Praetorian503 Posted January 20, 2013 Report Posted January 20, 2013 Description: In this video I will show you how to use Volatility Framework for some basic information gathering for the memory.I will show you how to identify the Image and how to dump suspect fileCommands : -./vol.py –f stuxnet.vmem –profile=WinXPSP3x86 imageinfoImage Identification./vol.py –f stuxnet.vmem –profile=WinXPSP3x86 kpcrscanImage Identification./vol.py –f stuxnet.vmem –profile=WinXPSP3x86 kdbgscanImage Identification./vol.py –f stuxnet.vmem –profile=WinXPSP3x86 pslistTo list the processes of a system./vol.py –f stuxnet.vmem –profile=WinXPSP3x86 pstreeTo view the process listing in tree form, use the pstree command./vol.py –f stuxnet.vmem –profile=WinXPSP3x86 psscanTo enumerate processes using pool tag scanning./vol.py –f stuxnet.vmem –profile=WinXPSP3x86 dlllistTo display a process's loaded DLLs./vol.py –f stuxnet.vmem –profile=WinXPSP3x86 dlllist --pid=492To extract a DLL from a process's memory space and dump it to disk for analysis./vol.py –f stuxnet.vmem –profile=WinXPSP3x86 dlldump -r kernel32 -D outTo extract a DLL from a process's memory space and dump it to disk for analysis./vol.py –f stuxnet.vmem –profile=WinXPSP3x86 handlesTo display the open handles in a process, use the handles command../vol.py –f stuxnet.vmem –profile=WinXPSP3x86 handles -p 4 -t KeyTo display the open handles in a process, use the handles command../vol.py –f stuxnet.vmem –profile=WinXPSP3x86 getsidsTo view the SIDs (Security Identifiers) associated with a processCommandReference - volatility - Example usage cases and output for Volatility 2.0 commands - An advanced memory forensics framework - Google Project HostingDisclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.Original Source: Source: Volatility Image Identification And Processes And Dlls Usage 1 Quote