Description: In this video I will show you how to use the Volatility Framework for some basic information gathering from memory.
I will show you how to identify the image and how to dump a suspect file.
Commands:
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 imageinfo
Image identification
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 kpcrscan
Image identification
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 kdbgscan
Image identification
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 pslist
To list the processes of a system
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 pstree
To view the process listing in tree form, use the pstree command
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 psscan
To enumerate processes using pool tag scanning
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 dlllist
To display a process's loaded DLLs
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 dlllist --pid=492
To display the loaded DLLs of a single process, selected by PID
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 dlldump -r kernel32 -D out
To extract a DLL from a process's memory space and dump it to disk for analysis
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 handles
To display the open handles in a process, use the handles command.
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 handles -p 4 -t Key
To display only the open handles of type Key for the process with PID 4
./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 getsids
To view the SIDs (Security Identifiers) associated with a process
http://code.google.com/p/volatility/wiki/CommandReference#getsids
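The video lists both pslist (walks the active process linked list) and psscan (pool tag scanning); a standard triage step is to diff the two, since a process present in psscan but missing from pslist has been unlinked from the list. The following is an added example, not code from the video: it parses constructed, abbreviated Volatility 2 output for both plugins and reports the psscan-only PIDs.

```python
"""Compare Volatility 2 pslist and psscan output to flag processes that psscan
finds but pslist does not. Added example; both outputs below are constructed
and abbreviated, in Volatility 2's column layout. Real captures would come from
  ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 pslist > pslist.txt
  ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 psscan > psscan.txt
"""
import re

# Constructed sample of `pslist` output (offset, name, PID, PPID, ...).
PSLIST_OUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------
0x823c89c8 System                    4      0     59      403 ------      0
0x820df020 smss.exe                376      4      3       19 ------      0 2010-10-29 17:08:53
0x81e0ab28 lsass.exe               680    624     24      368      0      0 2010-10-29 17:08:54
"""

# Constructed sample of `psscan` output: the same processes plus one entry
# (updater.exe, PID 1312) that the linked-list walk did not report.
PSSCAN_OUT = """\
Offset(P)  Name                PID   PPID PDB        Time created
---------- ---------------- ------ ------ ---------- -------------------
0x023c89c8 System                4      0 0x00319000
0x020df020 smss.exe            376      4 0x00319000 2010-10-29 17:08:53
0x01e0ab28 lsass.exe           680    624 0x00319000 2010-10-29 17:08:54
0x01f3a020 updater.exe        1312    680 0x00319000 2010-10-29 17:12:10
"""

# A data row starts with a hex offset, then name, PID and PPID columns.
ROW_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)", re.IGNORECASE)


def parse_processes(output):
    """Return {pid: (name, ppid)} from pslist or psscan text; headers are skipped."""
    procs = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def hidden_processes(pslist_out, psscan_out):
    """PIDs present in psscan (pool scan) but absent from pslist (linked list)."""
    linked = parse_processes(pslist_out)
    scanned = parse_processes(psscan_out)
    return {pid: scanned[pid] for pid in sorted(scanned) if pid not in linked}


if __name__ == "__main__":
    for pid, (name, ppid) in hidden_processes(PSLIST_OUT, PSSCAN_OUT).items():
        print(f"psscan-only process: {name} PID={pid} PPID={ppid}")
```

Processes that exited shortly before the capture can also appear only in psscan, so each hit still needs to be checked against its exit time before being treated as hidden.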
Tags: volatility, forensics, memory
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors are the same without verifying.