Description: In this video I will show you how to use the Volatility Framework for some basic information gathering from a memory image. I will show you how to identify the image profile and how to dump a suspect file.

Commands:

- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 imageinfo
  Image identification: suggests candidate profiles for the memory image.
- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 kpcrscan
  Image identification: scans for KPCR structures to confirm the profile.
- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 kdbgscan
  Image identification: scans for the KDBG structure to confirm the profile.
- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 pslist
  Lists the processes of the system by walking the active process list.
- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 pstree
  Views the process listing in tree (parent/child) form.
- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 psscan
  Enumerates processes using pool tag scanning, which also finds unlinked or terminated processes.
- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 dlllist
  Displays the loaded DLLs of every process.
- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 dlllist --pid=492
  Displays the loaded DLLs of a single process, selected by PID.
- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 dlldump -r kernel32 -D out
  Extracts a DLL (here, any module whose name matches kernel32) from process memory and dumps it to the out directory for analysis.
- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 handles
  Displays the open handles of every process.
- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 handles -p 4 -t Key
  Displays the open handles of PID 4 (System), filtered to registry key handles.
- ./vol.py -f stuxnet.vmem --profile=WinXPSP3x86 getsids
  Views the SIDs (Security Identifiers) associated with each process.

Reference: CommandReference - volatility - Example usage cases and output for Volatility 2.0 commands - An advanced memory forensics framework - Google Project Hosting

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Volatility Image Identification And Processes And Dlls Usage
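The pslist and psscan commands above answer the same question two ways: pslist walks the kernel's linked list of active processes, while psscan carves EPROCESS objects out of memory by pool tag. Diffing the two is a standard check for unlinked (DKOM-hidden) processes. The script below is an added example, not part of the video or of Volatility itself; it parses constructed sample output in the Volatility 2 column layout (the offsets, PIDs and the hidden.exe entry are made up for illustration) and reports processes psscan found that pslist did not.

```python
import re

# Constructed sample output in Volatility 2 pslist layout (not real stuxnet.vmem output).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x81000830 System                    4      0     59      403 ------      0
0x81001020 smss.exe                376      4      3       19 ------      0 2011-06-03 04:26:36 UTC+0000
0x81002510 winlogon.exe            624    376     19      570      0      0 2011-06-03 04:26:38 UTC+0000
0x81003a10 lsass.exe               680    624     19      342      0      0 2011-06-03 04:26:39 UTC+0000
"""

# Constructed sample output in Volatility 2 psscan layout; hidden.exe is present only here.
PSSCAN_SAMPLE = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x01000a00 System                4      0 0x00319000
0x01001020 smss.exe            376      4 0x0a5400e0 2011-06-03 04:26:36 UTC+0000
0x01002510 winlogon.exe        624    376 0x0a5400a0 2011-06-03 04:26:38 UTC+0000
0x01003a10 lsass.exe           680    624 0x0a5400c0 2011-06-03 04:26:39 UTC+0000
0x01004da0 hidden.exe         1928    680 0x0a540200 2011-06-03 04:30:12 UTC+0000
"""

# A data row starts with a hex offset, then name, PID and PPID; header and separator rows do not.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_process_rows(output):
    """Return {(pid, name): ppid} for every data row of pslist- or psscan-style output."""
    rows = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[(int(m.group(2)), m.group(1))] = int(m.group(3))
    return rows


def hidden_processes(pslist_output, psscan_output):
    """Processes found by pool-tag scanning but missing from the linked-list walk.

    A hit is either an EPROCESS unlinked from the active list (DKOM) or a
    terminated process whose pool block has not been reused yet; the psscan
    'Time exited' column and pstree context are what separate the two cases.
    """
    listed = parse_process_rows(pslist_output)
    scanned = parse_process_rows(psscan_output)
    return sorted(set(scanned) - set(listed))


if __name__ == "__main__":
    for pid, name in hidden_processes(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print(f"in psscan but not pslist: PID {pid} {name}")
```

On a real image, feed the script the saved text output of the two commands rather than the constructed samples.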