Volatility - CheatSheet

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA KUJIUNGA!
Pata bidhaa rasmi za PEASS & HackTricks
Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs za kipekee
Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa ** lengo la kukuza maarifa ya kiufundi**, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila nidhamu.

RootedCONRootedCON

Ikiwa unataka kitu haraka na cha kufurahisha ambacho kitazindua programu-jalizi kadhaa za Volatility kwa wakati mmoja unaweza kutumia: https://github.com/carlospolop/autoVolatility

python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # It will use the most important plugins (could use a lot of space depending on the size of the memory)

Usanidi

volatility3

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 setup.py install
python3 vol.py —h

volatility2

Download the executable from https://www.volatilityfoundation.org/26

git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py install

Amri za Volatility

Pata hati rasmi katika Marejeleo ya Amri ya Volatility

Taarifa kuhusu programu-jalizi za "orodha" dhidi ya "skani"

Volatility ina njia mbili kuu za programu-jalizi, ambazo mara nyingi zinaonekana katika majina yao. Programu-jalizi za "orodha" zitajaribu kupita kwa miundo ya Kernel ya Windows ili kupata habari kama michakato (kupata na kutembea orodha iliyounganishwa ya miundo ya _EPROCESS kwenye kumbukumbu), vitambulisho vya OS (kupata na kuorodhesha meza ya vitambulisho, kufuta dereferencing yoyote iliyopatikana, n.k). Kimsingi zinajitenda kama API ya Windows ingefanya ikiombwa, kwa mfano, kuorodhesha michakato.

Hii inafanya programu-jalizi za "orodha" kuwa haraka, lakini sawa na API ya Windows katika kudanganywa na zisizo salama kwa zisizo na programu hasidi. Kwa mfano, ikiwa programu hasidi inatumia DKOM kufuta michakato kutoka kwa orodha iliyounganishwa ya _EPROCESS, haitaonekana kwenye Meneja wa Kazi na wala haitaonekana kwenye pslist.

Programu-jalizi za "skani", kwa upande mwingine, zitachukua njia inayofanana na kukata kumbukumbu kwa vitu ambavyo vinaweza kuwa na maana wakati wa kufuta kama miundo maalum. Kwa mfano, psscan itasoma kumbukumbu na kujaribu kufanya vitu vya _EPROCESS kutoka kwake (inatumia skanning ya alama ya dimbwi, ambayo inatafuta herufi za 4-baiti zinazoonyesha uwepo wa muundo wa kuvutia). Faida ni kwamba inaweza kuchimba michakato ambayo imeondoka, na hata ikiwa programu hasidi inachezea orodha iliyounganishwa ya _EPROCESS, programu-jalizi bado itapata muundo uliopo kwenye kumbukumbu (kwani bado inahitaji kuwepo kwa mchakato ili uendelee). Kuporomoka ni kwamba programu-jalizi za "skani" ni polepole kidogo kuliko programu-jalizi za "orodha", na mara nyinginezo zinaweza kutoa matokeo sahihi ya uwongo (mchakato ambao umeondoka muda mrefu uliopita na sehemu za muundo wake zimeandikwa juu na shughuli nyingine).

Kutoka: http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/

Profaili za OS

Volatility3

Kama ilivyoelezwa kwenye faili ya kusoma, unahitaji kuweka meza ya alama ya OS unayotaka kusaidia ndani ya volatility3/volatility/symbols. Pakiti za meza ya alama kwa mifumo mbalimbali ya uendeshaji zinapatikana kwa kupakuliwa kwa:

Volatility2

Profaili ya Nje

Unaweza kupata orodha ya profaili zilizoungwa mkono kwa kufanya:

./volatility_2.6_lin64_standalone --info | grep "Profile"

Ikiwa unataka kutumia wasifu mpya uliopakuliwa (kwa mfano wa linux) unahitaji kuunda mahali muundo wa folda ifuatayo: plugins/overlays/linux na weka ndani ya folda hii faili ya zip inayohifadhi wasifu. Kisha, pata idadi ya maelezo kwa kutumia:

./vol --plugins=/home/kali/Desktop/ctfs/final/plugins --info
Volatility Foundation Volatility Framework 2.6


Profiles
--------
LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 - A Profile for Linux CentOS7_3.10.0-123.el7.x86_64_profile x64
VistaSP0x64                                   - A Profile for Windows Vista SP0 x64
VistaSP0x86                                   - A Profile for Windows Vista SP0 x86

Unaweza kupakua maelezo ya Linux na Mac kutoka https://github.com/volatilityfoundation/profiles

Katika sehemu iliyotangulia unaweza kuona kuwa maelezo yanaitwa LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64, na unaweza kuitumia kutekeleza kitu kama:

./vol -f file.dmp --plugins=. --profile=LinuxCentOS7_3_10_0-123_el7_x86_64_profilex64 linux_netscan

Pata Maelezo ya Profaili

volatility imageinfo -f file.dmp
volatility kdbgscan -f file.dmp

Tofauti kati ya imageinfo na kdbgscan

Kutoka hapa: Badala ya imageinfo ambayo hutoa mapendekezo ya maelezo ya wasifu, kdbgscan imeundwa kwa lengo la kutambua kwa uhakika wasifu sahihi na anwani sahihi ya KDBG (ikiwa kuna zaidi ya moja). Programu-jalizi hii huchunguza saini za KDBGHeader zinazohusiana na maelezo ya Volatility na hutekeleza ukaguzi wa akili ili kupunguza matokeo sahihi ya uwongo. Uelekevu wa matokeo na idadi ya ukaguzi wa akili unaweza kutekelezwa inategemea ikiwa Volatility inaweza kupata DTB, kwa hivyo ikiwa tayari unajua wasifu sahihi (au ikiwa una mapendekezo ya wasifu kutoka imageinfo), basi hakikisha unaitumia kutoka.

Daima angalia idadi ya michakato ambayo kdbgscan imepata. Mara nyingine imageinfo na kdbgscan wanaweza kupata zaidi ya moja inayofaa wasifu lakini tu moja sahihi itakuwa na michakato inayohusiana (Hii ni kwa sababu ya kutoa michakato anwani sahihi ya KDBG inahitajika)

# GOOD
PsActiveProcessHead           : 0xfffff800011977f0 (37 processes)
PsLoadedModuleList            : 0xfffff8000119aae0 (116 modules)

# BAD
PsActiveProcessHead           : 0xfffff800011947f0 (0 processes)
PsLoadedModuleList            : 0xfffff80001197ac0 (0 modules)

KDBG

Kizuizi cha kubadilisha msimbo wa msingi, kinachojulikana kama KDBG na Volatility, ni muhimu kwa kazi za uchunguzi zinazofanywa na Volatility na debuggers mbalimbali. Kilichotambuliwa kama KdDebuggerDataBlock na aina ya _KDDEBUGGER_DATA64, kina taarifa muhimu kama vile PsActiveProcessHead. Kumbukumbu maalum hii inaelekeza kichwa cha orodha ya michakato, ikiruhusu orodha ya michakato yote, ambayo ni muhimu kwa uchambuzi kamili wa kumbukumbu.

Taarifa za OS

#vol3 has a plugin to give OS information (note that imageinfo from vol2 will give you OS info)
./vol.py -f file.dmp windows.info.Info

Mfumo wa programu-jalizi banners.Banners unaweza kutumika katika vol3 kujaribu kupata bango za linux katika kumbukumbu.

Hashes/Passwords

Chambua SAM hashes, credentials zilizohifadhiwa za kikoa na siri za lsa.

./vol.py -f file.dmp windows.hashdump.Hashdump #Grab common windows hashes (SAM+SYSTEM)
./vol.py -f file.dmp windows.cachedump.Cachedump #Grab domain cache hashes inside the registry
./vol.py -f file.dmp windows.lsadump.Lsadump #Grab lsa secrets

Volatility Cheatsheet

Basic Commands

Image Identification
- volatility -f <memory_dump> imageinfo
Listing Processes
- volatility -f <memory_dump> --profile=<profile> pslist
Dumping a Process
- volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>
Listing Network Connections
- volatility -f <memory_dump> --profile=<profile> connections
Dumping a File
- volmemory -f <memory_dump> --profile=<profile> file -S <start_address> -E <end_address> -O <output_directory>

Advanced Commands

Detecting Hidden Processes
- volatility -f <memory_dump> --profile=<profile> psxview
Analyzing Registry json
- volatility -f <memory_dump> --profile=<profile> hivelist
- volatility -f <memory_dump> --profile=<profile> printkey -o <offset>
Extracting Registry Hives
- volatility -f <memory_dump> --profile=<profile> hivex -o <offset> -s <size> -r <output_directory>
Analyzing Kernel Modules
- volatility -f <memory_dump> --profile=<profile> modscan
Dumping Kernel Module
- volatility -f <memory_dump> --profile=<profile> moddump -o <offset> -D <output_directory>
Analyzing Drivers
- volatility -f <memory_dump> --profile=<profile> driverscan
Dumping Driver
- volatility -f <memory_dump> --profile=<profile> drvmap -D <output_directory>
Analyzing Timelime
- volatility -f <memory_dump> --profile=<profile> timeliner
Analyzing PSScan
- volatility -f <memory_dump> --profile=<profile> psscan
Analyzing Mutants
- volatility -f <memory_dump> --profile=<profile> mutantscan
Analyzing Handles
- volatility -f <memory_dump> --profile=<profile> handles
Analyzing DLLs
- volatility -f <memory_dump> --profile=<profile> dlllist
Analyizing Sockets
- volatility -f <memory_dump> --profile=<profile> sockscan
Analyzing User Handles
- volatility -f <memory_dump> --profile=<profile> userhandles
Analyzing Vad Trees
- volatility -f <memory_dump> --profile=<profile> vadtree
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyizing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyizing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyizing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyizing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyizing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyizing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyizing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyizing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyizing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyizing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyizing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyizing LDT
- volatility -f <memory_dump> --profile=<profile> ldt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyizing IDT

volatility --profile=Win7SP1x86_23418 hashdump -f file.dmp #Grab common windows hashes (SAM+SYSTEM)
volatility --profile=Win7SP1x86_23418 cachedump -f file.dmp #Grab domain cache hashes inside the registry
volatility --profile=Win7SP1x86_23418 lsadump -f file.dmp #Grab lsa secrets

Kumbukumbu ya Kijijini

Kumbukumbu ya kijijini ya mchakato ita chimba kila kitu cha hali ya sasa ya mchakato. Moduli ya procdump ita chimba tu msimbo.

volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/

RootedCON ni tukio muhimu la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Na malengo ya kukuza maarifa ya kiufundi, kongamano hili ni mahali pa kukutana kwa wataalamu wa teknolojia na usalama wa mtandao katika kila nidhamu.

RootedCONRootedCON

Mchakato

Orodha ya mchakato

Jaribu kutafuta mchakato mashaka (kwa jina) au mchakato wa mtoto usiotarajiwa (kwa mfano cmd.exe kama mtoto wa iexplorer.exe). Inaweza kuwa ya kuvutia kulinganisha matokeo ya pslist na psscan ili kutambua michakato iliyofichwa.

python3 vol.py -f file.dmp windows.pstree.PsTree # Get processes tree (not hidden)
python3 vol.py -f file.dmp windows.pslist.PsList # Get process list (EPROCESS)
python3 vol.py -f file.dmp windows.psscan.PsScan # Get hidden process list(malware)

