Volatility
Volatility
- Volatility is a memory forensics tool that was designed to work cross-platform with Linux, Windows, and macOS
- Basically any platform that supports Python should support Volatility
- It's available both in CLI and in GUI with the Volatility Workbench
- Volatility can be modified with a range of modules and plugins, extending its functionality.
- For example, here's a list of all available plugins to analyze Windows OS memory files.
- volatility3.plugins.windows package — Volatility 3 2.0.1 documentation
- Per my tests, it does not appear to really take advantage of multithreaded processing and can take several minutes to parse a memdump file.
- Therefore, maybe run multiple instances at once to get different pieces of information
Important Modules
Most of these modules were explored in the BHIS SOCC course Memory Forensics lab I took earlier, but that was using a much earlier version of Volatility; here are additional references and links for the latest version of Volatility.
- netscan
- pslist
- Show most processes, just not the hidden or unlinked ones
- pstree
- Like pslist, but visually shows the relationship between processes
- psscan
- Searches ALL processes, included hidden or unlinked processes
- dlllist
- Used to display the DLLs loaded by processes
- Can be refined to specific DLLs with
--pid <PID> - Displays DLLs hidden/injected via
CreateRemoteThread->LoadLibrary
- malfind
- Identifies hidden/injected code or DLLs in user memory, based on the VAD tag and permissions
- It does not show DLLs hidden/injected via
CreateRemoteThread->LoadLibrarybecause that's frankly pushing into dlllist's territory and it should stay in its lane. - The
VPNis Virtual Page Numbers, and is basically where the code begins and ends in memory
Volatility Commands
python vol.py -h- Get help on the Volatility tool, displaying all switches etc.
python vol.py -f <file name>- Identify the file being investigated
Metadata
Sources
Volatility Foundation · GitHub
The Volatility Foundation
Volatility 3 CheatSheet - onfvpBlog