
Title: Detailed explanation of the Volatility memory forensics tool commands


1. Environment installation

1. Install Volatility2 under kali

Note: Volatility2 is generally better than Volatility3

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py

python2 get-pip.py

python2 -m pip install Crypto

python2 -m pip install pycryptodome

python2 -m pip install pytz

python2 -m pip install Pillow #PIL graphics processing library

apt-get install pcregrep python2-dev #Plugin installation dependency library

python2 -m pip install distorm3 #Decompile library

python2 -m pip install openpyxl #Read and write excel files

python2 -m pip install ujson #JSON parsing

python2 -m pip install yara-python #YARA Python bindings (malware classification tool, needed by yarascan)

python2 -m pip install pycrypto #encryption toolset

python2 -m pip install construct #mimikatz dependency library

# Download YARA compression package at https://github.com/virustotal/yara/releases

tar -zxf yara-4.4.0.tar.gz

cd yara-4.4.0

sudo apt-get install automake libtool make gcc pkg-config

sudo apt-get install flex bison libssl-dev

./bootstrap.sh

./configure

make

sudo make install

sudo sh -c 'echo /usr/local/lib >> /etc/ld.so.conf'

sudo ldconfig

yara -h

git clone https://github.com/volatilityfoundation/volatility.git

cd volatility

python2 setup.py install

2. Install under windows

https://www.volatilityfoundation.org/releases


2. Use common commands

1. View memory mirroring system information

volatility.exe -f worldskills3.vmem imageinfo

2. View the user names in the registry of the current memory image

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 printkey -K 'SAM\Domains\Account\Users\Names'

3. Use the hashdump command to get the SAM hash values

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 hashdump

4. Use the lsadump command to view passwords in clear text

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 lsadump

5. View network connection status information

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 netscan


The netscan output also shows the mining process running on this system and the address of the mining pool it points to.

6. Check the current system host name

The host name is queried from the registry, so you first need hivelist to find the virtual address of the hive in the memory image.

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 hivelist

View key names

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 -o 0xffffff8a000024010 printkey

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 -o 0xffffff8a000024010 printkey -K 'ControlSet001'

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 -o 0xffffff8a000024010 printkey -K 'ControlSet001\Control'

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 -o 0xffffff8a000024010 printkey -K 'ControlSet001\Control\ComputerName'

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 -o 0xffffff8a000024010 printkey -K 'ControlSet001\Control\ComputerName\ComputerName'

You can also dump the whole hive with hivedump and look up the key name directly, but this takes much longer.

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 hivedump -o 0xffffff8a000024010 > system.txt

7. Obtain the information stored in the current system IE browser

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 iehistory


8. Query the system service name

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 svcscan

9. Find traces of abnormal programs implanted into the system in the memory file.

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 shimcache

10. View parent and child processes

Note: if a process's PPID is larger than its PID, that process may belong to an abnormal program.

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 pstree

11. View program version information

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 verinfo


12. Query the process through the pslist command

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 pslist

Note: this lists the system processes, but it cannot detect hidden or unlinked processes.

You can also dig further into the information about a child process:

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 pslist -p 2588


13. View hidden or unlinked processes

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 psscan

or

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 psxview

Note: this finds previously terminated (inactive) processes as well as processes hidden or unlinked by a rootkit.
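The two checks from sections 10 and 13 (a PPID larger than its PID, and processes that psscan reports but the linked pslist walk does not) can be run over saved plugin output. This Python script is an added example, not part of the original post or of Volatility itself; the pslist/psscan text it parses is constructed sample output, and `parse_processes` and `triage` are hypothetical helper names.

```python
import re
from typing import Dict, List, Tuple

# Leading columns shared by Volatility 2 pslist and psscan output:
# offset, image name, PID, PPID. Header and "----" lines never match.
_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")

def parse_processes(output: str) -> Dict[int, Tuple[str, int]]:
    """Map PID -> (name, PPID) from saved pslist or psscan text output."""
    procs: Dict[int, Tuple[str, int]] = {}
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs

def triage(pslist_out: str, psscan_out: str) -> List[str]:
    """Apply the two checks the post describes: a PPID larger than the PID, and
    processes psscan finds that pslist misses (hidden, unlinked or exited)."""
    linked = parse_processes(pslist_out)
    scanned = parse_processes(psscan_out)
    findings = []
    for pid, (name, ppid) in sorted(scanned.items()):
        if pid not in linked:
            findings.append(f"{name} (PID {pid}) seen by psscan only: unlinked or exited")
        if ppid > pid:
            findings.append(f"{name} (PID {pid}) has PPID {ppid} > PID, check the parent")
    return findings

# Constructed sample output; it is not taken from the post's worldskills3.vmem.
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8001ad5b30 smss.exe                272      4      2       29 ------      0 2023-12-02 15:45:01 UTC+0000
0xfffffa8002c0e060 explorer.exe           1480   1452     30      800      1      0 2023-12-02 15:45:20 UTC+0000
0xfffffa8002d11b30 cmd.exe                2588   3096      1       20      1      0 2023-12-02 15:46:03 UTC+0000
"""
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB                Time created
------------------ ---------------- ------ ------ ------------------ ------------------------------
0x000000007e5b6b30 smss.exe            272      4 0x0000000000187000 2023-12-02 15:45:01 UTC+0000
0x000000007ea0e060 explorer.exe       1480   1452 0x000000005d6c3000 2023-12-02 15:45:20 UTC+0000
0x000000007f011b30 cmd.exe            2588   3096 0x000000002a8f4000 2023-12-02 15:46:03 UTC+0000
0x000000007f1a2040 update.exe         3096   1480 0x0000000031aa0000 2023-12-02 15:46:00 UTC+0000
"""

if __name__ == "__main__":
    for finding in triage(PSLIST, PSSCAN):
        print(finding)
```

Save the real plugin output with `pslist > pslist.txt` and `psscan > psscan.txt` and pass the file contents in place of the two constants.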

14. Display the cmd command history

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 cmdscan

or

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 consoles # also shows the input and output of each command

15. View process command line parameters

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 cmdline

16. Scan the list of all files in the memory image

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 filescan

On Linux, you can pipe the filescan output into grep to search for keywords.

python2 vol.py -f worldskills3.vmem --profile=Win7SP1x64 filescan | grep 'flag'

python2 vol.py -f worldskills3.vmem --profile=Win7SP1x64 filescan | grep -E 'jpg|png|jpeg|bmp|gif'

Search for pictures or text files

python2 vol.py -f worldskills3.vmem --profile=Win7SP1x64 filescan | grep -E 'txt'

python2 vol.py -f worldskills3.vmem --profile=Win7SP1x64 filescan | grep -E 'jpg'

Export the flag.txt file

python2 vol.py -f worldskills3.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007f1b6c10 -D ./

For the process file released by dump, it is recommended to use foremost to separate out the files inside it.

17. View file content (used together with the filescan query)

volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 dumpfiles -Q 0
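The filescan-then-dumpfiles workflow of sections 16 and 17 can be scripted instead of copying offsets by hand. This Python helper is an added example, not code from the post or from Volatility; the filescan output it parses is constructed (only the flag.txt offset is taken from the post), and `grep_filescan` and `dumpfiles_commands` are hypothetical helper names.

```python
import re
import shlex
from typing import List, Tuple

# Volatility 2 filescan rows: "Offset(P)  #Ptr  #Hnd  Access  Name".
# The physical offset in column 1 is what dumpfiles takes via -Q.
_FILE_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+\d+\s+\d+\s+\S+\s+(.*\S)$")

def grep_filescan(output: str, pattern: str) -> List[Tuple[str, str]]:
    """Return (offset, path) for each file whose path matches the regex.
    Same selection as the post's `filescan | grep -E ...`, but case-insensitive
    so flag.TXT or photo.JPG are not missed."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for line in output.splitlines():
        m = _FILE_ROW.match(line.strip())
        if m and rx.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

def dumpfiles_commands(hits, image: str, profile: str, outdir: str = "./") -> List[str]:
    """One `vol.py ... dumpfiles -Q <offset> -D <dir>` line per hit, ready to
    paste into a shell; image and output directory are shell-quoted."""
    return [
        f"python2 vol.py -f {shlex.quote(image)} --profile={profile} "
        f"dumpfiles -Q {offset} -D {shlex.quote(outdir)}"
        for offset, _ in hits
    ]

# Constructed filescan output; only the flag.txt offset comes from the post.
FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000007f1b6c10      2      0 RW-rw- \\Device\\HarddiskVolume1\\Users\\Admin\\Desktop\\flag.txt
0x000000007e2a1f20     16      0 R--r-d \\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll
0x000000007d9c0a70      1      1 R--rwd \\Device\\HarddiskVolume1\\Users\\Admin\\Pictures\\photo.JPG
"""

if __name__ == "__main__":
    hits = grep_filescan(FILESCAN, r"txt|jpg|png|jpeg|bmp|gif")
    for cmd in dumpfiles_commands(hits, "worldskills3.vmem", "Win7SP1x64"):
        print(cmd)
```

Save the real listing with `filescan > filescan.txt` and read that file in place of FILESCAN.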