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Kutambua Mifumo ya Uendeshaji
- volatility -f <dumpfile> imageinfo
Kutambua Michakato Inayoendesha
- volatility -f <dumpfile> pslist
Kutambua Huduma Zilizosajiliwa
- volatility -f <dumpfile> getservicesids
Kutambua Moduli Zilizopakiwa
- volatility -f <dumpfile> modscan
Kutambua Mitandao ya Kumbukumbu
- volatility -f <dumpfile> connscan
Kuchunguza Mitandao ya Kumbukumbu
- volatility -f <dumpfile> netscan
Kutambua Faili Zilizofunguliwa
- volatility -f <dumpfile> filescan
Kuchunguza Maudhui ya Kumbukumbu
- volatility -f <dumpfile> memdump -p <pid> --dump-dir <outputdir>
Kutambua Mitandao ya Kumbukumbu Inayotumika
- volatility -f <dumpfile> malfind
Kutambua Mitandao ya Kumbukumbu Inayotumika na Mchakato Fulani
- volatility -f <dumpfile> malfind -p <pid>
Kutambua Mitandao ya Kumbukumbu Inayotumika na Moduli Fulani
- volatility -f <dumpfile> malfind -m <module>
Kutambua Mitandao ya Kumbukumbu Inayotumika na Faili Fulani
- volatility -f <dumpfile> malfind -D <file>
Kutambua Mitandao ya Kumbukumbu Inayotumika na Mchakato na Moduli Fulani
- volatility -f <dumpfile> malfind -p <pid> -m <module>
Kutambua Mitandao ya Kumbukumbu Inayotumika na Mchakato na Faili Fulani
- volatility -f <dumpfile> malfind -p <pid> -D <file>
Kutambua Mitandao ya Kumbukumbu Inayotumika na Moduli na Faili Fulani
- volatility -f <dumpfile> malfind -m <module> -D <file>
Kutambua Mitandao ya Kumbukumbu Inayotumika na Mchakato, Moduli, na Faili Fulani
- volatility -f <dumpfile> malfind -p <pid> -m <module> -D <file>
Kuchunguza Mitandao ya Kumbukumbu kwa Kutumia Yara
- volatility -f <dumpfile> yarascan --yara-rules <yararulesfile>
Kuchunguza Mitandao ya Kumbukumbu kwa Kutumia Yara na Kupata Maudhui
- volatility -f <dumpfile> yarascan --yara-rules <yararulesfile> --dump-dir <outputdir>
Kuchunguza Mitandao ya Kumbukumbu kwa Kutumia Yara na Kupata Maudhui kwa Mchakato Fulani
- volatility -f <dumpfile> yarascan --yara-rules <yararulesfile> -p <pid> --dump-dir <outputdir>
Kuchunguza Mitandao ya Kumbukumbu kwa Kutumia Yara na Kupata Maudhui kwa Moduli Fulani
- volatility -f <dumpfile> yarascan --yara-rules <yararulesfile> -m <module> --dump-dir <outputdir>
Kuchunguza Mitandao ya Kumbukumbu kwa Kutumia Yara na Kupata Maudhui kwa Faili Fulani
- volatility -f <dumpfile> yarascan --yara-rules <yararulesfile> -D <file> --dump-dir <outputdir>
Kuchunguza Mitandao ya Kumbukumbu kwa Kutumia Yara na Kupata Maudhui kwa Mchakato na Moduli Fulani
- volatility -f <dumpfile> yarascan --yara-rules <yararulesfile> -p <pid> -m <module> --dump-dir <outputdir>
Kuchunguza Mitandao ya Kumbukumbu kwa Kutumia Yara na Kupata Maudhui kwa Mchakato na Faili Fulani
- volatility -f <dumpfile> yarascan --yara-rules <yararulesfile> -p <pid> -D <file> --dump-dir <outputdir>
Kuchunguza Mitandao ya Kumbukumbu kwa Kutumia Yara na Kupata Maudhui kwa Moduli na Faili Fulani
- volatility -f <dumpfile> yarascan --yara-rules <yararulesfile> -m <module> -D <file> --dump-dir <outputdir>
Kuchunguza Mitandao ya Kumbukumbu kwa Kutumia Yara na Kupata Maudhui kwa Mchakato, Moduli, na Faili Fulani
- volatility -f <dumpfile> yarascan --yara-rules <yararulesfile> -p <pid> -m <module> -D <file> --dump-dir <outputdir>

volatility --profile=PROFILE pstree -f file.dmp # Get process tree (not hidden)
volatility --profile=PROFILE pslist -f file.dmp # Get process list (EPROCESS)
volatility --profile=PROFILE psscan -f file.dmp # Get hidden process list(malware)
volatility --profile=PROFILE psxview -f file.dmp # Get hidden process list

Kumbukumbu ya Proc

./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid <pid> #Dump the .exe and dlls of the process in the current directory

Volatility Cheatsheet

Basic Commands

Image Identification
- volatility -f <memory_dump> imageinfo
Listing Processes
- volatility -f <memory_dump> --profile=<profile> pslist
Dumping a Process
- volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>
Listing Network Connections
- volatility -f <memory_dump> --profile=<profile> connections
Dumping a File
- voljsonity -f <memory_dump> --profile=<profile> file -S <start_address> -E <end_address> -O <output_directory>

Advanced Commands

Detecting Hidden Processes
- volatility -f <memory_dump> --profile=<profile> psxview
Analyzing Registry json - volatility -f <memory_dump> --profile=<profile> hivelist
- volatility -f <memory_dump> --profile=<profile> printkey -o <offset>
Extracting Registry Hives
- volatility -f <memory_dump> --profile=<profile> dumpregistry -o <output_directory>
Analyzing Kernel Modules
- volatility -f <memory_dump> --profile=<profile> modscan
Analyzing Drivers
- volatility -f <memory_dump> --profile=<profile> driverscan
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing Mutants
- volatility -f <memory_dump> --profile=<profile> mutantscan
Analyzing Handles
- volatility -f <memory_dump> --profile=<profile> handles
Analyzing PSScan
- volatility -f <memory_dump> --profile=<profile> psscan
Analyzing LDR Modules
- volatility -f <memory_dump> --profile=<profile> ldrmodules
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing CSRSS
- volatility -f <memory_dump> --profile=<profile> csrss
Analyzing DLLs
- volatility -f <memory_dump> --profile=<profile> dlllist
Analyzing Malware
- volatility -f <memory_dump> --profile=<profile> malfind
Analyzing Yara Rules
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing User Handles
- volatility -f <memory_dump> --profile=<profile> userhandles
Analyzing Privileges
- volatility -f <memory_dump> --profile=<profile> privs
Analyizing Timeliner
- volatility -f <memory_dump> --profile=<profile> timeliner
Analyzing Bash History
- volatility -f <memory_dump> --profile=<profile> bash
Analyzing Command History
- volatility -f <memory_dump> --profile=<profile> cmdscan
Analyzing Consoles
- volatility -f <memory_dump> --profile=<profile> consoles
Analyzing Netscan
- volatility -f <memory_dump> --profile=<profile> netscan
Analyzing Sockets
- volatility -f <memory_dump> --profile=<profile> sockets
Analyzing Connections
- volatility -f <memory_dump> --profile=<profile> connscan
Analyzing Malfind
- volatility -f <memory_dump> --profile=<profile> malfind
Analyzing Malprocfind
- volatility -f <memory_dump> --profile=<profile> malprocfind
Analyzing Malware Config
- volatility -f <memory_dump> --profile=<profile> malwaredump
Analyzing Malware Detection
- volatility -f <memory_dump> --profile=<profile> malfind
Analyzing Malware Scan
- volatility -f <memory_dump> --profile=<profile> malsysproc
Analyzing Malware Timeliner
- volatility -f <memory_dump> --profile=<profile> malfind
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Malware Yarascan
- volatility -f <memory_dump> --profile=<profile> yarascan
**Analyzing Malware Yaras

volatility --profile=Win7SP1x86_23418 procdump --pid=3152 -n --dump-dir=. -f file.dmp

Amri ya mstari wa amri

Je, kuna kitu chochote cha shaka kilichotekelezwa?

python3 vol.py -f file.dmp windows.cmdline.CmdLine #Display process command-line arguments

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Kuanzisha Mazingira ya Volatility:

$ export VOLATILITY_LOCATION=/path/to/volatility

Kutumia Volatility:

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw <command>

Kupata Orodha ya Msaada wa Moduli:

$ python $VOLATILITY_LOCATION/vol.py --info | grep -i <module_name>

Kuchambua Mchakato:

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> pslist

Kuchunguza Mitandao:

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> netscan

Kuchunguza Usajili:

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> printkey -o <offset>

Kuchunguza Mafaili ya Kufungua:

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> filescan

Kuchunguza Maudhui ya Kumbukumbu:

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> memdump -p <pid> -D <output_directory>

Kuchunguza Maudhui ya Kumbukumbu (Kulinganisha):

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> memmap --output=body --pid=<pid> --dump-dir=<output_directory>

Kuchunguza Maudhui ya Kumbukumbu (Kulinganisha):

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> memmap --output=body --pid=<pid> --dump-dir=<output_directory>

Kuchunguza Maudhui ya Kumbukumbu (Kulinganisha):

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> memmap --output=body --pid=<pid> --dump-dir=<output_directory>

Kuchunguza Maudhui ya Kumbukumbu (Kulinganisha):

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> memmap --output=body --pid=<pid> --dump-dir=<output_directory>

Kuchunguza Maudhui ya Kumbukumbu (Kulinganisha):

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> memmap --output=body --pid=<pid> --dump-dir=<output_directory>

Kuchunguza Maudhui ya Kumbukumbu (Kulinganisha):

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> memmap --output=body --pid=<pid> --dump-dir=<output_directory>

Kuchunguza Maudhui ya Kumbukumbu (Kulinganisha):

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> memmap --output=body --pid=<pid> --dump-dir=<output_directory>

Kuchunguza Maudhui ya Kumbukumbu (Kulinganisha):

$ python $VOLATILITY_LOCATION/vol.py -f /path/to/memory_dump.raw --profile=<profile> memmap --output=body --pid=<pid> --dump-dir=<output_directory>

volatility --profile=PROFILE cmdline -f file.dmp #Display process command-line arguments
volatility --profile=PROFILE consoles -f file.dmp #command history by scanning for _CONSOLE_INFORMATION

Amri zilizotekelezwa katika cmd.exe zinasimamiwa na conhost.exe (au csrss.exe kwenye mifumo kabla ya Windows 7). Hii inamaanisha kwamba ikiwa cmd.exe inakomeshwa na mkaidi kabla ya kupatikana kwa kumbukumbu ya kumbukumbu, bado inawezekana kupata historia ya amri za kikao kutoka kumbukumbu ya conhost.exe. Ili kufanya hivyo, ikiwa shughuli isiyo ya kawaida inagunduliwa ndani ya moduli za konsoli, kumbukumbu ya mchakato wa conhost.exe inapaswa kudondoshwa. Kisha, kwa kutafuta maneno ndani ya kumbukumbu hii, mistari ya amri zilizotumiwa katika kikao inaweza kunaswa.

Mazingira

Pata mazingira ya mazingira ya kila mchakato unaoendesha. Kunaweza kuwa na thamani za kuvutia.

python3 vol.py -f file.dmp windows.envars.Envars [--pid <pid>] #Display process environment variables

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Mwanzo

Kupata Maelezo ya Mfumo
- imageinfo: Inatoa habari kuhusu mfumo wa uendeshaji wa kumbukumbu.
- kdbgscan: Inachunguza kwa kutafuta Debugging Data Block (KDBG).
- kpcrscan: Inachunguza kwa kutafuta Processor Control Region (KPCR).
Uchunguzi wa Mchakato
- pslist: Inatoa orodha ya mchakato.
- pstree: Inatoa muundo wa mti wa mchakato.
- psscan: Inachunguza mchakato kwa kutumia Pool Scan.
Uchunguzi wa Mitandao
- netscan: Inachunguza kwa kutafuta maelezo ya mtandao.
- sockets: Inatoa orodha ya soketi.
Uchunguzi wa Usajili
- hivelist: Inachunguza Usajili wa Windows.
- printkey: Inachunguza funguo za Usajili.
Uchunguzi wa Kifaa
- devicetree: Inatoa muundo wa mti wa vifaa.
- driverirp: Inachunguza IRP kwa dereva fulani.
Uchunguzi wa Kificho
- dlllist: Inatoa orodha ya moduli zilizopakiwa.
- ldrmodules: Inachunguza moduli zilizopakiwa.
Uchunguzi wa Kumbukumbu
- memmap: Inatoa ramani ya kumbukumbu.
- memdump: Inachukua nakala ya kumbukumbu.
Uchunguzi wa Mfumo wa Faili
- filescan: Inachunguza kwa kutafuta maelezo ya faili.
- fileinfo: Inatoa habari kuhusu faili.
Uchunguzi wa Mfumo wa Mtandao
- connscan: Inachunguza kwa kutafuta maelezo ya uhusiano wa mtandao.
- connscan: Inachunguza kwa kutafuta maelezo ya uhusiano wa mtandao.
Uchunguzi wa Mfumo wa Kumbukumbu
- malfind: Inachunguza kwa kutafuta mchakato wa mashaka.
- malfind: Inachunguza kwa kutafuta mchakato wa mashaka.

Mbinu za Kina

Uchunguzi wa Mchakato
- dlllist -p <PID>: Inatoa orodha ya moduli zilizopakiwa kwa mchakato maalum.
- ldrmodules -p <PID>: Inachunguza moduli zilizopakiwa kwa mchakato maalum.
Uchunguzi wa Mitandao
- connscan -p <PID>: Inachunguza maelezo ya uhusiano wa mtandao kwa mchakato maalum.
Uchunguzi wa Usajili
- printkey -K <RegistryKey>: Inachunguza funguo za Usajili kwa njia ya rekodi.
Uchunguzi wa Kifaa
- devicetree -p <PID>: Inatoa muundo wa mti wa vifaa kwa mchakato maalum.
Uchunguzi wa Kumbukumbu
- memdump -p <PID> -D <OutputDirectory>: Inachukua nakala ya kumbukumbu kwa mchakato maalum.
Uchunguzi wa Mfumo wa Faili
- filescan -p <PID>: Inachunguza maelezo ya faili kwa mchakato maalum.
- fileinfo -f <FileOffset>: Inatoa habari kuhusu faili kwa kutumia kiashiria cha faili.
Uchunguzi wa Mfumo wa Mtandao
- netscan -p <PID>: Inachunguza maelezo ya mtandao kwa mchakato maalum.

Zana za Kusaidia

Kuchambua Kumbukumbu
- vol.py -f <MemoryDump> <Command>: Kutumia Volatility kuchambua kumbukumbu.
Kurekebisha Kosa
- vol.py --plugins=<PluginDirectory> <Command>: Kutumia programu-jalizi za Volatility.
Kurekebisha Kosa
- vol.py --profile=<Profile> <Command>: Kutumia wasifu maalum wa mfumo wa uendeshaji.

