Volatility Commands

This document provides instructions for using various commands and tools in the Volatility framework to analyze a Windows memory dump file. It describes how to use commands like imageinfo, hivescan, hivelist, printkey, hashdump, connections, netscan, handles, getsids, pslist, pstree, psscan, dlllist, and dlldump to extract different types of forensic artifacts and metadata from the memory dump, including process listings, network connections, open handles, DLL mappings, and password hashes. It also provides examples of the syntax needed to specify memory dump files, profile types, process IDs, registry hive addresses, and output directories for the different Volatility commands.

How to use Volatility v2

Command reference: https://code.google.com/p/volatility/wiki/CommandReference#connections
volatility-2.3.1.standalone.exe imageinfo -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 hivescan -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 hivelist -f WIN7-20140525-181732.raw
Take the virtual address of \REGISTRY\MACHINE\SYSTEM from the hivelist output and pass it to printkey with -o:
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 -f WIN7-20140525-181732.raw printkey -o 0x8881a3c8
The printkey output includes the key's "Last updated" timestamp.
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 -f WIN7-20140525-181732.raw printkey -o 0x8881a3c8 -K CurrentControlSet
To use hashdump, pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s, like this:
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 hashdump -f WIN7-20140525-181732.raw -y 0x8881a3c8 -s 0x88d048c8
Copy the result into a text file and use John the Ripper for password cracking.
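The step above (reading the SYSTEM and SAM virtual addresses out of hivelist and passing them as -y and -s) is easy to get wrong by hand, for instance by copying the physical column. As an added example, not part of the original notes and not Volatility's own code, this script parses hivelist output and builds the hashdump command line; the hivelist sample is constructed (the SYSTEM and SAM addresses are the ones used above, the other rows are made up) and the exe, profile and dump names are assumptions mirroring the notes.

```python
import re

# Constructed sample of Volatility 2 `hivelist` output; the SYSTEM and SAM
# addresses are the ones used in the notes above, the other rows are made up.
SAMPLE_HIVELIST = """\
Volatility Foundation Volatility Framework 2.3.1
Virtual    Physical   Name
---------- ---------- ----
0x9ba7c008 0x1f2fa008 [no name]
0x8881a3c8 0x1c8fa3c8 \\REGISTRY\\MACHINE\\SYSTEM
0x88843008 0x1c8e4008 \\REGISTRY\\MACHINE\\HARDWARE
0x88d048c8 0x1ba348c8 \\SystemRoot\\System32\\Config\\SAM
0x8f2e9008 0x1a9d7008 \\??\\C:\\Users\\user\\ntuser.dat
"""

# One hivelist row: virtual address, physical address, hive name.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")

def parse_hivelist(text):
    """Map hive name -> virtual address. The virtual column is what
    printkey -o, hashdump -y and hashdump -s expect (not the physical one)."""
    hives = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            hives[m.group(3)] = m.group(1)
    return hives

def find_hive(hives, suffix):
    """First hive whose name ends with suffix (case-insensitive), so both
    \\REGISTRY\\MACHINE\\SYSTEM and ...\\config\\system style names match."""
    for name, vaddr in hives.items():
        if name.lower().endswith(suffix.lower()):
            return vaddr
    return None

def hashdump_cmd(hivelist_text, dump, profile="Win7SP1x86",
                 exe="volatility-2.3.1.standalone.exe"):
    """Build the hashdump argv: SYSTEM hive address -> -y, SAM hive -> -s."""
    hives = parse_hivelist(hivelist_text)
    system, sam = find_hive(hives, "\\SYSTEM"), find_hive(hives, "\\SAM")
    if system is None or sam is None:
        raise ValueError("SYSTEM or SAM hive not present in hivelist output")
    return [exe, "--profile=" + profile, "hashdump", "-f", dump,
            "-y", system, "-s", sam]

if __name__ == "__main__":
    print(" ".join(hashdump_cmd(SAMPLE_HIVELIST, "WIN7-20140525-181732.raw")))
```

Feed the real hivelist output to hashdump_cmd and hand the returned list to subprocess.run, or just print it and paste it as above.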
Redirect the output of the following commands to a text file for easier reading:
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 connections -f WIN7-20140525-181732.raw  (Windows XP and Windows 2003 only)
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 netscan -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 handles -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 getsids -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 pslist -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 pstree -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 psscan -f WIN7-20140525-181732.raw
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 dlllist -f WIN7-20140525-181732.raw

To display the DLLs for a specific process instead of all processes, use the -p or --pid filter like this:
volatility-2.3.1.standalone.exe --profile=Win7SP1x86 dlllist -f WIN7-20140525-181732.raw --pid=400
dlldump
To extract a DLL from a process's memory space and dump it to disk for analysis, use the dlldump command. The syntax is nearly the same as what we've shown for dlllist above. You can:
- Dump all DLLs from all processes
- Dump all DLLs from a specific process (with --pid=PID)
- Dump all DLLs from a hidden/unlinked process (with --offset=OFFSET)
- Dump a PE from anywhere in process memory (with --base=BASEADDR); this option is useful for extracting hidden DLLs
To specify an output directory, use --dump-dir=DIR or -d DIR. You can also supply a regular expression to dump only DLLs with a particular pattern in their names.

To display the DLLs for a process that is hidden or unlinked by a rootkit, first use psscan to get the physical offset of the EPROCESS object and then