I don’t use Volatility as often as I’d like. Whenever I need to use it, I have to re-familiarize myself with the plugins and syntax. Here are some of the commands that I end up using a lot, and some tips that make things easier for me.
Cheat Sheets and References
Here are links to the official cheat sheet and command reference. Note that at the time of this writing, Volatility is at version 2.6 and the cheat sheet PDF listed below is for 2.4. As far as I can tell, this PDF is still relevant. Keep in mind that Volatility is still being developed: new plugins are released periodically, and syntax and usage may change.
https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf
https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
The authors of Volatility have written a book which explains memory forensics in depth. I recommend giving it a read if you are interested in this subject. As an Amazon Associate I earn from qualifying purchases.
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Getting Help
Basic usage information
vol.py -h
List profiles and plugins. I usually read this first if I haven’t used Volatility for a while. Often, there’s a plugin that gives me the information I need.
vol.py --info
Get help for a plugin. Many plugins have additional options and parameters.
vol.py plugin_name_here -h
Determine Which Profile to Use
Using imageinfo, which suggests one or more candidate profiles (the first one listed is its best guess)
vol.py -f memory.img imageinfo
Using kdbgscan, which is more thorough: it reports every KDBG hit along with the number of processes and modules each one finds, so use it to confirm the profile when imageinfo's suggestions are ambiguous
vol.py -f memory.img kdbgscan
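Profile selection is the step I most often fumble, so here is a small POSIX shell wrapper that parses the profile out of imageinfo and runs the plugins from this sheet with it. This is an added example, not code from the original post or from the Volatility project. It assumes a Volatility 2.x vol.py on PATH; the image path, output directory and the imageinfo text embedded for the offline check are constructed, not taken from a real case.

```shell
#!/bin/sh
# Added example (not from the original post or from Volatility itself):
# take the first profile that imageinfo suggests and run the plugins used in
# this cheat sheet with it, saving one output file per plugin.
# Assumes a Volatility 2.x vol.py on PATH. Paths and the sample text below
# are constructed for illustration.

# Constructed sample of what `vol.py -f memory.img imageinfo` prints for a
# Windows 7 SP1 x64 image (abbreviated).
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/memory.img)
                      PAE type : No PAE
                           DTB : 0x187000L'

# Read imageinfo output on stdin and print the first suggested profile.
# imageinfo lists several candidates; the first is its best guess, and
# kdbgscan should confirm it when the list is ambiguous. Prints nothing
# when no "Suggested Profile(s)" line is present.
first_profile() {
    sed -n 's/^ *Suggested Profile(s) *: *//p' | tr -d '\r' | cut -d, -f1 | tr -d ' '
}

# Print (rather than run) the vol.py command line for one plugin, given
# image, profile and plugin plus any plugin options. Handy for case notes.
vol_cmd() {
    img="$1"; profile="$2"; shift 2
    printf 'vol.py -f %s --profile=%s %s\n' "$img" "$profile" "$*"
}

# Run the plugins this sheet uses most, one output file per plugin, so the
# image is not re-parsed every time a result needs to be re-read.
triage() {
    img="$1"; out="${2:-vol_out}"
    mkdir -p "$out"
    profile="$(vol.py -f "$img" imageinfo 2>/dev/null | first_profile)"
    if [ -z "$profile" ]; then
        echo "imageinfo suggested no profile; try kdbgscan" >&2
        return 1
    fi
    echo "using profile $profile" >&2
    for plugin in pslist pstree cmdline psxview handles mutantscan consoles malfind; do
        vol.py -f "$img" --profile="$profile" "$plugin" \
            > "$out/$plugin.txt" 2> "$out/$plugin.err"
    done
    # procdump writes many files, so it gets its own directory.
    mkdir -p "$out/procdump"
    vol.py -f "$img" --profile="$profile" procdump --dump-dir="$out/procdump" \
        > "$out/procdump.txt" 2>&1
}

# Only touch a real image when one is named on the command line, e.g.
#   sh triage.sh /cases/memory.img /cases/vol_out
if [ "$#" -gt 0 ]; then
    triage "$@"
fi
```

The wrapper deliberately takes the first suggested profile; if kdbgscan shows a different candidate with a sane process and module count, pass that profile by hand instead.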
Processes
Using pslist to list processes
vol.py -f memory.img --profile=CHANGEME pslist
pstree is similar to pslist, but shows parent/child relationships, which makes odd parents (for example, a cmd.exe spawned by a service process) easy to spot.
vol.py -f memory.img --profile=CHANGEME pstree
cmdline lists each process's command-line arguments
vol.py -f memory.img --profile=CHANGEME cmdline
Finding hidden processes with psxview. It cross-references several ways of enumerating processes; a process that psscan finds but that is missing from pslist, and that has no exit time, is a candidate for having been unlinked from the process list.
vol.py -f memory.img --profile=CHANGEME psxview
procdump dumps the executable image of each running process from the memory image to disk. This can be useful for recovering malware which is running but has been deleted from disk. (memdump, not shown here, dumps a process's full addressable memory instead of just its executable.)
vol.py -f memory.img --profile=CHANGEME procdump --dump-dir=CHANGEME
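psxview prints a True/False matrix and leaves the interpretation to you. The filter below, an added example that is not part of the original post, flags processes that psscan found but pslist did not, while ignoring processes that simply exited (those carry an ExitTime and are expected to have dropped off the list). The column layout follows Volatility 2.6 psxview output; the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): pick out processes that
# pool-tag scanning (psscan) sees but the EPROCESS list (pslist) does not.
# The sample below is constructed to look like Volatility 2.6 psxview
# output; it is not from a real image.

SAMPLE_PSXVIEW='Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003d8b3b40 svchost.exe            1120 True   True   True     True   True  True    True
0x000000003e2f7430 malware.exe            1824 False  True   True     True   True  True    True
0x000000003e9a1030 notepad.exe            2200 False  True   False    False  False False   False    2019-01-01 12:00:00 UTC+0000
0x000000003cf01b20 System                    4 True   True   True     True   False False   False'

# Fields after whitespace splitting: 1 offset, 2 name, 3 pid, 4 pslist,
# 5 psscan, 6 thrdproc, 7 pspcid, 8 csrss, 9 session, 10 deskthrd, and
# 11+ the ExitTime when the process has terminated (the timestamp contains
# spaces, so a live process has exactly 10 fields).
# Prints "name pid" for processes absent from pslist but found by psscan
# with no exit time. A False in the csrss/session/deskthrd columns for
# System and smss.exe is normal and is not flagged here.
hidden_from_pslist() {
    awk 'NR > 2 && $4 == "False" && $5 == "True" && NF == 10 { print $2, $3 }'
}

# Prints "name pid" for processes that psxview shows with an ExitTime;
# these explain most False entries in the pslist column and are not hidden.
exited_processes() {
    awk 'NR > 2 && NF > 10 { print $2, $3 }'
}

# Typical use on real output:
#   vol.py -f memory.img --profile=Win7SP1x64 psxview | hidden_from_pslist
printf '%s\n' "$SAMPLE_PSXVIEW" | hidden_from_pslist
```

A hit from this filter is a lead, not a verdict: follow it up with dlllist, handles and malfind on that PID before calling it DKOM.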
Networking
connscan lists TCP connections by scanning for connection objects. Note that connscan and sockets are for Windows XP and 2003 images; for Vista and later use netscan, which covers both connections and listening sockets.
vol.py -f memory.img --profile=CHANGEME connscan
sockets lists open sockets and the PID that owns each one (XP/2003 only, as above)
vol.py -f memory.img --profile=CHANGEME sockets
Files
dumpfiles extracts cached files from memory to disk. Without a filter it dumps everything; use -r to match filenames with a regular expression or -p to limit it to one process.
vol.py -f memory.img --profile=CHANGEME dumpfiles --dump-dir=CHANGEME
dumpregistry dumps registry hives to disk
vol.py -f memory.img --profile=CHANGEME dumpregistry --dump-dir=CHANGEME
Windows Stuff
handles lists open handles and their associated PIDs
vol.py -f memory.img --profile=CHANGEME handles
mutantscan lists mutants
vol.py -f memory.img --profile=CHANGEME mutantscan
notepad dumps the currently displayed text in notepad.exe processes
vol.py -f memory.img --profile=CHANGEME notepad
consoles dumps command history from the console host's memory, including the screen buffer, so it often captures command output as well as the commands themselves. cmdscan is the related plugin that recovers just the command history.
vol.py -f memory.img --profile=CHANGEME consoles
malfind finds hidden and injected code by looking for private memory regions that are executable, typically PAGE_EXECUTE_READWRITE, and not backed by a file. Expect some false positives from JIT compilers and similar. Note that Linux and Mac have their own respective versions of this plugin (linux_malfind and mac_malfind).
vol.py -f memory.img --profile=CHANGEME malfind