Vidokezo vya Mwisho

Hakikisha unatumia toleo sahihi la Volatility kulingana na mfumo wa uendeshaji wa kumbukumbu.
Fanya uchambuzi wa kina kwa kutumia zana sahihi kulingana na mahitaji yako ya uchunguzi.
Tumia mbinu za kina kuchunguza maelezo zaidi kuhusu mchakato au kifaa maalum.
Weka maelezo ya uchambuzi wako kwa usahihi na kwa njia inayoeleweka.

volatility --profile=PROFILE envars -f file.dmp [--pid <pid>] #Display process environment variables

volatility --profile=PROFILE -f file.dmp linux_psenv [-p <pid>] #Get env of process. runlevel var means the runlevel where the proc is initated

Haki za Tokeni

Angalia tokeni za haki katika huduma ambazo si za kawaida. Inaweza kuwa muhimu kuorodhesha michakato inayotumia baadhi ya tokeni zenye haki za ziada.

#Get enabled privileges of some processes
python3 vol.py -f file.dmp windows.privileges.Privs [--pid <pid>]
#Get all processes with interesting privileges
python3 vol.py -f file.dmp windows.privileges.Privs | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"

Volatility Cheatsheet

Basic Commands

Image Identification
- volatility -f <memory_dump> imageinfo
Listing Processes
- volatility -f <memory_dump> --profile=<profile> pslist
Dumping a Process
- volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>
Listing Network Connections
- volatility -f <memory_dump> --profile=<profile> connections
Dumping a File
- voljsonity -f <memory_dump> --profile=<profile> dumpfiles -Q <address_range> -D <output_directory>

Advanced Commands

Analyzing Registry
- volatility -f <memory_dump> --profile=<profile> hivelist
- volatility -f <memory_dump> --profile=<profile> printkey -o <offset>
Analyzing Malware
- volatility -f <memory_dump> --profile=<profile> malfind
Analyifying Kernel Modules
- volatility -f <memory_dump> --profile=<profile> modscan
Analyzing Drivers json - volatility -f <memory_dump> --profile=<profile> driverscan
Analyzing Sockets
- volatility -f <memory_dump> --profile=<profile> sockets
Analyzing Timelining
- volatility -f <memory_dump> --profile=<profile> timeliner
Analyzing Packed Binaries
- volatility -f <memory_dump> --profile=<profile> mpp
Analyzing Process Memory
- volatility -f <memory_dump> --profile=<profile> memmap
Analyzing User Profiles
- volatility -f <memory_dump> --profile=<profile> userassist

#Get enabled privileges of some processes
volatility --profile=Win7SP1x86_23418 privs --pid=3152 -f file.dmp | grep Enabled
#Get all processes with interesting privileges
volatility --profile=Win7SP1x86_23418 privs -f file.dmp | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege"

SIDs

Angalia kila SSID inayomilikiwa na mchakato. Inaweza kuwa ya kuvutia kuorodhesha michakato inayotumia SID ya mamlaka (na michakato inayotumia SID fulani ya huduma).

./vol.py -f file.dmp windows.getsids.GetSIDs [--pid <pid>] #Get SIDs of processes
./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of services

