Volatility - CheatSheet

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!


RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a meeting point for technology and cybersecurity professionals in every discipline.

If you want something fast and crazy that will launch several Volatility plugins in parallel you can use: https://github.com/carlospolop/autoVolatility

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # It will use the most important plugins (could use a lot of space depending on the size of the memory)

Installation

volatility3

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 setup.py install
python3 vol.py -h

volatility2

Download the executable from https://www.volatilityfoundation.org/26

Volatility Commands

Access the official doc in the Volatility command reference

A note on "list" vs. "scan" plugins

Volatility has two main approaches to plugins, which are sometimes reflected in their names. "list" plugins will try to navigate through Windows kernel structures to retrieve information like processes (locate and walk the linked list of _EPROCESS structures in memory), OS handles (locating and listing the handle table, dereferencing any pointers found, etc.). They more or less behave like the Windows API would if requested to, for example, list processes.

That makes "list" plugins pretty fast, but just as vulnerable as the Windows API to manipulation by malware. For instance, if malware uses DKOM to unlink a process from the _EPROCESS linked list, it won't show up in the Task Manager and neither will it in pslist.

"scan" plugins, on the other hand, take an approach similar to carving the memory for things that might make sense when dereferenced as specific structures. psscan, for instance, will read the memory and try to make _EPROCESS objects out of it (it uses pool-tag scanning, which searches for the 4-byte strings that indicate the presence of a structure of interest). The advantage is that it can dig up processes that have exited, and even if malware tampers with the _EPROCESS linked list, the plugin will still find the structure lying around in memory (since it still needs to exist for the process to run). The downside is that "scan" plugins are a bit slower than "list" plugins, and can sometimes yield false positives (a process that exited too long ago and had parts of its structure overwritten by other operations).

From: http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/

OS Profiles

Volatility3

As explained inside the readme, you need to put the symbol table of the OS you want to support inside volatility3/volatility/symbols. Symbol table packs for the various operating systems are available for download at:

Volatility2

External Profile

You can get the list of supported profiles doing:

./volatility_2.6_lin64_standalone --info | grep "Profile"

If you want to use a new profile you have downloaded (for example a Linux one), you need to create somewhere the following folder structure: plugins/overlays/linux and put the zip file containing the profile inside that folder. Then, list the available profiles using:

./vol --plugins=/home/kali/Desktop/ctfs/final/plugins --info
Volatility Foundation Volatility Framework 2.6


Profiles
--------
LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 - A Profile for Linux CentOS7_3.10.0-123.el7.x86_64_profile x64
VistaSP0x64                                   - A Profile for Windows Vista SP0 x64
VistaSP0x86                                   - A Profile for Windows Vista SP0 x86

You can download Linux and Mac profiles from https://github.com/volatilityfoundation/profiles

In the previous chunk you can see that the profile is called LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64, and you can use it to execute something like:

./vol -f file.dmp --plugins=. --profile=LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 linux_netscan

Discover Profile

volatility imageinfo -f file.dmp
volatility kdbgscan -f file.dmp

Differences between imageinfo and kdbgscan

From here: As opposed to imageinfo, which simply provides profile suggestions, kdbgscan is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and the number of sanity checks that can be performed depend on whether Volatility can find a DTB, so if you already know the correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it.

Always take a look at the number of processes that kdbgscan has found. Sometimes imageinfo and kdbgscan can find more than one suitable profile, but only the valid one will have processes associated with it (this is because the correct KDBG address is needed to extract processes).

# GOOD
PsActiveProcessHead           : 0xfffff800011977f0 (37 processes)
PsLoadedModuleList            : 0xfffff8000119aae0 (116 modules)
# BAD
PsActiveProcessHead           : 0xfffff800011947f0 (0 processes)
PsLoadedModuleList            : 0xfffff80001197ac0 (0 modules)
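
The check described above, as an added example that is not part of the original page: parse the candidate blocks of kdbgscan output (a constructed sample using the GOOD/BAD addresses shown), discard any KDBG that walks to zero processes or modules, and report the profile and offset to pass to Volatility 2's --profile and --kdbg options. The profile names in the sample are assumed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `volatility kdbgscan -f file.dmp` output: two KDBG
# candidates; only the first walks to real processes and modules.
SAMPLE_KDBGSCAN = """\
**************************************************
Instantiating KDBG using: Kernel AS Win2008SP1x64 (6.0.6001 64bit)
Offset (V)                    : 0xf800011970a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008SP1x64
PsActiveProcessHead           : 0xfffff800011977f0 (37 processes)
PsLoadedModuleList            : 0xfffff8000119aae0 (116 modules)
**************************************************
Instantiating KDBG using: Kernel AS Win2008SP2x64 (6.0.6002 64bit)
Offset (V)                    : 0xf800011940a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008SP2x64
PsActiveProcessHead           : 0xfffff800011947f0 (0 processes)
PsLoadedModuleList            : 0xfffff80001197ac0 (0 modules)
"""

@dataclass
class KdbgCandidate:
    profile: str
    offset_v: int
    processes: int
    modules: int

    def usable(self) -> bool:
        # A KDBG whose PsActiveProcessHead walks to zero processes cannot
        # drive list plugins such as pslist, whatever its header says.
        return self.processes > 0 and self.modules > 0

def parse_kdbgscan(text: str) -> List[KdbgCandidate]:
    """Split the output on the asterisk separators and pull out the fields
    the text says to check: suggested profile, KDBG offset, both counts."""
    found = []
    for block in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        if "Profile suggestion" not in block:
            continue
        def grab(pattern: str, default: str = "0") -> str:
            m = re.search(pattern, block, flags=re.M)
            return m.group(1) if m else default
        found.append(KdbgCandidate(
            profile=grab(r"^Profile suggestion \(KDBGHeader\):\s*(\S+)", "?"),
            offset_v=int(grab(r"^Offset \(V\)\s*:\s*(0x[0-9a-fA-F]+)"), 16),
            processes=int(grab(r"^PsActiveProcessHead\s*:.*\((\d+) processes\)")),
            modules=int(grab(r"^PsLoadedModuleList\s*:.*\((\d+) modules\)")),
        ))
    return found

def pick_kdbg(text: str) -> Optional[KdbgCandidate]:
    """Choose the candidate to pass as --profile/--kdbg: the usable one with
    the most processes; None when every candidate is empty."""
    usable = [c for c in parse_kdbgscan(text) if c.usable()]
    return max(usable, key=lambda c: (c.processes, c.modules)) if usable else None

if __name__ == "__main__":
    for c in parse_kdbgscan(SAMPLE_KDBGSCAN):
        print(f"{c.profile:16} kdbg={c.offset_v:#x} procs={c.processes:3} "
              f"mods={c.modules:3} usable={c.usable()}")
    best = pick_kdbg(SAMPLE_KDBGSCAN)
    if best:
        print(f"use: --profile={best.profile} --kdbg={best.offset_v:#x}")
```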

KDBG

The kernel debugger block, referred to as KDBG by Volatility, is crucial for the forensic tasks performed by Volatility and by various debuggers. Identified as KdDebuggerDataBlock and of the type _KDDEBUGGER_DATA64, it contains essential references such as PsActiveProcessHead. This specific reference points to the head of the process list, enabling the listing of all processes, which is fundamental for thorough memory analysis.

OS Information

#vol3 has a plugin to give OS information (note that imageinfo from vol2 will give you OS info)
./vol.py -f file.dmp windows.info.Info

The plugin banners.Banners can be used in vol3 to try to find Linux banners in the dump.

Hashes/Passwords

Extract SAM hashes, domain cached credentials and LSA secrets.

./vol.py -f file.dmp windows.hashdump.Hashdump #Grab common windows hashes (SAM+SYSTEM)
./vol.py -f file.dmp windows.cachedump.Cachedump #Grab domain cache hashes inside the registry
./vol.py -f file.dmp windows.lsadump.Lsadump #Grab lsa secrets


volatility --profile=Win7SP1x86_23418 hashdump -f file.dmp #Grab common windows hashes (SAM+SYSTEM)
volatility --profile=Win7SP1x86_23418 cachedump -f file.dmp #Grab domain cache hashes inside the registry
volatility --profile=Win7SP1x86_23418 lsadump -f file.dmp #Grab lsa secrets

Memory Dump

The memory dump of a process will extract everything of the current state of the process. The procdump module will only extract the code.

volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/


Processes

List processes

Try to find suspicious processes (by name) or unexpected child processes (for example a cmd.exe as a child of iexplorer.exe). It could be interesting to compare the result of pslist with the one of psscan to identify hidden processes.

python3 vol.py -f file.dmp windows.pstree.PsTree # Get processes tree (not hidden)
python3 vol.py -f file.dmp windows.pslist.PsList # Get process list (EPROCESS)
python3 vol.py -f file.dmp windows.psscan.PsScan # Get hidden process list(malware)
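
The pslist/psscan comparison suggested above, and the list-vs-scan caveat from the note earlier on this page, as an added example that is not part of the original page: parse the tab-separated tables vol3 prints for windows.pslist.PsList and windows.psscan.PsScan (constructed samples), report every carved _EPROCESS the list walk missed, and separate a still-running unlinked process from the exited remnant psscan is expected to surface. The process names, offsets and the unexpected parent/child rule set are constructed for illustration.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed samples of the tab-separated tables printed by
# `python3 vol.py -f file.dmp windows.pslist.PsList` and `windows.psscan.PsScan`.
PSLIST = """PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime
4\t0\tSystem\t0x85f3e020\t80\t500\tN/A\tFalse\t2020-01-01 10:00:00\tN/A
340\t4\tsmss.exe\t0x86c2a7e0\t2\t29\tN/A\tFalse\t2020-01-01 10:00:02\tN/A
1544\t1500\texplorer.exe\t0x864f9d40\t28\t700\t1\tFalse\t2020-01-01 10:01:00\tN/A
2168\t1544\tiexplore.exe\t0x8651a030\t12\t350\t1\tFalse\t2020-01-01 10:05:00\tN/A
2604\t2168\tcmd.exe\t0x8642b8d0\t1\t20\t1\tFalse\t2020-01-01 10:06:00\tN/A
"""
# psscan carves _EPROCESS objects out of pool memory, so it additionally returns
# an unlinked (DKOM-hidden) process and the remnant of one that already exited.
PSSCAN = PSLIST + """3012\t340\tsvchosst.exe\t0x8631c2a8\t5\t90\t0\tFalse\t2020-01-01 10:07:00\tN/A
1980\t1544\tnotepad.exe\t0x8660e1f0\t0\t0\t1\tFalse\t2020-01-01 10:02:00\t2020-01-01 10:03:00
"""

Proc = Dict[str, str]

def parse_vol3_table(text: str) -> Dict[Tuple[str, str], Proc]:
    """Key rows by (PID, Offset(V)): a PID is reused after exit, but the
    _EPROCESS address is not, so the pair names one process object."""
    rows = csv.DictReader(io.StringIO(text), delimiter="\t")
    return {(r["PID"], r["Offset(V)"]): r for r in rows}

def compare_pslist_psscan(pslist_txt: str, psscan_txt: str) -> List[Tuple[str, str, str]]:
    """Return (pid, name, verdict) for each _EPROCESS psscan carved that the
    linked-list walk in pslist did not report."""
    listed = parse_vol3_table(pslist_txt)
    findings = []
    for key, proc in parse_vol3_table(psscan_txt).items():
        if key in listed:
            continue
        if proc["ExitTime"] != "N/A":
            # Terminated process whose object is still in pool: the expected
            # noise the text describes as psscan's false-positive case.
            verdict = "exited remnant"
        else:
            # No exit time, yet absent from the list walk: unlinked while alive.
            verdict = "HIDDEN: running but not in the _EPROCESS list"
        findings.append((proc["PID"], proc["ImageFileName"], verdict))
    return findings

# Parent -> children that should never appear under it (constructed rule set).
UNEXPECTED_CHILDREN = {"iexplore.exe": {"cmd.exe", "powershell.exe"}}

def suspicious_children(pslist_txt: str) -> List[Tuple[str, str]]:
    """Return (parent name, child name) pairs matching UNEXPECTED_CHILDREN."""
    procs = parse_vol3_table(pslist_txt)
    name_of = {p["PID"]: p["ImageFileName"] for p in procs.values()}
    hits = []
    for p in procs.values():
        parent = name_of.get(p["PPID"], "?")
        if p["ImageFileName"] in UNEXPECTED_CHILDREN.get(parent, set()):
            hits.append((parent, p["ImageFileName"]))
    return hits

if __name__ == "__main__":
    for pid, name, verdict in compare_pslist_psscan(PSLIST, PSSCAN):
        print(f"pid {pid:>5} {name:16} {verdict}")
    for parent, child in suspicious_children(PSLIST):
        print(f"unexpected child: {child} spawned by {parent}")
```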
