What Volatility is capable of
- List all processes that were running.
- List active and closed network connections.
- View internet history (IE).
- Identify files on the system and retrieve them from the memory dump.
- Read the contents of notepad documents.
- Retrieve commands entered into the Windows Command Prompt (CMD).
- Scan for the presence of malware using YARA rules.
- Retrieve screenshots and clipboard contents.
- Retrieve hashed passwords.
- Retrieve SSL keys and certificates.
How it works
It needs profiles to work
volatility -f memdump.mem imageinfo — this identifies the system the memory image was taken from and suggests matching profiles.
--profile=WinXPSP2x86 — the suggested profile then needs to be passed on every subsequent plugin run against the memory image.
Commands
volatility -f memdump.mem imageinfo
- pslist – lists processes
- volatility -f memdump.mem --profile=<profile> pslist
- pstree – lists processes in a process tree
- volatility -f memdump.mem --profile=<profile> pstree
- psscan – identifies hidden processes (often used by malware)
- volatility -f memdump.mem --profile=<profile> psscan
- psxview – combination of pslist and psscan
- volatility -f memdump.mem --profile=<profile> psxview
- netscan – views network connections
- volatility -f memdump.mem --profile=<profile> netscan
- timeliner – orders timestamped activity from the memory dump in time order. Can be useful for incident response.
- volatility -f memdump.mem --profile=<profile> timeliner
- iehistory – views browser history
- filescan – lists every file mentioned in the memory dump
- volatility -f memdump.mem --profile=<profile> filescan
- dumpfiles – retrieves files from the captured memory; a dump location needs to be selected. Files will be located on the desktop.
- volatility -f memdump.mem --profile=<profile> dumpfiles -n --dump-dir=<file directory>
- cmdline
- This will locate command line commands
- procdump
- dumps processes (use -p <processID> for one process)
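The psxview plugin cross-checks several process-listing techniques, and a process that psscan finds but pslist does not is the classic sign of a hidden process. This added example (not from the original notes or the Volatility project) parses psxview-style table output and flags such rows; the sample output and process names are constructed, and the column layout is assumed to match Volatility 2's psxview (offset, name, PID, one True/False column per technique, optional exit time).

```python
# Constructed sample of Volatility 2 psxview output (not a real capture).
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x04a291a8 svchost.exe            1032 True   True   True     True   True  True    True
0x049e97b8 explorer.exe           1516 True   True   True     True   True  True    True
0x04be97e8 hidden.exe             2244 False  True   True     True   True  True    True
0x04a2d3b0 System                    4 True   True   True     True   False False   False
0x04b5f020 notepad.exe            3012 False  False  False    False  False False   False   2020-01-01 10:00:00 UTC+0000
"""

# Process-listing techniques reported by psxview, in column order.
SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")


def parse_psxview(text):
    """Turn psxview table output into a list of dicts, one per process."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # skip the header and separator lines
        parts = line.split()  # assumes process names contain no spaces
        offset, name, pid = parts[0], parts[1], int(parts[2])
        flags = dict(zip(SOURCES, (p == "True" for p in parts[3:3 + len(SOURCES)])))
        # Anything after the technique columns is the ExitTime, if present.
        exit_time = " ".join(parts[3 + len(SOURCES):]) or None
        rows.append({"offset": offset, "name": name, "pid": pid,
                     "exit_time": exit_time, **flags})
    return rows


def find_hidden(rows):
    """Processes missing from the pslist linked list but found by psscan's
    pool-tag scan. Exited processes are excluded: they legitimately drop out
    of pslist while their EPROCESS structure is still found by psscan."""
    return [r for r in rows
            if not r["pslist"] and r["psscan"] and r["exit_time"] is None]


if __name__ == "__main__":
    for proc in find_hidden(parse_psxview(SAMPLE_PSXVIEW)):
        print(f"hidden process: {proc['name']} (PID {proc['pid']}) at {proc['offset']}")
```

Run it against real output with `volatility -f memdump.mem --profile=<profile> psxview > psxview.txt` and feed the file contents to parse_psxview; the System process showing False for csrss/session/deskthrd is expected and is not flagged.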