
volatility3 installation steps and some commands to execute


git clone https://github.com/volatilityfoundation/volatility3.git

cd volatility3

/usr/bin/python3 -m pip install --upgrade pip

pip3 install -r requirements.txt   (the Windows plugins need these, pefile/pycryptodome among them; install before the first run)

sudo python3 setup.py install   (optional: installs the vol and volshell entry points system-wide; vol.py also runs straight from the clone)

python3 vol.py -h   (lists global options and the available plugins; confirms the install works)


How to use:

Assuming you are in the volatility3 directory and the memory image (stuxnet.mem here) is in the same directory. Note that the first run against a Windows image downloads the matching kernel symbol table (PDB) from Microsoft's symbol server, so it needs network access; later runs reuse the cached copy.

To find windows info (OS version, kernel build, kernel base, whether the image is 32- or 64-bit):

python3 vol.py -f stuxnet.mem windows.info

To find the computer name: dump the environment variables of the processes and look at the COMPUTERNAME variable (USERNAME and USERDOMAIN give the account the process runs under, not the machine name).

python3 vol.py -f stuxnet.mem windows.envars


cheat sheet:

https://www.andreafortuna.org/search/Volatility%2C+my+own+cheatsheet/?s=Volatility,%20my%20own%20cheatsheet

https://blog.onfvp.com/post/volatility-cheatsheet/

https://book.hacktricks.xyz/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples

https://github.com/The-Art-of-Hacking/h4cker/blob/master/cheat_sheets/volatility-memory-forensics-cheat-sheet.pdf

When you see the --profile parameter being used, assume the command is for Volatility 2. Volatility 3 has no --profile: it identifies the OS and kernel build from the image itself and looks up the matching symbol table, so plugin names are just prefixed with the OS (windows.pslist, linux.pslist, mac.pslist).


VOL3

To list all the processes and everything related to a process id:

python3 vol.py -f stuxnet.mem windows.pslist   (walks the kernel's linked list of active processes)

python3 vol.py -f stuxnet.mem windows.psscan   (scans memory for _EPROCESS structures, so it also finds hidden/unlinked processes and recently terminated ones)

python3 vol.py -f stuxnet.mem windows.pstree   (parent-child relationship)

psxview is not available in vol3. To use it you need vol2. The equivalent check in vol3 is to compare pslist with psscan: a process that psscan finds but pslist does not, and that has no ExitTime, is a candidate for an unlinked (hidden) process; one with an ExitTime is most likely just a terminated process still sitting in pool memory.

Dump a process by pid into a directory and find the sha1 hash of the malicious file:

python3 vol.py -f RogueProcessCase1.mem windows.pslist --dump --pid 5688   (suitable way: writes the executable image of that one process to the current directory, or to the directory given with -o)

python3 vol.py -f stuxnet.mem windows.dumpfiles --pid 8180   (not suitable for this: it dumps every file object the process has open or mapped, DLLs included, so you then have to find the malicious executable among many files before hashing it)

python3 vol.py -f stuxnet.mem -o . windows.dumpfiles --pid 8180   (same command with the output directory set explicitly to the current directory)

sha1sum <malicious file name>

Caveat: a PE dumped from memory is the mapped, already-loaded image (sections page-aligned, imports resolved, possibly patched in place), so its hash will not match the original file on disk or a VirusTotal entry for it. Use the hash to compare against other dumps, and pivot on strings, imports or the file path shown by dlllist/dumpfiles for threat-intel lookups.

Hashdump from the memory capture: the local SAM account hashes, printed as User, rid, lmhash, nthash

python3 vol.py -f stuxnet.mem windows.hashdump

Related, but not the same output:

python3 vol.py -f stuxnet.mem windows.lsadump   (LSA secrets such as service account passwords and DPAPI keys, not the user hashes)

hashcat -m 1000 <nthash> /usr/share/wordlists/rockyou.txt   (-m 1000 is NTLM; paste the 32-hex-character nthash column exactly. An lmhash of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, and an nthash of 31d6cfe0d16ae931b73c59d7e0c089c0 is the empty password, so there is nothing to crack for that account.)
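The hashdump-to-hashcat step above, as an added example that is not code from this page or from the Volatility project. It assumes the four-column layout windows.hashdump prints (User, rid, lmhash, nthash) and hashcat's --username option, which accepts one user:hash per line. The dump it parses is constructed: the hash values are the well-known ones for an empty password and for the string "password", plus the short value quoted on this page to show why a truncated hash is rejected before hashcat ever sees it.

```python
# Added example, not code from the page or from the Volatility project.
# Turns windows.hashdump output (User, rid, lmhash, nthash) into input for
# hashcat -m 1000 (NTLM) and flags rows not worth cracking. The dump below is
# constructed; the hash values are the well-known ones for an empty password
# and for the string "password", plus the truncated value quoted on this page.
import re
from typing import List, Tuple

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # lmhash field when no LM hash is stored
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_hashdump(text: str) -> List[Tuple[str, int, str, str]]:
    """(user, rid, lmhash, nthash) per data row. The banner and the header
    line are skipped because their second field is not a numeric RID."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) == 4 and parts[1].isdigit():
            rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows


def triage(text: str) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Return (ntlm_lines, lm_lines, skipped).
    ntlm_lines are 'user:nthash' for `hashcat -m 1000 --username`; lm_lines are
    'user:lmhash' for `hashcat -m 3000 --username` where a real LM hash exists
    (LM is far weaker, crack it first); skipped says why a row was dropped."""
    ntlm, lm, skipped = [], [], []
    for user, _rid, lmh, nth in parse_hashdump(text):
        if not HEX32.match(nth):
            skipped.append((user, f"nthash is {len(nth)} hex chars, hashcat -m 1000 needs 32"))
            continue
        if nth == EMPTY_NT:
            skipped.append((user, "empty password, nothing to crack"))
            continue
        ntlm.append(f"{user}:{nth}")
        if HEX32.match(lmh) and lmh != EMPTY_LM:
            lm.append(f"{user}:{lmh}")
    return ntlm, lm, skipped


# Constructed sample in the shape windows.hashdump prints (tab-separated).
HASHDUMP = "\n".join([
    "Volatility 3 Framework 2.4.1",
    "User\trid\tlmhash\tnthash",
    "Administrator\t500\taad3b435b51404eeaad3b435b51404ee\t31d6cfe0d16ae931b73c59d7e0c089c0",
    "Guest\t501\taad3b435b51404eeaad3b435b51404ee\t31d6cfe0d16ae931b73c59d7e0c089c0",
    "john\t1000\taad3b435b51404eeaad3b435b51404ee\t8846f7eaee8fb117ad06bdd830b7586c",
    "svc_backup\t1001\te52cac67419a9a224a3b108f3fa6cb6d\t8846f7eaee8fb117ad06bdd830b7586c",
    "broken\t1002\taad3b435b51404eeaad3b435b51404ee\t0d757ad173d3fc3419354d64c8ec",
])

if __name__ == "__main__":
    ntlm, lm, skipped = triage(HASHDUMP)
    print("ntlm.txt  -> hashcat -m 1000 --username ntlm.txt /usr/share/wordlists/rockyou.txt")
    print("\n".join(ntlm))   # john:8846f7..., svc_backup:8846f7...
    print("lm.txt    -> hashcat -m 3000 --username lm.txt /usr/share/wordlists/rockyou.txt")
    print("\n".join(lm))     # svc_backup:e52cac...
    for user, why in skipped:
        print(f"skipped {user}: {why}")
```

Run it from the volatility3 directory after saving hashdump's output to a file and swapping HASHDUMP for that file's contents; with --username, hashcat --show later prints user:hash:password so results map straight back to accounts.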


Command line: to find the command-line arguments of a particular pid (the plugin also accepts --pid 5688 to filter exactly, which is safer than grep on a bare number)

python3 vol.py -f RogueProcessCase1.mem windows.cmdline | grep 5688

Netscan: shows whether this pid has network connections or listening sockets. grep on the pid will also match a port number, an offset or a timestamp containing 5688, so check that the hit is in the PID column.

python3 vol.py -f RogueProcessCase1.mem windows.netscan | grep 5688
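Both the psxview replacement (pslist versus psscan) and the per-pid filtering of cmdline/netscan output, as one added example that is not code from this page or from the Volatility project. It parses the tab-separated tables vol3's default renderer prints, assuming the column names shown in pslist/psscan (PID, ImageFileName, Offset(V), ExitTime) and netscan (PID, ForeignAddr, ForeignPort, State). All sample output it runs on is constructed, not taken from a real image.

```python
# Added example, not code from the page or from the Volatility project.
# Parses the tab-separated tables that vol3's default renderer prints, so the
# psxview-style cross-check and exact per-PID filtering can be scripted instead
# of eyeballed. All sample output below is constructed, not from a real image.
from typing import Dict, List, Tuple

Row = Dict[str, str]


def parse_vol3_table(text: str) -> List[Row]:
    """Turn `python3 vol.py -f img windows.<plugin>` output into dict rows.
    The 'Volatility 3 Framework ...' banner and 'Progress:' lines come before
    the header; the first line containing a PID column is taken as the header."""
    header: List[str] = []
    rows: List[Row] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("\t")]
        if not header:
            if "PID" in cells:
                header = cells
            continue
        if len(cells) == len(header) and cells[0]:
            rows.append(dict(zip(header, cells)))
    return rows


def rows_for_pid(text: str, pid: int) -> List[Row]:
    """Exact match on the PID column (cmdline, netscan, dlllist, ...), unlike
    `grep 5688`, which also hits ports, offsets and timestamps containing 5688.
    pstree prefixes PIDs with one '*' per depth level, so strip those first."""
    return [r for r in parse_vol3_table(text) if r["PID"].lstrip("*") == str(pid)]


def find_hidden(pslist_text: str, psscan_text: str) -> Tuple[list, list]:
    """(hidden, exited): processes psscan found that pslist did not list.
    psscan also picks up terminated processes whose _EPROCESS is still in pool
    memory; those carry an ExitTime and are not hidden, so report them apart."""
    listed = {r["PID"] for r in parse_vol3_table(pslist_text)}
    hidden, exited = [], []
    for r in parse_vol3_table(psscan_text):
        if r["PID"] in listed:
            continue
        entry = (int(r["PID"]), r["ImageFileName"], r["Offset(V)"])
        if r.get("ExitTime", "N/A") != "N/A":
            exited.append(entry)
        else:
            hidden.append(entry)
    return hidden, exited


# Constructed sample output in the shape vol3 prints (tab-separated).
PSLIST = "\n".join([
    "Volatility 3 Framework 2.4.1",
    "Progress:  100.00\t\tPDB scanning finished",
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output",
    "4\t0\tSystem\t0x823c8830\t59\t403\tN/A\tFalse\t2011-06-03 04:25:45.000000\tN/A\tDisabled",
    "1928\t668\tsvchost.exe\t0x81e61da0\t5\t80\t0\tFalse\t2011-06-03 04:26:55.000000\tN/A\tDisabled",
])
# psscan finds two more _EPROCESS blocks: one unlinked (no ExitTime) and one that simply exited.
PSSCAN = PSLIST + "\n" + "\n".join([
    "2304\t1928\tsvchost.exe\t0x81f10020\t3\t44\t0\tFalse\t2011-06-03 04:40:12.000000\tN/A\tDisabled",
    "3200\t1928\tcmd.exe\t0x81e9a5a0\t0\t0\t0\tFalse\t2011-06-03 04:30:01.000000\t2011-06-03 04:31:09.000000\tDisabled",
])
# Local port 5688 on the first row is what a bare `grep 5688` would wrongly match.
NETSCAN = "\n".join([
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated",
    "0x81e2b008\tTCPv4\t10.0.2.15\t5688\t93.184.216.34\t443\tESTABLISHED\t1928\tsvchost.exe\t2011-06-03 04:41:00.000000",
    "0x81f3c3a8\tTCPv4\t10.0.2.15\t49201\t198.51.100.7\t4444\tESTABLISHED\t2304\tsvchost.exe\t2011-06-03 04:41:30.000000",
])

if __name__ == "__main__":
    hidden, exited = find_hidden(PSLIST, PSSCAN)
    print("hidden:", hidden)   # [(2304, 'svchost.exe', '0x81f10020')]
    print("exited:", exited)   # [(3200, 'cmd.exe', '0x81e9a5a0')]
    print("pid 5688 in netscan:", rows_for_pid(NETSCAN, 5688))   # [] (5688 was only a port)
    for r in rows_for_pid(NETSCAN, 2304):
        print(f"pid 2304 -> {r['ForeignAddr']}:{r['ForeignPort']} {r['State']}")
```

In practice save each plugin's output with a shell redirect (python3 vol.py -f image.mem windows.pslist > pslist.txt, and the same for psscan and netscan) and pass the file contents to find_hidden and rows_for_pid; a hidden svchost.exe whose only connection goes to an unusual port, as in the sample, is exactly the pivot the pid-based triage in this section is after.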

Process injection detection using the malfind plugin: it lists private memory regions that are executable (typically PAGE_EXECUTE_READWRITE) and not backed by a file on disk, with a hexdump and disassembly of the first bytes. An MZ header or a recognisable shellcode stub at the start of such a region is the strong indicator; bare PAGE_EXECUTE_READWRITE regions on their own are common in JIT-heavy processes and need a closer look. Add --dump to write the flagged regions out for further analysis.

python3 vol.py -f ProcessInjectionCase2.mem windows.malfind

Windows dlllist: lists the DLLs loaded by each process with their base address, size and on-disk path; grep for the suspicious module name (Winsrvc in this case) to see which processes loaded it and from where.

python3 vol.py -f DllInjectionCase3.mem windows.dlllist | grep Winsrvc

Windows dll dump: writes every DLL loaded by pid 1656 to the current directory (or the -o directory), so the injected one can be hashed and analysed.

python3 vol.py -f DllInjectionCase3.mem windows.dlllist --pid 1656 --dump

Domain name\User name: to see under which user's context a process is running, use windows.sessions, which prints session id, process id, process name and user name per process; a second lsass.exe, or one not running as NT AUTHORITY\SYSTEM, is a red flag.

python3 vol.py -f DllInjectionCase3.mem windows.sessions | grep -i "lsass.exe"

Avi

