Volatility Final

The document provides a step-by-step guide for RAM analysis using Volatility, including commands to extract architecture details, process information, and network connections from a memory dump. It also outlines methods to identify suspicious processes and registry keys, as well as how to extract and dump specific files like browser history. Additionally, it includes instructions for extracting memory dumps from compressed files and using strings to find specific data within the memory image.

Uploaded by junaid70x

1. Find out the architecture, OS build and other image details

python .\vol.py -f .\test.mem windows.info

2. List processes with PID, PPID, thread and handle counts

python .\vol.py -f .\test.mem windows.pslist | more

3. Find the processes related to Chrome

python .\vol.py -f .\test.mem windows.pslist | Select-String chrome

4. List the file handles of the Chrome process (PID 1328 in this image)

python .\vol.py -f .\test.mem windows.handles --pid 1328

5. Keep only the File handles

python .\vol.py -f .\test.mem windows.handles --pid 1328 | Select-String File | more

6. Search for the History file among them

python .\vol.py -f .\test.mem windows.handles --pid 1328 | Select-String File | Select-String History | more

7. Dump the History file. The --virtaddr value is the Offset column of the matching handles row (the address of the FILE_OBJECT), not the HandleValue:

python .\vol.py -f .\test.mem --output-dir dump windows.dumpfiles --pid 1328 --virtaddr 0xbf0f6abe9740

Open the dumped file from the dump directory in HxD to inspect its contents. Chrome's History is a SQLite database, so a complete dump begins with the ASCII header "SQLite format 3".
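Steps 4 to 7 above are done by eye. The following Python script is an added example, not part of the original cheat sheet: it reads the tab-separated text that vol.py prints for windows.handles, keeps the File handles whose name matches a pattern, and builds the matching windows.dumpfiles command using the Offset column as --virtaddr. The handles output it works on is constructed here (only the 0xbf0f6abe9740 address is taken from step 7), so it runs offline; feed it the real plugin output instead.

```python
import re

# Constructed stand-in for `windows.handles --pid 1328` output in Volatility 3's
# default tab-separated CLI format. Only the History offset (0xbf0f6abe9740)
# comes from the cheat sheet; the other rows are made up for this example.
SAMPLE_HANDLES = "\n".join([
    "Volatility 3 Framework 2.5.0",
    "Progress:  100.00\t\tPDB scanning finished",
    "PID\tProcess\tOffset\tHandleValue\tType\tGrantedAccess\tName",
    "1328\tchrome.exe\t0xbf0f6abe9740\t0x4a8\tFile\t0x120089\t"
    + r"\Device\HarddiskVolume3\Users\John Doe\AppData\Local\Google\Chrome\User Data\Default\History",
    "1328\tchrome.exe\t0xbf0f6abf1230\t0x4b0\tFile\t0x100020\t"
    + r"\Device\HarddiskVolume3\Windows\System32",
    "1328\tchrome.exe\t0xbf0f6ac02010\t0x4b4\tKey\t0x20019\t"
    + r"MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION",
    "1328\tchrome.exe\t0xbf0f6ac0a5d0\t0x4c0\tFile\t0x120089\t"
    + r"\Device\HarddiskVolume3\Users\John Doe\AppData\Local\Google\Chrome\User Data\Default\History-journal",
])


def file_handles(handles_output, name_pattern):
    """Return [(pid, offset, name)] for File handles whose name matches the regex."""
    pat = re.compile(name_pattern, re.IGNORECASE)
    hits = []
    for line in handles_output.splitlines():
        # Split on tabs, not on whitespace: the Name column contains spaces
        # ("John Doe", "User Data") and must stay in one piece.
        cols = line.split("\t")
        if len(cols) != 7 or not cols[0].isdigit():
            continue  # banner, progress or header line
        pid, _proc, offset, _handle, htype, _access, name = cols
        if htype == "File" and pat.search(name):
            hits.append((int(pid), offset, name))
    return hits


def dumpfiles_command(image, out_dir, pid, virtaddr, vol="python .\\vol.py"):
    """Build the windows.dumpfiles invocation for one FILE_OBJECT address.

    The Offset column of windows.handles is the address of the _FILE_OBJECT,
    which is what --virtaddr expects; the HandleValue is not usable here.
    """
    return (f"{vol} -f {image} -o {out_dir} windows.dumpfiles "
            f"--pid {pid} --virtaddr {virtaddr}")


if __name__ == "__main__":
    # Anchor the pattern on the trailing path component so that
    # History-journal is not picked up by accident.
    for pid, offset, name in file_handles(SAMPLE_HANDLES, r"\\History$"):
        print(name)
        print(dumpfiles_command(r".\test.mem", "dump", pid, offset))
```

Pipe the real output in with `python .\vol.py -f .\test.mem windows.handles --pid 1328 > handles.txt` and pass the file contents to file_handles(); matching on the full Name column rather than a bare Select-String avoids picking up History-journal and similar neighbours.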

8. Command lines of all processes (shows renamed binaries and odd arguments)

python .\vol.py -f .\test.mem windows.cmdline

9. Network connections

python .\vol.py -f .\test.mem windows.netstat

10. Network connections owned by Chrome processes

python .\vol.py -f .\test.mem windows.netstat | Select-String chrome

11. Look for new or unknown local accounts. In the SAM hive the account names are subkeys of Users\Names; the Users key itself only lists RID-numbered subkeys, so filter on the Names listing:

python .\vol.py -f .\test.mem windows.registry.printkey --key "SAM\Domains\Account\Users\Names" | Select-String john

12. List the registry hives found in memory

python .\vol.py -f .\test.mem windows.registry.hivelist

13. Programs the users launched through the shell (UserAssist)

python .\vol.py -f .\test.mem windows.registry.userassist

14. Hive of a particular user (the filter matches against the hive path, e.g. the profile folder name)

python .\vol.py -f .\test.mem windows.registry.hivelist --filter John
=======================================================================

Step-by-Step Guide for RAM (Memory) Analysis of MemLabs-Lab1.7z


Step 1: Extract the Memory Dump

1. If the file is compressed (.7z), extract it with:
7z x MemLabs-Lab1.7z

2. Identify the extracted memory dump file (e.g., memdump.raw, memdump.vmem).

Step 2: List Running Processes

1. Check the active processes in memory:
volatility3 -f memdump.raw windows.pslist

2. Look for suspicious processes (e.g., unusual or look-alike names, core processes with the wrong parent).

Step 3: Detect Hidden or Terminated Processes

1. Scan for process blocks instead of walking the active list:
volatility3 -f memdump.raw windows.psscan

2. Compare it with the pslist output. psscan carves EPROCESS structures from memory, so it also returns processes that have exited but whose memory has not been reused (ExitTime set); a process that psscan finds with no ExitTime and that pslist does not show has been unlinked from the active list, which is a classic malware hiding technique.
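The pslist/psscan comparison above is done by eye; the script below is an added example, not part of the original guide, that does it programmatically. It keys both listings by EPROCESS offset rather than PID (PIDs are reused), reports carved blocks that pslist never walked to, separates exited processes (ExitTime set) from genuinely unlinked ones, and checks the parent of the core Windows processes plus look-alike names. Both listings are constructed here in Volatility 3's tab-separated CLI layout so it runs offline; the expected-parent table is an assumption that reflects a default Windows 10 boot chain.

```python
import difflib
from dataclasses import dataclass

# Parent each core Windows process should have (lower-case names).
# Assumption for this example: a default Windows 10 boot chain.
EXPECTED_PARENT = {
    "smss.exe": "system", "csrss.exe": "smss.exe", "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe", "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def _row(pid, ppid, name, offset, exit_time="N/A"):
    """One constructed pslist/psscan row in vol3's tab-separated CLI layout."""
    return "\t".join([str(pid), str(ppid), name, offset, "4", "-", "0", "False",
                      "2024-01-10 09:00:01.000000", exit_time, "Disabled"])


# Constructed windows.pslist output (made up for this example).
PSLIST = "\n".join([
    "Volatility 3 Framework 2.5.0",
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output",
    _row(4, 0, "System", "0xc10e9a072040"),
    _row(368, 4, "smss.exe", "0xc10e9c5c8080"),
    _row(456, 444, "csrss.exe", "0xc10e9d0a4080"),      # parent is the session smss, already gone
    _row(532, 444, "wininit.exe", "0xc10e9d0c7080"),
    _row(656, 532, "services.exe", "0xc10e9d1f5080"),
    _row(912, 656, "svchost.exe", "0xc10e9d3a1300"),
    _row(2316, 2288, "explorer.exe", "0xc10e9e0e2080"),
    _row(4120, 2316, "svchost.exe", "0xc10e9e7b9080"),  # svchost under explorer
    _row(4388, 2316, "svch0st.exe", "0xc10e9e8cc080"),  # look-alike name
])

# Constructed windows.psscan output: the same blocks plus two pslist does not show.
PSSCAN = "\n".join([
    PSLIST,
    _row(5544, 2316, "updater.exe", "0xc10e9ea11080"),  # unlinked, no exit time
    _row(3900, 2316, "notepad.exe", "0xc10e9e9f0080",
         exit_time="2024-01-10 09:41:12.000000"),       # exited, block not yet reused
])


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    offset: str
    exit_time: str


def parse_procs(output):
    """Map EPROCESS offset -> Proc. Keyed by offset, not PID, because PIDs get reused."""
    procs = {}
    for line in output.splitlines():
        cols = line.split("\t")
        if len(cols) < 11 or not cols[0].isdigit():
            continue  # banner or header line
        procs[cols[3]] = Proc(int(cols[0]), int(cols[1]), cols[2], cols[3], cols[9])
    return procs


def triage(pslist_output, psscan_output):
    """Return human-readable findings from comparing psscan against pslist."""
    listed = parse_procs(pslist_output)
    scanned = parse_procs(psscan_output)
    by_pid = {p.pid: p for p in listed.values()}
    findings = []
    # 1. Blocks psscan carved but pslist did not walk to. No ExitTime means the
    #    process was alive yet unlinked from the active list: classic hiding.
    for offset, p in scanned.items():
        if offset in listed:
            continue
        kind = "terminated" if p.exit_time != "N/A" else "HIDDEN"
        findings.append(f"{kind}: {p.name} pid={p.pid} ppid={p.ppid} at {offset}")
    # 2. Name and parent sanity for the processes pslist does show.
    for p in listed.values():
        name = p.name.lower()
        if name == "system":
            continue
        want = EXPECTED_PARENT.get(name)
        if want is None:
            near = difflib.get_close_matches(name, list(EXPECTED_PARENT), n=1, cutoff=0.85)
            if near:
                findings.append(f"LOOKALIKE: {p.name} pid={p.pid} resembles {near[0]}")
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            findings.append(f"info: {p.name} pid={p.pid} parent pid={p.ppid} is not in pslist")
        elif parent.name.lower() != want:
            findings.append(f"SUSPICIOUS parent: {p.name} pid={p.pid} spawned by "
                            f"{parent.name} pid={parent.pid}, expected {want}")
    return findings


if __name__ == "__main__":
    for line in triage(PSLIST, PSSCAN):
        print(line)
```

Redirect the real plugin output into files (`volatility3 -f memdump.raw windows.pslist > pslist.txt`, likewise for psscan) and pass their contents to triage(). A missing parent is only reported as "info": csrss.exe and wininit.exe are normally started by a second smss.exe instance that exits immediately, so their PPID pointing at nothing is expected on a healthy system.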

====================================================================
Extract Suspicious Registry Keys

1. List the registry hives in memory (the hive offsets are needed to query one hive at a time):
volatility3 -f memdump.raw windows.registry.hivelist

2. Extract the per-user startup entries. Without --offset, printkey looks the key up in every hive, so this returns the HKCU Run key of each user's ntuser.dat:
volatility3 -f memdump.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

The machine-wide Run key lives in the SOFTWARE hive, whose root is HKLM\SOFTWARE itself, so it has no leading Software\ component:
volatility3 -f memdump.raw windows.registry.printkey --key "Microsoft\Windows\CurrentVersion\Run"

Example

0xa80333cda000 Key \??\C:\Users\John Doe\ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Run
Value: "Updater" = "C:\Users\John Doe\AppData\Roaming\Updater.exe"

A Run value that starts an executable from the user's AppData\Roaming folder is a common persistence pattern and deserves a closer look.
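The Run-key review above is a manual read of printkey output. The script below is an added example, not part of the original guide, that applies two simple triage rules to such output: flag values that start a program from a user-writable location (Users, AppData, Temp, ProgramData, Public) and values that go through a script or DLL launcher such as rundll32.exe or powershell.exe. The printkey output is constructed in Volatility 3's tab-separated layout (only the Updater entry mirrors the example above), and both rule lists are assumptions chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed windows.registry.printkey output for the Run key as found in two
# hives: a user's ntuser.dat (HKCU) and the SOFTWARE hive (HKLM). The Updater
# entry mirrors the example in the guide; everything else is made up.
HKCU_RUN = r"\??\C:\Users\John Doe\ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"\SystemRoot\System32\Config\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def _row(hive_offset, key, name, data):
    """One printkey row: Last Write Time, Hive Offset, Type, Key, Name, Data, Volatile."""
    return "\t".join(["2024-01-10 09:12:44.000000", hive_offset, "REG_SZ", key, name, data, "False"])


SAMPLE_PRINTKEY = "\n".join([
    "Volatility 3 Framework 2.5.0",
    "Last Write Time\tHive Offset\tType\tKey\tName\tData\tVolatile",
    _row("0xa80333cda000", HKCU_RUN, "Updater", r'"C:\Users\John Doe\AppData\Roaming\Updater.exe"'),
    _row("0xa80333cda000", HKCU_RUN, "OneDrive",
         r'"C:\Users\John Doe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    _row("0xa80331f80000", HKLM_RUN, "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    _row("0xa80331f80000", HKLM_RUN, "svc", r"rundll32.exe C:\ProgramData\x.dll,Start"),
])

# Triage rules (assumptions for this example): user-writable path markers and
# launchers that typically carry the real payload in their arguments.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
             "wscript.exe", "cscript.exe", "cmd.exe"}


@dataclass
class Finding:
    hive_offset: str
    name: str
    exe: str
    reason: str


def exe_from_data(data):
    """Extract the program from a Run value: a quoted path, or the text up to the first .exe."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)\b", data, re.IGNORECASE)
    if m:
        return m.group(1)
    return data.split()[0] if data else ""


def triage_run_keys(printkey_output):
    """Flag Run values that start a program from a user-writable path or via a launcher."""
    findings = []
    for line in printkey_output.splitlines():
        cols = line.split("\t")
        if len(cols) != 7 or not cols[3].lower().endswith("\\run"):
            continue  # banner, header, or a row belonging to some other key
        _time, hive_offset, rtype, _key, name, data, _volatile = cols
        if rtype not in ("REG_SZ", "REG_EXPAND_SZ"):
            continue
        exe = exe_from_data(data)
        low = exe.lower()
        if low.rsplit("\\", 1)[-1] in LAUNCHERS:
            findings.append(Finding(hive_offset, name, exe, "launcher"))
        elif any(marker in low for marker in USER_WRITABLE):
            findings.append(Finding(hive_offset, name, exe, "user-writable path"))
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_PRINTKEY):
        print(f"{f.hive_offset} {f.name}: {f.exe} ({f.reason})")
```

Expect benign hits as well: OneDrive legitimately lives under AppData\Local, so the rules narrow the list down to entries worth verifying (hash the binary, check it against the process list and cmdline output) rather than giving a verdict.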
---------------------------------------------------------------------------------------------

Strings finder (Sysinternals strings.exe):
https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

.\strings.exe -a .\test.mem | Select-String "http"

-a limits the scan to ASCII strings; leave it out to also get Unicode (UTF-16LE) strings, which is how Windows and browser code stores most of its text. Add -o to print the file offset of each hit so it can be located in HxD.
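To show what the -a switch leaves out, the following Python script is an added example, not part of the original cheat sheet: it searches a raw byte buffer for http(s) URLs in both ASCII and UTF-16LE and reports each hit with its offset, the way strings.exe -o would. The memory fragment it scans is constructed inline; run it on the real image by passing the file contents (or a memory-mapped view) to find_urls().

```python
import re

# http(s):// followed by at least four printable, non-space ASCII characters.
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]{4,}")
# The same URL shape in UTF-16LE, where every ASCII character is followed by a NUL.
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")


def find_urls(blob, ascii_only=False):
    """Return sorted (offset, encoding, url) tuples found in raw memory bytes.

    ascii_only=True mirrors `strings.exe -a`; the default also scans UTF-16LE,
    which is how most Windows and browser code keeps its strings.
    """
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_URL.finditer(blob)]
    if not ascii_only:
        hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
                 for m in UTF16_URL.finditer(blob)]
    return sorted(hits)


# Constructed memory fragment (made up for this example): a plain HTTP request
# line, some padding, and a wide-string URL of the kind found in a process heap.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"GET https://example.test/login HTTP/1.1\r\n"
    + b"\xff" * 8
    + "https://update.example.test/Updater.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
)


if __name__ == "__main__":
    for offset, enc, url in find_urls(SAMPLE_MEMORY):
        print(f"{offset:#010x} {enc:8} {url}")
```

On the constructed buffer the ASCII-only pass finds just the request line; the second URL is only visible to the UTF-16LE pass, which is the case for most strings that Windows and Chrome hold in memory.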
