
How to use memory Forensics tool Volatility

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how to use the memory forensics tool Volatility. Most people are not very familiar with it, so the commands below are collected here for reference.

Some common Volatility commands:

imageinfo

Identify the operating system:

volatility -f example.raw imageinfo

pslist / pstree / psscan

List processes:

volatility -f example.raw --profile=Win7SP1x64 pslist   # Win7SP1x64 is the profile for the operating system identified by imageinfo

filescan

Scan for files:

volatility -f example.raw --profile=Win7SP1x64 filescan | grep -E 'txt|png|jpg|gif|zip|rar|7z|pdf|doc'
volatility -f example.raw --profile=Win7SP1x64 filescan | grep TMP_User   # search for files in the specified folder

dumpfiles

volatility -f wuliao.data --profile=Win7SP1x64 dumpfiles -Q 0x000000007f142f20 -D ./ -u

cmdscan

# View the command history typed at the terminal

dumpfiles / memdump

Export a process or a file:

volatility -f example.raw --profile=Win7SP1x64 memdump -p [PID] -D ./   # -D ./ exports to the current directory

or

volatility -f example.raw --profile=Win7SP1x64 dumpfiles -Q [Offset] -D ./

Calling a plugin

volatility [plugin] -f example.raw --profile=Win7SP1x64

Extract the cmd commands retained in memory:

volatility -f mem.vmem --profile=WinXPSP2x86 cmdscan

Get the current network connections:

volatility -f mem.vmem --profile=WinXPSP2x86 netscan

# A typical question when analysing a memory image: which remote address has established a TCP connection with the local host? netscan is generally used to answer this rather than a separate plugin.
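The question above is usually answered by reading the netscan table by eye. As an added example that is not from the original article, the Python script below parses Volatility 2 netscan output (a constructed sample is embedded; it is not real evidence) and lists the remote addresses with an ESTABLISHED TCP connection together with the process that owns each one, which is what an analyst wants when deciding whether a connection is expected for that program. The column layout assumed here is Volatility 2's netscan format.

```python
import re

# Constructed sample of Volatility 2 `netscan` output (not taken from a real image).
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13e2d2c8         TCPv4    192.168.1.5:49160              192.0.2.10:443       ESTABLISHED      1234     chrome.exe
0x13e30a40         UDPv4    0.0.0.0:5355                   *:*                                   880      svchost.exe    2020-09-13 12:40:00 UTC+0000
0x13e5cda0         TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x13e71b10         TCPv4    192.168.1.5:49201              198.51.100.23:443    ESTABLISHED      2088     powershell.exe
0x13e7f2a0         TCPv6    ::1:49300                      ::1:135              CLOSED           600      svchost.exe
"""

# One netscan row. The State column is empty for UDP sockets, so it is optional and
# restricted to upper-case words so that it can never swallow the numeric Pid.
# Caveat: a row whose Owner column is blank in real output would have its Created
# column read as the owner; check for that before trusting the owner field.
NETSCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<proto>TCP|UDP)v(?P<ipver>4|6)\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>-?\d+)\s+"
    r"(?P<owner>\S+)"
    r"(?:\s+(?P<created>\S.*?))?\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); using the last colon keeps IPv6 hosts intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netscan(text):
    """Parse netscan output into a list of dicts; header, blank and unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = NETSCAN_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["remote_ip"], rec["remote_port"] = split_endpoint(rec["foreign"])
        records.append(rec)
    return records


def established_remote_addresses(records):
    """Remote IPs holding an ESTABLISHED TCP connection to the local host."""
    return sorted({r["remote_ip"] for r in records
                   if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"})


def established_by_process(records):
    """Map (pid, owner) -> remote endpoints, so each outbound connection can be
    judged against the program that holds it."""
    by_proc = {}
    for r in records:
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            by_proc.setdefault((r["pid"], r["owner"]), []).append(r["foreign"])
    return by_proc


if __name__ == "__main__":
    recs = parse_netscan(SAMPLE_NETSCAN)
    print("Established remote addresses:", established_remote_addresses(recs))
    for (pid, owner), remotes in established_by_process(recs).items():
        print(f"  pid {pid} ({owner}) -> {', '.join(remotes)}")
```

To use it on a real image, redirect the plugin output to a file (volatility -f mem.vmem --profile=... netscan > netscan.txt) and pass the file contents to parse_netscan. Grouping by owning process is the useful part: a browser talking to port 443 is unremarkable, while the same connection from a scripting host deserves a closer look at that process with pslist, cmdscan and memdump.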

Get the IE browser usage:

volatility -f mem.vmem --profile=WinXPSP2x86 iehistory

hivelist: view the registry hives cached in memory:

volatility -f bb.raw --profile=Win7SP1x86 hivelist

userassist: extract the programs recorded as run in memory, how many times each was run, the time of the last run, and other information:

volatility -f bb.raw --profile=Win7SP1x86 userassist

To obtain the system password hashes in memory, use hashdump, giving the virtual address of the SYSTEM hive (-y) and of the SAM hive (-s):

volatility -f mem.vmem --profile=WinXPSP2x86 hashdump -y (virtual address of the SYSTEM hive) -s (virtual address of the SAM hive)
volatility -f mem.vmem --profile=WinXPSP2x86 hashdump -y 0xe1035b60 -s 0xe16aab60

printkey: get the users in the SAM table, for example:

volatility -f mem.vmem --profile=WinXPSP2x86 printkey -K "SAM\Domains\Account\Users\Names"

This finds four accounts: Administrator, Guest, HelpAssistant, SUPPORT_388945a0.

hashdump: get the system password hashes in memory:

volatility -f bb.raw --profile=Win7SP1x86 hashdump

To extract as much information from memory as possible, use the timeliner plugin. It collects system activity information from multiple locations:

volatility -f mem.vmem --profile=Win7SP1x86 timeliner
volatility -f mem.vmem --profile=Win7SP1x86 timeliner | grep Company_Files   # find the access details of files under the specified folder; the output can be redirected to a file with >

# This shows who did what and when. It generally produces a lot of data, so redirect it to a file and then search through it.

# If the access records of some files or folders under this folder cannot be found, dump the process that accessed the folder and then use strings to search for keywords

# for example, strings 3484.dmp | grep 'Stephen'

getsids: check the SIDs:

volatility -f bb.raw --profile=Win7SP1x86_23418 getsids

# The SID of the user you are looking for may be scattered through the output, so look carefully

Common plugins

View the currently displayed Notepad text:

volatility notepad -f file.raw --profile=WinXPSP2x86

View the password hashes in the current operating system, i.e. the contents of the Windows SAM file:

volatility hashdump -f file.raw --profile=WinXPSP2x86

View all processes:

volatility psscan -f file.raw --profile=WinXPSP2x86

Scan the full file list:

volatility filescan -f file.raw --profile=WinXPSP2x86

Scan Windows services:

volatility svcscan -f file.raw --profile=WinXPSP2x86

View network connections:

volatility connscan -f file.raw --profile=WinXPSP2x86

View operations on the command line:

volatility cmdscan -f file.raw --profile=WinXPSP2x86

Dump the process with the given PID into the folder dump_dir:

volatility memdump -p 120 -f file.raw --profile=WinXPSP2x86 --dump-dir=dump_dir

For the dumped process files, foremost can be used to carve out the embedded files. binwalk -e often has problems with them, and the extracted files then need to be repaired.

Generate screenshots of the current window interface:

volatility screenshot -f file.raw --profile=WinXPSP2x86 --dump-dir=out

Some ideas

1. The time when Windows was installed on the computer

Look for the system information under the Microsoft path:

volatility -f memdump.mem --profile=Win7SP1x86_23418 -o 0x8bd898e8 printkey -K "WOW6432Node\Microsoft"

printkey: print registry keys together with their subkeys and values

-o specifies the virtual address of the registry hive (as listed by hivelist)

General system information exists in

We can pass the hive's virtual address with -o to printkey to get the key.

Then drill down through the subkeys step by step.

The InstallDate value gives the installation time, and it can also be roughly judged from the key's Last updated timestamp. The system information is normally recorded at the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate.

2. Computer name

The computer name is stored in the SYSTEM registry hive.

Specific location: ControlSet001\Control\ComputerName\ComputerName

We can use the command:

volatility -f memdump.mem --profile=Win7SP1x86_23418 -o 0x8bc1a1c0 printkey -K "ControlSet001\Control\ComputerName\ComputerName"

3. View TCP connections

volatility -f memdump.mem --profile=Win7SP1x86_23418 timeliner | grep TCP

4. Forensics of external storage devices (USB)

1. First use volatility -h | grep service to find the commands related to the device.

volatility -h | grep service

2. Then use the service scan command to check for traces of USB use.

volatility -f memdump.mem --profile=Win7SP1x86_23418 svcscan | grep usb

3. Look for the key at the hive's virtual address and query the USB device usage in the registry (the registry path related to USB devices is ControlSet001\Enum\USBSTOR).

Path: ControlSet001\Enum\USBSTOR

Use the command:

volatility -f memdump.mem --profile=Win7SP1x86_23418 -o 0x8bc1a1c0 printkey -K "ControlSet001\Enum\USBSTOR"
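The three registry questions above (installation time from InstallDate under CurrentVersion, the computer name under ControlSet001\Control\ComputerName\ComputerName, and USB history under ControlSet001\Enum\USBSTOR) all come down to reading printkey output. As an added example that is not part of the original article, the Python script below parses Volatility 2 printkey output (a constructed sample containing all three keys is embedded; the key contents are assumptions for the demonstration, not data from the article), decodes the InstallDate REG_DWORD as seconds since the Unix epoch, and splits each USBSTOR subkey name into device class, vendor, product and revision. The layout assumed is Volatility 2's printkey format with (S)/(V) stable/volatile markers.

```python
import re
from datetime import datetime, timezone

# Constructed sample of Volatility 2 `printkey` output for three keys (not real evidence).
SAMPLE_PRINTKEY = """\
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \\REGISTRY\\MACHINE\\SOFTWARE
Key name: CurrentVersion (S)
Last updated: 2020-09-13 12:30:00 UTC+0000

Subkeys:
  (S) Winlogon

Values:
REG_SZ        ProductName     : (S) Windows 7 Professional
REG_DWORD     InstallDate     : (S) 1600000000
----------------------------
Registry: \\REGISTRY\\MACHINE\\SYSTEM
Key name: ComputerName (S)
Last updated: 2020-09-13 12:31:00 UTC+0000

Subkeys:

Values:
REG_SZ        ComputerName    : (S) WIN-FORENSICS
----------------------------
Registry: \\REGISTRY\\MACHINE\\SYSTEM
Key name: USBSTOR (S)
Last updated: 2021-01-05 08:12:44 UTC+0000

Subkeys:
  (S) Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP
  (S) Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00

Values:
"""

KEY_NAME_RE = re.compile(r"Key name:\s+(.*?)\s+\((S|V)\)$")
SUBKEY_RE = re.compile(r"\s+\((S|V)\)\s+(.+)$")
VALUE_RE = re.compile(r"(REG_\w+)\s+(.+?)\s*:\s+\((S|V)\)\s*(.*)$")
# USBSTOR subkeys are named <class>&Ven_<vendor>&Prod_<product>&Rev_<revision>
USBSTOR_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)(?:&Rev_(?P<rev>.*))?$")


def parse_printkey(text):
    """Parse printkey output into a list of keys, each with name, last-updated time,
    subkey names and a values dict of name -> (type, data)."""
    keys, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Registry:"):            # a new key block starts
            current = {"registry": line.split(":", 1)[1].strip(), "name": None,
                       "last_updated": None, "subkeys": [], "values": {}}
            keys.append(current)
            section = None
        elif current is None:                         # legend / separator before first key
            continue
        elif line.startswith("Key name:"):
            m = KEY_NAME_RE.match(line)
            current["name"] = m.group(1) if m else line.split(":", 1)[1].strip()
        elif line.startswith("Last updated:"):
            current["last_updated"] = line.split(":", 1)[1].strip()
        elif line == "Subkeys:":
            section = "subkeys"
        elif line == "Values:":
            section = "values"
        elif section == "subkeys":
            m = SUBKEY_RE.match(line)
            if m:
                current["subkeys"].append(m.group(2))
        elif section == "values":
            m = VALUE_RE.match(line)
            if m:
                current["values"][m.group(2)] = (m.group(1), m.group(4))
    return keys


def install_date(keys):
    """InstallDate is a REG_DWORD holding seconds since 1970-01-01 UTC; return it as a datetime."""
    for key in keys:
        val = key["values"].get("InstallDate")
        if val and val[0] == "REG_DWORD":
            return datetime.fromtimestamp(int(val[1]), tz=timezone.utc)
    return None


def computer_name(keys):
    for key in keys:
        if key["name"] == "ComputerName" and "ComputerName" in key["values"]:
            return key["values"]["ComputerName"][1]
    return None


def usb_devices(keys):
    """Split each USBSTOR subkey into its device fields; unrecognised names are kept raw."""
    devices = []
    for key in keys:
        if key["name"] != "USBSTOR":
            continue
        for sub in key["subkeys"]:
            m = USBSTOR_RE.match(sub)
            devices.append(m.groupdict() if m else {"raw": sub})
    return devices


if __name__ == "__main__":
    keys = parse_printkey(SAMPLE_PRINTKEY)
    print("Installed:", install_date(keys))
    print("Computer name:", computer_name(keys))
    for dev in usb_devices(keys):
        print("USB device:", dev)
```

Run a real printkey command with its output redirected to a file and pass the contents to parse_printkey. The USBSTOR subkey names identify the device model only; the per-device serial number sits one level further down, so a second printkey on each subkey is needed to recover it.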