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Kutambua Mfumo wa Uendeshaji
```
volatility -f <file> imageinfo
```
Kuchunguza Michakato Inayotekelezwa
```
volatility -f <file> pslist
```
Kuchunguza Mitandao ya Kumbukumbu
```
volatility -f <file> netscan
```
Kuchunguza Moduli Zilizopakiwa
```
volatility -f <file> modscan
```
Kuchunguza Kumbukumbu ya Kernel
```
volatility -f <file> kdbgscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Kupasua
```
volatility -f <file> kpcrscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Mitambo
```
volatility -f <file> kpcrscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Mitambo
```
volatility -f <file> kpcrscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Mitambo
```
volatility -f <file> kpcrscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Mitambo
```
volatility -f <file> kpcrscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Mitambo
```
volatility -f <file> kpcrscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Mitambo
```
volatility -f <file> kpcrscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Mitambo
```
volatility -f <file> kpcrscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Mitambo
```
volatility -f <file> kpcrscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Mitambo
```
volatility -f <file> kpcrscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Mitambo
```
volatility -f <file> kpcrscan
```
Kuchunguza Kumbukumbu ya Kernel kwa kutumia Mitambo
```
volatility -f <file> kpcrscan
```

volatility --profile=Win7SP1x86_23418 getsids -f file.dmp #Get the SID owned by each process
volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp #Get the SID of each service

Vitambulisho

Inatumika kujua ni faili, funguo, mihimili, michakato... gani mchakato una vitambulisho kwa (umefungua)

vol.py -f file.dmp windows.handles.Handles [--pid <pid>]

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Mwanzo

Kutambua aina ya mfumo wa uendeshaji
```
volatility -f <dumpfile> imageinfo
```
Kutambua mchakato ulioendeshwa
```
volatility -f <dumpfile> pslist
```
Kutambua huduma zilizoendeshwa
```
volatility -f <dumpfile> getservicesids
```
Kutambua programu zilizoendeshwa
```
volatility -f <dumpfile> dlllist
```
Kuchunguza mitandao iliyofunguliwa
```
volatility -f <dumpfile> netscan
```
Kuchunguza historia ya kivinjari
```
volatility -f <dumpfile> iehistory
```
Kuchunguza mafaili yaliyofunguliwa
```
volatility -f <dumpfile> filescan
```
Kuchunguza mchakato wa kuingiza kumbukumbu
```
volatility -f <dumpfile> memmap
```

Mbinu za Kina

Uchunguzi wa Usanidi wa Usanidi
```
volatility -f <dumpfile> hivex
```

Uchunguzi wa Usajili

volatility -f <dumpfile> printkey -o <offset>

Uchunguzi wa Mitandao
```
volatility -f <dumpfile> connscan
```

Uchunguzi wa Maudhui ya Kumbukumbu

volatility -f <dumpfile> memdump -p <pid> -D <output_directory>

Uchunguzi wa Mfumo wa Faili

volatility -f <dumpfile> filescan -S <start_address> -E <end_address>

Uchunguzi wa Mchakato wa Mfumo
```
volatility -f <dumpfile> psxview
```
Uchunguzi wa Mitandao ya Kijamii
```
volatility -f <dumpfile> malfind
```
Uchunguzi wa Mfumo wa Ufuatiliaji
```
volatility -f <dumpfile> ldrmodules
```
Uchunguzi wa Mfumo wa Kuingiza
```
volatility -f <dumpfile> malfind
```
Uchunguzi wa Mfumo wa Kuingiza
```
volatility -f <dumpfile> malfind
```
Uchunguzi wa Mfumo wa Kuingiza
```
volatility -f <dumpfile> malfind
```
Uchunguzi wa Mfumo wa Kuingiza
```
volatility -f <dumpfile> malfind
```
Uchunguzi wa Mfumo wa Kuingiza
```
volatility -f <dumpfile> malfind
```
Uchunguzi wa Mfumo wa Kuingiza
```
volatility -f <dumpfile> malfind
```
Uchunguzi wa Mfumo wa Kuingiza
```
volatility -f <dumpfile> malfind
```
Uchunguzi wa Mfumo wa Kuingiza
```
volatility -f <dumpfile> malfind
```
Uchunguzi wa Mfumo wa Kuingiza
```
volatility -f <dumpfile> malfind
```
Uchunguzi wa Mfumo wa Kuingiza
```
volatility -f <dumpfile> malfind
```

volatility --profile=Win7SP1x86_23418 -f file.dmp handles [--pid=<pid>]

DLLs

./vol.py -f file.dmp windows.dlllist.DllList [--pid <pid>] #List dlls used by each
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --pid <pid> #Dump the .exe and dlls of the process in the current directory process

Volatility Cheatsheet

Swahili Translation:

Orodha ya Kudanganya ya Volatility

Endelea Kusoma:

volatility --profile=Win7SP1x86_23418 dlllist --pid=3152 -f file.dmp #Get dlls of a proc
volatility --profile=Win7SP1x86_23418 dlldump --pid=3152 --dump-dir=. -f file.dmp #Dump dlls of a proc

Maneno kwa mchakato

Volatility inaruhusu sisi kuangalia ni mchakato gani maneno yanahusiana nayo.

strings file.dmp > /tmp/strings.txt
./vol.py -f /tmp/file.dmp windows.strings.Strings --strings-file /tmp/strings.txt

Volatility Cheatsheet

Basic Commands

Image Identification
- volatility -f <memory_dump> imageinfo
Listing Processes
- volatility -f <memory_dump> --profile=<profile> pslist
Dumping a Process
- volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>
Listing Network Connections
- volatility -f <memory_dump> --profile=<profile> connections
Dumping Registry
- volatility -f <memory_dump> --profile=<profile> printkey -o <offset>
Recovering Deleted Files
- volatility -f <memory_dump> --profile=<profile> filescan

Advanced Commands

Analyzing Malware
- volatility -f <memory_dump> --profile=<profile> malfind
Detecting Rootkits
- volvolatility -f <memory_dump> --profile=<profile> ldrmodules
Extracting DLLs
- volatility -f <memory_dump> --profile=<profile> dlldump -D <output_directory>
Analyzing Drivers
- volatility -f <memory_dump> --profile=<profile> driverscan
Identifying Sockets
- volatility -f <memory_dump> --profile=<profile> sockets
Analyzing Timelining
- volatility -f <memory_dump> --profile=<profile> timeliner
Dumping LSA Secrets
- volatility -f <memory_dump> --profile=<profile> lsadump
Analyzing Packed Binaries
- volatility -f <memory_dump> --profile=<profile> mpparser
Analyzing Process Handles
- volatility -f <memory_dump> --profile=<profile> handle
Analyzing User Sessions
- volatility -f <memory_dump> --profile=<profile> sessions
Analyzing Kernel Modules
- volatility -f <memory_dump> --profile=<profile> modscan
Analyzing SSDT Hooks
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing Mutants
- volatility -f <memory_dump> --profile=<profile> mutantscan
Analyzing Yara Rules
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing Threads
- volatility -f <memory_dump> --profile=<profile> threads
Analyzing Handles
- volatility -f <memory_dump> --profile=<profile> handles
Analyzing Vad Trees
- volatility -f <memory_dump> --profile=<profile> vad
Analyzing API Audit
- volatility -f <memory_dump> --profile=<profile> api
Analyzing User Handles
- volatility -f <memory_dump> --profile=<profile> userhandles
Analyzing Privileges
- volatility -f <memory_dump> --profile=<profile> privs
Analyzing Dump Files
- volatility -f <memory_dump> --profile=<profile> dumpfiles
Analyzing Malware Config
- volatility -f <memory_dump> --profile=<profile> malconfig
Analyzing Malware Plugins
- volatility -f <memory_dump> --profile=<profile> malplugins
Analyzing Malware Services
- volatility -f <memory_dump> --profile=<profile> malsysproc
Analyzing Malware Tasks
- volatility -f <memory_dump> --profile=<profile> malthr
Analyzing Malware Netscan
- volatility -f <memory_dump> --profile=<profile> malnetscan
Analyzing Malware Svcscan
- volatility -f <memory_dump> --profile=<profile> malsvcscan
Analyzing Malware Driverirp
- volatility -f <memory_dump> --profile=<profile> maldriverirp
Analyzing Malware Drivermodule
- volatility -f <memory_dump> --profile=<profile> maldrivermodule
Analyzing Malware Driverunload
- volatility -f <memory_dump> --profile=<profile> maldriverunload
Analyzing Malware Handles
- volatility -f <memory_dump> --profile=<profile> malhandles
Analyzing Malware Psxview
- volatility -f <memory_dump> --profile=<profile> malpsxview
Analyzing Malware Cmdline
- volatility -f <memory_dump> --profile=<profile> malcmdline
Analyzing Malware Malfind
- volatility -f <memory_dump> --profile=<profile> malfind
Analyzing Malware Malthr
- volatility -f <memory_dump> --profile=<profile> malthr
Analyzing Malware Malldr
- volatility -f <memory_dump> --profile=<profile> malldr
Analyzing Malware Malprocscan
- volatility -f <memory_dump> --profile=<profile> malprocscan
Analyzing Malware Malstack
- volatility -f <memory_dump> --profile=<profile> malstack
Analyzing Malware Malsyscalls
- volatility -f <memory_dump> --profile=<profile> malsyscalls
Analyzing Malware Malthr
- volatility -f <memory_dump> --profile=<profile> malthr
Analyzing Malware Malthreads
- volatility -f <memory_dump> --profile=<profile> malthreads
Analyzing Malware Malvad
- volatility -f <memory_dump> --profile=<profile> malvad
Analyzing Malware Malwritemem
- volatility -f <memory_dump> --profile=<profile> malwritemem
Analyzing Malware Malzip
- volatility -f <memory_dump> --profile=<profile> malzip
Analyzing Malware Mz
- volatility -f <memory_dump> --profile=<profile> mz
Analyzing Malware Psxview
- volatility -f <memory_dump> --profile=<profile> psxview
Analyzing Malware Cmdline
- volatility -f <memory_dump> --profile=<profile> cmdline
Analyzing Malware Malprocscan
- volatility -f <memory_dump> --profile=<profile> procscan
Analyzing Malware Malstack
- volatility -f <memory_dump> --profile=<profile> stack
Analyzing Malware Malsyscalls
- volatility -f <memory_dump> --profile=<profile> syscalls
Analyzing Malware Malthreads
- volatility -f <memory_dump> --profile=<profile> threads
Analyzing Malware Malvad
- volatility -f <memory_dump> --profile=<profile> vad
Analyzing Malware Malwritemem
- volatility -f <memory_dump> --profile=<profile> writemem
Analyzing Malware Malzip
- volatility -f <memory_dump> --profile=<profile> zip
Analyzing Malware Mz
- volatility -f <memory_dump> --profile=<profile> mz
Analyzing Malware Malnetscan
- volatility -f <memory_dump> --profile=<profile> netscan
Analyzing Malware Malsvcscan
- volatility -f <memory_dump> --profile=<profile> svcscan
Analyzing Malware Maldriverirp
- volatility -f <memory_dump> --profile=<profile> driverirp
Analyzing Malware Maldrivermodule
- volatility -f <memory_dump> --profile=<profile> drivermodule
Analyzing Malware Maldriverunload
- volatility -f <memory_dump> --profile=<profile> driverunload
Analyzing Malware Malhandles
- volatility -f <memory_dump> --profile=<profile> handles
Analyzing Malware Malpsxview
- volatility -f <memory_dump> --profile=<profile> psxview
Analyzing Malware Malcmdline
- volatility -f <memory_dump> --profile=<profile> cmdline
Analyzing Malware Malconfig
- volatility -f <memory_dump> --profile=<profile> config
Analyzing Malware Malplugins
- volatility -f <memory_dump> --profile=<profile> plugins
Analyzing Malware Malsysproc
- volatility -f <memory_dump> --profile=<profile> sysproc
Analyzing Malware Malthr
- volatility -f <memory_dump> --profile=<profile> thr
Analyzing Malware Malnetscan
- volatility -f <memory_dump> --profile=<profile> netscan
Analyzing Malware Malsvcscan
- volatility -f <memory_dump> --profile=<profile> svcscan
Analyzing Malware Maldriverirp
- volatility -f <memory_dump> --profile=<profile> driverirp
Analyzing Malware Maldrivermodule
- volatility -f <memory_dump> --profile=<profile> drivermodule
Analyzing Malware Maldriverunload
- volatility -f <memory_dump> --profile=<profile> driverunload
Analyzing Malware Malhandles
- volatility -f <memory_dump> --profile=<profile> handles
Analyzing Malware Malpsxview
- volatility -f <memory_dump> --profile=<profile> psxview
Analyzing Malware Malcmdline
- volatility -f <memory_dump> --profile=<profile> cmdline
Analyzing Malware Malconfig
- volatility -f <memory_dump> --profile=<profile> config
Analyzing Malware Malplugins
- volatility -f <memory_dump> --profile=<profile> plugins
Analyzing Malware Malsysproc
- volatility -f <memory_dump> --profile=<profile> sysproc
Analyzing Malware Malthr
- volatility -f <memory_dump> --profile=<profile> thr
Analyzing Malware Malnetscan
- volatility -f <memory_dump> --profile=<profile> netscan
Analyzing Malware Malsvcscan
- volatility -f <memory_dump> --profile=<profile> svcscan
Analyzing Malware Maldriverirp
- volatility -f <memory_dump> --profile=<profile> driverirp
Analyzing Malware Maldrivermodule
- volatility -f <memory_dump> --profile=<profile> drivermodule
Analyzing Malware Maldriverunload
- volatility -f <memory_dump> --profile=<profile> driverunload
Analyzing Malware Malhandles
- volatility -f <memory_dump> --profile=<profile> handles
Analyzing Malware Malpsxview
- volatility -f <memory_dump> --profile=<profile> psxview
Analyzing Malware Malcmdline
- volatility -f <memory_dump> --profile=<profile> cmdline
Analyzing Malware Malconfig
- volatility -f <memory_dump> --profile=<profile> config
Analyzing Malware Malplugins
- volatility -f <memory_dump> --profile=<profile> plugins
Analyzing Malware Malsysproc
- volatility -f <memory_dump> --profile=<profile> sysproc
Analyzing Malware Malthr
- volatility -f <memory_dump> --profile=<profile> thr
Analyzing Malware Malnetscan
- volatility -f <memory_dump> --profile=<profile> netscan
Analyzing Malware Malsvcscan
- volatility -f <memory_dump> --profile=<profile> svcscan
Analyzing Malware Maldriverirp
- volatility -f <memory_dump> --profile=<profile> driverirp
Analyzing Malware Maldrivermodule
- volatility -f <memory_dump> --profile=<profile> drivermodule
Analyzing Malware Maldriverunload
- volatility -f <memory_dump> --profile=<profile> driverunload
Analyzing Malware Malhandles
- volatility -f <memory_dump> --profile=<profile> handles
Analyzing Malware Malpsxview
- volatility -f <memory_dump> --profile=<profile> psxview
Analyzing Malware Malcmdline
- volatility -f <memory_dump> --profile=<profile> cmdline
Analyzing Malware Malconfig
- volatility -f <memory_dump> --profile=<profile> config
Analyzing Malware Malplugins
- volatility -f <memory_dump> --profile=<profile> plugins
Analyzing Malware Malsysproc
- volatility -f <memory_dump> --profile=<profile> sysproc
Analyzing Malware Malthr
- volatility -f <memory_dump> --profile=<profile> thr
Analyzing Malware Malnetscan
