Lab 18-19: Memory Dump Tool (Moonsols Windows Memory Toolkit) Memory Analysis Tool (Volatility Framework)
THUẬN NGUYỄN MINH
No ratings yet
MEGO Writeup
Document5 pages
MEGO Writeup
Toby Mac
No ratings yet
Detect Malware W Memory Forensics
Document27 pages
Detect Malware W Memory Forensics
محيي الباز
No ratings yet
Windows Forensics
Document68 pages
Windows Forensics
Amira
No ratings yet
More Windows Artifacts
Document6 pages
More Windows Artifacts
Nicasio Aquino
100% (1)
CS Lab 2
Document10 pages
CS Lab 2
Vicky Vickneshwari
No ratings yet
Event Logs Management: Anthony Lai Founder & Editor Infosec Hong Kong
Document33 pages
Event Logs Management: Anthony Lai Founder & Editor Infosec Hong Kong
api-27294532
No ratings yet
Home Task 1
Document3 pages
Home Task 1
f21bscs008
No ratings yet
Samim-DFMA Lab Workbook
Document48 pages
Samim-DFMA Lab Workbook
Garvit Hooda
No ratings yet
Active Directory Exploitation Cheat Sheet: Share
Document14 pages
Active Directory Exploitation Cheat Sheet: Share
Sokoine Hamad Denis
No ratings yet
Ethical Hacking Project Work
Document16 pages
Ethical Hacking Project Work
ravi teja
No ratings yet
Malware Analysis
Document21 pages
Malware Analysis
Ayush rawal
100% (1)
Project - Instructions
Document2 pages
Project - Instructions
chunkymonkey323
No ratings yet
Hunting For Credentials Dumping in Windows Environment
Document61 pages
Hunting For Credentials Dumping in Windows Environment
zdravko
No ratings yet
Sysmon Documentation
Document7 pages
Sysmon Documentation
benoit.ponjee
No ratings yet
04-OS and Multimedia Forensics
Document189 pages
04-OS and Multimedia Forensics
Mohammed Lajam
100% (1)
Malware Analysis
Document15 pages
Malware Analysis
Josue Ouattara
No ratings yet
Netcat by Knight Crawler
Document9 pages
Netcat by Knight Crawler
qwerty9020
No ratings yet
Lec 3 Digial Forensic
Document19 pages
Lec 3 Digial Forensic
princess.mirna2003
No ratings yet
CHFI Crash Study Guide
Document9 pages
CHFI Crash Study Guide
cyber forensic
No ratings yet
Sec535 PR PDF
Document23 pages
Sec535 PR PDF
FREDDY ALLAN PALACIOS GONZÁLEZ
No ratings yet
Computer Forensics Projects
Document4 pages
Computer Forensics Projects
zaid khattak
No ratings yet
LIVEdataWIN UNIX
Document51 pages
LIVEdataWIN UNIX
Chirayu Aggarwal
No ratings yet
27.2.10 Lab - Extract An Executable From A PCAP-1 - Tecson
Document6 pages
27.2.10 Lab - Extract An Executable From A PCAP-1 - Tecson
elijahjoshtecson
No ratings yet
Helix Version 3
Document14 pages
Helix Version 3
Divik Shrivastava
No ratings yet
Digital Forensic Analysis Lab Exercise
Document3 pages
Digital Forensic Analysis Lab Exercise
alshdadyfhmy398
100% (1)
Chmod666 NIM Cheat Sheet
Document2 pages
Chmod666 NIM Cheat Sheet
Hemant
No ratings yet
Helix Tool Use Case
Document32 pages
Helix Tool Use Case
Santosh kumar behera
No ratings yet
List of Window Artifacts
Document19 pages
List of Window Artifacts
anasonadi234
No ratings yet
Trace Log 20220301091122
Document10 pages
Trace Log 20220301091122
FRANSISKUS JIMMY
No ratings yet
Forensics - Lab 6
Document4 pages
Forensics - Lab 6
ManuelGonzalezAnido
No ratings yet
Sys Mon Internals
Document46 pages
Sys Mon Internals
שוקולד וסוכר ומלח שוקולד סוכר
No ratings yet
HTB Sherlock Logjammer
Document22 pages
HTB Sherlock Logjammer
lolkek0001
No ratings yet
Footprinting, Reconnaissance, Scanning and Enumeration Techniques of Computer Networks
From Everand
Footprinting, Reconnaissance, Scanning and Enumeration Techniques of Computer Networks
Dr. Hidaia Mahmood Alassouli
No ratings yet
Applied Incident Response
From Everand
Applied Incident Response
Steve Anson
No ratings yet
Computer Forensics JumpStart
From Everand
Computer Forensics JumpStart
Michael G. Solomon
Rating: 3.5 out of 5 stars
3.5/5 (2)