Memory Forensics (Volatility 3)
OS Information
Desc: vol3 this plugin gives OS information
./vol.py -f file.dmp windows.info.InfoHashes/Passwords
Desc: Extract SAM hashes, domain cached credentials and lsa secrets.
./vol.py -f file.dmp windows.hashdump.Hashdump #Grab common windows hashes (SAM+SYSTEM)
./vol.py -f file.dmp windows.cachedump.Cachedump #Grab domain cache hashes inside the registry
./vol.py -f file.dmp windows.lsadump.Lsadump #Grab lsa secretsProcesses
List processes
python3 vol.py -f file.dmp windows.pstree.PsTree # Get processes tree (not hidden)
python3 vol.py -f file.dmp windows.pslist.PsList # Get process list (EPROCESS)
python3 vol.py -f file.dmp windows.psscan.PsScan # Get hidden process list(malware)Dump proc
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid <pid> #Dump the .exe and dlls of the process in the current directoryCommand line
Desc: Anything suspicious was executed?
python3 vol.py -f file.dmp windows.cmdline.CmdLine #Display process command-line argumentsServices
./vol.py -f file.dmp windows.svcscan.SvcScan #List services
./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of servicesStrings Per Processes
Volatility allows us to check which process a string belongs to.
strings file.dmp > /tmp/strings.txt
./vol.py -f /tmp/file.dmp windows.strings.Strings --strings-file /tmp/strings.txtDesc: It also allows to search for strings inside a process using the yarascan module:
./vol.py -f file.dmp windows.vadyarascan.VadYaraScan --yara-rules "https://" --pid 3692 3840 3976 3312 3084 2784
./vol.py -f file.dmp yarascan.YaraScan --yara-rules "https://"Environment
Get the env variables of each running process. There could be some interesting values.
python3 vol.py -f file.dmp windows.envars.Envars [--pid <pid>] #Display process environment variablesToken privileges
Check for privileges tokens in unexpected services. It could be interesting to list the processes using some privileged token. Desc: Get enabled privileges of some processes
python3 vol.py -f file.dmp windows.privileges.Privs [--pid <pid>]Desc: Get all processes with interesting privileges
python3 vol.py -f file.dmp windows.privileges.Privs | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"SIDs
Check each SSID owned by a process, it could be interesting to list the processes using a privileges SID (and the processes using some service SID).
./vol.py -f file.dmp windows.getsids.GetSIDs [--pid <pid>] #Get SIDs of processes
./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of servicesHandles
Useful to know to which other files, keys, threads, processes... a process has a handle for (has opened)
vol.py -f file.dmp windows.handles.Handles [--pid <pid>]DLLs
./vol.py -f file.dmp windows.dlllist.DllList [--pid <pid>] #List dlls used by each
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid <pid> #Dump the .exe and dlls of the process in the current directory processUserAssist
Windows systems maintain a set of keys in the registry database (UserAssist keys) to keep track of programs that are executed. The number of executions and last execution date and time is available in these keys.
./vol.py -f file.dmp windows.registry.userassist.UserAssistNetwork
./vol.py -f file.dmp windows.netscan.NetScanRegistry hive
Print available hives
./vol.py -f file.dmp windows.registry.hivelist.HiveList #List roots
./vol.py -f file.dmp windows.registry.printkey.PrintKey #List roots and get initial subkeysGet a value
./vol.py -f file.dmp windows.registry.printkey.PrintKey --key "Software\Microsoft\Windows NT\CurrentVersion"Filesystem
Scan/dump
./vol.py -f file.dmp windows.filescan.FileScan #Scan for files inside the dump
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --physaddr <0xAAAAA> #Offset from previous commandSSL Keys/Certs
Desc: search for certificates inside the registry
./vol.py -f file.dmp windows.registry.certificates.CertificatesMalware
./vol.py -f file.dmp windows.malfind.Malfind [--dump] #Find hidden and injected code, [dump each suspicious section]Malfind will search for suspicious structures related to malware
./vol.py -f file.dmp windows.driverirp.DriverIrp #Driver IRP hook detection
./vol.py -f file.dmp windows.ssdt.SSDT #Check system call address from unexpected addresses./vol.py -f file.dmp linux.check_afinfo.Check_afinfo #Verifies the operation function pointers of network protocols
./vol.py -f file.dmp linux.check_creds.Check_creds #Checks if any processes are sharing credential structures
./vol.py -f file.dmp linux.check_idt.Check_idt #Checks if the IDT has been altered
./vol.py -f file.dmp linux.check_syscall.Check_syscall #Check system call table for hooks
./vol.py -f file.dmp linux.check_modules.Check_modules #Compares module list to sysfs info, if available
./vol.py -f file.dmp linux.tty_check.tty_check #Checks tty devices for hooksScanning with Yara
Use this script to download and merge all the yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9 Create the rules directory and execute it. This will create a file called malware_rules.yar which contains all the yara rules for malware.
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.pyOnly Windows
./vol.py -f file.dmp windows.vadyarascan.VadYaraScan --yara-file /tmp/malware_rules.yarAll
./vol.py -f file.dmp yarascan.YaraScan --yara-file /tmp/malware_rules.yarMutexes
./vol.py -f file.dmp windows.mutantscan.MutantScanSymlinks
./vol.py -f file.dmp windows.symlinkscan.SymlinkScanTimeLine
./vol.py -f file.dmp timeLiner.TimeLinerDrivers
./vol.py -f file.dmp windows.driverscan.DriverScanLast updated