Memory Forensics Cheat Sheet V1.2 Page 2

Getting Started with Volatility™

Getting Help
# vol.py -h                 (show options and supported plugins)
# vol.py plugin -h          (show plugin usage)
# vol.py --info             (show available OS profiles)

Sample Command Line
# vol.py -f image --profile=profile plugin

Identify System Profile
imageinfo  - Display memory image metadata
# vol.py -f mem.img imageinfo

Using Environment Variables
Set name of memory image (takes the place of -f)
# export VOLATILITY_LOCATION=file:///images/mem.img
Set profile type (takes the place of --profile=)
# export VOLATILITY_PROFILE=WinXPSP3x86

Identify Rogue Processes
pslist  - High level view of running processes
# vol.py pslist
psscan  - Scan memory for EPROCESS blocks
# vol.py psscan
pstree  - Display parent-process relationships
# vol.py pstree

Analyze Process DLLs and Handles
dlllist  - List of loaded DLLs by process
  -p   Show information only for specific process identifiers (PIDs)
# vol.py dlllist -p 4,868
getsids  - Print process security identifiers
  -p   Show information only for specific PIDs
# vol.py getsids -p 868
handles  - List of open handles for each process
  -p   Show information only for specific PIDs
  -t   Display only handles of a certain type
       {Process, Thread, Key, Event, File, Mutant, Token, Port}
# vol.py handles -p 868 -t Process,Mutant

Review Network Artifacts
connections  - [XP] List of open TCP connections
# vol.py connections
connscan  - [XP] ID TCP connections, including closed
# vol.py connscan
sockets  - [XP] Print listening sockets (any protocol)
# vol.py sockets
sockscan  - [XP] ID sockets, including closed/unlinked
# vol.py sockscan
netscan  - [Win7] Scan for connections and sockets
# vol.py netscan

Look for Evidence of Code Injection
malfind  - Find injected code and dump sections
  -p   Show information only for specific PIDs
  -o   Provide physical offset of single process to scan
  --dump-dir   Directory to save memory sections
# vol.py malfind --dump-dir ./output_dir
ldrmodules  - Detect unlinked DLLs
  -p   Show information only for specific PIDs
  -v   Verbose: show full paths from three DLL lists
# vol.py ldrmodules -p 868 -v

Check for Signs of a Rootkit
psxview  - Find hidden processes using cross-view
# vol.py psxview
modscan  - Scan memory for loaded, unloaded, and unlinked drivers
# vol.py modscan
apihooks  - Find API/DLL function hooks
  -p   Operate only on specific PIDs
  -Q   Only scan critical processes and DLLs
# vol.py apihooks
ssdt  - Hooks in System Service Descriptor Table
# vol.py ssdt | egrep -v '(ntoskrnl|win32k)'
driverirp  - Identify I/O Request Packet (IRP) hooks
  -r   Analyze drivers matching REGEX name pattern
# vol.py driverirp -r tcpip
idt  - Display Interrupt Descriptor Table
# vol.py idt

Dump Suspicious Processes and Drivers
dlldump  - Extract DLLs from specific processes
  -p   Dump DLLs only for specific PIDs
  -b   Dump DLLs from process at physical memory offset
  -r   Dump DLLs matching REGEX name
  --dump-dir   Directory to save extracted files
# vol.py dlldump --dump-dir ./output -r metsrv
moddump  - Extract kernel drivers
  -o   Dump driver using offset address (from modscan)
  -r   Dump drivers matching REGEX name
  --dump-dir   Directory to save extracted files
# vol.py moddump --dump-dir ./output -r gaopdx
procmemdump  - Dump process to executable sample
  -p   Dump only specific PIDs
  -o   Specify process by physical memory offset
  --dump-dir   Directory to save extracted files
# vol.py procmemdump --dump-dir ./output -p 868
memdump  - Dump every memory section into a file
  -p   Dump memory sections from these PIDs
  --dump-dir   Directory to save extracted files
# vol.py memdump --dump-dir ./output -p 868
filescan  - Scan memory for FILE_OBJECT handles
# vol.py filescan
svcscan  - Scan for Windows Service information
# vol.py svcscan
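The cheat sheet lists pslist, psscan and psxview without showing why the cross-view matters: pslist walks the kernel's linked list of EPROCESS blocks, so a process that a rootkit has unlinked (DKOM) simply vanishes from it, while psscan carves EPROCESS blocks out of physical memory by signature and still finds the block. The script below is an added example, not part of the SANS cheat sheet or of Volatility, that reproduces the pslist/psscan half of psxview's comparison over constructed sample output. The column layouts follow Volatility 2.6 text output and the token counts used to detect an Exit timestamp are an assumption tied to that layout; the process rows, names (update.exe, notepad.exe) and offsets are made up for the example.

```python
"""Cross-view check for hidden processes from Volatility 2 pslist/psscan output.

A live process present in psscan but absent from pslist has been unlinked
from the kernel's process list and is a hidden-process (DKOM) candidate.
Exited processes are excluded: they are legitimately unlinked but psscan
still carves their stale EPROCESS blocks. Added example; sample rows are
constructed, not from a real image.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    exited: bool  # row carries an Exit / "Time exited" timestamp


Key = Tuple[str, int]  # (name, pid): PIDs are reused after a process exits


def _rows(text: str) -> List[List[str]]:
    """Tokenise data rows, skipping the banner, header and separator lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("Volatility", "Offset", "---")):
            out.append(line.split())
    return out


def parse_pslist(text: str) -> Dict[Key, Proc]:
    """Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start [Exit]; every
    timestamp is 3 tokens, so a row with an Exit stamp has 14 tokens."""
    procs = {}
    for t in _rows(text):
        p = Proc(t[1], int(t[2]), int(t[3]), exited=len(t) >= 14)
        procs[(p.name, p.pid)] = p
    return procs


def parse_psscan(text: str) -> Dict[Key, Proc]:
    """Offset(P) Name PID PPID PDB 'Time created' ['Time exited'];
    8 tokens for a live process, 11 once it has exited."""
    procs = {}
    for t in _rows(text):
        p = Proc(t[1], int(t[2]), int(t[3]), exited=len(t) >= 11)
        procs[(p.name, p.pid)] = p
    return procs


def cross_view(pslist: Dict[Key, Proc], psscan: Dict[Key, Proc]) -> List[dict]:
    """One row per process seen in either view (psxview's pslist/psscan columns)."""
    rows = []
    for key in sorted(set(pslist) | set(psscan), key=lambda k: k[1]):
        p = psscan.get(key) or pslist[key]
        rows.append({"name": p.name, "pid": p.pid, "ppid": p.ppid,
                     "pslist": key in pslist, "psscan": key in psscan,
                     "exited": p.exited})
    return rows


def hidden_processes(pslist_text: str, psscan_text: str) -> List[Proc]:
    """Live processes psscan found but pslist did not: DKOM candidates."""
    rows = cross_view(parse_pslist(pslist_text), parse_psscan(psscan_text))
    return [Proc(r["name"], r["pid"], r["ppid"], r["exited"])
            for r in rows if r["psscan"] and not r["pslist"] and not r["exited"]]


# Constructed sample output. cmd.exe has exited and is still in both views;
# notepad.exe exited and has been reaped from the list; update.exe is live
# but appears only in psscan, which is the case worth flagging.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name            PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- ------------ ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System            4      0     53      240 ------      0
0x82176730 smss.exe        368      4      3       19 ------      0 2010-02-05 12:13:09 UTC+0000
0x81e96da0 services.exe    652    608     16      243      0      0 2010-02-05 12:13:10 UTC+0000
0x81f08b28 svchost.exe     836    652     20      194      0      0 2010-02-05 12:13:13 UTC+0000
0x81f10da0 explorer.exe   1464   1440     17      415      0      0 2010-02-05 12:13:20 UTC+0000
0x81dd8020 cmd.exe        1972   1464      0 --------      0      0 2010-02-05 12:20:01 UTC+0000 2010-02-05 12:31:45 UTC+0000
"""

SAMPLE_PSSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name            PID   PPID PDB        Time created                   Time exited
------------------ ------------ ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001bc89c8 System            4      0 0x00039000 2010-02-05 12:13:08 UTC+0000
0x0000000001d76730 smss.exe        368      4 0x0a140020 2010-02-05 12:13:09 UTC+0000
0x0000000001a96da0 services.exe    652    608 0x0a1400a0 2010-02-05 12:13:10 UTC+0000
0x0000000001b08b28 svchost.exe     836    652 0x0a140180 2010-02-05 12:13:13 UTC+0000
0x0000000001b10da0 explorer.exe   1464   1440 0x0a140260 2010-02-05 12:13:20 UTC+0000
0x0000000001f6a020 update.exe     1296   1464 0x0a2c0200 2010-02-05 12:25:33 UTC+0000
0x0000000001e2c7a0 notepad.exe    2020   1464 0x0a2c0340 2010-02-05 12:22:10 UTC+0000 2010-02-05 12:24:02 UTC+0000
0x00000000019d8020 cmd.exe        1972   1464 0x0a2c0380 2010-02-05 12:20:01 UTC+0000 2010-02-05 12:31:45 UTC+0000
"""

if __name__ == "__main__":
    for r in cross_view(parse_pslist(SAMPLE_PSLIST), parse_psscan(SAMPLE_PSSCAN)):
        print(f"{r['name']:<14}{r['pid']:>6}  pslist={r['pslist']!s:<5} "
              f"psscan={r['psscan']!s:<5} exited={r['exited']}")
    for p in hidden_processes(SAMPLE_PSLIST, SAMPLE_PSSCAN):
        print(f"HIDDEN: {p.name} (PID {p.pid}, PPID {p.ppid})")
```

Run against real output by saving `vol.py pslist` and `vol.py psscan` to files and passing their contents to hidden_processes. A hit is a lead, not a verdict: confirm it with the other psxview columns and with handles, dlllist and malfind on the flagged PID, and remember that a process missing from psscan but present in pslist usually just means its EPROCESS page was not resident, not that anything was hidden.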
