How to use Volatility - Memory Analysis For Beginners.


In this short tutorial, we will be using one of the most popular volatile-memory analysis tools: Volatility. This tool will help us inspect a volatile memory dump of a potentially infected computer and retrieve useful information stored in the computer's memory, such as the running processes, the last files modified, or even the user's browser history.

We will run several Volatility commands in this tutorial using a simple case: analysing a Cridex malware infection in memory.

Tools Used

Volatility - http://downloads.volatilityfoundation...

CMDER - Console Emulator
https://cmder.net/

Hashmyfiles
https://www.nirsoft.net/utils/hashmyf...

Strings
https://docs.microsoft.com/en-us/sysi...

How to analyze a VMware memory image with Volatility
https://www.andreafortuna.org/2019/04...


Volatility Command summary

What type of dump am I going to analyze?
$ volatility -f MyDump.dmp imageinfo

Which processes are running
$ volatility -f MyDump.dmp --profile=MyProfile pslist
$ volatility -f MyDump.dmp --profile=MyProfile pstree
$ volatility -f MyDump.dmp --profile=MyProfile psxview

List open TCP/UDP connections
$ volatility -f MyDump.dmp --profile=MyProfile connscan
$ volatility -f MyDump.dmp --profile=MyProfile sockets
$ volatility -f MyDump.dmp --profile=MyProfile netscan

What commands were last run on the computer
$ volatility -f MyDump.dmp --profile=MyProfile cmdline
$ volatility -f MyDump.dmp --profile=MyProfile consoles
$ volatility -f MyDump.dmp --profile=MyProfile cmdscan

Dump a process's executable and memory
$ volatility -f MyDump.dmp --profile=MyProfile procdump -p MyPid --dump-dir .
$ volatility -f MyDump.dmp --profile=MyProfile memdump -p MyPid --dump-dir .

Hive and Registry key values
$ volatility -f MyDump.dmp --profile=MyProfile hivelist
$ volatility -f MyDump.dmp --profile=MyProfile printkey -K "MyPath"
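A worked example of cross-checking the process plugins listed above, added here and not part of the video or of the Volatility project: the script parses saved `pslist` and `psxview` output, rebuilds the parent/child tree the way `pstree` displays it, and flags any process that `psscan` still finds in memory but `pslist` does not report and that has no exit time (a terminated process is expected to drop out of `pslist`; a live one that is missing deserves a closer look). The plugin output embedded below is a constructed sample in Volatility 2 format, not output from the Cridex image.

```python
"""Cross-check Volatility 2 pslist/psxview output (added example, constructed data)."""
from collections import defaultdict

# Constructed sample of `volatility ... pslist` output (not real case data).
PSLIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x821c89c8 System                    4      0     53      240 ------      0
0x82166020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x81f09b60 winlogon.exe            608    368     23      519      0      0 2012-07-22 02:42:32 UTC+0000
0x81f25a38 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81e37770 reader_sl.exe          1640   1484      5       39      0      0 2012-07-22 02:42:36 UTC+0000
"""

# Constructed sample of `volatility ... psxview` output (not real case data).
# Columns after PID: pslist psscan thrdproc pspcid csrss session deskthrd [ExitTime]
PSXVIEW_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x02511360 explorer.exe           1484 True   True   True     True   True  True    True
0x02495650 reader_sl.exe          1640 True   True   True     True   True  True    True
0x0202ab28 svchost.exe            1440 False  True   False    False  False False   False    2012-07-22 02:42:40 UTC+0000
0x021a2da0 hidden.exe             2160 False  True   True     True   True  True    True
"""


def _data_rows(text):
    """Yield whitespace-split token lists for rows that begin with a hex offset,
    skipping the banner, header and separator lines."""
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith("0x"):
            yield tokens


def parse_pslist(text):
    """Return {pid: (name, ppid)} from pslist output."""
    procs = {}
    for tok in _data_rows(text):
        name, pid, ppid = tok[1], int(tok[2]), int(tok[3])
        procs[pid] = (name, ppid)
    return procs


def render_tree(procs):
    """Return pstree-style lines: each child indented one dot under its PPID.
    A process whose parent is not in the listing becomes a root (e.g. explorer.exe,
    whose parent userinit.exe has already exited)."""
    children = defaultdict(list)
    for pid, (_, ppid) in procs.items():
        children[ppid].append(pid)
    roots = [pid for pid, (_, ppid) in procs.items() if ppid not in procs]
    lines = []

    def walk(pid, depth):
        lines.append(f"{'.' * depth}{procs[pid][0]} ({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return lines


def find_hidden(text):
    """Return [(name, pid)] for psxview rows that psscan found but pslist missed
    and that carry no ExitTime. Rows with an ExitTime are terminated processes
    whose EPROCESS still lingers in memory; those are expected, not suspicious."""
    hidden = []
    for tok in _data_rows(text):
        name, pid = tok[1], int(tok[2])
        flags = [t == "True" for t in tok[3:10]]   # seven boolean columns
        in_pslist, in_psscan = flags[0], flags[1]
        exited = len(tok) > 10                      # ExitTime tokens follow the flags
        if in_psscan and not in_pslist and not exited:
            hidden.append((name, pid))
    return hidden


if __name__ == "__main__":
    print("\n".join(render_tree(parse_pslist(PSLIST_SAMPLE))))
    print("Live processes missing from pslist:", find_hidden(PSXVIEW_SAMPLE))
```

In practice you would redirect each plugin's output to a file (for example `volatility -f MyDump.dmp --profile=MyProfile psxview > psxview.txt`) and pass the file contents to these functions; the parsing relies only on the fixed column order of the Volatility 2 plugins, so any process name without embedded spaces is handled.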

#Volatality #DigitalForensics #MalwareAnalysis
Hshan Shouketh