- volatility -f <memory_dump> --profile=<profile> netscan
Analyzing Malware Malsvcscan
- volatility -f <memory_dump> --profile=<profile> svcscan
Analyzing Malware Maldriverirp
- volatility -f <memory_dump> --profile=<profile> driverirp
Analyzing Malware Maldrivermodule
- volatility -f <memory_dump> --profile=<profile> drivermodule
Analyzing Malware Maldriverunload
- volatility -f <memory_dump> --profile=<profile> driverunload
Analyzing Malware Malhandles
- volatility -f <memory_dump> --profile=<profile> handles
Analyzing Malware Malpsxview
- volatility -f <memory_dump> --profile=<profile> psxview
Analyzing Malware Malcmdline
- volatility -f <memory_dump> --profile=<profile> cmdline
Analyzing Malware Malconfig
- volatility -f <memory_dump> --profile=<profile> config
Analyzing Malware Malplugins
- volatility -f <memory_dump> --profile=<profile> plugins
Analyzing Malware Malsysproc
- volatility -f <memory_dump> --profile=<profile> sysproc
Analyzing Malware Malthr
- volatility -f <memory_dump> --profile=<profile> thr
Analyzing Malware Malnetscan
- volatility -f <memory_dump> --profile=<profile> netscan
Analyzing Malware Malsvcscan
- volatility -f <memory_dump> --profile=<profile> svcscan
Analyzing Malware Maldriverirp
- volatility -f <memory_dump> --profile=<profile> driverirp
Analyzing Malware Maldrivermodule
- volatility -f <memory_dump> --profile=<profile> drivermodule
Analyzing Malware Maldriverunload
- volatility -f <memory_dump> --profile=<profile> driverunload
Analyzing Malware Malhandles
- volatility -f <memory_dump> --profile=<profile> handles
Analyzing Malware Malpsxview
- volatility -f <memory_dump> --profile=<profile> psxview
Analyzing Malware Malcmdline
- volatility -f <memory_dump> --profile=<profile> cmdline
Analyzing Malware Malconfig
- volatility -f <memory_dump> --profile=<profile> config
Analyzing Malware Malplugins
- volatility -f <memory_dump> --profile=<profile> plugins
Analyzing Malware Malsysproc
- volatility -f <memory_dump> --profile=<profile> sysproc
Analyzing Malware Malthr
- volatility -f <memory_dump> --profile=<profile> thr
Analyzing Malware Malnetscan
- volatility -f <memory_dump> --profile=<profile> netscan
Analyzing Malware Malsvcscan
- volatility -f <memory_dump> --profile=<profile> svcscan
Analyzing Malware Maldriverirp
- volatility -f <memory_dump> --profile=<profile> driverirp
Analyzing Malware Maldrivermodule
- volatility -f <memory_dump> --profile=<profile> drivermodule
Analyzing Malware Maldriverunload
- volatility -f <memory_dump> --profile=<profile> driverunload
Analyzing Malware Malhandles
- volatility -f <memory_dump> --profile=<profile> handles
**Analyzing Malware Malpsxview

strings file.dmp > /tmp/strings.txt
volatility -f /tmp/file.dmp windows.strings.Strings --string-file /tmp/strings.txt

volatility -f /tmp/file.dmp --profile=Win81U1x64 memdump -p 3532 --dump-dir .
strings 3532.dmp > strings_file

Inaruhusu pia kutafuta maneno ndani ya mchakato kwa kutumia moduli ya yarascan:

./vol.py -f file.dmp windows.vadyarascan.VadYaraScan --yara-rules "https://" --pid 3692 3840 3976 3312 3084 2784
./vol.py -f file.dmp yarascan.YaraScan --yara-rules "https://"

Volatility Cheatsheet

Swahili Translation:

### Mwongozo wa Volatility

#### Tafsiri ya Kiswahili:

volatility --profile=Win7SP1x86_23418 yarascan -Y "https://" -p 3692,3840,3976,3312,3084,2784

UserAssist

Windows inaendelea kufuatilia programu unazotumia kwa kutumia kipengele katika usajili kinachoitwa UserAssist keys. Vipengele hivi vinarekodi mara ngapi kila programu inatekelezwa na wakati ilipotekelezwa mara ya mwisho.

./vol.py -f file.dmp windows.registry.userassist.UserAssist

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Kuanzisha Mazingira ya Volatility:

$ python vol.py -f memory_dump.mem --profile=ProfileName

Orodha ya Mchakato:

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem pslist

Uchunguzi wa Mchakato:

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem pstree

Uchunguzi wa Mitandao:

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem netscan

Uchunguzi wa Usajili:

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem printkey -o 0xfffff8a000002030

Kuchunguza Maudhui ya Kumbukumbu:

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -p PID -D /path/to/dump/

Uchambuzi wa Kificho cha Shell:

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem consoles

Uchunguzi wa Moduli:

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem modscan

Uchunguzi wa Kazi za Kernel:

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem kdbgscan

Uchunguzi wa Mfumo wa Faili:

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem filescan

Uchunguzi wa Mitandao ya Kijamii:

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem malfind

Uchunguzi wa Mfumo wa Kumbukumbu:

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memmap

Uchunguzi wa Mfumo wa Kumbukumbu (kwa PID):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memmap -p PID

Uchunguzi wa Maudhui ya Kumbukumbu (kwa eneo):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -r StartAddress -s EndAddress -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa PID):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -p PID -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Mchakato):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -n ProcessName -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Moduli):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -m ModuleName -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Thread):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -t ThreadName -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Handle):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -h HandleName -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Anwani ya IP):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -a IPAddress -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Port):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -o PortNumber -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la URL):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -u URL -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Domain):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -d DomainName -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Protocol):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -r ProtocolName -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Query):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -q QueryName -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Parameter):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -p ParameterName -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Data):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -d DataName -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Keyword):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -k Keyword -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Tarehe):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -t Date -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Muda):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -m Time -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Tarehe na Muda):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -d DateTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Uwezo):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -c Capability -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Muda wa Mwisho wa Kupatikana):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -l LastAccessTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Muda wa Kubadilishwa):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -w LastWriteTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Muda wa Uundaji):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -c CreationTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Muda wa Mabadiliko ya Mwisho):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -m MFTChangedTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Muda wa Upatikanaji wa Mwisho):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -a LastAccessTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Muda wa Mabadiliko ya Mwisho):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -c LastContentChangedTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Muda wa Kufutwa):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -d DeletedTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Muda wa Kufutwa Mwisho):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -e LastDeletedTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Kumbukumbu ya Kufutwa):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -r RecoveredTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Kumbukumbu ya Kufutwa Mwisho):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -s LastRecoveredTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Kumbukumbu ya Kufutwa ya Muda):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -t RecoveredDateTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Kumbukumbu ya Kufutwa ya Muda wa Mwisho):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -u LastRecoveredDateTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Kumbukumbu ya Kufutwa ya Muda wa Kufutwa):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -v DeletedDateTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Kumbukumbu ya Kufutwa ya Muda wa Kufutwa Mwisho):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -w LastDeletedDateTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Kumbukumbu ya Kufutwa ya Muda wa Kufutwa ya Mwisho):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -x DeletedLastDateTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Kumbukumbu ya Kufutwa ya Muda wa Kufutwa ya Mwisho wa Mwisho):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -y LastDeletedLastDateTime -D /path/to/dump/

Uchunguzi wa Maudhui ya Kumbukumbu (kwa Jina la Faili na Kumbukumbu ya Kufutwa ya Muda wa Kufutwa ya Mwisho wa Mwisho wa Mwisho):

$ python vol.py --plugins=plugins/ --profile=ProfileName -f memory_dump.mem memdump -f FileName -z DeletedLastLastDateTime -D /path/to/dump/

volatility --profile=Win7SP1x86_23418 -f file.dmp userassist

RootedCON ni tukio muhimu zaidi la usalama wa mtandao nchini Hispania na moja ya muhimu zaidi barani Ulaya. Kwa lengo la kukuza maarifa ya kiufundi, kongamano hili ni mahali pa mkutano wa teknolojia na wataalamu wa usalama wa mtandao katika kila nidhamu.

RootedCONRootedCON

Huduma

./vol.py -f file.dmp windows.svcscan.SvcScan #List services
./vol.py -f file.dmp windows.getservicesids.GetServiceSIDs #Get the SID of services

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Mwanzo

Kuanza: volatility -f <file> imageinfo
Kuchunguza mchakato: volatility -f <file> --profile=<profile> pslist
Kuchunguza moduli: volatility -f <file> --profile=<profile> modscan
Kuchunguza mizizi: volatility -f <file> --profile=<profile> dlllist
Kuchunguza mitandao: volatility -f <file> --profile=<profile> netscan

Uchambuzi wa Kina

Kuchunguza mchakato: volatility -f <file> --profile=<profile> pstree
Kuchunguza mchakato wa kina: volatility -f <file> --profile=<profile> psscan
Kuchunguza mchakato wa kina zaidi: volatility -f <file> --profile=<profile> pstotal
Kuchunguza mchakato wa kina zaidi: volatility -f <file> --profile=<profile> psxview

Uchambuzi wa Kumbukumbu

Kuchunguza kumbukumbu: volatility -f <file> --profile=<profile> memmap --output-file=<output>
Kuchunguza faili za kumbukumbu: volatility -f <file> --profile=<profile> filescan

Uchambuzi wa Usalama

Kuchunguza mizizi ya usalama: volatility -f <file> --profile=<profile> malfind
Kuchunguza mizizi ya usalama: volatility -f <file> --profile=<profile> ldrmodules

Uchambuzi wa Mtandao

Kuchunguza mizizi ya mtandao: volatility -f <file> --profile=<profile> connscan
Kuchunguza mizizi ya mtandao: volatility -f <file> --profile=<profile> sockets

Uchambuzi wa Usajili

Kuchunguza usajili: volatility -f <file> --profile=<profile> hivelist
Kuchunguza usajili: volatility -f <file> --profile=<profile> printkey --key=<registry_key>

Uchambuzi wa Mfumo wa Faili

Kuchunguza mfumo wa faili: volatility -f <file> --profile=<profile> shimcache
Kuchunguza mfumo wa faili: volatility -f <file> --profile=<profile> ldrmodules

Uchambuzi wa Muda

Kuchunguza historia ya kivinjari: volatility -f <file> --profile=<profile> chromehistory
Kuchunguza historia ya kivinjari: volatility -f <file> --profile=<profile> iehistory

Uchambuzi wa Mawasiliano

Kuchunguza mawasiliano: volatility -f <file> --profile=<profile> malfind
Kuchunguza mawasiliano: volatility -f <file> --profile=<profile> ldrmodules

Uchambuzi wa Mchakato wa Kuanza

Kuchunguza mchakato wa kuanza: volatility -f <file> --profile=<profile> svcscan
Kuchunguza mchakato wa kuanza: volatility -f <file> --profile=<profile> drivermodule

Uchambuzi wa Kiotomatiki

Kuchunguza kiotomatiki: volatility -f <file> --profile=<profile> autoruns

Uchambuzi wa Kadi ya Mtandao

Kuchunguza kadi ya mtandao: volatility -f <file> --profile=<profile> ifconfig

Uchambuzi wa Kielektroniki

Kuchunguza kielektroniki: volatility -f <file> --profile=<profile> atomscan

Uchambuzi wa Kumbukumbu ya Kerneli

Kuchunguza kumbukumbu ya kerneli: volatility -f <file> --profile=<profile> kdbgscan

Uchambuzi wa Mfumo wa Kumbukumbu

Kuchunguza mfumo wa kumbukumbu: volatility -f <file> --profile=<profile> memdump --dump-dir=<output_directory> --address=<address_range>

Uchambuzi wa Mfumo wa Ufikiaji

Kuchunguza mfumo wa ufikiaji: volatility -f <file> --profile=<profile> hivelist

Uchambuzi wa Mfumo wa Mtandao

Kuchunguza mfumo wa mtandao: volatility -f <file> --profile=<profile> netscan

Uchambuzi wa Mfumo wa Muda

Kuchunguza mfumo wa muda: volatility -f <file> --profile=<profile> timeliner

Uchambuzi wa Mfumo wa Mawasiliano

Kuchunguza mfumo wa mawasiliano: volatility -f <file> --profile=<profile> connscan

Uchambuzi wa Mfumo wa Usajili

Kuchunguza mfumo wa usajili: volatility -f <file> --profile=<profile> printkey --key=<registry_key>

Uchambuzi wa Mfumo wa Mfumo wa Faili

