How to use Volatility - Memory Analysis For Beginners.

30.8K views
Jan 24, 2020
25:25

In this short tutorial, we will be using one of the most popular volatile memory analysis tools: Volatility. This tool will help us inspect a volatile memory dump of a potentially infected computer and retrieve useful information stored in the computer's memory, such as the running processes, the most recently modified files, or even the user's browser history. We will run several Volatility commands in this tutorial on a simple case: analyzing a Cridex malware infection in memory.

Tools Used
Volatility - http://downloads.volatilityfoundation.org/releases/2.6/volatility_2.6_win64_standalone.zip
CMDER - Console Emulator https://cmder.net/
Hashmyfiles https://www.nirsoft.net/utils/hashmyfiles.zip
Strings https://docs.microsoft.com/en-us/sysinternals/downloads/strings
How to analyze a VMware memory image with Volatility https://www.andreafortuna.org/2019/04/03/how-to-analyze-a-vmware-memory-image-with-volatility/

Volatility Command summary

# What type of dump am I going to analyze? (the result gives the --profile value used below)
$ volatility -f MyDump.dmp imageinfo

# Which processes are running?
$ volatility -f MyDump.dmp --profile=MyProfile pslist
$ volatility -f MyDump.dmp --profile=MyProfile pstree
$ volatility -f MyDump.dmp --profile=MyProfile psxview

# List open TCP/UDP connections
$ volatility -f MyDump.dmp --profile=MyProfile connscan
$ volatility -f MyDump.dmp --profile=MyProfile sockets
$ volatility -f MyDump.dmp --profile=MyProfile netscan

# What commands were run most recently on the computer?
$ volatility -f MyDump.dmp --profile=MyProfile cmdline
$ volatility -f MyDump.dmp --profile=MyProfile consoles
$ volatility -f MyDump.dmp --profile=MyProfile cmdscan

# Dump a process's executable and its memory
$ volatility -f MyDump.dmp --profile=MyProfile procdump -p MyPid --dump-dir .
$ volatility -f MyDump.dmp --profile=MyProfile memdump -p MyPid --dump-dir .

# Hive and registry key values
$ volatility -f MyDump.dmp --profile=MyProfile hivelist
$ volatility -f MyDump.dmp --profile=MyProfile printkey -K "MyPath"

#Volatility #DigitalForensics #MalwareAnalysis Hshan Shouketh
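The psxview command in the summary above cross-references several ways of enumerating processes, and the interesting rows are the ones that pslist does not show but another source does. As an added example (not code from the video or from the Volatility project), the Python script below parses Volatility 2.6 psxview output and separates such rows into likely hidden (unlinked) processes and terminated processes whose EPROCESS block is still in memory. The sample output is constructed for this example; the process names, PIDs and offsets are invented, and the column order assumed is the 2.6 psxview layout (Offset(P), Name, PID, pslist, psscan, thrdproc, pspcid, csrss, session, deskthrd, ExitTime).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of "volatility ... psxview" output. Names, PIDs and offsets
# are invented for illustration and do not come from the Cridex case in the video.
SAMPLE_PSXVIEW = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x02511360 wininit.exe             392 True   True   True     True   True  True    True
0x0253a8f0 explorer.exe           1484 True   True   True     True   True  True    True
0x0254c020 svchost.exe             884 True   True   True     True   True  True    True
0x025f1d40 notepad.exe            2100 False  True   False    False  False False   False    2020-01-24 10:15:03 UTC+0000
0x02603b10 unlinked.exe           3316 False  True   True     True   True  True    True
0x026b07c0 System                    4 True   True   True     True   False False   False
"""

# Enumeration sources in the order psxview prints them (assumed 2.6 layout).
SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# One process row: physical offset, a name that may contain spaces, a PID,
# exactly seven True/False flags, and an optional trailing ExitTime.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<name>.+?)\s+"
    r"(?P<pid>\d+)"
    r"(?P<flags>(?:\s+(?:True|False)){7})"
    r"\s*(?P<exit>.*?)\s*$"
)


@dataclass
class PsxRow:
    offset: str
    name: str
    pid: int
    sources: Dict[str, bool]      # source name -> whether it saw the process
    exit_time: Optional[str]      # set when psxview printed an ExitTime


def parse_psxview(text: str) -> List[PsxRow]:
    """Parse psxview output; banner, header and separator lines are skipped."""
    rows: List[PsxRow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        flags = [f == "True" for f in m.group("flags").split()]
        rows.append(PsxRow(
            offset=m.group("offset"),
            name=m.group("name"),
            pid=int(m.group("pid")),
            sources=dict(zip(SOURCES, flags)),
            exit_time=m.group("exit") or None,
        ))
    return rows


def find_hidden_candidates(rows: List[PsxRow]) -> Tuple[List[PsxRow], List[PsxRow]]:
    """Split rows absent from pslist but present in another source into
    (hidden, terminated). A row with an ExitTime is normally a process that
    exited and whose EPROCESS has not been reused yet, not one unlinked from
    the active process list, so it is reported separately rather than dropped."""
    hidden: List[PsxRow] = []
    terminated: List[PsxRow] = []
    for r in rows:
        if r.sources["pslist"]:
            continue  # visible in the normal process list; nothing unusual here
        seen_elsewhere = any(v for k, v in r.sources.items() if k != "pslist")
        if not seen_elsewhere:
            continue
        (terminated if r.exit_time else hidden).append(r)
    return hidden, terminated


def report(text: str) -> List[str]:
    """Return one human-readable line per row worth a closer look."""
    hidden, terminated = find_hidden_candidates(parse_psxview(text))
    lines = [f"HIDDEN?    {r.name} (pid {r.pid}, offset {r.offset}): absent from pslist "
             f"but seen by {', '.join(k for k, v in r.sources.items() if v)}"
             for r in hidden]
    lines += [f"EXITED     {r.name} (pid {r.pid}): left pslist at {r.exit_time}"
              for r in terminated]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PSXVIEW):
        print(line)
```

Note that False values in the csrss, session and deskthrd columns for System and smss.exe are expected (they own no session or desktop), which is why the check keys only on pslist being False; a row that is absent from pslist, has no ExitTime and is still found by psscan and the thread or handle based sources is the one to follow up with pstree, cmdline and procdump on that PID.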
