Personal Volatility2 Notes

Personal Notes used for CTFs, Exams or Work purposes

Volatility 2.6

These are my personal notes which really come in handy for me for reference, so hopefully it can help somebody else!

Volatility 2.6 Standalone Edition

  1. Run imageinfo

    • Purpose: Determine the profile of the memory image, i.e. which OS, service pack and architecture the dump came from. Every other Volatility 2 plugin needs this profile. imageinfo is a heuristic (it scans for the KDBG structure), so its suggestions are a starting point, not a verdict.
    • Command:
      vol2.exe -f m.mem imageinfo
      
    • Tip: Usually the first suggested profile is right, but several profiles of the same family (e.g. Win7SP1x64 and Win7SP0x64) are often listed. Verify by running pslist with the candidate profile: if the output shows System (PID 4, PPID 0), smss.exe, csrss.exe and the usual process names with sane PIDs and thread counts, the profile is correct. Empty output, garbage names or a traceback mean try the next suggestion. If imageinfo finds nothing, kdbgscan is the other way to locate the right profile.
  2. Verify Profile with pslist

    • Purpose: List the processes to ensure the chosen profile is correct.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 pslist
      

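Steps 1 and 2 as a small script, added here as an example (it is not part of the original notes): it parses the Suggested Profile(s) line of imageinfo and accepts the first candidate whose pslist output looks like a real process list. The imageinfo and pslist text inside the script is constructed sample output, and the vol2 runner with its vol2.exe path is an assumption for running it against a real image.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample of `vol2.exe -f m.mem imageinfo` output (not from a real image).
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (m.mem)
                      PAE type : No PAE
                           DTB : 0x187000L
"""

# Constructed pslist output for a correct profile: System is PID 4 / PPID 0 and the
# boot-time processes follow it with sane names and counters.
SAMPLE_PSLIST_GOOD = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0040 System                    4      0     78      495 ------      0 2019-01-01 10:00:00 UTC+0000
0xfffffa8001a1f060 smss.exe                264      4      2       29 ------      0 2019-01-01 10:00:00 UTC+0000
0xfffffa8001e2ab30 csrss.exe               348    332      9      380      0      0 2019-01-01 10:00:01 UTC+0000
"""

# Constructed pslist output for a wrong profile of the same family: the list walk
# finds nothing (in practice you may also see garbage names or a traceback).
SAMPLE_PSLIST_BAD = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
"""


def parse_suggested_profiles(imageinfo_output: str) -> List[str]:
    """Return the profiles from the 'Suggested Profile(s)' line, in the order imageinfo lists them."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def pslist_looks_sane(pslist_output: str) -> bool:
    """Heuristic profile check: rows exist, names are printable, and System
    (PID 4, PPID 0 on Windows XP and later) is present."""
    rows = [line.split() for line in pslist_output.splitlines() if line.startswith("0x")]
    rows = [r for r in rows if len(r) >= 6]
    if not rows:
        return False
    names_printable = all(all(32 < ord(ch) < 127 for ch in r[1]) for r in rows)
    has_system = any(r[1] == "System" and r[2] == "4" and r[3] == "0" for r in rows)
    return names_printable and has_system


def select_profile(imageinfo_output: str, run_pslist: Callable[[str], str]) -> Optional[str]:
    """Try the suggested profiles in order; return the first whose pslist output passes the check."""
    for profile in parse_suggested_profiles(imageinfo_output):
        if pslist_looks_sane(run_pslist(profile)):
            return profile
    return None


def vol2(image: str, profile: str, plugin: str, vol_exe: str = "vol2.exe") -> str:
    """Run the standalone binary (its path is an assumption) and return stdout."""
    proc = subprocess.run([vol_exe, "-f", image, "--profile=" + profile, plugin],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Offline demo with the constructed samples; on a real case use
    # select_profile(imageinfo_text, lambda p: vol2("m.mem", p, "pslist")).
    fake: Dict[str, str] = {"Win7SP1x64": SAMPLE_PSLIST_BAD, "Win7SP0x64": SAMPLE_PSLIST_GOOD}
    print(select_profile(SAMPLE_IMAGEINFO, lambda p: fake.get(p, SAMPLE_PSLIST_BAD)))
```

The check is deliberately weak (System at PID 4 plus printable names), because a wrong profile of the same family usually fails loudly; tighten it with your own known-good process names if a family has many close profiles.
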
Important Plugins and Usage

  1. cmdline

    • Purpose: Displays the full command line of each process (read from ProcessParameters in the PEB), including the image path.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 cmdline
      
    • Tip: Compare the path with where the binary should live: a "svchost.exe" outside C:\Windows\System32, or one started without a -k <group> argument, is suspicious. Processes whose PEB cannot be read (terminated, System, or paged out) show no command line.
  2. consoles

    • Purpose: Scans the console host process (conhost.exe on Win7 and later, csrss.exe on XP/2003) for console structures and prints, per console, the attached process, the command history and the screen buffer, i.e. what was typed and what the output looked like. cmdscan is the lighter plugin that only recovers the command history.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 consoles
      
    • Tip: Look for commands that executed scripts or downloaded files (powershell, certutil, bitsadmin, net use, wmic). The buffers live until the console process exits, so consoles often recovers commands the attacker assumed were gone.
  3. mftparser

    • Purpose: Parses the Master File Table (MFT) entries still resident in memory: file names, $STANDARD_INFORMATION and $FILE_NAME timestamps, and the content of small files that NTFS stores inside the record itself. Entries of deleted files often survive, so this is a good place to look for scripts and droppers that are no longer on disk.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 mftparser
      
    • Tips:
      • Search the output for command script and executable extensions (e.g., .ps1, .vbs, .bat, .py, .exe) and focus on system directories such as C:\Windows\, C:\Program Files\ and C:\Users\<Username>\AppData\.
      • --output=body --output-file=mft.body writes a bodyfile timeline that can be sorted with mactime.
  4. psxview

    • Purpose: Cross-references seven ways of finding processes (pslist, psscan, thrdproc, pspcid, csrss, session, deskthrd) and prints a True/False column for each. A process that is False in pslist but True elsewhere has been unlinked from the active process list (DKOM), which hides it from pslist and pstree. Some False entries are normal (terminated processes found only by psscan, or System and smss.exe being False in the csrss column because they started before csrss), so judge the whole row, not one column.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 psxview
      
  5. memdump

    • Purpose: Dumps every memory page addressable by a process (its whole VAD range: image, heaps, stacks, mapped files) into one <PID>.dmp file for further analysis. The file can be large.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 memdump -p <PID> --dump-dir=./dumps
      
    • Tip: Use tools like strings.exe (make sure Unicode strings are included, since Windows stores most text as UTF-16) and grep the result for URLs, IP addresses, file paths and command lines.
  6. shimcache

    • Purpose: Parses the AppCompatCache (ShimCache) from the SYSTEM hive in memory. It records executables the compatibility engine has seen, with their path, size and a timestamp.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 shimcache
      
    • Tips:
      • Look for recently executed programs, unusual paths (temp directories, user profiles) or misspelled system binary names.
      • The timestamp is the file's last-modified time ($STANDARD_INFORMATION), not the time it ran. On Windows 7 the cache carries an execution flag, but on later versions an entry only proves the file existed, not that it executed, so confirm execution with another artifact (UserAssist, prefetch).
  7. pstree

    • Purpose: Shows a tree of processes to easily see parent-child relationships. It is built from the same list as pslist, so processes hidden from pslist are missing; use psxview or psscan for those.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 pstree
      
    • Tip: Check that system processes have the expected parent on Win7 (smss.exe -> csrss.exe/wininit.exe/winlogon.exe, wininit.exe -> services.exe/lsass.exe, services.exe -> svchost.exe, winlogon.exe -> userinit.exe -> explorer.exe) and that user-facing programs such as explorer.exe, winword.exe or a browser are not spawning cmd.exe, powershell.exe or network tools.
  8. netscan

    • Purpose: Scans physical memory for the pool allocations of TCP endpoints, TCP connections and UDP endpoints (Vista and later; on XP/2003 use connections/connscan and sockets/sockscan). Because it scans freed pool memory too, it can recover connections that had already closed before the capture.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 netscan
      
    • Tips:
      • Focus on connections with the state ESTABLISHED, but do not ignore CLOSED/CLOSE_WAIT ones: that is what a beacon looks like between check-ins.
      • Check the times these connections were made (the Created column is filled for listeners and UDP endpoints).
      • Check for listening ports, especially on processes that have no business listening (notepad.exe, a browser, a binary in a user directory).
      • Verify whether foreign addresses are legitimate using VirusTotal, passive DNS or a web search.
      • Look out for processes making abnormal requests, e.g. a Word or Acrobat process with an outbound connection.
      • Entries with a blank Owner belong to processes that had already exited; find them with psscan.
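
The netscan tips above as code, added here as an example (not from the original notes): it parses netscan rows and flags ESTABLISHED connections to non-internal hosts and listeners owned by processes outside a small baseline. The netscan text, the baseline of expected listeners and the address ranges treated as internal are all constructed assumptions; adapt them to the environment of the image.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed `netscan` output (not from a real image); the column layout follows Volatility 2.6.
SAMPLE_NETSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7e0103a0         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        704      svchost.exe
0x7e0ab9f0         TCPv4    0.0.0.0:4444                   0.0.0.0:0            LISTENING        2812     notepad.exe
0x7e2a1cf0         TCPv4    192.168.1.10:49412             203.0.113.5:443      ESTABLISHED      2456     svchost.exe
0x7e2b33a0         TCPv4    192.168.1.10:49413             192.168.1.20:445     ESTABLISHED      4        System
0x7e3b0010         UDPv4    0.0.0.0:5355                   *:*                                   1004                    2019-01-01 10:00:00 UTC+0000
0x7e4c1100         TCPv6    :::49155                       :::0                 LISTENING        500      lsass.exe
"""

# State is absent for UDP rows, Owner may be blank; both are optional in the pattern.
LINE = re.compile(
    r"^(?P<off>0x[0-9a-fA-F]+)\s+(?P<proto>TCPv[46]|UDPv[46])\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>-?\d+)(?:\s+(?P<owner>\S+))?"
)

# Constructed assumption: ranges that count as "internal" for this triage. Documentation
# ranges (203.0.113.0/24 etc.) are deliberately not included so they read as external here.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed baseline of processes that normally own listening sockets on a Win7 box.
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "services.exe", "wininit.exe"}


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: str


def split_addr(addr: str) -> Tuple[str, str]:
    """'192.168.1.10:443' -> ('192.168.1.10', '443'); also handles ':::0' and '*:*'."""
    host, _, port = addr.rpartition(":")
    return host, port


def is_internal(host: str) -> bool:
    if host in ("*", ""):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # unparsable host: do not flag on bad input
    return any(ip in net for net in INTERNAL)


def parse_netscan(output: str) -> List[Conn]:
    conns = []
    for line in output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, header, separator
        owner = m.group("owner") or ""
        if re.fullmatch(r"\d{4}-\d{2}-\d{2}", owner):
            owner = ""  # Owner column was blank; the pattern grabbed the Created date instead
        conns.append(Conn(m.group("proto"), m.group("local"), m.group("foreign"),
                          m.group("state") or "", int(m.group("pid")), owner))
    return conns


def triage_netscan(output: str) -> List[str]:
    """Apply the two netscan rules: external ESTABLISHED peers and unexpected listeners."""
    findings = []
    for c in parse_netscan(output):
        fhost, fport = split_addr(c.foreign)
        lhost, lport = split_addr(c.local)
        if c.state == "ESTABLISHED" and not is_internal(fhost):
            findings.append(f"pid {c.pid} {c.owner or '?'}: ESTABLISHED to external {fhost}:{fport}")
        elif c.state == "LISTENING" and c.owner not in EXPECTED_LISTENERS:
            findings.append(f"pid {c.pid} {c.owner or '?'}: unexpected listener on port {lport}")
    return findings


if __name__ == "__main__":
    for f in triage_netscan(SAMPLE_NETSCAN):
        print(f)
```

The baseline is intentionally a set of names, not paths: netscan only gives the image name, so a flagged svchost.exe still needs cmdline and pstree to confirm it is the real one.
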
  9. dlllist

    • Purpose: Lists loaded DLLs for each process.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 dlllist
      
  10. malfind

    • Purpose: Finds memory regions that look like injected code: private (not file-backed) VADs with PAGE_EXECUTE_READWRITE protection, printed with a hexdump and disassembly of the first bytes. A region starting with "MZ" or with a function prolog is a strong sign; regions that are all zeros are usually false positives. Add -p <PID> to limit to one process and -D ./dumps to write the regions out for YARA or AV scanning.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 malfind
      
  11. handles

    • Purpose: Lists the open handles (files, registry keys, mutants, events, sections, threads, ...) of each process.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 handles
      
    • Tip: The full listing is huge; filter with -p <PID> and -t <type>, e.g. -t Mutant to find the named mutex malware creates to avoid running twice, or -t File to see what a process had open.
  12. ldrmodules

    • Purpose: Compares the three DLL lists in the process PEB (InLoad, InInit, InMem) with the VAD tree and prints a True/False column for each. A mapped image that is False in all three lists was unlinked from the PEB or never went through the loader (reflective loading, manual mapping). The process's own exe is normally False in InInit only, so that alone is not suspicious.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 ldrmodules
      
  13. procdump

    • Purpose: Rebuilds the main executable image of a process from memory and writes it as executable.<PID>.exe, so you can inspect or scan the binary that was actually running (useful when the on-disk file was deleted or the malware unpacked itself in memory).
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 procdump -p <PID> --dump-dir=./dumps
      
    • Tip: dlldump does the same for an individual DLL and moddump for kernel modules. A PE rebuilt from memory is not byte-identical to the on-disk file, so do not expect their hashes to match.
  14. userassist

    • Purpose: Decodes the UserAssist registry keys (ROT-13 encoded names under NTUSER.DAT) to show programs a user launched through Explorer, with run count and last-run time. It proves a user-initiated launch and complements shimcache, which does not record who ran a file.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 userassist
      
  15. hivelist

    • Purpose: Lists the registry hives in memory with their virtual and physical offsets.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 hivelist
      
    • Tip: Use a hive's virtual offset with printkey (-o <offset> -K <key path>) to read specific keys, e.g. the Run keys in SOFTWARE and NTUSER.DAT for persistence, or Services in SYSTEM for malicious services.
  16. hashdump

    • Purpose: Extracts the local account password hashes (LM and NT) from the SAM hive in memory, using the boot key from the SYSTEM hive. Both hives are located automatically via hivelist; if that fails, pass their virtual offsets with -y <SYSTEM offset> -s <SAM offset>.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 hashdump
      
    • Tips (output is one line per account: Username:RID:LM_hash:NT_hash:::):
      • Username: The account name
      • RID: Relative Identifier, the last part of the account's SID (500 = built-in Administrator, 501 = Guest, 1000 and up = other local accounts)
      • LM_hash: The LM hash of the password
      • NT_hash: The NT hash of the password (MD4 of the UTF-16LE password, no salt)
      • An empty LM hash is indicated by aad3b435b51404eeaad3b435b51404ee; this is the normal case on Vista and later, where LM storage is off by default. A real LM hash means a weak, trivially crackable password
      • An empty NT hash (blank password) is 31d6cfe0d16ae931b73c59d7e0c089c0
      • 8846f7eaee8fb117ad06bdd830b7586c is not an "Administrator hash": it is the NT hash of the string "password", which happens to be the Administrator password in many lab images. Compare against a list of well-known hashes before spending time cracking
  17. vadinfo

    • Purpose: Provides detailed information about each Virtual Address Descriptor (VAD) node for a given process.
    • Command:
      vol2.exe -f m.mem --profile=Win7SP1x64 vadinfo -p <PID>
      
    • Tips:
      • Vad Tag: Pool tag of the VAD node (VadS for short nodes, Vad, Vadl for long nodes; VadS regions without a mapped file are where injected code usually lives)
      • Vad Type: Type of memory (e.g., PrivateMemory, MappedFile, ImageMap)
      • Start and End: The range of virtual addresses covered by the VAD node
      • Protection: Access permissions for the memory range (e.g., PAGE_EXECUTE_READWRITE); private memory that is both writable and executable is exactly what malfind keys on

Hash Calculation with PowerShell

  • procdump writes executable.<PID>.exe and memdump writes <PID>.dmp into the dump directory. Calculate MD5, SHA1, or SHA256 hashes of the dumped file using PowerShell (Get-FileHash accepts wildcards, so the PID does not have to be typed):
    # Calculate MD5
    Get-FileHash -Algorithm MD5 -Path .\dumps\executable.*.exe
    
    # Calculate SHA1
    Get-FileHash -Algorithm SHA1 -Path .\dumps\executable.*.exe
    
    # Calculate SHA256
    Get-FileHash -Algorithm SHA256 -Path .\dumps\executable.*.exe
  • Caveat: a PE rebuilt from memory is not byte-identical to the file on disk (relocations applied, imports resolved, sections padded), so its hash will usually not match VirusTotal or a known-good hash. Use these hashes to compare dumps with each other; for something closer to the on-disk file, dump the cached copy with dumpfiles (which may still be incomplete if pages were not resident).