Hacking Notes

Memory Forensics

Gathering and analyzing memory images

Last updated 2 years ago

Gathering Memory

There are a handful of different tools which can be used to gather memory. Some of these include:

  • winpmem (https://github.com/Velocidex/WinPmem): acquires physical memory to a raw image. It loads a driver, so run it from an elevated (Administrator) prompt:

    • winpmem_mini_x64.exe physmem.raw

  • procdump (https://learn.microsoft.com/en-us/sysinternals/downloads/procdump): dumps the memory of a single process (e.g. one you suspect of being injected), not the whole system. Useful for quick looks, but it is not a substitute for a full physical memory image.

  • FTK Imager: GUI acquisition tool with a "Capture Memory" option.

Whichever tool you use, write the image to external media rather than the suspect's disk, and hash it (e.g. sha256sum physmem.raw) as soon as it is written so later analysis can be tied back to the original capture.

IMPORTANT WHEN GATHERING MEMORY

Always make sure that the OS information is gathered in conjunction with the image itself! On Windows the ver command (or systeminfo, which also gives the architecture and service pack) prints the exact build number; record it next to the image. Later we can grep for that build in the vol.py --info output to find the matching profile, which is far quicker and more reliable than guessing with imageinfo after the fact.
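The matching step described above, as an added example that is not part of the original notes: the script parses the saved ver output and the Profiles section of vol.py --info output, and returns the profiles whose build (or, for Windows 7, service pack) and architecture match. The --info lines embedded below are a constructed sample that mirrors the real format; replace them with your own saved --info output.

```python
"""Pick candidate Volatility 2 profiles from a saved Windows `ver` string.

Added example, not code from the original notes. It assumes you recorded
`ver` output next to the image (as the notes recommend) and saved
`vol.py --info` output to a file. SAMPLE_INFO below is constructed to mirror
the real Profiles section format; it is not captured from a live run.
"""
import re

# Constructed sample of the Profiles section of `vol.py --info` output.
SAMPLE_INFO = """\
Profiles
--------
VistaSP0x64           - A Profile for Windows Vista SP0 x64
Win10x64_17763        - A Profile for Windows 10 x64 (10.0.17763.0 / 2018-10-12)
Win10x64_18362        - A Profile for Windows 10 x64 (10.0.18362.0 / 2019-04-23)
Win10x64_19041        - A Profile for Windows 10 x64 (10.0.19041.0 / 2020-04-02)
Win10x86_19041        - A Profile for Windows 10 x86 (10.0.19041.0 / 2020-04-02)
Win7SP1x64            - A Profile for Windows 7 SP1 x64
Win7SP1x86            - A Profile for Windows 7 SP1 x86
Win2016x64_14393      - A Profile for Windows Server 2016 x64 (10.0.14393.0 / 2016-07-16)

Address Spaces
--------------
AMD64PagedMemory      - Standard AMD 64-bit address space.
"""

# `ver` prints e.g. "Microsoft Windows [Version 10.0.19041.1288]"; we only need major.minor.build.
VER_RE = re.compile(r"Version (\d+)\.(\d+)\.(\d+)")
PROFILE_RE = re.compile(r"^(?P<name>\w+)\s+-\s+A Profile for Windows (?P<desc>.*)$")


def parse_ver(ver_output):
    """Return (major, minor, build) from `ver` output."""
    m = VER_RE.search(ver_output)
    if not m:
        raise ValueError("no 'Version a.b.c' string found in ver output")
    return tuple(int(x) for x in m.groups())


def parse_profiles(info_output):
    """Yield (profile_name, description) pairs from the Profiles section of --info output."""
    in_profiles = False
    for line in info_output.splitlines():
        if line.strip() == "Profiles":
            in_profiles = True
            continue
        if in_profiles and line.strip() == "":  # blank line ends the section
            break
        m = PROFILE_RE.match(line)
        if in_profiles and m:
            yield m.group("name"), m.group("desc")


def candidate_profiles(ver_output, info_output, arch="x64"):
    """Profiles matching the ver output and architecture.

    Windows 10 / Server 2016+ profiles carry the build in their description,
    so we match on "10.0.<build>.". Windows 7 (kernel 6.1) profiles are named
    by service pack: build 7601 is SP1, 7600 is SP0.
    """
    major, minor, build = parse_ver(ver_output)
    hits = []
    for name, desc in parse_profiles(info_output):
        if arch not in name:
            continue
        if major == 10 and f"{major}.{minor}.{build}." in desc:
            hits.append(name)
        elif (major, minor) == (6, 1):
            sp = "SP1" if build >= 7601 else "SP0"
            if name.startswith("Win7" + sp):
                hits.append(name)
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python pick_profile.py ver.txt info.txt [x64|x86]
    ver_text = open(sys.argv[1]).read()
    info_text = open(sys.argv[2]).read()
    arch = sys.argv[3] if len(sys.argv) > 3 else "x64"
    for name in candidate_profiles(ver_text, info_text, arch):
        print(name)
```

If more than one profile comes back (for example when several Windows 10 builds share a kernel layout), run kdbgscan to settle which one the image actually uses before bulk-running plugins.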

Analyzing Memory

Volatility is one of the most common tools to use in memory investigations.

Keep in mind that Volatility 2 (the vol.py --profile syntax used below) runs on Python 2 and is no longer actively developed. Volatility 3 runs on Python 3, replaces --profile with symbol tables that it resolves automatically, and names plugins by OS (e.g. windows.pslist instead of pslist). The commands on this page are Volatility 2 syntax.

Volatility Usage

./vol.py -f [image file] --profile=[profile] [plugin]

In order to use this effectively, we need to know the profile of the memory image before we can analyze it properly. A profile describes the layout of kernel structures (process, thread and object offsets) for one specific OS build and architecture. Even minor releases move these around, and with the wrong profile plugins typically return nothing or garbage rather than a clear error, so confirm the profile first.

The following env vars can be set to speed up the usage of Volatility and prevent having to type in the file location and profile info for each run:

  • VOLATILITY_LOCATION (the image, given in the file:// URL form that -f converts a plain path into, e.g. file:///cases/physmem.raw)

  • VOLATILITY_PROFILE (e.g. Win7SP1x64, as listed by vol.py --info)

Common Plugins

| Plugin | Purpose |
| --- | --- |
| [plugin] -h | Show the options for an individual plugin (e.g. vol.py printkey -h) |
| --info | List the available profiles, address spaces and plugins |
| imageinfo | Suggest profiles for the image (slow, and the suggestions are guesses; confirm with kdbgscan) |
| kdbgscan | Scan for the kernel debugger block (KDBG) to pin down the exact profile; prefer this over imageinfo |
| pslist | List processes by walking the active process list |
| pstree | List processes in a tree format, showing parent/child relationships |
| psscan | Scan memory for process objects, catching unlinked (hidden) and terminated processes that pslist misses; diff its output against pslist |
| netscan | Scan for TCP/UDP endpoints, listeners and connections (Vista and later; on XP/2003 use connections and sockets) |
| userassist | Parse the UserAssist registry keys: GUI-launched programs with run counts and last-run time |
| cmdline | Show the command line each process was started with |
| printkey | Print a registry key's subkeys and values, e.g. -K "Software\Microsoft\Windows\CurrentVersion\Run" |
| svcscan | List services with their state and binary/driver path |
| dlllist | List loaded DLLs for each process |
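A first-pass triage run that ties the usage section and the plugin table together, as an added example that is not part of the original notes: it sets VOLATILITY_LOCATION and VOLATILITY_PROFILE in the environment instead of repeating -f and --profile, then runs the common plugins in turn and saves one output file per plugin. It assumes vol.py is on PATH (or is passed with --vol) and that VOLATILITY_LOCATION takes the same file:// URL form that -f translates a path into.

```python
"""Run a set of Volatility 2 plugins against one image and save each result.

Added example, not code from the original notes. Assumptions: vol.py is on
PATH (or given with --vol) and its shebang points at the Python 2 that
Volatility 2 needs; VOLATILITY_LOCATION accepts the file:// URL form that
-f converts a plain path into.
"""
import argparse
import os
import pathlib
import subprocess

# Plugins from the "Common Plugins" table, in the order a first pass is usually run.
TRIAGE_PLUGINS = ["pslist", "pstree", "psscan", "cmdline", "dlllist",
                  "svcscan", "netscan", "userassist"]


def vol_env(image, profile, base_env=None):
    """Environment with VOLATILITY_LOCATION / VOLATILITY_PROFILE set so -f and --profile can be omitted."""
    env = dict(os.environ if base_env is None else base_env)
    # e.g. /evidence/physmem.raw -> file:///evidence/physmem.raw
    env["VOLATILITY_LOCATION"] = pathlib.Path(os.path.abspath(image)).as_uri()
    env["VOLATILITY_PROFILE"] = profile
    return env


def vol_command(plugin, extra_args=(), vol="vol.py"):
    """argv for one plugin run; image and profile come from the environment built by vol_env()."""
    return [vol, plugin, *extra_args]


def run_triage(image, profile, outdir, plugins=TRIAGE_PLUGINS, vol="vol.py"):
    """Run each plugin once, writing stdout to <outdir>/<plugin>.txt; returns {plugin: exit code}."""
    out = pathlib.Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    env = vol_env(image, profile)
    results = {}
    for plugin in plugins:
        with open(out / f"{plugin}.txt", "w") as fh:
            proc = subprocess.run(vol_command(plugin, vol=vol), env=env,
                                  stdout=fh, stderr=subprocess.PIPE, text=True)
        results[plugin] = proc.returncode
        if proc.returncode != 0:
            # A wrong profile usually shows up as tracebacks here, or as empty output files.
            (out / f"{plugin}.stderr.txt").write_text(proc.stderr)
    return results


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="First-pass Volatility 2 triage")
    ap.add_argument("image", help="raw memory image, e.g. physmem.raw")
    ap.add_argument("profile", help="profile name from vol.py --info, e.g. Win7SP1x64")
    ap.add_argument("-o", "--outdir", default="vol_out")
    ap.add_argument("--vol", default="vol.py", help="path to vol.py")
    args = ap.parse_args()
    for plugin, rc in run_triage(args.image, args.profile, args.outdir, vol=args.vol).items():
        print(f"{plugin:<12} exit={rc}")
```

After the run, diff psscan.txt against pslist.txt: a process present in the scan but absent from the list is either terminated or deliberately unlinked, and is the first thing to look at.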

References

https://github.com/Velocidex/WinPmem
https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
How to Use Volatility for Memory Forensics and Analysis | Varonis