22 Mar 2024

Volatility Guide

My personal Volatility 2 guide for memory dump analysis

Overview

I’m by no means an expert. This document was created to help ME understand Volatility while learning. My CTF procedure comes first, and a brief explanation of each command follows. This guide uses Volatility 2 and RegRipper.

Sorry, this was written like 4 years ago but I forgot to share it. If you’d like, you can download the markdown version from the GitHub gist.

Procedure

Profiling

  • volatility -f <file_name> imageinfo: Get the suggested profiles for the dump
  • After which, run every other plugin as volatility -f <file_name> <command> --profile=<profile>

Registry Dumping and Ripping

  • Run hivelist and take note of the virtual address of every hive
  • Using dumpregistry, dump all the registry contents (one -o <virtual address> per hive)
  • Using RegRipper, rip -r tmp/registry.0xfffff8a00377d2d0.Syscachehve.reg -f system (-r is the dumped hive file, -f is the RegRipper profile matching that hive type)
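The profiling and registry steps above, scripted as an added example that is not part of the original guide: it parses constructed imageinfo and hivelist output, picks the first suggested profile, and builds the dumpregistry and RegRipper commands for each named hive. The tmp output directory, the registry.<addr>.*.reg file glob and the system/sam/software RegRipper profile names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes volatility2 is on
# PATH as "volatility" and RegRipper as "rip"; all sample output is constructed.

# Constructed sample of `volatility -f dump.raw imageinfo`
IMAGEINFO_SAMPLE='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)'

# Constructed sample of `hivelist` (columns: Virtual Physical Name)
HIVELIST_SAMPLE='Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000002d3be010 [no name]
0xfffff8a00000f010 0x000000002d2ae010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000a1a010 0x000000002d5aa010 \SystemRoot\System32\Config\SAM
0xfffff8a00377d2d0 0x0000000017d0a2d0 \SystemRoot\System32\Config\SOFTWARE'

# First suggested profile from imageinfo output read on stdin
first_profile() {
    sed -n 's/.*Suggested Profile(s) : \([^,]*\).*/\1/p' | head -n1
}

# Print "virtual_address hive_path" pairs from hivelist output, skipping unnamed hives
hive_addresses() {
    awk '/^0x/ && $3 != "[no" { print $1, $NF }'
}

# Map a hive path to the RegRipper profile name (assumed: system, sam, software)
rip_profile() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *\\system)   echo system ;;
        *\\sam)      echo sam ;;
        *\\software) echo software ;;
        *)           echo "" ;;
    esac
}

# Emit the dumpregistry + rip commands for every named hive (hivelist output on stdin)
plan_commands() {
    dump="$1"; profile="$2"
    hive_addresses | while read -r addr name; do
        echo "volatility -f $dump --profile=$profile dumpregistry -o $addr -D tmp"
        rp=$(rip_profile "$name")
        if [ -n "$rp" ]; then echo "rip -r tmp/registry.$addr.*.reg -f $rp"; fi
    done
}
```

Run it against a real dump by piping the live plugin output into the same functions, e.g. volatility -f dump.raw --profile=<profile> hivelist | plan_commands dump.raw <profile>.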

Just CTF Things

  • strings <file> | grep -i "<flag format>" just to sieve out any flags

Commands

Commands Reference: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference

Not in reference

notepad:

  • Display notepad’s contents

OS and Processes

pslist:

  • List all processes, including PID, PPID, start time and exit time

psxview:

  • Cross-reference process listings to spot hidden processes: False in a column means the process is missing from that source (a False in the csrss column alone is expected and not suspicious)

ldrmodules

  • Check whether a module has been injected or unlinked (any of the InLoad/InInit/InMem columns is False)

procdump:

  • Usage: procdump -p <PID found using netscan or pslist> -D <output directory>
  • Dump the process executable (.exe file) from memory

memdump:

  • Usage: memdump -p <PID found using netscan or pslist> -D <output directory>
  • Dump the process’s addressable memory into one .dmp file, from which the files and images the process used can be carved

clipboard:

  • Get clipboard history

Files

filescan

  • Get a list of all file objects in memory, with their physical offsets
  • Pipe to grep in order to search for specific files (filescan | grep -i "<search terms>")

dumpfiles

  • Usage: dumpfiles -r <regex matching the file name> -i -n -D <output directory> (-r filters by regex, -i ignores case, -n keeps the original file name in the output path) or dumpfiles -Q <physical offset from filescan> -D <output directory>

hivelist:

  • Get virtual addresses of registry hives

dumpregistry:

  • Usage: dumpregistry -o <virtual memory address of hive> -D <output directory>
  • Dump the registry contents

printkey:

  • Usage: printkey -o <virtual memory address of hive>
  • Add -K <key> to get value of specific subkey

hashdump:

  • Display all NTLM hashes from the SAM
  • Use https://crackstation.net/ to crack NTLM hashes

lsadump:

  • Dump LSA secrets from the registry (stores passwords in Windows 7)

Networking

netscan:

  • Display all network information: TCP/UDP endpoints and connections with owning PID (Vista and later)

External Plugins

Installing External Plugins into volatility/plugins:

  • https://github.com/superponible/volatility-plugins
  • wget https://raw.githubusercontent.com/dfirfpi/hotoloti/master/volatility/mimikatz.py then pip install construct

Chrome

  • chromehistory

malfind

  • Find memory regions with a VAD tag and executable protection that have no backing file, i.e. likely injected or hidden code

Program Specific

Notepad

  • Use notepad plugin

MS Paint

  • Dump memory using memdump -p <pid of mspaint.exe>
  • Try foremost/binwalk
  • Use GIMP

Chrome

  • filescan | grep -ie "history$" to get chrome data
  • Dump history files (including Downloads) using dumpfiles and use SQLite viewer (Note that file extension should be .sqlite)
  • Use chromehistory plugin

Acknowledgements

https://medium.com/hackstreetboys/hsb-presents-otterctf-2018-memory-forensics-write-up-c3b9e372c36c
https://w00tsec.blogspot.com/2015/02/extracting-raw-pictures-from-memory.html