Volatility3 Memory Analysis - Fast Action
--> How to use Volatility3
--> How to check Win10 & WinServer2016 Memories with Volatility3
Install Volatility3
sudo git clone https://github.com/volatilityfoundation/volatility3.git
Image Info
sudo python3 volatility3/vol.py -f memory.mem windows.info
Process List & DLL List & Strings
sudo python3 volatility3/vol.py -f memory.mem windows.pslist.PsList
sudo python3 volatility3/vol.py -f memory.mem windows.psscan.PsScan
sudo python3 volatility3/vol.py -f memory.mem windows.pstree.PsTree
sudo python3 volatility3/vol.py -f memory.mem windows.dlllist | grep <PID>
strings -f memory.mem | grep <keyword>
Network Connections
sudo python3 volatility3/vol.py -f memory.mem windows.netscan.NetScan
#save the network connections to a text file
sudo python3 volatility3/vol.py -f memory.mem windows.netscan.NetScan > netscan.txt
#sort the file on the foreign address column (column 5) in reverse order
sort -nrk 5 netscan.txt | less
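The sort above is a quick triage step, but `sort -n` only reads the leading digits of the foreign address (the first octet), so 10.0.0.25 and 100.x.x.x can land out of order. The script below is an added example, not part of the original post: it post-processes a saved NetScan dump with a four-octet sort key and summarises which foreign ip:port pairs each PID talks to. The sample rows are constructed to mimic the plugin's tab-separated quick-renderer layout (Offset, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner, Created) and are not from a real image; IPv6 peers and sockets without a peer (`*`) are left out.

```shell
#!/bin/sh
# Added example (not from the original post): post-process a saved
# windows.netscan.NetScan dump. The sample below is constructed to mimic the
# plugin's tab-separated quick-renderer output; it is not a real capture.

TAB=$(printf '\t')
NETSCAN_SAMPLE="Volatility 3 Framework 2.0.0
Offset${TAB}Proto${TAB}LocalAddr${TAB}LocalPort${TAB}ForeignAddr${TAB}ForeignPort${TAB}State${TAB}PID${TAB}Owner${TAB}Created
0xe0000a1b2c30${TAB}TCPv4${TAB}192.168.1.10${TAB}49712${TAB}203.0.113.5${TAB}443${TAB}ESTABLISHED${TAB}4212${TAB}svchost.exe${TAB}2021-03-02 10:11:12.000000
0xe0000a1b2d40${TAB}TCPv4${TAB}192.168.1.10${TAB}49713${TAB}203.0.113.5${TAB}443${TAB}ESTABLISHED${TAB}4212${TAB}svchost.exe${TAB}2021-03-02 10:11:13.000000
0xe0000a1b2e50${TAB}TCPv4${TAB}192.168.1.10${TAB}49801${TAB}198.51.100.77${TAB}8080${TAB}ESTABLISHED${TAB}5120${TAB}powershell.exe${TAB}2021-03-02 10:15:00.000000
0xe0000a1b2f60${TAB}TCPv4${TAB}0.0.0.0${TAB}135${TAB}0.0.0.0${TAB}0${TAB}LISTENING${TAB}912${TAB}svchost.exe${TAB}2021-03-02 09:58:01.000000
0xe0000a1b3070${TAB}UDPv4${TAB}0.0.0.0${TAB}5355${TAB}*${TAB}0${TAB}-${TAB}1260${TAB}svchost.exe${TAB}2021-03-02 09:58:05.000000
0xe0000a1b3180${TAB}TCPv4${TAB}192.168.1.10${TAB}49902${TAB}10.0.0.25${TAB}445${TAB}CLOSE_WAIT${TAB}4${TAB}System${TAB}2021-03-02 10:20:44.000000"

# sort -nrk 5 compares only the first octet numerically. Build a zero-padded
# key from all four octets of ForeignAddr (column 5), sort on it, then strip
# the key again. Banner/header lines and non-IPv4 peers do not match the
# pattern and are dropped.
sort_by_foreign_addr() {
    awk '$5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
             split($5, o, ".")
             printf "%03d.%03d.%03d.%03d %s\n", o[1], o[2], o[3], o[4], $0
         }' \
    | LC_ALL=C sort -k1,1 | cut -d' ' -f2-
}

# One line per distinct "foreign ip:port PID owner", most frequent first.
# Listeners (foreign 0.0.0.0) and sockets with no peer (*) are skipped.
foreign_endpoints() {
    awk '$5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $5 != "0.0.0.0" {
             print $5 ":" $6, $8, $9
         }' \
    | LC_ALL=C sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample; on a real case replace the
# sample with: cat netscan.txt | foreign_endpoints
printf '%s\n' "$NETSCAN_SAMPLE" | sort_by_foreign_addr
printf '%s\n' "$NETSCAN_SAMPLE" | foreign_endpoints
```

`foreign_endpoints` is the quicker triage view: a single process with many connections to one external ip:port, or an unexpected owner (here powershell.exe to port 8080) stands out immediately, and the PID can be fed straight into `windows.dlllist` or `windows.cmdline` for follow-up.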
Timeliner (plugin name is case sensitive)
sudo python3 volatility3/vol.py -f memory.mem timeliner.Timeliner > timeliner.txt
sudo sort -nk 3 timeliner.txt | less
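`sort -nk 3` compares only the leading digits of the third column (the year) and then falls back to whole-line comparison, so the result is not strictly chronological. Because the timestamps are year-first, a plain byte-wise sort on the timestamp column already gives chronological order. The script below is an added example, not part of the original post: it pulls one of the four timestamp columns to the front and sorts on it, skipping rows where that column is `N/A`. The rows are constructed in the plugin's tab-separated layout (Plugin, Description, Created Date, Modified Date, Accessed Date, Changed Date) and are not from a real image.

```shell
#!/bin/sh
# Added example (not from the original post): order a saved timeliner.Timeliner
# dump chronologically. The rows below are constructed in the plugin's
# tab-separated layout; they are not from a real image.

TAB=$(printf '\t')
TIMELINER_SAMPLE="Volatility 3 Framework 2.0.0
Plugin${TAB}Description${TAB}Created Date${TAB}Modified Date${TAB}Accessed Date${TAB}Changed Date
PsList${TAB}Process: 5120 powershell.exe (0xe0000a1b2e50)${TAB}2021-03-02 10:15:00.000000${TAB}N/A${TAB}N/A${TAB}N/A
PsList${TAB}Process: 4212 svchost.exe (0xe0000a1b2c30)${TAB}2021-03-02 09:58:01.000000${TAB}N/A${TAB}N/A${TAB}N/A
NetScan${TAB}Network connection: Process 5120 198.51.100.77:8080 ESTABLISHED${TAB}2021-03-02 10:15:00.000000${TAB}N/A${TAB}N/A${TAB}N/A
Registry${TAB}Registry key: HKLM SYSTEM ControlSet001 Services${TAB}N/A${TAB}2021-03-02 10:14:58.000000${TAB}N/A${TAB}N/A
MFTScan${TAB}MFT FILE_NAME entry for Users user update.ps1${TAB}2021-03-01 22:00:00.000000${TAB}N/A${TAB}N/A${TAB}N/A"

# Print "timestamp<TAB>plugin<TAB>description" for every row whose column $1
# holds a timestamp (3=Created, 4=Modified, 5=Accessed, 6=Changed), then sort.
# The year-first timestamp format means a byte-wise sort is chronological.
# Rows with N/A in that column, the banner and the header are dropped.
timeline_by_column() {
    awk -F "$TAB" -v OFS="$TAB" -v col="$1" \
        '$col ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/ { print $col, $1, $2 }' \
    | LC_ALL=C sort
}

# Stand-alone run on the constructed sample; on a real case use
# timeline_by_column 3 < timeliner.txt | less
printf '%s\n' "$TIMELINER_SAMPLE" | timeline_by_column 3
```

Reading the sorted view from the bottom up shows the last things that happened before the capture; switching the column argument to 4 gives the same view ordered by modification time, which is where registry and file-system artefacts usually carry their useful timestamp.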
Process List
sudo python3 volatility3/vol.py -f memory.mem windows.pslist.PsList
sudo python3 volatility3/vol.py -f memory.mem windows.psscan.PsScan
sudo python3 volatility3/vol.py -f memory.mem windows.pstree.PsTree
Yara Scan
sudo python3 volatility3/vol.py -f memory.mem windows.vadyarascan.VadYaraScan --yara-rules "http"
sudo python3 volatility3/vol.py -f memory.mem windows.vadyarascan.VadYaraScan --yara-rules "https://"
#--yara-file expects the path of a .yar rule file, not a search string