How to use Volatility - Memory Analysis For Beginners.

In this short tutorial we use one of the most popular memory analysis tools, Volatility, to inspect a volatile memory dump taken from a potentially infected computer. It lets us retrieve information that is only held in the computer's RAM at capture time, such as the running processes, the last files modified, or even the user's browser history.
We will run several Volatility commands against a simple case: analysing a Cridex malware infection in memory.
Tools Used
Volatility - downloads.volatilityfoundation...
CMDER - Console Emulator
cmder.net/
Hashmyfiles
www.nirsoft.net/utils/hashmyf...
Strings
docs.microsoft.com/en-us/sysi...
How to analyze a VMware memory image with Volatility
www.andreafortuna.org/2019/04...
Volatility command summary (Volatility 2.x syntax: every plugin after imageinfo needs a --profile matching the OS of the image)
What type of dump am I going to analyze?
$ volatility -f MyDump.dmp imageinfo
Which processes are running (psxview cross-references several process lists, so a process hidden from one of them stands out)
$ volatility -f MyDump.dmp --profile=MyProfile pslist
$ volatility -f MyDump.dmp --profile=MyProfile pstree
$ volatility -f MyDump.dmp --profile=MyProfile psxview
List open TCP/UDP connections (connscan and sockets are for Windows XP/2003 images; netscan is for Vista and later)
$ volatility -f MyDump.dmp --profile=MyProfile connscan
$ volatility -f MyDump.dmp --profile=MyProfile sockets
$ volatility -f MyDump.dmp --profile=MyProfile netscan
What commands were last run on the computer (cmdline shows each process's command line; consoles and cmdscan recover console history)
$ volatility -f MyDump.dmp --profile=MyProfile cmdline
$ volatility -f MyDump.dmp --profile=MyProfile consoles
$ volatility -f MyDump.dmp --profile=MyProfile cmdscan
Dump a process's executable and its memory
$ volatility -f MyDump.dmp --profile=MyProfile procdump -p MyPid --dump-dir .
$ volatility -f MyDump.dmp --profile=MyProfile memdump -p MyPid --dump-dir .
Hive and registry key values
$ volatility -f MyDump.dmp --profile=MyProfile hivelist
$ volatility -f MyDump.dmp --profile=MyProfile printkey -K "MyPath"
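The commands above are the steps of one triage run, so here they are chained into a small wrapper script. This is an added example, not code from the video or its author: it assumes the Volatility 2 `volatility` binary is on PATH, that the image path is the first argument and any further arguments are PIDs to dump, and it writes everything under a ./triage-<image> directory (the script name triage.sh and that layout are my own choices). The profile parsing relies on the "Suggested Profile(s)" line that Volatility 2's imageinfo prints.

```shell
#!/bin/sh
# Added example (not from the original video or description): a triage wrapper
# that runs the Volatility 2 commands from the summary in order and keeps one
# output file per plugin. Assumptions not stated on the page: `volatility` is
# on PATH, $1 is the image, further args are PIDs, output goes to ./triage-<image>.
set -eu

# Read `imageinfo` output and return the first suggested profile, or nothing
# when Volatility prints "No suggestion" (common for Windows 10 builds newer
# than the profiles shipped with Volatility 2; then pick the profile by hand).
pick_profile() {
  printf '%s\n' "$1" \
    | grep 'Suggested Profile(s)' \
    | grep -v 'No suggestion' \
    | sed 's/.*Suggested Profile(s) *: *\([^, (]*\).*/\1/' \
    | head -n 1
}

# The network plugins are OS-generation specific: connscan and sockets walk
# XP/2003 structures, netscan covers Vista and later.
net_plugins() {
  case "$1" in
    WinXP*|Win2003*) echo "connscan sockets" ;;
    *)               echo "netscan" ;;
  esac
}

run_triage() {
  image="$1"; shift
  outdir="./triage-$(basename "$image")"
  mkdir -p "$outdir"

  info="$(volatility -f "$image" imageinfo)"
  printf '%s\n' "$info" > "$outdir/imageinfo.txt"
  profile="$(pick_profile "$info")"
  if [ -z "$profile" ]; then
    echo "imageinfo suggested no profile; choose one by hand (see imageinfo.txt)" >&2
    return 1
  fi
  echo "using profile $profile"

  # One output file per plugin; a failing plugin must not stop the rest.
  for plugin in pslist pstree psxview cmdline consoles cmdscan hivelist $(net_plugins "$profile"); do
    volatility -f "$image" --profile="$profile" "$plugin" \
      > "$outdir/$plugin.txt" 2>> "$outdir/errors.log" || echo "$plugin failed" >&2
  done

  # Dump the executable and the full address space of each requested PID.
  for pid in "$@"; do
    volatility -f "$image" --profile="$profile" procdump -p "$pid" --dump-dir "$outdir"
    volatility -f "$image" --profile="$profile" memdump  -p "$pid" --dump-dir "$outdir"
  done

  # Hash every dumped artefact so it can be compared with known-bad hashes later
  # (the same job HashMyFiles does in the video, done here with sha256sum).
  (cd "$outdir" && sha256sum executable.* *.dmp 2>/dev/null || true) > "$outdir/hashes.txt"
}

# Entry point when run as a script: ./triage.sh MyDump.dmp [PID ...]
if [ $# -ge 1 ]; then
  run_triage "$@"
fi
```

Run it as `./triage.sh MyDump.dmp 1640 1484` to collect the listings and dump two PIDs in one go; the pslist/pstree/psxview files are then the place to look for processes that should not be there, and the dumped executables can be run through Strings or hashed as in the video.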
#Volatility #DigitalForensics #MalwareAnalysis
Hshan Shouketh

Comments: 55

  • @muzamaze (1 year ago)

    You just got another subscriber. Thank you so much for this video which will help me immensely with my BTL certification.

  • @ruthawele2102 (3 years ago)

    Love love love, please keep rolling out these videos. Thank you

  • @jdulmaine (3 years ago)

    Thank you for this detailed valuable information. And thanks for your help. I just subscribed!

  • @seb1190 (2 years ago)

    really well explained, thank you very much for this tutorial!

  • @tansangtruong2469 (3 years ago)

    Thanks, I'm beginning to use Volatility and this helps a lot, thanks sir

  • @purplesingh5134 (4 years ago)

    Great overview of Volatility & the plugins

  • @HackeXPlorer (4 years ago)

    Thank you, happy that the content helped you 👍

  • @chiter0. (2 years ago)

    Excellent video. Thanks for all the info!

  • @0fzex003 (10 months ago)

    Still very useful these days. Thanks!

  • @CyberMultiverse (2 years ago)

    Just loved your explanation. Keep up and please share more videos #DFIR

  • @bkthegh0st (10 months ago)

    Great video!

  • @rakshithyadav6894 (2 years ago)

    Hi, first of all I congratulate you for all your efforts in making videos and making us understand cyber security better. It helped me in my career. I have seen many of your videos and currently I'm learning forensics and building our own environment in our organization. I have a few questions related to that, I hope you will answer them. I use FTK Imager to take the volatility image. 1. In your video I can see you are getting the profile and you choose a profile to load, but in my case I took a volatility image of a Windows 10 64-bit system and I can see many profiles; I selected each and every profile that was listed, but none of the profiles was giving me results. Can you please help me on this: am I missing anything while collecting the memory image, or is there any other reason for that? Your answer will help me build my forensic environment.

  • @mindfocusfaith7027 (2 years ago)

    Great tutorial, thank you for making this. 👍

  • @HackeXPlorer (1 year ago)

    My pleasure!

  • @8080VB (1 year ago)

    Thanks, now I have an idea what this does.

  • @yowiee5835 (1 year ago)

    Hi, I have a question. When you put in the command pstree, how do you know there is something wrong with explorer.exe and the file under it? Many of the tutorials that I watched didn't really explain how they detected which file is suspicious, so it confuses me.

  • @roryscott9872 (2 years ago)

    This is really good 👍

  • @vjg8674 (7 months ago)

    Thank you for this very useful information. I have a question concerning the first command, plist, you explain: when you get the list of processes, why do you find reader_sl suspicious? What are the criteria that put you on the way? Thank you, you have one more subscriber ;-)

  • @jatinmahida4660 (4 years ago)

    Wow, great tutorial, need more videos sir.

  • @HackeXPlorer (4 years ago)

    Thank you Jatin 👍

  • @rahuldutt2021 (1 year ago)

    Hello sir, this video is very useful. I need your help in preparing a standard operating procedure for live volatile memory analysis. Could you please share the template for the same.

  • @bsoujanya8380 (2 years ago)

    Do you have any idea how to do memory forensics for routers

  • @muruga403 (4 years ago)

    Thanks and bravo

  • @HackeXPlorer (4 years ago)

    Cheers, thanks Muvi 😊

  • @Cyber_Protectors (4 years ago)

    Please make a video series named CYBER CRIME INVESTIGATION with FORENSICS : Real Case Scenarios and Techniques to Solve Case :) Your videos are very nice sir.

  • @HackeXPlorer (4 years ago)

    Thank you for the valuable suggestions, I am actually trying to help analysts with real life investigations. Awesome tip 👍👍

  • @megalifts6108 (3 years ago)

    I have tried taking dumps from Windows 10 versions 1803, 1809, 1903, 1909, 2004 and 1703 using DumpIt and FTK Imager. Volatility does not give a profile suggestion for any of them when I use the 'imageinfo' plugin. Do you know some workarounds?

  • @HackeXPlorer (3 years ago)

    Try this git hub repo github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles kzread.info/dash/bejne/h6dlycSJodfKpLw.html

  • @amitkumarrathore2151 (2 years ago)

    Thanks

  • @abhinavsheel4844 (4 years ago)

    This is a great channel that I have come across. To make a Cyber Security Analyst's life easier, do you provide any type of coaching (online)? If yes then please do let me know. I would be happy to join you and share your knowledge. Since this is the latest video on the channel I hope you read and revert back :)

  • @HackeXPlorer (4 years ago)

    Hi Abhinav, thank you for the feedback. My main goal for this channel is to help cyber security analysts like us, and anyone who wishes to enter this field. I have some plans to take this forward. Will share with you all in a future video.

  • @abhinavsheel4844 (4 years ago)

    @HackeXPlorer I'm currently working as a Cyber Security Analyst. Your video helped me to a great extent. When can I expect a video about the coaching details?

  • @toanho2850 (2 years ago)

    I cannot open it. Error: The requested file doesn't exist. Please help me.

  • @kavertx9167 (1 year ago)

    I can't download anything from the volatilityfoundation site and don't know where to download DumpIt from. Any help?

  • @HackeXPlorer (1 year ago)

    Should be ok now

  • @amolbhasinge3731 (4 years ago)

    Great, and what is the name of the tool that you were using for executing commands?

  • @HackeXPlorer (4 years ago)

    CMDER - Console Emulator cmder.net. Tools used and the download links are available in the description.

  • @SuperChelseaSW6 (4 years ago)

    Hello sir. Make a demo how fmem works too.

  • @HackeXPlorer (4 years ago)

    Sure Frank, thank you for the suggestion 👍

  • @vedales8670 (3 years ago)

    Do you provide any online malware forensic service? Desperately needed.

  • @HackeXPlorer (3 years ago)

    Hi what type of a service are you looking for?

  • @alebored1710 (4 years ago)

    Excellent video, you should make a Udemy course.

  • @HackeXPlorer (4 years ago)

    Thank you for the suggestion.

  • @SuperChelseaSW6 (4 years ago)

    Hello sir. Show us how selks works. Thanks!

  • @HackeXPlorer (4 years ago)

    Just had a look at it, a Suricata-based IPS, right? Did you have a look at Security Onion?

  • @javedanwar1122 (4 years ago)

    Show us how to dump a .vmem file with DumpIt please.

  • @HackeXPlorer (4 years ago)

    Hi Javed, you don't need to use DumpIt for this, just suspend the VM and look for the *.VMEM file. This article will help you: www.andreafortuna.org/2019/04/03/how-to-analyze-a-vmware-memory-image-with-volatility/

  • @javedanwar1122 (4 years ago)

    Hi, I'm using a real machine and DumpIt gives me a .raw file. Can I use it with Volatility? Thanks for your reply.

  • @ivartheboneless5636 (3 years ago)

    Hello sir, is it possible to contact you somehow?

  • @HackeXPlorer (3 years ago)

    Hi there, how can I help you, Martin?

  • @ivartheboneless5636 (3 years ago)

    @HackeXPlorer I need to create a script in volshell (Volatility) that verifies the process DOS header and dumps it; I'm having difficulties completing this task.

  • @javedanwar1122 (4 years ago)

    DumpIt does not give a .vmem file.

  • @HackeXPlorer (4 years ago)

    Hi Javed, if you have problems with DumpIt do the following: just suspend the VM and look for the *.VMEM file. This article will help you: www.andreafortuna.org/2019/04/03/how-to-analyze-a-vmware-memory-image-with-volatility/

  • @Kiolesis (1 year ago)

    symbol line sandbox analysis
