Introduction to Memory Forensics with Volatility 3


Volatility is a very powerful memory forensics tool. It is used to extract information from memory images (memory dumps) of Windows, macOS, and Linux systems. There is also a huge community writing third-party plugins for Volatility. You definitely want to include memory acquisition and analysis in your investigations, and Volatility should be in your forensic toolkit.
Today we show how to use Volatility 3 from installation to basic commands. When analyzing memory, basic tasks include listing processes, checking network connections, extracting files, and conducting a basic Windows Registry analysis. We cover each of these tasks. After you understand the Volatility 3 command structure and extract some basic information, advanced memory analysis just builds on those concepts.
Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek, Roman, and Alexis Brignoni! Thank you so much!
Memory analysis - with the help of Volatility 3 - is becoming easier. It is an excellent source of action-related evidence. If you are not already routinely including memory acquisitions in your investigations, I strongly recommend you do. The amount of information available that will never be written to disk is well worth the extra effort.
00:00 Introduction to Volatility 3
00:27 Install Volatility 3 on Windows
04:49 Volatility first run check
05:49 Find the path of your target memory image
06:09 Get RAM image info with windows.info
07:35 Listing installed plugins
09:07 Get process list from RAM with windows.pslist
12:09 Filter Volatility output with PowerShell Select-String
13:55 Find process handles with windows.handles
16:52 Dump a specific file from RAM with windows.dumpfiles
19:26 Dump all files related to a PID
20:12 Check executable run options with windows.cmdline
21:49 Find active network connections with windows.netstat
23:49 Find local user password hash with windows.hashdump
24:43 Analyze user actions with windows.registry.userassist
27:09 Find and dump Registry hives from RAM with windows.registry.hivelist
28:39 Analyze a specific Registry key from RAM with windows.registry.printkey
30:18 Intro to Volatility 3 review
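The plugin sequence from the timeline above, collected into one PowerShell triage script that runs each plugin over the same image and keeps every plugin's output in a file. This is an added example, not the video's own commands or code from the Volatility project; it assumes Python 3 and a cloned Volatility 3 repository, and the vol.py path, image path, PID, output directory and Registry key are placeholders to replace with your own.

```powershell
# vol-triage.ps1 (added example; placeholder paths, PID and key are not from the video)
param(
    [string]$VolPath   = "C:\tools\volatility3\vol.py",   # assumed: where the Volatility 3 clone lives
    [string]$Image     = "C:\cases\case01\memory.raw",    # placeholder: the memory image to analyze
    [int]$TargetPid    = 1234,                            # placeholder: a PID chosen from the pslist output
    [string]$OutDir    = "C:\cases\case01\vol-output"     # placeholder: where plugin output is saved
)

$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$DumpDir = Join-Path $OutDir "dumpfiles"
New-Item -ItemType Directory -Force -Path $DumpDir | Out-Null

# Runs one plugin and saves its output as <plugin-name>.txt under $OutDir.
# Global vol.py options (-f, -o) must come before the plugin name; plugin
# options such as --pid and --key come after it.
function Invoke-VolPlugin {
    param(
        [Parameter(Mandatory)] [string]$Plugin,
        [string[]]$PluginArgs = @(),
        [string[]]$GlobalArgs = @()
    )
    $outFile = Join-Path $OutDir (($Plugin -replace '\.', '_') + ".txt")
    Write-Host "[*] Running $Plugin -> $outFile"
    & python $VolPath -f $Image @GlobalArgs $Plugin @PluginArgs |
        Tee-Object -FilePath $outFile | Out-Null
}

# 1. Confirm the image is recognised and a matching symbol table was found.
Invoke-VolPlugin -Plugin windows.info

# 2. Process list, then filter the saved output the same way the video does
#    with Select-String (here: shells, adjust the pattern to the case).
Invoke-VolPlugin -Plugin windows.pslist
Select-String -Path (Join-Path $OutDir "windows_pslist.txt") -Pattern "powershell\.exe|cmd\.exe"

# 3. Handles, command line and cached files for the process of interest.
Invoke-VolPlugin -Plugin windows.handles   -PluginArgs @("--pid", $TargetPid)
Invoke-VolPlugin -Plugin windows.cmdline   -PluginArgs @("--pid", $TargetPid)
Invoke-VolPlugin -Plugin windows.dumpfiles -PluginArgs @("--pid", $TargetPid) -GlobalArgs @("-o", $DumpDir)

# 4. Network connections and local account hashes.
Invoke-VolPlugin -Plugin windows.netstat
Invoke-VolPlugin -Plugin windows.hashdump

# 5. Registry: UserAssist entries, the hive list, and one key of interest
#    (the Run key is a placeholder choice; any key path works with --key).
Invoke-VolPlugin -Plugin windows.registry.userassist
Invoke-VolPlugin -Plugin windows.registry.hivelist
Invoke-VolPlugin -Plugin windows.registry.printkey -PluginArgs @("--key", "Software\Microsoft\Windows\CurrentVersion\Run")

Write-Host "[+] Done. Plugin output is under $OutDir; extracted files are under $DumpDir"
```

Run it after the install steps in the video, for example `.\vol-triage.ps1 -Image D:\case\mem.raw -TargetPid 4321`. Saving each plugin's output to a file means the slow plugins only run once per image; the filtering and re-reading happen on the text files. The hashdump plugin depends on packages from the full requirements.txt rather than the minimal one, so install those before relying on step 4.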
🚀 Full Digital Forensic Courses → learn.dfir.science
Links:
* Python: python.org (get version 3)
* Git for Windows: gitforwindows.org/
* Microsoft C++ Build Tools: visualstudio.microsoft.com/vi...
* Python Snappy: www.lfd.uci.edu/~gohlke/pytho...
* Volatility 3: github.com/volatilityfoundati...
* Practice memory image: archive.org/details/Africa-DF...
Volatility Community: www.volatilityfoundation.org/
Related books:
* The Art of Memory Forensics (amzn.to/33DTt9b)
#volatility #forensic #memory #analysis
010001000100011001010011011000110110100101100101011011100110001101100101
Get more Digital Forensic Science
👍 Subscribe → bit.ly/2Ij9Ojc
❤️ YT Member → bit.ly/DFIRSciMember
❤️ Patreon → / dfirscience
🕸️ Blog → DFIR.Science
🤖 Code → github.com/DFIRScience
🐦 Follow → / dfirscience
📰 DFIR Newsletter → bit.ly/DFIRNews
010100110111010101100010011100110110001101110010011010010110001001100101
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.

Comments: 81

  • @silvertechnolo3958 · 2 years ago

    Just started learning memory forensics with "The Art of Memory Forensics" and wanted a nice little video to supplement my learning. So glad you're here 🤗 thanks a lot

  • @DFIRScience · 2 years ago

    That's a great book! Let me know if you have any questions. Thank you!

  • @MrBitviper · 1 year ago

    Awesome tutorial. This is very informative and easy to understand. Thank you so much for this.

  • @frooogle99 · 1 year ago

    Thank you! This video has been the best resource so far!! Much appreciated, man! 😊

  • @DFIRScience · 1 year ago

    Glad it was helpful!

  • @djnikx1 · 5 months ago

    👍 Excellent presentation. Thank you!

  • @dead_gawk · 1 month ago

    Really enjoyed the class :)

  • @kerryhazelton5977 · 1 year ago

    Good stuff as usual!

  • @fianvar · 1 year ago

    Thanks a lot. This explanation is very useful.

  • @yastazik1982 · 2 years ago

    Very informative, with great tips. Thanks 🙏🏻

  • @DFIRScience · 2 years ago

    Glad it was helpful!

  • @sruthisivaraman2290 · 10 months ago

    Hi, thanks for the video. I would like to know what to do if the translation requirement and symbol table requirement are not fulfilled while listing installed plugins?

  • @alfonzo7822 · 1 year ago

    I just wrote a massive post then lost it.. My PC and then subsequently my network got compromised back in June. A clean install did nothing. Microsoft, HP and Bitdefender say that since all virus scans are clear and the system has been reinstalled, it's fine. It's taken me literally months to get to the point where I have a good idea what is going on, but I still can't resolve it. Have seen boot files on Wireshark from specific IPs; my WinRE is empty, so I concluded it must be a PXE boot. Sure enough, I managed to locate the relevant files. However, I need more info to be able to work out safe removal, as so far anything I do hasn't worked. Ran a massive memory dump and tried to use Volatility but yeah, couldn't get it going properly. However, this vid has helped a lot and fingers crossed I'll find the treasure :) Thanks a lot for uploading this!

  • @andreelyusef3235 · 2 months ago

    Bro you rock! I am subscribing

  • @zerocool4580 · 11 months ago

    Excellent video and thank you. The only thing I would add is, when I was trying to point Volatility to the .raw memory file I was receiving errors for permissions and so on. I then placed the .raw file in the same folder as Volatility3 and it finally worked. Just in case others run into this issue.

  • @sruthisivaraman2290 · 10 months ago

    Hey there. I would like to know what to do if the translation requirement and symbol table requirement are not fulfilled while listing installed plugins?

  • @genesistorrico343 · 1 year ago

    Thanks for the video! It was a great help.

  • @DFIRScience · 1 year ago

    Glad it helped!

  • @carlosdanielbedoyramos4419 · 1 year ago

    Hello, will you have a video analyzing the RAM memory of a Linux system with Volatility 3?

  • @nemzyxt · 9 months ago

    Awesome, new sub here, thanks a lot

  • @andrevm9410 · 2 years ago

    Great video!

  • @DFIRScience · 2 years ago

    Thanks a lot!

  • @juansanchez6685 · 2 years ago

    Great video!

  • @DFIRScience · 2 years ago

    Thanks! Hope it was helpful!

  • @Dxxxxxk · 1 year ago

    Thank you

  • @nk8681 · 4 months ago

    Thanks for this informative but extremely important video for those who need to get a start. There is a request: can you make a video on Network Artifacts for Linux Memory Forensics? I will be grateful to you. Thanks in advance.

  • @TheDarkMEXiCaN2020 · 1 year ago

    Can you make a follow-up on the issues setting up when you are installing Microsoft tools? Maybe show us what we actually need?

  • @fernandoalvaradomiranda9685 · 1 year ago

    Hey, how are you? Just a question: how do I know my correct version of Windows to download Snappy?

  • @shreyaskumar3091 · 2 months ago

    Hey there! Amazing video, but I got stuck at the part with the ACTF.mem file. I could not figure out where to get that file. Kindly help.

  • @rashmig2110 · 1 year ago

    I am unable to get the windows.cachedump.Cachedump option in my latest Volatility version. Pls help

  • @billbenhaim5332 · 2 years ago

    Hi, thanks for that video. I really want to replicate that memory dump by myself. Which Windows 10 x64 OS build have you used? And do you know which Windows 10 OS builds are supported by the Volatility version that you have used in the video?

  • @DFIRScience · 2 years ago

    It was Windows 10, but the build was from about a year ago. You should get the same results with newer builds of Windows 10 and an updated version of Volatility. Use FTK Imager or Magnet RAM Capture on Win10 and you should get what you need. Let me know if you don't get the same results!

  • @sruthisivaraman2290 · 10 months ago

    Hey there. I would like to know what to do if the translation requirement and symbol table requirement are not fulfilled while listing installed plugins?

  • @Renglus · 4 months ago

    For some reason, when doing windows.handles nothing shows up at all, and when trying to dump a file, it just does a PDB scan. I cannot find any answers to this problem on the internet.

  • @user-ne8hc3xf3d · 1 year ago

    Volatility 2.6 didn't work for Win10 memory, but now I'm gonna use Volatility 3. Really helpful video! Thanks. And could I write those processes in my blog with citation? If you say "NO", I'll just memorize them in my head.

  • @DFIRScience · 1 year ago

    Take a look at dfir.science/2022/02/Introduction-to-Memory-Forensics-with-Volatility-3 The commands are listed under the video. But, yeah, if you want to put it in your blog, it's all good.

  • @sruthisivaraman2290 · 10 months ago

    I would like to know what to do if the translation requirement and symbol table requirement are not fulfilled while listing installed plugins?

  • @userewjonqk · 6 months ago

    How should we know if there is malware in the field or in memory?

  • @smithj7U · 1 year ago

    I can't get the installation stuff to work. I know how to open Windows PowerShell in the TryHackMe attack room. So frustrating. Video after video and I can't get Volatility to be installed. 😞

  • @CyDig · 11 months ago

    I installed Volatility 3 in Windows 11, and it works great.

  • @0galeicrum · 1 year ago

    Hi, I have a question. At 28:25 I have my .hive file, but it's a bit confusing using the hex reader. I'm using Kali; is there an alternative to analyse this file?

  • @sruthisivaraman2290 · 10 months ago

    Hey there. I would like to know what to do if the translation requirement and symbol table requirement are not fulfilled while listing installed plugins?

  • @DaFunkyFRO · 1 year ago

    Great video. Unfortunately hashdump and netstat don't seem to appear in the 2.4.0 framework (the latest pulled as of this posting).

  • @vtrhbr · 1 year ago

    Hey, how did you end up using hashmap?

  • @bartkor1220 · 1 year ago

    Yeah, I tried using windows.netstat but it just errored.

  • @vtrhbr · 1 year ago

    @bartkor1220 Yes, stop using this piece of software :D

  • @liveyourlifeplease · 1 year ago

    Has anyone come across the idea of creating aliases for Volatility plugins, so we make the command line cleaner? --btw great video, thank you

  • @adamgrumpy87 · 2 years ago

    Do you have to install all the C++ build tools or only the core ones?

  • @DFIRScience · 2 years ago

    I believe core only would work.

  • @hammazahmed1289 · 2 months ago

    I was having a problem with checking the Python version. It was so trivial. It didn't work coz in Windows I must also install Python using the Microsoft Store.

  • @stuna2754 · 1 year ago

    I don't see snappy v0.6.0 available at that link, which is the required version for volatility3. Is there another way to install snappy on Windows?

  • @DFIRScience · 1 year ago

    It's about 75% of the way down. They have v0.6.1. Here is the link for Win AMD64: download.lfd.uci.edu/pythonlibs/archived/python_snappy-0.6.1-cp311-cp311-win_amd64.whl

  • @stuna2754 · 1 year ago

    @DFIRScience The requirements.txt for Volatility3 says v0.6.0, so I'm not able to get it to work with v0.6.1

  • @segunoludare8713 · 2 years ago

    It appears python-snappy isn't allowing the installation of "requirements.txt". Any help?

  • @DFIRScience · 2 years ago

    You may need to download python-snappy and install it separately. I had the same trouble on Windows. pypi.org/project/python-snappy/

  • @aarishfakih741 · 1 year ago

    I am not able to install python snappy... it says the wheel is not supported... What should I do now?

  • @CyDig · 11 months ago

    It is very simple to install and configure.

  • @galloe · 2 months ago

    @CyDig So explain it to them, don't be a dick.

  • @vivekpadman5248 · 1 year ago

    Can somebody provide a link for example dump files?

  • @CyDig · 11 months ago

    You can create it by using FTK Imager or Magnet RAM Capture.

  • @eliassaloum48 · 1 year ago

    How do I get the memory dump?

  • @CyDig · 11 months ago

    You can use FTK Imager or Magnet RAM Capture.

  • @user-jh6yv1wh9w · 1 year ago

    I downloaded "python_snappy-0.6.1-cp310-cp310-win_amd64.whl" and installed it using pip install. PowerShell told me "python-snappy is already installed with the same version as the provided wheel. Use --force-reinstall to force an installation of the wheel." And I tried "pip install -r .\requirements.txt" but I got "ERROR: Failed building wheel for python-snappy". How to solve this problem??

  • @DFIRScience · 1 year ago

    Try pip uninstall python-snappy, then reinstall from the downloaded whl. You should not need to compile.

  • @user-jh6yv1wh9w · 1 year ago

    @DFIRScience I tried "pip uninstall python-snappy" and got "Successfully uninstalled python-snappy-0.6.1". Now I tried again "pip install python_snappy-0.6.1-cp310-cp310-win_amd64.whl" and got "Successfully installed python-snappy-0.6.1". And I tried "pip install -r .\requirements.txt" and got "ERROR: Failed building wheel for python-snappy". PowerShell told me "fatal error LNK1181: 'snappy.lib' can't open". Please help me . . . :(

  • @DFIRScience · 1 year ago

    @user-jh6yv1wh9w Do you happen to have two versions of Python installed? That could be the conflict. Try removing all versions of Python and installing the newest version (3.10.7) from www.python.org/

  • @microlab3692 · 2 years ago

  • @DFIRScience · 2 years ago

    👍😆

  • @breves · 2 months ago

    Hi there and thanks for posting! How did you dump the ntuser.dat (25:21)? Can't seem to find an option for that, and windows.dumpfiles does not take the hive offset... EDIT: I used windows.filescan, thanks anyway

  • @defnd3r · 2 years ago

    It's okay to hit like before starting the video, correct? Because that's what I do before I watch any of your videos.

  • @DFIRScience · 2 years ago

    Thank you so much! 😆

  • @PiperUsmc · 2 years ago

    lol just did the same thing

  • @SoulJah876 · 2 years ago

    I don't seem to have hashdump - to the Googles.

  • @SoulJah876 · 2 years ago

    One can always count on the Googles :D

  • @DFIRScience · 2 years ago

    Did you get the newest version of Volatility 3 (2.0.0+)? Did you find hashdump?

  • @SoulJah876 · 2 years ago

    @DFIRScience Yeah, I had to pip the full requirements and then reinstall. I had only done minimal before.

  • @jasonmoore4429 · 2 years ago

    The easiest way to get Python 3 to work with PowerShell: go to the MS Store.

  • @DFIRScience · 2 years ago

    I don't know why I didn't even consider the MS Store. Thanks for that!

  • @EvilSapphireR · 3 months ago

    Is this Eli the Computer Guy?

  • @liszadarling · 1 year ago

    I'm stuck at snappy. Tried every single one for my laptop and none of them are supported. I've double-checked the build tools being installed correctly and they are. PowerShell is now saying "volatility error: please select a plugin to run". How do I resolve this? I need to get Volatility up and running for a project. Thanks!

  • @midlifehemi88 · 3 months ago

    Did you ever figure this out? I'm trying to install Python Snappy as well and getting the same issue. Just says it isn't a supported .whl on this platform.