Kuchunguza mfumo wa mfumo wa faili: volatility -f <file> --profile=<profile> shimcache

Uchambuzi wa Mfumo wa Mfumo wa Kuanza

Kuchunguza mfumo wa mfumo wa kuanza: volatility -f <file> --profile=<profile> svcscan

Uchambuzi wa Mfumo wa Kiotomatiki

Kuchunguza mfumo wa kiotomatiki: volatility -f <file> --profile=<profile> autoruns

Uchambuzi wa Mfumo wa Kadi ya Mtandao

Kuchunguza mfumo wa kadi ya mtandao: volatility -f <file> --profile=<profile> ifconfig

Uchambuzi wa Mfumo wa Kielektroniki

Kuchunguza mfumo wa kielektroniki: volatility -f <file> --profile=<profile> atomscan

Uchambuzi wa Mfumo wa Kumbukumbu ya Kerneli

Kuchunguza mfumo wa kumbukumbu ya kerneli: volatility -f <file> --profile=<profile> kdbgscan

Uchambuzi wa Mfumo wa Mfumo wa Kumbukumbu

Kuchunguza mfumo wa mfumo wa kumbukumbu: volatility -f <file> --profile=<profile> memdump --dump-dir=<output_directory> --address=<address_range>

#Get services and binary path
volatility --profile=Win7SP1x86_23418 svcscan -f file.dmp
#Get name of the services and SID (slow)
volatility --profile=Win7SP1x86_23418 getservicesids -f file.dmp

Mtandao

./vol.py -f file.dmp windows.netscan.NetScan
#For network info of linux use volatility2

volatility --profile=Win7SP1x86_23418 netscan -f file.dmp
volatility --profile=Win7SP1x86_23418 connections -f file.dmp#XP and 2003 only
volatility --profile=Win7SP1x86_23418 connscan -f file.dmp#TCP connections
volatility --profile=Win7SP1x86_23418 sockscan -f file.dmp#Open sockets
volatility --profile=Win7SP1x86_23418 sockets -f file.dmp#Scanner for tcp socket objects

volatility --profile=SomeLinux -f file.dmp linux_ifconfig
volatility --profile=SomeLinux -f file.dmp linux_netstat
volatility --profile=SomeLinux -f file.dmp linux_netfilter
volatility --profile=SomeLinux -f file.dmp linux_arp #ARP table
volatility --profile=SomeLinux -f file.dmp linux_list_raw #Processes using promiscuous raw sockets (comm between processes)
volatility --profile=SomeLinux -f file.dmp linux_route_cache

Usajili wa Mzinga

Chapisha mizinga inayopatikana

./vol.py -f file.dmp windows.registry.hivelist.HiveList #List roots
./vol.py -f file.dmp windows.registry.printkey.PrintKey #List roots and get initial subkeys

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Amri za Kuanza

volatility -f <file> imageinfo - Angalia habari za picha ya kumbukumbu
volatility -f <file> --profile=<profile> <command> - Tumia wasifu maalum wa mfumo
volatility -f <file> --profile=<profile> <command> > output.txt - Hifadhi matokeo kwenye faili

Uchunguzi wa Mchakato

volatility -f <file> --profile=<profile> pslist - Onyesha orodha ya michakato
volatility -f <file> --profile=<profile> pstree - Onyesha muundo wa mti wa michakato
volatility -f <file> --profile=<profile> psscan - Skani ya mchakato wa kumbukumbu
volatility -f <file> --profile=<profile> cmdline -p <PID> - Onyesha mstari wa amri wa mchakato maalum

Uchunguzi wa Mitandao

volatility -f <file> --profile=<profile> netscan - Skani ya kumbukumbu ya mitandao
volatility -f <file> --profile=<profile> connscan - Skani ya kumbukumbu ya uhusiano wa mitandao
volatility -f <file> --profile=<profile> sockets - Onyesha maelezo ya soketi

Uchunguzi wa Usajili

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
volatility -f <file> --profile=<profile> printkey -o <offset> - Chapisha ufunguo wa usajili kwa kutumia ofseti
volatility -f <file> --profile=<profile> userassist - Onyesha historia ya UserAssist

Uchunguzi wa Kificho

volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> dlllist -p <PID> - Onyesha orodha ya DLL kwa mchakato maalum
volatility -f <file> --profile=<profile> getsids - Onyesha SIDs za mchakato

Uchunguzi wa Kifaa

volatility -f <file> --profile=<profile> devicetree - Onyesha mti wa kifaa
volatility -f <file> --profile=<profile> driverirp - Onyesha habari za IRP za dereva
volatility -f <file> --profile=<profile> handles - Onyesha habari za kushughulikia

Uchunguzi wa Kifaa cha Uhifadhi

volatility -f <file> --profile=<profile> filescan - Skani ya kumbukumbu ya faili
volatility -f <file> --profile=<profile> fileinfo -f <file> - Onyesha habari za faili maalum
volatility -f <file> --profile=<profile> dumpfiles -Q <address> - Hifadhi faili kutoka kwa anwani maalum

Uchunguzi wa Mfumo wa Faili

volatility -f <file> --profile=<profile> mftparser - Onyesha habari za MFT
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa
volatility -f <file> --profile=<profile> modules - Onyesha habari za moduli

Uchunguzi wa Msaada wa Volatility

volatility -h - Onyesha msaada wa jumla
volatility --info - Onyesha habari za usanidi
volatility --plugins - Onyesha orodha ya programu-jalizi zilizopo

Uchambuzi wa Kumbukumbu ya Windows

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa
volatility -f <file> --profile=<profile> modules - Onyesha habari za moduli

Uchunguzi wa Msaada wa Volatility

volatility -h - Onyesha msaada wa jumla
volatility --info - Onyesha habari za usanidi
volatility --plugins - Onyesha orodha ya programu-jalizi zilizopo

Uchambuzi wa Kumbukumbu ya Windows

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa
volatility -f <file> --profile=<profile> modules - Onyesha habari za moduli

Uchunguzi wa Msaada wa Volatility

volatility -h - Onyesha msaada wa jumla
volatility --info - Onyesha habari za usanidi
volatility --plugins - Onyesha orodha ya programu-jalizi zilizopo

Uchambuzi wa Kumbukumbu ya Windows

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa
volatility -f <file> --profile=<profile> modules - Onyesha habari za moduli

Uchunguzi wa Msaada wa Volatility

volatility -h - Onyesha msaada wa jumla
volatility --info - Onyesha habari za usanidi
volatility --plugins - Onyesha orodha ya programu-jalizi zilizopo

Uchambuzi wa Kumbukumbu ya Windows

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa
volatility -f <file> --profile=<profile> modules - Onyesha habari za moduli

Uchunguzi wa Msaada wa Volatility

volatility -h - Onyesha msaada wa jumla
volatility --info - Onyesha habari za usanidi
volatility --plugins - Onyesha orodha ya programu-jalizi zilizopo

Uchambuzi wa Kumbukumbu ya Windows

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa
volatility -f <file> --profile=<profile> modules - Onyesha habari za moduli

Uchunguzi wa Msaada wa Volatility

volatility -h - Onyesha msaada wa jumla
volatility --info - Onyesha habari za usanidi
volatility --plugins - Onyesha orodha ya programu-jalizi zilizopo

Uchambuzi wa Kumbukumbu ya Windows

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa
volatility -f <file> --profile=<profile> modules - Onyesha habari za moduli

Uchunguzi wa Msaada wa Volatility

volatility -h - Onyesha msaada wa jumla
volatility --info - Onyesha habari za usanidi
volatility --plugins - Onyesha orodha ya programu-jalizi zilizopo

Uchambuzi wa Kumbukumbu ya Windows

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa
volatility -f <file> --profile=<profile> modules - Onyesha habari za moduli

Uchunguzi wa Msaada wa Volatility

volatility -h - Onyesha msaada wa jumla
volatility --info - Onyesha habari za usanidi
volatility --plugins - Onyesha orodha ya programu-jalizi zilizopo

Uchambuzi wa Kumbukumbu ya Windows

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa
volatility -f <file> --profile=<profile> modules - Onyesha habari za moduli

Uchunguzi wa Msaada wa Volatility

volatility -h - Onyesha msaada wa jumla
volatility --info - Onyesha habari za usanidi
volatility --plugins - Onyesha orodha ya programu-jalizi zilizopo

Uchambuzi wa Kumbukumbu ya Windows

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa
volatility -f <file> --profile=<profile> modules - Onyesha habari za moduli

Uchunguzi wa Msaada wa Volatility

volatility -h - Onyesha msaada wa jumla
volatility --info - Onyesha habari za usanidi
volatility --plugins - Onyesha orodha ya programu-jalizi zilizopo

Uchambuzi wa Kumbukumbu ya Windows

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa
volatility -f <file> --profile=<profile> modules - Onyesha habari za moduli

Uchunguzi wa Msaada wa Volatility

volatility -h - Onyesha msaada wa jumla
volatility --info - Onyesha habari za usanidi
volatility --plugins - Onyesha orodha ya programu-jalizi zilizopo

Uchambuzi wa Kumbukumbu ya Windows

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya mipangilio ya usajili
voljson -f <file> --profile=<profile> filescan - Skani ya faili na toa matokeo kama JSON
volatility -f <file> --profile=<profile> shimcacheparser - Onyesha habari za Shimcache

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta kdbg
`volatility -f <file

volatility --profile=Win7SP1x86_23418 -f file.dmp hivelist #List roots
volatility --profile=Win7SP1x86_23418 -f file.dmp printkey #List roots and get initial subkeys

Pata thamani

./vol.py -f file.dmp windows.registry.printkey.PrintKey --key "Software\Microsoft\Windows NT\CurrentVersion"

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Mwanzo

Kuanza: volatility -f <file> imageinfo
Kuchunguza mifumo inayowezekana: volatility -f <file> --profile=<profile> pslist

Uchunguzi wa Mchakato

Kutafuta mchakato: volatility -f <file> --profile=<profile> pstree
Kuchunguza maelezo ya mchakato: volatility -f <file> --profile=<profile> psscan

Uchunguzi wa Mitandao

Kutafuta maelezo ya soketi: volatility -f <file> --profile=<profile> sockscan
Kuchunguza maelezo ya TCP soketi: volatility -f <file> --profile=<profile> connections

Uchunguzi wa Usajili

Kuchunguza Usajili: volatility -f <file> --profile=<profile> hivelist
Kutafuta ufunguo wa Usajili: volatility -f <file> --profile=<profile> printkey -o <offset>

volatility --profile=Win7SP1x86_23418 printkey -K "Software\Microsoft\Windows NT\CurrentVersion" -f file.dmp
# Get Run binaries registry value
volatility -f file.dmp --profile=Win7SP1x86 printkey -o 0x9670e9d0 -K 'Software\Microsoft\Windows\CurrentVersion\Run'

Kupakua

#Dump a hive
volatility --profile=Win7SP1x86_23418 hivedump -o 0x9aad6148 -f file.dmp #Offset extracted by hivelist
#Dump all hives
volatility --profile=Win7SP1x86_23418 hivedump -f file.dmp

Mfumo wa Faili

Kusanikisha

#See vol2

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Mwanzo

Kuanza: volatility -f <dumpfile> imageinfo
Kuchunguza mchakato: volatility -f <dumpfile> --profile=<profile> pslist
Kuchunguza moduli zilizopakiwa: volatility -f <dumpfile> --profile=<profile> modscan
Kuchunguza mnyororo wa mchakato: volatility -f <dumpfile> --profile=<profile> pstree

Uchunguzi wa Mitandao

Kuchunguza mizizi ya TCP: volatility -f <dumpfile> --profile=<profile> tcpconnections
Kuchunguza mizizi ya UDP: volatility -f <dumpfile> --profile=<profile> udpconnections
Kuchunguza historia ya kivinjari: volatility -f <dumpfile> --profile=<profile> chromehistory

Uchunguzi wa Mafaili

Kuchunguza mafaili yaliyofunguliwa: volatility -f <dumpfile> --profile=<profile> filescan
Kuchunguza mafaili yaliyopakuliwa: volatility -f <dumpfile> --profile=<profile> netscan

Uchunguzi wa Usajili

Kuchunguza Usajili: volatility -f <dumpfile> --profile=<profile> printkey -K "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

Uchunguzi wa Mfumo wa Faili

Kuchunguza mizizi ya mfumo wa faili: volatility -f <dumpfile> --profile=<profile> filescan
Kuchunguza mizizi ya mfumo wa faili kwa kina: volatility -f <dumpfile> --profile=<profile> filescan -Q

Uchunguzi wa Mchakato

Kuchunguza maelezo ya mchakato: volatility -f <dumpfile> --profile=<profile> psscan
Kuchunguza maelezo ya mchakato kwa kina: volatility -f <dumpfile> --profile=<profile> psscan -v

Uchunguzi wa Mitandao ya Kijamii

Kuchunguza mazungumzo ya Facebook: volatility -f <dumpfile> --profile=<profile> facebookchat
Kuchunguza mazungumzo ya Skype: volatility -f <dumpfile> --profile=<profile> skype

Uchunguzi wa Kadi ya Mtandao

Kuchunguza maelezo ya kadi ya mtandao: volatility -f <dumpfile> --profile=<profile> ifconfig

Uchunguzi wa Muda

Kuchunguza muda wa mfumo: volatility -f <dumpfile> --profile=<profile> timeliner

Uchunguzi wa Mfumo wa Uendeshaji

Kuchunguza maelezo ya mfumo wa uendeshaji: volatility -f <dumpfile> --profile=<profile> svcscan

Uchunguzi wa Mtandao wa Wi-Fi

Kuchunguza maelezo ya Wi-Fi: volatility -f <dumpfile> --profile=<profile> wifinetworks

Uchunguzi wa Maudhui ya Kielektroniki

Kuchunguza maelezo ya barua pepe: volatility -f <dumpfile> --profile=<profile> pstree

Uchunguzi wa Maudhui ya Kielektroniki

Kuchunguza maelezo ya barua pepe: volatility -f <dumpfile> --profile=<profile> pstree

volatility --profile=SomeLinux -f file.dmp linux_mount
volatility --profile=SomeLinux -f file.dmp linux_recover_filesystem #Dump the entire filesystem (if possible)

Orodhesha/peleka

./vol.py -f file.dmp windows.filescan.FileScan #Scan for files inside the dump
./vol.py -f file.dmp windows.dumpfiles.DumpFiles --physaddr <0xAAAAA> #Offset from previous command

Volatility Cheatsheet

Basic Commands

Image Identification
- volatility -f <memory_dump> imageinfo
Listing Processes
- volatility -f <memory_dump> --profile=<profile> pslist
Dumping a Process
- volatility -f <memory_dump> --profile=<profile> memdump -p <pid> -D <output_directory>
Listing Network Connections
- volatility -f <memory_dump> --profile=<profile> connections
Dumping a File
- voljsonity -f <memory_dump> --profile=<profile> dumpfiles -Q <address_range> -D <output_directory>

Advanced Commands

Detecting Hidden Processes
- volatility -f <memory_dump> --profile=<profile> psxview
Analyzing Registry
- volatility -f <memory_dump> --profile=<profile> hivelist
- volatility -f <memory_dump> --profile=<profile> printkey -K <registry_key>
Extracting DLLs
- volatility -f <memory_dump> --profile=<profile> dlllist -p <pid>
Analyzing Drivers json - volatility -f <memory_dump> --profile=<profile> driverscan
Identifying Sockets
- volatility -f <memory_dump> --profile=<profile> sockscan
Analyzing Timelime
- volatility -f <memory_dump> --profile=<profile> timeliner
Analyzing PSScan
- volatility -f <memory_dump> --profile=<profile> psscan
Analyzing Mutants
- volatility -f <memory_dump> --profile=<profile> mutantscan
Analyzing Handles
