Volatility - Cheatsheet

#volatility
#cheatsheet
#forensics
#blue

Installation

Vol3

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 setup.py install
python3 vol.py -h

Vol2

# From source
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py install


Identify Image

Vol2

vol.py -f <memory_dump> imageinfo
vol.py -f <memory_dump> kdbgscan

Vol3

vol.py -f <memory_dump> windows.info


Processes

List / scan / tree

# Vol2
vol.py -f <memory_dump> --profile <profile> pslist
vol.py -f <memory_dump> --profile <profile> psscan
vol.py -f <memory_dump> --profile <profile> pstree
vol.py -f <memory_dump> --profile <profile> psxview

# Vol3
vol.py -f <memory_dump> windows.pslist
vol.py -f <memory_dump> windows.psscan
vol.py -f <memory_dump> windows.pstree

Dump process

# Vol2
vol.py -f <memory_dump> --profile <profile> procdump -p <PID> --dump-dir="/output"

# Vol3 - equivalent of procdump (extracts the process image)
vol.py -f <memory_dump> -o "/output" windows.pslist --dump --pid <PID>
# dumpfiles --pid extracts the file objects the process has open, not the process image
vol.py -f <memory_dump> -o "/output" windows.dumpfiles --pid <PID>

Dump process memory

# Vol2
vol.py -f <memory_dump> --profile <profile> memdump -p <PID> --dump-dir="/output"

# Vol3
vol.py -f <memory_dump> -o "/output" windows.memmap --dump --pid <PID>

Handles

# Vol2
vol.py -f <memory_dump> --profile <profile> handles -p <PID>

# Vol3
vol.py -f <memory_dump> windows.handles --pid <PID>

Loaded DLLs

# Vol2
vol.py -f <memory_dump> --profile <profile> dlllist -p <PID>

# Vol3
vol.py -f <memory_dump> windows.dlllist --pid <PID>

Command line

# Vol2
vol.py -f <memory_dump> --profile <profile> cmdline
vol.py -f <memory_dump> --profile <profile> cmdscan
vol.py -f <memory_dump> --profile <profile> consoles

# Vol3 (cmdscan / consoles need a recent Vol3 release)
vol.py -f <memory_dump> windows.cmdline
vol.py -f <memory_dump> windows.cmdscan
vol.py -f <memory_dump> windows.consoles

Environment variables

# Vol2
vol.py -f <memory_dump> --profile <profile> envars
vol.py -f <memory_dump> --profile <profile> envars -p <PID>

# Vol3
vol.py -f <memory_dump> windows.envars.Envars [--pid <PID>]

SIDs / privileges

# Vol2
vol.py -f <memory_dump> --profile <profile> getsids
vol.py -f <memory_dump> --profile <profile> getsids -p <PID>
vol.py -f <memory_dump> --profile <profile> privs --pid <PID>

# Vol3
vol.py -f <memory_dump> windows.getsids.GetSIDs [--pid <PID>]
vol.py -f <memory_dump> windows.privileges.Privs [--pid <PID>]


Network

# Vol2
vol.py -f <memory_dump> --profile <profile> netscan
vol.py -f <memory_dump> --profile <profile> netstat

# Vol3
vol.py -f <memory_dump> windows.netscan
vol.py -f <memory_dump> windows.netstat


Services

# Vol2
vol.py -f <memory_dump> --profile <profile> svcscan
vol.py -f <memory_dump> --profile <profile> getservicesids

# Vol3
vol.py -f <memory_dump> windows.svcscan.SvcScan
vol.py -f <memory_dump> windows.getservicesids.GetServiceSIDs


Registry

List hives

# Vol2
vol.py -f <memory_dump> --profile <profile> hivescan
vol.py -f <memory_dump> --profile <profile> hivelist

# Vol3
vol.py -f <memory_dump> windows.registry.hivescan
vol.py -f <memory_dump> windows.registry.hivelist

Print key

# Vol2
vol.py -f <memory_dump> --profile <profile> printkey
vol.py -f <memory_dump> --profile <profile> printkey -K "Software\Microsoft\Windows\CurrentVersion"

# Vol3
vol.py -f <memory_dump> windows.registry.printkey
vol.py -f <memory_dump> windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion"

Dump hive

# Vol2
vol.py -f <memory_dump> --profile <profile> hivedump -o <offset>

# Vol3 - hivelist can extract the hives it lists
vol.py -f <memory_dump> -o "/output" windows.registry.hivelist --dump


Credentials

# Vol2
vol.py -f <memory_dump> --profile <profile> hashdump
vol.py -f <memory_dump> --profile <profile> cachedump
vol.py -f <memory_dump> --profile <profile> lsadump

