Volatility CheatSheet (Forensics - THM)
Description
Volatility is a powerful open-source memory forensics framework used by cybersecurity professionals and incident responders to analyse memory dumps. It supports Linux, Windows, and macOS memory analysis and offers a comprehensive set of plugins to extract various types of information, such as processes, network connections, registry keys, and more.
Installation
You can download the required package from the releases section of Volatility's GitHub page.
Creating a Symlink
sudo ln -s /opt/volatility/vol.py /usr/local/bin/vol.py
(the link must point at the vol.py script inside the extracted package, not at the directory; adjust the path to wherever you unpacked it)
Basic Usage / Options
-h -> help
--info -> list available profiles and plugins
-f -> path to the memory dump file
--profile -> profile to use (OS version and architecture of the dump)
Available Profiles/Plugins
vol.py --info
Miscellaneous Plugins
> imageinfo
The profile is the first thing to identify when using Volatility: it tells the framework the OS version and architecture of the dump, and every other plugin depends on it being correct. Example profiles are Win10x64_19041 and LinuxUbuntu_18.04.
Finding the Profile
vol.py -f victim.raw imageinfo
> yarascan
Scan memory using YARA rules. Download a YARA rules file (the example below uses 000_common_rules.yar) and pass it to the plugin with -y.
vol.py -f victim.raw --profile="Win7SP1x64" yarascan -y 000_common_rules.yar
> screenshot
Extract a pseudo-screenshot from GDI windows.
vol.py -f victim.raw --profile="Win7SP1x64" screenshot -D .
Timeline Analysis
> timeliner
Create a timeline of system activity.
vol.py -f victim.raw --profile="Win7SP1x64" timeliner
Process & Memory Plugins
> cmdline
Display command-line arguments of processes.
vol.py -f victim.raw --profile="Win7SP1x64" cmdline
> dlllist
List loaded DLLs for each process.
vol.py -f victim.raw --profile="Win7SP1x64" dlllist
> pslist / pstree
List running processes or display them in a tree format.
vol.py -f victim.raw --profile="Win7SP1x64" pslist
vol.py -f victim.raw --profile="Win7SP1x64" pstree
> malfind
Detect hidden or injected code in processes (typically private memory regions that are executable and writable). The output gives the owning process and PID for each flagged region.
vol.py -f victim.raw --profile="Win7SP1x64" malfind
> ldrmodules
Identify unlinked DLLs often used in stealthy attacks.
vol.py -f victim.raw --profile="Win7SP1x64" ldrmodules
> procdump
Dump the executable image of a specific process from memory to disk.
vol.py -f victim.raw --profile="Win7SP1x64" procdump -p 1860 -D .
-p -> Process ID number
-D -> Output directory path
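As an added example (not part of the original cheatsheet), the following Python parses the text output of malfind, keeps the PIDs whose RWX regions begin with an MZ header, and builds the matching procdump commands for the next step. The malfind output is a constructed sample; the image and profile names follow the examples in this sheet.

```python
import re

# Constructed sample of Volatility 2 `malfind` output: one RWX region starting with an MZ header, one zero-filled.
SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1860 Address: 0x3c10000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

0x03c10000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Process: svchost.exe Pid: 1116 Address: 0x1f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

0x001f0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

HEADER_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"^Vad Tag: (\S+) Protection: (PAGE_\w+)")
HEXDUMP_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} )+)")


def parse_malfind(text):
    """One record per region malfind reported: owner, PID, address, protection, first bytes."""
    regions = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            regions.append({"process": m.group(1), "pid": int(m.group(2)),
                            "address": int(m.group(3), 16),
                            "protection": None, "first_bytes": b""})
        elif regions:
            cur = regions[-1]
            v = VAD_RE.match(line)
            h = HEXDUMP_RE.match(line)
            if v:
                cur["protection"] = v.group(2)
            elif h and not cur["first_bytes"]:  # keep only the first hexdump row
                cur["first_bytes"] = bytes.fromhex(h.group(1).replace(" ", ""))
    return regions


def suspicious_pids(regions):
    """PIDs owning RWX regions whose first bytes are an MZ (PE) header."""
    hits = [r["pid"] for r in regions
            if r["protection"] == "PAGE_EXECUTE_READWRITE" and r["first_bytes"][:2] == b"MZ"]
    return sorted(set(hits))


def procdump_commands(pids, image="victim.raw", profile="Win7SP1x64", outdir="."):
    """Follow-up procdump commands in the form used throughout this cheatsheet."""
    return [f'vol.py -f {image} --profile="{profile}" procdump -p {pid} -D {outdir}'
            for pid in pids]
```

Feed it the saved output of a real malfind run (`vol.py ... malfind > malfind.txt`) instead of the sample to get the procdump commands for your case.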
File System & Registry Plugins
> dumpregistry
Extract registry files for offline analysis.
vol.py -f victim.raw --profile="Win7SP1x64" dumpregistry --dump-dir .
--dump-dir -> Output directory path
Dumped registry hives can be analysed offline with Registry Explorer by Eric Zimmerman or with a live Windows registry explorer.
> hivelist / hivescan
Locate and list registry hives.
vol.py -f victim.raw --profile="Win7SP1x64" hivelist
vol.py -f victim.raw --profile="Win7SP1x64" hivescan
# hivescan gives the offset
> printkey
Print specific registry keys and values. ControlSet001 lives in the SYSTEM hive. Use the hive offsets from hivelist and hivescan to target a specific hive.
vol.py -f victim.raw --profile="Win7SP1x64" printkey -K "ControlSet001\services"
-K -> Registry Path
> shellbags
Recover “ShellBag” data for folder access history.
vol.py -f victim.raw --profile="Win7SP1x64" shellbags
Networking Plugins
> netscan
Scan for TCP and UDP endpoints and connections, including listeners and established connections.
vol.py -f victim.raw --profile="Win7SP1x64" netscan
Core System Plugins
> amcache/shimcache
Extract artifacts for analysing application execution history. Use shimcache if amcache fails on the dump.
vol.py -f victim.raw --profile="Win7SP1x64" shimcache
> apihooks
Detect API hooks that may indicate malicious activity.
vol.py -f victim.raw --profile="Win7SP1x64" apihooks
> atoms / atomscan
Analyze atom tables, often used by malware for interprocess communication.
vol.py -f victim.raw --profile="Win7SP1x64" atoms
vol.py -f victim.raw --profile="Win7SP1x64" atomscan
> auditpol
Retrieve Windows Audit Policies to detect policy modifications.
vol.py -f victim.raw --profile="Win7SP1x64" auditpol
> bigpools
Analyze large memory pools for kernel-level activity.
vol.py -f victim.raw --profile="Win7SP1x64" bigpools
> bioskbd
Retrieve keyboard buffer from memory (e.g., for forensics on typed commands).
sudo vol.py -f victim.raw --profile="Win7SP1x64" bioskbd
> cachedump/hashdump
Extract credential material: hashdump recovers local account hashes, cachedump recovers cached domain credentials. I see success in using hashdump.
vol.py -f victim.raw --profile="Win7SP1x64" hashdump
vol.py -f victim.raw --profile="Win7SP1x64" cachedump
> callbacks
Inspect system-wide notification routines to detect hooks.
vol.py -f victim.raw --profile="Win7SP1x64" callbacks
Thanks for reading!