Introduction to Memory Forensics with Volatility 3

Video description: Introduction to Memory Forensics with Volatility 3

Volatility is a very powerful memory forensics tool. It is used to extract information from memory images (memory dumps) of Windows, macOS, and Linux systems. There is also a huge community writing third-party plugins for Volatility. You definitely want to include memory acquisition and analysis in your investigations, and Volatility should be in your forensic toolkit.

Today we show how to use Volatility 3 from installation to basic commands. When analyzing memory, basic tasks include listing processes, checking network connections, extracting files, and conducting a basic Windows Registry analysis. We cover each of these tasks. After you understand the Volatility 3 command structure and extract some basic information, advanced memory analysis just builds on those concepts.

Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek, Roman, and Alexis Brignoni! Thank you so much!

Memory analysis - with the help of volatility 3 - is becoming easier. It is an excellent source of action-related evidence. If you are not already routinely including memory acquisitions in your investigations, I strongly recommend you do. The amount of information available that will never be written to disk is well worth the extra effort.

00:00 Introduction to Volatility 3
00:27 Install Volatility 3 on Windows
04:49 Volatility first run check
05:49 Find the path of your target memory image
06:09 Get RAM image info with windows.info
07:35 Listing installed plugins
09:07 Get process list from RAM with windows.pslist
12:09 Filter Volatility output with PowerShell Select-String
13:55 Find process handles with windows.handles
16:52 Dump a specific file from RAM with windows.dumpfile
19:26 Dump all files related to a PID
20:12 Check executable run options with windows.cmdline
21:49 Find active network connections with windows.netstat
23:49 Find local user password hash with windows.hashdump
24:43 Analyze user actions with windows.registry.userassist
27:09 Find and dump Registry hives from RAM with windows.registry.hivelist
28:39 Analyze a specific Registry key from RAM with windows.registry.printkey
30:18 Intro to Volatility 3 review
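The triage sequence from the timeline, written as a PowerShell script (an added example, not code from the video or the Volatility project). It assumes Python 3 is on PATH, Volatility 3 is cloned to C:\Tools\volatility3, and the image path and PID are placeholders you replace with your own; every plugin's full output is also kept on disk so the Select-String filters can be re-run without re-parsing the image.

```powershell
# Added triage script for the workflow in the timeline above; not from the video or Volatility.
# Assumptions: Python 3 on PATH, Volatility 3 at $VolPath, placeholder image path and PID.
$VolPath   = "C:\Tools\volatility3\vol.py"
$Image     = "C:\Cases\CASE-PLACEHOLDER\memory.raw"     # placeholder, use your own image
$OutDir    = "C:\Cases\CASE-PLACEHOLDER\vol-output"
$TargetPid = 1234                                        # hypothetical PID chosen from pslist
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

function Invoke-Vol {
    # Run one plugin against the image, keep the full output on disk (one file per plugin),
    # and return it so the caller can narrow it down with Select-String.
    param([string]$Plugin, [string[]]$PluginArgs = @())
    $outFile = Join-Path $OutDir "$($Plugin).txt"
    & python $VolPath -f $Image -o $OutDir $Plugin @PluginArgs | Tee-Object -FilePath $outFile
}

# 1. Confirm the image and its symbols resolve before spending time on anything else.
Invoke-Vol windows.info | Out-Null

# 2. Process list, then filter it the way the video does with Select-String.
$pslist = Invoke-Vol windows.pslist
$pslist | Select-String -Pattern "powershell|cmd\.exe|rundll32"

# 3. Drill into one process: its file handles, the files it had open, and its command line.
Invoke-Vol windows.handles   @("--pid", "$TargetPid") | Select-String -Pattern "File"
Invoke-Vol windows.dumpfiles @("--pid", "$TargetPid") | Out-Null   # dumped into $OutDir
Invoke-Vol windows.cmdline | Select-String -Pattern "^\s*$TargetPid\s"

# 4. Network state still present in RAM; only sockets that were actually in use.
Invoke-Vol windows.netstat | Select-String -Pattern "ESTABLISHED|LISTENING"

# 5. Local account hashes (for detecting reuse or unexpected accounts) and user activity.
Invoke-Vol windows.hashdump | Out-Null
Invoke-Vol windows.registry.userassist | Select-String -Pattern "\.exe"

# 6. Registry from memory: enumerate hives, then review a common autostart key for persistence.
Invoke-Vol windows.registry.hivelist | Out-Null
Invoke-Vol windows.registry.printkey @("--key", "Software\Microsoft\Windows\CurrentVersion\Run")
```

Each call prints to the console and writes the same output to a plugin-named text file in $OutDir, so the hashdump and hivelist results reviewed with Out-Null here are still available for the report.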

🚀 Full Digital Forensic Courses → https://learn.dfir.science

Links:
* Python: https://python.org (get version 3)
* Git for Windows: https://gitforwindows.org/
* Microsoft C++ Build Tools: https://visualstudio.microsoft.com/vi...
* Python Snappy: https://www.lfd.uci.edu/~gohlke/pytho...
* Volatility 3: https://github.com/volatilityfoundati...
* Practice memory image: https://archive.org/details/Africa-DF...

Volatility Community: https://www.volatilityfoundation.org/

Related books:
* The Art of Memory Forensics (https://amzn.to/33DTt9b)

#volatility #forensic #memory #analysis
Get more Digital Forensic Science
👍 Subscribe → https://bit.ly/2Ij9Ojc
❤️ YT Member → https://bit.ly/DFIRSciMember
❤️ Patreon → / dfirscience

🕸️ Blog → https://DFIR.Science
🤖 Code → https://github.com/DFIRScience
🐦 Follow → / dfirscience
📰 DFIR Newsletter → https://bit.ly/DFIRNews

Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.