# Vol3
vol.py -f <memory_dump> windows.hashdump.Hashdump
vol.py -f <memory_dump> windows.cachedump.Cachedump
vol.py -f <memory_dump> windows.lsadump.Lsadump


Files

Scan files

# Vol2
vol.py -f <memory_dump> --profile <profile> filescan

# Vol3
vol.py -f <memory_dump> windows.filescan

Dump files

# Vol2
vol.py -f <memory_dump> --profile <profile> dumpfiles --dump-dir="/output"
vol.py -f <memory_dump> --profile <profile> dumpfiles --dump-dir="/output" -Q <offset>
vol.py -f <memory_dump> --profile <profile> dumpfiles --dump-dir="/output" -p <PID>

# Vol3
vol.py -f <memory_dump> -o "/output" windows.dumpfiles
vol.py -f <memory_dump> -o "/output" windows.dumpfiles --virtaddr <offset>
vol.py -f <memory_dump> -o "/output" windows.dumpfiles --physaddr <offset>


Malware / Hunting

Detect injected code

# Vol2
vol.py -f <memory_dump> --profile <profile> malfind

# Vol3
vol.py -f <memory_dump> windows.malfind

API hooks

# Vol2 only
vol.py -f <memory_dump> --profile <profile> apihooks
vol.py -f <memory_dump> --profile <profile> apihooks -p <PID>

SSDT (System Service Descriptor Table)

# Vol2
vol.py -f <memory_dump> --profile <profile> ssdt

# Vol3
vol.py -f <memory_dump> windows.ssdt.SSDT

Driver scan / IRP hooks

# Vol2
vol.py -f <memory_dump> --profile <profile> driverscan
vol.py -f <memory_dump> --profile <profile> driverirp

# Vol3
vol.py -f <memory_dump> windows.driverscan.DriverScan
vol.py -f <memory_dump> windows.driverirp.DriverIrp

Mutexes

# Vol2
vol.py -f <memory_dump> --profile <profile> mutantscan

# Vol3
vol.py -f <memory_dump> windows.mutantscan.MutantScan

YARA scan

# Vol2
vol.py -f <memory_dump> --profile <profile> yarascan -y "/path/to/rules.yar"

# Vol3
vol.py -f <memory_dump> windows.vadyarascan --yara-rules <string>
vol.py -f <memory_dump> windows.vadyarascan --yara-file "/path/to/rules.yar"
vol.py -f <memory_dump> yarascan.yarascan --yara-file "/path/to/rules.yar"


User Activity

Clipboard

# Vol2 only
vol.py -f <memory_dump> --profile <profile> clipboard

UserAssist (executed programs)

# Vol2
vol.py -f <memory_dump> --profile <profile> userassist

# Vol3
vol.py -f <memory_dump> windows.registry.userassist

Screenshot

# Vol2 only
vol.py -f <memory_dump> --profile <profile> screenshot --dump-dir="/output"

Notepad content

# Vol2 only
vol.py -f <memory_dump> --profile <profile> notepad

IE history

# Vol2 only
vol.py -f <memory_dump> --profile <profile> iehistory


Misc

MFT parser

# Vol2
vol.py -f <memory_dump> --profile <profile> mftparser

# Vol3
vol.py -f <memory_dump> windows.mftscan.MFTScan

Timeline

# Vol2
vol.py -f <memory_dump> --profile <profile> timeliner

# Vol3
vol.py -f <memory_dump> timeliner.Timeliner

Strings per process

# -t d prints decimal offsets, which the Vol2 strings plugin expects;
# -e l adds 16-bit little-endian (UTF-16) strings, common in Windows memory
strings -a -t d <memory_dump> > strings.txt
strings -a -t d -e l <memory_dump> >> strings.txt

# Vol2
vol.py -f <memory_dump> --profile <profile> strings -s strings.txt

Dump certs / SSL keys

# Vol2 only
vol.py -f <memory_dump> --profile <profile> dumpcerts --dump-dir="/output"

autoVolatility3

# https://github.com/H3xKatana/autoVolatility3
python3 autovol3.py -f <memory_dump> -o /output -s full     # all plugins
python3 autovol3.py -f <memory_dump> -o /output -s normal   # balanced
python3 autovol3.py -f <memory_dump> -o /output -s minimal  # limited set

autoVolatility (Vol2)

# https://github.com/carlospolop/autoVolatility
python autoVolatility.py -f <memory_dump> -d /output -e /path/to/vol.py