- volatility -f <memory_dump> --profile=<profile> handles
Analyzing Vad
- volatility -f <memory_dump> --profile=<profile> vadinfo
Analyzing Yara Rules
- volatility -f <memory_dump> --profile=<profile> yarascan
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing SSDT
- volatility -f <memory_dump> --profile=<profile> ssdt
Analyzing GDT
- volatility -f <memory_dump> --profile=<profile> gdt
Analyzing IDT
- volatility -f <memory_dump> --profile=<profile> idt
Analyzing LDR Modules
- volatility -f <memory_dump> --profile=<profile> ldrmodules
Analyzing User Handles
- volatility -f <memory_dump> --profile=<profile> userhandles
Analyzing Privileges
- volatility -f <memory_dump> --profile=<profile> privs
Analyzing Crashes
- volatility -f <memory_dump> --profile=<profile> psxview
Analyzing API Audit
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Trace
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Monitor
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- volatility -f <memory_dump> --profile=<profile> apihooks
Analyzing API Hooks
- `vol

volatility --profile=Win7SP1x86_23418 filescan -f file.dmp #Scan for files inside the dump
volatility --profile=Win7SP1x86_23418 dumpfiles -n --dump-dir=/tmp -f file.dmp #Dump all files
volatility --profile=Win7SP1x86_23418 dumpfiles -n --dump-dir=/tmp -Q 0x000000007dcaa620 -f file.dmp

volatility --profile=SomeLinux -f file.dmp linux_enumerate_files
volatility --profile=SomeLinux -f file.dmp linux_find_file -F /path/to/file
volatility --profile=SomeLinux -f file.dmp linux_find_file -i 0xINODENUMBER -O /path/to/dump/file

Jedwali la Mkuu wa Faili

# I couldn't find any plugin to extract this information in volatility3

Volatility Cheatsheet

Swahili Translation:

Orodha ya Kudanganya ya Volatility

Endelea kusoma kwa umakini na uzingatie maelekezo yaliyotolewa.

volatility --profile=Win7SP1x86_23418 mftparser -f file.dmp

Mfumo wa faili wa NTFS hutumia sehemu muhimu inayoitwa meza kuu ya faili (MFT). Meza hii inaingiza angalau kuingizo moja kwa kila faili kwenye kiasi, ikijumuisha MFT yenyewe pia. Maelezo muhimu kuhusu kila faili, kama vile ukubwa, alama za wakati, ruhusa, na data halisi, zimefungwa ndani ya kuingizo cha MFT au katika maeneo nje ya MFT lakini yanayotajwa na kuingizo hizi. Maelezo zaidi yanaweza kupatikana katika hati rasmi.

#vol3 allows to search for certificates inside the registry
./vol.py -f file.dmp windows.registry.certificates.Certificates

Volatility Cheatsheet

Swahili Translation:

### Mwongozo wa Volatility

#### Tafsiri ya Kiswahili:

#vol2 allos you to search and dump certificates from memory
#Interesting options for this modules are: --pid, --name, --ssl
volatility --profile=Win7SP1x86_23418 dumpcerts --dump-dir=. -f file.dmp

Programu hasidi

./vol.py -f file.dmp windows.malfind.Malfind [--dump] #Find hidden and injected code, [dump each suspicious section]
#Malfind will search for suspicious structures related to malware
./vol.py -f file.dmp windows.driverirp.DriverIrp #Driver IRP hook detection
./vol.py -f file.dmp windows.ssdt.SSDT #Check system call address from unexpected addresses

./vol.py -f file.dmp linux.check_afinfo.Check_afinfo #Verifies the operation function pointers of network protocols
./vol.py -f file.dmp linux.check_creds.Check_creds #Checks if any processes are sharing credential structures
./vol.py -f file.dmp linux.check_idt.Check_idt #Checks if the IDT has been altered
./vol.py -f file.dmp linux.check_syscall.Check_syscall #Check system call table for hooks
./vol.py -f file.dmp linux.check_modules.Check_modules #Compares module list to sysfs info, if available
./vol.py -f file.dmp linux.tty_check.tty_check #Checks tty devices for hooks

Hii ni orodha fupi ya amri za kawaida za Volatility zinazoweza kutumika wakati wa uchambuzi wa kumbukumbu:

Kuchunguza mchakato: pslist, pstree, psscan
Kuchunguza moduli: modlist, modscan
Kuchunguza mizizi: dlllist, ldrmodules
Kuchunguza mitandao: netscan, sockets
Kuchunguza Usajili: hivelist, printkey, printkey -K
Kuchunguza kazi: deskscan, windows
Kuchunguza programu: cmdline, consoles
Kuchunguza faili: filescan, handles, handles -f
Kuchunguza kumbukumbu: memmap, memdump, memstrings
Kuchunguza mizizi ya muda: timeliner, atjobs, svcscan
Kuchunguza mizizi ya muda: timeliner, atjobs, svcscan

volatility --profile=Win7SP1x86_23418 -f file.dmp malfind [-D /tmp] #Find hidden and injected code [dump each suspicious section]
volatility --profile=Win7SP1x86_23418 -f file.dmp apihooks #Detect API hooks in process and kernel memory
volatility --profile=Win7SP1x86_23418 -f file.dmp driverirp #Driver IRP hook detection
volatility --profile=Win7SP1x86_23418 -f file.dmp ssdt #Check system call address from unexpected addresses

volatility --profile=SomeLinux -f file.dmp linux_check_afinfo
volatility --profile=SomeLinux -f file.dmp linux_check_creds
volatility --profile=SomeLinux -f file.dmp linux_check_fop
volatility --profile=SomeLinux -f file.dmp linux_check_idt
volatility --profile=SomeLinux -f file.dmp linux_check_syscall
volatility --profile=SomeLinux -f file.dmp linux_check_modules
volatility --profile=SomeLinux -f file.dmp linux_check_tty
volatility --profile=SomeLinux -f file.dmp linux_keyboard_notifiers #Keyloggers

Kuchunguza kwa kutumia yara

Tumia script hii kupakua na kuchanganya sheria zote za yara za zisizo kutoka kwenye github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9 Unda saraka ya sheria na itekeleze. Hii itaunda faili iliyoitwa malware_rules.yar ambayo ina sheria zote za yara kwa ajili ya zisizo.

wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
#Only Windows
./vol.py -f file.dmp windows.vadyarascan.VadYaraScan --yara-file /tmp/malware_rules.yar
#All
./vol.py -f file.dmp yarascan.YaraScan --yara-file /tmp/malware_rules.yar

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Amri za Kimsingi

Kuanzisha Uchambuzi wa Kumbukumbu: volatility -f <faili_la_kumbukumbu> imageinfo
Kutambua Mifumo ya Uendeshaji: volatility -f <faili_la_kumbukumbu> kdbgscan
Kutambua Michakato: volatility -f <faili_la_kumbukumbu> pslist
Kutambua Huduma: volatility -f <faili_la_kumbukumbu> getservicesids
Kuchunguza Mitandao: volatility -f <faili_la_kumbukumbu> netscan

Uchambuzi wa Mfumo wa Faili

Kutambua Mafaili yaliyofunguliwa: volatility -f <faili_la_kumbukumbu> filescan
Kutambua Mafaili yaliyopakuliwa: volatility -f <faili_la_kumbukumbu> filescan | grep -i download
Kutambua Mafaili yaliyobadilishwa: volatility -f <faili_la_kumbukumbu> filescan | grep -i edit

Uchambuzi wa Usajili

Kutambua Mabadiliko ya Hivi Karibuni: volatility -f <faili_la_kumbukumbu> hivelist
Kutambua Programu za Kuanza: volatility -f <faili_la_kumbukumbu> hivelist | grep -i run
Kutambua Mafaili yaliyopakuliwa: volatility -f <faili_la_kumbukumbu> hivelist | grep -i download

Uchambuzi wa Mtandao

Kutambua Mawasiliano: volatility -f <faili_la_kumbukumbu> connscan
Kutambua Historia ya Wavuti: volatility -f <faili_la_kumbukumbu> iehistory

Uchambuzi wa Mchakato

Kutambua Mchakato wa Sasa: volatility -f <faili_la_kumbukumbu> pstree
Kutambua Mchakato uliozimwa: volatility -f <faili_la_kumbukumbu> ldrmodules
Kutambua Mchakato uliofichwa: volatility -f <faili_la_kumbukumbu> malfind

Uchambuzi wa Kificho

Kutambua Kificho cha Shell: volatility -f <faili_la_kumbukumbu> consoles
Kutambua Kificho cha Python: volatility -f <faili_la_kumbukumbu> pylist
Kutambua Kificho cha DLL: volatility -f <faili_la_kumbukumbu> dlllist

wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
volatility --profile=Win7SP1x86_23418 yarascan -y malware_rules.yar -f ch2.dmp | grep "Rule:" | grep -v "Str_Win32" | sort | uniq

MISC

Viplagizi vya nje

Ikiwa unataka kutumia viplagizi vya nje hakikisha kuwa folda zinazohusiana na viplagizi ndio parameter ya kwanza inayotumiwa.

./vol.py --plugin-dirs "/tmp/plugins/" [...]

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Amri za Kimsingi

volatility -f dump.mem imageinfo: Inatoa habari kuhusu dump file.
volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName filescan: Inachunguza kumbukumbu kwa vitu vya faili.
volatility -f dump.mem --profile=ProfileName netscan: Inatoa habari kuhusu uhusiano wa mtandao.
volatility -f dump.mem --profile=ProfileName connections: Inatoa orodha ya uhusiano wa mtandao.
volatility -f dump.mem --profile=ProfileName malfind: Inachunguza mchakato kwa ishara za zisizo za kawaida.
volatility -f dump.mem --profile=ProfileName dlllist: Inatoa orodha ya maktaba za DLL zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName procdump -p PID -D /tmp/: Inachukua dump ya mchakato maalum.
volatility -f dump.mem --profile=ProfileName memdump -p PID -D /tmp/: Inachukua dump ya kumbukumbu ya mchakato maalum.

Uchambuzi wa Mfumo wa Faili

volatility -f dump.mem --profile=ProfileName filescan: Inachunguza kumbukumbu kwa vitu vya faili.
volatility -f dump.mem --profile=ProfileName filescan | grep txt: Inachuja matokeo ya faili za maandishi.
volatility -f dump.mem --profile=ProfileName dumpfiles -Q 0xADDRESS -D /tmp/: Inachukua faili zilizohifadhiwa kwenye anwani fulani ya kumbukumbu.
volatility -f dump.mem --profile=ProfileName dumpfiles -Q 0xADDRESS -D /tmp/ --name**: Inachukua faili zilizohifadhiwa kwenye anwani fulani ya kumbukumbu na kuziita kulingana na aina.

Uchambuzi wa Mtandao

volatility -f dump.mem --profile=ProfileName netscan: Inatoa habari kuhusu uhusiano wa mtandao.
volatility -f dump.mem --profile=ProfileName connections: Inatoa orodha ya uhusiano wa mtandao.
volatility -f dump.mem --profile=ProfileName connscan | grep -i ssh: Inachuja matokeo ya uhusiano wa SSH.
volatility -f dump.mem --profile=ProfileName connscan | grep -i ssh | grep -i ESTABLISHED: Inachuja matokeo ya uhusiano wa SSH ulioanzishwa.

Uchambuzi wa Malware

voljsonity -f dump.mem --profile=ProfileName yarascan: Inachunguza mchakato kwa kutumia YARA.
voljsonity -f dump.mem --profile=ProfileName yarascan --yara-rules=/path/to/rules.yar: Inachunguza mchakato kwa kutumia sheria maalum za YARA.
voljsonity -f dump.mem --profile=ProfileName malfind: Inachunguza mchakato kwa ishara za zisizo za kawaida.
voljsonity -f dump.mem --profile=ProfileName malfind --dump-dir=/tmp/: Inachukua dump ya mchakato unaoshukiwa kuwa na malware.

Uchambuzi wa Kumbukumbu ya Mfumo

volatility -f dump.mem --profile=ProfileName memmap: Inatoa ramani ya kumbukumbu ya mfumo.
volatility -f dump.mem --profile=ProfileName memdump -p PID -D /tmp/: Inachukua dump ya kumbukumbu ya mchakato maalum.
volatility -f dump.mem --profile=ProfileName memdump --dump-dir=/tmp/: Inachukua dump ya kumbukumbu ya mfumo mzima.

Uchambuzi wa Usalama

volatility -f dump.mem --profile=ProfileName shimcachemem: Inachunguza kache ya shim kwenye kumbukumbu.
volatility -f dump.mem --profile=ProfileName shimcachemem --output-file=/tmp/shimcache.csv: Huhifadhi matokeo ya uchambuzi wa kache ya shim kwenye faili ya CSV.
volatility -f dump.mem --profile=ProfileName ldrmodules: Inatoa orodha ya moduli zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName ldrmodules | grep dll_name: Inachuja matokeo ya moduli fulani ya DLL.
volatility -f dump.mem --profile=ProfileName ldrmodules -p PID: Inatoa habari ya moduli zilizopakiwa kwa mchakato maalum.

Uchambuzi wa Usajili

volatility -f dump.mem --profile=ProfileName hivelist: Inatoa orodha ya majina ya kudumu ya kuingia.
volatility -f dump.mem --profile=ProfileName hivelist | grep -i user: Inachuja matokeo ya majina ya kudumu ya kuingia yanayohusiana na "user".
volatility -f dump.mem --profile=ProfileName printkey -o 0xADDRESS: Inachapisha maudhui ya ufunguo wa usajili uliohifadhiwa kwenye anwani fulani ya kumbukumbu.
volatility -f dump.mem --profile=ProfileName printkey -K "ControlSet001\Control\ComputerName\ComputerName": Inachapisha maudhui ya ufunguo wa usajili uliohifadhiwa kwenye njia maalum.

Uchambuzi wa Mchakato

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName procdump -p PID -D /tmp/: Inachukua dump ya mchakato maalum.
volatility -f dump.mem --profile=ProfileName memdump -p PID -D /tmp/: Inachukua dump ya kumbukumbu ya mchakato maalum.

Uchambuzi wa DLL

volatility -f dump.mem --profile=ProfileName dlllist: Inatoa orodha ya maktaba za DLL zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName dlldump -p PID -D /tmp/: Inachukua dump ya DLL iliyopakiwa kwa mchakato maalum.
volatility -f dump.mem --profile=ProfileName dlldump -p PID -b BASEADDRESS -D /tmp/: Inachukua dump ya DLL iliyopakiwa kwa mchakato maalum kutoka kwa anwani ya msingi iliyotolewa.

Uchambuzi wa Kernel

volatility -f dump.mem --profile=ProfileName kdbgscan: Inachunguza kumbukumbu kwa kutafuta muundo wa kdbg.
volatility -f dump.mem --profile=ProfileName kpcrscan: Inachunguza kumbukumbu kwa kutafuta muundo wa kpcr.
volatility -f dump.mem --profile=ProfileName kpcrscan | grep -i windows: Inachuja matokeo ya kpcr yanayohusiana na "windows".
volatility -f dump.mem --profile=ProfileName kpcrscan | grep -i windows | grep -i version: Inachuja matokeo ya kpcr yanayohusiana na "windows" na "version".

Uchambuzi wa Maudhui ya Kumbukumbu

volatility -f dump.mem --profile=ProfileName memdump -p PID -D /tmp/: Inachukua dump ya kumbukumbu ya mchakato maalum.
volatility -f dump.mem --profile=ProfileName memdump --dump-dir=/tmp/: Inachukua dump ya kumbukumbu ya mfumo mzima.
volatility -f dump.mem --profile=ProfileName memmap: Inatoa ramani ya kumbukumbu ya mfumo.

Uchambuzi wa Mfumo wa Uendeshaji

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName ldrmodules: Inatoa orodha ya moduli zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName hivelist: Inatoa orodha ya majina ya kudumu ya kuingia.

Uchambuzi wa Mfumo wa Uendeshaji

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName ldrmodules: Inatoa orodha ya moduli zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName hivelist: Inatoa orodha ya majina ya kudumu ya kuingia.

Uchambuzi wa Mfumo wa Uendeshaji

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName ldrmodules: Inatoa orodha ya moduli zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName hivelist: Inatoa orodha ya majina ya kudumu ya kuingia.

