Dumping Processes with Volatility 3
In this episode, we'll look at the new way to dump process executables in Volatility 3. Along the way we'll also walk through a typical memory analysis scenario, providing a quick refresher on how to zero in on a potentially suspicious process.
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
📖 Chapters
00:00 - Intro
01:21 - Scenario: Finding Evil Processes
06:08 - Dumping Process Executables
08:26 - Recap
🛠 Resources
Volatility 3 Beta:
github.com/volatilityfoundati...
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Comments: 23
Best videos for digital forensics on youtube. Creator should make a certification or something :P
Thank you so much for this content! I was struggling trying to find out how to dump processes with volatility 3. This helped!
Thank you so much. Wonderful explanation
Excellent video! Thanks for sharing!
Solid video
Thank you Sir for the great content. I wanted to ask, are you intending on covering career paths for DFIR in your later videos?
@13Cubed
3 years ago
That's a great idea. I will add it to my list.
Great video as always! Is there currently anyway to specify a directory to dump to, or is it only able to dump to the current working directory?
@13Cubed
3 years ago
Not that I am aware... yet. With Volatility 2, with certain plugins you could specify a full path to dump something to with --dump-dir=/path/to/dump or -D=/path/to/dump, but Volatility 3 doesn't seem to have such an option with --dump in windows.pslist.
you're awesome, God bless you
Thank you for the great video. Could you please add a link to the sample memory dump so we can practice the process?
@13Cubed
2 years ago
Check out the episodes entitled "Pulling Threads" and "Mini Memory CTF." Both of these have links to memory samples within the video's description.
@mohamed.k.mahmoud
2 years ago
@13Cubed Thank you!
Is it possible to have the memory image sample you used in this demo? Thanks
@13Cubed
3 years ago
Sure - it's based on the "Mini Memory CTF" episode, here: kzread.info/dash/bejne/fKl52JqOnMi1YLg.html. The link to the sample is in the description.
@diopibrahima
3 years ago
@13Cubed thanks a lot
Thanks for your video. But I get the following error: "Error outputting file". What do I have to do? Thanks in advance!
@13Cubed
3 months ago
Paste the full command line you ran, and the results.
@user-oh1xc1qu4g
3 months ago
But when I want to dump the process by PID: 1992 - it works correctly and I get the executable file.
What if 804 is a PPID and, when searching for PID 804, I get a blank answer? Nothing?! What does that mean...!
@13Cubed
8 months ago
Not sure I'm following -- show me what command you are using, and what you are trying to accomplish.
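An added example, not 13Cubed's code or anything from the video, that ties the two questions above together: it parses the text output of Volatility 3's `windows.pslist` to show what a PPID with no matching PID row means (the parent is simply not in the listing, typically because it has already exited), and it builds the `windows.pslist --pid N --dump` command line so that running it from a chosen working directory controls where the dumped executable lands. The sample listing, the image name `memory.raw` and the `vol.py` launcher name are assumptions.

```python
# Added example (not from the video): inspect vol3 windows.pslist output and
# dump one process executable into a directory of your choosing.
import shlex
import subprocess

# Constructed sample in the tab-separated layout vol3 prints. PID 1992's
# parent (804) is deliberately absent, mirroring the question above.
SAMPLE_PSLIST = """PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0xfa8000c8d040\t86\t503\tN/A\tFalse\t2019-03-22 06:45:38.000000\tN/A\tDisabled
580\t4\tsmss.exe\t0xfa8001a2b060\t3\t29\tN/A\tFalse\t2019-03-22 06:45:39.000000\tN/A\tDisabled
1992\t804\texplorer.exe\t0xfa8001c3f060\t20\t600\t1\tFalse\t2019-03-22 06:45:50.000000\tN/A\tDisabled
2244\t580\tcsrss.exe\t0xfa8001d5e060\t9\t400\t0\tFalse\t2019-03-22 06:45:40.000000\tN/A\tDisabled
"""

def parse_pslist(text):
    """Return {pid: {"ppid": int, "name": str}} from vol3 windows.pslist text."""
    procs = {}
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or not cols[0].strip().isdigit():
            continue  # header, blank line or banner text
        procs[int(cols[0])] = {"ppid": int(cols[1]), "name": cols[2].strip()}
    return procs

def orphans(procs):
    """PIDs whose parent has no row of its own. Searching that PPID with
    --pid returns nothing because the parent is no longer in the list."""
    return sorted(pid for pid, p in procs.items()
                  if p["ppid"] != 0 and p["ppid"] not in procs)

def children(procs, ppid):
    """PIDs that list `ppid` as their parent."""
    return sorted(pid for pid, p in procs.items() if p["ppid"] == ppid)

def dump_command(image, pid, vol="vol.py"):
    """Command line that dumps one process executable (flags from the video)."""
    return [vol, "-f", image, "windows.pslist", "--pid", str(pid), "--dump"]

def dump_process(image, pid, out_dir):
    """vol3 writes into the current directory, so run it *from* out_dir."""
    return subprocess.run(dump_command(image, pid), cwd=out_dir, check=True)

if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("orphans:", [(p, procs[p]["name"]) for p in orphans(procs)])
    print("children of 580:", children(procs, 580))
    print(shlex.join(dump_command("memory.raw", 1992)))
```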
Am I being stupid? Can't find version 2.0 beta to install?
@13Cubed
3 years ago
github.com/volatilityfoundation/volatility3