Uchambuzi wa Mfumo wa Uendeshaji

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName ldrmodules: Inatoa orodha ya moduli zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName hivelist: Inatoa orodha ya majina ya kudumu ya kuingia.

Uchambuzi wa Mfumo wa Uendeshaji

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName ldrmodules: Inatoa orodha ya moduli zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName hivelist: Inatoa orodha ya majina ya kudumu ya kuingia.

Uchambuzi wa Mfumo wa Uendeshaji

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName ldrmodules: Inatoa orodha ya moduli zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName hivelist: Inatoa orodha ya majina ya kudumu ya kuingia.

Uchambuzi wa Mfumo wa Uendeshaji

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName ldrmodules: Inatoa orodha ya moduli zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName hivelist: Inatoa orodha ya majina ya kudumu ya kuingia.

Uchambuzi wa Mfumo wa Uendeshaji

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName ldrmodules: Inatoa orodha ya moduli zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName hivelist: Inatoa orodha ya majina ya kudumu ya kuingia.

Uchambuzi wa Mfumo wa Uendeshaji

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName ldrmodules: Inatoa orodha ya moduli zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName hivelist: Inatoa orodha ya majina ya kudumu ya kuingia.

Uchambuzi wa Mfumo wa Uendeshaji

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
volatility -f dump.mem --profile=ProfileName ldrmodules: Inatoa orodha ya moduli zilizopakiwa kwa kila mchakato.
volatility -f dump.mem --profile=ProfileName hivelist: Inatoa orodha ya majina ya kudumu ya kuingia.

Uchambuzi wa Mfumo wa Uendeshaji

volatility -f dump.mem --profile=ProfileName pslist: Inatoa orodha ya mchakato.
volatility -f dump.mem --profile=ProfileName pstree: Inatoa muundo wa mti wa mchakato.
volatility -f dump.mem --profile=ProfileName cmdline: Inatoa habari ya amri ya mchakato.
**volatility -f dump.mem

volatilitye --plugins="/tmp/plugins/" [...]

Autoruns

Pakua kutoka https://github.com/tomchop/volatility-autoruns

volatility --plugins=volatility-autoruns/ --profile=WinXPSP2x86 -f file.dmp autoruns

Mutexes

./vol.py -f file.dmp windows.mutantscan.MutantScan

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Mwanzo

Kuanza: volatility -f <dumpfile> imageinfo
Kuchunguza mchakato: volatility -f <dumpfile> --profile=<profile> pslist
Kuchunguza moduli zilizopakiwa: volatility -f <dumpfile> --profile=<profile> modscan
Kuchunguza mizizi ya mchakato: volatility -f <dumpfile> --profile=<profile> pstree

Uchunguzi wa Mitandao

Kuchunguza mizizi ya TCP: volatility -f <dumpfile> --profile=<profile> tcpconnections
Kuchunguza mizizi ya UDP: volatility -f <dumpfile> --profile=<profile> udpconnections
Kuchunguza mizizi ya mawasiliano ya soketi: volatility -f <dumpfile> --profile=<profile> sockets

Uchunguzi wa Maudhui ya Kumbukumbu

Kuchunguza maudhui ya kumbukumbu: volatility -f <dumpfile> --profile=<profile> memdump -p <pid> -D <output_directory>

Uchunguzi wa Usanidi wa Mfumo

Kuchunguza orodha ya huduma: volatility -f <dumpfile> --profile=<profile> svcscan
Kuchunguza orodha ya dereva: volatility -f <dumpfile> --profile=<profile> driverscan
Kuchunguza orodha ya moduli: volatility -f <dumpfile> --profile=<profile> modlist

Uchunguzi wa Usalama

Kuchunguza mizizi ya mchakato wa kujificha: volatility -f <dumpfile> --profile=<profile> rootkits
Kuchunguza mizizi ya mchakato wa kujificha: volatility -f <dumpfile> --profile=<profile> malfind

Uchunguzi wa Historia ya Kivinjari

Kuchunguza historia ya kivinjari cha Firefox: volatility -f <dumpfile> --profile=<profile> firefoxhistory
Kuchunguza historia ya kivinjari cha Chrome: volatility -f <dumpfile> --profile=<profile> chromehistory

Uchunguzi wa Mfumo wa Faili

Kuchunguza orodha ya faili: volatility -f <dumpfile> --profile=<profile> filescan
Kuchunguza maelezo ya faili: volatility -f <dumpfile> --profile=<profile> fileinfo -f <file_path>

Uchunguzi wa Usajili

Kuchunguza usajili: volatility -f <dumpfile> --profile=<profile> printkey -K <registry_key>
Kuchunguza historia ya usajili: volatility -f <dumpfile> --profile=<profile> hivelist

Uchunguzi wa Mitandao ya Kijamii

Kuchunguza mizizi ya ujumbe wa Facebook: volatility -f <dumpfile> --profile=<profile> facebookmessages
Kuchunguza mizizi ya ujumbe wa Twitter: volatility -f <dumpfile> --profile=<profile> twittermessages

Uchunguzi wa Barua Pepe

Kuchunguza mizizi ya barua pepe za Outlook: volatility -f <dumpfile> --profile=<profile> outlookemails
Kuchunguza mizizi ya barua pepe za Thunderbird: volatility -f <dumpfile> --profile=<profile> thunderbirdemails

volatility --profile=Win7SP1x86_23418 mutantscan -f file.dmp
volatility --profile=Win7SP1x86_23418 -f file.dmp handles -p <PID> -t mutant

Viungo vya alama

./vol.py -f file.dmp windows.symlinkscan.SymlinkScan

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Mwanzo

Kuanza: vol.py -f memory.img imageinfo
Kuchunguza mchakato: vol.py -f memory.img --profile=Profile pslist
Kuchunguza moduli: vol.py -f memory.img --profile=Profile modscan
Kuchunguza faili zilizofunguliwa: vol.py -f memory.img --profile=Profile filescan

Uchunguzi wa Mitandao

Kuchunguza mizizi ya TCP: vol.py -f memory.img --profile=Profile tcpconnections
Kuchunguza mizizi ya UDP: vol.py -f memory.img --profile=Profile udpconnections
Kuchunguza historia ya kivinjari: vol.py -f memory.img --profile=Profile chromehistory

Uchunguzi wa Maudhui

Kuchunguza maandishi yaliyohifadhiwa: vol.py -f memory.img --profile=Profile cmdline
Kuchunguza maandishi yaliyohifadhiwa: vol.py -f memory.img --profile=Profile consoles
Kuchunguza maandishi yaliyohifadhiwa: vol.py -f memory.img --profile=Profile cmdscan

Uchunguzi wa Usalama

Kuchunguza mizizi ya firewall: vol.py -f memory.img --profile=Profile getsids
Kuchunguza mizizi ya usajili: vol.py -f memory.img --profile=Profile hivelist
Kuchunguza mizizi ya usajili: vol.py -f memory.img --profile=Profile ldrmodules

Uchunguzi wa Mfumo

Kuchunguza mizizi ya mchakato: vol.py -f memory.img --profile=Profile pstree
Kuchunguza mizizi ya huduma: vol.py -f memory.img --profile=Profile svcscan
Kuchunguza mizizi ya huduma: vol.py -f memory.img --profile=Profile drivermodule

Uchunguzi wa Kificho

Kuchunguza mizizi ya kificho: vol.py -f memory.img --profile=Profile malfind
Kuchunguza mizizi ya kificho: vol.py -f memory.img --profile=Profile yarascan

Uchunguzi wa Kumbukumbu

Kuchunguza mizizi ya kumbukumbu: vol.py -f memory.img --profile=Profile memmap
Kuchunguza mizizi ya kumbukumbu: vol.py -f memory.img --profile=Profile memdump

Uchunguzi wa Mtandao

Kuchunguza mizizi ya mtandao: vol.py -f memory.img --profile=Profile netscan
Kuchunguza mizizi ya mtandao: vol.py -f memory.img --profile=Profile connscan

Uchunguzi wa Muda

Kuchunguza mizizi ya muda: vol.py -f memory.img --profile=Profile timeliner
Kuchunguza mizizi ya muda: vol.py -f memory.img --profile=Profile autoruns

Uchunguzi wa Mfumo wa Faili

Kuchunguza mizizi ya mfumo wa faili: vol.py -f memory.img --profile=Profile filescan
Kuchunguza mizizi ya mfumo wa faili: vol.py -f memory.img --profile=Profile mftparser

Uchunguzi wa Mtandao

Kuchunguza mizizi ya mtandao: vol.py -f memory.img --profile=Profile netscan
Kuchunguza mizizi ya mtandao: vol.py -f memory.img --profile=Profile connscan

Uchunguzi wa Muda

Kuchunguza mizizi ya muda: vol.py -f memory.img --profile=Profile timeliner
Kuchunguza mizizi ya muda: vol.py -f memory.img --profile=Profile autoruns

Uchunguzi wa Mfumo wa Faili

Kuchunguza mizizi ya mfumo wa faili: vol.py -f memory.img --profile=Profile filescan
Kuchunguza mizizi ya mfumo wa faili: vol.py -f memory.img --profile=Profile mftparser

volatility --profile=Win7SP1x86_23418 -f file.dmp symlinkscan

Bash

Inawezekana kusoma kumbukumbu ya historia ya bash kutoka kwenye kumbukumbu. Unaweza pia kudump faili ya .bash_history, lakini ikizimwa utafurahi unaweza kutumia moduli hii ya volatility

./vol.py -f file.dmp linux.bash.Bash

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Amri za Kuanza

volatility -f <file> imageinfo - Angalia habari za picha ya kumbukumbu
volatility -f <file> --profile=<profile> <command> - Tumia wasifu maalum wa mfumo

Uchunguzi wa Mchakato

volatility -f <file> --profile=<profile> pslist - Onyesha orodha ya michakato
volatility -f <file> --profile=<profile> pstree - Onyesha mti wa michakato
volatility -f <file> --profile=<profile> psscan - Skani ya mchakato

Uchunguzi wa Mitandao

volatility -f <file> --profile=<profile> netscan - Skani ya mitandao
volability -f <file> --profile=<profile> connscan - Skani ya uhusiano

Uchunguzi wa Kumbukumbu ya Kernel

volatility -f <file> --profile=<profile> kdbgscan - Tafuta anwani ya kumbukumbu ya kernel
volatility -f <file> --profile=<profile> modscan - Onyesha moduli zilizopakiwa

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> sockets - Onyesha mawasiliano ya soketi
volatility -f <file> --profile=<profile> sockscan - Skani ya soketi

Uchunguzi wa Kumbukumbu ya Faili

volatility -f <file> --profile=<profile> filescan - Skani ya faili
volatility -f <file> --profile=<profile> dumpfiles -Q <address> - Hifadhi faili kutoka kwa anwani fulani

Uchunguzi wa Usajili

volatility -f <file> --profile=<profile> hivelist - Onyesha orodha ya muundo wa usajili
voljson -f <file> --profile=<profile> printkey -K <key> - Chapisha thamani ya funguo fulani

Uchunguzi wa Mfumo wa Faili

volatility -f <file> --profile=<profile> mftparser - Onyesha maelezo ya MFT
volatility -f <file> --profile=<profile> mftparser -O <output_directory> - Hifadhi MFT kwenye saraka fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

Uchunguzi wa Kumbukumbu ya Mtandao

volatility -f <file> --profile=<profile> connscan - Skani ya uhusiano
volatility -f <file> --profile=<profile> connscan -p <pid> - Skani ya uhusiano kwa mchakato fulani

volatility --profile=Win7SP1x86_23418 -f file.dmp linux_bash

Muda

./vol.py -f file.dmp timeLiner.TimeLiner

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Amri za Kuanza

volatility -f <file> imageinfo - Angalia habari za picha ya kumbukumbu
volatility -f <file> --profile=<profile> pslist - Angalia mchakato wa orodha
volatility -f <file> --profile=<profile> pstree - Angalia mti wa mchakato
volatility -f <file> --profile=<profile> psscan - Skani ya mchakato
volatility -f <file> --profile=<profile> dlllist - Angalia orodha ya DLL
volatility -f <file> --profile=<profile> cmdscan - Skani ya historia ya amri
volatility -f <file> --profile=<profile> filescan - Skani ya mafaili
volatility -f <file> --profile=<profile> netscan - Skani ya mitandao
volatility -f <file> --profile=<profile> connections - Angalia uhusiano wa mtandao
volatility -f <file> --profile=<profile> consoles - Angalia kikao cha mtumiaji
volatility -f <file> --profile=<profile> hivelist - Angalia orodha ya hive
volatility -f <file> --profile=<profile> userassist - Angalia UserAssist
volatility -f <file> --profile=<profile> shimcache - Angalia ShimCache
volatility -f <file> --profile=<profile> ldrmodules - Angalia moduli za LDR
volatility -f <file> --profile=<profile> getsids - Pata SIDs
volatility -f <file> --profile=<profile> getservicesids - Pata huduma za SIDs
volatility -f <file> --profile=<profile> hivescan - Skani ya hive
volatility -f <file> --profile=<profile> printkey - Chapisha ufunguo
volatility -f <file> --profile=<profile> cmdline - Angalia mstari wa amri
volatility -f <file> --profile=<profile> consoles - Angalia kikao cha mtumiaji
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volvolatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutiliwa shaka
volatility -f <file> --profile=<profile> malfind - Tafuta mchakato wa kutil

volatility --profile=Win7SP1x86_23418 -f timeliner

Madereva

./vol.py -f file.dmp windows.driverscan.DriverScan

Cheatsheet ya Volatility

Uchambuzi wa Kumbukumbu

Kuanza: volatility -f <file> imageinfo
Orodha ya Mchakato: volatility -f <file> --profile=<profile> pslist
Uchunguzi wa Mitandao: volatility -f <file> --profile=<profile> netscan
Uchunguzi wa Moduli: volatility -f <file> --profile=<profile> modscan
Uchunguzi wa Kumbukumbu: volatility -f <file> --profile=<profile> memmap --output-file=<output>
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kdbgscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: volatility -f <file> --profile=<profile> kpcrscan
Uchunguzi wa Kumbukumbu ya Kernel: `volatility

volatility --profile=Win7SP1x86_23418 -f file.dmp driverscan

Pata ubao wa kunakili

#Just vol2
volatility --profile=Win7SP1x86_23418 clipboard -f file.dmp

Pata historia ya IE

#Just vol2
volatility --profile=Win7SP1x86_23418 iehistory -f file.dmp

Pata maandishi ya notepad

#Just vol2
volatility --profile=Win7SP1x86_23418 notepad -f file.dmp

Picha ya Skrini

#Just vol2
volatility --profile=Win7SP1x86_23418 screenshot -f file.dmp

Rekodi ya Kuu ya Mwaliko (MBR)

volatility --profile=Win7SP1x86_23418 mbrparser -f file.dmp

Master Boot Record (MBR) inacheza jukumu muhimu katika kusimamia sehemu za mantiki za kati ya kuhifadhi, ambazo zimepangwa na mifumo ya faili tofauti. Sio tu inashikilia habari ya muundo wa sehemu lakini pia ina msimbo wa kutekelezeka unaoendesha kama mzigo wa boot. Mzigo huu wa boot huanzisha moja kwa moja mchakato wa kupakia hatua ya pili ya OS (angalia mzigo wa boot hatua ya pili) au hufanya kazi kwa ushirikiano na rekodi ya boot ya kiasi (VBR) ya kila sehemu. Kwa maarifa ya kina, tazama ukurasa wa Wikipedia wa MBR.

Marejeo

RootedCONRootedCON

Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!

Njia nyingine za kusaidia HackTricks:

Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA KUJIUNGA!
Pata bidhaa rasmi za PEASS & HackTricks
Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs ya kipekee
Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud github repos.

PreviousMemory dump analysis NextPartitions/File Systems/Carving

Last updated 1 month ago